- Newest
- Most votes
- Most comments
Queries to Neptune Database are not logged in CloudTrail, only calls to Neptune's control plane are logged in CloudTrail. You can enable Audit Logs on a Neptune cluster [1] and also configure those logs to get published to CloudWatch Logs [2]. If IAM authentication [3] is enabled for your Neptune Database cluster, then the related access key for the role used will appear in the Neptune audit logs along with the query issued.
You can restrict query access to Neptune using IAM Data Plane actions. If you wanted to restrict access from a notebook instance, you could create an IAM role for the notebook instance that only allows the WriteDataViaQuery action [4].
[1] https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html
[2] https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html
[3] https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
[4] https://docs.aws.amazon.com/neptune/latest/userguide/iam-dp-actions.html#writedataviaquery
Relevant content
- asked 7 months ago
- Accepted Answerasked 9 months ago
- asked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
hi i am using the below Policy attached to sagemaker but still using jupyter notebook i am able add and delete via query "{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:GetObject", "logs:CreateLogStream", "sagemaker:DescribeNotebookInstance", "s3:ListBucket", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": [ "arn:aws:sagemaker:ap-south-1:107253860581:notebook-instance/", "arn:aws:logs:ap-south-1:107253860581:log-group:/aws/sagemaker/", "arn:aws:s3:::aws-neptune-notebook-ap-south-1", "arn:aws:s3:::aws-neptune-notebook-ap-south-1/" ] }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": [ "neptune-db:CancelLoaderJob", "neptune-db:CancelMLDataProcessingJob", "neptune-db:CancelMLModelTransformJob", "neptune-db:StartLoaderJob", "neptune-db:CancelMLModelTrainingJob", "neptune-db:ResetDatabase", "neptune-db:DeleteDataViaQuery", "neptune-db:DeleteMLEndpoint", "neptune-db:StartMLDataProcessingJob", "neptune-db:CreateMLEndpoint", "neptune-db:CancelQuery", "neptune-db:connect", "neptune-db:StartMLModelTrainingJob", "neptune-db:StartMLModelTransformJob", "neptune-db:ManageStatistics", "neptune-db:WriteDataViaQuery", "neptune-db:DeleteStatistics" ], "Resource": "arn:aws:neptune-db:ap-south-1:107253860581:cluster-KOTFG4ZPCJDD7IG4QPFGI7ADKU/" } ] }"