Access control using AWS Lambda, AWS Cognito, GraphQL, Neo4j and Serverless framework

Good day graph enthusiasts,

This topic's goal is to tap into collective intelligence to point me in the right direction of solving access control given a very particular technology stack.


My solution runs on Amazon AWS and implements a relatively classic GRAND stack. At the heart of it is a knowledge graph powered by Neo4j. I deploy everything using Serverless Framework.

Currently I have two things that access my knowledge graph:
Apollo GraphQL server running inside a Lambda function and a bunch of Docker containers writing through Bolt on a regular basis using Python's official Neo4j driver. All of these things are running inside a private subnet which allows them to communicate freely. However, the only way to invoke the Lambda is to call a particular AWS API Gateway endpoint which has an AWS Cognito authoriser associated with it (Serverless Framework makes it very easy to set up). This means that only registered users (those inside a Cognito user pool) are able to use GraphQL to communicate with my database.


I want my GraphQL endpoint to become a single point of contact with my Neo4j database (and, in future, my database casual cluster). Both, services (ECS containers, scrapers, ETL pipelines, etc.) as well as front-end users should transact through Apollo GraphQL server.

On top of that, I should be able to, later, implement access management for real users to limit certain parts of the application (I was envisioning to do this with the neo4j-graphql-js' access management).


I've thus stumbled upon a little impedance mismatch: AWS Cognito works fine for registered front-end users but doesn't really play well with all the rest (services and such).


How would you address it?

  • Would you use neo4j-graphql-js' access control for all things user ACL?
  • Would you leave Cognito as authoriser of the API Gateway access and let services identify themselves as if they where users through AWS SDK (Cognito client)?
  • Would you get rid of Cognito all together and use something else (Custom lambda functions maybe)?
  • Would you let services invoke Lambda through AWS SDK (Lambda client) while completely bypassing Cognito?

All ideas are welcome. I'll have to make a move soon but would like to make a smart one.

Hi @malik, how are you?

Nice architecture of yours. It is very similar to what I am planning to do. So, I have a couple of questions for you, if I may:

  1. Is your environment build or you are working on it?

  2. If the env is built, how did you resolve the external access to the neo4j browser (outside of the private subnet)?

I am new at AWS Cloud and the 2nd point is exactly where I am focusing my attention at this moment and I'd like to know whether you could share with me your best practices and lessons learned. It would save a lot of research time for me.

Best regards,

Hi @renatospaka,

Thanks for chiming in. My infrastructure is all done by now, yes, so I can answer your second question:

Both development and production neo4j databases are running on AWS EC2 instances inside private subnets of one of my main VPC with no external access. In order to be able to use Neo4j browser, you'll have to create a VPN profile specifically for your VPC and use this connection whenever you need BOLT or SSH access to your instances.

Amazon describes the way to do this. However, if you're new to AWS, it can be pretty arcane. Hang in there as you dig through documentation. Feel free to reach out if you need help with any particular aspect of this setup.

Having said that, here's the gist of where to start:

In your main web console, type VPC and select the first choice. Go to VPN > Client VPN Endpoints. Configure a new endpoint along with the necessary route rules. In my case, I wanted to have internet access and access to all instances running inside my private subnets while connected. So, there's some additional routing to be done there in order to achieve that. You should also have a certificate either issued by Amazon (the option I'd recommend) or import yours. Once you've set everything up, Amazon allows you to download your OpenVPN profile configuration file you'll be able to use with your Windows, Linux or MacOS VPN client such as Tunnelblick.

Once the VPN connection has been established, you can use Neo4j browser as if your databases weren't inside a private subnet.



1 Like

Good morning, @malik

Thanks for answering me and sending these tips. I will dig into some readings & documentation about AWS architecture.