
Neptune DB clusters should have automated backups enabled

Neptune graph databases tend to hold relationship-heavy data that is expensive to reconstruct: fraud detection graphs, identity resolution maps, knowledge graphs. Losing that data without a recent backup means days or weeks of re-ingestion and reprocessing.

Automated backups with a 7-day minimum retention give you point-in-time restore capability and protection against accidental deletion or corruption. The default backup_retention_period for aws_neptune_cluster is 1 day, which passes the "enabled" check but fails this control's 7-day minimum. Set the value explicitly to avoid surprises during compliance scans.

Retrofit consideration

Changing backup_retention_period on an existing Neptune cluster may trigger a brief maintenance window. Schedule the apply during a low-traffic period.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_neptune_cluster.

resource "aws_neptune_cluster" "this" {
  # 7 is this control's minimum; the AWS default is 1 and the maximum is 35
  backup_retention_period        = 7
  cluster_identifier             = "pofix-abc123"
  enable_cloudwatch_logs_exports = ["audit"]
  neptune_subnet_group_name      = "example-neptune-subnet-group"
  # true: no final snapshot is taken when the cluster is destroyed
  skip_final_snapshot            = true
}

What this control checks

The aws_neptune_cluster resource controls backup behavior through the backup_retention_period argument. Set it to 7 or higher to pass. A value of 0 disables automated backups entirely and fails. Values between 1 and 6 enable backups but fail the 7-day minimum. The maximum allowed value is 35. You can also set preferred_backup_window to control when the daily snapshot occurs (e.g., "02:00-03:00"), though that argument has no effect on the control result. No additional resources are needed; the configuration lives entirely on the cluster resource.

Common pitfalls

  • Default retention is only 1 day

    Omit backup_retention_period on aws_neptune_cluster and Terraform applies the AWS default of 1 day. Backups are technically enabled, but the control still fails because 1 < 7. Always set this argument explicitly.

  • Cluster vs. instance confusion

    Backup configuration lives on the aws_neptune_cluster resource, not on aws_neptune_cluster_instance. Setting backup-related tags or parameters on the instance resource has no effect on the retention period.

  • Preferred backup window overlap with maintenance

    Overlapping preferred_backup_window and preferred_maintenance_window will cause create or modify operations to fail. Neptune requires these windows to be non-overlapping. This won't affect the control result, but it will block your terraform apply until you fix the overlap.

Audit evidence

AWS Config rule results showing each Neptune cluster as COMPLIANT work as primary evidence. Security Hub control status is an acceptable alternative. For a quick visual, the Neptune console shows the backup retention period directly on the cluster summary page.

For deeper evidence, aws neptune describe-db-clusters returns the BackupRetentionPeriod field for each cluster. Auditors may also ask for CloudTrail logs covering ModifyDBCluster events to confirm retention was not lowered after initial setup.
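The classification in "What this control checks" and the describe-db-clusters evidence above, as an added Python example that is not part of this page or of any of the tools it lists: it evaluates a constructed describe-db-clusters response against the 0 / 1-6 / 7-or-more rule and also flags the backup/maintenance window overlap from the pitfalls section. The JSON is constructed sample output, and the function names are my own.

```python
"""Evaluate Neptune clusters against the 7-day backup retention control (added example)."""
import json

MIN_RETENTION_DAYS = 7  # this control's minimum; Neptune allows up to 35

def evaluate_retention(period):
    """Classify BackupRetentionPeriod exactly as the control does."""
    if period == 0:
        return "NON_COMPLIANT", "automated backups disabled (retention 0)"
    if period < MIN_RETENTION_DAYS:
        return "NON_COMPLIANT", f"backups enabled but retention {period} < {MIN_RETENTION_DAYS}"
    return "COMPLIANT", f"retention {period} days"

def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)

def windows_overlap(backup_window, maintenance_window):
    """True if the daily backup window ("hh24:mi-hh24:mi") collides with the weekly
    maintenance window ("ddd:hh24:mi-ddd:hh24:mi"). Backups recur daily, so only the
    time of day matters. Simplification: windows that cross midnight are not handled."""
    b_start, b_end = (_minutes(t) for t in backup_window.split("-"))
    m_start, m_end = (_minutes(t.split(":", 1)[1]) for t in maintenance_window.split("-"))
    return b_start < m_end and m_start < b_end

def evaluate_clusters(describe_output):
    """One finding per cluster from describe-db-clusters JSON; warn on the window pitfall."""
    findings = []
    for cluster in describe_output["DBClusters"]:
        status, reason = evaluate_retention(cluster["BackupRetentionPeriod"])
        finding = {"cluster": cluster["DBClusterIdentifier"], "status": status, "reason": reason}
        if windows_overlap(cluster["PreferredBackupWindow"], cluster["PreferredMaintenanceWindow"]):
            finding["warning"] = "backup and maintenance windows overlap; create/modify will fail"
        findings.append(finding)
    return findings

# Constructed sample mirroring `aws neptune describe-db-clusters` output (not real clusters).
SAMPLE = json.loads("""{"DBClusters": [
 {"DBClusterIdentifier": "pofix-abc123", "BackupRetentionPeriod": 7,
  "PreferredBackupWindow": "02:00-03:00", "PreferredMaintenanceWindow": "sun:05:00-sun:06:00"},
 {"DBClusterIdentifier": "graph-default", "BackupRetentionPeriod": 1,
  "PreferredBackupWindow": "04:30-05:00", "PreferredMaintenanceWindow": "mon:04:45-mon:05:15"},
 {"DBClusterIdentifier": "graph-nobackup", "BackupRetentionPeriod": 0,
  "PreferredBackupWindow": "09:00-09:30", "PreferredMaintenanceWindow": "tue:10:00-tue:11:00"}]}""")

if __name__ == "__main__":
    print(json.dumps(evaluate_clusters(SAMPLE), indent=2))
```

Pipe real output into it with `aws neptune describe-db-clusters --output json` and `json.load(sys.stdin)` in place of SAMPLE; the retention verdict matches the control, and the warning is an apply-time problem rather than a control failure.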

Framework-specific interpretation

PCI DSS v4.0: For environments where Neptune stores data adjacent to cardholder data, Requirements 3 and 12.10 both apply. Requirement 3 covers protection of stored data; Requirement 12.10 covers incident response preparedness. Automated backups with 7-day retention address both.

NIST Cybersecurity Framework v2.0: Neptune automated backups map directly to PR.DS under the Protect function and RC.RP under Recover. A 7-day retention window provides meaningful point-in-time restore capability, which is exactly what RC.RP asks for.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: neptune_db_cluster_automated_backup_enabled

  • AWS Config Managed Rule: NEPTUNE_CLUSTER_BACKUP_RETENTION_CHECK

  • Checkov Check: CKV_AWS_361

  • Powerpipe Control: aws_compliance.control.neptune_db_cluster_automated_backup_enabled

  • Prowler Check: neptune_cluster_backup_enabled

  • AWS Security Hub Control: Neptune.5

Last reviewed: 2026-03-09