Condition keys available in Neptune IAM administrative policy statements - Amazon Neptune
Resource property keysTag-based keys
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Condition keys available in Neptune IAM administrative policy statements

Using condition keys, you can specify conditions in an IAM policy statement so that the statement takes effect only when the conditions are true. The condition keys that you can use in Neptune administrative policy statements fall into the following categories:

Neptune administrative resource property condition keys

Condition keys Description Type
rds:DatabaseClass Filters access by the type of DB instance class. String
rds:DatabaseEngine Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API String
rds:DatabaseName Filters access by the user-defined name of the database on the DB instance String
rds:EndpointType Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM String
rds:Vpc Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true. Boolean

Administrative tag-based condition keys

Amazon Neptune supports specifying conditions in an IAM policy using custom tags, to control access to Neptune through the Management API reference.

For example, if you add a tag named environment to your DB instances, with values such as beta, staging, and production, you can then create a policy that restricts access to the instances based on the value of that tag.

Important

If you manage access to your Neptune resources using tagging, be sure to secure access to the tags. You can restrict access to the tags by creating policies for the AddTagsToResource and RemoveTagsFromResource actions.

For example, you could use the following policy to deny users the ability to add or remove tags for all resources. Then, you could create policies to allow specific users to add or remove tags.

{ "Version": "2012-10-17",
  "Statement":[
    { "Sid": "DenyTagUpdates",
      "Effect": "Deny",
      "Action": [
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource":"*"
    }
  ]
}

The following tag-based condition keys only work with administrative resources in administrative policy statements.

Tag-based administrative condition keys
Condition keys Description Type
aws:RequestTag/${TagKey}

Filters access based on the presence of tag key-value pairs in the request.

 String
aws:ResourceTag/${TagKey}

Filters access based on tag key-value pairs attached to the resource.

 String
aws:TagKeys

Filters access based on the presence of tag keys in the request.

 String
rds:cluster-pg-tag/${TagKey} Filters access by the tag attached to a DB cluster parameter group. String
rds:cluster-snapshot-tag/${TagKey} Filters access by the tag attached to a DB cluster snapshot. String
rds:cluster-tag/${TagKey} Filters access by the tag attached to a DB cluster. String
rds:db-tag/${TagKey} Filters access by the tag attached to a DB instance. String
rds:es-tag/${TagKey} Filters access by the tag attached to an event subscription. String
rds:pg-tag/${TagKey} Filters access by the tag attached to a DB parameter group. String
rds:req-tag/${TagKey} Filters access by the set of tag keys and values that can be used to tag a resource. String
rds:secgrp-tag/${TagKey} Filters access by the tag attached to a DB security group. String
rds:snapshot-tag/${TagKey} Filters access by the tag attached to a DB snapshot. String
rds:subgrp-tag/${TagKey} Filters access by the tag attached to a DB subnet group String