AWS Directory Service
Administration Guide (Version 1.0)

AWS Directory Service API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Directory Service API operation, the actions for which you must grant permission so that the operation can be performed, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action element and the resource value in the policy's Resource element. Where an operation lists actions from other services (ec2:, sns:, organizations:), the policy must allow those as well; allowing only the ds: action is not sufficient, and the operation fails if any listed action is refused. Every operation in this table lists * as its resource, so specify "*" in the Resource element for these actions.

Note

Some AWS applications may require use of non-public AWS Directory Service APIs such as ds:AuthorizeApplication, ds:CheckAlias, ds:CreateIdentityPoolDirectory, and ds:UnauthorizeApplication in their policies.

You can use AWS-wide condition keys in your AWS Directory Service policies to express conditions. For a complete list of AWS-wide keys, see Available Global Condition Keys in the IAM User Guide.

Note

To specify an action, use the ds: prefix followed by the API operation name (for example, ds:CreateDirectory).
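The following script is an added example and is not part of the AWS guide. It builds an identity-based policy for a chosen set of operations using the rows of the table below (REQUIRED is a hand-transcribed subset of that table), optionally attaches a global condition key, and then checks an existing policy for coverage: which required actions an operation still lacks, so that a policy granting only ds:* or one scoped to a directory ARN is caught before the call fails. The Sid, the sample ARN, and the checker's simplifications (Condition elements are not evaluated; any Deny naming the action counts regardless of its Resource) are assumptions made for illustration.

```python
"""Least-privilege policy builder and static coverage checker for Directory Service."""
import json
import re

# Hand-transcribed subset of the page's table: API operation -> required actions, in table order.
REQUIRED = {
    "CreateMicrosoftAD": [
        "ds:CreateMicrosoftAD",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:CreateSecurityGroup",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress",
    ],
    "DeleteDirectory": [
        "ds:DeleteDirectory",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
    ],
    "DescribeDirectories": ["ds:DescribeDirectories"],
    "RegisterEventTopic": ["ds:RegisterEventTopic", "sns:GetTopicAttributes"],
}


def build_policy(operations, condition=None):
    """Return a policy that allows exactly the actions the table requires for
    `operations`. Resource is "*" because every row of the table lists *.
    `condition` is an optional IAM Condition block, e.g. on a global key such
    as aws:RequestedRegion."""
    actions = sorted({a for op in operations for a in REQUIRED[op]})
    statement = {
        "Sid": "DirectoryServiceLeastPrivilege",  # hypothetical Sid
        "Effect": "Allow",
        "Action": actions,
        "Resource": "*",
    }
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with only '*' and '?' as wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _statement_allows(statement, action):
    """True if an Allow statement names the action with Resource "*".
    A statement scoped to an ARN is ignored: the table lists * for every
    operation, so a narrower Resource does not grant these actions.
    Simplification: Condition elements are not evaluated, so a conditional
    Allow counts as coverage here."""
    return (statement.get("Effect") == "Allow"
            and "*" in _as_list(statement.get("Resource"))
            and any(_action_matches(p, action) for p in _as_list(statement.get("Action"))))


def _statement_denies(statement, action):
    """Explicit Deny overrides Allow. Simplification: any Deny naming the
    action counts, whatever Resource it names."""
    return (statement.get("Effect") == "Deny"
            and any(_action_matches(p, action) for p in _as_list(statement.get("Action"))))


def uncovered(policy, operation):
    """Required actions for `operation` (per the table) that `policy` does not
    allow, in table order. An empty list means no permission listed in the
    table is missing for that operation."""
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in REQUIRED[operation]:
        allowed = any(_statement_allows(s, action) for s in statements)
        denied = any(_statement_denies(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    region_only = {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}  # constructed sample
    print(json.dumps(build_policy(["CreateMicrosoftAD", "DescribeDirectories"], region_only), indent=2))
    # A policy granting only ds:* is not enough for CreateMicrosoftAD: the ec2: actions are missing.
    ds_only = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "ds:*", "Resource": "*"}]}
    print("ds:* alone still lacks:", uncovered(ds_only, "CreateMicrosoftAD"))
```

This is a pre-flight check on a single policy document, not the IAM evaluation engine: it does not see permissions boundaries, SCPs, session policies or Condition results. For the authoritative answer, run `aws iam simulate-principal-policy` against the role or user with the ds: and ec2: actions from the table as `--action-names`.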

AWS Directory Service API and Required Permissions for Actions

Each entry lists the API operation, the permissions (API actions) that a policy must allow for the operation to succeed, and the resource to specify in the Resource element.

AcceptSharedDirectory
    Required permissions: ds:AcceptSharedDirectory
    Resources: *

AddIpRoutes
    Required permissions: ds:AddIpRoutes, ec2:DescribeSecurityGroups,
        ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress
    Resources: *

AddTagsToResource
    Required permissions: ds:AddTagsToResource
    Resources: *

CancelSchemaExtension
    Required permissions: ds:CancelSchemaExtension
    Resources: *

ConnectDirectory
    Required permissions: ds:ConnectDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs,
        ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces,
        ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress
    Resources: *

CreateAlias
    Required permissions: ds:CreateAlias
    Resources: *

CreateComputer
    Required permissions: ds:CreateComputer
    Resources: *

CreateConditionalForwarder
    Required permissions: ds:CreateConditionalForwarder
    Resources: *

CreateDirectory
    Required permissions: ds:CreateDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs,
        ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces,
        ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress
    Resources: *

CreateLogSubscription
    Required permissions: ds:CreateLogSubscription
    Resources: *

CreateMicrosoftAD
    Required permissions: ds:CreateMicrosoftAD, ec2:DescribeSubnets, ec2:DescribeVpcs,
        ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces,
        ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress,
        ec2:RevokeSecurityGroupEgress
    Resources: *

CreateSnapshot
    Required permissions: ds:CreateSnapshot
    Resources: *

CreateTrust
    Required permissions: ds:CreateTrust
    Resources: *

DeleteConditionalForwarder
    Required permissions: ds:DeleteConditionalForwarder
    Resources: *

DeleteDirectory
    Required permissions: ds:DeleteDirectory, ec2:DescribeNetworkInterfaces,
        ec2:DeleteSecurityGroup, ec2:DeleteNetworkInterface,
        ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress
    Resources: *

DeleteLogSubscription
    Required permissions: ds:DeleteLogSubscription
    Resources: *

DeleteSnapshot
    Required permissions: ds:DeleteSnapshot
    Resources: *

DeleteTrust
    Required permissions: ds:DeleteTrust
    Resources: *

DeregisterEventTopic
    Required permissions: ds:DeregisterEventTopic
    Resources: *

DescribeConditionalForwarders
    Required permissions: ds:DescribeConditionalForwarders
    Resources: *

DescribeDirectories
    Required permissions: ds:DescribeDirectories
    Resources: *

DescribeDomainControllers
    Required permissions: ds:DescribeDomainControllers
    Resources: *

DescribeEventTopics
    Required permissions: ds:DescribeEventTopics
    Resources: *

DescribeSharedDirectories
    Required permissions: ds:DescribeSharedDirectories
    Resources: *

DescribeSnapshots
    Required permissions: ds:DescribeSnapshots
    Resources: *

DescribeTrusts
    Required permissions: ds:DescribeTrusts
    Resources: *

DisableRadius
    Required permissions: ds:DisableRadius
    Resources: *

DisableSso
    Required permissions: ds:DisableSso
    Resources: *

EnableRadius
    Required permissions: ds:EnableRadius
    Resources: *

EnableSso
    Required permissions: ds:EnableSso
    Resources: *

GetDirectoryLimits
    Required permissions: ds:GetDirectoryLimits
    Resources: *

GetSnapshotLimits
    Required permissions: ds:GetSnapshotLimits
    Resources: *

ListIpRoutes
    Required permissions: ds:ListIpRoutes
    Resources: *

ListLogSubscriptions
    Required permissions: ds:ListLogSubscriptions
    Resources: *

ListSchemaExtensions
    Required permissions: ds:ListSchemaExtensions
    Resources: *

ListTagsForResource
    Required permissions: ds:ListTagsForResource
    Resources: *

RegisterEventTopic
    Required permissions: ds:RegisterEventTopic, sns:GetTopicAttributes
    Resources: *

RejectSharedDirectory
    Required permissions: ds:RejectSharedDirectory
    Resources: *

RemoveIpRoutes
    Required permissions: ds:RemoveIpRoutes
    Resources: *

RemoveTagsFromResource
    Required permissions: ds:RemoveTagsFromResource
    Resources: *

ResetUserPassword
    Required permissions: ds:ResetUserPassword
    Resources: *

RestoreFromSnapshot
    Required permissions: ds:RestoreFromSnapshot
    Resources: *

ShareDirectory
    Required permissions: ds:ShareDirectory, organizations:DescribeAccount,
        organizations:DescribeOrganization, organizations:ListAWSServiceAccessForOrganization
    Resources: *

StartSchemaExtension
    Required permissions: ds:StartSchemaExtension
    Resources: *

UnshareDirectory
    Required permissions: ds:UnshareDirectory
    Resources: *

UpdateConditionalForwarder
    Required permissions: ds:UpdateConditionalForwarder
    Resources: *

UpdateNumberOfDomainControllers
    Required permissions: ds:UpdateNumberOfDomainControllers, ec2:DescribeSubnets, ec2:DescribeVpcs,
        ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface
    Resources: *

UpdateRadius
    Required permissions: ds:UpdateRadius
    Resources: *

UpdateTrust
    Required permissions: ds:UpdateTrust
    Resources: *

VerifyTrust
    Required permissions: ds:VerifyTrust
    Resources: *