Security for Aerospike Graph

Aerospike Graph Service (AGS) supports role-based access control (RBAC), TLS encryption, and audit logging. Use these features together to build a comprehensive security posture for your graph deployment.

Access control

AGS supports two levels of access control: database-level RBAC (if your Aerospike cluster already uses RBAC) and graph-level RBAC using JWTs. Use one or both depending on your security requirements:

Database-level RBAC

Authenticate against an RBAC-enabled cluster.

RBAC with Aerospike Database

Graph-level RBAC

Assign roles to users with JWTs.

RBAC for AGS

Encryption

AGS supports TLS encryption for data in transit between your application and AGS, and between AGS and Aerospike Database. You can enable TLS on either or both connections. Start with the TLS overview to understand the architecture:

TLS architecture

Understand TLS across Aerospike Graph.

TLS overview

Client encryption

TLS for Gremlin client connections.

TLS between application and AGS

Backend encryption

TLS for connections to Aerospike Database.

TLS between AGS and Aerospike DB

Auditing

AGS can log user actions for compliance and incident investigation. Audit logs capture write, delete, and call step operations, so you have a record of who changed what and when.

Compliance logging

Record graph mutations and call steps.

Audit logging

Note

Audit logging requires RBAC for AGS to be enabled. Without RBAC, there is no user identity to associate with logged operations.