Security Graphs on AWS

Build a security graph with Amazon Neptune to efficiently manage the security of your IT infrastructure

What is a security graph?

A security graph is a graph representing assets that you want to protect and the relationships between these assets and roles within your organization. This can include computer networks, telecom networks, distribution routes, payment systems and other parts of your IT infrastructure. Using a graph database to model these assets enables you to use relationships in your data to consider how different dimensions of your IT environment interact, and the connections between layers of your infrastructure. Security graphs can be used for proactive detection, reactive investigation, and as part of a defense-in-depth strategy for customers to improve their IT security.

CloudHealth by VMware: Secure State. Manages Over 50M Assets from Billions of Events on AWS

Why use a graph for your organization's security?

Modern security profiles take a layered security approach. No individual layer stops all threats, but together they mitigate a wide variety of threats and provide redundancy should any layer fail. It is important to realize that these layers are often loosely coupled and individually managed. By storing this information in a graph, the relationships between those layers can be modeled and analyzed to provide a holistic view of the security profile and to find gaps across the layers.

Bad actors plan their schemes in the form of a graph. They need to understand what infrastructure they can utilize that will have pathways to the system or data they target, what identities they can compromise that will give them access to that infrastructure, and what telemetry or monitoring they need to circumvent.
To protect your organization’s resources, you can model them as a graph representing how they are connected to each other and to your users. This makes it easy to discover valuable insights, such as over-extended permissions that leave resources vulnerable. If a resource is compromised, you can query your graph to determine the attack surface and where security may be compromised through the installation of backdoors or other malware.

Why use a graph database to store your security graph?

Graph databases help to store and manage your security graph because they are purpose-built to store and navigate the relationships in your data. Their query languages are designed to work with data that is highly connected, making querying the data for patterns and connections simple, fast, and reliable. Graph databases treat relationships as “first-class citizens,” have flexible schemas, and provide higher performance for graph query traversals. This makes graph databases capable of sophisticated detection of threats and security breaches by utilizing the relationships between users, roles, and IT resources.

Using a relational database for your security graph is challenging because relational databases are built for storing and analyzing tabular data. They are inefficient at storing and querying the relationships between highly interconnected entities such as network resources and access patterns, where you need to explore and visualize connections and groups within the data. Using a relational database and SQL to query relationships can result in multiple complex joins and longer processing times, which may lead to missed opportunities to identify security risks.

Security Graph Use Cases

Cloud Security Posture Management (CSPM)

CSPM is the process of continuously monitoring the cloud infrastructure to detect security gaps, misconfigurations, and compliance risks, and to enforce policies where such gaps exist. With graph databases, you can visualize your cloud infrastructure and resources. Getting a holistic, contextual view of your cloud inventory provides visibility into cloud assets, helping you to plan, predict, and mitigate any risk associated with your infrastructure.

Data Flow/Exfiltration Prevention

Data exfiltration is a malicious activity involving targeting, copying, and transferring sensitive data outside of your control. Common targets include financial records, customer data, and intellectual property. Attackers can often do this remotely and disguise it to look like legitimate traffic, making it difficult to detect. You can graph your data flow from source to destination, which helps you to detect incidents in which data was transferred out of your control. For example, mapping the process of loading data from an S3 bucket to Amazon Neptune helps you to flag cases where data is copied elsewhere, such as to a different S3 bucket.

Identity and Access Management

You can use graph databases to monitor and visualize IAM policies and ensure that the right users and roles have the appropriate access to the right resources. A graphical representation of the resources an IAM policy has access to will help you uncover details such as unwanted access to a resource for a security group.
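The access review described above, as an added example that is not part of the original page or of Amazon Neptune: a small in-memory property graph stands in for a Neptune cluster, the IAM users, roles, policies and buckets are constructed sample data, and the edge labels (ASSUMES, MEMBER_OF, ATTACHED, ALLOWS) are assumed rather than taken from any scanner's schema. The traversal answers the question a security graph is built for: which users can reach a given resource, and through which chain of relationships.

```python
from collections import deque

# Constructed sample security graph (not data from a real account). Nodes are
# IAM users, groups, roles, policies and S3 buckets; edge labels are assumed.
EDGES = [
    ("user:alice", "ASSUMES", "role:Admin"),
    ("user:bob", "ASSUMES", "role:ReadOnly"),
    ("user:carol", "MEMBER_OF", "group:Developers"),
    ("group:Developers", "ATTACHED", "policy:DevAccess"),
    ("role:Admin", "ATTACHED", "policy:FullAccess"),
    ("role:ReadOnly", "ATTACHED", "policy:S3ReadOnly"),
    ("policy:FullAccess", "ALLOWS", "s3:customer-records"),
    ("policy:DevAccess", "ALLOWS", "s3:customer-records"),
    ("policy:S3ReadOnly", "ALLOWS", "s3:public-assets"),
]

def build_adjacency(edges):
    # Index edges by source node so each traversal step is a dictionary lookup.
    adj = {}
    for src, label, dst in edges:
        adj.setdefault(src, []).append((label, dst))
    return adj

def paths_to(adj, start, target, max_depth=4):
    """Breadth-first search for every directed path from start to target of at
    most max_depth hops, shortest first. In openCypher on Neptune the same
    question is MATCH p=(s)-[*1..4]->(t) ... RETURN p (edge labels assumed)."""
    found, queue = [], deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        if (len(path) - 1) // 2 >= max_depth:  # path alternates node, edge, node
            continue
        for label, nxt in adj.get(node, []):
            new_path = path + [f"-{label}->", nxt]
            if nxt == target:
                found.append(" ".join(new_path))
            elif nxt not in path:  # skip cycles such as mutual role assumption
                queue.append((nxt, new_path))
    return found

def principals_with_access(adj, resource, prefix="user:"):
    """Map every user that can reach `resource` to the shortest path granting
    that access: the over-extended-permission review described in the text."""
    result = {}
    for node in adj:
        if node.startswith(prefix):
            paths = paths_to(adj, node, resource)
            if paths:
                result[node] = paths[0]
    return result
```

Running `principals_with_access(build_adjacency(EDGES), "s3:customer-records")` shows that carol reaches the sensitive bucket only through her group membership, the kind of indirect grant a per-policy review misses.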

Digital Forensics

In the event of data theft, breaches, or unauthorized network penetration, organizations need various digital forensic tools to identify, preserve, analyze, and present digital evidence. By using graph databases to map your users to the organization’s network resources and data, you can establish a chain of custody for the affected data and resources, outlining access patterns and pointing out possible areas of vulnerability.

Software Supply Chain Security

Software supply chains can be represented as a graph outlining resource ownership and identifying permissions to deploy and access resources in the supply chain. A software supply chain graph provides you with a unique view of your infrastructure, applications, open-source projects, and secrets, and can combine this data to identify chains of risk, providing you with a real-time representation of your software supply chain. For example, when a software vulnerability notice is posted, a graph can highlight all of your impacted applications, rather than relying on a broadcast message to development teams to investigate. This can save valuable time and resources.

Using Amazon Neptune for Security Graphs

You can build your security graph solution using Amazon Neptune, a fast, reliable, fully managed graph database service that makes it easy to build and run applications with highly connected data.

Amazon Neptune is purpose-built for storing billions of relationships and querying the graph with millisecond latency. Neptune is compatible with open graph APIs, and supports the popular graph models Property Graph and W3C's RDF, and their respective query languages Apache TinkerPop Gremlin, openCypher, and SPARQL. While graph databases usually require extensive hardware management, provisioning, and manual scaling, Neptune is a fully managed service, so you no longer have to worry about database management tasks. You can be up and running with Neptune clusters in a matter of minutes, with a few clicks in the AWS Management Console or API calls.

With Neptune, you can query relationships in your data to easily uncover insights such as which users have access to which resources, or how your infrastructure is connected. As a fully managed service, Neptune executes fast graph queries so you can detect unwanted access or exposed resources in real time, helping you manage the security of your IT infrastructure. You can also use Neptune’s native integration with Amazon OpenSearch Service, or export your graph data to analytics and security tools such as Splunk, to search for insights in your data and discover security events.

Benefits of Amazon Neptune for security graphs

High scalability and availability

With Amazon Neptune, you can scale compute and memory resources by automatically creating or removing replica instances. Based on usage, Amazon Neptune storage will automatically grow to up to 128 TiB with no impact on database performance. Amazon Neptune is highly available, with read replicas, point-in-time recovery, continuous backup, and replication across Availability Zones (AZs).

Cost-effective customer data platforms

Amazon Neptune reduces the cost of managing your graph database by eliminating the need for hardware and software investments and reducing operational burden. A security graph built on Amazon Neptune can enable you to build a cost-effective graph mapping your resources and providing you insights on your infrastructure security.

Highly Secure

Amazon Neptune is configured to be secure by default, with support for encryption in transit and encryption at rest. Amazon Neptune is in scope for FedRAMP, PCI DSS, and ISO compliance programs, and is SOC 1, 2, and 3 compliant, so you can build security and threat detection solutions that meet regulatory compliance requirements.

Using relationships as 'First-class citizens'

Security is about managing the relationships between resources, policies, roles, data, applications, and projects. With Amazon Neptune, these relationships are stored as first-class data, not metadata calculated at runtime. This allows for more intuitive query patterns across that data and better performance.



LifeOmic leverages the cloud, machine learning, and mobile devices to enable precision medicine for healthcare providers, researchers, health IT companies and patients. LifeOmic’s JupiterOne is a DevSecOps solution built in the cloud, for the cloud to automate and simplify security and compliance such as HIPAA and PCI. "JupiterOne fills a key role in the market as cybersecurity, helping SaaS customers of all sizes develop, deploy, certify and maintain secure software," said Erkang Zheng, Chief Information Security Officer at LifeOmic. "Using Amazon Neptune has enabled us to accelerate software development, reduce our operational costs and make connections in our datasets that immediately identify potential misconfigurations and security issues."


Organizations of all sizes use the Wiz Security Graph to identify and prioritize critical risks across their cloud estate. Built on Amazon Neptune, the Wiz Security Graph shows the interconnected relationships between cloud resources and the toxic combinations that indicate the highest priority risks, helping users to visualize and secure everything they build and run in the cloud.

Getting started

Get started with Amazon Neptune, a fully managed graph database

Amazon Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. The core of Amazon Neptune is a purpose-built, high-performance graph database engine optimized for storing billions of relationships and querying the graph with millisecond latency. Amazon Neptune supports the popular graph models Property Graph and W3C's RDF, and their respective query languages openCypher, Apache TinkerPop Gremlin, and SPARQL, allowing you to more easily build queries that efficiently navigate highly connected datasets. Neptune powers graph use cases such as recommendation engines, fraud detection, knowledge graphs, drug discovery, and IT security.

Graph your AWS resources with Amazon Neptune

In the post below, we walk through an example released for Neptune’s integration with Altimeter. Altimeter is an open-source project (MIT License) from Tableau Software, LLC that scans AWS resources and links these resources into a graph. You can store, query, and visualize the data in Neptune. You can query the graph to examine the AWS resources and their relationships in an account. For example, you can query for resources or pathways that expose a cluster with a public IP address to check for security and compliance.