Hi Team,
We are using sagemaker notebooks to query data from neptune DB while giving permissions i have attached the below policy Still able to delete and write via query
I want only readonly access to the DB via query
Below is the Policy attached
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"logs:CreateLogStream",
"sagemaker:DescribeNotebookInstance",
"s3:ListBucket",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:sagemaker:ap-south-1:107253860581:notebook-instance/",
"arn:aws:logs:ap-south-1:107253860581:log-group:/aws/sagemaker/",
"arn:aws:s3:::aws-neptune-notebook-ap-south-1",
"arn:aws:s3:::aws-neptune-notebook-ap-south-1/"
]
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"neptune-db:ReadDataViaQuery",
"neptune-db:GetQueryStatus"
],
"Resource": ""
},
{
"Sid": "VisualEditor1",
"Effect": "Deny",
"Action": [
"neptune-db:CancelLoaderJob",
"neptune-db:CancelMLDataProcessingJob",
"neptune-db:CancelMLModelTransformJob",
"neptune-db:StartLoaderJob",
"neptune-db:CancelMLModelTrainingJob",
"neptune-db:ResetDatabase",
"neptune-db:DeleteDataViaQuery",
"neptune-db:DeleteMLEndpoint",
"neptune-db:StartMLDataProcessingJob",
"neptune-db:CreateMLEndpoint",
"neptune-db:CancelQuery",
"neptune-db:connect",
"neptune-db:StartMLModelTrainingJob",
"neptune-db:StartMLModelTransformJob",
"neptune-db:ManageStatistics",
"neptune-db:WriteDataViaQuery",
"neptune-db:DeleteStatistics"
],
"Resource": "*"
}
]
}
AWS OFFICIALUpdated 4 years ago
In the IAM Policy Simulator Console it is denying the write and delete options but not in the sagemaker and we are using the role which is attached to the notebook instance