Amazon Neptune
User Guide (API Version 2017-11-29)

Manage Access with IAM

This section shows you how to select permissions that specify which Neptune actions a user or group can perform on which Neptune resources.

You can use AWS Identity and Access Management (IAM) and Neptune to help secure your resources by controlling who can access them.

Note

If you want to use IAM to authenticate to a cluster or instance, see the IAM Database Authentication for Neptune section.

Authentication

You can access AWS as any of the following types of identities:

  • AWS account root user – When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, follow the best practice of using the root user only to create your first IAM user. Then enable multi-factor authentication (MFA) on the root user, securely lock away its credentials, and use them only for the few account and service management tasks that require the root user.

  • IAM user – An IAM user is an identity within your AWS account that has specific custom permissions (for example, permissions to create a Neptune DB instance in Neptune). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.

    In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys to cryptographically sign your request: the secret access key is never transmitted, but is used to derive a signing key that produces a signature over the request. If you don't use AWS tools, you must sign the request yourself. Neptune supports Signature Version 4, a protocol for authenticating inbound API requests. Access keys are long-lived credentials, so treat them as secrets, keep them out of source code and machine images, and rotate them regularly. For more information about authenticating requests, see Signature Version 4 Signing Process in the AWS General Reference.

  • IAM role – An IAM role is an IAM identity that you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary security credentials (an access key ID, a secret access key, and a session token) that expire automatically and can be used to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – Instead of creating an IAM user, you can use existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide.

    • AWS service access – You can use an IAM role in your account to grant an AWS service permissions to access your account's resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon Redshift cluster. The Neptune bulk loader uses the same pattern to read load files from Amazon S3. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

    • Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide.
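The signing process described above, carried out by hand so that each step is visible. This is an added example, not code from the Neptune documentation or the AWS SDKs: it derives the Signature Version 4 signing key with the four chained HMACs, builds the canonical request and string to sign, and emits the Authorization header; when temporary credentials from an IAM role are used, the session token is added as X-Amz-Security-Token and included in the signed headers. The credentials are the example key pair AWS uses in its own documentation, and the sample request (host, query parameters, API version) is a constructed DescribeDBClusters call against the RDS-shared management endpoint, assumed for illustration.

```python
"""Signature Version 4 by hand: derive the signing key, then sign one request."""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Chain of four HMACs. The raw secret never signs a request directly, and the
    derived key is only valid for one day, one region and one service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, access_key, secret_key,
                 region, service, amz_date, session_token=None):
    """Return the request headers with X-Amz-Date, optionally X-Amz-Security-Token,
    and Authorization added. amz_date is ISO 8601 basic format, e.g. 20120215T000000Z."""
    date_stamp = amz_date[:8]
    # Canonical headers: lowercase names, whitespace-trimmed values, sorted by name.
    hdrs = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:  # temporary credentials from an IAM role carry a session token
        hdrs["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    # Query parameters sorted by name, RFC 3986 encoded (only unreserved chars left bare).
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    # The canonical URI is the path URI-encoded twice (Amazon S3 is the exception: once).
    canonical_uri = quote(quote(path, safe="/-_.~"), safe="/-_.~")
    payload_hash = _sha256_hex(body)  # the body is bound into the signature via its hash
    canonical_request = "\n".join([method, canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


# Constructed sample: the example credentials AWS uses in its own documentation, and a
# DescribeDBClusters call against the RDS-shared management endpoint (assumed host/query).
SAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def sample_signed_headers(session_token=None, body=b""):
    return sign_request(
        method="GET", host="rds.us-east-1.amazonaws.com", path="/",
        query={"Action": "DescribeDBClusters", "Version": "2014-10-31"},
        headers={}, body=body, access_key=SAMPLE_ACCESS_KEY, secret_key=SAMPLE_SECRET_KEY,
        region="us-east-1", service="rds", amz_date="20120215T000000Z",
        session_token=session_token)


if __name__ == "__main__":
    for name, value in sample_signed_headers().items():
        print(f"{name}: {value}")
```

The derived key for the documented inputs (secret key above, date 20120215, region us-east-1, service iam) matches the kSigning value printed in the AWS General Reference, which is a quick way to validate any hand-written implementation before pointing it at a real endpoint. Note that the signature covers the host, date, any extra signed headers and the payload hash, so a request whose body is modified in transit fails verification.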

Permissions Required to Use the Amazon Neptune Console

For a user to work with the Amazon Neptune console, that user must have a minimum set of permissions. These permissions allow the user to describe the Neptune resources for their AWS account and to provide other related information, including Amazon EC2 security and network information.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the Neptune console, also attach the NeptuneReadOnlyAccess managed policy to the user, as described in AWS Managed (Predefined) Policies for Amazon Neptune.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the Amazon Neptune API.

AWS Managed (Predefined) Policies for Amazon Neptune

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users, groups, or roles in your account, are specific to Amazon Neptune:

  • NeptuneReadOnlyAccess – Grants the attached principal read-only access to all Amazon Neptune resources in the AWS account.

  • NeptuneFullAccess – Grants the attached principal full access to all Amazon Neptune resources in the AWS account. This is the policy to use if you need full Neptune access from the CLI or SDK but not from the AWS Management Console.

  • NeptuneConsoleFullAccess – Grants the attached principal full access to all Amazon Neptune resources in the AWS account and adds the permissions the console needs, including limited IAM and EC2 (VPC) permissions.

Important

These managed policies also grant some access to Amazon RDS resources, because for certain management features Neptune uses operational technology that is shared with Amazon RDS. Review the policy documents before attaching them if the same account also runs RDS databases.

You can also create custom IAM policies that allow users to access only the Amazon Neptune API actions and resources they require. You can attach these custom policies to the IAM users, groups, or roles that need those permissions.

Because the shared technology includes the management API, the actions you allow or deny in a custom policy use the rds: prefix. To restrict access to a specific set of actions, see Access Control Overview in the Amazon RDS documentation.
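Two checks worth running on a custom policy before attaching it, as an added example that is not part of the Neptune documentation or any AWS tool: whether the policy is more restrictive than the console needs (the situation described above, whose remedy is to also attach NeptuneReadOnlyAccess), and whether any statement pairs a wildcard action with a wildcard resource. The probe list of rds: and ec2: describe actions is a constructed stand-in for what a read-only console session is assumed to need, not a copy of the NeptuneReadOnlyAccess policy, and the two sample policies and the cluster ARN in them are constructed for illustration.

```python
"""Lint a custom Neptune management policy before attaching it (added example)."""
import fnmatch
import json

# Constructed probe set: concrete management actions a read-only console session is
# assumed to need. Neptune's management API is shared with Amazon RDS, so these are rds:
# actions, plus the EC2 describe calls the console uses for VPC and security-group info.
# This is a stand-in for the real NeptuneReadOnlyAccess policy, not a copy of it.
CONSOLE_PROBE_ACTIONS = [
    "rds:DescribeDBClusters",
    "rds:DescribeDBInstances",
    "rds:DescribeDBSubnetGroups",
    "rds:DescribeDBClusterParameterGroups",
    "rds:ListTagsForResource",
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy: dict, action: str) -> bool:
    """True if some Allow statement matches the action and no Deny statement does.
    Resource and Condition elements are ignored on purpose: the question here is only
    whether the action is reachable at all, which is what the console check needs."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            continue  # not handled by this linter; treated as granting nothing
        hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        if hit and stmt.get("Effect") == "Allow":
            allowed = True
        if hit and stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def missing_console_actions(policy: dict, probe=CONSOLE_PROBE_ACTIONS) -> list:
    """Probe actions the policy does not allow. A non-empty result means the policy is
    more restrictive than the console needs; the documented remedy is to also attach
    the NeptuneReadOnlyAccess managed policy."""
    return [a for a in probe if not is_allowed(policy, a)]


def overly_broad_statements(policy: dict) -> list:
    """Indexes of Allow statements pairing a wildcard action ('*' or 'service:*')
    with Resource '*'. These are the statements a least-privilege review should question."""
    broad = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in resources:
            broad.append(i)
    return broad


# Constructed sample policies (the account ID and cluster name are placeholders).
TIGHT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["rds:DescribeDBClusters", "rds:DescribeDBInstances"],
    "Resource": "arn:aws:rds:us-east-1:123456789012:cluster:example-neptune-cluster"
  }]
}""")

BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
                {"Effect": "Deny", "Action": "rds:Delete*", "Resource": "*"}]
}""")

if __name__ == "__main__":
    print("TIGHT_POLICY lacks:", missing_console_actions(TIGHT_POLICY))
    print("BROAD_POLICY broad statements:", overly_broad_statements(BROAD_POLICY))
```

TIGHT_POLICY is fine for a CLI user who only lists clusters, but the console also needs the subnet-group, parameter-group, tag and EC2 describe calls, so it fails the first check and should be paired with NeptuneReadOnlyAccess. BROAD_POLICY passes the console check but its first statement is flagged: the explicit Deny on rds:Delete* narrows it, yet rds:* on every resource still permits every other create and modify action in the account.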