Security pillar - AWS Prescriptive Guidance

Security pillar

Cloud security is the highest priority at AWS. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations. Security is a shared responsibility between you and AWS. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of AWS security as part of AWS compliance programs. To learn about the compliance programs that apply to Neptune, see AWS Services in Scope by Compliance Program.

  • Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors, including the sensitivity of your data, your company's requirements, and applicable laws and regulations. For more information about data privacy, see the Data Privacy FAQs. For information about data protection in Europe, see the AWS Shared Responsibility Model and GDPR blog post.

The security pillar of the AWS Well-Architected Framework helps you understand how to apply the shared responsibility model when you use Neptune Analytics. The following topics explain how to configure Neptune Analytics to meet your security and compliance objectives. You also learn how to use other AWS services that help you monitor and secure your Neptune Analytics resources. The security pillar includes the following key focus areas:

  • Data security

  • Network security

  • Authentication and authorization

Implement data security

Data leakage and breaches put your customers at risk and can cause substantial negative impact on your company. The following best practices help protect your customer data from inadvertent and malicious exposure:

  • Graph names, tags, IAM roles, and other metadata should not contain confidential or sensitive information, because that data might appear in billing or diagnostic logs.

  • URIs or links to external servers stored as data in Neptune should not contain credential information to validate requests.

  • A Neptune Analytics graph is encrypted at rest. You can use the default key or an AWS Key Management Service (AWS KMS) key of your choosing to encrypt the graph. You can also encrypt snapshots and data that's exported to Amazon S3 during bulk import. You can remove the encryption when the import is complete.

  • When you use the openCypher language, practice proper input validation and parameterization techniques to prevent query injection (the openCypher analogue of SQL injection) and other forms of attacks. Avoid constructing queries that use string concatenation with user-supplied input. Use parameterized queries or prepared statements to safely pass input parameters to the graph database. For more information, see Examples of openCypher parameterized queries in the Neptune documentation.

Secure your networks

You can enable a Neptune Analytics graph for public connectivity so it can be reached from outside a virtual private cloud (VPC). This connectivity is disabled by default. The graph requires IAM authentication. The caller must obtain an identity and have permissions to use the graph. For example, to run an openCypher query, the caller would need to have read, write, or delete permissions on the specific graph.

You can also create private endpoints for the graph to access the graph from within a VPC. When you create the endpoint, you specify the VPC, subnets, and security groups to restrict access to call the graph.

To protect your data in transit, Neptune Analytics enforces SSL connections through HTTPS to the graph. For more information, see Data protection in Neptune Analytics in the Neptune Analytics documentation.

Implement authentication and authorization

Calls to a Neptune Analytics graph require IAM authentication. The caller must obtain an identity and possess sufficient permissions to perform the action on the graph. For descriptions of API actions and their required permissions, see the Neptune Analytics API documentation. You can enforce condition checks to restrict access by tag.

IAM authentication uses the AWS Signature Version 4 (SigV4) protocol. To simplify usage from your application, we recommend that you use an AWS SDK. For example, in Python, use the Boto3 client for Neptune Graph, which abstracts SigV4.
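The following example, added here and not part of the AWS documentation, shows the parameterization advice from the data security section together with the Boto3 neptune-graph client. The graph identifier is a placeholder; the `execute_query` keyword arguments (`graphIdentifier`, `queryString`, `language`, `parameters`) and the JSON `payload` in the response are assumed from the Boto3 API, and the client is passed in so the helpers run without network access.

```python
import json

# Constructed placeholder graph identifier; replace with your own graph id.
GRAPH_ID = "g-EXAMPLE0000"


def unsafe_query(name: str) -> str:
    """Anti-pattern: splices caller input into the query text.
    A single quote in the input changes the structure of the query,
    so the engine no longer sees the value as one literal."""
    return "MATCH (p:Person {name: '" + name + "'}) RETURN p.name AS name"


def safe_query(name: str) -> tuple:
    """Parameterized form: the query text is a constant and the value is
    sent separately as $name, so it is always treated as a literal."""
    query = "MATCH (p:Person {name: $name}) RETURN p.name AS name"
    return query, {"name": name}


def find_person(client, graph_id: str, name: str) -> list:
    """Run the parameterized lookup through a Boto3 neptune-graph client.

    Create the client with boto3.client("neptune-graph", region_name=...);
    it signs every request with SigV4 using the caller's IAM credentials,
    so the application never has to implement the signing itself.
    """
    query, params = safe_query(name)
    resp = client.execute_query(
        graphIdentifier=graph_id,
        queryString=query,
        language="OPEN_CYPHER",
        parameters=params,  # assumed to accept a dict (JSON document)
    )
    body = json.loads(resp["payload"].read())
    return body.get("results", [])
```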

When you load data into the graph, batch loading uses the IAM credentials of the caller. The caller must have permissions to download data from Amazon S3, and the role's trust relationship must be set up so that Neptune Analytics can assume the role to load the data into the graph from Amazon S3 files.

Bulk import can be performed either during graph creation (by the infrastructure team) or on an existing, empty graph (by the data engineering team that has permissions to start import tasks). In both cases, Neptune Analytics assumes the IAM role that the caller provides as input. This role gives it permission to read and list the contents of the Amazon S3 folder where input data is staged.
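As an added example (not AWS code), the following builds the two policies the import role needs, a trust policy that only lets the Neptune Analytics service assume the role and a permissions policy scoped to the S3 staging prefix, checks the trust policy for over-broad principals, and starts the import with the Boto3 `start_import_task` call. The bucket, prefix and graph id are placeholders; the service principal `neptune-graph.amazonaws.com` and the `start_import_task` keyword arguments are assumed from the AWS documentation.

```python
# Constructed placeholders; substitute your bucket, prefix and graph id.
BUCKET = "example-import-bucket"
PREFIX = "staging/people/"
GRAPH_ID = "g-EXAMPLE0000"
NEPTUNE_ANALYTICS_PRINCIPAL = "neptune-graph.amazonaws.com"  # assumed


def import_role_trust_policy() -> dict:
    """Trust relationship: only the Neptune Analytics service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": NEPTUNE_ANALYTICS_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def import_role_permissions(bucket: str, prefix: str) -> dict:
    """Least privilege: read objects under the staging prefix and list only that prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        ],
    }


def check_trust_policy(policy: dict) -> bool:
    """Return False if any Allow statement trusts anything but the service principal."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False  # "*", account principals or federated identities
        services = principal["Service"]
        if isinstance(services, str):
            services = [services]
        if any(s != NEPTUNE_ANALYTICS_PRINCIPAL for s in services):
            return False
    return True


def start_import(client, graph_id: str, role_arn: str, bucket: str, prefix: str) -> str:
    """Start the load; Neptune Analytics assumes role_arn to read the staged files."""
    resp = client.start_import_task(graphIdentifier=graph_id, source=f"s3://{bucket}/{prefix}",
                                    roleArn=role_arn, format="CSV")
    return resp["taskId"]
```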