Actions, Resources, and Condition Keys for AWS Directory Service
AWS Directory Service (service prefix: ds) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to protect this service and its resources by using IAM permission policies.
Topics
Actions Defined by AWS Directory Service
You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions
for anyone performing an operation in AWS. When you use an action in a policy,
you usually allow or deny access to the API operation or CLI command with the
same name. However, in some cases, a single action controls access to more than
one operation. Alternatively, some operations require several different actions.
For details about the columns in the following table, see The Actions Table.
| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AcceptSharedDirectory | Accepts a directory sharing request that was sent from the directory owner account. | Write | |||
| AddIpRoutes | Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services | Write |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:DescribeSecurityGroups |
||
| AddTagsToResource | Adds or overwrites one or more tags for the specified Amazon Directory Services directory. | Tagging |
ec2:CreateTags |
||
| CancelSchemaExtension | Cancels an in-progress schema extension to a Microsoft AD directory. | Write | |||
| ConnectDirectory | Creates an AD Connector to connect to an on-premises directory. | Tagging |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
| CreateAlias | Creates an alias for a directory and assigns the alias to the directory. | Write | |||
| CreateComputer | Creates a computer account in the specified directory, and joins the computer to the directory. | Write | |||
| CreateConditionalForwarder | Creates a conditional forwarder associated with your AWS directory. | Write | |||
| CreateDirectory | Creates a Simple AD directory. | Tagging |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
| CreateIdentityPoolDirectory [permission only] | Creates a IdentityPool Directory in the AWS cloud. | Tagging | |||
| CreateLogSubscription | Creates a subscription to forward real time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account. | Write | |||
| CreateMicrosoftAD | Creates a Microsoft AD in the AWS cloud. | Tagging |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
| CreateSnapshot | Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud. | Write | |||
| CreateTrust | Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain. | Write | |||
| DeleteConditionalForwarder | Deletes a conditional forwarder that has been set up for your AWS directory. | Write | |||
| DeleteDirectory | Deletes an AWS Directory Service directory. | Write |
ec2:DeleteNetworkInterface ec2:DeleteSecurityGroup ec2:DescribeNetworkInterfaces ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress |
||
| DeleteLogSubscription | Deletes the specified log subscription. | Write | |||
| DeleteSnapshot | Deletes a directory snapshot. | Write | |||
| DeleteTrust | Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Write | |||
| DeregisterEventTopic | Removes the specified directory as a publisher to the specified SNS topic. | Write | |||
| DescribeConditionalForwarders | Obtains information about the conditional forwarders for this account. | Read | |||
| DescribeDirectories | Obtains information about the directories that belong to this account. | List | |||
| DescribeDomainControllers | Provides information about any domain controllers in your directory. | Read | |||
| DescribeEventTopics | Obtains information about which SNS topics receive status messages from the specified directory. | Read | |||
| DescribeSharedDirectories | Returns the shared directories in your account. | Read | |||
| DescribeSnapshots | Obtains information about the directory snapshots that belong to this account. | Read | |||
| DescribeTrusts | Obtains information about the trust relationships for this account. | Read | |||
| DisableRadius | Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | |||
| DisableSso | Disables single-sign on for a directory. | Write | |||
| EnableRadius | Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | |||
| EnableSso | Enables single-sign on for a directory. | Write | |||
| GetAuthorizedApplicationDetails [permission only] | Read | ||||
| GetDirectoryLimits | Obtains directory limit information for the current region. | Read | |||
| GetSnapshotLimits | Obtains the manual snapshot limits for a directory. | Read | |||
| ListIpRoutes | Lists the address blocks that you have added to a directory. | Read | |||
| ListLogSubscriptions | Lists the active log subscriptions for the AWS account. | Read | |||
| ListSchemaExtensions | Lists all schema extensions applied to a Microsoft AD Directory. | List | |||
| ListTagsForResource | Lists all tags on an Amazon Directory Services directory. | Read | |||
| RegisterEventTopic | Associates a directory with an SNS topic. | Write |
sns:GetTopicAttributes |
||
| RejectSharedDirectory | Rejects a directory sharing request that was sent from the directory owner account. | Write | |||
| RemoveIpRoutes | Removes IP address blocks from a directory. | Write | |||
| RemoveTagsFromResource | Removes tags from an Amazon Directory Services directory. | Tagging |
ec2:DeleteTags |
||
| ResetUserPassword | Resets the password for any user in your AWS Managed Microsoft AD or Simple AD directory. | Write | |||
| RestoreFromSnapshot | Restores a directory using an existing directory snapshot. | Write | |||
| ShareDirectory | Shares a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region. | Write | |||
| StartSchemaExtension | Applies a schema extension to a Microsoft AD directory. | Write | |||
| UnshareDirectory | Stops the directory sharing between the directory owner and consumer accounts. | Write | |||
| UpdateConditionalForwarder | Updates a conditional forwarder that has been set up for your AWS directory. | Write | |||
| UpdateNumberOfDomainControllers | Adds or removes domain controllers to or from the directory. Based on the difference between current value and new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request. | Write | |||
| UpdateRadius | Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory. | Write | |||
| VerifyTrust | Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Read |
Resources Defined by AWS Directory Service
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The Resource Types Table.
Condition Keys for AWS Directory Service
AWS Directory Service defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The Condition Keys Table.
To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
