Fine Grained Access Control for Amazon Neptune data plane actions

{"value":"[Amazon Neptune](https://aws.amazon.com/neptune/) is purpose-built to store and navigate relationships. This provides advantages over relational databases for use cases like social networking, recommendation engines, and fraud detection, where you need to create relationships between data and quickly query these relationships.\n\nAt Amazon Web Services, security is Job Zero. Neptune offers several security features, including network isolation, encryption, and resource-level permissions for database management through [Amazon Web Services Identity and Access Management](http://aws.amazon.com/iam) (IAM) in a [shared responsibility model](https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/shared-responsibility-model.html) that customers can use to deploy solutions that meet industry-specific certification requirements.\n\nNeptune is secured via network isolation, encryption at rest & transit and resource level permission for database management. In this post, we show how users can control access to Neptune database access APIs through new [Fine Grained Access Control (FGAC) data plane actions](https://docs.aws.amazon.com/neptune/latest/userguide/iam-dp-actions.html) in IAM policy. These actions provide control over read, write, delete, bulk loading, and other data plane operations.\n\n### **Network isolation**\n\nNeptune runs in [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc/) (Amazon VPC), which allows you to isolate your database in your virtual network. It can also connect to your on-premises IT infrastructure using industry-standard encrypted IPsec VPNs and [Amazon Web Services Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html). In addition, you can use the VPC configuration in Neptune to configure firewall settings and control network access to your database instances.\n\n### **Encryption at rest and in transit**\n\nNeptune allows you to encrypt your databases using keys you create and control through [Amazon Web Services Key Management Service](https://aws.amazon.com/kms/) (Amazon Web Services KMS). On a database instance running with Neptune encryption, data stored at rest in the underlying storage is encrypted, as are the automated backups, and snapshots in the same cluster.\n\nNeptune only allows [Secure Sockets Layer (SSL)/TLS 1.2](https://docs.aws.amazon.com/neptune/latest/userguide/security-ssl.html) connections through HTTPS to any instance or cluster endpoint. The client should connect to Neptune endpoints through SSL to help protect customer data, using HTTPS instead of HTTP.\n\n### **Resource-level permissions for database management**\n\nNeptune is integrated with IAM. It allows you to control the actions that your IAM users and groups can take on specific Neptune resources. These resources include clusters, cluster parameter groups, cluster snapshots, database instances, database snapshots, database parameter groups, database subnet groups and database event subscriptions. In addition, you can tag your Neptune resources and control the actions that your IAM users and groups can take on groups of resources that have the same tag (and tag value). For example, you can configure your IAM rules to ensure developers can modify development database instances, but only database administrators can modify and delete production database instances. The following diagram illustrates the high-level permission model for Neptune.\n\n\n\nBefore Neptune engine version 1.2.0.0, Neptune didn’t offer granular access control or tag-based access control for database access APIs also known as data plane actions (for example, querying and bulk loading), which are different from [database management APIs](https://docs.aws.amazon.com/neptune/latest/userguide/neptune-iam-admin-actions.html). This is reflected in the dashed lines in the preceding figure.\n\n### **New Fine Grained Access Control (FGAC) for Neptune data plane with IAM**\n\nStarting in [Neptune engine version 1.2.0.0](https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.2.0.0.html), users now have the ability to control access to database API through new [FGAC data plane actions](https://docs.aws.amazon.com/neptune/latest/userguide/iam-dp-actions.html) in IAM policy. These actions provide control over read, write, delete, bulk loading, and other data plane operations.\n\nNote: The “connect” IAM action is deprecated with this change. Existing IAM policies that are based on the deprecated connect action must be adjusted to use the more granular data plane actions. See [Types of Neptune data plane IAM policies](https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-access-examples.html).\n\nTo explain this, let’s take an example of a healthcare system. A typical hospital has patients, doctors, nurses, IT administrators, and researchers. These people have responsibilities that define what level of permission they have to create, modify, and delete patient records:\n\n- **Doctor** – Create, view, and edit patient records\n- **Nurse** – Create, view, and edit patient records\n- **Researcher** – Read patient records\n- **IT administrator** – Update access policies for all users\n\nThis example healthcare system uses Neptune as a graph database to store, manage, and track patients’ medical history. The following is a network/graph representation of the healthcare system.\n\n\n\nThe system needs the capability to define the different levels of permission for all personas based on their role. Neptune allows you to define security via network isolation and IAM-based access. The new set of IAM permissions extends existing IAM-based permissions to give more granular permissions to an IAM principal, including query level access to read, write, and delete.\n\nThe following policies illustrate the mappings of user personas to permissions.\n\n### **Researcher (read only)**\n\nThe following policy grants read access via query only permission to a Neptune database:\n\n```\n{\n \"Version\":\"2012-10-17\",\n \"Statement\":[\n {\n \"Action\":[\n \"neptune-db:ReadDataViaQuery\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Allow\"\n }\n ]\n}\n```\n### **Doctor and nurse (read, write, delete)**\n\nThe following policy grants read, write, and delete access via query to the Neptune database data plane actions:\n\n```\n{\n \"Version\":\"2012-10-17\",\n \"Statement\":[\n {\n \"Action\":[\n \"neptune-db:ReadDataViaQuery\",\n \"neptune-db:WriteDataViaQuery\",\n \"neptune-db:DeleteDataViaQuery\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Allow\"\n }\n ]\n}\n```\n### **IT administrator (full access)**\n\nThe following policy grants full access to the Neptune database data plane actions (minus Amazon Neptune ML actions):\n\n```\n{\n \"Version\":\"2012-10-17\",\n \"Statement\":[\n {\n \"Action\":[\n \"neptune-db:ReadDataViaQuery\",\n \"neptune-db:WriteDataViaQuery\",\n \"neptune-db:DeleteDataViaQuery\",\n \"neptune-db:GetEngineStatus\",\n \"neptune-db:GetStreamRecords\",\n \"neptune-db:StartLoaderJob\",\n \"neptune-db:GetLoaderJobStatus\",\n \"neptune-db:CancelLoaderJob\",\n \"neptune-db:ListLoaderJobs\",\n \"neptune-db:ResetDatabase\",\n \"neptune-db:GetStatisticsStatus\",\n \"neptune-db:DeleteStatistics\",\n \"neptune-db:ManageStatistics\",\n \"neptune-db:GetQueryStatus\",\n \"neptune-db:CancelQuery\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Allow\"\n }\n ]\n}\n```\n### **IT administrator (full access except for fast reset)**\n\nThe following policy grants full access to Neptune data plane actions except for [fast reset API](https://docs.aws.amazon.com/neptune/latest/userguide/manage-console-fast-reset.html):\n\n```\n{\n \"Version\":\"2012-10-17\",\n \"Statement\":[\n {\n \"Action\":[\n \"neptune-db:*\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Allow\"\n },\n {\n \"Action\":[\n \"neptune-db:ResetDatabase\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Deny\"\n }\n ]\n}\n```\n### **Global context keys with IAM policies**\n\n[Global context keys](https://docs.aws.amazon.com/neptune/latest/userguide/iam-condition-keys.html) allow you to specify conditions in [IAM policies](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html) that control access to Neptune resources. The policy statement then takes effect only when the conditions are true.\n\nIn a real-world application, you can combine IAM policies and global context keys to define a single policy that can be attached to multiple users or roles.\n\nFor example, if you want to allow access to various entities based on the [principal tag ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals)(the tag attached to the IAM user or role), a sample policy looks like the following:\n\n```\n{\n \"Version\":\"2012-10-17\",\n \"Statement\":[\n {\n \"Action\":[\n \"neptune-db:ReadDataViaQuery\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Allow\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:PrincipalTag/persona\": \"researcher\"\n }\n }\n },\n {\n \"Action\":[\n \"neptune-db:ReadDataViaQuery\",\n \"neptune-db:WriteDataViaQuery\",\n \"neptune-db:DeleteDataViaQuery\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Allow\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:PrincipalTag/persona\": \"doctor\"\n }\n }\n },\n {\n \"Action\":[\n \"neptune-db:*\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Allow\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:PrincipalTag/persona\": \"itadmin\"\n }\n }\n },\n {\n \"Action\":[\n \"neptune-db:ResetDatabase\"\n ],\n \"Resource\":[\n \"arn:aws:neptune-db:<AWSRegion>:<AWSAccountID>:<AmazonNeptuneResourceIdentifier>/*\"\n ],\n \"Effect\":\"Deny\"\n }\n ]\n}\n```\n\n### **Conclusion**\n\nIn this post, we showed you how Fine Grained Access Control (FGAC) data plane actions for Neptune enable you to grant more granular permissions to manage your existing and new Neptune clusters. To use FGAC data plane actions, create a new cluster with [Neptune version 1.2.0.0](https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.2.0.0.html) and enable IAM. Refer to the [documentation](https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-access-policies.html) to understand FGAC data plane policies in detail.\n\n#### **About the authors**\n\n\n\n**Ankit Gupta** is a Software Development Manager with the Amazon Neptune Platform Team in India and has been part of the Neptune team since product inception. He works with Amazon Web Services customers and internal development teams to improve Neptune’s usability, performance, scalability, and user experience.\n\n\n\n**Abhishek Mishra** is a Sr. Specialist Solutions Architect focused on Amazon Neptune at Amazon Web Services. He helps Amazon Web Services customers build innovative solutions using graph databases. In his spare time, he loves making the earth a greener place.","render":"<p><a href=\"https://aws.amazon.com/neptune/\" target=\"_blank\">Amazon Neptune</a> is purpose-built to store and navigate relationships. This provides advantages over relational databases for use cases like social networking, recommendation engines, and fraud detection, where you need to create relationships between data and quickly query these relationships.</p>\n<p>At Amazon Web Services, security is Job Zero. Neptune offers several security features, including network isolation, encryption, and resource-level permissions for database management through <a href=\"http://aws.amazon.com/iam\" target=\"_blank\">Amazon Web Services Identity and Access Management</a> (IAM) in a <a href=\"https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/shared-responsibility-model.html\" target=\"_blank\">shared responsibility model</a> that customers can use to deploy solutions that meet industry-specific certification requirements.</p>\n<p>Neptune is secured via network isolation, encryption at rest &amp; transit and resource level permission for database management. In this post, we show how users can control access to Neptune database access APIs through new <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/iam-dp-actions.html\" target=\"_blank\">Fine Grained Access Control (FGAC) data plane actions</a> in IAM policy. These actions provide control over read, write, delete, bulk loading, and other data plane operations.</p>\n<h3><a id=\"Network_isolation_6\"></a><strong>Network isolation</strong></h3>\n<p>Neptune runs in <a href=\"https://aws.amazon.com/vpc/\" target=\"_blank\">Amazon Virtual Private Cloud</a> (Amazon VPC), which allows you to isolate your database in your virtual network. It can also connect to your on-premises IT infrastructure using industry-standard encrypted IPsec VPNs and <a href=\"https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html\" target=\"_blank\">Amazon Web Services Direct Connect</a>. In addition, you can use the VPC configuration in Neptune to configure firewall settings and control network access to your database instances.</p>\n<h3><a id=\"Encryption_at_rest_and_in_transit_10\"></a><strong>Encryption at rest and in transit</strong></h3>\n<p>Neptune allows you to encrypt your databases using keys you create and control through <a href=\"https://aws.amazon.com/kms/\" target=\"_blank\">Amazon Web Services Key Management Service</a> (Amazon Web Services KMS). On a database instance running with Neptune encryption, data stored at rest in the underlying storage is encrypted, as are the automated backups, and snapshots in the same cluster.</p>\n<p>Neptune only allows <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/security-ssl.html\" target=\"_blank\">Secure Sockets Layer (SSL)/TLS 1.2</a> connections through HTTPS to any instance or cluster endpoint. The client should connect to Neptune endpoints through SSL to help protect customer data, using HTTPS instead of HTTP.</p>\n<h3><a id=\"Resourcelevel_permissions_for_database_management_16\"></a><strong>Resource-level permissions for database management</strong></h3>\n<p>Neptune is integrated with IAM. It allows you to control the actions that your IAM users and groups can take on specific Neptune resources. These resources include clusters, cluster parameter groups, cluster snapshots, database instances, database snapshots, database parameter groups, database subnet groups and database event subscriptions. In addition, you can tag your Neptune resources and control the actions that your IAM users and groups can take on groups of resources that have the same tag (and tag value). For example, you can configure your IAM rules to ensure developers can modify development database instances, but only database administrators can modify and delete production database instances. The following diagram illustrates the high-level permission model for Neptune.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/f3c2d349718a4403a2e160e3e00d0586_image.png\" alt=\"image.png\" /></p>\n<p>Before Neptune engine version 1.2.0.0, Neptune didn’t offer granular access control or tag-based access control for database access APIs also known as data plane actions (for example, querying and bulk loading), which are different from <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/neptune-iam-admin-actions.html\" target=\"_blank\">database management APIs</a>. This is reflected in the dashed lines in the preceding figure.</p>\n<h3><a id=\"New_Fine_Grained_Access_Control_FGAC_for_Neptune_data_plane_with_IAM_24\"></a><strong>New Fine Grained Access Control (FGAC) for Neptune data plane with IAM</strong></h3>\n<p>Starting in <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.2.0.0.html\" target=\"_blank\">Neptune engine version 1.2.0.0</a>, users now have the ability to control access to database API through new <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/iam-dp-actions.html\" target=\"_blank\">FGAC data plane actions</a> in IAM policy. These actions provide control over read, write, delete, bulk loading, and other data plane operations.</p>\n<p>Note: The “connect” IAM action is deprecated with this change. Existing IAM policies that are based on the deprecated connect action must be adjusted to use the more granular data plane actions. See <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-access-examples.html\" target=\"_blank\">Types of Neptune data plane IAM policies</a>.</p>\n<p>To explain this, let’s take an example of a healthcare system. A typical hospital has patients, doctors, nurses, IT administrators, and researchers. These people have responsibilities that define what level of permission they have to create, modify, and delete patient records:</p>\n<ul>\n<li><strong>Doctor</strong> – Create, view, and edit patient records</li>\n<li><strong>Nurse</strong> – Create, view, and edit patient records</li>\n<li><strong>Researcher</strong> – Read patient records</li>\n<li><strong>IT administrator</strong> – Update access policies for all users</li>\n</ul>\n<p>This example healthcare system uses Neptune as a graph database to store, manage, and track patients’ medical history. The following is a network/graph representation of the healthcare system.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/c54fed2f513a425bbab772a711d4c2b1_image.png\" alt=\"image.png\" /></p>\n<p>The system needs the capability to define the different levels of permission for all personas based on their role. Neptune allows you to define security via network isolation and IAM-based access. The new set of IAM permissions extends existing IAM-based permissions to give more granular permissions to an IAM principal, including query level access to read, write, and delete.</p>\n<p>The following policies illustrate the mappings of user personas to permissions.</p>\n<h3><a id=\"Researcher_read_only_45\"></a><strong>Researcher (read only)</strong></h3>\n<p>The following policy grants read access via query only permission to a Neptune database:</p>\n<pre><code class=\"lang-\">{\n &quot;Version&quot;:&quot;2012-10-17&quot;,\n &quot;Statement&quot;:[\n {\n &quot;Action&quot;:[\n &quot;neptune-db:ReadDataViaQuery&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Allow&quot;\n }\n ]\n}\n</code></pre>\n<h3><a id=\"Doctor_and_nurse_read_write_delete_65\"></a><strong>Doctor and nurse (read, write, delete)</strong></h3>\n<p>The following policy grants read, write, and delete access via query to the Neptune database data plane actions:</p>\n<pre><code class=\"lang-\">{\n &quot;Version&quot;:&quot;2012-10-17&quot;,\n &quot;Statement&quot;:[\n {\n &quot;Action&quot;:[\n &quot;neptune-db:ReadDataViaQuery&quot;,\n &quot;neptune-db:WriteDataViaQuery&quot;,\n &quot;neptune-db:DeleteDataViaQuery&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Allow&quot;\n }\n ]\n}\n</code></pre>\n<h3><a id=\"IT_administrator_full_access_87\"></a><strong>IT administrator (full access)</strong></h3>\n<p>The following policy grants full access to the Neptune database data plane actions (minus Amazon Neptune ML actions):</p>\n<pre><code class=\"lang-\">{\n &quot;Version&quot;:&quot;2012-10-17&quot;,\n &quot;Statement&quot;:[\n {\n &quot;Action&quot;:[\n &quot;neptune-db:ReadDataViaQuery&quot;,\n &quot;neptune-db:WriteDataViaQuery&quot;,\n &quot;neptune-db:DeleteDataViaQuery&quot;,\n &quot;neptune-db:GetEngineStatus&quot;,\n &quot;neptune-db:GetStreamRecords&quot;,\n &quot;neptune-db:StartLoaderJob&quot;,\n &quot;neptune-db:GetLoaderJobStatus&quot;,\n &quot;neptune-db:CancelLoaderJob&quot;,\n &quot;neptune-db:ListLoaderJobs&quot;,\n &quot;neptune-db:ResetDatabase&quot;,\n &quot;neptune-db:GetStatisticsStatus&quot;,\n &quot;neptune-db:DeleteStatistics&quot;,\n &quot;neptune-db:ManageStatistics&quot;,\n &quot;neptune-db:GetQueryStatus&quot;,\n &quot;neptune-db:CancelQuery&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Allow&quot;\n }\n ]\n}\n</code></pre>\n<h3><a id=\"IT_administrator_full_access_except_for_fast_reset_121\"></a><strong>IT administrator (full access except for fast reset)</strong></h3>\n<p>The following policy grants full access to Neptune data plane actions except for <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/manage-console-fast-reset.html\" target=\"_blank\">fast reset API</a>:</p>\n<pre><code class=\"lang-\">{\n &quot;Version&quot;:&quot;2012-10-17&quot;,\n &quot;Statement&quot;:[\n {\n &quot;Action&quot;:[\n &quot;neptune-db:*&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Allow&quot;\n },\n {\n &quot;Action&quot;:[\n &quot;neptune-db:ResetDatabase&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Deny&quot;\n }\n ]\n}\n</code></pre>\n<h3><a id=\"Global_context_keys_with_IAM_policies_150\"></a><strong>Global context keys with IAM policies</strong></h3>\n<p><a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/iam-condition-keys.html\" target=\"_blank\">Global context keys</a> allow you to specify conditions in <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html\" target=\"_blank\">IAM policies</a> that control access to Neptune resources. The policy statement then takes effect only when the conditions are true.</p>\n<p>In a real-world application, you can combine IAM policies and global context keys to define a single policy that can be attached to multiple users or roles.</p>\n<p>For example, if you want to allow access to various entities based on the <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals\" target=\"_blank\">principal tag </a>(the tag attached to the IAM user or role), a sample policy looks like the following:</p>\n<pre><code class=\"lang-\">{\n &quot;Version&quot;:&quot;2012-10-17&quot;,\n &quot;Statement&quot;:[\n {\n &quot;Action&quot;:[\n &quot;neptune-db:ReadDataViaQuery&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Allow&quot;,\n &quot;Condition&quot;: {\n &quot;StringEquals&quot;: {\n &quot;aws:PrincipalTag/persona&quot;: &quot;researcher&quot;\n }\n }\n },\n {\n &quot;Action&quot;:[\n &quot;neptune-db:ReadDataViaQuery&quot;,\n &quot;neptune-db:WriteDataViaQuery&quot;,\n &quot;neptune-db:DeleteDataViaQuery&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Allow&quot;,\n &quot;Condition&quot;: {\n &quot;StringEquals&quot;: {\n &quot;aws:PrincipalTag/persona&quot;: &quot;doctor&quot;\n }\n }\n },\n {\n &quot;Action&quot;:[\n &quot;neptune-db:*&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Allow&quot;,\n &quot;Condition&quot;: {\n &quot;StringEquals&quot;: {\n &quot;aws:PrincipalTag/persona&quot;: &quot;itadmin&quot;\n }\n }\n },\n {\n &quot;Action&quot;:[\n &quot;neptune-db:ResetDatabase&quot;\n ],\n &quot;Resource&quot;:[\n &quot;arn:aws:neptune-db:&lt;AWSRegion&gt;:&lt;AWSAccountID&gt;:&lt;AmazonNeptuneResourceIdentifier&gt;/*&quot;\n ],\n &quot;Effect&quot;:&quot;Deny&quot;\n }\n ]\n}\n</code></pre>\n<h3><a id=\"Conclusion_219\"></a><strong>Conclusion</strong></h3>\n<p>In this post, we showed you how Fine Grained Access Control (FGAC) data plane actions for Neptune enable you to grant more granular permissions to manage your existing and new Neptune clusters. To use FGAC data plane actions, create a new cluster with <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.2.0.0.html\" target=\"_blank\">Neptune version 1.2.0.0</a> and enable IAM. Refer to the <a href=\"https://docs.aws.amazon.com/neptune/latest/userguide/iam-data-access-policies.html\" target=\"_blank\">documentation</a> to understand FGAC data plane policies in detail.</p>\n<h4><a id=\"About_the_authors_223\"></a><strong>About the authors</strong></h4>\n<p><img src=\"https://dev-media.amazoncloud.cn/40e8ea01333b4e2782deac78ffb61514_image.png\" alt=\"image.png\" /></p>\n<p><strong>Ankit Gupta</strong> is a Software Development Manager with the Amazon Neptune Platform Team in India and has been part of the Neptune team since product inception. He works with Amazon Web Services customers and internal development teams to improve Neptune’s usability, performance, scalability, and user experience.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/b6ee286c92be42b686b95d87509b78a4_image.png\" alt=\"image.png\" /></p>\n<p><strong>Abhishek Mishra</strong> is a Sr. Specialist Solutions Architect focused on Amazon Neptune at Amazon Web Services. He helps Amazon Web Services customers build innovative solutions using graph databases. In his spare time, he loves making the earth a greener place.</p>\n"}