Amazon Directory Service API permissions: actions, resources, and condition keys reference
When you set up access control and write permission policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists:

  • each Amazon Directory Service API operation

  • the corresponding action(s) for which you can grant permission to perform that operation

  • the Amazon resource for which you can grant the permission

You specify the actions in the policy's Action field and the resource value in the policy's Resource field.

Note

Some Amazon applications may require the non-public Amazon Directory Service API operations ds:AuthorizeApplication, ds:CheckAlias, ds:CreateIdentityPoolDirectory and ds:UnauthorizeApplication in their own policies.

You can use Amazon global condition keys to express conditions in your Amazon Directory Service policies. For a complete list of Amazon keys, see Available Global Condition Keys in the IAM User Guide.

Note

To specify an action, use the ds: prefix before the API operation name (for example, ds:CreateDirectory).

Amazon Directory Service API operations and required action permissions

| Amazon Directory Service API operation | Required permissions (API actions) | Resource |
|---|---|---|
| AcceptSharedDirectory | ds:AcceptSharedDirectory | * |
| AddIpRoutes | ds:AddIpRoutes, ec2:DescribeSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress | * |
| AddTagsToResource | ds:AddTagsToResource, ec2:CreateTags | * |
| CancelSchemaExtension | ds:CancelSchemaExtension | * |
| ConnectDirectory | ds:ConnectDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:CreateTags | * |
| CreateAlias | ds:CreateAlias | * |
| CreateComputer | ds:CreateComputer | * |
| CreateConditionalForwarder | ds:CreateConditionalForwarder | * |
| CreateDirectory | ds:CreateDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:CreateTags | * |
| CreateLogSubscription | ds:CreateLogSubscription | * |
| CreateMicrosoftAD | ds:CreateMicrosoftAD, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:RevokeSecurityGroupEgress, ec2:CreateTags | * |
| CreateSnapshot | ds:CreateSnapshot | * |
| CreateTrust | ds:CreateTrust | * |
| DeleteConditionalForwarder | ds:DeleteConditionalForwarder | * |
| DeleteDirectory | ds:DeleteDirectory, ec2:DescribeNetworkInterfaces, ec2:DeleteSecurityGroup, ec2:DeleteNetworkInterface, ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress, ec2:DeleteTags | * |
| DeleteLogSubscription | ds:DeleteLogSubscription | * |
| DeleteSnapshot | ds:DeleteSnapshot | * |
| DeleteTrust | ds:DeleteTrust | * |
| DeregisterEventTopic | ds:DeregisterEventTopic | * |
| DescribeConditionalForwarders | ds:DescribeConditionalForwarders | * |
| DescribeDirectories | ds:DescribeDirectories | * |
| DescribeDomainControllers | ds:DescribeDomainControllers | * |
| DescribeEventTopics | ds:DescribeEventTopics | * |
| DescribeSharedDirectories | ds:DescribeSharedDirectories | * |
| DescribeSnapshots | ds:DescribeSnapshots | * |
| DescribeTrusts | ds:DescribeTrusts | * |
| DisableRadius | ds:DisableRadius | * |
| DisableSso | ds:DisableSso | * |
| EnableRadius | ds:EnableRadius | * |
| EnableSso | ds:EnableSso | * |
| GetDirectoryLimits | ds:GetDirectoryLimits | * |
| GetSnapshotLimits | ds:GetSnapshotLimits | * |
| ListIpRoutes | ds:ListIpRoutes | * |
| ListLogSubscriptions | ds:ListLogSubscriptions | * |
| ListSchemaExtensions | ds:ListSchemaExtensions | * |
| ListTagsForResource | ds:ListTagsForResource | * |
| RegisterEventTopic | ds:RegisterEventTopic, sns:GetTopicAttributes | * |
| RejectSharedDirectory | ds:RejectSharedDirectory | * |
| RemoveIpRoutes | ds:RemoveIpRoutes | * |
| RemoveTagsFromResource | ds:RemoveTagsFromResource, ec2:DeleteTags | * |
| ResetUserPassword | ds:ResetUserPassword | * |
| RestoreFromSnapshot | ds:RestoreFromSnapshot | * |
| ShareDirectory | ds:ShareDirectory, organizations:DescribeAccount, organizations:DescribeOrganization, organizations:ListAWSServiceAccessForOrganization | * |
| StartSchemaExtension | ds:StartSchemaExtension | * |
| UnshareDirectory | ds:UnshareDirectory | * |
| UpdateConditionalForwarder | ds:UpdateConditionalForwarder | * |
| UpdateNumberOfDomainControllers | ds:UpdateNumberOfDomainControllers, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface | * |
| UpdateRadius | ds:UpdateRadius | * |
| UpdateTrust | ds:UpdateTrust | * |
| VerifyTrust | ds:VerifyTrust | * |
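As an added example (not part of this reference page), the identity-based policy below grants exactly the actions the table lists for CreateMicrosoftAD and DeleteDirectory, with the `ds:` prefix and the `*` resource the page requires, and attaches an Amazon global condition key (aws:MultiFactorAuthPresent) to the destructive statement so a directory can only be deleted from an MFA-authenticated session. The Sid values are assumptions chosen for readability.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateManagedAD",
      "Effect": "Allow",
      "Action": [
        "ds:CreateMicrosoftAD",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:CreateSecurityGroup",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeleteDirectoryOnlyWithMfa",
      "Effect": "Allow",
      "Action": [
        "ds:DeleteDirectory",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

Omitting any of the ec2 actions from a statement causes the corresponding ds call to fail on the dependent EC2 step even though the ds action itself is allowed, which is why the table pairs them.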