AWS Directory Service
Administration Guide (Version 1.0)

Admin Account

When you create an AWS Directory Service for Microsoft Active Directory directory, AWS creates an organizational unit (OU) to store all AWS related groups and accounts. For more information about this OU, see What Gets Created. This includes the Admin account. The Admin account has permissions to perform the following common administrative activities for your OU:

The Admin account also has rights to perform the following domainwide activities:

  • Manage DNS configurations (add, remove, or update records, zones, and forwarders)

  • View DNS event logs

  • View security event logs

Only the actions listed here are allowed for the Admin account. The Admin account also lacks permissions for any directory-related actions outside of your specific OU, such as on the parent OU.
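The following PowerShell session is an added example (not part of the AWS guide and not AWS-provided code) showing how an administrator signed in as the Admin account can exercise the three domain-wide rights listed above from a domain-joined management instance with the RSAT DnsServer and ActiveDirectory modules, and then confirm that an action outside the delegated OU is refused. The domain controller host name, zone name and distinguished names are assumed placeholders.

```powershell
# Added example (not from the AWS guide): exercise the domain-wide rights granted to
# the Admin account and verify the OU boundary. All names below are assumed placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$DomainController = 'dc1.corp.example.com'     # assumed: one of the directory's DCs
$ZoneName         = 'corp.example.com'          # assumed: the directory's DNS zone
$DomainRootDn     = 'DC=corp,DC=example,DC=com' # assumed: outside the delegated OU

# 1. Manage DNS configuration: add, read back, and remove a test A record.
Add-DnsServerResourceRecordA -ComputerName $DomainController -ZoneName $ZoneName `
    -Name 'app01' -IPv4Address '10.0.1.25'
Get-DnsServerResourceRecord -ComputerName $DomainController -ZoneName $ZoneName -Name 'app01' |
    Select-Object HostName, RecordType, @{n='Data'; e={ $_.RecordData.IPv4Address }}
Remove-DnsServerResourceRecord -ComputerName $DomainController -ZoneName $ZoneName `
    -Name 'app01' -RRType A -Force

# 2. View DNS event logs: the 20 most recent entries from the DNS Server log on the DC.
Get-WinEvent -ComputerName $DomainController -LogName 'DNS Server' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 3. View security event logs: successful logons (event ID 4624) in the last hour.
Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-1)
} -MaxEvents 50 | Select-Object TimeCreated, Id, Message

# 4. Boundary check: creating an OU directly under the domain root lies outside the
#    delegated OU, so the Admin account is expected to be refused.
try {
    New-ADOrganizationalUnit -Name 'ScopeTest' -Path $DomainRootDn -Server $DomainController
    Write-Warning 'Unexpected: OU created at the domain root; review delegated permissions.'
} catch {
    Write-Host "Expected denial outside the delegated OU: $($_.Exception.Message)"
}
```

Step 4 is a useful periodic control: if it ever succeeds, the delegation described on this page no longer matches what the account can do, which is worth investigating before relying on it.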
AWS Domain Administrators have full administrative access to all domains hosted on AWS. See your agreement with AWS and the AWS Data Protection FAQ for more information about how AWS handles content, including directory information, that you store on AWS systems.