Actions, resources, and condition keys for AWS Directory Service
AWS Directory Service (service prefix: ds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Directory Service
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptSharedDirectory | Grants permission to accept a directory sharing request that was sent from the directory owner account | Write | |||
| AccessDSData [permission only] | Grants permission to access directory data using the Directory Service Data API | Permissions management | |||
| AddIpRoutes | Grants permission to add a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services | Write |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:DescribeSecurityGroups |
||
| AddRegion | Grants permission to add two domain controllers in the specified Region for the specified directory | Write |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
| AddTagsToResource | Grants permission to add or overwrite one or more tags for the specified Amazon Directory Services directory | Tagging |
ec2:CreateTags |
||
| AuthorizeApplication [permission only] | Grants permission to authorize an application for your AWS Directory | Write | |||
| CancelSchemaExtension | Grants permission to cancel an in-progress schema extension to a Microsoft AD directory | Write | |||
| CheckAlias [permission only] | Grants permission to verify that the alias is available for use | Read | |||
| ConnectDirectory | Grants permission to create an AD Connector to connect to an on-premises directory | Write |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
| CreateAlias | Grants permission to create an alias for a directory and assigns the alias to the directory | Write | |||
| CreateComputer | Grants permission to create a computer account in the specified directory, and joins the computer to the directory | Write | |||
| CreateConditionalForwarder | Grants permission to create a conditional forwarder associated with your AWS directory | Write | |||
| CreateDirectory | Grants permission to create a Simple AD directory | Write |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
| CreateIdentityPoolDirectory [permission only] | Grants permission to create an IdentityPool Directory in the AWS cloud | Write | |||
| CreateLogSubscription | Grants permission to create a subscription to forward real time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account | Write | |||
| CreateMicrosoftAD | Grants permission to create a Microsoft AD in the AWS cloud | Write |
ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
| CreateSnapshot | Grants permission to create a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud | Write | |||
| CreateTrust | Grants permission to initiate the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain | Write | |||
| DeleteConditionalForwarder | Grants permission to delete a conditional forwarder that has been set up for your AWS directory | Write | |||
| DeleteDirectory | Grants permission to delete an AWS Directory Service directory | Write |
ec2:DeleteNetworkInterface ec2:DeleteSecurityGroup ec2:DescribeNetworkInterfaces ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress |
||
| DeleteLogSubscription | Grants permission to delete the specified log subscription | Write | |||
| DeleteSnapshot | Grants permission to delete a directory snapshot | Write | |||
| DeleteTrust | Grants permission to delete an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain | Write | |||
| DeregisterCertificate | Grants permission to delete from the system the certificate that was registered for a secured LDAP connection | Write | |||
| DeregisterEventTopic | Grants permission to remove the specified directory as a publisher to the specified SNS topic | Write | |||
| DescribeCertificate | Grants permission to display information about the certificate registered for a secured LDAP connection | Read | |||
| DescribeClientAuthenticationSettings | Grants permission to retrieve information about the type of client authentication for the specified directory, if the type is specified. If no type is specified, information about all client authentication types that are supported for the specified directory is retrieved. Currently, only SmartCard is supported | Read | |||
| DescribeConditionalForwarders | Grants permission to obtain information about the conditional forwarders for this account | Read | |||
| DescribeDirectories | Grants permission to obtain information about the directories that belong to this account | List | |||
| DescribeDirectoryDataAccess | Grants permission to describe the Directory Service Data API status for the specified directory | Read | |||
| DescribeDomainControllers | Grants permission to provide information about any domain controllers in your directory | Read | |||
| DescribeEventTopics | Grants permission to obtain information about which SNS topics receive status messages from the specified directory | Read | |||
| DescribeLDAPSSettings | Grants permission to describe the status of LDAP security for the specified directory | Read | |||
| DescribeRegions | Grants permission to provide information about the Regions that are configured for multi-Region replication | Read | |||
| DescribeSettings | Grants permission to retrieve information about the configurable settings for the specified directory | Read | |||
| DescribeSharedDirectories | Grants permission to return the shared directories in your account | Read | |||
| DescribeSnapshots | Grants permission to obtain information about the directory snapshots that belong to this account | Read | |||
| DescribeTrusts | Grants permission to obtain information about the trust relationships for this account | Read | |||
| DescribeUpdateDirectory | Grants permission to describe the updates of a directory for a particular update type | Read | |||
| DisableClientAuthentication | Grants permission to disable alternative client authentication methods for the specified directory | Write | |||
| DisableDirectoryDataAccess | Grants permission to disable the Directory Service Data API for the specified directory | Write | |||
| DisableLDAPS | Grants permission to deactivate LDAP secure calls for the specified directory | Write | |||
| DisableRadius | Grants permission to disable multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory | Write | |||
| DisableRoleAccess [permission only] | Grants permission to disable AWS Management Console access for identity in your AWS Directory | Write | |||
| DisableSso | Grants permission to disable single-sign on for a directory | Write | |||
| EnableClientAuthentication | Grants permission to enable alternative client authentication methods for the specified directory | Write | |||
| EnableDirectoryDataAccess | Grants permission to enable the Directory Service Data API for the specified directory | Write | |||
| EnableLDAPS | Grants permission to activate the switch for the specific directory to always use LDAP secure calls | Write | |||
| EnableRadius | Grants permission to enable multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory | Write | |||
| EnableRoleAccess [permission only] | Grants permission to enable AWS Management Console access for identity in your AWS Directory | Write |
iam:PassRole |
||
| EnableSso | Grants permission to enable single-sign on for a directory | Write | |||
| GetAuthorizedApplicationDetails [permission only] | Grants permission to retrieve the details of the authorized applications on a directory | Read | |||
| GetDirectoryLimits | Grants permission to obtain directory limit information for the current region | Read | |||
| GetSnapshotLimits | Grants permission to obtain the manual snapshot limits for a directory | Read | |||
| ListAuthorizedApplications [permission only] | Grants permission to obtain the AWS applications authorized for a directory | Read | |||
| ListCertificates | Grants permission to list all the certificates registered for a secured LDAP connection, for the specified directory | List | |||
| ListIpRoutes | Grants permission to list the address blocks that you have added to a directory | Read | |||
| ListLogSubscriptions | Grants permission to list the active log subscriptions for the AWS account | Read | |||
| ListSchemaExtensions | Grants permission to list all schema extensions applied to a Microsoft AD Directory | List | |||
| ListTagsForResource | Grants permission to list all tags on an Amazon Directory Services directory | Read | |||
| RegisterCertificate | Grants permission to register a certificate for secured LDAP connection | Write | |||
| RegisterEventTopic | Grants permission to associate a directory with an SNS topic | Write |
sns:GetTopicAttributes |
||
| RejectSharedDirectory | Grants permission to reject a directory sharing request that was sent from the directory owner account | Write | |||
| RemoveIpRoutes | Grants permission to remove IP address blocks from a directory | Write | |||
| RemoveRegion | Grants permission to stop all replication and removes the domain controllers from the specified Region. You cannot remove the primary Region with this operation | Write | |||
| RemoveTagsFromResource | Grants permission to remove tags from an Amazon Directory Services directory | Tagging |
ec2:DeleteTags |
||
| ResetUserPassword | Grants permission to reset the password for any user in your AWS Managed Microsoft AD or Simple AD directory | Write | |||
| RestoreFromSnapshot | Grants permission to restore a directory using an existing directory snapshot | Write | |||
| ShareDirectory | Grants permission to share a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region | Write | |||
| StartSchemaExtension | Grants permission to apply a schema extension to a Microsoft AD directory | Write | |||
| UnauthorizeApplication [permission only] | Grants permission to unauthorize an application from your AWS Directory | Write | |||
| UnshareDirectory | Grants permission to stop the directory sharing between the directory owner and consumer accounts | Write | |||
| UpdateAuthorizedApplication [permission only] | Grants permission to update an authorized application for your AWS Directory | Write | |||
| UpdateConditionalForwarder | Grants permission to update a conditional forwarder that has been set up for your AWS directory | Write | |||
| UpdateDirectory [permission only] | Grants permission to update the configurations like service account credentials or DNS server IP addresses for the specified directory | Write | |||
| UpdateDirectorySetup | Grants permission to update the directory for a particular update type | Write | |||
| UpdateNumberOfDomainControllers | Grants permission to add or remove domain controllers to or from the directory. Based on the difference between current value and new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request | Write | |||
| UpdateRadius | Grants permission to update the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory | Write | |||
| UpdateSettings | Grants permission to update the configurable settings for the specified directory | Write | |||
| UpdateTrust | Grants permission to update the trust that has been set up between your AWS Managed Microsoft AD directory and an on-premises Active Directory | Write | |||
| VerifyTrust | Grants permission to verify a trust relationship between your Microsoft AD in the AWS cloud and an external domain | Read |
Resource types defined by AWS Directory Service
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| directory |
arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
|
Condition keys for AWS Directory Service
AWS Directory Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the value of the request to AWS DS | String |
| aws:ResourceTag/${TagKey} | Filters access by the AWS DS Resource being acted upon | String |
| aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
