Creating IAM administrative policy statements for Amazon Neptune - Amazon Neptune

General administrative policy examples

The following examples show how to create Neptune administrative policies that grant permissions to take various management actions on a DB cluster.

Policy that prevents an IAM user from deleting a specified DB instance

The following is an example policy that prevents an IAM user from deleting a specified Neptune DB instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDeleteOneInstance",
            "Effect": "Deny",
            "Action": "rds:DeleteDBInstance",
            "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-instance-name"
        }
    ]
}

Policy that grants permission to create new DB instances

The following is an example policy that allows an IAM user to create DB instances in a specified Neptune DB cluster:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateInstance",
            "Effect": "Allow",
            "Action": "rds:CreateDBInstance",
            "Resource": "arn:aws:rds:us-west-2:123456789012:cluster:my-cluster"
        }
    ]
}

Policy that grants permission to create new DB instances that use a specific DB parameter group

The following is an example policy that allows an IAM user to create DB instances in a specified Neptune DB cluster (here in the us-west-2 region) using only a specified DB parameter group. Both ARNs are listed under Resource, so the action is allowed only when the request targets that cluster and that parameter group.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateInstanceWithPG",
            "Effect": "Allow",
            "Action": "rds:CreateDBInstance",
            "Resource": [
                "arn:aws:rds:us-west-2:123456789012:cluster:my-cluster",
                "arn:aws:rds:us-west-2:123456789012:pg:my-instance-pg"
            ]
        }
    ]
}

Policy that grants permission to describe any resource

The following is an example policy that allows an IAM user to describe any Neptune resource.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDescribe",
            "Effect": "Allow",
            "Action": "rds:Describe*",
            "Resource": "*"
        }
    ]
}

Tag-based administrative policy examples

The following examples show how to create Neptune administrative policies that use tags to filter permissions for various management actions on a DB cluster.

Example 1: Grant permission for actions on a resource using a custom tag that can take multiple values

The policy below allows use of the ModifyDBInstance, CreateDBInstance or DeleteDBInstance API on any DB instance that has the env tag set to either dev or test. The second condition key, rds:DatabaseEngine, restricts the statement to Neptune instances; both StringEquals keys must match for the Allow to apply:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDevTestAccess",
            "Effect": "Allow",
            "Action": [
                "rds:ModifyDBInstance",
                "rds:CreateDBInstance",
                "rds:DeleteDBInstance"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "rds:db-tag/env": [
                        "dev",
                        "test"
                    ],
                    "rds:DatabaseEngine": "neptune"
                }
            }
        }
    ]
}

Example 2: Limit the set of tag keys and values that can be used to tag a resource

This policy uses the rds:req-tag condition key to allow a tag with the key env and a value of test, qa, or dev to be added to (or removed from) a Neptune resource; a request that supplies any other value for env does not match the condition and is not allowed by this statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTagAccessForDevResources",
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:RemoveTagsFromResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "rds:req-tag/env": [
                        "test",
                        "qa",
                        "dev"
                    ],
                    "rds:DatabaseEngine": "neptune"
                }
            }
        }
    ]
}

Example 3: Allow full access to Neptune resources based on aws:ResourceTag

The following policy is similar to the first example above, but uses the global aws:ResourceTag condition key instead of rds:db-tag, and grants all rds:* actions on Neptune resources tagged env=dev:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFullAccessToDev",
            "Effect": "Allow",
            "Action": [
                "rds:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/env": "dev",
                    "rds:DatabaseEngine": "neptune"
                }
            }
        }
    ]
}
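To see how the general and tag-based statements above interact when several are attached to the same principal, the following added example (not from the Neptune documentation or any AWS library) models the part of IAM evaluation these policies rely on: wildcard Action/Resource matching, StringEquals conditions where a list of values means "any of", and an explicit Deny overriding any Allow. The statements embedded below are a constructed subset of those on this page, and the request context is assumed to be a flat dict of condition keys as IAM would present them.

```python
import fnmatch

# Constructed subset of the statements on this page, as if all were attached
# to one IAM user: a targeted Deny, a broad Describe Allow and the tag-based
# dev/test Allow.
POLICIES = [
    {"Sid": "DenyDeleteOneInstance", "Effect": "Deny",
     "Action": "rds:DeleteDBInstance",
     "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-instance-name"},
    {"Sid": "AllowDescribe", "Effect": "Allow",
     "Action": "rds:Describe*", "Resource": "*"},
    {"Sid": "AllowDevTestAccess", "Effect": "Allow",
     "Action": ["rds:ModifyDBInstance", "rds:CreateDBInstance",
                "rds:DeleteDBInstance"],
     "Resource": "*",
     "Condition": {"StringEquals": {"rds:db-tag/env": ["dev", "test"],
                                    "rds:DatabaseEngine": "neptune"}}},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Assumption: only StringEquals is modelled. Every key must be present in
    # the request context and equal one of its listed values (a list is OR).
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True

def evaluate(statements, action, resource, context):
    """Simplified IAM decision: explicit Deny wins, then Allow, else ImplicitDeny.
    Action names match case-insensitively, ARNs case-sensitively; '*' wildcards
    are handled with fnmatch."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny cannot be overridden by any Allow
        decision = "Allow"
    return decision
```

Running evaluate with the dev-tagged context against the protected instance returns "Deny" even though AllowDevTestAccess matches, while the same delete on another dev instance returns "Allow" and a prod-tagged or non-Neptune instance falls through to "ImplicitDeny".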