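AWS Directory Service
Administration Guide (Version 1.0)
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.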

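AWS Directory Service API Permissions: Actions, Resources, and Conditions Reference

When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Directory Service API operation, the corresponding actions for which you can grant permissions to perform the operation, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

Note

Some AWS applications may require the use of nonpublic AWS Directory Service APIs in their policies (such as ds:AuthorizeApplication, ds:CheckAlias, ds:CreateIdentityPoolDirectory, and ds:UnauthorizeApplication).

You can use AWS-wide condition keys in your AWS Directory Service policies to express conditions. For a complete list of AWS-wide keys, see Available Global Condition Keys in the IAM User Guide.

Note

To specify an action, use the ds: prefix followed by the API operation name (for example, ds:CreateDirectory).

AWS Directory Service API and Required Permissions for Actions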

| AWS Directory Service API operation | Required permissions (API actions) | Resources |
|---|---|---|
| AcceptSharedDirectory | ds:AcceptSharedDirectory | * |
| AddIpRoutes | ds:AddIpRoutes, ec2:DescribeSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress | * |
| AddTagsToResource | ds:AddTagsToResource, ec2:CreateTags | * |
| CancelSchemaExtension | ds:CancelSchemaExtension | * |
| ConnectDirectory | ds:ConnectDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:CreateTags | * |
| CreateAlias | ds:CreateAlias | * |
| CreateComputer | ds:CreateComputer | * |
| CreateConditionalForwarder | ds:CreateConditionalForwarder | * |
| CreateDirectory | ds:CreateDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:CreateTags | * |
| CreateLogSubscription | ds:CreateLogSubscription | * |
| CreateMicrosoftAD | ds:CreateMicrosoftAD, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:RevokeSecurityGroupEgress, ec2:CreateTags | * |
| CreateSnapshot | ds:CreateSnapshot | * |
| CreateTrust | ds:CreateTrust | * |
| DeleteConditionalForwarder | ds:DeleteConditionalForwarder | * |
| DeleteDirectory | ds:DeleteDirectory, ec2:DescribeNetworkInterfaces, ec2:DeleteSecurityGroup, ec2:DeleteNetworkInterface, ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress, ec2:DeleteTags | * |
| DeleteLogSubscription | ds:DeleteLogSubscription | * |
| DeleteSnapshot | ds:DeleteSnapshot | * |
| DeleteTrust | ds:DeleteTrust | * |
| DeregisterEventTopic | ds:DeregisterEventTopic | * |
| DescribeConditionalForwarders | ds:DescribeConditionalForwarders | * |
| DescribeDirectories | ds:DescribeDirectories | * |
| DescribeDomainControllers | ds:DescribeDomainControllers | * |
| DescribeEventTopics | ds:DescribeEventTopics | * |
| DescribeSharedDirectories | ds:DescribeSharedDirectories | * |
| DescribeSnapshots | ds:DescribeSnapshots | * |
| DescribeTrusts | ds:DescribeTrusts | * |
| DisableRadius | ds:DisableRadius | * |
| DisableSso | ds:DisableSso | * |
| EnableRadius | ds:EnableRadius | * |
| EnableSso | ds:EnableSso | * |
| GetDirectoryLimits | ds:GetDirectoryLimits | * |
| GetSnapshotLimits | ds:GetSnapshotLimits | * |
| ListIpRoutes | ds:ListIpRoutes | * |
| ListLogSubscriptions | ds:ListLogSubscriptions | * |
| ListSchemaExtensions | ds:ListSchemaExtensions | * |
| ListTagsForResource | ds:ListTagsForResource | * |
| RegisterEventTopic | ds:RegisterEventTopic, sns:GetTopicAttributes | * |
| RejectSharedDirectory | ds:RejectSharedDirectory | * |
| RemoveIpRoutes | ds:RemoveIpRoutes | * |
| RemoveTagsFromResource | ds:RemoveTagsFromResource, ec2:DeleteTags | * |
| ResetUserPassword | ds:ResetUserPassword | * |
| RestoreFromSnapshot | ds:RestoreFromSnapshot | * |
| ShareDirectory | ds:ShareDirectory, organizations:DescribeAccount, organizations:DescribeOrganization, organizations:ListAWSServiceAccessForOrganization | * |
| StartSchemaExtension | ds:StartSchemaExtension | * |
| UnshareDirectory | ds:UnshareDirectory | * |
| UpdateConditionalForwarder | ds:UpdateConditionalForwarder | * |
| UpdateNumberOfDomainControllers | ds:UpdateNumberOfDomainControllers, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface | * |
| UpdateRadius | ds:UpdateRadius | * |
| UpdateTrust | ds:UpdateTrust | * |
| VerifyTrust | ds:VerifyTrust | * |
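
Several rows in the table need EC2, SNS, or Organizations actions in addition to the ds: action, so a policy that grants only ds:* does not cover those operations. The following check is an added example, not part of the AWS guide: it reports which actions from a table row an identity-based policy fails to allow. The names `REQUIRED`, `allowed_patterns`, `missing_permissions`, and the sample policy are constructed for illustration, and the check deliberately ignores Deny statements, NotAction, Condition blocks, and permission boundaries.

```python
import fnmatch

# Subset of the table above: operation -> every action the caller must be allowed.
REQUIRED = {
    "CreateDirectory": [
        "ds:CreateDirectory", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
        "ec2:CreateSecurityGroup", "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress", "ec2:CreateTags",
    ],
    "RegisterEventTopic": ["ds:RegisterEventTopic", "sns:GetTopicAttributes"],
    "RemoveTagsFromResource": ["ds:RemoveTagsFromResource", "ec2:DeleteTags"],
    "CreateSnapshot": ["ds:CreateSnapshot"],
}

def allowed_patterns(policy):
    """Collect Action patterns from Allow statements whose Resource includes "*"."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for st in statements:
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") != "Allow" or "*" not in resources:
            continue
        actions = st.get("Action", [])
        patterns += [actions] if isinstance(actions, str) else actions
    return [p.lower() for p in patterns]      # IAM action names are case-insensitive

def missing_permissions(policy, operation):
    """Return the actions from the table row that the policy does not allow."""
    patterns = allowed_patterns(policy)
    return [a for a in REQUIRED[operation]
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

# Constructed sample policy: grants ds:* and the EC2 Describe calls only.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ds:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for op in REQUIRED:
        print(op, "->", missing_permissions(SAMPLE_POLICY, op) or "ok")
```

A non-empty result lists the exact actions to add to the policy's Action field for that operation, which avoids widening the grant to ec2:*.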
