AWS Security ChangesHomeSearch

AWS neptune documentation change

Service: neptune · 2026-03-04 · Documentation medium

File: neptune/latest/userguide/access-graph-gremlin-java.md

Summary

Updated SSL/TLS configuration guidance and deprecated certificate setup methods for Java client connections

Security assessment

The changes clarify secure connection requirements and certificate management best practices, but don't address a specific security vulnerability.

Diff

diff --git a/neptune/latest/userguide/access-graph-gremlin-java.md b/neptune/latest/userguide/access-graph-gremlin-java.md
index 84103db93..1298e423d 100644
--- a//neptune/latest/userguide/access-graph-gremlin-java.md
+++ b//neptune/latest/userguide/access-graph-gremlin-java.md
@@ -83,0 +84,7 @@ When prompted, enter the number for Java 11.
+        <!-- https://mvnrepository.com/artifact/org.apache.tinkerpop/gremlin-groovy
+          (Not needed for TinkerPop version 3.5.2 and up)
+        <dependency>
+          <groupId>org.apache.tinkerpop</groupId>
+          <artifactId>gremlin-groovy</artifactId>
+          <version>3.7.2</version>
+        </dependency> -->
@@ -217 +224,3 @@ The following methods submit the query to the Neptune DB instance:
-Neptune requires SSL/TLS to be enabled by default. Typically, if the Java driver is configured with `enableSsl(true)`, it can connect to Neptune without having to set up a `trustStore()` or `keyStore()` with a local copy of a certificate. However, if the instance with which you are connecting doesn't have an internet connection through which to verify a public certificate, or if the certificate you're using isn't public, you can take the following steps to configure a local certificate copy:
+Neptune requires SSL/TLS to be enabled by default. Typically, if the Java driver is configured with `enableSsl(true)`, it can connect to Neptune without having to set up a `trustStore()` or `keyStore()` with a local copy of a certificate. Earlier versions of TinkerPop encouraged use of `keyCertChainFile()` to configure a locally stored `.pem` file, but that has been deprecated and no longer available after 3.5.x. If you were using that setup with a public certificate, using `SFSRootCAG2.pem`, you can now remove the local copy.
+
+However, if the instance with which you are connecting doesn't have an internet connection through which to verify a public certificate, or if the certificate you're using isn't public, you can take the following steps to configure a local certificate copy: