AWS Directory Service
Administration Guide (Version 1.0)

AWS Directory Service API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Directory Service API operation, the corresponding actions for which you can grant permissions, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field and the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your AWS Directory Service policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the ds: prefix followed by the API operation name (for example, ds:CreateDirectory).

AWS Directory Service API and Required Permissions for Actions

| AWS Directory Service API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| AddIpRoutes | ds:AddIpRoutes, ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress | * |
| AddTagsToResource | ds:AddTagsToResource | * |
| CancelSchemaExtension | ds:CancelSchemaExtension | * |
| ConnectDirectory | ds:ConnectDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress | * |
| CreateAlias | ds:CreateAlias | * |
| CreateComputer | ds:CreateComputer | * |
| CreateConditionalForwarder | ds:CreateConditionalForwarder | * |
| CreateDirectory | ds:CreateDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress | * |
| CreateMicrosoftAD | ds:CreateMicrosoftAD, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress | * |
| CreateSnapshot | ds:CreateSnapshot | * |
| CreateTrust | ds:CreateTrust | * |
| DeleteConditionalForwarder | ds:DeleteConditionalForwarder | * |
| DeleteDirectory | ds:DeleteDirectory, ec2:DescribeNetworkInterfaces, ec2:DeleteSecurityGroup, ec2:DeleteNetworkInterface, ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress | * |
| DeleteSnapshot | ds:DeleteSnapshot | * |
| DeleteTrust | ds:DeleteTrust | * |
| DeregisterEventTopic | ds:DeregisterEventTopic | * |
| DescribeConditionalForwarders | ds:DescribeConditionalForwarders | * |
| DescribeDirectories | ds:DescribeDirectories | * |
| DescribeEventTopics | ds:DescribeEventTopics | * |
| DescribeSnapshots | ds:DescribeSnapshots | * |
| DescribeTrusts | ds:DescribeTrusts | * |
| DisableRadius | ds:DisableRadius | * |
| DisableSso | ds:DisableSso | * |
| EnableRadius | ds:EnableRadius | * |
| EnableSso | ds:EnableSso | * |
| GetDirectoryLimits | ds:GetDirectoryLimits | * |
| GetSnapshotLimits | ds:GetSnapshotLimits | * |
| ListIpRoutes | ds:ListIpRoutes | * |
| ListSchemaExtensions | ds:ListSchemaExtensions | * |
| ListTagsForResource | ds:ListTagsForResource | * |
| RegisterEventTopic | ds:RegisterEventTopic, sns:GetTopicAttributes | * |
| RemoveIpRoutes | ds:RemoveIpRoutes | * |
| RemoveTagsFromResource | ds:RemoveTagsFromResource | * |
| RestoreFromSnapshot | ds:RestoreFromSnapshot | * |
| StartSchemaExtension | ds:StartSchemaExtension | * |
| UpdateConditionalForwarder | ds:UpdateConditionalForwarder | * |
| UpdateRadius | ds:UpdateRadius | * |
| VerifyTrust | ds:VerifyTrust | * |
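
Several operations in the table need EC2 or SNS actions in addition to their ds: action, so a policy that grants only the ds: prefix is incomplete for them. The following Python check is an added example, not part of the AWS guide: it reports which required actions an identity-based policy fails to allow for a given operation. It assumes policies use only Effect, Action and Resource (NotAction and Condition are not evaluated); the names REQUIRED, SAMPLE_POLICY and missing_actions are illustrative.

```python
import fnmatch

# Rows copied from the table above: API operation -> required IAM actions.
REQUIRED = {
    "CreateDirectory": [
        "ds:CreateDirectory", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
        "ec2:CreateSecurityGroup", "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress"],
    "DeleteDirectory": [
        "ds:DeleteDirectory", "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteSecurityGroup", "ec2:DeleteNetworkInterface",
        "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"],
    "RegisterEventTopic": ["ds:RegisterEventTopic", "sns:GetTopicAttributes"],
}

# Constructed sample policy: full ds: access but only partial EC2 access.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ds:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "*"},
    ],
}

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, patterns):
    # Action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy, operation):
    """Return the actions `operation` needs that `policy` does not allow."""
    allowed, denied = [], []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if stmt["Effect"] == "Deny":
            denied += actions   # conservative: any explicit Deny counts
        elif "*" in _as_list(stmt.get("Resource", [])):
            allowed += actions  # the table lists Resource "*" for every row
    return [a for a in REQUIRED[operation]
            if not _matches(a, allowed) or _matches(a, denied)]

if __name__ == "__main__":
    for op in REQUIRED:
        print(op, "->", missing_actions(SAMPLE_POLICY, op) or "complete")
```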
