Neptune DB clusters should have IAM database authentication enabled

IAM database authentication lets you authenticate to Neptune using IAM roles and temporary credentials instead of static passwords. This eliminates the need to store or rotate long-lived database credentials, reduces the blast radius of a credential leak, and integrates Neptune access into your existing IAM policy structure. You get CloudTrail logging of authentication events for free.

Without IAM authentication, Neptune access depends on VPC-level network controls alone. Any client that can reach the cluster endpoint can query or mutate graph data with no identity verification beyond network reachability.

Retrofit consideration

Enabling IAM authentication on an existing cluster does not cause downtime, but all client applications must be updated to use IAM-based SigV4 signing for connections. Because existing non-IAM connections continue to work, you must verify that applications actually adopt the new authentication method rather than assuming the flag alone enforces it.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_neptune_cluster.

resource "aws_neptune_cluster" "this" {
  backup_retention_period        = 7
  cluster_identifier             = "pofix-abc123"
  enable_cloudwatch_logs_exports = ["audit"]
  neptune_subnet_group_name      = "example-neptune-subnet-group"
  skip_final_snapshot            = true

  iam_database_authentication_enabled = true
}

What this control checks

The control validates that the aws_neptune_cluster resource has iam_database_authentication_enabled set to true. When this argument is omitted, the AWS provider defaults it to false, which causes the control to fail. No additional resources or IAM policy attachments are evaluated; only the boolean flag on the cluster resource itself is checked. Set iam_database_authentication_enabled = true on every aws_neptune_cluster to pass.
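The check described above can be reproduced against raw Terraform source. The following Python script is an added example and is not Compliance.tf's own checker; it walks every aws_neptune_cluster block in a constructed sample (the resource names and cluster identifiers in SAMPLE_TF are made up), treats an omitted iam_database_authentication_enabled as the provider default of false, and additionally flags a non-literal value (such as a variable reference) as UNKNOWN so it can be resolved against a plan rather than silently passing or failing.

```python
import re

# Constructed sample Terraform source (not from the page): four Neptune
# clusters covering the cases the control distinguishes, plus an unrelated
# resource that must be ignored.
SAMPLE_TF = '''
resource "aws_neptune_cluster" "compliant" {
  cluster_identifier                  = "graph-prod"
  iam_database_authentication_enabled = true   # explicit true
  serverless_v2_scaling_configuration {
    min_capacity = 1
    max_capacity = 8
  }
}

resource "aws_neptune_cluster" "omitted" {
  cluster_identifier  = "graph-staging"
  skip_final_snapshot = true
}

resource "aws_neptune_cluster" "explicit_false" {
  cluster_identifier                  = "graph-dev"
  iam_database_authentication_enabled = false
}

resource "aws_neptune_cluster" "from_variable" {
  cluster_identifier                  = "graph-test"
  iam_database_authentication_enabled = var.iam_auth
}

resource "aws_security_group" "unrelated" {
  name = "not-a-neptune-cluster"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_neptune_cluster"\s+"([^"]+)"\s*\{')
FLAG_RE = re.compile(
    r'^\s*iam_database_authentication_enabled\s*=\s*(.+?)\s*$', re.MULTILINE)


def extract_cluster_blocks(source):
    """Yield (resource_name, body) for each aws_neptune_cluster resource.

    Braces are counted so that nested blocks (for example
    serverless_v2_scaling_configuration) do not cut the body short.
    """
    for match in RESOURCE_RE.finditer(source):
        depth, i = 1, match.end()
        while i < len(source) and depth:
            if source[i] == '{':
                depth += 1
            elif source[i] == '}':
                depth -= 1
            i += 1
        yield match.group(1), source[match.end():i - 1]


def evaluate_cluster(body):
    """Return PASS, FAIL or UNKNOWN for one cluster body.

    An omitted argument takes the provider default (false) and therefore
    FAILs, exactly as the control treats it. A non-literal value such as a
    variable reference cannot be judged from source alone, so it is UNKNOWN
    and should be resolved against a plan.
    """
    match = FLAG_RE.search(body)
    if match is None:
        return 'FAIL'
    # Drop a trailing "# ..." or "// ..." comment before comparing the literal.
    value = re.split(r'\s+(?:#|//)', match.group(1))[0].strip()
    if value == 'true':
        return 'PASS'
    if value == 'false':
        return 'FAIL'
    return 'UNKNOWN'


def check_terraform(source):
    """Map every aws_neptune_cluster resource name to its verdict."""
    return {name: evaluate_cluster(body)
            for name, body in extract_cluster_blocks(source)}


if __name__ == '__main__':
    for name, verdict in check_terraform(SAMPLE_TF).items():
        print(f'{verdict:8} aws_neptune_cluster.{name}')
```

Running the script prints PASS for the compliant cluster, FAIL for both the omitted and the explicitly false cases, and UNKNOWN for the variable-driven one; anything other than an all-PASS result should block the change in CI.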

Common pitfalls

  • Default value is false

    The iam_database_authentication_enabled argument defaults to false when omitted. Unlike some other Neptune settings, there's no provider-level default override, so every cluster definition must explicitly set it to true.

  • Enabling IAM auth does not replace network controls

    Setting iam_database_authentication_enabled = true enables IAM database authentication, but it doesn't restrict which network paths can reach the cluster endpoint. You still need restrictive security groups and subnet design, plus least-privilege IAM permissions (for example, neptune-db:connect scoped appropriately) so only approved principals from approved network locations can access the cluster.

  • Client SDK changes required

    Enabling the flag without updating clients means IAM auth exists on paper but is never exercised. Applications must sign Neptune HTTP or WebSocket requests with SigV4 under an IAM principal that is allowed the neptune-db:connect action, and Gremlin and SPARQL clients need explicit SigV4 signing plugins.

Audit evidence

An auditor expects Config rule evaluation results showing all Neptune clusters passing the neptune-cluster-iam-db-auth managed rule. Supporting evidence includes CLI output from aws neptune describe-db-clusters with IAMDatabaseAuthenticationEnabled set to true for every cluster. CloudTrail logs showing SigV4-signed connection attempts to Neptune endpoints confirm that IAM authentication is actively used, not merely enabled.
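The CLI evidence mentioned above can be turned into a per-cluster verdict in the same COMPLIANT / NON_COMPLIANT form the Config rule reports. The Python below is an added example, not tooling from Compliance.tf or AWS; SAMPLE_DESCRIBE_OUTPUT is a constructed document in the shape of aws neptune describe-db-clusters output, and the cluster identifiers in it are made up. It deliberately handles two cases that are easy to get wrong in an evidence script: a cluster record with the IAMDatabaseAuthenticationEnabled key absent, and non-Neptune engines that can appear in the shared DescribeDBClusters response shape.

```python
import json

# Constructed sample in the shape of `aws neptune describe-db-clusters`
# output (not real account data): one compliant cluster, one explicitly
# disabled, one missing the key, and one non-Neptune engine to be ignored.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "graph-prod", "Engine": "neptune",
         "IAMDatabaseAuthenticationEnabled": True},
        {"DBClusterIdentifier": "graph-staging", "Engine": "neptune",
         "IAMDatabaseAuthenticationEnabled": False},
        {"DBClusterIdentifier": "graph-legacy", "Engine": "neptune"},
        {"DBClusterIdentifier": "orders-db", "Engine": "aurora-postgresql",
         "IAMDatabaseAuthenticationEnabled": False},
    ]
})


def evaluate_clusters(describe_json):
    """Map each Neptune cluster id to COMPLIANT or NON_COMPLIANT.

    Only records with Engine == "neptune" are evaluated, because the
    Neptune API reuses the RDS DescribeDBClusters shape and a listing can
    carry other engines. A missing IAMDatabaseAuthenticationEnabled key is
    treated as not enabled, never as compliant.
    """
    verdicts = {}
    for cluster in json.loads(describe_json).get('DBClusters', []):
        if cluster.get('Engine') != 'neptune':
            continue
        enabled = cluster.get('IAMDatabaseAuthenticationEnabled') is True
        verdicts[cluster['DBClusterIdentifier']] = (
            'COMPLIANT' if enabled else 'NON_COMPLIANT')
    return verdicts


def evidence_summary(describe_json):
    """One record an auditor can file: counts plus the failing cluster list.

    all_pass is vacuously true when no Neptune clusters exist in scope.
    """
    verdicts = evaluate_clusters(describe_json)
    failing = sorted(c for c, v in verdicts.items() if v == 'NON_COMPLIANT')
    return {
        'clusters_evaluated': len(verdicts),
        'non_compliant': failing,
        'all_pass': not failing,
    }


if __name__ == '__main__':
    # In practice: aws neptune describe-db-clusters --output json > clusters.json
    print(json.dumps(evidence_summary(SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

Pair the JSON output with the Config rule evaluation and a Security Hub export so the three sources agree on the same cluster identifiers; a cluster that is absent from one of them is itself a finding worth explaining.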

Security Hub exports showing a passing status for this control across all accounts and regions in scope provide consolidated evidence for audit packages.

Framework-specific interpretation

PCI DSS v4.0: Requirements 7 and 8 together call for least-privilege access and strong, unique authentication for every system component in scope. For Neptune, IAM database authentication checks both boxes: it replaces static credentials with per-principal, time-limited tokens, and the authentication path runs through IAM rather than the network perimeter.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: neptune_db_cluster_iam_authentication_enabled

  • AWS Config Managed Rule: NEPTUNE_CLUSTER_IAM_DATABASE_AUTHENTICATION

  • Checkov Check: CKV_AWS_359

  • Powerpipe Control: aws_compliance.control.neptune_db_cluster_iam_authentication_enabled

  • Prowler Check: neptune_cluster_iam_authentication_enabled

  • AWS Security Hub Control: Neptune.7

  • KICS Queries: 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6, c91d7ea0-d4d1-403b-8fe1-c9961ac082c5

Last reviewed: 2026-03-09