AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Directory Service

AWS Directory Service (service prefix: ds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Directory Service

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AcceptSharedDirectory | Accepts a directory sharing request that was sent from the directory owner account. | Write | directory* | |
AddIpRoutes | Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on AWS. | Write | directory* | | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:DescribeSecurityGroups
AddTagsToResource | Adds or overwrites one or more tags for the specified AWS Directory Service directory. | Tagging | directory* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:CreateTags
CancelSchemaExtension | Cancels an in-progress schema extension to a Microsoft AD directory. | Write | directory* | |
ConnectDirectory | Creates an AD Connector to connect to an on-premises directory. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateNetworkInterface, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
CreateAlias | Creates an alias for a directory and assigns the alias to the directory. | Write | directory* | |
CreateComputer | Creates a computer account in the specified directory, and joins the computer to the directory. | Write | directory* | |
CreateConditionalForwarder | Creates a conditional forwarder associated with your AWS directory. | Write | directory* | |
CreateDirectory | Creates a Simple AD directory. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateNetworkInterface, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
CreateIdentityPoolDirectory | [permission only] Creates an IdentityPool directory in the AWS cloud. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateLogSubscription | Creates a subscription to forward real-time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account. | Write | directory* | |
CreateMicrosoftAD | Creates a Microsoft AD in the AWS cloud. | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateNetworkInterface, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs
CreateSnapshot | Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud. | Write | directory* | |
CreateTrust | Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain. | Write | directory* | |
DeleteConditionalForwarder | Deletes a conditional forwarder that has been set up for your AWS directory. | Write | directory* | |
DeleteDirectory | Deletes an AWS Directory Service directory. | Write | directory* | | ec2:DeleteNetworkInterface, ec2:DeleteSecurityGroup, ec2:DescribeNetworkInterfaces, ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress
DeleteLogSubscription | Deletes the specified log subscription. | Write | directory* | |
DeleteSnapshot | Deletes a directory snapshot. | Write | directory* | |
DeleteTrust | Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Write | directory* | |
DeregisterEventTopic | Removes the specified directory as a publisher to the specified SNS topic. | Write | directory* | |
DescribeConditionalForwarders | Obtains information about the conditional forwarders for this account. | Read | directory* | |
DescribeDirectories | Obtains information about the directories that belong to this account. | List | | |
DescribeDomainControllers | Provides information about any domain controllers in your directory. | Read | directory* | |
DescribeEventTopics | Obtains information about which SNS topics receive status messages from the specified directory. | Read | directory* | |
DescribeSharedDirectories | Returns the shared directories in your account. | Read | directory* | |
DescribeSnapshots | Obtains information about the directory snapshots that belong to this account. | Read | | |
DescribeTrusts | Obtains information about the trust relationships for this account. | Read | | |
DisableRadius | Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | directory* | |
DisableSso | Disables single sign-on for a directory. | Write | directory* | |
EnableRadius | Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | directory* | |
EnableSso | Enables single sign-on for a directory. | Write | directory* | |
GetAuthorizedApplicationDetails | [permission only] | Read | directory* | |
GetDirectoryLimits | Obtains directory limit information for the current region. | Read | | |
GetSnapshotLimits | Obtains the manual snapshot limits for a directory. | Read | directory* | |
ListIpRoutes | Lists the address blocks that you have added to a directory. | Read | directory* | |
ListLogSubscriptions | Lists the active log subscriptions for the AWS account. | Read | | |
ListSchemaExtensions | Lists all schema extensions applied to a Microsoft AD directory. | List | directory* | |
ListTagsForResource | Lists all tags on an AWS Directory Service directory. | Read | directory* | |
RegisterEventTopic | Associates a directory with an SNS topic. | Write | directory* | | sns:GetTopicAttributes
RejectSharedDirectory | Rejects a directory sharing request that was sent from the directory owner account. | Write | directory* | |
RemoveIpRoutes | Removes IP address blocks from a directory. | Write | directory* | |
RemoveTagsFromResource | Removes tags from an AWS Directory Service directory. | Tagging | directory* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:DeleteTags
ResetUserPassword | Resets the password for any user in your AWS Managed Microsoft AD or Simple AD directory. | Write | directory* | |
RestoreFromSnapshot | Restores a directory using an existing directory snapshot. | Write | directory* | |
ShareDirectory | Shares a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region. | Write | directory* | |
StartSchemaExtension | Applies a schema extension to a Microsoft AD directory. | Write | directory* | |
UnshareDirectory | Stops the directory sharing between the directory owner and consumer accounts. | Write | directory* | |
UpdateConditionalForwarder | Updates a conditional forwarder that has been set up for your AWS directory. | Write | directory* | |
UpdateNumberOfDomainControllers | Adds or removes domain controllers to or from the directory. Based on the difference between the current value and the new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request. | Write | directory* | |
UpdateRadius | Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory. | Write | directory* | |
VerifyTrust | Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Read | directory* | |

Actions that list no resource type (DescribeDirectories, DescribeSnapshots, DescribeTrusts, GetDirectoryLimits, ListLogSubscriptions, and the directory-creating actions ConnectDirectory, CreateDirectory, CreateIdentityPoolDirectory and CreateMicrosoftAD) cannot be scoped to a directory ARN: grant them with Resource "*" and, where the action supports them, restrict them with the aws:RequestTag/${TagKey} and aws:TagKeys condition keys instead. Actions with dependent actions fail with an authorization error unless the caller is also allowed every dependent action listed, even when the ds action itself is allowed.
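The "some operations require several different actions" point is where least-privilege policies for this service most often break: a principal allowed ds:AddIpRoutes alone is still denied, because the table lists three ec2 actions the call depends on. The following Python is an added example, not code from the AWS documentation: it builds a policy that pins the ds action to one directory ARN and grants its dependent EC2 actions, then checks any policy's Allow statements against dependent-action rows copied from the table. The account number 123456789012, region us-east-1 and directory ID d-1234567890 are placeholders constructed for the example.

```python
"""Least-privilege policy for ds:AddIpRoutes plus a dependent-action check.

Added example, not from the AWS documentation. Account, region and directory
ID below are placeholders constructed for this example.
"""
from fnmatch import fnmatchcase
import json

# Dependent actions copied from the actions table on this page (a subset of rows).
DEPENDENT_ACTIONS = {
    "ds:AddIpRoutes": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeSecurityGroups",
    ],
    "ds:DeleteDirectory": [
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeNetworkInterfaces",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
    ],
    "ds:RegisterEventTopic": ["sns:GetTopicAttributes"],
    "ds:AddTagsToResource": ["ec2:CreateTags"],
}

# Placeholder ARN (constructed): account 123456789012, directory d-1234567890.
DIRECTORY_ARN = "arn:aws:ds:us-east-1:123456789012:directory/d-1234567890"

# The ds action is pinned to one directory. The EC2 dependencies act on the
# directory's security groups, not on the directory ARN, so they get "*" here;
# narrow them with EC2 resource ARNs or condition keys such as ec2:Vpc in a real
# deployment.
ADD_IP_ROUTES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ds:AddIpRoutes", "Resource": DIRECTORY_ARN},
        {
            "Effect": "Allow",
            "Action": DEPENDENT_ACTIONS["ds:AddIpRoutes"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Collect every Action pattern from the policy's Allow statements."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def _matches(action, patterns):
    # IAM action wildcards ("ec2:Describe*", "ds:*") are glob-style and case-insensitive.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_dependencies(policy, deps=DEPENDENT_ACTIONS):
    """List (ds_action, dependent_action) pairs where the ds action is allowed
    but one of its dependent actions is not."""
    patterns = allowed_action_patterns(policy)
    missing = []
    for ds_action, required in deps.items():
        if not _matches(ds_action, patterns):
            continue
        for dep in required:
            if not _matches(dep, patterns):
                missing.append((ds_action, dep))
    return sorted(missing)


# A policy that grants the ds action but forgets two of the EC2 dependencies.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ds:AddIpRoutes", "ec2:DescribeSecurityGroups"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(ADD_IP_ROUTES_POLICY, indent=2))
    print(missing_dependencies(ADD_IP_ROUTES_POLICY))  # []
    print(missing_dependencies(INCOMPLETE_POLICY))     # the two missing Authorize* actions
```

The checker only looks at Allow statements and action patterns; it does not model Deny statements, resource scoping or conditions, so a clean result means the dependent actions are named, not that the policy as a whole authorizes the call.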

Resources Defined by AWS Directory Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys
directory | arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId} | aws:ResourceTag/${TagKey}

Condition Keys for AWS Directory Service

AWS Directory Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String
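The directory ARN pattern and the three tag keys above are what let a policy for this service be scoped to particular directories rather than to the whole account: aws:ResourceTag/${TagKey} gates actions on an existing directory by its tags, while aws:RequestTag/${TagKey} and aws:TagKeys gate the directory-creating actions, which have no resource ARN to match. The following Python is an added example, not code from the AWS documentation or from IAM itself: a deliberately small evaluator that models only Resource ARN wildcards and the tag condition keys on this page (StringEquals, StringLike and the ForAllValues set operator), run against constructed requests. Account 123456789012, region us-east-1 and the d-... directory IDs are placeholders.

```python
"""Evaluate directory-scoped, tag-conditioned statements against sample requests.

Added example, not part of the AWS documentation. Models only what this page
covers: Resource ARN wildcards and the aws:RequestTag, aws:ResourceTag and
aws:TagKeys condition keys with StringEquals, StringLike and ForAllValues.
Account, region and directory IDs are placeholders constructed for the example.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # placeholder
DIRECTORY_ARN_PREFIX = f"arn:aws:ds:us-east-1:{ACCOUNT}:directory/"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # New directories must carry Environment=prod and only Environment/Owner keys.
            "Sid": "CreateOnlyTaggedProd",
            "Effect": "Allow",
            "Action": "ds:CreateMicrosoftAD",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/Environment": "prod"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["Environment", "Owner"]},
            },
        },
        {   # Deletion is limited to this account's directories tagged Environment=dev.
            "Sid": "DeleteOnlyDev",
            "Effect": "Allow",
            "Action": "ds:DeleteDirectory",
            "Resource": DIRECTORY_ARN_PREFIX + "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "dev"}},
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """ctx maps condition-key names to a string or, for aws:TagKeys, a list of strings."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = _as_list(ctx.get(key, []))
            if base_op == "StringEquals":
                match = lambda a: a in expected
            elif base_op == "StringLike":
                match = lambda a: any(fnmatchcase(a, e) for e in expected)
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if set_op == "ForAllValues":
                ok = all(match(a) for a in actual)          # vacuously true when key absent
            elif set_op == "ForAnyValue":
                ok = any(match(a) for a in actual)
            else:
                ok = len(actual) == 1 and match(actual[0])  # single-valued key must be present
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource_arn, ctx):
    """Explicit Allow only (no Deny statements in this model); default is implicit deny."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed requests; the context values mirror what IAM derives from the call.
def create_request(tags):
    return ("ds:CreateMicrosoftAD", "*",
            {**{f"aws:RequestTag/{k}": v for k, v in tags.items()},
             "aws:TagKeys": list(tags)})


def delete_request(directory_id, resource_tags, account=ACCOUNT):
    arn = f"arn:aws:ds:us-east-1:{account}:directory/{directory_id}"
    return ("ds:DeleteDirectory", arn,
            {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})


if __name__ == "__main__":
    print(is_allowed(POLICY, *create_request({"Environment": "prod", "Owner": "idam"})))  # True
    print(is_allowed(POLICY, *create_request({"Environment": "prod", "Team": "x"})))      # False: extra key
    print(is_allowed(POLICY, *create_request({})))                                        # False: untagged
    print(is_allowed(POLICY, *delete_request("d-1234567890", {"Environment": "dev"})))    # True
    print(is_allowed(POLICY, *delete_request("d-1234567890", {"Environment": "prod"})))   # False
    print(is_allowed(POLICY, *delete_request("d-0987654321", {"Environment": "dev"}, "999999999999")))  # False
```

ForAllValues:StringEquals evaluates true when aws:TagKeys is absent, so on its own it would let an untagged CreateMicrosoftAD call through; the create statement therefore also requires aws:RequestTag/Environment via StringEquals, which fails when that key is missing. The same pairing is what keeps the tagging actions (AddTagsToResource, RemoveTagsFromResource) from being used to strip the Environment tag and then delete a production directory under the DeleteOnlyDev statement.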