Aura security is achieved by following the best practices around running database instances. Based on our best practices for operating Neo4j securely, this is a summary of what we implement.
- Your database sits behind a VPC. This is a shared VPC for the Professional tier but private to your environment for the Enterprise tier.
- Only the necessary ports are open.
- Access to the Neo4j database is restricted to the encrypted Bolt port only (via strong TLS ciphers) and HTTPS for access to the console.
- We use SSL certificates issued from a trusted certificate authority (CA).
- We rotate these certificates at least every 90 days.
- SSL is enabled for causal clustering. See Intra-cluster encryption.
- Causal clustering is configured to use encryption for backups.
Access and authorisation
- We always use the latest security patch version of Neo4j.
- Aura (Enterprise tier only) makes use of SSO for Bloom and Browser and the native Neo4j authentication for the rest.
- LOAD CSV is enabled; we ensure that it only allows authorised users to import data.
Manage extensions and their security:
- The configuration neo4j.conf file has disabled ports relating to deprecated functions such as remote JMX (controlled by the parameter setting
- We disable Neo4j Browser caching credentials by setting
- We ensure the correct file permissions are set on the Neo4j files and restrict access to the bin, lib, and plugins directories to protect against the execution of unauthorised extensions.
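As an added example (not Aura's or Neo4j's own tooling), the script below audits the three self-managed hardening items listed above: it parses a constructed neo4j.conf fragment for the Browser credential-caching setting and any JVM flag that opens a remote JMX port, then walks the bin, lib and plugins directories and flags anything writable by group or others. The setting name `browser.retain_connection_credentials`, the `com.sun.management.jmxremote.port` JVM flag and the port value 3637 are assumed here; the page does not spell them out, and the sample config and directory tree are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed sample neo4j.conf fragment (not from the page): Browser credential
# caching left on, and an active JVM flag opening a remote JMX port.
SAMPLE_CONF = """\
# Neo4j configuration (constructed sample)
server.bolt.enabled=true
browser.retain_connection_credentials=true
dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637
#dbms.jvm.additional=-Dcom.sun.management.jmxremote.ssl=false
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments.
    Keys may repeat (dbms.jvm.additional does), so values are kept in lists."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit_config(text):
    """Return findings for the two configuration items the page mentions.
    Setting names are assumed Neo4j names, not taken from the page."""
    findings = []
    settings = parse_conf(text)
    # Browser must not cache credentials: anything but an explicit false fails.
    retain = settings.get("browser.retain_connection_credentials", [])
    if retain != ["false"]:
        findings.append("browser.retain_connection_credentials is not set to false")
    # Any uncommented JVM flag that opens a remote JMX port is a finding.
    for flag in settings.get("dbms.jvm.additional", []):
        if "com.sun.management.jmxremote.port" in flag:
            findings.append(f"remote JMX port enabled via {flag}")
    return findings


def audit_permissions(root, subdirs=("bin", "lib", "plugins")):
    """Flag directories and files under the Neo4j subdirectories that are writable
    by group or others; such entries could let an unauthorised user drop in an extension."""
    findings = []
    for sub in subdirs:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            findings.append(f"{sub}: directory missing")
            continue
        for dirpath, _dirnames, filenames in os.walk(base):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                mode = os.lstat(path).st_mode
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    rel = os.path.relpath(path, root)
                    findings.append(
                        f"{rel}: writable by group/others (mode {stat.S_IMODE(mode):04o})"
                    )
    return findings


def run_demo():
    """Build a constructed Neo4j-like tree with one deliberately lax file, audit it
    together with SAMPLE_CONF, and return (config_findings, permission_findings)."""
    root = tempfile.mkdtemp(prefix="neo4j-audit-")
    for sub in ("bin", "lib", "plugins"):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)  # explicit, so umask cannot skew the result
    good = os.path.join(root, "lib", "neo4j.jar")       # constructed placeholder file
    bad = os.path.join(root, "plugins", "custom.jar")   # constructed placeholder file
    for path, mode in ((good, 0o644), (bad, 0o666)):
        with open(path, "w") as fh:
            fh.write("placeholder")
        os.chmod(path, mode)
    return audit_config(SAMPLE_CONF), audit_permissions(root)


if __name__ == "__main__":
    conf_findings, perm_findings = run_demo()
    for finding in conf_findings + perm_findings:
        print("FINDING:", finding)
```

Point `audit_config` at the real neo4j.conf contents and `audit_permissions` at the Neo4j home directory to run the same checks against an actual installation; a clean result is two empty lists.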