

# Creating an Amazon Neptune cluster
<a name="get-started-create-cluster"></a>

The easiest way to create a new Amazon Neptune DB cluster is to use a CloudFormation template that creates all the required resources for you, so that you don't have to set up everything by hand. The CloudFormation template performs much of the setup for you, including creating an Amazon Elastic Compute Cloud (Amazon EC2) instance:

**To launch a new Neptune DB cluster using a CloudFormation template**

1. Create a new IAM user with the permissions you will need for working with your Neptune DB cluster, as explained in [IAM user permissions](manage-console-iam-user.md).

1. Set up additional prerequisites needed to use the CloudFormation template, as explained in [Prerequisites for setting up Amazon Neptune using AWS CloudFormation](get-started-prereqs.md).

1. Invoke the CloudFormation stack, as described in [Creating an Amazon Neptune cluster using AWS CloudFormation](get-started-cfn-create.md).

You can also create a [Neptune global database](neptune-global-database.md) that spans multiple AWS Regions, enabling low-latency global reads and providing fast recovery in the rare case where an outage affects an entire AWS Region.

For information about creating an Amazon Neptune cluster manually using the AWS Management Console, see [Launching a Neptune DB cluster using the AWS Management Console](manage-console-launch-console.md).

You can also use a CloudFormation template to create a Lambda function to use with Neptune (see [Using CloudFormation to Create a Lambda Function to Use in Neptune](get-started-cfn-lambda.md)).

For general information about managing clusters and instances in Neptune, see [Managing Your Amazon Neptune Database](manage-console.md).

# Prerequisites for setting up Amazon Neptune using AWS CloudFormation
<a name="get-started-prereqs"></a>

Before you create an Amazon Neptune cluster using a CloudFormation template, you need to have the following:
+ An Amazon EC2 key pair.
+ The permissions required for using CloudFormation.

## Create an Amazon EC2 Key Pair to use for launching a Neptune cluster using CloudFormation
<a name="cfn-ec2-key-pair"></a>

In order to launch a Neptune DB cluster using a CloudFormation template, you must have an Amazon EC2 key pair (and its associated PEM file) available in the AWS Region where you create the CloudFormation stack. The PEM file is the private half of the key pair; keep it out of version control and readable only by you, because anyone holding it can SSH to the EC2 instance that the template creates.

If you need to create the key pair, see [Creating a Key Pair Using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair) in the Amazon EC2 User Guide for Linux Instances, or [Creating a Key Pair Using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair) in the Amazon EC2 User Guide for Windows Instances, for instructions.

## Add IAM policies to grant permissions needed to use the CloudFormation template
<a name="cfn-iam-perms"></a>

First, you need to have an IAM user set up with permissions needed for working with Neptune, as described in [Creating an IAM user with permissions for Neptune](manage-console-iam-user.md).

Then you need to attach the AWS managed policy `AWSCloudFormationReadOnlyAccess` to that user. Note that this managed policy grants only the read-only CloudFormation actions (`Describe*`, `Get*`, `List*`, `ValidateTemplate`); to create the stack in the procedure that follows, and later to delete it, the user also needs the corresponding write permissions, such as `cloudformation:CreateStack`, `cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet` and `cloudformation:DeleteStack`.

Finally, you need to create the following customer-managed policy and add it to that user:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:passedToService": "rds.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:ListTopics",
                "sns:ListSubscriptions",
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:*:111122223333:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListRetirableGrants",
                "kms:ListKeys",
                "kms:ListAliases",
                "kms:ListKeyPolicies"
            ],
            "Resource": "arn:aws:kms:*:111122223333:key/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "arn:aws:cloudwatch:*:111122223333:service/*-*",
            "Condition": {
                "StringLike": {
                    "cloudwatch:namespace": "AWS/Neptune"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute"
            ],
            "Resource": [
                "arn:aws:ec2:*:111122223333:vpc/*",
                "arn:aws:ec2:*:111122223333:subnet/*",
                "arn:aws:ec2:*:111122223333:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBCluster",
                "rds:CreateDBInstance",
                "rds:AddTagsToResource",
                "rds:ListTagsForResource",
                "rds:RemoveTagsFromResource",
                "rds:RemoveRoleFromDBCluster",
                "rds:ResetDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:ModifyDBParameterGroup",
                "rds:DownloadDBLogFilePortion",
                "rds:CopyDBParameterGroup",
                "rds:AddRoleToDBCluster",
                "rds:ModifyDBInstance",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:DeleteDBInstance",
                "rds:CopyDBClusterParameterGroup",
                "rds:CreateDBParameterGroup",
                "rds:DescribeDBSecurityGroups",
                "rds:DeleteDBSubnetGroup",
                "rds:DescribeValidDBInstanceModifications",
                "rds:ModifyDBCluster",
                "rds:CreateDBClusterSnapshot",
                "rds:DeleteDBParameterGroup",
                "rds:CreateDBClusterParameterGroup",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeDBParameterGroups",
                "rds:FailoverDBCluster",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameters",
                "rds:DeleteDBCluster",
                "rds:ResetDBClusterParameterGroup",
                "rds:RestoreDBClusterToPointInTime",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterParameters",
                "rds:CopyDBClusterSnapshot",
                "rds:DescribeDBLogFiles",
                "rds:DeleteDBClusterSnapshot",
                "rds:RebootDBInstance",
                "rds:DescribeDBClusterSnapshots",
                "rds:DeleteDBClusterParameterGroup",
                "rds:ApplyPendingMaintenanceAction",
                "rds:DescribeDBClusters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:ModifyDBSubnetGroup"
            ],
            "Resource": [
                "arn:aws:rds:*:111122223333:cluster-snapshot:*",
                "arn:aws:rds:*:111122223333:cluster:*",
                "arn:aws:rds:*:111122223333:pg:*",
                "arn:aws:rds:*:111122223333:cluster-pg:*",
                "arn:aws:rds:*:111122223333:secgrp:*",
                "arn:aws:rds:*:111122223333:db:*",
                "arn:aws:rds:*:111122223333:subgrp:*"
            ],
            "Condition": {
                "StringEquals": {
                    "rds:DatabaseEngine": [
                        "graphdb",
                        "neptune"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:111122223333:log-group:*:log-stream:*",
                "arn:aws:logs:*:111122223333:log-group:*"
            ]
        }
    ]
}
```

------

**Note**  
The following permissions are only required to delete a stack: `iam:DeleteRole`, `iam:RemoveRoleFromInstanceProfile`, `iam:DeleteRolePolicy`, `iam:DeleteInstanceProfile`, and `ec2:DeleteVpcEndpoints`.   
Also note that a wildcard action such as `ec2:*Vpc` matches `ec2:DeleteVpc` as well, so don't use wildcards of that kind unless you intend to grant deletion.  
Several of the actions in the policy above do not support resource-level permissions: `ec2:Describe*`, `sns:ListTopics`, `sns:ListSubscriptions`, `kms:ListKeys`, `kms:ListAliases`, `kms:ListRetirableGrants`, `cloudwatch:ListMetrics` and `cloudwatch:GetMetricStatistics` are evaluated only against `"Resource": "*"`. If one of those calls is denied when the stack is created, move the affected actions into their own statement with `"Resource": "*"` and keep the ARN-scoped statements for the actions that do support them. Test the finished policy with the IAM policy simulator before attaching it.
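The following linter is an added example (not AWS tooling or code from this page) for checking a customer-managed policy like the one above before you attach it. It flags actions that IAM evaluates only against `Resource "*"` but that a statement scopes to ARNs, `iam:PassRole` statements that lack an `iam:PassedToService` condition, and duplicated actions, and it rewrites the first kind of problem into a separate `"Resource": "*"` statement. The `NO_RESOURCE_LEVEL` set is an illustrative subset assumed for the example; `POLICY` is a constructed excerpt of the policy in this section plus one deliberately weak statement that is not on the page.

```python
"""Lint a customer-managed IAM policy before attaching it to the
CloudFormation/Neptune user.

Added example, not AWS tooling. Each Allow statement is checked for:
  * actions that IAM evaluates only against Resource "*" but that the
    statement scopes to ARNs (such calls are denied at runtime);
  * iam:PassRole without an iam:PassedToService condition, which lets
    the user hand any role to any service;
  * duplicate actions, which make policy diffs harder to review.
"""
import copy

# Actions that do not support resource-level permissions. An illustrative
# subset assumed for this example; confirm each against the IAM
# "Actions, resources, and condition keys" reference for the service.
NO_RESOURCE_LEVEL = {
    "ec2:DescribeSecurityGroups", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes",
    "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute",
    "sns:ListTopics", "sns:ListSubscriptions",
    "kms:ListKeys", "kms:ListAliases", "kms:ListRetirableGrants",
    "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
}

# Constructed excerpt of the policy in this section (111122223333 is the
# documentation placeholder account). The last statement is deliberately
# weak and is not on the page; it shows what the PassRole check catches.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # PassRole limited to the RDS service principal
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Condition": {"StringEquals": {"iam:passedToService": "rds.amazonaws.com"}},
        },
        {   # Describe calls scoped to ARNs, which IAM cannot honour
            "Effect": "Allow",
            "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets"],
            "Resource": ["arn:aws:ec2:*:111122223333:vpc/*",
                         "arn:aws:ec2:*:111122223333:subnet/*"],
        },
        {   # engine-restricted RDS actions, with one action repeated
            "Effect": "Allow",
            "Action": ["rds:CreateDBCluster", "rds:AddTagsToResource",
                       "rds:DescribeDBClusters", "rds:AddTagsToResource"],
            "Resource": "arn:aws:rds:*:111122223333:cluster:*",
            "Condition": {"StringEquals": {"rds:DatabaseEngine": ["graphdb", "neptune"]}},
        },
        {   # deliberately weak: PassRole to any service, any role
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Condition keys are case-insensitive, so compare them in lower case."""
    keys = set()
    for operator_map in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_map)
    return keys


def lint_policy(policy):
    """Return (statement_index, finding, action) tuples in policy order."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        arn_scoped = "*" not in _as_list(stmt.get("Resource", []))
        seen = set()
        for action in _as_list(stmt.get("Action", [])):
            if action in seen:
                findings.append((idx, "duplicate-action", action))
            seen.add(action)
            if arn_scoped and action in NO_RESOURCE_LEVEL:
                findings.append((idx, "needs-resource-star", action))
            if action == "iam:PassRole" and "iam:passedtoservice" not in _condition_keys(stmt):
                findings.append((idx, "passrole-unconditioned", action))
    return findings


def split_resource_star(policy):
    """Return a copy in which actions that need Resource "*" are moved out of
    ARN-scoped statements into their own statement (one per source
    statement, carrying the source's Condition so no scoping is lost)."""
    fixed = copy.deepcopy(policy)
    kept, extra = [], []
    for stmt in fixed["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
            kept.append(stmt)
            continue
        moved = [a for a in actions if a in NO_RESOURCE_LEVEL]
        remaining = [a for a in actions if a not in NO_RESOURCE_LEVEL]
        if remaining:            # drop the statement if nothing is left in it
            stmt["Action"] = remaining
            kept.append(stmt)
        if moved:
            star = {"Effect": "Allow", "Action": sorted(set(moved)), "Resource": "*"}
            if "Condition" in stmt:
                star["Condition"] = stmt["Condition"]
            extra.append(star)
    fixed["Statement"] = kept + extra
    return fixed


if __name__ == "__main__":
    for idx, kind, action in lint_policy(POLICY):
        print(f"statement {idx}: {kind}: {action}")
```

Run the linter over your real policy document (load it with `json.load`) and then confirm the rewritten policy with `aws iam simulate-custom-policy` for the specific actions and resource ARNs the stack will touch; the linter only knows the subset of no-resource-level actions you give it, so the simulator is the authoritative check.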

# Creating an Amazon Neptune cluster using AWS CloudFormation
<a name="get-started-cfn-create"></a>

You can use a CloudFormation template to set up a Neptune DB cluster.

1. To launch the CloudFormation stack on the CloudFormation console, choose the **Launch Stack** button for your AWS Region from the table on the [Creating an Amazon Neptune cluster using AWS CloudFormation](http://docs.aws.amazon.com/neptune/latest/userguide/get-started-cfn-create.html) page of the AWS documentation.

1. On the **Select Template** page, choose **Next**.

1. On the **Specify Details** page, choose a key pair for the **EC2SSHKeyPairName**.

   This key pair is required to access the EC2 instance. Ensure that you have the PEM file for the key pair that you choose.

1. Choose **Next**.

1. On the **Options** page, choose **Next**.

1. On the **Review** page, select the first check box to acknowledge that CloudFormation will create IAM resources. Select the second check box to acknowledge `CAPABILITY_AUTO_EXPAND` for the new stack. 
**Note**  
`CAPABILITY_AUTO_EXPAND` explicitly acknowledges that macros will be expanded when creating the stack, without prior review. Users often create a change set from a processed template so that the changes made by macros can be reviewed before actually creating the stack. For more information, see the CloudFormation [CreateStack](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html) API.

   Then choose **Create**.
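The note on `CAPABILITY_AUTO_EXPAND` above recommends reviewing a change set rather than creating the stack blind. The following added example (not AWS code and not part of the original page) shows the review step: it takes the JSON that `aws cloudformation describe-change-set` returns after you have run `aws cloudformation create-change-set --change-set-type CREATE --capabilities CAPABILITY_IAM CAPABILITY_AUTO_EXPAND ...`, lists the IAM resources the stack is about to create, blocks execution on anything that would remove or replace a Neptune cluster or instance, and only then lets you call `execute-change-set`. `CHANGE_SET` is a constructed response with the API's shape so the example runs offline; the `STATEFUL_TYPES` set and the logical IDs are assumptions for the example.

```python
"""Review a CloudFormation change set before executing it.

Added example, not AWS code. The input is the response of
`aws cloudformation describe-change-set`; CHANGE_SET below is a constructed
response with the same shape so the example runs without AWS access.
"""

IAM_PREFIX = "AWS::IAM::"
# Resource types whose replacement creates a fresh database (and loses the
# old one unless you restore a snapshot). Assumed for this example.
STATEFUL_TYPES = {"AWS::Neptune::DBCluster", "AWS::Neptune::DBInstance"}

# Constructed describe-change-set response. Logical IDs are invented.
CHANGE_SET = {
    "ChangeSetName": "neptune-review",
    "Status": "CREATE_COMPLETE",
    "Capabilities": ["CAPABILITY_IAM", "CAPABILITY_AUTO_EXPAND"],
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "NeptuneDBCluster",
            "ResourceType": "AWS::Neptune::DBCluster"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "NeptuneEC2ClientRole",
            "ResourceType": "AWS::IAM::Role"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "NeptuneAccessPolicy",
            "ResourceType": "AWS::IAM::ManagedPolicy"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "NeptuneDBInstance",
            "ResourceType": "AWS::Neptune::DBInstance", "Replacement": "True"}},
    ],
}


def review_change_set(change_set):
    """Summarise a change set into what needs a human decision.

    Returns {"iam": [logical ids], "blocking": [reasons/ids], "total": n}.
    """
    report = {"iam": [], "blocking": [], "total": 0}
    if change_set.get("Status") != "CREATE_COMPLETE":
        # A FAILED change set (for example a macro that did not expand)
        # carries a StatusReason; never execute it.
        report["blocking"].append(f"status:{change_set.get('Status')}")
        return report
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        report["total"] += 1
        logical_id = rc.get("LogicalResourceId")
        rtype = rc.get("ResourceType", "")
        if rtype.startswith(IAM_PREFIX):
            report["iam"].append(logical_id)          # what CAPABILITY_IAM acknowledges
        destructive = rc.get("Action") == "Remove" or (
            rc.get("Action") == "Modify"
            and rc.get("Replacement") in ("True", "Conditional"))
        if destructive and rtype in STATEFUL_TYPES:
            report["blocking"].append(logical_id)
    return report


def ok_to_execute(report, approved_iam_ids):
    """Execute only if nothing blocks and every IAM resource was approved."""
    return not report["blocking"] and set(report["iam"]) <= set(approved_iam_ids)


if __name__ == "__main__":
    report = review_change_set(CHANGE_SET)
    print(report)
    print("execute:", ok_to_execute(report, report["iam"]))
```

Pipe the real response in with `aws cloudformation describe-change-set --change-set-name ... --stack-name ... --output json`, and treat the `iam` list as the thing you are acknowledging when you tick the `CAPABILITY_IAM` box: each logical ID should correspond to a role or policy you expect the template to create.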

**Note**  
You can also use your CloudFormation template to [upgrade your DB cluster's engine version.](cfn-engine-update.md)