Amazon Neptune
User Guide (API Version 2017-11-29)

Security in Amazon Neptune

There are multiple ways for you to secure your Amazon Neptune clusters.

IAM Permissions for Cluster Management

To control who can perform Neptune management actions on Neptune DB clusters and DB instances, you use AWS Identity and Access Management (IAM). When you connect to AWS using IAM credentials, your IAM account must have IAM policies that grant the permissions that are required to perform Neptune management operations. For more information, see Identity and Access Management in Amazon Neptune.

If you are using an IAM account to access the Neptune console, you must first sign in to the AWS Management Console using your IAM account. Then open the Neptune console at

VPC and VPC Security Groups

Neptune DB clusters must be created in an Amazon Virtual Private Cloud (Amazon VPC). To control which devices and EC2 instances can open connections to the endpoint and port of the DB instance for Neptune DB clusters in a VPC, you use a VPC security group. For more information about VPCs, see Creating a Security Group to Provide Access to a Neptune DB Instance in a VPC.

IAM Authentication

You can use IAM database authentication for Neptune. With IAM database authentication, you authenticate to your Neptune DB cluster with an IAM user. For more information, see Neptune Database Authentication Using IAM.

Encryption at Rest

You can use AWS Key Management Service (AWS KMS) to create encryption keys and then use those keys to encrypt Neptune cluster data at rest. For more information, see Encrypting Neptune Resources at Rest.