AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Directory Service

AWS Directory Service (service prefix: ds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Directory Service

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level |
|---|---|---|
| AddIpRoutes | Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services. | Write |
| AddTagsToResource | Adds or overwrites one or more tags for the specified Amazon Directory Services directory. | Tagging |
| CancelSchemaExtension | Cancels an in-progress schema extension to a Microsoft AD directory. | Write |
| ConnectDirectory | Creates an AD Connector to connect to an on-premises directory. | Write |
| CreateAlias | Creates an alias for a directory and assigns the alias to the directory. | Write |
| CreateComputer | Creates a computer account in the specified directory, and joins the computer to the directory. | Write |
| CreateConditionalForwarder | Creates a conditional forwarder associated with your AWS directory. | Write |
| CreateDirectory | Creates a Simple AD directory. | Write |
| CreateMicrosoftAD | Creates a Microsoft AD in the AWS cloud. | Write |
| CreateSnapshot | Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud. | Write |
| CreateTrust | Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain. | Write |
| DeleteConditionalForwarder | Deletes a conditional forwarder that has been set up for your AWS directory. | Write |
| DeleteDirectory | Deletes an AWS Directory Service directory. | Write |
| DeleteSnapshot | Deletes a directory snapshot. | Write |
| DeleteTrust | Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Write |
| DeregisterEventTopic | Removes the specified directory as a publisher to the specified SNS topic. | Write |
| DescribeConditionalForwarders | Obtains information about the conditional forwarders for this account. | Read |
| DescribeDirectories | Obtains information about the directories that belong to this account. | List |
| DescribeEventTopics | Obtains information about which SNS topics receive status messages from the specified directory. | Read |
| DescribeSnapshots | Obtains information about the directory snapshots that belong to this account. | Read |
| DescribeTrusts | Obtains information about the trust relationships for this account. | Read |
| DisableRadius | Disables multi-factor authentication (MFA) with the Remote Authentication Dial-In User Service (RADIUS) server for an AD Connector directory. | Write |
| DisableSso | Disables single sign-on for a directory. | Write |
| EnableRadius | Enables multi-factor authentication (MFA) with the Remote Authentication Dial-In User Service (RADIUS) server for an AD Connector directory. | Write |
| EnableSso | Enables single sign-on for a directory. | Write |
| GetDirectoryLimits | Obtains directory limit information for the current region. | Read |
| GetSnapshotLimits | Obtains the manual snapshot limits for a directory. | Read |
| ListIpRoutes | Lists the address blocks that you have added to a directory. | Read |
| ListSchemaExtensions | Lists all schema extensions applied to a Microsoft AD directory. | List |
| ListTagsForResource | Lists all tags on an Amazon Directory Services directory. | Read |
| RegisterEventTopic | Associates a directory with an SNS topic. | Write |
| RemoveIpRoutes | Removes IP address blocks from a directory. | Write |
| RemoveTagsFromResource | Removes tags from an Amazon Directory Services directory. | Tagging |
| RestoreFromSnapshot | Restores a directory using an existing directory snapshot. | Write |
| StartSchemaExtension | Applies a schema extension to a Microsoft AD directory. | Write |
| UpdateConditionalForwarder | Updates a conditional forwarder that has been set up for your AWS directory. | Write |
| UpdateRadius | Updates the Remote Authentication Dial-In User Service (RADIUS) server information for an AD Connector directory. | Write |
| VerifyTrust | Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Read |

No action in this table lists a resource type, condition key or dependent action, so the Resource Types (*required), Condition Keys and Dependent Actions columns are omitted.
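The following is an added example, not code from the AWS documentation or the Directory Service API. It builds a least-privilege identity-based policy from the ds actions in the table (read-level Describe*/List*/Get* and VerifyTrust allowed; the destructive Write actions explicitly denied) and includes a small evaluator that models how IAM decides a single policy: an explicit Deny wins, then a matching Allow, otherwise an implicit deny. The evaluator is a simplified model by assumption: it checks only Effect, Action and NotAction, ignores Resource and Condition (the page says ds defines no resource types or service-specific condition keys), and does not model SCPs, permission boundaries or resource-based policies.

```python
"""Least-privilege policy for AWS Directory Service (ds) plus a policy evaluator.

Added example, not AWS code. The evaluator is a simplified model of IAM's
evaluation logic for ONE identity-based policy: explicit Deny > Allow >
implicit deny. Resource and Condition are deliberately ignored because the
ds service defines neither resource types nor service-specific condition keys.
"""
import fnmatch
import json

# Read-only operator policy built from action names in the ds action table.
# Destructive Write actions are explicitly denied so that another attached
# policy granting ds:* cannot re-enable them by accident.
READ_ONLY_OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DirectoryReadOnly",
            "Effect": "Allow",
            "Action": ["ds:Describe*", "ds:List*", "ds:Get*", "ds:VerifyTrust"],
            "Resource": "*",
        },
        {
            "Sid": "DenyDestructiveChanges",
            "Effect": "Deny",
            "Action": [
                "ds:DeleteDirectory",
                "ds:DeleteSnapshot",
                "ds:DeleteTrust",
                "ds:DisableRadius",
                "ds:DisableSso",
                "ds:RestoreFromSnapshot",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts Action/NotAction as a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports the * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity-based policy.

    Simplified model (assumption): only Effect, Action and NotAction are
    considered; Resource and Condition are skipped because ds defines neither.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        else:
            # NotAction: the statement applies to every action NOT listed.
            hit = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins, whatever its position
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def policy_json(policy):
    """Render the policy document as the JSON you would attach in IAM."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(READ_ONLY_OPERATOR_POLICY))
    for act in ["ds:DescribeDirectories", "ds:DeleteDirectory", "ds:CreateDirectory"]:
        print(f"{act:26} -> {evaluate(READ_ONLY_OPERATOR_POLICY, act)}")
```

Running the block prints the policy document and then shows the three outcomes: DescribeDirectories is allowed by the wildcard, DeleteDirectory is explicitly denied even though nothing else mentions it, and CreateDirectory falls through to the implicit deny because no statement matches it. Keeping the Deny statement separate from the Allow is the point: the page notes that one action can control several operations, and an explicit deny is the only way to make sure a broader Allow elsewhere does not silently grant them.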

Resources Defined by Directory Service

Directory Service has no service-defined resources that can be used as the Resource element of an IAM policy statement.

Condition Keys for AWS Directory Service

Directory Service has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.