Actions, resources, and condition keys for AWS Directory Service - Service Authorization Reference

Actions, resources, and condition keys for AWS Directory Service

AWS Directory Service (service prefix: ds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Directory Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptSharedDirectory | Grants permission to accept a directory sharing request that was sent from the directory owner account | Write | directory* | | |
| AddIpRoutes | Grants permission to add a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services | Write | directory* | | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:DescribeSecurityGroups |
| AddRegion | Grants permission to add two domain controllers in the specified Region for the specified directory | Write | directory* | | |
| AddTagsToResource | Grants permission to add or overwrite one or more tags for the specified Amazon Directory Services directory | Tagging | directory* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:CreateTags |
| AuthorizeApplication [permission only] | Grants permission to authorize an application for your AWS Directory | Write | directory* | | |
| CancelSchemaExtension | Grants permission to cancel an in-progress schema extension to a Microsoft AD directory | Write | directory* | | |
| CheckAlias [permission only] | Grants permission to verify that the alias is available for use | Read | | | |
| ConnectDirectory | Grants permission to create an AD Connector to connect to an on-premises directory | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateNetworkInterface, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| CreateAlias | Grants permission to create an alias for a directory and assign the alias to the directory | Write | directory* | | |
| CreateComputer | Grants permission to create a computer account in the specified directory and join the computer to the directory | Write | directory* | | |
| CreateConditionalForwarder | Grants permission to create a conditional forwarder associated with your AWS directory | Write | directory* | | |
| CreateDirectory | Grants permission to create a Simple AD directory | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateNetworkInterface, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| CreateIdentityPoolDirectory [permission only] | Grants permission to create an IdentityPool Directory in the AWS cloud | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateLogSubscription | Grants permission to create a subscription to forward real-time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account | Write | directory* | | |
| CreateMicrosoftAD | Grants permission to create a Microsoft AD in the AWS cloud | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateNetworkInterface, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets, ec2:DescribeVpcs |
| CreateSnapshot | Grants permission to create a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud | Write | directory* | | |
| CreateTrust | Grants permission to initiate the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain | Write | directory* | | |
| DeleteConditionalForwarder | Grants permission to delete a conditional forwarder that has been set up for your AWS directory | Write | directory* | | |
| DeleteDirectory | Grants permission to delete an AWS Directory Service directory | Write | directory* | | ec2:DeleteNetworkInterface, ec2:DeleteSecurityGroup, ec2:DescribeNetworkInterfaces, ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress |
| DeleteLogSubscription | Grants permission to delete the specified log subscription | Write | directory* | | |
| DeleteSnapshot | Grants permission to delete a directory snapshot | Write | directory* | | |
| DeleteTrust | Grants permission to delete an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain | Write | directory* | | |
| DeregisterCertificate | Grants permission to delete from the system the certificate that was registered for a secured LDAP connection | Write | directory* | | |
| DeregisterEventTopic | Grants permission to remove the specified directory as a publisher to the specified SNS topic | Write | directory* | | |
| DescribeCertificate | Grants permission to display information about the certificate registered for a secured LDAP connection | Read | directory* | | |
| DescribeClientAuthenticationSettings | Grants permission to retrieve information about the type of client authentication for the specified directory, if the type is specified. If no type is specified, information about all client authentication types that are supported for the specified directory is retrieved. Currently, only SmartCard is supported | Read | directory* | | |
| DescribeConditionalForwarders | Grants permission to obtain information about the conditional forwarders for this account | Read | directory* | | |
| DescribeDirectories | Grants permission to obtain information about the directories that belong to this account | List | | | |
| DescribeDomainControllers | Grants permission to provide information about any domain controllers in your directory | Read | directory* | | |
| DescribeEventTopics | Grants permission to obtain information about which SNS topics receive status messages from the specified directory | Read | directory* | | |
| DescribeLDAPSSettings | Grants permission to describe the status of LDAP security for the specified directory | Read | directory* | | |
| DescribeRegions | Grants permission to provide information about the Regions that are configured for multi-Region replication | Read | directory* | | |
| DescribeSharedDirectories | Grants permission to return the shared directories in your account | Read | directory* | | |
| DescribeSnapshots | Grants permission to obtain information about the directory snapshots that belong to this account | Read | | | |
| DescribeTrusts | Grants permission to obtain information about the trust relationships for this account | Read | | | |
| DisableClientAuthentication | Grants permission to disable alternative client authentication methods for the specified directory | Write | directory* | | |
| DisableLDAPS | Grants permission to deactivate LDAP secure calls for the specified directory | Write | directory* | | |
| DisableRadius | Grants permission to disable multi-factor authentication (MFA) with the Remote Authentication Dial-In User Service (RADIUS) server for an AD Connector directory | Write | directory* | | |
| DisableSso | Grants permission to disable single sign-on for a directory | Write | directory* | | |
| EnableClientAuthentication | Grants permission to enable alternative client authentication methods for the specified directory | Write | directory* | | |
| EnableLDAPS | Grants permission to activate the switch for the specific directory to always use LDAP secure calls | Write | directory* | | |
| EnableRadius | Grants permission to enable multi-factor authentication (MFA) with the Remote Authentication Dial-In User Service (RADIUS) server for an AD Connector directory | Write | directory* | | |
| EnableSso | Grants permission to enable single sign-on for a directory | Write | directory* | | |
| GetAuthorizedApplicationDetails [permission only] | Grants permission to retrieve the details of the authorized applications on a directory | Read | directory* | | |
| GetDirectoryLimits | Grants permission to obtain directory limit information for the current Region | Read | | | |
| GetSnapshotLimits | Grants permission to obtain the manual snapshot limits for a directory | Read | directory* | | |
| ListAuthorizedApplications [permission only] | Grants permission to obtain the AWS applications authorized for a directory | Read | directory* | | |
| ListCertificates | Grants permission to list all the certificates registered for a secured LDAP connection, for the specified directory | List | directory* | | |
| ListIpRoutes | Grants permission to list the address blocks that you have added to a directory | Read | directory* | | |
| ListLogSubscriptions | Grants permission to list the active log subscriptions for the AWS account | Read | | | |
| ListSchemaExtensions | Grants permission to list all schema extensions applied to a Microsoft AD Directory | List | directory* | | |
| ListTagsForResource | Grants permission to list all tags on an Amazon Directory Services directory | Read | directory* | | |
| RegisterCertificate | Grants permission to register a certificate for a secured LDAP connection | Write | directory* | | |
| RegisterEventTopic | Grants permission to associate a directory with an SNS topic | Write | directory* | | sns:GetTopicAttributes |
| RejectSharedDirectory | Grants permission to reject a directory sharing request that was sent from the directory owner account | Write | directory* | | |
| RemoveIpRoutes | Grants permission to remove IP address blocks from a directory | Write | directory* | | |
| RemoveRegion | Grants permission to stop all replication and remove the domain controllers from the specified Region. You cannot remove the primary Region with this operation | Write | directory* | | |
| RemoveTagsFromResource | Grants permission to remove tags from an Amazon Directory Services directory | Tagging | directory* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:DeleteTags |
| ResetUserPassword | Grants permission to reset the password for any user in your AWS Managed Microsoft AD or Simple AD directory | Write | directory* | | |
| RestoreFromSnapshot | Grants permission to restore a directory using an existing directory snapshot | Write | directory* | | |
| ShareDirectory | Grants permission to share a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region | Write | directory* | | |
| StartSchemaExtension | Grants permission to apply a schema extension to a Microsoft AD directory | Write | directory* | | |
| UnauthorizeApplication [permission only] | Grants permission to unauthorize an application from your AWS Directory | Write | directory* | | |
| UnshareDirectory | Grants permission to stop the directory sharing between the directory owner and consumer accounts | Write | directory* | | |
| UpdateConditionalForwarder | Grants permission to update a conditional forwarder that has been set up for your AWS directory | Write | directory* | | |
| UpdateNumberOfDomainControllers | Grants permission to add or remove domain controllers to or from the directory. Based on the difference between the current value and the new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request | Write | directory* | | |
| UpdateRadius | Grants permission to update the Remote Authentication Dial-In User Service (RADIUS) server information for an AD Connector directory | Write | directory* | | |
| UpdateTrust | Grants permission to update the trust that has been set up between your AWS Managed Microsoft AD directory and an on-premises Active Directory | Write | directory* | | |
| VerifyTrust | Grants permission to verify a trust relationship between your Microsoft AD in the AWS cloud and an external domain | Read | directory* | | |

Resource types defined by AWS Directory Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| directory | arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId} | aws:ResourceTag/${TagKey} |
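
As an added example (not part of the Service Authorization Reference), the following Python lints an IAM policy document against a subset of the rows in the Actions table above and the directory ARN shape: it flags a Resource that is not "*" for an action with no resource type, a Resource that is not a directory ARN for an action that requires directory*, and dependent actions the policy grants nowhere. The sample policy, the account number and the directory ID d-EXAMPLE0000 are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Subset of this page's Actions table: action -> (required resource type, dependent actions).
DS_ACTIONS: Dict[str, Tuple[Optional[str], Tuple[str, ...]]] = {
    "AcceptSharedDirectory": ("directory", ()),
    "AddIpRoutes": ("directory", ("ec2:AuthorizeSecurityGroupEgress",
                                  "ec2:AuthorizeSecurityGroupIngress", "ec2:DescribeSecurityGroups")),
    "AddTagsToResource": ("directory", ("ec2:CreateTags",)),
    "RegisterEventTopic": ("directory", ("sns:GetTopicAttributes",)),
    "DescribeDirectories": (None, ()),  # no Resource types entry: Resource must be "*"
    "GetDirectoryLimits": (None, ()),
}
# Shape of the page's directory ARN: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
DIRECTORY_ARN = re.compile(r"^arn:[^:]+:ds:[^:]*:[^:]*:directory/[^:/]+$")


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: dict) -> List[str]:
    """Findings for Allow statements whose Resource breaks the table's rules for a ds action,
    plus dependent actions the policy grants nowhere (wildcard actions such as ds:* are skipped)."""
    findings: List[str] = []
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    granted = {a for s in allows for a in _as_list(s.get("Action"))}
    for stmt in allows:
        for action in _as_list(stmt.get("Action")):
            if not action.startswith("ds:") or action[3:] not in DS_ACTIONS:
                continue
            required, deps = DS_ACTIONS[action[3:]]
            for res in _as_list(stmt.get("Resource")):
                if res == "*":
                    continue  # "*" is always acceptable
                if required is None:
                    findings.append(f'{action}: no resource-level support, Resource must be "*" (got {res})')
                elif not DIRECTORY_ARN.match(res):
                    findings.append(f"{action}: Resource must be a directory ARN (got {res})")
            findings.extend(f"{action}: dependent action {d} is not granted by this policy"
                            for d in deps if d not in granted)
    return findings


# Constructed sample policy (not from the page); 111122223333 and d-EXAMPLE0000 are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ds:AddIpRoutes", "ds:DescribeDirectories"],
     "Resource": "arn:aws:ds:us-east-1:111122223333:directory/d-EXAMPLE0000"},
    {"Effect": "Allow", "Action": ["ds:AddTagsToResource", "ec2:CreateTags"], "Resource": "*"},
]}
```

Running lint_policy(SAMPLE_POLICY) yields four findings: the three ec2 dependent actions AddIpRoutes needs but the policy never grants, and the directory-scoped Resource on DescribeDirectories, which has no resource type in the table.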

Condition keys for AWS Directory Service

AWS Directory Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the value of the request to AWS DS | String |
| aws:ResourceTag/${TagKey} | Filters access by the AWS DS Resource being acted upon | String |
| aws:TagKeys | Filters access based on the tag keys that are passed in the request | ArrayOfString |