本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 在 Amazon Neptune 中建立 IAM 資料存取政策
下列範例說明如何建立自訂 IAM 政策,使用 Neptune [引擎 1.2.0.0 版](engine-releases-1.2.0.0.md)中引進的資料平面 API 和動作的精細存取控制。
## 允許不受限制地存取 Neptune 資料庫叢集中資料的政策範例
以下範例政策可讓 IAM 使用者利用 IAM 資料庫身分驗證,連線至 Neptune 資料庫叢集,以及使用 "`*`" 字元比對所有可用的動作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "neptune-db:*",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
上述範例包含資源 ARN,其格式為 Neptune IAM 身分驗證的專屬格式。若要建構 ARN,請參閱[指定資料資源](iam-data-resources.md)。請注意,用於 IAM 授權 `Resource` 的 ARN 不同於在建立時指派給叢集的 ARN。
## 允許對 Neptune 資料庫叢集進行唯讀存取的政策範例
以下政策會授與對 Neptune 資料庫叢集中資料進行完整唯讀存取的許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:Read*",
"neptune-db:Get*",
"neptune-db:List*"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 允許對 Neptune 資料庫叢集的所有存取的政策範例
預設 IAM 動作是拒絕存取資料庫叢集,除非已授與 `Allow`「效果」**。不過,下列政策會拒絕對特定 AWS 帳戶和區域資料庫叢集的所有存取,然後優先於任何`Allow`效果。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "neptune-db:*",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 透過查詢授與讀取存取權的政策範例
以下政策只會授與使用查詢從 Neptune 資料庫叢集讀取的許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "neptune-db:ReadDataViaQuery",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 只允許 Gremlin 查詢的政策範例
以下政策會使用 `neptune-db:QueryLanguage` 條件金鑰,授與僅使用 Gremlin 查詢語言查詢 Neptune 的許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"neptune-db:ReadDataViaQuery",
"neptune-db:WriteDataViaQuery",
"neptune-db:DeleteDataViaQuery"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"neptune-db:QueryLanguage": "Gremlin"
}
}
}
]
}
```
------
## 允許除了 Neptune ML 模型管理以外的所有存取的政策範例
以下政策會授與 Neptune 圖形操作的完整存取權,但 Neptune ML 模型管理功能除外:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:CancelLoaderJob",
"neptune-db:CancelQuery",
"neptune-db:DeleteDataViaQuery",
"neptune-db:DeleteStatistics",
"neptune-db:GetEngineStatus",
"neptune-db:GetLoaderJobStatus",
"neptune-db:GetQueryStatus",
"neptune-db:GetStatisticsStatus",
"neptune-db:GetStreamRecords",
"neptune-db:ListLoaderJobs",
"neptune-db:ManageStatistics",
"neptune-db:ReadDataViaQuery",
"neptune-db:ResetDatabase",
"neptune-db:StartLoaderJob",
"neptune-db:WriteDataViaQuery"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 允許存取 Neptune ML 模型管理的政策範例
此政策會授與 Neptune ML 模型管理功能的存取權:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:CancelMLDataProcessingJob",
"neptune-db:CancelMLModelTrainingJob",
"neptune-db:CancelMLModelTransformJob",
"neptune-db:CreateMLEndpoint",
"neptune-db:DeleteMLEndpoint",
"neptune-db:GetMLDataProcessingJobStatus",
"neptune-db:GetMLEndpointStatus",
"neptune-db:GetMLModelTrainingJobStatus",
"neptune-db:GetMLModelTransformJobStatus",
"neptune-db:ListMLDataProcessingJobs",
"neptune-db:ListMLEndpoints",
"neptune-db:ListMLModelTrainingJobs",
"neptune-db:ListMLModelTransformJobs",
"neptune-db:StartMLDataProcessingJob",
"neptune-db:StartMLModelTrainingJob",
"neptune-db:StartMLModelTransformJob"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 授與完整查詢存取權的政策
以下政策會授與 Neptune 圖形查詢操作的完整存取權,但不會授與快速重設、串流、大量載入器、Neptune ML 模型管理等功能的完整存取權:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:ReadDataViaQuery",
"neptune-db:WriteDataViaQuery",
"neptune-db:DeleteDataViaQuery",
"neptune-db:GetEngineStatus",
"neptune-db:GetQueryStatus",
"neptune-db:CancelQuery"
],
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------
## 僅對 Gemlin 查詢授與完整存取權的政策範例
以下政策會授與使用 Gremlin 查詢語言完整存取 Neptune 圖形查詢操作的權限,但不會授權其他語言的查詢,也不會授權快速重設、串流、大量載入器、Neptune ML 模型管理等功能:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": [
"neptune-db:ReadDataViaQuery",
"neptune-db:WriteDataViaQuery",
"neptune-db:DeleteDataViaQuery",
"neptune-db:GetEngineStatus",
"neptune-db:GetQueryStatus",
"neptune-db:CancelQuery"
],
"Resource": [
"arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
],
"Condition": {
"StringEquals": {
"neptune-db:QueryLanguage":"Gremlin"
}
}
}
]
}
```
------
## 授與完整存取權 (快速重設除外) 的政策範例
以下政策會授與 Neptune 資料庫叢集的完整存取權,但使用快速重設除外:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "neptune-db:*",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
},
{
"Effect": "Deny",
"Action": "neptune-db:ResetDatabase",
"Resource": "arn:aws:neptune-db:us-east-1:123456789012:cluster-ABCD1234EFGH5678IJKL90MNOP/*"
}
]
}
```
------