Amazon managed policies for Amazon Directory Service
The following sections describe the Amazon managed policies that are specific to Amazon Directory Service. You can attach these policies to users in your account.
For more information, see Amazon managed policies in the IAM User Guide.
AWSDirectoryServiceFullAccess
The AWSDirectoryServiceFullAccess policy grants a user or group the following:
-
Full access to Amazon Directory Service
-
Access to key Amazon EC2 services required to use Amazon Directory Service
-
Ability to list Amazon SNS topics
-
Ability to create, manage, and delete Amazon SNS topics with a name beginning with “DirectoryMonitoring”
AWSDirectoryServiceReadOnlyAccess
The AWSDirectoryServiceReadOnlyAccess policy grants a user or group read-only access to all Amazon Directory Service resources, EC2 subnets, EC2 network interfaces, and Amazon Simple Notification Service (Amazon SNS) topics and subscriptions for the root Amazon account. For more information, see Using Amazon managed policies with Amazon Directory Service.
AWSDirectoryServiceDataFullAccess
The AWSDirectoryServiceDataFullAccess policy grants a user or group full access to built-in object management with Directory Service Data to create, manage, and view AD users, members, and groups. For details, see Amazon Directory Service Data API Reference.
-
Full access to Directory Service Data
AWSDirectoryServiceDataReadOnlyAccess
The AWSDirectoryServiceDataReadOnlyAccess policy grants a user or group access to view and search AD users, members, and groups. For details, see Amazon Directory Service Data API Reference.
-
Ability to list Directory Service Data
-
Ability to search Directory Service Data
-
Ability to get descriptions of Directory Service Data
For more information, see Using Amazon managed policies with Amazon Directory Service.
In addition, there are other Amazon managed policies that are suitable for use with other IAM roles. These policies are assigned to the roles that are associated with users in your Amazon Directory Service directory. These policies are required for those users to have access to other Amazon resources, such as Amazon EC2. For more information, see Granting Amazon Managed Microsoft AD users and groups access to Amazon resources with IAM roles.
You can also create custom IAM policies that allow users to access the required API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.
IAM and Amazon Directory Service updates to Amazon managed policies
View details about updates to IAM and Amazon managed policies since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM and Amazon Directory Service Document history pages.
Change | Description | Date |
---|---|---|
AWSDirectoryServiceDataReadOnlyAccess – New policy |
Amazon Directory Service added a new policy to allow a user or group access to view and search AD users, members, and groups. |
September 17, 2024 |
AWSDirectoryServiceDataFullAccess – New policy |
Amazon Directory Service added a new policy to allow a user or group access to built-in object management with Directory Service Data to create, manage, and view AD users, members, and groups. |
September 17, 2024 |
Amazon Directory Service started tracking changes |
Amazon Directory Service started tracking changes for its Amazon managed policies. |
September 17, 2024 |