Authorization for Amazon applications and services using Amazon Directory Service
This topic describes authorization for Amazon applications and services using Amazon Directory Service and Amazon Directory Service Data.
Authorizing an Amazon application on an Active Directory
Amazon Directory Service grants specific permissions for selected applications to integrate seamlessly with your Active Directory when you authorize an Amazon application. Amazon applications are only granted the access that's necessary for their specific use-cases. The following is a set of internal permissions granted to applications and application administrators after authorization:
Note: The ds:AuthorizationApplication permission is required to authorize a new Amazon application for an Active Directory. Grant this permission only to administrators who configure integrations with Directory Service.
Read access to Active Directory user, group, organizational unit, computer, or certification authority data in all organizational units (OUs) of Amazon Managed Microsoft AD, Simple AD, and AD Connector directories, as well as trusted domains for Amazon Managed Microsoft AD if permitted by a trust relationship.
Write access to users, groups, group membership, computers, or certification authority data in your organizational unit of Amazon Managed Microsoft AD. Write access to all OUs of Simple AD.
Authentication and session management of Active Directory users for all directory types.
Certain Amazon Managed Microsoft AD applications, such as Amazon RDS and Amazon FSx, integrate through a direct network connection to your Active Directory. In this case, the directory interactions use native Active Directory protocols such as LDAP and Kerberos. The permissions of these Amazon applications are controlled by a directory user account created in the Amazon Reserved Organizational Unit (OU) during application authorization; this account has DNS management rights and full access to a custom OU created for the application. To use this account, the application requires permission for the ds:GetAuthorizedApplicationDetails action, granted through caller credentials or an IAM role.
For more information about Amazon Directory Service API permissions, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.
For more information about enabling Amazon applications and services for Amazon Managed Microsoft AD, see Access to Amazon applications and services from your Amazon Managed Microsoft AD. For more information about enabling Amazon applications and services for Simple AD, see Access to Amazon applications and services from your Simple AD. For information about enabling Amazon applications and services for AD Connector, see Access to Amazon applications and services from AD Connector.
Deauthorizing an Amazon application on an Active Directory
The ds:UnauthorizedApplication permission is required to remove permissions for an Amazon application to access an Active Directory.
Follow the procedure the application provides to disable it.
Amazon application authorization with Directory Service Data
For Amazon Managed Microsoft AD directories, the Directory Service Data (ds-data) API provides programmatic access to user and group management tasks. The authorization model of Amazon applications is separate from the access controls of Directory Service Data, which means that access policies for Directory Service Data actions don't affect the authorization of Amazon applications. Denying access to a directory in ds-data will not interrupt the Amazon application integration or the use-cases of Amazon applications.
When writing access policies for Amazon Managed Microsoft AD directories that authorize Amazon applications, be aware that user and group functionality might be available by calling either an authorized Amazon Application or Directory Service Data API. Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, Amazon QuickSight, and Amazon Chime all provide user and group management actions in their APIs. Control access to this Amazon application functionality with IAM policies.
Examples
The following snippets show the incorrect and correct ways to deny DeleteUser functionality when Amazon applications, such as Amazon WorkDocs and Amazon WorkMail, are authorized on the directory.
Incorrect
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "ds-data:DeleteUser"
      ],
      "Resource": "*"
    }
  ]
}
Correct
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "ds-data:DeleteUser",
        "workmail:DeleteUser",
        "workdocs:DeleteUser"
      ],
      "Resource": "*"
    }
  ]
}
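As an added illustration that is not part of the AWS documentation, the following Python script evaluates both policies above against the three DeleteUser paths this page names (ds-data, WorkMail, WorkDocs) and reports which paths each policy leaves undenied. The evaluator is a simplified model of IAM's explicit-deny matching (action wildcards and case-insensitivity only; Resource and Condition are ignored because they are "*" or absent here), not the real policy engine.

```python
import re

# Constructed copies of the two policies shown above (not AWS's own code).
INCORRECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Deny",
                   "Action": ["ds-data:DeleteUser"], "Resource": "*"}],
}
CORRECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Deny",
                   "Action": ["ds-data:DeleteUser", "workmail:DeleteUser",
                              "workdocs:DeleteUser"], "Resource": "*"}],
}

# The user-deletion paths this page names: the ds-data API plus the APIs of
# two authorized applications. Extend for others your directory authorizes.
DELETE_USER_PATHS = ["ds-data:DeleteUser", "workmail:DeleteUser",
                     "workdocs:DeleteUser"]

def _action_matches(pattern, action):
    """IAM-style action match: '*' and '?' wildcards, case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_denied(policy, action):
    """True if any Deny statement matches the action (simplified model that
    ignores Resource and Condition, which are '*' / absent on this page)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):   # IAM allows a single un-listed statement
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):   # "Action" may be a string or a list
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            return True
    return False

def uncovered_paths(policy, paths=DELETE_USER_PATHS):
    """Return the DeleteUser paths the policy does not explicitly deny."""
    return [a for a in paths if not is_denied(policy, a)]

if __name__ == "__main__":
    for name, policy in (("incorrect", INCORRECT_POLICY), ("correct", CORRECT_POLICY)):
        print(f"{name}: still open -> {uncovered_paths(policy)}")
```

For a real account, the same comparison can be run against the IAM service with the iam:SimulateCustomPolicy API instead of this local model.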