feat(cloud-security): add Amazon Neptune as an AWS Cloud Tests service #3040
Merged
Adds a dedicated Neptune scanner so AWS Cloud Tests cover Neptune directly in
the default `comp_scanners` mode (previously Neptune was only reachable via the
Security Hub scan mode). Requested by a customer evaluating AWS.
- neptune.adapter.ts: scans Neptune DB clusters for five checks — storage
encryption at rest (manual: enabling it needs snapshot+restore), deletion
protection, automated backup retention (>= 7 days), IAM database
authentication, and audit-log export to CloudWatch. The last four emit
auto-fix remediation via `neptune:ModifyDBClusterCommand`. Filters to
Engine === 'neptune' and paginates the DescribeDBClusters Marker.
- aws-security.service.ts: register the adapter + Cost-Explorer detection
('Amazon Neptune' -> 'neptune').
- aws-command-executor.ts: register the `@aws-sdk/client-neptune` SDK so the
ModifyDBCluster remediations execute.
- integration-platform AWS manifest: Neptune service catalog entry.
- ServiceCard: Neptune icon.
- apps/api dep: add @aws-sdk/client-neptune ^3.948.0.
- Tests: neptune.adapter.spec.ts (non-compliant, compliant, engine filter,
pagination, AccessDenied) — 5 passing.
Detection-gated (invisible to accounts without Neptune). Not yet verified
against a live Neptune cluster.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…pace Neptune's management API is part of the RDS API surface — its control-plane IAM actions use the `rds:` prefix (rds:ModifyDBCluster, rds:DescribeDBClusters); `neptune-db:` is data-plane only. The first cut used @aws-sdk/client-neptune and `neptune:ModifyDBClusterCommand` remediation, which would make permission detection suggest a non-existent `neptune:ModifyDBCluster` IAM action — so the customer's auto-fix would keep failing even after "granting" the suggestion.
- neptune.adapter.ts: scan via @aws-sdk/client-rds DescribeDBClustersCommand (filter Engine === 'neptune'); remediate via rds:ModifyDBClusterCommand so permission detection emits the real rds:ModifyDBCluster action.
- drop the unnecessary @aws-sdk/client-neptune dependency and its executor registration (the existing `rds` SDK module already exposes ModifyDBCluster).
- spec: mock @aws-sdk/client-rds; assert rds:ModifyDBClusterCommand.
Full cloud-security suite green (304 passing); changed files typecheck clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🎉 This PR is included in version 3.71.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Summary
Adds a dedicated Amazon Neptune scanner to AWS Cloud Tests. Today, AWS has two scan modes: `comp_scanners` (our ~44 dedicated SDK adapters, the default) and `security_hub` (ingests AWS Security Hub findings). Neptune was only reachable via Security Hub mode — there was no dedicated Neptune adapter. This PR adds one, so Neptune is covered directly in the default mode too.
Requested by a customer (Jinesh) evaluating AWS who asked whether we support OpenSearch and Neptune. (OpenSearch was already supported.)
What changed
- neptune.adapter.ts — scans Neptune DB clusters for five checks: storage encryption at rest (manual: enabling it needs snapshot+restore), deletion protection, automated backup retention (>= 7 days), IAM database authentication, and audit-log export to CloudWatch. The last four emit auto-fix remediation via `neptune:ModifyDBClusterCommand`. Filters to Engine === 'neptune' and paginates the DescribeDBClusters Marker. (Aligned with the AWS Security Hub Neptune control set.)
- aws-security.service.ts — register NeptuneAdapter + Cost-Explorer detection (Amazon Neptune → neptune).
- aws-command-executor.ts — register the @aws-sdk/client-neptune SDK so the ModifyDBCluster remediations execute.
- ServiceCard.tsx — Neptune icon.
- apps/api/package.json — add @aws-sdk/client-neptune ^3.948.0 (matches the other AWS SDK pins).
Behavior / caveats
- Detection-gated (invisible to accounts without Neptune: the Amazon Neptune Cost-Explorer line won't be present → not detected).
- Not yet verified against a live Neptune cluster.
Tests
neptune.adapter.spec.ts: non-compliant (all 5 checks fail, encryption is [MANUAL], others emit ModifyDBCluster), fully-compliant, non-Neptune engine filtered out, Marker pagination, and AccessDenied → []. 5 passing; changed files typecheck clean.
🤖 Generated with Claude Code
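The scan logic the description and the follow-up commit describe (five checks, Engine filter, Marker pagination, AccessDenied → [], remediation expressed as the real rds:ModifyDBCluster action), as an added example that is not the PR's adapter code. The DBCluster field names follow the RDS API shape; the `describe` callback, the finding format and the fixture clusters are assumptions constructed for the example, and nothing is imported from the AWS SDK.

```typescript
// Added example (not the PR's own code): the five Neptune checks, engine filter,
// Marker pagination and AccessDenied handling described above, run over
// constructed DescribeDBClusters pages. No AWS SDK import, so it runs offline.
interface DBCluster {
  DBClusterIdentifier: string; Engine: string; StorageEncrypted?: boolean;
  DeletionProtection?: boolean; BackupRetentionPeriod?: number;
  IAMDatabaseAuthenticationEnabled?: boolean; EnabledCloudwatchLogsExports?: string[];
}
interface DescribePage { DBClusters: DBCluster[]; Marker?: string }
export interface Finding { cluster: string; check: string; remediation: string }
// Auto-fix goes through the RDS control plane: grant rds:ModifyDBCluster, not neptune:*.
const FIX = 'rds:ModifyDBCluster';

export function evaluate(c: DBCluster): Finding[] {
  const fail = (check: string, remediation = FIX): Finding =>
    ({ cluster: c.DBClusterIdentifier, check, remediation });
  const out: Finding[] = [];
  // Encryption at rest cannot be switched on in place (snapshot + restore): manual.
  if (!c.StorageEncrypted) out.push(fail('storage-encryption', '[MANUAL]'));
  if (!c.DeletionProtection) out.push(fail('deletion-protection'));
  if ((c.BackupRetentionPeriod ?? 0) < 7) out.push(fail('backup-retention>=7d'));
  if (!c.IAMDatabaseAuthenticationEnabled) out.push(fail('iam-db-auth'));
  if (!(c.EnabledCloudwatchLogsExports ?? []).includes('audit')) out.push(fail('audit-log-export'));
  return out;
}

// Follows Marker until absent, keeps Engine === 'neptune' only (Aurora and RDS
// clusters come back from the same DescribeDBClusters call), maps AccessDenied to [].
export async function scanNeptune(describe: (marker?: string) => Promise<DescribePage>): Promise<Finding[]> {
  const findings: Finding[] = [];
  let marker: string | undefined;
  try {
    do {
      const page = await describe(marker);
      for (const c of page.DBClusters) if (c.Engine === 'neptune') findings.push(...evaluate(c));
      marker = page.Marker;
    } while (marker);
  } catch (e) {
    if ((e as { name?: string }).name === 'AccessDenied') return [];
    throw e;
  }
  return findings;
}

// Constructed fixture: two pages; 'orders' is an Aurora cluster and must be skipped.
export const SAMPLE_PAGES: DescribePage[] = [
  { Marker: 'p2', DBClusters: [
    { DBClusterIdentifier: 'graph-prod', Engine: 'neptune', StorageEncrypted: true, DeletionProtection: true,
      BackupRetentionPeriod: 14, IAMDatabaseAuthenticationEnabled: true, EnabledCloudwatchLogsExports: ['audit'] },
    { DBClusterIdentifier: 'orders', Engine: 'aurora-postgresql' } ] },
  { DBClusters: [{ DBClusterIdentifier: 'graph-dev', Engine: 'neptune', BackupRetentionPeriod: 1 }] },
];
export const describeSample = async (m?: string): Promise<DescribePage> => SAMPLE_PAGES[m === 'p2' ? 1 : 0];
```

Running `scanNeptune(describeSample)` yields five findings, all for `graph-dev`, with only the encryption finding marked `[MANUAL]`.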
Summary by cubic
Add a dedicated Amazon Neptune scanner to AWS Cloud Tests so Neptune is covered in the default mode, not only via Security Hub. Scans Neptune clusters via the RDS API with five checks and auto-fix guidance.
New Features
Dependencies
- @aws-sdk/client-rds for DescribeDBClusters and ModifyDBCluster.
Written for commit 64b9137. Summary will update on new commits.