Amazon Neptune
User Guide (API Version 2017-11-29)

Neptune Database Authentication Using IAM

You can authenticate to your Neptune DB instance or DB cluster using AWS Identity and Access Management (IAM) database authentication. When IAM database authentication is enabled, each request must be signed using AWS Signature Version 4.

AWS Signature Version 4 is the process for adding authentication information to AWS requests. For security, every request to a Neptune DB cluster with IAM authentication enabled must be signed with an AWS access key, which consists of an access key ID and a secret access key (temporary credentials, such as those of an assumed role, also carry a session token that must be sent with the signed request). Authentication is handled by IAM; what a signed request is allowed to do is governed by the IAM policies attached to the user or role.

Neptune authenticates on connection, and for WebSockets connections it verifies the permissions periodically to ensure that the user still has access.

Note

  • Revoking, deleting, or rotating the credentials associated with the IAM user does not terminate connections that are already open, so don't rely on it to cut off an active session.

  • There are limits on the number of concurrent WebSocket connections per database instance, and on how long a connection can remain open. For more information, see WebSockets Limits.
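The signing flow described above, as an added example that is not part of the Neptune User Guide or of any AWS sample code: a minimal Signature Version 4 signer in Python for a Gremlin query POSTed to Neptune's HTTP endpoint. The endpoint host name, port, credentials and query are placeholders and the request is only built, never sent. The session-token handling is included because temporary credentials (an assumed role or an instance profile) must also send X-Amz-Security-Token under the signature, which the text above does not spell out.

```python
# Added example: a minimal AWS Signature Version 4 signer for an HTTP request
# to a Neptune endpoint. Not from the Neptune User Guide. The endpoint, port,
# credentials and query are placeholders; nothing is sent over the network.
import datetime
import hashlib
import hmac
import json
import urllib.parse

SERVICE = "neptune-db"          # SigV4 service name used for Neptune IAM auth
ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _uri_encode(s: str, safe: str = "-_.~") -> str:
    return urllib.parse.quote(s, safe=safe)


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Derive the signing key: HMAC chain over date, region, service, terminator."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, query, body, region, access_key, secret_key,
                 session_token=None, extra_headers=None, now=None):
    """Return the headers to send, including Authorization.

    host is the Host header as sent on the wire (endpoint:port). session_token
    is required for temporary credentials (assumed role, instance profile): it
    is sent as X-Amz-Security-Token and is covered by the signature.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body)

    headers = {k.lower(): v for k, v in (extra_headers or {}).items()}
    headers.update({
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    })
    if session_token:
        headers["x-amz-security-token"] = session_token

    # Canonical request: method, URI, sorted query, sorted headers, payload hash.
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}"
                               for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        _uri_encode(path, safe="/-_.~"),
        canonical_query,
        canonical_headers,
        signed_headers,
        payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def sign_gremlin_query(gremlin, host, region, access_key, secret_key,
                       session_token=None, now=None):
    """Sign a Gremlin query POSTed as JSON to /gremlin, Neptune's HTTP endpoint."""
    body = json.dumps({"gremlin": gremlin}).encode("utf-8")
    headers = sign_request("POST", host, "/gremlin", {}, body, region,
                           access_key, secret_key, session_token,
                           extra_headers={"Content-Type": "application/json"}, now=now)
    return headers, body


if __name__ == "__main__":
    # Placeholder endpoint and credentials. An HTTP client would POST body
    # together with headers to https://<host>/gremlin.
    headers, body = sign_gremlin_query(
        "g.V().limit(1)",
        host="db.cluster-abcdefghijkl.us-east-1.neptune.amazonaws.com:8182",
        region="us-east-1",
        access_key="AKIDEXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    )
    print(headers["authorization"])
```

Everything that is signed (method, path, query, the listed headers and the SHA-256 of the body) is what Neptune recomputes on its side, so a request whose body or date is altered in transit fails verification; the Date header also bounds how long a captured signature stays usable.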

Enabling IAM Authentication in Neptune

By default, IAM database authentication is disabled when you create an Amazon Neptune DB cluster. You can enable IAM database authentication (or disable it again) using the AWS Management Console.

To create a new Neptune DB cluster with IAM authentication by using the console, follow the instructions for creating a Neptune DB cluster in Launching a Neptune DB Cluster Using the Console.

On the second page of the creation process, for Enable IAM DB Authentication, choose Yes.

To enable or disable IAM authentication for an existing DB instance or cluster

  1. Sign in to the AWS Management Console, and open the Amazon Neptune console at https://console.aws.amazon.com/neptune/home.

  2. In the navigation pane, choose Clusters.

  3. Choose the Neptune DB cluster that you want to modify, and choose Cluster actions. Then choose Modify cluster.

  4. In the Database options section, for IAM DB Authentication, choose either Enable IAM DB authorization or No (to disable). Then choose Continue.

  5. To apply the changes immediately, choose Apply immediately.

  6. Choose Modify cluster.

Creating and Using an IAM Policy for IAM Database Access

To allow an IAM user to connect to your Amazon Neptune DB cluster, you must create an IAM policy. After that, you attach the policy to an IAM user or role. For information about attaching a policy to a role, see Adding and Removing IAM Policies in the IAM User Guide.

Note

The IAM policy, IAM user, and Neptune DB cluster must be in the same account. Cross-account access is not supported.

The following example policy allows an IAM user to connect to Neptune DB cluster using IAM database authentication.

Important

The neptune-db Amazon Resource Name (ARN) for the IAM authorization Resource is not the same as the ARN assigned to the cluster on creation. You must construct the ARN as shown in Constructing a Resource ARN for a Cluster.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "neptune-db:*"
            ],
            "Resource": [
                "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
            ]
        }
    ]
}

Important

The neptune-db: prefix and the neptune-db:* action are only for IAM database authentication. They aren't valid in any other context.

The Resource element above uses this Neptune-specific ARN format; the next section explains how to build it.

Constructing a Resource ARN for a Cluster

The policy contains a single statement with the following elements:

  • Effect—To grant access to the DB cluster, specify Allow. If you don't explicitly allow access, access is denied by default.

  • Action—To allow connection to the DB cluster, specify neptune-db:*.

  • Resource—Specify an ARN that describes a specific DB cluster. The ARN format is as follows:

    arn:aws:neptune-db:region:account-id:cluster-resource-id/*

    This format contains the following:

    • region is the AWS Region for the Amazon Neptune DB cluster. In the example policy, the AWS Region is us-east-1.

    • account-id is the AWS account number for the DB cluster. In the example policy, the account number is 123456789012.

    • cluster-resource-id is a resource id for the DB cluster. In the example policy, the identifier is cluster-ABCD1234EFGH5678IJKL90MNOP.

      Important

      The cluster-resource-id is different from the cluster identifier.

      To find a cluster resource ID in the AWS Management Console for Amazon Neptune, choose the DB cluster that you want. The Resource ID is shown in the Details section.

Important

  • Changes to an IAM policy take up to 10 minutes to apply to the specified Neptune resources.

  • IAM policies that are applied to a Neptune DB cluster apply to all instances in that cluster.

IAM Authentication Policy Examples

The following example policies each require a constructed resource ARN. The ARNs can use wildcards to match multiple resources.


Granting Access to All Clusters

The following policy uses the "*" character to match all of the DB clusters for a particular AWS account and Region.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "neptune-db:*"
            ],
            "Resource": [
                "arn:aws:neptune-db:us-east-1:123456789012:*/*"
            ]
        }
    ]
}

The IAM user has access to everything on every Neptune DB cluster in that account and Region. Neptune does not support fine-grained access control.

The resource ARN in the "Resource" list in the policy is not the same as a cluster ARN. It must be constructed according to the resource ARN format. For more information, see Constructing a Resource ARN for a Cluster.

Denying Access to a Specific Cluster

The following policy denies access to a DB cluster for a particular AWS account and AWS Region.

By default, IAM denies access to a DB cluster unless a statement with an Allow Effect grants it.

To make sure that access is blocked even if some other policy grants it, use the Deny Effect. An explicit Deny takes precedence over any Allow.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "neptune-db:*"
            ],
            "Resource": [
                "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
            ]
        }
    ]
}

The IAM user is denied access to everything on the Neptune DB cluster. Neptune does not support fine-grained access control.


Denying Access to All Clusters

The following policy denies access to all DB clusters for a particular AWS account and Region.

As in the previous example, the explicit Deny takes precedence over any Allow, so no other policy attached to the user can grant neptune-db:* on these clusters.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "neptune-db:*"
            ],
            "Resource": [
                "arn:aws:neptune-db:us-east-1:123456789012:*/*"
            ]
        }
    ]
}

The IAM user is denied access to everything on every Neptune DB cluster in that account and Region. Neptune does not support fine-grained access control.

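Putting Constructing a Resource ARN for a Cluster and the policy examples above into code, as an added example that is not part of the Neptune User Guide: it builds the neptune-db ARN from a cluster resource ID read out of a describe-db-clusters response, refuses the cluster's own ARN and the cluster identifier (the two values most often mistaken for the resource ID), and emits the Allow and Deny policies. The sample response is constructed; cluster names, resource IDs and the account number are placeholders, and the resource-ID pattern is assumed from the format of the example on this page. DbClusterResourceId, DBClusterArn and IAMDatabaseAuthenticationEnabled are fields of the real aws neptune describe-db-clusters output, but the values here are made up.

```python
# Added example (not from the Neptune User Guide): build the neptune-db
# resource ARN used by IAM database authentication from the cluster resource
# ID, and emit Allow/Deny policies. The describe-db-clusters response below is
# constructed sample data; names, IDs and the account number are placeholders.
import json
import re

# Assumed from the page's example: "cluster-" followed by upper-case letters/digits.
RESOURCE_ID_RE = re.compile(r"^cluster-[A-Z0-9]+$")

# Constructed sample of `aws neptune describe-db-clusters` output (trimmed).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBClusters": [
        {
            "DBClusterIdentifier": "orders-graph",
            "DbClusterResourceId": "cluster-ABCD1234EFGH5678IJKL90MNOP",
            "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:orders-graph",
            "IAMDatabaseAuthenticationEnabled": True,
        },
        {
            "DBClusterIdentifier": "analytics-graph",
            "DbClusterResourceId": "cluster-QRST1234UVWX5678YZAB90CDEF",
            "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:analytics-graph",
            "IAMDatabaseAuthenticationEnabled": False,
        },
    ]
})


def neptune_db_arn(region: str, account_id: str, resource_id: str) -> str:
    """Return arn:aws:neptune-db:region:account-id:cluster-resource-id/*.

    Rejects the two values commonly mistaken for the resource ID: the
    cluster's own ARN (arn:aws:rds:...:cluster:name) and the cluster identifier.
    """
    if resource_id.startswith("arn:"):
        raise ValueError("got a cluster ARN; use the cluster resource ID instead")
    if not RESOURCE_ID_RE.match(resource_id):
        raise ValueError(f"{resource_id!r} is not a cluster resource ID "
                         "(expected cluster-XXXX...); did you pass the cluster identifier?")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be the 12-digit AWS account number")
    return f"arn:aws:neptune-db:{region}:{account_id}:{resource_id}/*"


def all_clusters_arn(region: str, account_id: str) -> str:
    """Wildcard form matching every cluster in the account and Region."""
    return f"arn:aws:neptune-db:{region}:{account_id}:*/*"


def neptune_db_policy(effect: str, resources: list) -> dict:
    """Single-statement policy; neptune-db:* is the only action Neptune supports."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("effect must be Allow or Deny")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": effect,
            "Action": ["neptune-db:*"],
            "Resource": list(resources),
        }],
    }


def clusters_from_describe(describe_json: str, region: str, account_id: str) -> dict:
    """Map each cluster identifier to its neptune-db ARN and its IAM-auth state.

    The policy is only enforced on clusters with IAM DB authentication enabled;
    with it disabled, the cluster accepts unsigned requests from inside the VPC.
    """
    result = {}
    for c in json.loads(describe_json)["DBClusters"]:
        result[c["DBClusterIdentifier"]] = {
            "arn": neptune_db_arn(region, account_id, c["DbClusterResourceId"]),
            "iam_auth_enabled": bool(c["IAMDatabaseAuthenticationEnabled"]),
        }
    return result


if __name__ == "__main__":
    info = clusters_from_describe(SAMPLE_DESCRIBE_OUTPUT, "us-east-1", "123456789012")
    for name, meta in info.items():
        flag = "" if meta["iam_auth_enabled"] else "   <-- IAM auth disabled: policy not enforced"
        print(f"{name}: {meta['arn']}{flag}")
    print(json.dumps(neptune_db_policy("Allow", [info["orders-graph"]["arn"]]), indent=4))
    print(json.dumps(neptune_db_policy("Deny", [all_clusters_arn("us-east-1", "123456789012")]), indent=4))
```

The flag on clusters that still have IAM DB authentication disabled is the check worth running before attaching a policy: a neptune-db policy grants or denies nothing on such a cluster, because the cluster is not asking callers to sign at all.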

Next, you attach the IAM policy to a user. For more information, see Attaching an IAM Policy to an IAM User.

Attaching an IAM Policy to an IAM User

After you create an IAM policy to allow database authentication, you attach the policy to an IAM user. For a tutorial on this topic, see Create and Attach Your First Customer Managed Policy in the IAM User Guide.

As you work through the tutorial, you can use one of the policy examples shown in this section as a starting point and tailor it to your needs. At the end of the tutorial, you have an IAM user with an attached policy that can use the neptune-db:* action.


IAM Policy Limitations

Changes to an IAM policy take up to 10 minutes to apply to the specified Neptune resources.

IAM policies that are applied to a Neptune DB cluster apply to all instances in that cluster.

Neptune does not support the following:

  • AWS global and IAM condition context keys.

  • Fine-grained access control.

  • Actions other than neptune-db:*. A user must have a policy granting the neptune-db:* action to access an instance.

  • Cross-account access.