Authorization for Amazon applications and services using Amazon Directory Service - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authorizing an Amazon application on an Active Directory

When you authorize an Amazon application, Amazon Directory Service grants that application the specific permissions it needs to integrate with your Active Directory. Amazon applications are granted only the access necessary for their use case. The set of internal permissions granted to applications and application administrators after authorization is listed below:

Note

The ds:AuthorizeApplication permission is required to authorize a new Amazon application on an Active Directory. Permission for this action should only be granted to the administrators who configure integrations with Directory Service.

  • Read access to Active Directory user, group, organizational unit, computer, or certification authority data in all Organizational Units (OU) of Amazon Managed Microsoft AD, Simple AD, AD Connector directories, as well as trusted domains for Amazon Managed Microsoft AD if permitted by a trust relationship.

  • Write access to users, groups, group membership, computers, or certification authority data in your organizational unit of Amazon Managed Microsoft AD. Write access to all OUs of Simple AD.

  • Authentication and session management of Active Directory users for all directory types.

Certain Amazon Managed Microsoft AD applications, such as Amazon RDS and Amazon FSx, integrate through a direct network connection to your Active Directory. In this case, the directory interactions use native Active Directory protocols such as LDAP and Kerberos. The permissions of these Amazon applications are controlled by a directory user account created in the Amazon Reserved Organizational Unit (OU) during application authorization; this account has DNS management rights and full access to a custom OU created for the application. In order to use this account, the application requires permission for the ds:GetAuthorizedApplicationDetails action, obtained through caller credentials or an IAM role.

For more information about Amazon Directory Service API permissions, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.

For more information about enabling Amazon applications and services for Amazon Managed Microsoft AD, see Enable access to Amazon applications and services. For more information about enabling Amazon applications and services for AD Connector, see Enable access to Amazon applications and services. For more information about enabling Amazon applications and services for Simple AD, see Enable access to Amazon applications and services.

Deauthorizing an Amazon application on an Active Directory

In order to remove an Amazon application's permission to access the Active Directory, the ds:UnauthorizeApplication permission is required. Follow the steps provided by the application to disable it.
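Both the note above (ds:AuthorizeApplication) and this section (ds:UnauthorizeApplication) say the same thing from a least-privilege standpoint: only directory administrators should hold these two actions. The following is an added audit example, not AWS code or part of this documentation. It scans IAM policy documents for Allow statements that grant either action, including implicitly through wildcards such as `ds:*` or `*`, or through a `NotAction` that fails to exclude them, and reports whether the grant is scoped to a specific directory ARN. The policy documents, the account ID 111122223333 and the directory ID `d-EXAMPLE0000` are constructed sample input; the ARN format is the documented `arn:<partition>:ds:<region>:<account>:directory/<directory-id>` form.

```python
"""Audit IAM policy documents for grants of the Directory Service
application-authorization actions named on this page.

Added example, not AWS code. The policies below are constructed sample
input; the directory ARN uses placeholder account and directory IDs.
"""
import fnmatch
import json

# Actions the page says should be limited to directory administrators.
SENSITIVE_ACTIONS = ("ds:AuthorizeApplication", "ds:UnauthorizeApplication")


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_sensitive_grants(policy):
    """Return one finding per Allow statement that grants a sensitive ds: action.

    Each finding is (statement_sid, action, matched_pattern, resource_scoped).
    Wildcard patterns such as 'ds:*' or '*' are reported because they grant the
    action implicitly. A NotAction statement grants everything it does not
    exclude, so it is reported for each sensitive action it fails to exclude.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource"))
        scoped = bool(resources) and "*" not in resources
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            for action in SENSITIVE_ACTIONS:
                if not any(_matches(p, action) for p in excluded):
                    findings.append((sid, action, "NotAction", scoped))
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in SENSITIVE_ACTIONS:
                if _matches(pattern, action):
                    findings.append((sid, action, pattern, scoped))
    return findings


def unscoped_grants(policy):
    """Findings where a sensitive action is granted on every directory (Resource '*')."""
    return [f for f in find_sensitive_grants(policy) if not f[3]]


# Constructed sample: an admin policy scoped to one directory (acceptable) and a
# broad policy that grants both actions through 'ds:*' on every resource (flag).
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DirectoryAdminAuthorizeApps",
    "Effect": "Allow",
    "Action": ["ds:AuthorizeApplication", "ds:UnauthorizeApplication"],
    "Resource": "arn:aws-cn:ds:cn-north-1:111122223333:directory/d-EXAMPLE0000"
  }]
}""")

BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ds:Describe*", "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "ds:*", "Resource": "*"}
  ]
}""")


if __name__ == "__main__":
    for name, pol in (("ADMIN_POLICY", ADMIN_POLICY), ("BROAD_POLICY", BROAD_POLICY)):
        for sid, action, pattern, scoped in find_sensitive_grants(pol):
            print(f"{name}: {sid} grants {action} via {pattern!r} "
                  f"({'scoped to one directory' if scoped else 'all directories'})")
```

Run against the two constructed policies, the admin policy yields two scoped findings (expected for a directory-administrator role) and the broad policy yields two unscoped findings from the `ds:*` statement, which is the case a reviewer would push back on. Feeding real policy documents in (for example, the output of an IAM `GetPolicyVersion` call) is a one-line change, since the function only needs the parsed policy dict.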