Actions, Resources, and Condition Keys for AWS Directory Service
AWS Directory Service (service prefix: ds) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to protect this service and its resources by using IAM permission policies.
Topics
Actions Defined by AWS Directory Service
You can specify the following actions in the Action element of an IAM
policy statement. By using policies, you define the permissions for anyone performing
an
operation in AWS. When you use an action in a policy, you usually allow or deny access
to
the API operation or CLI command with the same name. However, in some cases, a single
action
controls access to more than one operation. Alternatively, some operations require
several
different actions. For details about the columns in the following table, see The Actions Table.
| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddIpRoutes | Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services | Write | |||
| AddTagsToResource | Adds or overwrites one or more tags for the specified Amazon Directory Services directory. | Tagging | |||
| CancelSchemaExtension | Cancels an in-progress schema extension to a Microsoft AD directory. | Write | |||
| ConnectDirectory | Creates an AD Connector to connect to an on-premises directory. | Write | |||
| CreateAlias | Creates an alias for a directory and assigns the alias to the directory. | Write | |||
| CreateComputer | Creates a computer account in the specified directory, and joins the computer to the directory. | Write | |||
| CreateConditionalForwarder | Creates a conditional forwarder associated with your AWS directory. | Write | |||
| CreateDirectory | Creates a Simple AD directory. | Write | |||
| CreateMicrosoftAD | Creates a Microsoft AD in the AWS cloud. | Write | |||
| CreateSnapshot | Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud. | Write | |||
| CreateTrust | Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain. | Write | |||
| DeleteConditionalForwarder | Deletes a conditional forwarder that has been set up for your AWS directory. | Write | |||
| DeleteDirectory | Deletes an AWS Directory Service directory. | Write | |||
| DeleteSnapshot | Deletes a directory snapshot. | Write | |||
| DeleteTrust | Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Write | |||
| DeregisterEventTopic | Removes the specified directory as a publisher to the specified SNS topic. | Write | |||
| DescribeConditionalForwarders | Obtains information about the conditional forwarders for this account. | Read | |||
| DescribeDirectories | Obtains information about the directories that belong to this account. | List | |||
| DescribeEventTopics | Obtains information about which SNS topics receive status messages from the specified directory. | Read | |||
| DescribeSnapshots | Obtains information about the directory snapshots that belong to this account. | Read | |||
| DescribeTrusts | Obtains information about the trust relationships for this account. | Read | |||
| DisableRadius | Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | |||
| DisableSso | Disables single-sign on for a directory. | Write | |||
| EnableRadius | Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory. | Write | |||
| EnableSso | Enables single-sign on for a directory. | Write | |||
| GetDirectoryLimits | Obtains directory limit information for the current region. | Read | |||
| GetSnapshotLimits | Obtains the manual snapshot limits for a directory. | Read | |||
| ListIpRoutes | Lists the address blocks that you have added to a directory. | Read | |||
| ListSchemaExtensions | Lists all schema extensions applied to a Microsoft AD Directory. | List | |||
| ListTagsForResource | Lists all tags on an Amazon Directory Services directory. | Read | |||
| RegisterEventTopic | Associates a directory with an SNS topic. | Write | |||
| RemoveIpRoutes | Removes IP address blocks from a directory. | Write | |||
| RemoveTagsFromResource | Removes tags from an Amazon Directory Services directory. | Tagging | |||
| RestoreFromSnapshot | Restores a directory using an existing directory snapshot. | Write | |||
| StartSchemaExtension | Applies a schema extension to a Microsoft AD directory. | Write | |||
| UpdateConditionalForwarder | Updates a conditional forwarder that has been set up for your AWS directory. | Write | |||
| UpdateRadius | Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory. | Write | |||
| VerifyTrust | Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain. | Read |
Resources Defined by Directory Service
Directory Service has no service-defined resources that can be used as the Resource element of an IAM policy statement.
Condition Keys for AWS Directory Service
Directory Service has no service-specific context keys that can be used in the
Condition element of policy statements. For the list of the global context keys
that are available to all services, see Available Keys for
Conditions in the IAM Policy Reference.
