AWSDirectoryServiceFullAccess AWSDirectoryServiceReadOnlyAccess AWSDirectoryServiceDataFullAccess AWSDirectoryServiceDataReadOnlyAccess Policy updates

AWS managed policies for AWS Directory Service

The following sections describe the AWS managed policies that are specific to AWS Directory Service. You can attach these policies to users in your account.

For more information, see AWS managed policies in the IAM User Guide.

AWSDirectoryServiceFullAccess

The AWSDirectoryServiceFullAccess policy grants a user or group the following:

Full access to AWS Directory Service
Access to key Amazon EC2 services required to use AWS Directory Service
Ability to list Amazon SNS topics
Ability to create, manage, and delete Amazon SNS topics with a name beginning with “DirectoryMonitoring”

AWSDirectoryServiceReadOnlyAccess

The AWSDirectoryServiceReadOnlyAccess policy grants a user or group read-only access to all AWS Directory Service resources, EC2 subnets, EC2 network interfaces, and Amazon Simple Notification Service (Amazon SNS) topics and subscriptions for the root AWS account. For more information, see Using AWS managed policies with AWS Directory Service.

AWSDirectoryServiceDataFullAccess

The AWSDirectoryServiceDataFullAccess policy grants a user or group full access to built-in object management with Directory Service Data to create, manage, and view AD users, members, and groups. For details, see AWS Directory Service Data API Reference.

Full access to Directory Service Data

AWSDirectoryServiceDataReadOnlyAccess

The AWSDirectoryServiceDataReadOnlyAccess policy grants a user or group access to view and search AD users, members, and groups. For details, see AWS Directory Service Data API Reference.

Ability to list Directory Service Data
Ability to search Directory Service Data
Ability to get descriptions of Directory Service Data

For more information, see Using AWS managed policies with AWS Directory Service.

In addition, there are other AWS managed policies that are suitable for use with other IAM roles. These policies are assigned to the roles that are associated with users in your AWS Directory Service directory. These policies are required for those users to have access to other AWS resources, such as Amazon EC2. For more information, see Granting AWS Managed Microsoft AD users and groups access to AWS resources with IAM roles.

You can also create custom IAM policies that allow users to access the required API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

IAM and AWS Directory Service updates to AWS managed policies

View details about updates to IAM and AWS managed policies since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM and AWS Directory Service Document history pages.

Change	Description	Date
AWSDirectoryServiceDataReadOnlyAccess – New policy	AWS Directory Service added a new policy to allow a user or group access to view and search AD users, members, and groups.	September 17, 2024
AWSDirectoryServiceDataFullAccess – New policy	AWS Directory Service added a new policy to allow a user or group access to built-in object management with Directory Service Data to create, manage, and view AD users, members, and groups.	September 17, 2024
AWS Directory Service started tracking changes	AWS Directory Service started tracking changes for its AWS managed policies.	September 17, 2024

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Overview of managing access

Using identity-based policies (IAM policies)