Using identity-based policies (IAM policies) for Amazon Directory Service - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using identity-based policies (IAM policies) for Amazon Directory Service

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon Directory Service resources. For more information, see Overview of managing access permissions to your Amazon Directory Service resources.

The sections in this topic cover the following:

  • Permissions required to use the Amazon Directory Service console

  • Amazon managed (predefined) policies for Amazon Directory Service

  • Customer managed policy examples

  • Using tags with IAM policies

The following shows an example of a permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDsEc2IamGetRole",
      "Effect": "Allow",
      "Action": [
        "ds:CreateDirectory",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:CreateSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WarningAllowsCreatingRolesWithDirSvcPrefix",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::111122223333:role/DirSvc*"
    },
    {
      "Sid": "AllowPassRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cloudwatch.amazonaws.com"
        }
      }
    }
  ]
}

The policy includes the following:

  • The first statement (AllowDsEc2IamGetRole) grants permission to create an Amazon Directory Service directory, together with the Amazon EC2 actions that Amazon Directory Service needs to create, configure, and tear down the directory's network interfaces and security groups, and iam:GetRole so that it can read an existing role. Amazon Directory Service doesn't support resource-level permissions for ds:CreateDirectory, so the statement specifies a wildcard character (*) as the Resource value. That wildcard also applies to the EC2 and IAM actions in the same statement; to narrow them, move them into their own statements with specific resource ARNs. For more information, see Amazon EC2 Actions and IAM Actions.

  • The second statement (WarningAllowsCreatingRolesWithDirSvcPrefix) grants iam:CreateRole and iam:PutRolePolicy so that Amazon Directory Service can create and configure IAM roles on your behalf. The wildcard character (*) at the end of the Resource value limits these actions to roles whose names begin with DirSvc, not to any role in the account. To limit the permission to a single role, replace the wildcard character (*) in the resource ARN with the role name. Note that iam:PutRolePolicy lets the caller attach any inline policy to a DirSvc* role, so the name prefix by itself does not bound what those roles can do; adding an iam:PermissionsBoundary condition to this statement does.

  • The third statement (AllowPassRole) grants iam:PassRole on any role, but only when the role is passed to CloudWatch (the iam:PassedToService condition). Without that condition, a user with this policy could pass any role in the account to any service. To limit the permission further, replace the wildcard character (*) in the Resource value with the ARN of the role to be passed.

The policy doesn't specify the Principal element because in an identity-based policy you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permissions policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the Amazon Directory Service API actions and the resources that they apply to, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.
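Added here as a worked example, not part of the Amazon Directory Service documentation or AWS tooling: a small review script that loads the example policy above and flags the least-privilege points a reviewer raises first (service-wide wildcard actions, iam:PassRole without an iam:PassedToService condition or on every role, and role creation or policy changes without an iam:PermissionsBoundary condition). The hardened variant, the DirSvcBoundary policy name, and the abridged EC2 action list are assumptions made for this example.

```python
"""Least-privilege review of a Directory Service identity-based policy.

Added example, not AWS tooling. It walks the Allow statements of a policy
document and flags the points a reviewer checks first: service-wide
wildcard actions, iam:PassRole without an iam:PassedToService condition
or on every role, and role creation or policy changes without an
iam:PermissionsBoundary condition.
"""

# Constructed copy of the example policy above (EC2 action list abridged;
# the account ID 111122223333 is fictitious, as on the page).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDsEc2IamGetRole", "Effect": "Allow",
         "Action": ["ds:CreateDirectory", "ec2:CreateSecurityGroup",
                    "ec2:AuthorizeSecurityGroupIngress", "ec2:DescribeSubnets",
                    "iam:GetRole"],
         "Resource": "*"},
        {"Sid": "WarningAllowsCreatingRolesWithDirSvcPrefix", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::111122223333:role/DirSvc*"},
        {"Sid": "AllowPassRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {
             "iam:PassedToService": "cloudwatch.amazonaws.com"}}},
    ],
}

# Constructed hardened variant: DirSvc* roles may only be created or edited
# with an assumed boundary policy attached (DirSvcBoundary is a name chosen
# for this example), and only DirSvc* roles may be passed to CloudWatch.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        PAGE_POLICY["Statement"][0],
        {"Sid": "CreateDirSvcRolesWithinBoundary", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePolicy"],
         "Resource": "arn:aws:iam::111122223333:role/DirSvc*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary":
             "arn:aws:iam::111122223333:policy/DirSvcBoundary"}}},
        {"Sid": "PassDirSvcRolesToCloudWatch", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/DirSvc*",
         "Condition": {"StringEquals": {
             "iam:PassedToService": "cloudwatch.amazonaws.com"}}},
    ],
}

ROLE_POLICY_ACTIONS = {"iam:createrole", "iam:putrolepolicy", "iam:attachrolepolicy"}


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _condition_keys(statement):
    """Condition keys used in the statement, lower-cased (IAM compares
    condition key names case-insensitively)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def review_policy(policy):
    """Return (Sid, finding) pairs for the Allow statements of a policy."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        any_resource = "*" in _as_list(stmt.get("Resource"))
        cond_keys = _condition_keys(stmt)

        for action in sorted(a for a in actions if a == "*" or a.endswith(":*")):
            findings.append((sid, f"service-wide action {action}"))
        if "iam:passrole" in actions:
            if "iam:passedtoservice" not in cond_keys:
                findings.append((sid, "iam:PassRole without iam:PassedToService"))
            if any_resource:
                findings.append((sid, "iam:PassRole on every role (Resource *)"))
        # CreateRole plus any way to attach policy lets the caller mint a role
        # with arbitrary permissions; a permissions boundary caps that.
        if (actions & ROLE_POLICY_ACTIONS) and "iam:permissionsboundary" not in cond_keys:
            findings.append((sid, "role creation/policy change without iam:PermissionsBoundary"))
    return findings


if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_policy(policy))
```

Run against the page's policy the script reports two findings (the DirSvc* role statement and the unscoped PassRole resource) and none against the hardened variant. The boundary policy referenced by iam:PermissionsBoundary has to exist in the account and must itself grant no more than the DirSvc roles need; the script only checks that the condition is present.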

Permissions required to use the Amazon Directory Service console

For a user to work with the Amazon Directory Service console, that user must have the permissions listed in the preceding policy or the permissions granted by the AWSDirectoryServiceFullAccess or AWSDirectoryServiceReadOnlyAccess managed policy, described in Amazon managed (predefined) policies for Amazon Directory Service.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy.

Amazon managed (predefined) policies for Amazon Directory Service

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see Amazon managed policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to Amazon Directory Service:

  • AWSDirectoryServiceReadOnlyAccess – Grants a user or group read-only access to all Amazon Directory Service resources, EC2 subnets, EC2 network interfaces, and Amazon Simple Notification Service (Amazon SNS) topics and subscriptions in the account. For more information, see Using Amazon managed policies with Amazon Directory Service.

  • AWSDirectoryServiceFullAccess – Grants a user or group the following:

    • Full access to Amazon Directory Service

    • Access to key Amazon EC2 services required to use Amazon Directory Service

    • Ability to list Amazon SNS topics

    • Ability to create, manage, and delete Amazon SNS topics with a name beginning with “DirectoryMonitoring”

    For more information, see Using Amazon managed policies with Amazon Directory Service.

In addition, there are other Amazon managed policies that are suitable for use with other IAM roles. These policies are assigned to the roles that are associated with users in your Amazon Directory Service directory. These policies are required for those users to have access to other Amazon resources, such as Amazon EC2. For more information, see Grant users and groups access to Amazon resources.

You can also create custom IAM policies that allow users to access the required API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

Customer managed policy examples

In this section, you can find example user policies that grant permissions for various Amazon Directory Service actions.

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

Example 1: Allow a user to perform any Describe action on any Amazon Directory Service resource

The following permissions policy grants permissions to a user to run all of the actions that begin with Describe. These actions show information about an Amazon Directory Service resource, such as a directory or snapshot. Note that the wildcard character (*) in the Resource element indicates that the actions are allowed for all Amazon Directory Service resources owned by the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ds:Describe*",
      "Resource": "*"
    }
  ]
}

Example 2: Allow a user to create a directory

The following permissions policy allows a user to create a directory and all other related resources, such as snapshots and trusts (every ds action whose name begins with Create). Permissions for certain Amazon EC2 actions are also required, because Amazon Directory Service creates network interfaces and security groups in your VPC for the directory.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:Create*",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*"
    }
  ]
}

Using tags with IAM policies

You can apply tag-based resource-level permissions in the IAM policies you use for most Amazon Directory Service API actions. This gives you better control over what resources a user can create, modify, or use. You use the Condition element (also called the Condition block) with the following condition context keys and values in an IAM policy to control user access (permissions) based on a resource's tags:

  • Use aws:ResourceTag/tag-key: tag-value to allow or deny user actions on resources that already carry a specific tag.

  • Use aws:RequestTag/tag-key: tag-value to require that a specific tag be used (or not used) in an API request that creates or modifies a resource that allows tags.

  • Use aws:TagKeys: [tag-key, ...] to require that a specific set of tag keys be used (or not used) in an API request that creates or modifies a resource that allows tags.

Note

The condition context keys and values in an IAM policy apply only to those Amazon Directory Service actions where an identifier for a resource capable of being tagged is a required parameter.

Controlling access using tags in the IAM User Guide has additional information on using tags. The IAM JSON policy reference section of that guide has detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of JSON policies in IAM.

The following tag policy example allows all ds calls on a resource as long as that resource carries the tag key-value pair "fooKey":"fooValue". Two caveats apply. First, as the note above says, aws:ResourceTag is only present in the request context of actions that take the identifier of a taggable resource; for any other ds action the key is absent, StringEquals evaluates to false, and the first statement doesn't match, so those calls must be allowed by a separate statement without the tag condition. Second, the policy's ec2:* statement grants every EC2 action on every resource, which is far broader than the EC2 actions listed in the earlier examples; scope it to those actions in a production policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ds:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/fooKey": "fooValue"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}
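Added as a worked example, not code from the Amazon Directory Service documentation or from AWS: a small model of how IAM evaluates the tag condition keys listed above (StringEquals, its IfExists variant, and the ForAllValues/ForAnyValue set operators), run over a copy of the ResourceTag policy above, the Describe* policy from Example 1, and a constructed tag-on-create policy. It shows the caveat in the note above in action: an Allow gated on aws:ResourceTag never matches a call whose request context carries no taggable resource, so ds:* with that condition still denies Describe calls until a separate statement allows them. The tag-on-create policy assumes ds:CreateDirectory accepts request tags; the Owner and CostCenter tag keys, the dirteam and secops values, the Region, account ID and directory ID are all made up for this example.

```python
"""Model of IAM tag-condition evaluation for the policies above.

Added example, not AWS code. Only the StringEquals family is modelled, and
context keys are compared as exact strings. Decision semantics follow the
IAM policy evaluation logic: explicit Deny wins, then any matching Allow,
otherwise an implicit deny.
"""
import re


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: * matches any run of characters, ? exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(operator, key, policy_values, context):
    """Evaluate one condition key against the request context."""
    set_op, base = operator.split(":", 1) if ":" in operator else (None, operator)
    if_exists = base.endswith("IfExists")
    base = base[:-len("IfExists")] if if_exists else base
    if base != "StringEquals":
        raise NotImplementedError(operator)
    present = _as_list(context.get(key))
    if not present:  # key absent from the request context
        # ForAllValues is vacuously true over an empty set; IfExists passes;
        # a plain single-valued operator fails.
        return set_op == "ForAllValues" or if_exists
    if set_op == "ForAllValues":
        return all(v in policy_values for v in present)
    if set_op == "ForAnyValue":
        return any(v in policy_values for v in present)
    return present[0] in policy_values


def _statement_matches(stmt, action, resource, context):
    if not any(_glob(p, action, ignore_case=True) for p in _as_list(stmt.get("Action"))):
        return False
    if not any(_glob(p, resource) for p in _as_list(stmt.get("Resource"))):
        return False
    return all(_condition_holds(op, key, _as_list(values), context)
               for op, block in stmt.get("Condition", {}).items()
               for key, values in block.items())


def evaluate(policies, action, resource, context):
    """Explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


# The page's tag policy, minus its unrelated ec2:* statement.
RESOURCE_TAG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ds:*"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/fooKey": "fooValue"}}}]}

# Example 1 from this page: Describe calls need a statement with no tag condition.
DESCRIBE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ds:Describe*", "Resource": "*"}]}

# Constructed tag-on-create policy (assumes CreateDirectory accepts request
# tags): the new directory must be tagged Owner=dirteam or secops, and may
# carry no tag keys other than Owner and CostCenter.
TAG_ON_CREATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ds:CreateDirectory", "Resource": "*",
     "Condition": {
         "StringEquals": {"aws:RequestTag/Owner": ["dirteam", "secops"]},
         "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]}}}]}

DIRECTORY = "arn:aws:ds:us-west-2:123456789012:directory/d-1234567890"  # fictitious


def decisions():
    """Decisions for constructed requests, keyed by scenario name."""
    tagged = {"aws:ResourceTag/fooKey": "fooValue"}
    return {
        "delete tagged directory": evaluate([RESOURCE_TAG_POLICY], "ds:DeleteDirectory", DIRECTORY, tagged),
        "delete untagged directory": evaluate([RESOURCE_TAG_POLICY], "ds:DeleteDirectory", DIRECTORY, {}),
        # DescribeDirectories takes no taggable resource: aws:ResourceTag is never in its context.
        "describe, tag policy only": evaluate([RESOURCE_TAG_POLICY], "ds:DescribeDirectories", "*", {}),
        "describe, with Example 1": evaluate([RESOURCE_TAG_POLICY, DESCRIBE_POLICY], "ds:DescribeDirectories", "*", {}),
        "create, Owner only": evaluate([TAG_ON_CREATE_POLICY], "ds:CreateDirectory", "*",
                                       {"aws:RequestTag/Owner": "dirteam", "aws:TagKeys": ["Owner"]}),
        "create, extra tag key": evaluate([TAG_ON_CREATE_POLICY], "ds:CreateDirectory", "*",
                                          {"aws:RequestTag/Owner": "dirteam", "aws:RequestTag/Env": "prod",
                                           "aws:TagKeys": ["Owner", "Env"]}),
        "create, untagged": evaluate([TAG_ON_CREATE_POLICY], "ds:CreateDirectory", "*", {}),
    }


if __name__ == "__main__":
    for scenario, decision in decisions().items():
        print(f"{scenario:28} -> {decision}")
```

The ForAllValues branch is the one to watch when writing tag-on-create rules: on a request that sends no tags at all it evaluates to true, so aws:TagKeys alone never forces a tag to be present; pair it with an aws:RequestTag/key condition, as the constructed policy does, to require the tag and restrict the allowed keys at the same time.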

The following identity-based policy example allows all ds calls on a single directory by naming that directory's ARN (fictitious directory ID d-1234567890) in the Resource element instead of using a tag condition. The ec2:* statement is as broad here as in the previous example and should be scoped the same way.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ds:*"
      ],
      "Resource": "arn:aws:ds:us-east-1:123456789012:directory/d-1234567890"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}

For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Service Namespaces.

The following Amazon Directory Service API operations support tag-based resource-level permissions: