# Using identity-based policies (IAM policies) for Amazon Directory Service
<a name="IAM_Auth_Access_IdentityBased"></a>

This topic provides examples of identity-based policies that an account administrator can attach to IAM identities (users, groups, and roles). These examples demonstrate IAM policies for Amazon Directory Service. Modify them, or create your own policies, to suit your needs and environment.

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon Directory Service resources. For more information, see [Overview of managing access permissions to your Amazon Directory Service resources](IAM_Auth_Access_Overview.md).

The sections in this topic cover the following:
+ [Permissions required to use the Amazon Directory Service console](#UsingWithDS_IAM_RequiredPermissions_Console)
+ [Amazon managed (predefined) policies for Amazon Directory Service](#IAM_Auth_Access_ManagedPolicies)
+ [Customer managed policy examples](#IAMPolicyExamples_DS)
+ [Using tags with IAM policies](#using_tags_with_iam_policies)

The following shows an example of a permissions policy.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDsEc2IamGetRole",
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WarningAllowsCreatingRolesWithDirSvcPrefix",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws-cn:iam::{{111122223333}}:role/DirSvc*"
        },
        {
            "Sid": "AllowPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws-cn:iam::{{111122223333}}:role/{{Your-Role-Name}}",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "cloudwatch.amazonaws.com"
                }
            }
        }
    ]
}
```

The three statements in the policy grant permissions as follows:
+ The first statement (`AllowDsEc2IamGetRole`) grants permission to create an Amazon Directory Service directory, together with the Amazon EC2 actions the service needs to create, configure, and remove the directory's network interfaces and security groups, and `iam:GetRole` so that the service can read IAM roles. Because Amazon Directory Service doesn't support permissions at the resource level for `ds:CreateDirectory`, the statement specifies a wildcard character (\*) as the `Resource` value. For more information, see [Amazon EC2 Actions](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_Operations.html).
+ The second statement (`WarningAllowsCreatingRolesWithDirSvcPrefix`) grants the IAM actions `iam:CreateRole` and `iam:PutRolePolicy`, so that Amazon Directory Service can create IAM roles on your behalf. The wildcard character (\*) at the end of the `Resource` value means that the statement allows these actions on any IAM role whose name begins with `DirSvc`. To limit this permission to a specific role, replace the wildcard character (\*) in the resource ARN with the rest of the role name. For more information, see [IAM Actions](https://docs.amazonaws.cn/IAM/latest/APIReference/API_Operations.html).
+ The third statement (`AllowPassRole`) grants `iam:PassRole` for a single, named role, and only when that role is passed to CloudWatch (the `iam:PassedToService` condition key must equal `cloudwatch.amazonaws.com`). Replace the role ARN with your role.

 You don't see a `Principal` element in the policy, because in an identity-based policy you don't specify the principal who gets the permission. When you attach the policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the Amazon Directory Service API actions and the resources that they apply to, see [Amazon Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). 

## Permissions required to use the Amazon Directory Service console
<a name="UsingWithDS_IAM_RequiredPermissions_Console"></a>

For a user to work with the Amazon Directory Service console, that user must have the permissions listed in the preceding policy or the permissions granted by the Directory Service Full Access Role or Directory Service Read Only role, described in [Amazon managed (predefined) policies for Amazon Directory Service](#IAM_Auth_Access_ManagedPolicies).

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. 

## Amazon managed (predefined) policies for Amazon Directory Service
<a name="IAM_Auth_Access_ManagedPolicies"></a>

 Amazon addresses many common use cases by providing predefined, or managed, IAM policies that are created and administered by Amazon. Managed policies grant necessary permissions for common use cases, which helps you decide what permissions you need. For more information, see [Amazon managed policies for Amazon Directory Service](security-iam-awsmanpol.md). 

## Customer managed policy examples
<a name="IAMPolicyExamples_DS"></a>

In this section, you can find example user policies that grant permissions for various Amazon Directory Service actions. 

**Note**  
All examples use the US West (Oregon) Region (`us-west-2`) and contain fictitious account IDs.

**Topics**
+ [Example 1: Allow a user to perform any Describe action on any Amazon Directory Service resource](#IAMPolicyExamples_DS_perform_describe_action)
+ [Example 2: Allow a user to create a directory](#IAMPolicyExamples_DS_create_directory)

### Example 1: Allow a user to perform any Describe action on any Amazon Directory Service resource
<a name="IAMPolicyExamples_DS_perform_describe_action"></a>

The following permissions policy grants a user permission to run all of the actions that begin with `Describe` on the Amazon Managed Microsoft AD with the directory ID `d-1234567890` in the Amazon Web Services account `111122223333`. These actions show information about an Amazon Directory Service resource, such as a directory or snapshot. Replace the Amazon Web Services Region and account number with the Region you want to use and your own account number.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ds:Describe*",
            "Resource": "arn:aws-cn:ds:us-west-2:{{111122223333}}:directory/{{d-1234567890}}"
        }
    ]
}
```

### Example 2: Allow a user to create a directory
<a name="IAMPolicyExamples_DS_create_directory"></a>

The following permissions policy allows a user to create a directory and all other related resources, such as snapshots and trusts. To do so, permissions for certain Amazon EC2 actions are also required.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory",
                "ds:DescribeDirectories"
            ],
            "Resource": "arn:aws-cn:ds:*:{{111122223333}}:*"
        }
    ]
}
```

## Using tags with IAM policies
<a name="using_tags_with_iam_policies"></a>

You can apply tag-based resource-level permissions in the IAM policies you use for most Amazon Directory Service API actions. This gives you better control over what resources a user can create, modify, or use. You use the `Condition` element (also called the `Condition` block) with the following condition context keys and values in an IAM policy to control user access (permissions) based on a resource's tags:
+ Use `aws:ResourceTag/tag-key: tag-value` to allow or deny user actions on resources that already carry specific tags.
+ Use `aws:RequestTag/tag-key: tag-value` to require that a specific tag be used (or not used) when making an API request to create or modify a resource that allows tags.
+ Use `aws:TagKeys: [tag-key, ...]` to require that a specific set of tag keys be used (or not used) when making an API request to create or modify a resource that allows tags.

**Note**  
The condition context keys and values in an IAM policy apply only to those Amazon Directory Service actions where an identifier for a resource capable of being tagged is a required parameter. 

[Controlling access using tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide* has additional information on using tags. The [IAM JSON policy reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies.html) section of that guide has detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of JSON policies in IAM.

The following tag policy allows creating an Amazon Directory Service directory only when the request includes all of the following tags:
+ Environment: Production
+ Owner: Infrastructure-Team
+ CostCenter: 12345

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Environment": "Production",
                    "aws:RequestTag/Owner": "Infrastructure-Team",
                    "aws:RequestTag/CostCenter": "12345"
                }
            }
        }
    ]
}
```

The following tag policy allows updating and deleting Amazon Directory Service directories only when the directory being modified already carries all of the following tags:
+ Project: Atlas
+ Department: Engineering
+ Environment: Staging

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:DeleteDirectory",
                "ds:UpdateDirectory"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "Atlas",
                    "aws:ResourceTag/Department": "Engineering",
                    "aws:ResourceTag/Environment": "Staging"
                }
            }
        }
    ]
}
```

The following tag policy denies adding tags to any Amazon Directory Service resource when the request includes any of the following tag keys:
+ Production
+ Security
+ Confidential

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ds:AddTagsToResource"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": ["Production", "Security", "Confidential"]
                }
            }
        }
    ]
}
```

For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Service Namespaces](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html).
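Seeing how the statements in the first policy of this topic and the tag conditions above actually combine is easier with a small evaluator. The following Python is an added example, not AWS code and not part of this guide: it models only the subset of IAM evaluation these policies rely on (wildcard matching in `Action` and `Resource`, `StringEquals` on single-valued keys such as `iam:PassedToService` and `aws:RequestTag/...`, `ForAnyValue:StringEquals` on the multi-valued `aws:TagKeys`, and explicit Deny overriding Allow) and runs it against the first policy in this topic and the tag policies above. The role name `DirSvc-Monitoring`, the directory ARN, the `ConstructedAllowTagging` statement and the request contexts are constructed values, and the `{{...}}` placeholders are filled with the page's fictitious account ID.

```python
"""Minimal evaluator for the identity-based policies on this page (added example, not AWS code).

Modelled: Allow/Deny, "*" and "?" wildcards in Action/Resource, StringEquals on
single-valued context keys, ForAnyValue/ForAllValues:StringEquals on multi-valued
keys, explicit Deny precedence, implicit deny when nothing matches.
Not modelled: NotAction/NotResource, other operators, SCPs, permissions
boundaries, session policies and resource-based policies.
"""
import fnmatch
from typing import Any, Dict, List, Optional

ACCOUNT = "111122223333"  # constructed: the page's fictitious account ID without the {{ }} braces


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _pattern_matches(patterns: Any, target: str, case_insensitive: bool = False) -> bool:
    """True if target matches any IAM pattern; actions match case-insensitively, ARNs exactly."""
    for pattern in _as_list(patterns):
        pat, tgt = (pattern.lower(), target.lower()) if case_insensitive else (pattern, target)
        if fnmatch.fnmatchcase(tgt, pat):
            return True
    return False


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, Any]) -> bool:
    """Every operator block and every key inside it must match (logical AND)."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")  # "ForAnyValue:StringEquals" -> ("ForAnyValue", "StringEquals")
        if base_op != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            expected_values = [str(v) for v in _as_list(expected)]
            actual_values = [str(v) for v in _as_list(context.get(key, []))]
            if set_op == "ForAllValues":   # vacuously true when the key is absent from the request
                ok = all(v in expected_values for v in actual_values)
            elif set_op == "ForAnyValue":  # false when the key is absent from the request
                ok = any(v in expected_values for v in actual_values)
            else:                          # single-valued key: an absent key never matches
                ok = len(actual_values) == 1 and actual_values[0] in expected_values
            if not ok:
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             context: Optional[Dict[str, Any]] = None) -> str:
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _pattern_matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _pattern_matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an applicable Deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# The page's first policy, abridged to one EC2 action, with a constructed role name filled in.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDsEc2IamGetRole", "Effect": "Allow", "Resource": "*",
         "Action": ["ds:CreateDirectory", "ec2:DescribeVpcs", "iam:GetRole"]},
        {"Sid": "WarningAllowsCreatingRolesWithDirSvcPrefix", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePolicy"],
         "Resource": f"arn:aws-cn:iam::{ACCOUNT}:role/DirSvc*"},
        {"Sid": "AllowPassRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws-cn:iam::{ACCOUNT}:role/DirSvc-Monitoring",
         "Condition": {"StringEquals": {"iam:PassedToService": "cloudwatch.amazonaws.com"}}},
    ],
}

# The page's request-tag and tag-key policies merged, plus a constructed broad Allow for
# ds:AddTagsToResource so that the explicit Deny has something to override.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ConstructedAllowTagging", "Effect": "Allow", "Action": "ds:AddTagsToResource", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ds:CreateDirectory"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production",
                                        "aws:RequestTag/Owner": "Infrastructure-Team",
                                        "aws:RequestTag/CostCenter": "12345"}}},
        {"Effect": "Deny", "Action": ["ds:AddTagsToResource"], "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Production", "Security", "Confidential"]}}},
    ],
}

DIRECTORY_ARN = f"arn:aws-cn:ds:us-west-2:{ACCOUNT}:directory/d-1234567890"  # constructed

if __name__ == "__main__":
    print(evaluate(ROLE_POLICY, "iam:CreateRole", f"arn:aws-cn:iam::{ACCOUNT}:role/DirSvc-Test"))  # Allow
    print(evaluate(ROLE_POLICY, "iam:CreateRole", f"arn:aws-cn:iam::{ACCOUNT}:role/Admin"))  # ImplicitDeny
    print(evaluate(TAG_POLICY, "ds:AddTagsToResource", DIRECTORY_ARN, {"aws:TagKeys": ["Owner", "Security"]}))  # Deny
```

The evaluator raises on any operator it does not model rather than guessing, so a policy that uses `StringLike`, `ArnEquals` or `...IfExists` fails loudly instead of returning a misleading verdict. For the real service, the IAM policy simulator (`SimulateCustomPolicy` and `SimulatePrincipalPolicy`) runs the same kind of what-if request against IAM's actual evaluation logic, which is the check to run before attaching a policy to production identities.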

The following Amazon Directory Service API operations support tag-based resource-level permissions:
+ [AcceptSharedDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AcceptSharedDirectory.html)
+ [AddIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AddIpRoutes.html)
+ [AddTagsToResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AddTagsToResource.html)
+ [CancelSchemaExtension](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CancelSchemaExtension.html)
+ [CreateAlias](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateAlias.html)
+ [CreateComputer](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateComputer.html)
+ [CreateConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateConditionalForwarder.html)
+ [CreateSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateSnapshot.html)
+ [CreateLogSubscription](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateLogSubscription.html)
+ [CreateTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateTrust.html)
+ [DeleteConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html)
+ [DeleteDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteDirectory.html)
+ [DeleteLogSubscription](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteLogSubscription.html)
+ [DeleteSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteSnapshot.html)
+ [DeleteTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteTrust.html)
+ [DeregisterEventTopic](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeregisterEventTopic.html)
+ [DescribeConditionalForwarders](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html)
+ [DescribeDomainControllers](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeDomainControllers.html)
+ [DescribeEventTopics](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeEventTopics.html)
+ [DescribeSharedDirectories](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeSharedDirectories.html)
+ [DescribeSnapshots](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeSnapshots.html)
+ [DescribeTrusts](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeTrusts.html)
+ [DisableRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DisableRadius.html)
+ [DisableSso](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DisableSso.html)
+ [EnableRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_EnableRadius.html)
+ [EnableSso](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_EnableSso.html)
+ [GetSnapshotLimits](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_GetSnapshotLimits.html)
+ [ListIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListIpRoutes.html)
+ [ListSchemaExtensions](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListSchemaExtensions.html)
+ [ListTagsForResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListTagsForResource.html)
+ [RegisterEventTopic](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RegisterEventTopic.html)
+ [RejectSharedDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RejectSharedDirectory.html)
+ [RemoveIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RemoveIpRoutes.html)
+ [RemoveTagsFromResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RemoveTagsFromResource.html)
+ [ResetUserPassword](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ResetUserPassword.html)
+ [RestoreFromSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RestoreFromSnapshot.html)
+ [ShareDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ShareDirectory.html)
+ [StartSchemaExtension](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_StartSchemaExtension.html)
+ [UnshareDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UnshareDirectory.html)
+ [UpdateConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html)
+ [UpdateNumberOfDomainControllers](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html)
+ [UpdateRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateRadius.html)
+ [UpdateTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateTrust.html)
+ [VerifyTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_VerifyTrust.html)
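One practical use of this list is auditing policies you already have: every operation on it accepts a `Condition` on resource or request tags, so an `Allow` that grants one of them on `Resource` `"*"` with no tag condition gives up scoping the service supports. The following Python is an added example, not AWS tooling; it embeds the operation list above and checks the page's Example 2 policy (whose `ds:CreateDirectory` and `ds:DescribeDirectories` are not on the list, so the wildcard there is expected), the update/delete tag policy above, and a constructed over-broad policy with the `Sid` `TooBroad`. A finding is a prompt to decide whether a tag condition or a specific directory ARN fits that use case, not an automatic verdict.

```python
"""Flag Allow statements that leave tag-scopable Directory Service operations open
on a wildcard resource (added example, not AWS tooling)."""
import fnmatch
from typing import Any, Dict, List

# Directory Service operations that support tag-based resource-level permissions (list from this page).
TAG_SCOPED_OPERATIONS = {
    "AcceptSharedDirectory", "AddIpRoutes", "AddTagsToResource", "CancelSchemaExtension",
    "CreateAlias", "CreateComputer", "CreateConditionalForwarder", "CreateSnapshot",
    "CreateLogSubscription", "CreateTrust", "DeleteConditionalForwarder", "DeleteDirectory",
    "DeleteLogSubscription", "DeleteSnapshot", "DeleteTrust", "DeregisterEventTopic",
    "DescribeConditionalForwarders", "DescribeDomainControllers", "DescribeEventTopics",
    "DescribeSharedDirectories", "DescribeSnapshots", "DescribeTrusts", "DisableRadius",
    "DisableSso", "EnableRadius", "EnableSso", "GetSnapshotLimits", "ListIpRoutes",
    "ListSchemaExtensions", "ListTagsForResource", "RegisterEventTopic", "RejectSharedDirectory",
    "RemoveIpRoutes", "RemoveTagsFromResource", "ResetUserPassword", "RestoreFromSnapshot",
    "ShareDirectory", "StartSchemaExtension", "UnshareDirectory", "UpdateConditionalForwarder",
    "UpdateNumberOfDomainControllers", "UpdateRadius", "UpdateTrust", "VerifyTrust",
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def covered_operations(action_pattern: str) -> List[str]:
    """Tag-scopable ds operations that an Action entry such as "ds:Delete*" or "*" covers."""
    service, sep, op_pattern = action_pattern.partition(":")
    if not sep:  # a bare "*" covers every operation of every service
        service, op_pattern = "*", action_pattern
    if service.lower() not in ("ds", "*"):
        return []
    return sorted(op for op in TAG_SCOPED_OPERATIONS
                  if fnmatch.fnmatchcase(op.lower(), op_pattern.lower()))


def has_tag_condition(stmt: Dict[str, Any]) -> bool:
    """True if any condition key scopes the statement by resource tags or request tags."""
    return any(key.startswith(("aws:ResourceTag/", "aws:RequestTag/"))
               for pairs in stmt.get("Condition", {}).values() for key in pairs)


def find_unscoped_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Report Allow statements granting tag-scopable operations on a wildcard resource without a tag condition."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or has_tag_condition(stmt):
            continue
        wildcard_resources = [str(r) for r in _as_list(stmt.get("Resource", [])) if str(r).endswith("*")]
        if not wildcard_resources:
            continue
        ops = sorted({op for action in _as_list(stmt.get("Action", [])) for op in covered_operations(action)})
        if ops:
            findings.append({"index": index, "sid": stmt.get("Sid"),
                             "resources": wildcard_resources, "operations": ops})
    return findings


# The page's Example 2 policy with the EC2 list abridged; the ds actions are not tag-scopable.
EXAMPLE_2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeVpcs", "ec2:CreateTags"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ds:CreateDirectory", "ds:DescribeDirectories"],
         "Resource": "arn:aws-cn:ds:*:{{111122223333}}:*"},
    ],
}

# The page's update/delete tag policy: scoped by aws:ResourceTag, so it is not flagged.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ds:DeleteDirectory", "ds:UpdateDirectory"], "Resource": "*",
                   "Condition": {"StringEquals": {"aws:ResourceTag/Project": "Atlas",
                                                  "aws:ResourceTag/Department": "Engineering",
                                                  "aws:ResourceTag/Environment": "Staging"}}}],
}

# Constructed counter-example: Delete* and ResetUserPassword on every directory, no tag condition.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                   "Action": ["ds:Delete*", "ds:ResetUserPassword"], "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in [("example-2", EXAMPLE_2_POLICY), ("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)]:
        print(name, find_unscoped_statements(policy))
```

The check treats any `Resource` ending in `*` as unscoped, so a directory ARN with a wildcard directory ID is flagged the same way as a bare `"*"`, while a statement pinned to one directory ARN passes regardless of its actions.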