Actions, resources, and condition keys for AWS Directory Service

AWS Directory Service (service prefix: ds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by AWS Directory Service
Resource types defined by AWS Directory Service
Condition keys for AWS Directory Service

Actions defined by AWS Directory Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AcceptSharedDirectory	Accepts a directory sharing request that was sent from the directory owner account.	Write	directory*
AddIpRoutes	Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services	Write	directory*		ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:DescribeSecurityGroups
AddTagsToResource	Adds or overwrites one or more tags for the specified Amazon Directory Services directory.	Tagging	directory*		ec2:CreateTags
AddTagsToResource		Tagging		aws:RequestTag/${TagKey} aws:TagKeys
AuthorizeApplication [permission only]	Authorizes an application for your AWS Directory.	Write	directory*
CancelSchemaExtension	Cancels an in-progress schema extension to a Microsoft AD directory.	Write	directory*
CheckAlias [permission only]	Verifies that the alias is available for use.	Read
ConnectDirectory	Creates an AD Connector to connect to an on-premises directory.	Tagging		aws:RequestTag/${TagKey} aws:TagKeys	ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs
CreateAlias	Creates an alias for a directory and assigns the alias to the directory.	Write	directory*
CreateComputer	Creates a computer account in the specified directory, and joins the computer to the directory.	Write	directory*
CreateConditionalForwarder	Creates a conditional forwarder associated with your AWS directory.	Write	directory*
CreateDirectory	Creates a Simple AD directory.	Tagging		aws:RequestTag/${TagKey} aws:TagKeys	ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs
CreateIdentityPoolDirectory [permission only]	Creates a IdentityPool Directory in the AWS cloud.	Tagging		aws:RequestTag/${TagKey} aws:TagKeys
CreateLogSubscription	Creates a subscription to forward real time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account.	Write	directory*
CreateMicrosoftAD	Creates a Microsoft AD in the AWS cloud.	Tagging		aws:RequestTag/${TagKey} aws:TagKeys	ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs
CreateSnapshot	Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud.	Write	directory*
CreateTrust	Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain.	Write	directory*
DeleteConditionalForwarder	Deletes a conditional forwarder that has been set up for your AWS directory.	Write	directory*
DeleteDirectory	Deletes an AWS Directory Service directory.	Write	directory*		ec2:DeleteNetworkInterface ec2:DeleteSecurityGroup ec2:DescribeNetworkInterfaces ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress
DeleteLogSubscription	Deletes the specified log subscription.	Write	directory*
DeleteSnapshot	Deletes a directory snapshot.	Write	directory*
DeleteTrust	Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain.	Write	directory*
DeregisterCertificate	Deletes from the system the certificate that was registered for a secured LDAP connection.	Write	directory*
DeregisterEventTopic	Removes the specified directory as a publisher to the specified SNS topic.	Write	directory*
DescribeCertificate	Displays information about the certificate registered for a secured LDAP connection.	Read	directory*
DescribeConditionalForwarders	Obtains information about the conditional forwarders for this account.	Read	directory*
DescribeDirectories	Obtains information about the directories that belong to this account.	List
DescribeDomainControllers	Provides information about any domain controllers in your directory.	Read	directory*
DescribeEventTopics	Obtains information about which SNS topics receive status messages from the specified directory.	Read	directory*
DescribeLDAPSSettings	Describes the status of LDAP security for the specified directory.	Read	directory*
DescribeSharedDirectories	Returns the shared directories in your account.	Read	directory*
DescribeSnapshots	Obtains information about the directory snapshots that belong to this account.	Read
DescribeTrusts	Obtains information about the trust relationships for this account.	Read
DisableLDAPS	Deactivates LDAP secure calls for the specified directory.	Write	directory*
DisableRadius	Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory.	Write	directory*
DisableSso	Disables single-sign on for a directory.	Write	directory*
EnableLDAPS	Activates the switch for the specific directory to always use LDAP secure calls.	Write	directory*
EnableRadius	Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory.	Write	directory*
EnableSso	Enables single-sign on for a directory.	Write	directory*
GetAuthorizedApplicationDetails [permission only]		Read	directory*
GetDirectoryLimits	Obtains directory limit information for the current region.	Read
GetSnapshotLimits	Obtains the manual snapshot limits for a directory.	Read	directory*
ListAuthorizedApplications [permission only]	Obtains the aws applications authorized for a directory.	Read	directory*
ListCertificates	For the specified directory, lists all the certificates registered for a secured LDAP connection.	List	directory*
ListIpRoutes	Lists the address blocks that you have added to a directory.	Read	directory*
ListLogSubscriptions	Lists the active log subscriptions for the AWS account.	Read
ListSchemaExtensions	Lists all schema extensions applied to a Microsoft AD Directory.	List	directory*
ListTagsForResource	Lists all tags on an Amazon Directory Services directory.	Read	directory*
RegisterCertificate	Registers a certificate for secured LDAP connection.	Write	directory*
RegisterEventTopic	Associates a directory with an SNS topic.	Write	directory*		sns:GetTopicAttributes
RejectSharedDirectory	Rejects a directory sharing request that was sent from the directory owner account.	Write	directory*
RemoveIpRoutes	Removes IP address blocks from a directory.	Write	directory*
RemoveTagsFromResource	Removes tags from an Amazon Directory Services directory.	Tagging	directory*		ec2:DeleteTags
RemoveTagsFromResource	Removes tags from an Amazon Directory Services directory.	Tagging		aws:RequestTag/${TagKey} aws:TagKeys
ResetUserPassword	Resets the password for any user in your AWS Managed Microsoft AD or Simple AD directory.	Write	directory*
RestoreFromSnapshot	Restores a directory using an existing directory snapshot.	Write	directory*
ShareDirectory	Shares a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region.	Write	directory*
StartSchemaExtension	Applies a schema extension to a Microsoft AD directory.	Write	directory*
UnauthorizeApplication [permission only]	Unauthorizes an application from your AWS Directory.	Write	directory*
UnshareDirectory	Stops the directory sharing between the directory owner and consumer accounts.	Write	directory*
UpdateConditionalForwarder	Updates a conditional forwarder that has been set up for your AWS directory.	Write	directory*
UpdateNumberOfDomainControllers	Adds or removes domain controllers to or from the directory. Based on the difference between current value and new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request.	Write	directory*
UpdateRadius	Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory.	Write	directory*
UpdateTrust	Updates the trust that has been set up between your AWS Managed Microsoft AD directory and an on-premises Active Directory.	Write	directory*
VerifyTrust	Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain.	Read	directory*

Resource types defined by AWS Directory Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types	ARN	Condition keys
directory	`arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}`	aws:ResourceTag/${TagKey}

Condition keys for AWS Directory Service

AWS Directory Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}		String
aws:ResourceTag/${TagKey}		String
aws:TagKeys		String

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Direct Connect

Amazon DynamoDB