

# Creating custom IAM policy statements to administer Amazon Neptune
IAM administrative policy statements

Administrative policy statements let you control what an IAM user can do to manage a Neptune database.

A Neptune administrative policy statement grants access to one or more [administrative actions](neptune-iam-admin-actions.md) and [administrative resources](iam-admin-resources.md) that Neptune supports. You can also use [Condition Keys](iam-admin-condition-keys.md) to make the administrative permissions more specific.

**Note**  
Because Neptune shares functionality with Amazon RDS, administrative actions, resources, and service-specific condition keys in administrative policy statements use an `rds:` prefix by design.

**Topics**
+ [IAM actions for administering Amazon Neptune](neptune-iam-admin-actions.md)
+ [IAM resource types for administering Amazon Neptune](iam-admin-resources.md)
+ [IAM condition keys for administering Amazon Neptune](iam-admin-condition-keys.md)
+ [Creating IAM administrative policy statements for Amazon Neptune](iam-admin-policy-examples.md)

# IAM actions for administering Amazon Neptune
Administrative actions

You can use the administrative actions listed below in the `Action` element of an IAM policy statement to control access to the [Neptune management APIs](api.md). When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The `Resource type` field in the list below indicates whether each action supports resource-level permissions. If there is no value in this field, you must specify all resources (`"*"`) in the `Resource` element of your policy statement. If the field includes a resource type, then you can specify a resource ARN of that type in a statement with that action. Neptune administrative resource types are listed on [this page](iam-admin-resources.md).

Required resources are marked "(required)" in the list below. If you specify a resource-level permission ARN in a statement using this action, it must be of this type. Some actions support multiple resource types. If a resource type is optional (in other words, is not marked as required), then you do not have to include it.

For more information about the fields listed here, see [action table](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html#actions_table) in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).

## rds:AddRoleToDBCluster


`AddRoleToDBCluster` associates an IAM role with a Neptune DB cluster.

*Access level:* `Write`.

*Dependent actions:* `iam:PassRole`.

*Resource type:* [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).

## rds:AddSourceIdentifierToSubscription


`AddSourceIdentifierToSubscription` adds a source identifier to an existing Neptune event notification subscription.

*Access level:* `Write`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

## rds:AddTagsToResource


`AddTagsToResource` adds metadata tags to a Neptune resource.

*Access level:* `Write`.

*Resource types:*
+ [db](iam-admin-resources.md#neptune-db-resource)
+ [es](iam-admin-resources.md#neptune-es-resource)
+ [pg](iam-admin-resources.md#neptune-pg-resource)
+ [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource)
+ [subgrp](iam-admin-resources.md#neptune-subgrp-resource)

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:ApplyPendingMaintenanceAction


`ApplyPendingMaintenanceAction` applies a pending maintenance action to a resource.

*Access level:* `Write`.

*Resource type:* [db](iam-admin-resources.md#neptune-db-resource) (required).

## rds:CopyDBClusterParameterGroup


`CopyDBClusterParameterGroup` copies the specified DB cluster parameter group.

*Access level:* `Write`.

*Resource type:* [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

## rds:CopyDBClusterSnapshot


`CopyDBClusterSnapshot` copies a snapshot of a DB cluster.

*Access level:* `Write`.

*Resource type:* [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource) (required).

## rds:CopyDBParameterGroup


`CopyDBParameterGroup` copies the specified DB parameter group.

*Access level:* `Write`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:CreateDBCluster


`CreateDBCluster` creates a new Neptune DB cluster.

*Access level:* `Tagging`.

*Dependent actions:* `iam:PassRole`.

*Resource types:*
+ [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).
+ [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).
+ [subgrp](iam-admin-resources.md#neptune-subgrp-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)
+ [rds:DatabaseEngine](iam-admin-condition-keys.md#admin-rds_DatabaseEngine)

## rds:CreateDBClusterParameterGroup


`CreateDBClusterParameterGroup` creates a new DB cluster parameter group.

*Access level:* `Tagging`.

*Resource type:* [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:CreateDBClusterSnapshot


`CreateDBClusterSnapshot` creates a snapshot of a DB cluster.

*Access level:* `Tagging`.

*Resource types:*
+ [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).
+ [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:CreateDBInstance


`CreateDBInstance` creates a new DB instance.

*Access level:* `Tagging`.

*Dependent actions:* `iam:PassRole`.

*Resource types:*
+ [db](iam-admin-resources.md#neptune-db-resource) (required).
+ [pg](iam-admin-resources.md#neptune-pg-resource) (required).
+ [subgrp](iam-admin-resources.md#neptune-subgrp-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:CreateDBParameterGroup


`CreateDBParameterGroup` creates a new DB parameter group.

*Access level:* `Tagging`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:CreateDBSubnetGroup


`CreateDBSubnetGroup` creates a new DB subnet group.

*Access level:* `Tagging`.

*Resource type:* [subgrp](iam-admin-resources.md#neptune-subgrp-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:CreateEventSubscription


`CreateEventSubscription` creates a Neptune event notification subscription.

*Access level:* `Tagging`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:DeleteDBCluster


`DeleteDBCluster` deletes an existing Neptune DB cluster.

*Access level:* `Write`.

*Resource types:*
+ [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).
+ [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource) (required).

## rds:DeleteDBClusterParameterGroup


`DeleteDBClusterParameterGroup` deletes a specified DB cluster parameter group.

*Access level:* `Write`.

*Resource type:* [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

## rds:DeleteDBClusterSnapshot


`DeleteDBClusterSnapshot` deletes a DB cluster snapshot.

*Access level:* `Write`.

*Resource type:* [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource) (required).

## rds:DeleteDBInstance


`DeleteDBInstance` deletes a specified DB instance.

*Access level:* `Write`.

*Resource type:* [db](iam-admin-resources.md#neptune-db-resource) (required).

## rds:DeleteDBParameterGroup


`DeleteDBParameterGroup` deletes a specified DBParameterGroup.

*Access level:* `Write`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:DeleteDBSubnetGroup


`DeleteDBSubnetGroup` deletes a DB subnet group.

*Access level:* `Write`.

*Resource type:* [subgrp](iam-admin-resources.md#neptune-subgrp-resource) (required).

## rds:DeleteEventSubscription


`DeleteEventSubscription` deletes an event notification subscription.

*Access level:* `Write`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

## rds:DescribeDBClusterParameterGroups


`DescribeDBClusterParameterGroups` returns a list of DBClusterParameterGroup descriptions.

*Access level:* `List`.

*Resource type:* [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

## rds:DescribeDBClusterParameters


`DescribeDBClusterParameters` returns the detailed parameter list for a particular DB cluster parameter group.

*Access level:* `List`.

*Resource type:* [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

## rds:DescribeDBClusterSnapshotAttributes


`DescribeDBClusterSnapshotAttributes` returns a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot.

*Access level:* `List`.

*Resource type:* [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource) (required).

## rds:DescribeDBClusterSnapshots


`DescribeDBClusterSnapshots` returns information about DB cluster snapshots.

*Access level:* `Read`.

## rds:DescribeDBClusters


`DescribeDBClusters` returns information about a provisioned Neptune DB cluster.

*Access level:* `List`.

*Resource type:* [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).

## rds:DescribeDBEngineVersions


`DescribeDBEngineVersions` returns a list of the available DB engines.

*Access level:* `List`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:DescribeDBInstances


`DescribeDBInstances` returns information about DB instances.

*Access level:* `List`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

## rds:DescribeDBParameterGroups


`DescribeDBParameterGroups` returns a list of DBParameterGroup descriptions.

*Access level:* `List`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:DescribeDBParameters


`DescribeDBParameters` returns a detailed parameter list for a particular DB parameter group.

*Access level:* `List`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:DescribeDBSubnetGroups


`DescribeDBSubnetGroups` returns a list of DBSubnetGroup descriptions.

*Access level:* `List`.

*Resource type:* [subgrp](iam-admin-resources.md#neptune-subgrp-resource) (required).

## rds:DescribeEventCategories


`DescribeEventCategories` returns a list of categories for all event source types, or, if specified, for a specified source type.

*Access level:* `List`.

## rds:DescribeEventSubscriptions


`DescribeEventSubscriptions` lists all the subscription descriptions for a customer account.

*Access level:* `List`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

## rds:DescribeEvents


`DescribeEvents` returns events related to DB instances, DB security groups, and DB parameter groups for the past 14 days.

*Access level:* `List`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

## rds:DescribeOrderableDBInstanceOptions


`DescribeOrderableDBInstanceOptions` returns a list of orderable DB instance options for the specified engine.

*Access level:* `List`.

## rds:DescribePendingMaintenanceActions


`DescribePendingMaintenanceActions` returns a list of resources (for example, DB instances) that have at least one pending maintenance action.

*Access level:* `List`.

*Resource type:* [db](iam-admin-resources.md#neptune-db-resource) (required).

## rds:DescribeValidDBInstanceModifications


`DescribeValidDBInstanceModifications` lists available modifications you can make to your DB instance.

*Access level:* `List`.

*Resource type:* [db](iam-admin-resources.md#neptune-db-resource) (required).

## rds:FailoverDBCluster


`FailoverDBCluster` forces a failover for a DB cluster.

*Access level:* `Write`.

*Resource type:* [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).

## rds:ListTagsForResource


`ListTagsForResource` lists all tags on a Neptune resource.

*Access level:* `Read`.

*Resource types:*
+ [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource)
+ [db](iam-admin-resources.md#neptune-db-resource)
+ [es](iam-admin-resources.md#neptune-es-resource)
+ [pg](iam-admin-resources.md#neptune-pg-resource)
+ [subgrp](iam-admin-resources.md#neptune-subgrp-resource)

## rds:ModifyDBCluster


`ModifyDBCluster` modifies a setting for a Neptune DB cluster.

*Access level:* `Write`.

*Dependent actions:* `iam:PassRole`.

*Resource types:*
+ [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).
+ [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

## rds:ModifyDBClusterParameterGroup


`ModifyDBClusterParameterGroup` modifies the parameters of a DB cluster parameter group.

*Access level:* `Write`.

*Resource type:* [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

## rds:ModifyDBClusterSnapshotAttribute


`ModifyDBClusterSnapshotAttribute` adds an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot.

*Access level:* `Write`.

*Resource type:* [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource) (required).

## rds:ModifyDBInstance


`ModifyDBInstance` modifies settings for a DB instance.

*Access level:* `Write`.

*Dependent actions:* `iam:PassRole`.

*Resource types:*
+ [db](iam-admin-resources.md#neptune-db-resource) (required).
+ [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:ModifyDBParameterGroup


`ModifyDBParameterGroup` modifies the parameters of a DB parameter group.

*Access level:* `Write`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:ModifyDBSubnetGroup


`ModifyDBSubnetGroup` modifies an existing DB subnet group.

*Access level:* `Write`.

*Resource type:* [subgrp](iam-admin-resources.md#neptune-subgrp-resource) (required).

## rds:ModifyEventSubscription


`ModifyEventSubscription` modifies an existing Neptune event notification subscription.

*Access level:* `Write`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

## rds:RebootDBInstance


`RebootDBInstance` restarts the database engine service for the instance.

*Access level:* `Write`.

*Resource type:* [db](iam-admin-resources.md#neptune-db-resource) (required).

## rds:RemoveRoleFromDBCluster


`RemoveRoleFromDBCluster` disassociates an AWS Identity and Access Management (IAM) role from an Amazon Neptune DB cluster.

*Access level:* `Write`.

*Dependent actions:* `iam:PassRole`.

*Resource type:* [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).

## rds:RemoveSourceIdentifierFromSubscription


`RemoveSourceIdentifierFromSubscription` removes a source identifier from an existing Neptune event notification subscription.

*Access level:* `Write`.

*Resource type:* [es](iam-admin-resources.md#neptune-es-resource) (required).

## rds:RemoveTagsFromResource


`RemoveTagsFromResource` removes metadata tags from a Neptune resource.

*Access level:* `Tagging`.

*Resource types:*
+ [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource)
+ [db](iam-admin-resources.md#neptune-db-resource)
+ [es](iam-admin-resources.md#neptune-es-resource)
+ [pg](iam-admin-resources.md#neptune-pg-resource)
+ [subgrp](iam-admin-resources.md#neptune-subgrp-resource)

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:ResetDBClusterParameterGroup


`ResetDBClusterParameterGroup` modifies the parameters of a DB cluster parameter group to the default value.

*Access level:* `Write`.

*Resource type:* [cluster-pg](iam-admin-resources.md#neptune-cluster-pg-resource) (required).

## rds:ResetDBParameterGroup


`ResetDBParameterGroup` modifies the parameters of a DB parameter group to the engine/system default value.

*Access level:* `Write`.

*Resource type:* [pg](iam-admin-resources.md#neptune-pg-resource) (required).

## rds:RestoreDBClusterFromSnapshot


`RestoreDBClusterFromSnapshot` creates a new DB cluster from a DB cluster snapshot.

*Access level:* `Write`.

*Dependent actions:* `iam:PassRole`.

*Resource types:*
+ [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).
+ [cluster-snapshot](iam-admin-resources.md#neptune-cluster-snapshot-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:RestoreDBClusterToPointInTime


`RestoreDBClusterToPointInTime` restores a DB cluster to an arbitrary point in time.

*Access level:* `Write`.

*Dependent actions:* `iam:PassRole`.

*Resource types:*
+ [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).
+ [subgrp](iam-admin-resources.md#neptune-subgrp-resource) (required).

*Condition Keys:*
+ [aws:RequestTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_RequestTag)
+ [aws:TagKeys](iam-admin-condition-keys.md#admin-aws_TagKeys)

## rds:StartDBCluster


`StartDBCluster` starts the specified DB cluster.

*Access level:* `Write`.

*Resource type:* [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).

## rds:StopDBCluster


`StopDBCluster` stops the specified DB cluster.

*Access level:* `Write`.

*Resource type:* [cluster](iam-admin-resources.md#neptune-cluster-resource) (required).

# IAM resource types for administering Amazon Neptune
Resources types

Neptune supports the resource types in the following table for use in the `Resource` element of IAM administration policy statements. For more information about the `Resource` element, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html).

The [list of Neptune administration actions](neptune-iam-admin-actions.md) identifies the resource types that can be specified with each action. A resource type also determines which condition keys you can include in a policy, as specified in the last column of the table below.

The `ARN` column in the table below specifies the Amazon Resource Name (ARN) format that you must use to reference resources of this type. The placeholder portions (`partition`, `region`, `account-id`, and the resource name; in the IAM documentation these are preceded by a `$`) must be replaced by the actual values for your scenario. For example, if you see `$user-name` in an ARN, you must replace that string either with the actual IAM user's name or with a policy variable that contains an IAM user name. For more information about ARNs, see [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns), and [Working with administrative ARNs in Amazon Neptune](tagging-arns.md).

The `Condition Keys` column specifies condition context keys that you can include in an IAM policy statement only when both this resource and a compatible supporting action are included in the statement.



| Resource Types | ARN | Condition Keys | 
| --- | --- | --- | 
|  `cluster` (a DB cluster)  | arn:partition:rds:region:account-id:cluster:instance-name |  [aws:ResourceTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_ResourceTag) [rds:cluster-tag/*tag-key*](iam-admin-condition-keys.md#admin-rds_cluster-tag)  | 
|  `cluster-pg` (a DB cluster parameter group)  | arn:partition:rds:region:account-id:cluster-pg:neptune-DBClusterParameterGroupName |  [aws:ResourceTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_ResourceTag)  | 
|  `cluster-snapshot` (a DB cluster snapshot)  | arn:partition:rds:region:account-id:cluster-snapshot:neptune-DBClusterSnapshotName |  [aws:ResourceTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_ResourceTag) [rds:cluster-snapshot-tag/*tag-key*](iam-admin-condition-keys.md#admin-rds_cluster-snapshot-tag)  | 
|  `db` (a DB instance)  | arn:partition:rds:region:account-id:db:neptune-DbInstanceName |  [aws:ResourceTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_ResourceTag) [rds:DatabaseClass](iam-admin-condition-keys.md#admin-rds_DatabaseClass) [rds:DatabaseEngine](iam-admin-condition-keys.md#admin-rds_DatabaseEngine) [rds:db-tag/*tag-key*](iam-admin-condition-keys.md#admin-rds_db-tag)  | 
|  `es` (an event subscription)  | arn:partition:rds:region:account-id:es:neptune-CustSubscriptionId  |  [aws:ResourceTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_ResourceTag) [rds:es-tag/*tag-key*](iam-admin-condition-keys.md#admin-rds_es-tag)  | 
|  `pg` (a DB parameter group)  | arn:partition:rds:region:account-id:pg:neptune-ParameterGroupName |  [aws:ResourceTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_ResourceTag) [rds:pg-tag/*tag-key*](iam-admin-condition-keys.md#admin-rds_pg-tag)  | 
|  `subgrp` (a DB subnet group)  | arn:partition:rds:region:account-id:subgrp:neptune-DBSubnetGroupName |  [aws:ResourceTag/*tag-key*](iam-admin-condition-keys.md#admin-aws_ResourceTag) [rds:subgrp-tag/*tag-key*](iam-admin-condition-keys.md#admin-rds_subgrp-tag)  | 
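The following helper builds and parses ARNs in the format the table above gives, and checks whether a condition key is one the table lists for the ARN's resource type. It is an added example, not AWS or Neptune code; the `RESOURCE_TYPES` mapping is transcribed from the table, and `build_arn`, `parse_arn`, `is_neptune_admin_arn` and `condition_key_supported` are names chosen here.

```python
"""ARN helpers for the Neptune administrative resource types in the table above.

Added example, not AWS or Neptune code. RESOURCE_TYPES mirrors the table: the
keyword that appears in the ARN's resource segment, mapped to the condition
keys the table lists for that type ("<tag-key>" stands for the tag name).
"""
import re

RESOURCE_TYPES = {
    "cluster":          ("aws:ResourceTag/<tag-key>", "rds:cluster-tag/<tag-key>"),
    "cluster-pg":       ("aws:ResourceTag/<tag-key>",),
    "cluster-snapshot": ("aws:ResourceTag/<tag-key>", "rds:cluster-snapshot-tag/<tag-key>"),
    "db":               ("aws:ResourceTag/<tag-key>", "rds:DatabaseClass",
                         "rds:DatabaseEngine", "rds:db-tag/<tag-key>"),
    "es":               ("aws:ResourceTag/<tag-key>", "rds:es-tag/<tag-key>"),
    "pg":               ("aws:ResourceTag/<tag-key>", "rds:pg-tag/<tag-key>"),
    "subgrp":           ("aws:ResourceTag/<tag-key>", "rds:subgrp-tag/<tag-key>"),
}

# arn:partition:rds:region:account-id:resource-type:resource-name
_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):rds:(?P<region>[^:]+):(?P<account>\d{12})"
    r":(?P<rtype>[^:]+):(?P<name>[^:]+)$")


def build_arn(rtype, name, account, region, partition="aws"):
    """Assemble an ARN in the table's format, refusing unknown resource types."""
    if rtype not in RESOURCE_TYPES:
        raise ValueError(f"not a Neptune administrative resource type: {rtype!r}")
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError("account must be a 12-digit AWS account id")
    return f"arn:{partition}:rds:{region}:{account}:{rtype}:{name}"


def parse_arn(arn):
    """Split an ARN into its fields; ValueError if it is not a Neptune admin ARN."""
    m = _ARN_RE.match(arn)
    if m is None or m["rtype"] not in RESOURCE_TYPES:
        raise ValueError(f"not a Neptune administrative resource ARN: {arn!r}")
    return m.groupdict()


def is_neptune_admin_arn(arn):
    """Boolean form of parse_arn, for use in policy linting loops."""
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


def condition_key_supported(arn, key):
    """True if the table lists `key` for the ARN's resource type. Condition key
    names are case-insensitive; tag-based keys are matched on their prefix."""
    rtype = parse_arn(arn)["rtype"]
    for supported in RESOURCE_TYPES[rtype]:
        if supported.endswith("/<tag-key>"):
            prefix = supported[: -len("<tag-key>")]          # e.g. "rds:db-tag/"
            if key.lower().startswith(prefix.lower()):
                return True
        elif supported.lower() == key.lower():
            return True
    return False


if __name__ == "__main__":
    db = build_arn("db", "my-instance-name", "123456789012", "us-west-2")
    print(db, parse_arn(db)["rtype"], condition_key_supported(db, "rds:db-tag/env"))
```

`condition_key_supported` only reflects the per-type listing in this table; it is a lint for statements that name a specific resource ARN, not a substitute for the IAM policy simulator.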

# IAM condition keys for administering Amazon Neptune
Condition Keys

[Using condition keys](security-iam-access-manage.md#iam-using-condition-keys), you can specify conditions in an IAM policy statement so that the statement takes effect only when the conditions are true. The condition keys that you can use in Neptune administrative policy statements fall into the following categories:
+ [Global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)   –   These are defined by AWS for general use with AWS services. Most can be used in Neptune administrative policy statements.
+ [Administrative resource property condition keys](#iam-rds-property-condition-keys)   –   These keys, listed [below](#iam-rds-property-condition-keys), are based on properties of administrative resources.
+ [Tag-based access condition keys](#iam-rds-tag-based-condition-keys)   –   These keys, listed [below](#iam-rds-tag-based-condition-keys), are based on [AWS tags](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) attached to administrative resources.

## Neptune administrative resource property condition keys
Resource property keys


| Condition keys | Description | Type | 
| --- | --- | --- | 
| rds:DatabaseClass | Filters access by the type of DB instance class. | String | 
| rds:DatabaseEngine | Filters access by the database engine. For possible values, see the `Engine` parameter of the CreateDBInstance API. | String | 
| rds:DatabaseName | Filters access by the user-defined name of the database on the DB instance. | String | 
| rds:EndpointType | Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM | String | 
| rds:Vpc | Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true. | Boolean | 

## Administrative tag-based condition keys
Tag-based keys

Amazon Neptune supports specifying conditions in an IAM policy using custom tags, to control access to Neptune through the [Management API reference](api.md).

For example, if you add a tag named `environment` to your DB instances, with values such as `beta`, `staging`, and `production`, you can then create a policy that restricts access to the instances based on the value of that tag.

**Important**  
If you manage access to your Neptune resources using tagging, be sure to secure access to the tags. You can restrict access to the tags by creating policies for the `AddTagsToResource` and `RemoveTagsFromResource` actions.  
For example, you could use the following policy to deny users the ability to add or remove tags for all resources. Then, you could create policies to allow specific users to add or remove tags.  


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTagUpdates",
      "Effect": "Deny",
      "Action": [
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource": "*"
    }
  ]
}
```

The following tag-based condition keys only work with administrative resources in administrative policy statements.


**Tag-based administrative condition keys**  

| Condition keys | Description | Type | 
| --- | --- | --- | 
| [aws:RequestTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters access based on the presence of tag key-value pairs in the request. | String | 
| [aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) | Filters access based on tag key-value pairs attached to the resource. | String | 
| [aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | Filters access based on the presence of tag keys in the request. | String | 
| rds:cluster-pg-tag/${TagKey} | Filters access by the tag attached to a DB cluster parameter group. | String | 
| rds:cluster-snapshot-tag/${TagKey} | Filters access by the tag attached to a DB cluster snapshot. | String | 
| rds:cluster-tag/${TagKey} | Filters access by the tag attached to a DB cluster. | String | 
| rds:db-tag/${TagKey} | Filters access by the tag attached to a DB instance. | String | 
| rds:es-tag/${TagKey} | Filters access by the tag attached to an event subscription. | String | 
| rds:pg-tag/${TagKey} | Filters access by the tag attached to a DB parameter group. | String | 
| rds:req-tag/${TagKey} | Filters access by the set of tag keys and values that can be used to tag a resource. | String | 
| rds:secgrp-tag/${TagKey} | Filters access by the tag attached to a DB security group. | String | 
| rds:snapshot-tag/${TagKey} | Filters access by the tag attached to a DB snapshot. | String | 
| rds:subgrp-tag/${TagKey} | Filters access by the tag attached to a DB subnet group. | String | 

# Creating IAM administrative policy statements for Amazon Neptune
Administrative policy examples

## General administrative policy examples
General examples

The following examples show how to create Neptune administrative policies that grant permissions to take various management actions on a DB cluster.

### Policy that prevents an IAM user from deleting a specified DB instance
Prevent instance deletion

The following is an example policy that prevents an IAM user from deleting a specified Neptune DB instance:


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteOneInstance",
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-instance-name"
    }
  ]
}
```


### Policy that grants permission to create new DB instances
Permission to create instances

The following is an example policy that allows an IAM user to create DB instances in a specified Neptune DB cluster:


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateInstance",
      "Effect": "Allow",
      "Action": "rds:CreateDBInstance",
      "Resource": "arn:aws:rds:us-west-2:123456789012:cluster:my-cluster"
    }
  ]
}
```


### Policy that grants permission to create new DB instances that use a specific DB parameter group
Create instances that use a parameter group

The following is an example policy that allows an IAM user to create DB instances in a specified Region (here `us-west-2`) in a specified Neptune DB cluster, using only a specified DB parameter group.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateInstanceWithPG",
      "Effect": "Allow",
      "Action": "rds:CreateDBInstance",
      "Resource": [
        "arn:aws:rds:us-west-2:123456789012:cluster:my-cluster",
        "arn:aws:rds:us-west-2:123456789012:pg:my-instance-pg"
      ]
    }
  ]
}
```


### Policy that grants permission to describe any resource
Permission to describe

The following is an example policy that allows an IAM user to describe any Neptune resource.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribe",
      "Effect": "Allow",
      "Action": "rds:Describe*",
      "Resource": "*"
    }
  ]
}
```


## Tag-based administrative policy examples
Tag-based examples

The following examples show how to create Neptune administrative policies that use tags to filter permissions for various management actions on a DB cluster.

### Example 1: Grant permission for actions on a resource using a custom tag that can take multiple values
Custom tag with multiple values example

The policy below allows use of the `ModifyDBInstance`, `CreateDBInstance` or `DeleteDBInstance` API on any DB instance that has the `env` tag set to either `dev` or `test`:


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDevTestAccess",
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBInstance",
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/env": [
            "dev",
            "test"
          ],
          "rds:DatabaseEngine": "neptune"
        }
      }
    }
  ]
}
```


### Example 2: Limit the set of tag keys and values that can be used to tag a resource
Limiting key use example

This policy uses a `Condition` key to allow a tag that has the key `env` and a value of `test`, `qa`, or `dev` to be added to a resource:


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTagAccessForDevResources",
      "Effect": "Allow",
      "Action": [
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:req-tag/env": [
            "test",
            "qa",
            "dev"
          ],
          "rds:DatabaseEngine": "neptune"
        }
      }
    }
  ]
}
```


### Example 3: Allow full access to Neptune resources based on `aws:ResourceTag`
Using aws:ResourceTag for full access

The following policy is similar to the first example above, but uses the `aws:ResourceTag` instead:


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullAccessToDev",
      "Effect": "Allow",
      "Action": [
        "rds:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/env": "dev",
          "rds:DatabaseEngine": "neptune"
        }
      }
    }
  ]
}
```

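The interaction between the general and the tag-based policies on this page (and the "deny tag updates, then allow specific users" pattern from the condition-key section) can be checked offline with the small evaluator below. It is an added example, not AWS code and not the IAM policy engine: it models only what these examples rely on, namely default deny, an explicit `Deny` overriding any `Allow`, `*` wildcards in `Action` and `Resource`, and `StringEquals` against the `rds:db-tag/`, `aws:ResourceTag/` and `rds:DatabaseEngine` condition keys. The policy dictionaries are the page's `DenyTagUpdates`, `DenyDeleteOneInstance`, `AllowDescribe`, `AllowDevTestAccess` and `AllowFullAccessToDev` statements; the second instance ARN, the cluster ARN and the request contexts are constructed sample values, and `evaluate`/`demo` are names chosen here.

```python
"""Offline evaluator for the Neptune administrative policies shown on this page.

Added example, not AWS code and not the real IAM engine. It models only what
these examples rely on: default deny, explicit Deny beating Allow, '*' and '?'
wildcards in Action and Resource, and the StringEquals operator with single-
or multi-valued condition keys. NotAction, policy variables, SCPs and other
operators are deliberately not modelled; use the IAM policy simulator for
anything authoritative.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """StringEquals only: every key must be present in the request context and
    equal one of the listed values. Condition key names are case-insensitive."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, wanted in pairs.items():
            if ctx.get(key.lower()) not in _as_list(wanted):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # Action names are matched case-insensitively; ARNs are case-sensitive.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_ok(stmt.get("Condition"), context)


def evaluate(policies, action, resource, context=None):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, resource, context or {}):
                if stmt["Effect"] == "Deny":
                    return "explicit-deny"   # an explicit Deny always wins
                allowed = True
    return "allow" if allowed else "implicit-deny"


# The page's own policy statements, as Python dicts.
DENY_TAG_UPDATES = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyTagUpdates", "Effect": "Deny",
    "Action": ["rds:AddTagsToResource", "rds:RemoveTagsFromResource"], "Resource": "*"}]}
DENY_DELETE_ONE_INSTANCE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDeleteOneInstance", "Effect": "Deny", "Action": "rds:DeleteDBInstance",
    "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-instance-name"}]}
ALLOW_DESCRIBE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowDescribe", "Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"}]}
ALLOW_DEV_TEST_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowDevTestAccess", "Effect": "Allow",
    "Action": ["rds:ModifyDBInstance", "rds:CreateDBInstance", "rds:DeleteDBInstance"],
    "Resource": "*", "Condition": {"StringEquals": {
        "rds:db-tag/env": ["dev", "test"], "rds:DatabaseEngine": "neptune"}}}]}
ALLOW_FULL_ACCESS_TO_DEV = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowFullAccessToDev", "Effect": "Allow", "Action": ["rds:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/env": "dev", "rds:DatabaseEngine": "neptune"}}}]}

# Constructed sample requests: the page's instance ARN plus a made-up second instance
# and cluster, with the condition context IAM would derive from each resource's tags.
PROTECTED_DB = "arn:aws:rds:us-west-2:123456789012:db:my-instance-name"
SCRATCH_DB = "arn:aws:rds:us-west-2:123456789012:db:scratch-instance"
PROD_CLUSTER = "arn:aws:rds:us-west-2:123456789012:cluster:prod-cluster"
CTX_DEV = {"rds:db-tag/env": "dev", "aws:ResourceTag/env": "dev", "rds:DatabaseEngine": "neptune"}
CTX_PROD = {"rds:db-tag/env": "prod", "aws:ResourceTag/env": "prod", "rds:DatabaseEngine": "neptune"}


def demo():
    """Evaluate a handful of requests against all five policies attached together."""
    policies = [DENY_TAG_UPDATES, DENY_DELETE_ONE_INSTANCE, ALLOW_DESCRIBE,
                ALLOW_DEV_TEST_ACCESS, ALLOW_FULL_ACCESS_TO_DEV]
    requests = {
        "modify dev instance":        ("rds:ModifyDBInstance", SCRATCH_DB, CTX_DEV),
        "modify prod instance":       ("rds:ModifyDBInstance", SCRATCH_DB, CTX_PROD),
        "tag dev instance":           ("rds:AddTagsToResource", SCRATCH_DB, CTX_DEV),
        "delete protected instance":  ("rds:DeleteDBInstance", PROTECTED_DB, CTX_DEV),
        "delete scratch instance":    ("rds:DeleteDBInstance", SCRATCH_DB, CTX_DEV),
        "describe prod cluster":      ("rds:DescribeDBClusters", PROD_CLUSTER, CTX_PROD),
        "reboot without engine key":  ("rds:RebootDBInstance", SCRATCH_DB, {"aws:ResourceTag/env": "dev"}),
    }
    return {name: evaluate(policies, *req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

Two results are worth noting for policy authors: "tag dev instance" is denied even though `AllowFullAccessToDev` grants `rds:*` on `dev` resources, because the `DenyTagUpdates` statement from the Important note is an explicit deny; and "reboot without engine key" is denied because `StringEquals` on a key that is absent from the request context evaluates to false, so every key in a `Condition` block must actually be present for the statement to apply.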