Creating IAM data-access policies in Amazon Neptune - Amazon Neptune
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating IAM data-access policies in Amazon Neptune

The following examples show how to create custom IAM policies that use fine-grained access control of data-plane APIs and actions, introduced in Neptune engine release version 1.2.0.0.

Policy example allowing unrestricted access to the data in a Neptune DB cluster

The following example policy allows an IAM user to connect to a Neptune DB cluster using IAM database authentication, and uses the "*" character to match all available actions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "neptune-db:*", "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }

The preceding example includes a resource ARN in a format that is particular to Neptune IAM authentication. To construct the ARN, see Specifying data resources. Note that the ARN used for an IAM authorization Resource is not the same as the ARN assigned to the cluster on creation.

Policy example allowing read-only access to a Neptune DB cluster

The following policy grants permission for full read-only access to data in a Neptune DB cluster:

{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "neptune-db:Read*", "neptune-db:Get*", "neptune-db:List*" ], "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }

Policy example denying all access to a Neptune DB cluster

The default IAM action is to deny access to a DB cluster unless an Allow Effect is granted. However, the following policy denies all access to a DB cluster for a particular Amazon account and Region, which then takes precedence over any Allow effect.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "neptune-db:*", "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }

Policy example granting read access through queries

The following policy only grants permission to read from a Neptune DB cluster using a query:

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "neptune-db:ReadDataViaQuery", "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }

Policy example that only allows Gremlin queries

The following policy uses the neptune-db:QueryLanguage condition key to grant permission to query Neptune only using the Gremlin query language:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "neptune-db:ReadDataViaQuery", "neptune-db:WriteDataViaQuery", "neptune-db:DeleteDataViaQuery" ], "Resource": "*", "Condition": { "StringEquals": { "neptune-db:QueryLanguage": "Gremlin" } } } ] }

Policy example allowing all access except to Neptune ML model management

The following policy grants full access to Neptune graph operations except for the Neptune ML model-management features:

{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "neptune-db:CancelLoaderJob", "neptune-db:CancelQuery", "neptune-db:DeleteDataViaQuery", "neptune-db:DeleteStatistics", "neptune-db:GetEngineStatus", "neptune-db:GetLoaderJobStatus", "neptune-db:GetQueryStatus", "neptune-db:GetStatisticsStatus", "neptune-db:GetStreamRecords", "neptune-db:ListLoaderJobs", "neptune-db:ManageStatistics", "neptune-db:ReadDataViaQuery", "neptune-db:ResetDatabase", "neptune-db:StartLoaderJob", "neptune-db:WriteDataViaQuery" ], "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }

Policy example allowing access to Neptune ML model management

This policy grants access to the Neptune ML model-management features:

{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "neptune-db:CancelMLDataProcessingJob", "neptune-db:CancelMLModelTrainingJob", "neptune-db:CancelMLModelTransformJob", "neptune-db:CreateMLEndpoint", "neptune-db:DeleteMLEndpoint", "neptune-db:GetMLDataProcessingJobStatus", "neptune-db:GetMLEndpointStatus", "neptune-db:GetMLModelTrainingJobStatus", "neptune-db:GetMLModelTransformJobStatus", "neptune-db:ListMLDataProcessingJobs", "neptune-db:ListMLEndpoints", "neptune-db:ListMLModelTrainingJobs", "neptune-db:ListMLModelTransformJobs", "neptune-db:StartMLDataProcessingJob", "neptune-db:StartMLModelTrainingJob", "neptune-db:StartMLModelTransformJob" ], "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }

Policy example granting full query access

The following policy grants full access to Neptune graph query operations, but not to features like fast reset, streams, the bulk loader, Neptune ML model management, and so forth:

{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "neptune-db:ReadDataViaQuery", "neptune-db:WriteDataViaQuery", "neptune-db:DeleteDataViaQuery", "neptune-db:GetEngineStatus", "neptune-db:GetQueryStatus", "neptune-db:CancelQuery" ], "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }

Policy example granting full access for Gremlin queries only

The following policy grants full access to Neptune graph query operations using the Gremlin query language, but not to queries in other languages, and not to features like fast reset, streams, the bulk loader, Neptune ML model management, and so on:

{ "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": [ "neptune-db:ReadDataViaQuery", "neptune-db:WriteDataViaQuery", "neptune-db:DeleteDataViaQuery", "neptune-db:GetEngineStatus", "neptune-db:GetQueryStatus", "neptune-db:CancelQuery" ], "Resource": [ "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" ], "Condition": { "StringEquals": { "neptune-db:QueryLanguage":"Gremlin" } } } ] }

Policy example granting full access except for fast reset

The following policy grants full access to a Neptune DB cluster except for using fast reset:

{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "neptune-db:*", "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" }, { "Effect": "Deny", "Action": "neptune-db:ResetDatabase", "Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*" } ] }