

# Identity and access management for Amazon Directory Service
<a name="iam_auth_access"></a>

Access to Amazon Directory Service requires credentials that Amazon can use to authenticate your requests. Those credentials must have permissions to access Amazon resources, such as an Amazon Directory Service directory. The following sections provide details on how you can use [Amazon Identity and Access Management (IAM)](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction.html) and Amazon Directory Service to help secure your resources by controlling who can access them:

 
+ [Authentication](#authentication)
+ [Access control](#access_control)

## Authentication
<a name="authentication"></a>

Learn how to access Amazon using [IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/id.html).

## Access control
<a name="access_control"></a>

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Amazon Directory Service resources. For example, you must have permissions to create an Amazon Directory Service directory or to create a directory snapshot.

The following sections describe how to manage permissions for Amazon Directory Service. We recommend that you read the overview first.

 
+ [Overview of managing access permissions to your Amazon Directory Service resources](IAM_Auth_Access_Overview.md)
+  [Using identity-based policies (IAM policies) for Amazon Directory Service](IAM_Auth_Access_IdentityBased.md) 
+  [Amazon Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md) 

# Overview of managing access permissions to your Amazon Directory Service resources
<a name="IAM_Auth_Access_Overview"></a>

 Every Amazon resource is owned by an Amazon account, and permissions to create or access a resource are governed by permissions policies. An account administrator (a user with administrator permissions) can attach permissions policies to IAM identities such as users, groups, and roles. Some services, such as Amazon Lambda, also support attaching permissions policies to resources; Amazon Directory Service does not, so all access to it is granted through identity-based policies. 

**Note**  
 For information about the account administrator role, see [IAM best practices](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. 

**Topics**
+ [Amazon Directory Service resources and operations](#CreatingIAMPolicies_DS)
+ [Understanding resource ownership](#IAM_Auth_Access_ResourceOwner)
+ [Managing access to resources](#IAM_Auth_Access_ManagingAccess)
+ [Specifying policy elements: Actions, effects, resources, and principals](#SpecifyingIAMPolicyActions_DS)
+ [Specifying conditions in a policy](#SpecifyingIAMPolicyConditions_DS)

## Amazon Directory Service resources and operations
<a name="CreatingIAMPolicies_DS"></a>

 In Amazon Directory Service, the primary resource is a *directory*. Amazon Directory Service also supports directory *snapshots*; because a snapshot can be created only in the context of an existing directory, it is referred to as a *subresource*. 

 These resources have unique Amazon Resource Names (ARNs) associated with them, as shown in the following table. *partition* is `aws-cn` in the China Regions, which is what the example policies on this page use, and `aws` in most other Regions. 


****  

| **Resource Type**  |  **ARN Format**  | 
| --- | --- | 
|  Directory  |  `arn:partition:ds:region:account-id:directory/external-directory-id`  | 
|  Snapshot  |  `arn:partition:ds:region:account-id:snapshot/external-snapshot-id`  | 

 Amazon Directory Service includes two service namespaces, and the prefix you use in the `Action` element of a policy depends on which one the operation belongs to: 
+ The `ds` service namespace covers the directory itself: operations that create, describe, configure, share, snapshot, and delete directories. For a list of available operations, see [Directory Service Actions](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_Operations.html).
+ The `ds-data` service namespace covers objects inside a directory: operations that create, search, update, and delete Active Directory users and groups and that manage group memberships. For a list of available operations, see [Directory Service Data API Reference](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html).

## Understanding resource ownership
<a name="IAM_Auth_Access_ResourceOwner"></a>

A *resource owner* is the Amazon account that created a resource. That is, the resource owner is the Amazon account of the *principal entity* (the root account, an IAM user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works:

 
+ If you use the root account credentials of your Amazon account to create an Amazon Directory Service resource, such as a directory, your Amazon account is the owner of that resource.
+ If you create an IAM user in your Amazon account and grant permissions to create Amazon Directory Service resources to that user, the user can also create Amazon Directory Service resources. However, your Amazon account, to which the user belongs, owns the resources.
+ If you create an IAM role in your Amazon account with permissions to create Amazon Directory Service resources, anyone who can assume the role can create Amazon Directory Service resources. Your Amazon account, to which the role belongs, owns the Amazon Directory Service resources. 

## Managing access to resources
<a name="IAM_Auth_Access_ManagingAccess"></a>

A *permissions policy* describes who has access to what. The following section explains the available options for creating permissions policies.

**Note**  
This section discusses using IAM in the context of Amazon Directory Service. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What is IAM?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [IAM JSON policy reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies) and policies attached to a resource are referred to as *resource-based* policies. Amazon Directory Service supports only identity-based policies (IAM policies).

**Topics**
+ [Identity-based policies (IAM policies)](#IAM_Auth_Access_ManagingAccess_IdentityBased)
+ [Resource-based policies](#IAM_Auth_Access_ManagingAccess_ResourceBased)

### Identity-based policies (IAM policies)
<a name="IAM_Auth_Access_ManagingAccess_IdentityBased"></a>

You can attach policies to IAM identities. For example, you can do the following: 

 
+ **Attach a permissions policy to a user or a group in your account** – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create an Amazon Directory Service resource, such as a new directory. 
+ **Attach a permissions policy to a role (grant cross-account permissions)** – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. 

   For more information about using IAM to delegate permissions, see [Access management](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html) in the *IAM User Guide*. 

The following permissions policy grants a user permission to run all of the actions that begin with `Describe`. These actions return information about an Amazon Directory Service resource, such as a directory or snapshot. Note that the wildcard character (`*`) in the `Resource` element indicates that the actions are allowed for all Amazon Directory Service resources owned by the account. 

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ds:Describe*",
         "Resource":"*"
      }
   ]
}
```

------

For more information about using identity-based policies with Amazon Directory Service, see [Using identity-based policies (IAM policies) for Amazon Directory Service](IAM_Auth_Access_IdentityBased.md). For more information about users, groups, roles, and permissions, see [Identities (users, groups, and roles)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

### Resource-based policies
<a name="IAM_Auth_Access_ManagingAccess_ResourceBased"></a>

Other services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Amazon Directory Service doesn't support resource-based policies. 

## Specifying policy elements: Actions, effects, resources, and principals
<a name="SpecifyingIAMPolicyActions_DS"></a>

For each Amazon Directory Service resource, the service defines a set of API operations. For more information, see [Amazon Directory Service resources and operations](#CreatingIAMPolicies_DS). For a list of available API operations, see [Directory Service Actions](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_Operations.html).

To grant permissions for these API operations, Amazon Directory Service defines a set of actions that you can specify in a policy. Note that performing an API operation can require permissions for more than one action. 

The following are the basic policy elements:
+ **Resource** – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For Amazon Directory Service actions that support resource-level permissions, you can specify a directory or snapshot ARN, as Example 1 later in this guide does for a single directory; for actions that don't, you must use the wildcard character (`*`). The [permissions reference](UsingWithDS_IAM_ResourcePermissions.md) lists which actions accept which resources. For more information, see [Amazon Directory Service resources and operations](#CreatingIAMPolicies_DS). 
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny. For example, the `ds:DescribeDirectories` permission allows the user to perform the Amazon Directory Service `DescribeDirectories` operation. 
+ **Effect** – The effect is what happens when the user requests the specified action: either `Allow` or `Deny`. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it even if a different policy grants access; an explicit deny always overrides an allow.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). Amazon Directory Service doesn't support resource-based policies.

To learn more about IAM policy syntax and descriptions, see [IAM JSON policy reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the Amazon Directory Service API actions and the resources that they apply to, see [Amazon Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). 



## Specifying conditions in a policy
<a name="SpecifyingIAMPolicyConditions_DS"></a>

When you grant permissions, you can use the access policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.

To express conditions, you use predefined condition keys. There are no condition keys specific to Amazon Directory Service. However, there are Amazon condition keys that you can use as appropriate. For a complete list of Amazon keys, see [Available global condition keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the *IAM User Guide*. 

# Amazon managed policies for Amazon Directory Service
<a name="security-iam-awsmanpol"></a>

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

 The following sections describe the Amazon managed policies that are specific to Amazon Directory Service. You can attach these policies to the users, groups, and roles in your account. 

## Amazon managed policy: AWSDirectoryServiceFullAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceFullAccess"></a>

You can attach the `AWSDirectoryServiceFullAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSDirectoryServiceFullAccess.html) in the *Amazon Managed Policy Reference*.

This policy grants administrative permissions that allow a principal full access to all Amazon Directory Service actions. Principals with these permissions can create, configure, and manage directories, including Simple AD, AD Connector, and Managed Microsoft AD. They can also manage directory sharing, trust relationships, and monitoring configurations. This policy includes permissions to manage the underlying network infrastructure required for directory services.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows principals full access to all Amazon Directory Service actions.
+ `ec2` – Allows principals to manage network interfaces, security groups, and describe VPC resources required for directory operations.
+ `sns` – Allows principals to create and manage SNS topics for directory monitoring, specifically topics with names beginning with "DirectoryMonitoring".
+ `iam` – Allows principals to list IAM roles for directory service operations.
+ `organizations` – Allows principals to manage Amazon Organizations integration and enable/disable service access for directory services.

## Amazon managed policy: AWSDirectoryServiceReadOnlyAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceReadOnlyAccess"></a>

You can attach the `AWSDirectoryServiceReadOnlyAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceReadOnlyAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSDirectoryServiceReadOnlyAccess.html) in the *Amazon Managed Policy Reference*.

This policy grants read-only permissions that allow users to view information in Amazon Directory Service. Principals with this policy attached cannot make any updates to directories or their configurations. For example, principals with these permissions can view directory details, trust relationships, and monitoring configurations, but cannot create new directories or modify existing ones. They can also view related EC2 network resources and SNS topics associated with directories.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows users to perform read-only actions that return directory information. This includes API operations that start with `Check`, `Describe`, `Get`, `List`, or `Verify`.
+ `ec2` – Allows users to describe network interfaces, subnets, and VPCs associated with directory services.
+ `sns` – Allows users to list and get information about SNS topics and subscriptions used for directory monitoring.
+ `organizations` – Allows users to describe Amazon Organizations accounts and service access configurations related to directory services.

## Amazon managed policy: AWSDirectoryServiceDataFullAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess"></a>

You can attach the `AWSDirectoryServiceDataFullAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceDataFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSDirectoryServiceDataFullAccess.html) in the *Amazon Managed Policy Reference*.

This policy grants administrative permissions that allow a principal full access to Directory Service Data operations. Principals with these permissions can create, update, and delete Active Directory users and groups within managed directories. They can manage group memberships, enable or disable users, and perform comprehensive user and group management operations. This policy is designed for administrators who need to manage Active Directory objects programmatically.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows principals to access directory data through the Directory Service Data API.
+ `ds-data` – Allows principals full access to all Directory Service Data operations, including creating, updating, and deleting users and groups, managing group memberships, and searching directory objects.

## Amazon managed policy: AWSDirectoryServiceDataReadOnlyAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess"></a>

You can attach the `AWSDirectoryServiceDataReadOnlyAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceDataReadOnlyAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSDirectoryServiceDataReadOnlyAccess.html) in the *Amazon Managed Policy Reference*.

This policy grants read-only permissions that allow users to view and search Active Directory objects within managed directories. Principals with this policy attached cannot make any updates to users, groups, or group memberships. For example, principals with these permissions can search for users and groups, view user and group details, and list group memberships, but cannot create, modify, or delete any directory objects.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows principals to access directory data through the Directory Service Data API.
+ `ds-data` – Allows users to perform read-only actions that return directory object information. This includes API operations that start with `Describe`, `List`, or `Search`.

## AWSDirectoryServiceServiceRolePolicy
<a name="security-iam-awsmanpol-AWSDirectoryServiceServiceRolePolicy"></a>

You cannot attach the `AWSDirectoryServiceServiceRolePolicy` policy to your IAM identities. This policy is attached to a service-linked role that allows Amazon Directory Service to perform actions on your behalf. To view the permissions for this policy, see [AWSDirectoryServiceServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSDirectoryServiceServiceRolePolicy.html) in the *Amazon Managed Policy Reference*.

This policy grants permissions that allow Amazon Directory Service to monitor and assess self-managed domain controllers in hybrid Active Directory environments. The service uses these permissions to run automated health assessments, execute PowerShell scripts for compatibility testing, and gather network configuration information to ensure proper hybrid connectivity and automated recovery capabilities.

**Permissions details**

This policy includes the following permissions: 
+ `ssm` – Allows the service to send PowerShell commands to on-premises domain controllers and retrieve command execution results for monitoring and assessment purposes.
+ `ec2` – Allows the service to describe network resources such as VPCs, subnets, security groups, and network interfaces to validate hybrid connectivity configurations.

## IAM and Amazon Directory Service updates to Amazon managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to IAM and Amazon managed policies since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM and Amazon Directory Service Document history pages.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSDirectoryServiceServiceRolePolicy](#security-iam-awsmanpol-AWSDirectoryServiceServiceRolePolicy) – New policy  |  Amazon Directory Service added a new policy to allow Amazon to monitor a customer's self-managed domain controllers.  | July 30, 2025 | 
|  [Amazon managed policy: AWSDirectoryServiceDataReadOnlyAccess](#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess) – New policy  |  Amazon Directory Service added a new policy to allow a user or group access to view and search AD users, members, and groups.  | September 17, 2024 | 
|  [Amazon managed policy: AWSDirectoryServiceDataFullAccess](#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) – New policy  |  Amazon Directory Service added a new policy to allow a user or group access to built-in object management with Directory Service Data to create, manage, and view AD users, members, and groups.  | September 17, 2024 | 
|  Amazon Directory Service started tracking changes  |  Amazon Directory Service started tracking changes for its Amazon managed policies.  | September 17, 2024 | 

# Using identity-based policies (IAM policies) for Amazon Directory Service
<a name="IAM_Auth_Access_IdentityBased"></a>

 This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (users, groups, and roles). These examples demonstrate IAM policies in Amazon Directory Service. You should modify and create your own policies to suit your needs and environment.

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon Directory Service resources. For more information, see [Overview of managing access permissions to your Amazon Directory Service resources](IAM_Auth_Access_Overview.md).

The sections in this topic cover the following:
+ [Permissions required to use the Amazon Directory Service console](#UsingWithDS_IAM_RequiredPermissions_Console)
+ [Amazon managed (predefined) policies for Amazon Directory Service](#IAM_Auth_Access_ManagedPolicies)
+ [Customer managed policy examples](#IAMPolicyExamples_DS)
+ [Using tags with IAM policies](#using_tags_with_iam_policies)

The following shows an example of a permissions policy.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDsEc2IamGetRole",
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WarningAllowsCreatingRolesWithDirSvcPrefix",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws-cn:iam::111122223333:role/DirSvc*"
        },
        {
            "Sid": "AllowPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws-cn:iam::111122223333:role/Your-Role-Name",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "cloudwatch.amazonaws.com"
                }
            }
        }
    ]
}
```

------

 The three statements in the policy grant permissions as follows: 
+  The first statement grants permission to create an Amazon Directory Service directory, together with the Amazon EC2 actions that Amazon Directory Service needs to create, configure, and delete the network interfaces and security groups that back a directory, and `iam:GetRole` so that it can read the roles it uses. The `Resource` value is the wildcard character (`*`), so these actions are allowed on all matching resources in the account. For more information, see [Amazon EC2 Actions](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_Operations.html). 
+  The second statement grants permission to create IAM roles and attach inline policies to them, so that Amazon Directory Service can create the roles it needs on your behalf. The wildcard character (`*`) at the end of the `Resource` value limits this to roles whose names begin with `DirSvc`; the statement ID carries a warning because `iam:CreateRole` together with `iam:PutRolePolicy` on a broader ARN would let the principal create roles with any permissions. To limit the permission to a single role, replace the wildcard character (`*`) in the resource ARN with the specific role name. For more information, see [IAM Actions](https://docs.amazonaws.cn/IAM/latest/APIReference/API_Operations.html). 
+  The third statement grants `iam:PassRole` for one specific role, and only when that role is passed to the Amazon CloudWatch service (`iam:PassedToService`). Replace `Your-Role-Name` with your role. Scoping `iam:PassRole` by role ARN and target service keeps the principal from handing a more privileged role to a service it controls. 

 You don't see a `Principal` element in the policy, because in an identity-based policy you don't specify the principal who gets the permission. When you attach the policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the Amazon Directory Service API actions and the resources that they apply to, see [Amazon Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). 

## Permissions required to use the Amazon Directory Service console
<a name="UsingWithDS_IAM_RequiredPermissions_Console"></a>

For a user to work with the Amazon Directory Service console, that user must have the permissions listed in the preceding policy or the permissions granted by the `AWSDirectoryServiceFullAccess` or `AWSDirectoryServiceReadOnlyAccess` managed policy, described in [Amazon managed (predefined) policies for Amazon Directory Service](#IAM_Auth_Access_ManagedPolicies).

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. 

## Amazon managed (predefined) policies for Amazon Directory Service
<a name="IAM_Auth_Access_ManagedPolicies"></a>

 Amazon addresses many common use cases by providing predefined, or managed, IAM policies that are created and administered by Amazon. Managed policies grant necessary permissions for common use cases, which helps you decide what permissions you need. For more information, see [Amazon managed policies for Amazon Directory Service](security-iam-awsmanpol.md). 

## Customer managed policy examples
<a name="IAMPolicyExamples_DS"></a>

In this section, you can find example user policies that grant permissions for various Amazon Directory Service actions. 

**Note**  
All examples use the US West (Oregon) Region (`us-west-2`) and contain fictitious account IDs.

**Topics**
+ [Example 1: Allow a user to perform any Describe action on any Amazon Directory Service resource](#IAMPolicyExamples_DS_perform_describe_action)
+ [Example 2: Allow a user to create a directory](#IAMPolicyExamples_DS_create_directory)

### Example 1: Allow a user to perform any Describe action on any Amazon Directory Service resource
<a name="IAMPolicyExamples_DS_perform_describe_action"></a>

The following permissions policy grants a user permission to run all of the actions that begin with `Describe` on the Amazon Managed Microsoft AD with the directory ID `d-1234567890` in the Amazon Web Services account `111122223333`. These actions return information about an Amazon Directory Service resource, such as a directory or snapshot. Because the `Resource` element names a single directory ARN, the same actions on any other directory in the account are implicitly denied. Change the Region, account ID, and directory ID to match your environment.

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ds:Describe*",
         "Resource": "arn:aws-cn:ds:us-west-2:111122223333:directory/d-1234567890"
      }
   ]
}
```

------

### Example 2: Allow a user to create a directory
<a name="IAMPolicyExamples_DS_create_directory"></a>

The following permissions policy allows a user to create a directory and to describe directories. Because creating a directory also creates network interfaces and security groups in your VPC, permissions for certain Amazon EC2 actions are required as well.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress", 
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory",
                "ds:DescribeDirectories"
            ],
            "Resource": "arn:aws-cn:ds:*:111122223333:*"
        }
    ]
}
```

------

## Using tags with IAM policies
<a name="using_tags_with_iam_policies"></a>

You can apply tag-based resource-level permissions in the IAM policies you use for most Amazon Directory Service API actions. This gives you better control over what resources a user can create, modify, or use. You use the `Condition` element (also called the `Condition` block) with the following condition context keys and values in an IAM policy to control user access (permissions) based on a resource's tags:
+ Use `aws:ResourceTag/tag-key: tag-value` to allow or deny user actions on resources that already carry specific tags.
+ Use `aws:RequestTag/tag-key: tag-value` to require that a specific tag be used (or not used) when making an API request to create or modify a resource that allows tags.
+ Use `aws:TagKeys: [tag-key, ...]` to require that a specific set of tag keys be used (or not used) when making an API request to create or modify a resource that allows tags.

**Note**  
The condition context keys and values in an IAM policy apply only to those Amazon Directory Service actions where an identifier for a resource capable of being tagged is a required parameter. 

[Controlling access using tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide* has additional information on using tags. The [IAM JSON policy reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies.html) section of that guide has detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of JSON policies in IAM.

The following tag policy allows creating an Amazon Directory Service directory only when the request includes all of the following tags:
+ `Environment`: `Production`
+ `Owner`: `Infrastructure-Team`
+ `CostCenter`: `12345`

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Environment": "Production",
                    "aws:RequestTag/Owner": "Infrastructure-Team",
                    "aws:RequestTag/CostCenter": "12345"
                }
            }
        }
    ]
}
```

------

The following tag policy allows updating and deleting Amazon Directory Service directories only when the directory carries all of the following tags:
+ `Project`: `Atlas`
+ `Department`: `Engineering`
+ `Environment`: `Staging`

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:DeleteDirectory",
                "ds:UpdateDirectory"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "Atlas",
                    "aws:ResourceTag/Department": "Engineering",
                    "aws:ResourceTag/Environment": "Staging"
                }
            }
        }
    ]
}
```

------

The following tag policy denies tagging Amazon Directory Service resources when the request includes any of the following tag keys:
+ `Production`
+ `Security`
+ `Confidential`

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ds:AddTagsToResource"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": ["Production", "Security", "Confidential"]
                }
            }
        }
    ]
}
```

------

For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Service Namespaces](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html).

The following Amazon Directory Service API operations support tag-based resource-level permissions:
+ [AcceptSharedDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AcceptSharedDirectory.html)
+ [AddIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AddIpRoutes.html)
+ [AddTagsToResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AddTagsToResource.html)
+ [CancelSchemaExtension](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CancelSchemaExtension.html)
+ [CreateAlias](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateAlias.html)
+ [CreateComputer](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateComputer.html)
+ [CreateConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateConditionalForwarder.html)
+ [CreateSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateSnapshot.html)
+ [CreateLogSubscription](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateLogSubscription.html)
+ [CreateTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateTrust.html)
+ [DeleteConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html)
+ [DeleteDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteDirectory.html)
+ [DeleteLogSubscription](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteLogSubscription.html)
+ [DeleteSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteSnapshot.html)
+ [DeleteTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteTrust.html)
+ [DeregisterEventTopic](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeregisterEventTopic.html)
+ [DescribeConditionalForwarders](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html)
+ [DescribeDomainControllers](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeDomainControllers.html)
+ [DescribeEventTopics](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeEventTopics.html)
+ [DescribeSharedDirectories](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeSharedDirectories.html)
+ [DescribeSnapshots](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeSnapshots.html)
+ [DescribeTrusts](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeTrusts.html)
+ [DisableRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DisableRadius.html)
+ [DisableSso](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DisableSso.html)
+ [EnableRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_EnableRadius.html)
+ [EnableSso](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_EnableSso.html)
+ [GetSnapshotLimits](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_GetSnapshotLimits.html)
+ [ListIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListIpRoutes.html)
+ [ListSchemaExtensions](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListSchemaExtensions.html)
+ [ListTagsForResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListTagsForResource.html)
+ [RegisterEventTopic](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RegisterEventTopic.html)
+ [RejectSharedDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RejectSharedDirectory.html)
+ [RemoveIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RemoveIpRoutes.html)
+ [RemoveTagsFromResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RemoveTagsFromResource.html)
+ [ResetUserPassword](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ResetUserPassword.html)
+ [RestoreFromSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RestoreFromSnapshot.html)
+ [ShareDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ShareDirectory.html)
+ [StartSchemaExtension](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_StartSchemaExtension.html)
+ [UnshareDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UnshareDirectory.html)
+ [UpdateConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html)
+ [UpdateNumberOfDomainControllers](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html)
+ [UpdateRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateRadius.html)
+ [UpdateTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateTrust.html)
+ [VerifyTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_VerifyTrust.html)

# Amazon Directory Service API permissions: Actions, resources, and conditions reference
<a name="UsingWithDS_IAM_ResourcePermissions"></a>

When you are setting up [Access control](iam_auth_access.md#access_control) and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the [Amazon Directory Service API permissions: Actions, resources, and conditions reference](#UsingWithDS_IAM_ResourcePermissions) table as a reference. Each entry in the table includes the following:
+ The name of the API operation
+ The corresponding action or actions for which you can grant permission to perform the operation
+ The Amazon resource for which you can grant the permission

 You specify the actions in the policy's `Action` field and the resource value in the policy's `Resource` field. To specify an action, use the `ds:` prefix followed by the API operation name (for example, `ds:CreateDirectory`). Some Amazon applications may require use of nonpublic Amazon Directory Service API operations such as `ds:AuthorizeApplication`, `ds:CheckAlias`, `ds:CreateIdentityPoolDirectory`, `ds:GetAuthorizedApplicationDetails`, `ds:UpdateAuthorizedApplication`, and `ds:UnauthorizeApplication` in their policies. 

Some Amazon Directory Service APIs can only be called through the Amazon Web Services Management Console. They are not public APIs, in the sense they cannot be called programmatically, and they are not provided by any SDK. They accept user credentials. These API operations include `ds:DisableRoleAccess`, `ds:EnableRoleAccess`, and `ds:UpdateDirectory`.

 You can use Amazon global condition keys in your Amazon Directory Service and Directory Service Data policies to express conditions. For a complete list of Amazon keys, see [Available Global Condition Keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the *IAM User Guide*. 

## Amazon Directory Service API and required permissions for actions
<a name="actions-related-to-objects-table"></a>


| Amazon Directory Service API Operations | Required Permissions (API Actions) | Resources | 
| --- | --- | --- | 
| [AcceptSharedDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AcceptSharedDirectory.html) | `ds:AcceptSharedDirectory` | \$1 | 
| [AddIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AddIpRoutes.html) | `ds:AddIpRoutes` `ec2:DescribeSecurityGroups` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` | \$1 | 
| [AddTagsToResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_AddTagsToResource.html) | `ds:AddTagsToResource` `ec2:CreateTags` | \$1 | 
| [CancelSchemaExtension](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CancelSchemaExtension.html) | `ds:CancelSchemaExtension` | \$1 | 
| [ConnectDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ConnectDirectory.html) | `ds:ConnectDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags` | \$1 | 
| [CreateAlias](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateAlias.html) | `ds:CreateAlias` | \$1 | 
| [CreateComputer](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateComputer.html) | `ds:CreateComputer` | \$1 | 
| [CreateConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateConditionalForwarder.html) | `ds:CreateConditionalForwarder` | \$1 | 
| [CreateDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateDirectory.html) | `ds:CreateDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags` | \$1 | 
| [CreateLogSubscription](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateLogSubscription.html) | `ds:CreateLogSubscription` | \$1 | 
| [CreateMicrosoftAD](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateMicrosoftAD.html) | `ds:CreateMicrosoftAD` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:RevokeSecurityGroupEgress` `ec2:CreateTags` | \$1 | 
| [CreateSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateSnapshot.html) | `ds:CreateSnapshot` | \$1 | 
| [CreateTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_CreateTrust.html) | `ds:CreateTrust` | \$1 | 
| [DeleteConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html) | `ds:DeleteConditionalForwarder` | \$1 | 
| [DeleteDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteDirectory.html) | `ds:DeleteDirectory` `ec2:DescribeNetworkInterfaces` `ec2:DeleteSecurityGroup` `ec2:DeleteNetworkInterface` `ec2:RevokeSecurityGroupIngress` `ec2:RevokeSecurityGroupEgress` `ec2:DeleteTags` | \$1 | 
| [DeleteLogSubscription](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteLogSubscription.html) | `ds:DeleteLogSubscription` | \$1 | 
| [DeleteSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteSnapshot.html) | `ds:DeleteSnapshot` | \$1 | 
| [DeleteTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeleteTrust.html) | `ds:DeleteTrust` | \$1 | 
| [DeregisterEventTopic](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DeregisterEventTopic.html) | `ds:DeregisterEventTopic` | \$1 | 
| [DescribeConditionalForwarders](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html) | `ds:DescribeConditionalForwarders` | \$1 | 
| [DescribeDirectories](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeDirectories.html) | `ds:DescribeDirectories` | \$1 | 
| [DescribeDomainControllers](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeDomainControllers.html) | `ds:DescribeDomainControllers` | \$1 | 
| [DescribeEventTopics](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeEventTopics.html) | `ds:DescribeEventTopics` | \$1 | 
| [DescribeSharedDirectories](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeSharedDirectories.html) | `ds:DescribeSharedDirectories` | \$1 | 
| [DescribeSnapshots](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeSnapshots.html) | `ds:DescribeSnapshots` | \$1 | 
| [DescribeTrusts](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DescribeTrusts.html) | `ds:DescribeTrusts` | \$1 | 
| [DisableRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DisableRadius.html) | `ds:DisableRadius` | \$1 | 
| [DisableSso](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_DisableSso.html) | `ds:DisableSso` | \$1 | 
| [EnableRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_EnableRadius.html) | `ds:EnableRadius` | \$1 | 
| [EnableSso](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_EnableSso.html) | `ds:EnableSso` | \$1 | 
| [GetDirectoryLimits](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_GetDirectoryLimits.html) | `ds:GetDirectoryLimits` | \$1 | 
| [GetSnapshotLimits](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_GetSnapshotLimits.html) | `ds:GetSnapshotLimits` | \$1 | 
| [ListIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListIpRoutes.html) | `ds:ListIpRoutes` | \$1 | 
| [ListLogSubscriptions](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListLogSubscriptions.html) | `ds:ListLogSubscriptions` | \$1 | 
| [ListSchemaExtensions](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListSchemaExtensions.html) | `ds:ListSchemaExtensions` | \$1 | 
| [ListTagsForResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ListTagsForResource.html) | `ds:ListTagsForResource` | \$1 | 
| [RegisterEventTopic](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RegisterEventTopic.html) | `ds:RegisterEventTopic` `sns:GetTopicAttributes` | \$1 | 
| [RejectSharedDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RejectSharedDirectory.html) | `ds:RejectSharedDirectory` | \$1 | 
| [RemoveIpRoutes](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RemoveIpRoutes.html) | `ds:RemoveIpRoutes` | \$1 | 
| [RemoveTagsFromResource](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RemoveTagsFromResource.html) | `ds:RemoveTagsFromResource` `ec2:DeleteTags` | \$1 | 
| [ResetUserPassword](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ResetUserPassword.html) | `ds:ResetUserPassword` | \$1 | 
| [RestoreFromSnapshot](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_RestoreFromSnapshot.html) | `ds:RestoreFromSnapshot` | \$1 | 
| [ShareDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_ShareDirectory.html) | `ds:ShareDirectory` `organizations:DescribeAccount` `organizations:DescribeOrganization` `organizations:ListAWSServiceAccessForOrganization` | \$1 | 
| [StartSchemaExtension](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_StartSchemaExtension.html) | `ds:StartSchemaExtension` | \$1 | 
| [UnshareDirectory](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UnshareDirectory.html) | `ds:UnshareDirectory` | \$1 | 
| [UpdateConditionalForwarder](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html) | `ds:UpdateConditionalForwarder` | \$1 | 
| [UpdateNumberOfDomainControllers](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html) | `ds:UpdateNumberOfDomainControllers` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:DeleteNetworkInterface` | \$1 | 
| [UpdateRadius](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateRadius.html) | `ds:UpdateRadius` | \$1 | 
| [UpdateTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_UpdateTrust.html) | `ds:UpdateTrust` | \$1 | 
| [VerifyTrust](https://docs.amazonaws.cn/directoryservice/latest/devguide/API_VerifyTrust.html) | `ds:VerifyTrust` | \$1 | 

## Amazon Directory Service Data API and required permissions for actions
<a name="DSData_ResourcePermissions"></a>

**Note**  
 To specify an action, use the `ds-data:` prefix followed by the name of the API operation (for example, `ds-data:AddGroupMember`). 


| Directory Service Data API Operations | Required Permissions (API Actions) | Resources | 
| --- | --- | --- | 
|  [AddGroupMember](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_AddGroupMember.html)  |  `ds-data:AddGroupMember`  | \$1 | 
|  [CreateGroup](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateGroup.html)  |  `ds-data:CreateGroup`  |  \$1  | 
|  [CreateUser](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateUser.html)  |  `ds-data:CreateUser`  |  \$1  | 
|  [DeleteGroup](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DeleteGroup.html)  |  `ds-data:DeleteGroup`  |  \$1  | 
|  [DeleteUser](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/DeleteUser.html)  |  `ds-data:DeleteUser`  |  \$1  | 
|  [DescribeGroup](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeGroup.html)  |  `ds-data:DescribeGroup`  |  \$1  | 
|  [DescribeUser](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeUser.html)  |  `ds-data:DescribeUser`  |  \$1  | 
|  [DisableUser](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DisableUser.html)  |  `ds-data:DisableUser`  |  \$1  | 
|  [ListGroups](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroups.html)  |  `ds-data:ListGroups`  |  \$1  | 
|  [ListGroupMembers](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupMembers.html)  |  `ds-data:ListGroupMembers`  |  \$1  | 
|  [ListGroupsForMember](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupsForMember.html)  |  `ds-data:ListGroupsForMember`  |  \$1  | 
|  [ListUsers](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListUsers.html)  |  `ds-data:ListUsers`  |  \$1  | 
|  [RemoveGroupMember](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_RemoveGroupMember.html)  |  `ds-data:RemoveGroupMember`  |  \$1  | 
|  [SearchGroups](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchGroups.html)  |  `ds-data:DescribeGroup` `ds-data:SearchGroups`  |  \$1  | 
| [SearchUsers](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchUsers.html) |  `ds-data:DescribeUser` `ds-data:SearchUsers`  |  \$1  | 
| [UpdateGroup](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateGroup.html) |  `ds-data:UpdateGroup`  |  \$1  | 
| [UpdateUser](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateUser.html) |  `ds-data:UpdateUser`  |  \$1  | 

## Related Topics
<a name="iam2_related"></a>
+ [Access control](iam_auth_access.md#access_control)

# Directory Service Data condition keys
<a name="iam_dsdata-condition-keys"></a>

Use [Directory Service Data](https://docs.amazonaws.cn/directoryservicedata/latest/DirectoryServiceDataAPIReference/welcome.html) condition keys to add user-level and group-level restrictions to your policy statements. This lets you decide which principals can perform which actions, on which resources, and under what conditions. 

The *Condition element*, or *Condition block*, lets you specify conditions where a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals (=) or less than (<), to match the condition in the policy with values in the request. 

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, Amazon evaluates them by using a logical AND operation. If you specify multiple values for a single condition key, Amazon evaluates the condition by using a logical OR operation. All of the conditions must be met before the statement's permissions are granted. You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it's tagged with their username. For information, see [Condition with multiple keys or values](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) in the *IAM User Guide*. 

For a list of which actions support these condition keys, see [Actions defined by Amazon Directory Service Data](https://docs.amazonaws.cn/service-authorization/latest/reference/list_directoryservice-data.html) in the *Service Authorization Reference*. 

**Note**  
For information about tag-based resource-level permissions, see [Using tags with IAM policies](IAM_Auth_Access_IdentityBased.md#using_tags_with_iam_policies). 
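To see the evaluation rules described above in action (AND across condition keys, OR across the values listed for one key, `ForAnyValue` set operators, and an explicit Deny overriding any Allow), here is a small Python model of IAM condition evaluation. It is an added example written for this page, not AWS code and not the real IAM engine, and it covers only the string operators this page uses. It runs the three tag policies from [Using tags with IAM policies](#using_tags_with_iam_policies) and the `DenyDescribe` policy from the `ds-data:SAMAccountName` section that follows against constructed request contexts; the two unconditioned Allow statements, the request contexts, and the scenario names are constructed for the demonstration.

```python
"""Minimal model of IAM condition evaluation, added for this page (not AWS code).
It implements just enough of the policy language to run the tag-based policies
and the Directory Service Data policy from this page against constructed request
contexts: StringEquals / StringEqualsIgnoreCase / StringLike and their
StringNot... forms, ForAnyValue / ForAllValues over multi-valued keys such as
aws:TagKeys, AND across condition keys, OR across the values listed for one key,
and explicit Deny overriding Allow. A request context is a dict mapping a
condition key to its value (or list of values)."""
import fnmatch
from typing import Any, Dict, List

# Positive operators; the negated StringNot... forms are derived below.
_COMPARE = {
    "StringEquals": lambda p, c: p == c,
    "StringEqualsIgnoreCase": lambda p, c: p.lower() == c.lower(),
    "StringLike": lambda p, c: fnmatch.fnmatchcase(c, p),
}

def _as_list(v: Any) -> List[str]:
    return v if isinstance(v, list) else [v]

def _value_matches(op: str, policy_vals: List[str], ctx_val: str) -> bool:
    """OR across the policy's listed values; a negated operator matches only
    if none of them match."""
    hit = any(_COMPARE[op.replace("Not", "", 1)](p, ctx_val) for p in policy_vals)
    return not hit if op.startswith("StringNot") else hit

def condition_matches(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, Any]) -> bool:
    """Every operator/key pair must hold (logical AND across keys)."""
    ctx = {k.lower(): v for k, v in ctx.items()}  # condition key names are case-insensitive
    for op_full, keys in condition.items():
        set_op, _, op = op_full.rpartition(":")   # "ForAnyValue:StringEquals" -> set_op, op
        for key, policy_vals in keys.items():
            pvals = _as_list(policy_vals)
            cvals = _as_list(ctx.get(key.lower(), []))
            if set_op == "ForAnyValue":
                ok = any(_value_matches(op, pvals, c) for c in cvals)
            elif set_op == "ForAllValues":
                ok = all(_value_matches(op, pvals, c) for c in cvals)
            elif not cvals:                        # key absent: only negated operators match
                ok = op.startswith("StringNot")
            else:
                ok = _value_matches(op, pvals, cvals[0])
            if not ok:
                return False
    return True

def _glob_any(patterns: Any, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policies: List[Dict], action: str, resource: str, ctx: Dict[str, Any]) -> str:
    """'Deny' (explicit), 'Allow', or 'ImplicitDeny'. One matching Deny wins
    regardless of how many Allow statements match."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_glob_any(stmt["Action"], action) and _glob_any(stmt["Resource"], resource)
                    and condition_matches(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# The policies from this page; the two unconditioned Allow statements are
# constructed so that the Deny statements have something to override.
POLICIES = [
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ds:CreateDirectory"],
        "Resource": "*", "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production",
        "aws:RequestTag/Owner": "Infrastructure-Team", "aws:RequestTag/CostCenter": "12345"}}}]},
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ds:DeleteDirectory", "ds:UpdateDirectory"],
        "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceTag/Project": "Atlas",
        "aws:ResourceTag/Department": "Engineering", "aws:ResourceTag/Environment": "Staging"}}}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ds:AddTagsToResource", "Resource": "*"},  # constructed
        {"Effect": "Deny", "Action": ["ds:AddTagsToResource"], "Resource": "*", "Condition": {
            "ForAnyValue:StringEquals": {"aws:TagKeys": ["Production", "Security", "Confidential"]}}}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ds-data:Describe*", "Resource": "*"},  # constructed
        {"Sid": "DenyDescribe", "Effect": "Deny", "Action": "ds-data:Describe*", "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {"ds-data:SAMAccountName": ["joe", "joegroup"],
                                                  "ds-data:identifier": ["SAMAccountName"]}}}]},
]
DIRECTORY = "arn:aws-cn:ds:us-east-1:111122223333:directory/d-012345678"  # ARN from this page

def demo() -> Dict[str, str]:
    """Constructed requests, keyed by scenario, run through POLICIES."""
    tags = {"aws:RequestTag/Environment": "Production", "aws:RequestTag/Owner": "Infrastructure-Team",
            "aws:RequestTag/CostCenter": "12345"}
    staging = {"aws:ResourceTag/Project": "Atlas", "aws:ResourceTag/Department": "Engineering",
               "aws:ResourceTag/Environment": "Staging"}
    return {
        "create_all_tags": evaluate(POLICIES, "ds:CreateDirectory", DIRECTORY, tags),
        "create_missing_costcenter": evaluate(POLICIES, "ds:CreateDirectory", DIRECTORY,
                                              {k: v for k, v in tags.items() if "CostCenter" not in k}),
        "update_staging": evaluate(POLICIES, "ds:UpdateDirectory", DIRECTORY, staging),
        # StringEquals is case-sensitive: "staging" does not satisfy the Staging condition
        "update_lowercase_env": evaluate(POLICIES, "ds:UpdateDirectory", DIRECTORY,
                                         {**staging, "aws:ResourceTag/Environment": "staging"}),
        "tag_ordinary_keys": evaluate(POLICIES, "ds:AddTagsToResource", DIRECTORY, {"aws:TagKeys": ["Owner", "Project"]}),
        "tag_security_key": evaluate(POLICIES, "ds:AddTagsToResource", DIRECTORY, {"aws:TagKeys": ["Owner", "Security"]}),
        # StringEqualsIgnoreCase: "JOE" still hits the Deny written for joe
        "describe_joe_upper": evaluate(POLICIES, "ds-data:DescribeUser", DIRECTORY,
                                       {"ds-data:SAMAccountName": "JOE", "ds-data:Identifier": "SAMAccountName"}),
        "describe_alice": evaluate(POLICIES, "ds-data:DescribeUser", DIRECTORY,
                                   {"ds-data:SAMAccountName": "alice", "ds-data:Identifier": "SAMAccountName"}),
    }

if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:28s} {result}")
```

The `create_missing_costcenter` and `update_lowercase_env` scenarios are the ones worth remembering: a missing `aws:RequestTag` key or a tag value that differs only in case silently turns an Allow into an implicit deny, while the Directory Service Data keys are matched case-insensitively, so `JOE` is still caught by a Deny written for `joe`.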

## ds-data:SAMAccountName
<a name="dsdata_condition-SAMAccountName"></a>

Works with [String operators](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to explicitly allow or deny an IAM principal's actions on specific users and groups.

**Important**  
When using `SAMAccountName` or `MemberName`, we recommend specifying `ds-data:Identifier` as `SAMAccountName`. This prevents future identifiers that Amazon Directory Service Data supports, such as `SID`, from breaking existing permissions.

The following policy denies the IAM principal from describing the user `joe` or describing the group `joegroup`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDescribe",
      "Effect": "Deny",
      "Action": "ds-data:Describe*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:SAMAccountName": [
            "joe",
            "joegroup"
          ],
          "ds-data:identifier": [
            "SAMAccountName"
          ]
        }
      }
    }
  ]
}
```

------

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values regardless of letter case. 

## ds-data:Identifier
<a name="dsdata_condition-identifier"></a>

Works with [String operators](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to define which identifier to use in the IAM policy permissions. Currently, only `SAMAccountName` is supported.

The following policy allows the IAM principal to update the user `joe`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateJoe",
      "Effect": "Allow",
      "Action": "ds-data:UpdateUser",
      "Resource": "arn:aws-cn:ds:us-east-1:111122223333:directory/d-012345678",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:SAMAccountName": [
            "joe"
          ],
          "ds-data:identifier": [
            "SAMAccountName"
          ]
        }
      }
    }
  ]
}
```

------

## ds-data:MemberName
<a name="dsdata_condition-MemberName"></a>

Works with [String operators](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to define the members that can have operations performed on them.

**Important**  
When using `MemberName` or `SAMAccountName`, we recommend specifying `ds-data:Identifier` as `SAMAccountName`. This prevents future identifiers that Directory Service Data supports, such as `SID`, from breaking existing permissions. 

The following policy allows the IAM principal to perform `AddGroupMember` on member `joe` in any group.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "AddJoe",
        "Effect": "Allow",
        "Action": "ds-data:AddGroupMember",
        "Resource": "arn:aws-cn:ds:us-east-1:111122223333:directory/d-012345678",
        "Condition": {
            "StringEqualsIgnoreCase": {
                "ds-data:MemberName": "joe"
            }
        }
    }
  ]
}
```

------

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values regardless of letter case. 

## ds-data:MemberRealm
<a name="dsdata_condition-MemberRealm"></a>

Works with [String operators](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to check whether the `ds-data:MemberRealm` value in the policy matches the member realm in the request.

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values regardless of letter case. 

The following policy allows the IAM principal to call `AddGroupMember` for member `bob` in realm `ONE.TRU1.AMAZON.COM`.

**Note**  
The following example uses only the `ds-data:MemberName` context key. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "addbob",
      "Effect": "Allow",
      "Action": "ds-data:AddGroupMember",
      "Resource": "arn:aws-cn:ds:us-east-1:111122223333:directory/d-012345678",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:MemberName": "bob",
          "ds-data:MemberRealm": "one.tru1.amazon.com"
        }
      }
    }
  ]
}
```

------

## ds-data:Realm
<a name="dsdata_condition-Realm"></a>

Works with [String operators](https://docs.amazonaws.cn//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String).

Use this key to check whether the `ds-data:Realm` value in the policy matches the realm an IAM principal can use to make requests to Directory Service Data APIs.

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values regardless of letter case. 

The following policy denies the IAM principal from calling `ListUsers` on the realm `one.tru1.amazon.com`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTrustedList",
      "Effect": "Deny",
      "Action": "ds-data:ListUsers",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:Realm": [
            "one.tru1.amazon.com"
          ]
        }
      }
    }
  ]
}
```

------
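The notes in the `ds-data:SAMAccountName`, `ds-data:MemberName`, `ds-data:MemberRealm` and `ds-data:Realm` sections above come down to two rules a reviewer checks before a policy ships: compare the Directory Service Data string keys only with the case-insensitive operators, and pin `ds-data:Identifier` to `SAMAccountName` whenever `SAMAccountName` or `MemberName` is used. The following linter, an added example written for this page and not AWS tooling, checks both rules on policy JSON. The `UpdateJoe` and `AddJoe` policies are the ones from the sections above; the `ListByRealm` policy is constructed to show a case-sensitive operator on `ds-data:Realm`.

```python
"""Static check of Directory Service Data condition usage, added for this page
(not AWS tooling). It flags two pitfalls: a ds-data string key compared with a
case-sensitive operator, and ds-data:SAMAccountName or ds-data:MemberName used
without pinning ds-data:Identifier to SAMAccountName. Input is policy JSON text."""
import json
from typing import Any, Dict, List

# Condition keys the page documents as case-insensitive, and the two name keys
# that should be accompanied by ds-data:Identifier = SAMAccountName.
CASE_INSENSITIVE_KEYS = {"ds-data:samaccountname", "ds-data:membername",
                         "ds-data:realm", "ds-data:memberrealm"}
NAME_KEYS = {"ds-data:samaccountname", "ds-data:membername"}
OK_OPERATORS = {"StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase"}

def _as_list(v: Any) -> List[str]:
    return v if isinstance(v, list) else [v]

def lint_statement(stmt: Dict[str, Any]) -> List[str]:
    """Findings for one statement; an empty list means nothing to report."""
    findings: List[str] = []
    sid = stmt.get("Sid", "<no Sid>")
    uses_name_key = identifier_pinned = False
    for op_full, keys in stmt.get("Condition", {}).items():
        op = op_full.rpartition(":")[2]          # strip a ForAnyValue:/ForAllValues: prefix
        for key, values in keys.items():
            k = key.lower()                      # condition key names are case-insensitive
            if k in CASE_INSENSITIVE_KEYS and op not in OK_OPERATORS:
                findings.append(f"{sid}: {key} compared with {op_full}; "
                                "use StringEqualsIgnoreCase or StringNotEqualsIgnoreCase")
            uses_name_key |= k in NAME_KEYS
            if k == "ds-data:identifier" and [v.lower() for v in _as_list(values)] == ["samaccountname"]:
                identifier_pinned = True
    if uses_name_key and not identifier_pinned:
        findings.append(f"{sid}: SAMAccountName/MemberName used without ds-data:Identifier = SAMAccountName")
    return findings

def lint_policy(policy_json: str) -> List[str]:
    """Lint every statement of a policy document given as JSON text."""
    policy = json.loads(policy_json)
    return [f for stmt in _as_list(policy["Statement"]) for f in lint_statement(stmt)]

# UpdateJoe and AddJoe are the policies from this page; ListByRealm is constructed.
UPDATE_JOE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "UpdateJoe", "Effect": "Allow", "Action": "ds-data:UpdateUser",
    "Resource": "arn:aws-cn:ds:us-east-1:111122223333:directory/d-012345678",
    "Condition": {"StringEqualsIgnoreCase": {
      "ds-data:SAMAccountName": ["joe"], "ds-data:identifier": ["SAMAccountName"]}}}]}"""

ADD_JOE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AddJoe", "Effect": "Allow", "Action": "ds-data:AddGroupMember",
    "Resource": "arn:aws-cn:ds:us-east-1:111122223333:directory/d-012345678",
    "Condition": {"StringEqualsIgnoreCase": {"ds-data:MemberName": "joe"}}}]}"""

LIST_BY_REALM = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ListByRealm", "Effect": "Deny", "Action": "ds-data:ListUsers", "Resource": "*",
    "Condition": {"StringEquals": {"ds-data:Realm": "one.tru1.amazon.com"}}}]}"""

if __name__ == "__main__":
    for name, doc in [("UpdateJoe", UPDATE_JOE), ("AddJoe", ADD_JOE), ("ListByRealm", LIST_BY_REALM)]:
        print(name, lint_policy(doc) or ["ok"])
```

`AddJoe` is reported because it matches the `MemberName` note's recommendation only halfway: the operator is case-insensitive, but `ds-data:Identifier` is not pinned, so a future identifier type could change what the condition matches. `ListByRealm` is reported because `StringEquals` on `ds-data:Realm` will not behave the way the realm note requires.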