Authorization for AWS applications and services using AWS Directory Service

Authorizing an AWS application on an Active Directory

When you authorize an AWS application, AWS Directory Service grants that application the specific permissions it needs to integrate with your Active Directory. AWS applications are granted only the access necessary for their use case. The set of internal permissions granted to applications and application administrators after authorization is listed below:

Note

The ds:AuthorizeApplication permission is required to authorize a new AWS application on an Active Directory. Permission for this action should only be granted to administrators who configure integrations with Directory Service.

  • Read access to Active Directory user, group, organizational unit, computer, or certification authority data in all Organizational Units (OU) of AWS Managed Microsoft AD, Simple AD, AD Connector directories, as well as trusted domains for AWS Managed Microsoft AD if permitted by a trust relationship.

  • Write access to users, groups, group membership, computers, or certification authority data in your organizational unit of AWS Managed Microsoft AD. Write access to all OUs of Simple AD.

  • Authentication and session management of Active Directory users for all directory types.

Certain AWS Managed Microsoft AD applications, such as Amazon RDS and Amazon FSx, integrate through a direct network connection to your Active Directory. In this case, the directory interactions use native Active Directory protocols such as LDAP and Kerberos. The permissions of these AWS applications are controlled by a directory user account created in the AWS Reserved Organizational Unit (OU) during application authorization; this account has DNS management rights and full access to a custom OU created for the application. To use this account, the application requires permission for the ds:GetAuthorizedApplicationDetails action through the caller's credentials or an IAM role.

For more information about AWS Directory Service API permissions, see AWS Directory Service API permissions: Actions, resources, and conditions reference.

For more information about enabling AWS applications and services for AWS Managed Microsoft AD, see Enable access to AWS applications and services. For more information about enabling AWS applications and services for AD Connector, see Enable access to AWS applications and services. For more information about enabling AWS applications and services for Simple AD, see Enable access to AWS applications and services.

Deauthorizing an AWS application on an Active Directory

To remove an AWS application's permissions to access the Active Directory, the ds:UnauthorizeApplication permission is required. Follow the steps provided by the application to disable it.
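As an added example (not from the AWS documentation), a small Python check for the least-privilege point made in the authorization Note above and in this section: it flags Allow statements that grant ds:AuthorizeApplication or ds:UnauthorizeApplication on an unscoped resource instead of a specific directory ARN. The account ID 123456789012, the directory ID d-1234567890 and both policy documents are constructed placeholders.

```python
"""Flag IAM policy statements that grant the directory-application
authorization actions more broadly than a scoped administrator policy.
Account and directory IDs below are constructed placeholders."""
import fnmatch

# Actions the documentation says should be limited to integration administrators.
SENSITIVE_ACTIONS = ("ds:AuthorizeApplication", "ds:UnauthorizeApplication")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_grants(policy):
    """Return (action, resource) pairs where an Allow statement grants a
    sensitive action, directly or through a wildcard such as ds:* or *,
    on a resource that is not pinned to one directory ARN (any '*' in it).
    IAM action names are case-insensitive, so matching is done lower-cased."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for sensitive in SENSITIVE_ACTIONS:
                if not fnmatch.fnmatchcase(sensitive.lower(), pattern.lower()):
                    continue
                for res in _as_list(stmt.get("Resource", [])):
                    if "*" in res:
                        findings.append((sensitive, res))
    return findings


# Scoped administrator policy: the three ds actions, only on one directory.
SCOPED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ds:AuthorizeApplication", "ds:UnauthorizeApplication",
                   "ds:GetAuthorizedApplicationDetails"],
        "Resource": "arn:aws:ds:us-east-1:123456789012:directory/d-1234567890",
    }],
}

# Overbroad policy: ds:* on every resource, which hands non-admins the
# ability to authorize or deauthorize applications on any directory.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ds:*", "Resource": "*"}],
}
```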