AWS neptune documentation change
Summary
Updated managed policy descriptions with clearer action scopes and use cases, added sections on creating custom policies and validating IAM policies, and corrected links for Neptune Analytics policies.
Security assessment
The changes enhance documentation about IAM security best practices by adding guidance on custom policy creation and policy validation tools (IAM Access Analyzer/Policy Simulator), but don't indicate a specific security vulnerability. The updates improve security awareness by clarifying least-privilege principles without addressing an active exploit.
Diff
diff --git a/neptune/latest/userguide/security-iam-access-managed-policies.md b/neptune/latest/userguide/security-iam-access-managed-policies.md index ca04dee1e..a6c776cef 100644 --- a//neptune/latest/userguide/security-iam-access-managed-policies.md +++ b//neptune/latest/userguide/security-iam-access-managed-policies.md @@ -7 +7 @@ -Updates +Custom policiesValidating policiesUpdates @@ -15 +15 @@ The following AWS managed policies, which you can attach to users in your accoun - * **[NeptuneReadOnlyAccess](./read-only-access-iam-managed-policy.html)** — Grants read-only access to all Neptune resources for both administrative and data-access purposes in the root AWS account. + * **[NeptuneReadOnlyAccess](./read-only-access-iam-managed-policy.html)** — Grants read-only administrative actions (such as `rds:Describe*` and `rds:ListTagsForResource`) and read-only data-access actions (`neptune-db:Read*`, `neptune-db:Get*`, and `neptune-db:List*`) on all Neptune resources. Use this policy for users who need to view cluster configurations and query data without making changes. @@ -17 +17 @@ The following AWS managed policies, which you can attach to users in your accoun - * **[NeptuneFullAccess](./full-access-iam-managed-policy.html)** — Grants full access to all Neptune resources for both administrative and data-access purposes in the root AWS account. This is recommended if you need full Neptune access from the AWS CLI or SDK, but not for AWS Management Console access. + * **[NeptuneFullAccess](./full-access-iam-managed-policy.html)** — Grants all administrative actions (`rds:*` on Neptune resources) and all data-access actions (`neptune-db:*`). This policy is suitable for administrators who manage Neptune clusters through the AWS CLI or SDK but do not need AWS Management Console access. @@ -19 +19 @@ The following AWS managed policies, which you can attach to users in your accoun - * **[NeptuneConsoleFullAccess](./console-full-access-iam-managed-policy.html)** — Grants full access in the root AWS account to all Neptune administrative actions and resources, but not to any data-access actions or resources. It also includes additional permissions to simplify Neptune access from the console, including limited IAM and Amazon EC2 (VPC) permissions. + * **[NeptuneConsoleFullAccess](./console-full-access-iam-managed-policy.html)** — Grants all administrative actions on Neptune resources plus additional permissions for Amazon EC2 (VPC), IAM, and Neptune Analytics that are needed for AWS Management Console workflows. This policy does not include data-access actions (`neptune-db:*`). Use this policy for users who manage Neptune through the AWS Management Console. @@ -21 +21 @@ The following AWS managed policies, which you can attach to users in your accoun - * **[NeptuneGraphReadOnlyAccess](./graph-read-only-access-iam-managed-policy.html)** — Provides read-only access to all Amazon Neptune Analytics resources along with read-only permissions for dependent services + * **NeptuneGraphReadOnlyAccess** — This policy is for Neptune Analytics. For details, see [NeptuneGraphReadOnlyAccess in Neptune Analytics](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/security-iam-awsmanpol-graph-read-only.html). @@ -23 +23 @@ The following AWS managed policies, which you can attach to users in your accoun - * **[AWSServiceRoleForNeptuneGraphPolicy](./aws-service-role-for-neptune-graph-policy.html)** — Lets Neptune Analytics graphs to publish CloudWatch operational and usage metrics and logs. + * **AWSServiceRoleForNeptuneGraphPolicy** — This policy is for Neptune Analytics. For details, see [AWSServiceRoleForNeptuneGraphPolicy in Neptune Analytics](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/security-iam-awsmanpol-slr-policy.html). @@ -29,0 +30,21 @@ Neptune IAM roles and policies grant some access to Amazon RDS resources, becaus +## Creating custom policies + +If the AWS managed policies are too broad for your use case, you can create custom IAM policies that grant only the specific permissions you need. Neptune supports two categories of custom policies: + + * **Administrative policies** — Control access to Neptune management operations such as creating, modifying, and deleting clusters and instances. These actions use the `rds:` prefix. For examples, see [Creating IAM administrative policy statements for Amazon Neptune](./iam-admin-policy-examples.html). + + * **Data-access policies** — Control access to the data in your Neptune graph database, including read, write, and delete operations. These actions use the `neptune-db:` prefix. For examples, see [Creating IAM data-access policies in Amazon Neptune](./iam-data-access-examples.html). + + + + +By combining administrative and data-access policy statements, you can grant fine-grained permissions tailored to each user or role in your organization. + +## Validating IAM policies + +When you create or edit custom IAM policies, we recommend that you validate them before applying them to users, groups, or roles. + +**IAM Access Analyzer policy validation** — IAM Access Analyzer provides policy checks that validate your IAM policies against IAM policy grammar and AWS best practices. It identifies errors, security warnings, and suggestions to help you author policies that are functional and conform to security best practices. For more information, see [Validating policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the _IAM User Guide_. + +**IAM Policy Simulator** — The IAM Policy Simulator lets you test the effects of IAM policies before committing them to production. You can simulate API calls to AWS services to verify that your policies grant or deny the expected access. For more information, see [Testing IAM policies with the IAM Policy Simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html) in the _IAM User Guide_. + @@ -37,2 +58,2 @@ AWS managed policies for Amazon Neptune - update to existing policies | The `Nep -[NeptuneGraphReadOnlyAccess](./read-only-access-iam-managed-policy.html) (released) | Released to provide read-only access to Neptune Analytics graphs and resources. | 2023-11-29 -[AWSServiceRoleForNeptuneGraphPolicy](./aws-service-role-for-neptune-graph-policy.html) (released) | Released to allow Neptune Analytics graphs access to CloudWatch to publish operational and usage metrics and logs. See [Using service-linked roles (SLRs) in Neptune Analytics](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/nan-service-linked-roles.html). | 2023-11-29 +[NeptuneGraphReadOnlyAccess](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/security-iam-awsmanpol-graph-read-only.html) (released) | Released to provide read-only access to Neptune Analytics graphs and resources. | 2023-11-29 +[AWSServiceRoleForNeptuneGraphPolicy](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/security-iam-awsmanpol-slr-policy.html) (released) | Released to allow Neptune Analytics graphs access to CloudWatch to publish operational and usage metrics and logs. See [Using service-linked roles (SLRs) in Neptune Analytics](https://docs.aws.amazon.com/neptune-analytics/latest/userguide/nan-service-linked-roles.html). | 2023-11-29