Managing access to Amazon Neptune databases using IAM policies
IAM
policies
You control access in Amazon by creating policies and attaching them to Amazon identities or resources. A policy is an object in Amazon that, when associated with an identity or resource, defines their permissions. Amazon evaluates these policies when a principal (user, root user, or role session) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in Amazon as JSON documents. For more information about the structure and contents of JSON policy documents, see Overview of JSON policies in the IAM User Guide.
Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
By default, users and roles have no permissions. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, suppose that you have a
policy that allows the iam:GetRole
action. A user with that policy can get role information from the Amazon Web Services Management Console, the Amazon CLI, or the Amazon
API.
Identity-Based Policies
Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Define custom IAM permissions with customer managed policies in the IAM User Guide.
Identity-based policies can be further categorized as inline policies or managed policies. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your Amazon Web Services account. Managed policies include Amazon managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see Choose between managed policies and inline policies in the IAM User Guide.
Using Service Control Policies (SCP) with Amazon organizations
Service control policies (SCPs) are JSON policies that specify the maximum
permissions for an organization or organizational unit (OU) in
Amazon Organizations
Customers deploying Amazon Neptune in an Amazon Account within an Amazon Organization can leverage SCPs to control which accounts can use Neptune. To ensure access to Neptune within a member account, be sure to:
-
Allow access to
rds:*
andneptune-db:*
for Neptune database operations. Refer to Why are Amazon RDS permissions and resources required to use Neptune Database?for details on why Amazon RDS permissions are needed for Neptune database. -
Allow access to
neptune-graph:*
for Neptune Analytics operations.
Permissions Required to Use the Amazon Neptune Console
For a user to work with the Amazon Neptune console, that user must have a minimum set of permissions. These permissions allow the user to describe the Neptune resources for their Amazon account and to provide other related information, including Amazon EC2 security and network information.
If you create an IAM policy that is more restrictive than the minimum required
permissions, the console won't function as intended for users with that IAM policy. To
ensure that those users can still use the Neptune console, also attach the
NeptuneReadOnlyAccess
managed policy to the user, as described in Using Amazon managed policies to access
Amazon Neptune databases.
You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon Neptune API.
Attaching an IAM Policy to an IAM user
To apply a managed or custom policy, you attach it to an IAM user. For a tutorial on this topic, see Create and Attach Your First Customer Managed Policy in the IAM User Guide.
As you work through the tutorial, you can use one of the policy examples shown in this
section as a starting point and tailor it to your needs. At the end of the tutorial, you have
an IAM user with an attached policy that can use the neptune-db:*
action.
Important
-
Changes to an IAM policy take up to 10 minutes to apply to the specified Neptune resources.
-
IAM policies applied to a Neptune DB cluster apply to all instances in that cluster.
Using different kinds of IAM policies for controlling access to Neptune
To provide access to Neptune administrative actions or to data in a Neptune DB cluster, you attach policies to an IAM user or role. For information about how to attach an IAM policy to a user, see Attaching an IAM Policy to an IAM user. For information about attaching a policy to a role, see Adding and Removing IAM Policies in the IAM User Guide.
For general access to Neptune, you can use one of Neptune's managed policies. For more restricted access, you can create your own custom policy using the administrative actions and resources that Neptune supports..
In a custom IAM policy, you can use two different kinds of policy statement that control different modes of access to a Neptune DB cluster:
-
Administrative policy statements – Administrative policy statements provide access to the Neptune management APIs that you use to create, configure and manage a DB cluster and its instances.
Because Neptune shares functionality with Amazon RDS, administrative actions, resources, and condition keys in Neptune policies use an
rds:
prefix by design. -
Data-access policy statements – Data-access policy statements use data-access actions, resources, and condition keys to control access the data that a DB cluster contains.
Neptune data-access actions, resources and condition keys use a
neptune-db:
prefix.
Using IAM condition context keys in Amazon Neptune
You can specify conditions in an IAM policy statement that controls access to Neptune. The policy statement then takes effect only when the conditions are true.
For example, you might want a policy statement to take effect only after a specific date, or allows access only when a specific value is present in the request.
To express conditions, you use predefined condition keys in the Condition
element of a policy statement, together with IAM
condition policy operators such as equals or less than.
If you specify multiple Condition
elements in a statement, or
multiple keys in a single Condition
element, Amazon evaluates them using
a logical AND
operation. If you specify multiple values for a single
condition key, Amazon evaluates the condition using a logical OR
operation. All of the conditions must be met before the statement's permissions are
granted.
You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM Policy Elements: Variables and Tags in the IAM User Guide.
The data type of a condition key determines which condition operators you can use to compare values in the request with the values in the policy statement. If you use a condition operator that is not compatible with that data type, the match always fails and the policy statement never applies.
Neptune supports different sets of condition keys for administrative policy statements than for data-access policy statements:
Support for IAM policy and access-control features in Amazon Neptune
The following table shows what IAM features Neptune supports for administrative policy statements and data-access policy statements:
IAM feature | Administrative | Data-access |
---|---|---|
Yes |
Yes |
|
No |
No |
|
Yes |
Yes |
|
Yes |
Yes |
|
Yes |
(a subset) |
|
Yes |
No |
|
No |
No |
|
Yes |
Yes |
|
Yes |
No |
IAM Policy Limitations
Changes to an IAM policy take up to 10 minutes to apply to the specified Neptune resources.
IAM policies applied to a Neptune DB cluster apply to all instances in that cluster.
Neptune does not currently support cross-account access control.