

This is a machine-translated version of the English original. If there is any ambiguity or inconsistency in the content, the English version takes precedence.

# Prerequisites for Setting Up Amazon Neptune Using AWS CloudFormation
<a name="get-started-prereqs"></a>

Before you create an Amazon Neptune cluster using a CloudFormation template, you need the following:
+ An Amazon EC2 key pair.
+ The permissions required to use CloudFormation.

## Create an Amazon EC2 Key Pair for Launching a Neptune Cluster Using CloudFormation
<a name="cfn-ec2-key-pair"></a>

To launch a Neptune DB cluster using a CloudFormation template, you must have an Amazon EC2 key pair (and its associated PEM file) available in the Region in which you create the CloudFormation stack.

If you need to create a key pair, see [Create a key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair) in the *Amazon EC2 User Guide for Linux Instances*, or [Create a key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair) in the *Amazon EC2 User Guide for Windows Instances*.

## Add an IAM Policy to Grant the Permissions Required to Use CloudFormation Templates
<a name="cfn-iam-perms"></a>

First, set up an IAM user that has the permissions required to use Neptune, as described in [Creating an IAM User with Neptune Permissions](manage-console-iam-user.md).

Next, add the AWS managed policy `AWSCloudFormationReadOnlyAccess` to that user.

Finally, create the following customer managed policy and add it to that user. Replace the `{{111122223333}}` placeholder (braces included) with your own AWS account ID; every `Resource` ARN is scoped to that account so the user cannot act on roles, topics, keys or database resources in other accounts:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::{{111122223333}}:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:passedToService": "rds.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:ListTopics",
                "sns:ListSubscriptions",
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:*:{{111122223333}}:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListRetirableGrants",
                "kms:ListKeys",
                "kms:ListAliases",
                "kms:ListKeyPolicies"
            ],
            "Resource": "arn:aws:kms:*:{{111122223333}}:key/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "arn:aws:cloudwatch:*:{{111122223333}}:service/*-*",
            "Condition": {
                "StringLike": {
                    "cloudwatch:namespace": "AWS/Neptune"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute"
            ],
            "Resource": [
                "arn:aws:ec2:*:{{111122223333}}:vpc/*",
                "arn:aws:ec2:*:{{111122223333}}:subnet/*",
                "arn:aws:ec2:*:{{111122223333}}:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBCluster",
                "rds:CreateDBInstance",
                "rds:AddTagsToResource",
                "rds:ListTagsForResource",
                "rds:RemoveTagsFromResource",
                "rds:RemoveRoleFromDBCluster",
                "rds:ResetDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:ModifyDBParameterGroup",
                "rds:DownloadDBLogFilePortion",
                "rds:CopyDBParameterGroup",
                "rds:AddRoleToDBCluster",
                "rds:ModifyDBInstance",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:DeleteDBInstance",
                "rds:CopyDBClusterParameterGroup",
                "rds:CreateDBParameterGroup",
                "rds:DescribeDBSecurityGroups",
                "rds:DeleteDBSubnetGroup",
                "rds:DescribeValidDBInstanceModifications",
                "rds:ModifyDBCluster",
                "rds:CreateDBClusterSnapshot",
                "rds:DeleteDBParameterGroup",
                "rds:CreateDBClusterParameterGroup",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeDBParameterGroups",
                "rds:FailoverDBCluster",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameters",
                "rds:DeleteDBCluster",
                "rds:ResetDBClusterParameterGroup",
                "rds:RestoreDBClusterToPointInTime",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterParameters",
                "rds:CopyDBClusterSnapshot",
                "rds:DescribeDBLogFiles",
                "rds:DeleteDBClusterSnapshot",
                "rds:RebootDBInstance",
                "rds:DescribeDBClusterSnapshots",
                "rds:DeleteDBClusterParameterGroup",
                "rds:ApplyPendingMaintenanceAction",
                "rds:DescribeDBClusters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:ModifyDBSubnetGroup"
            ],
            "Resource": [
                "arn:aws:rds:*:{{111122223333}}:cluster-snapshot:*",
                "arn:aws:rds:*:{{111122223333}}:cluster:*",
                "arn:aws:rds:*:{{111122223333}}:pg:*",
                "arn:aws:rds:*:{{111122223333}}:cluster-pg:*",
                "arn:aws:rds:*:{{111122223333}}:secgrp:*",
                "arn:aws:rds:*:{{111122223333}}:db:*",
                "arn:aws:rds:*:{{111122223333}}:subgrp:*"
            ],
            "Condition": {
                "StringEquals": {
                    "rds:DatabaseEngine": [
                        "graphdb",
                        "neptune"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:{{111122223333}}:log-group:*:log-stream:*",
                "arn:aws:logs:*:{{111122223333}}:log-group:*"
            ]
        }
    ]
}
```


**Note**  
The following permissions are needed only to delete the stack: `iam:DeleteRole`, `iam:RemoveRoleFromInstanceProfile`, `iam:DeleteRolePolicy`, `iam:DeleteInstanceProfile`, and `ec2:DeleteVpcEndpoints`.  
Also note that `ec2:*Vpc` grants `ec2:DeleteVpc` permission.
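The conditions in the customer managed policy above are what keep this user Neptune-only: `iam:PassedToService` stops `iam:PassRole` from becoming a way to hand any role in the account to a service such as Lambda or EC2, and `rds:DatabaseEngine` restricts the shared RDS API actions to the Neptune engine (including its legacy `graphdb` name). IAM condition key names are not case-sensitive, so the `iam:passedToService` spelling in the policy matches the documented key. The following Python is an added example, not code from the Neptune documentation or from AWS: a deliberately simplified, offline re-implementation of how an IAM Allow statement matches a request (Action and Resource wildcards plus the `StringEquals` and `StringLike` operators; Deny statements, `NotAction`, policy variables and the rest of the real engine are out of scope), applied to two statements copied from the policy. The role and cluster names in the sample requests are constructed for the demo, and `ACCOUNT` stands in for the `111122223333` placeholder.

```python
"""Added example: a minimal model of IAM Allow-statement matching, used to show
what the Condition blocks in the Neptune CloudFormation policy rule out.
Not AWS code; handles Action/Resource wildcards and StringEquals/StringLike only."""
import fnmatch
import json

ACCOUNT = "111122223333"  # the placeholder account ID used in the policy above

# Two statements copied from the policy above, with the account placeholder filled in.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "rds.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["rds:CreateDBCluster", "rds:DeleteDBCluster"],
     "Resource": "arn:aws:rds:*:111122223333:cluster:*",
     "Condition": {"StringEquals": {"rds:DatabaseEngine": ["graphdb", "neptune"]}}}
  ]}""")


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, context):
    """Every operator and every key must match. A key that is absent from the
    request context makes a StringEquals/StringLike condition fail, as in IAM.
    `context` keys are expected in lowercase (see is_allowed)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key.lower())  # condition key names are case-insensitive
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringLike":
                if not any(_glob(p, actual) for p in expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, the resource ARN and all
    of its conditions against `context`, e.g. {"iam:PassedToService": "..."}."""
    ctx = {k.lower(): v for k, v in (context or {}).items()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; ARNs are matched as written.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False  # no Allow matched: implicit deny


# Constructed sample requests; the role and cluster names are made up for the demo.
ROLE = f"arn:aws:iam::{ACCOUNT}:role/NeptuneLoadFromS3"
CLUSTER = f"arn:aws:rds:us-east-1:{ACCOUNT}:cluster:neptune-demo"


def demo():
    rds = {"iam:PassedToService": "rds.amazonaws.com"}
    return {
        # What the template needs: pass a role in this account to the RDS/Neptune service.
        "pass_role_to_rds": is_allowed(POLICY, "iam:PassRole", ROLE, rds),
        # Same role, different service: without the condition this user could attach any
        # role in the account to a Lambda function or EC2 instance under their control.
        "pass_role_to_lambda": is_allowed(
            POLICY, "iam:PassRole", ROLE, {"iam:PassedToService": "lambda.amazonaws.com"}),
        # A role in another account falls outside the account-scoped Resource ARN.
        "pass_role_other_account": is_allowed(
            POLICY, "iam:PassRole", "arn:aws:iam::999999999999:role/Admin", rds),
        # Neptune is allowed ...
        "create_neptune_cluster": is_allowed(
            POLICY, "rds:CreateDBCluster", CLUSTER, {"rds:DatabaseEngine": "neptune"}),
        # ... but the same RDS API call for an Aurora cluster is not.
        "create_aurora_cluster": is_allowed(
            POLICY, "rds:CreateDBCluster", CLUSTER, {"rds:DatabaseEngine": "aurora-postgresql"}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26} {'ALLOW' if allowed else 'DENY (implicit)'}")
```

Running the script prints one ALLOW or DENY line per constructed request. The model covers only what this page needs; to check the real policy against real requests, use `aws iam simulate-custom-policy`, which evaluates them with the actual IAM engine.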