Ensure Neptune cluster instance is not publicly available

Error: Neptune cluster instance is publicly available

Bridgecrew Policy ID: BC_AWS_GENERAL_42
Checkov Check ID: CKV_AWS_102
Severity: HIGH

Neptune cluster instance is publicly available


Amazon Neptune is a graph database service that for high-performance graph database engine. Neptune supports the popular graph query languages Apache TinkerPop Gremlin and W3Cā€™s SPARQL.

Neptune also gives you the ability to create snapshots of your databases, which you can use later to restore a database. You can share a snapshot with a different Amazon Web Services account, and the owner of the recipient account can use your snapshot to restore a DB that contains your data. You can even choose to make your snapshots public ā€“ that is, anybody can restore a DB containing your data.

This is a check to make sure that your database resource is not Publicly available. This is the resources' default behaviour. https://docs.aws.amazon.com/neptune/latest/userguide/security-vpc.html. .

Fix - Runtime

AWS Console

First find your neptune instance id with the AWS commandline:

aws neptune describe-db-instances

Once you have your instance id you can unset its public status with:

aws neptune modify-db-instance aws neptune --db-instance-identifier <your db identifier> --no-publicly-accessible

Fix - Buildtime


  • Resource: aws_neptune_cluster_instance
  • Argument: publicly_accessible this default to false, so the check is to ensure it's missing or false.
resource "aws_neptune_cluster_instance" "example" {
  count              = 2
  cluster_identifier = aws_neptune_cluster.default.id
  engine             = "neptune"
  instance_class     = "db.r4.large"
  apply_immediately  = true