

# Identity and access management for Directory Service
<a name="iam_auth_access"></a>

Access to Directory Service requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as a Directory Service directory. The following sections provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and Directory Service to help secure your resources by controlling who can access them:

 
+ [Authentication](#authentication)
+ [Access control](#access_control)

## Authentication
<a name="authentication"></a>

Learn how to access AWS using [IAM identities](https://docs.aws.amazon.com//IAM/latest/UserGuide/id.html).

## Access control
<a name="access_control"></a>

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Directory Service resources. For example, you must have permissions to create a Directory Service directory or to create a directory snapshot.

The following sections describe how to manage permissions for Directory Service. We recommend that you read the overview first.

 
+ [Overview of managing access permissions to your Directory Service resources](IAM_Auth_Access_Overview.md)
+  [Using identity-based policies (IAM policies) for Directory Service](IAM_Auth_Access_IdentityBased.md) 
+  [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md) 

# Overview of managing access permissions to your Directory Service resources
<a name="IAM_Auth_Access_Overview"></a>

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator (a user with administrator permissions) can attach permissions policies to IAM identities such as users, groups, and roles, and some services, such as AWS Lambda, also support attaching permissions policies to resources.

**Note**  
 For information about the account administrator role, see [IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. 

**Topics**
+ [Directory Service resources and operations](#CreatingIAMPolicies_DS)
+ [Understanding resource ownership](#IAM_Auth_Access_ResourceOwner)
+ [Managing access to resources](#IAM_Auth_Access_ManagingAccess)
+ [Specifying policy elements: Actions, effects, resources, and principals](#SpecifyingIAMPolicyActions_DS)
+ [Specifying conditions in a policy](#SpecifyingIAMPolicyConditions_DS)

## Directory Service resources and operations
<a name="CreatingIAMPolicies_DS"></a>

In Directory Service, the primary resource is a *directory*. Directory Service also supports directory snapshot resources, but you can create a snapshot only in the context of an existing directory, so a snapshot is referred to as a *subresource*.

 These resources have unique Amazon Resource Names (ARNs) associated with them as shown in the following table. 



| **Resource Type**  |  **ARN Format**  | 
| --- | --- | 
|  Directory  |  `arn:aws:ds:region:account-id:directory/external-directory-id`  | 
|  Snapshot  |  `arn:aws:ds:region:account-id:snapshot/external-snapshot-id`  | 

 Directory Service includes two service namespaces based on the type of operations that you perform. 
+ The `ds` service namespace provides a set of operations to work with the appropriate resources. For a list of available operations, see [Directory Service Actions](https://docs.aws.amazon.com//directoryservice/latest/devguide/API_Operations.html).
+ The `ds-data` service namespace provides a set of operations to manage Active Directory objects. For a list of available operations, see [Directory Service Data API Reference](https://docs.aws.amazon.com//directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html).

## Understanding resource ownership
<a name="IAM_Auth_Access_ResourceOwner"></a>

A *resource owner* is the AWS account that created a resource. That is, the resource owner is the AWS account of the *principal entity* (the root account, an IAM user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works:

 
+ If you use the root account credentials of your AWS account to create a Directory Service resource, such as a directory, your AWS account is the owner of that resource.
+ If you create an IAM user in your AWS account and grant permissions to create Directory Service resources to that user, the user can also create Directory Service resources. However, your AWS account, to which the user belongs, owns the resources.
+ If you create an IAM role in your AWS account with permissions to create Directory Service resources, anyone who can assume the role can create Directory Service resources. Your AWS account, to which the role belongs, owns the Directory Service resources. 

## Managing access to resources
<a name="IAM_Auth_Access_ManagingAccess"></a>

A *permissions policy* describes who has access to what. The following section explains the available options for creating permissions policies.

**Note**  
This section discusses using IAM in the context of Directory Service. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies) and policies attached to a resource are referred to as *resource-based* policies. Directory Service supports only identity-based policies (IAM policies).

**Topics**
+ [Identity-based policies (IAM policies)](#IAM_Auth_Access_ManagingAccess_IdentityBased)
+ [Resource-based policies](#IAM_Auth_Access_ManagingAccess_ResourceBased)

### Identity-based policies (IAM policies)
<a name="IAM_Auth_Access_ManagingAccess_IdentityBased"></a>

You can attach policies to IAM identities. For example, you can do the following: 

 
+ **Attach a permissions policy to a user or a group in your account** – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create a Directory Service resource, such as a new directory. 
+ **Attach a permissions policy to a role (grant cross-account permissions)** – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. 

   For more information about using IAM to delegate permissions, see [Access management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*. 

The following permissions policy grants permissions to a user to run all of the actions that begin with `Describe`. These actions show information about a Directory Service resource, such as a directory or snapshot. Note that the wildcard character (*) in the `Resource` element indicates that the actions are allowed for all Directory Service resources owned by the account. 

------
#### [ JSON ]


```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ds:Describe*",
         "Resource":"*"
      }
   ]
}
```

------

For more information about using identity-based policies with Directory Service, see [Using identity-based policies (IAM policies) for Directory Service](IAM_Auth_Access_IdentityBased.md). For more information about users, groups, roles, and permissions, see [Identities (users, groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

### Resource-based policies
<a name="IAM_Auth_Access_ManagingAccess_ResourceBased"></a>

Other services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Directory Service doesn't support resource-based policies. 

## Specifying policy elements: Actions, effects, resources, and principals
<a name="SpecifyingIAMPolicyActions_DS"></a>

For each Directory Service resource, the service defines a set of API operations. For more information, see [Directory Service resources and operations](#CreatingIAMPolicies_DS). For a list of available API operations, see [Directory Service Actions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Operations.html).

To grant permissions for these API operations, Directory Service defines a set of actions that you can specify in a policy. Note that performing an API operation can require permissions for more than one action. 

The following are the basic policy elements:
+ **Resource** – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For Directory Service resources, you always use the wildcard character (*) in IAM policies. For more information, see [Directory Service resources and operations](#CreatingIAMPolicies_DS). 
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny. For example, the `ds:DescribeDirectories` permission allows the user permissions to perform the Directory Service `DescribeDirectories` operation. 
+ **Effect** – You specify the effect when the user requests the specific action. This can be either allow or deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. In resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions. Directory Service doesn't support resource-based policies.

To learn more about IAM policy syntax and descriptions, see [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the Directory Service API actions and the resources that they apply to, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). 



## Specifying conditions in a policy
<a name="SpecifyingIAMPolicyConditions_DS"></a>

When you grant permissions, you can use the access policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.

To express conditions, you use predefined condition keys. There are no condition keys specific to Directory Service. However, there are AWS condition keys that you can use as appropriate. For a complete list of AWS keys, see [Available global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the *IAM User Guide*. 

# AWS managed policies for AWS Directory Service
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

 The following sections describe the AWS managed policies that are specific to Directory Service. You can attach these policies to users in your account. 


## AWS managed policy: AWSDirectoryServiceFullAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceFullAccess"></a>

You can attach the `AWSDirectoryServiceFullAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDirectoryServiceFullAccess.html) in the *AWS Managed Policy Reference*.

This policy grants administrative permissions that allow a principal full access to all Directory Service actions. Principals with these permissions can create, configure, and manage directories, including Simple AD, AD Connector, and Managed Microsoft AD. They can also manage directory sharing, trust relationships, and monitoring configurations. This policy includes permissions to manage the underlying network infrastructure required for directory services.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows principals full access to all Directory Service actions.
+ `ec2` – Allows principals to manage network interfaces, security groups, and describe VPC resources required for directory operations.
+ `sns` – Allows principals to create and manage SNS topics for directory monitoring, specifically topics with names beginning with "DirectoryMonitoring".
+ `iam` – Allows principals to list IAM roles for directory service operations.
+ `organizations` – Allows principals to manage AWS Organizations integration and enable/disable service access for directory services.

## AWS managed policy: AWSDirectoryServiceReadOnlyAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceReadOnlyAccess"></a>

You can attach the `AWSDirectoryServiceReadOnlyAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDirectoryServiceReadOnlyAccess.html) in the *AWS Managed Policy Reference*.

This policy grants read-only permissions that allow users to view information in Directory Service. Principals with this policy attached cannot make any updates to directories or their configurations. For example, principals with these permissions can view directory details, trust relationships, and monitoring configurations, but cannot create new directories or modify existing ones. They can also view related EC2 network resources and SNS topics associated with directories.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows users to perform read-only actions that return directory information. This includes API operations that start with `Check`, `Describe`, `Get`, `List`, or `Verify`.
+ `ec2` – Allows users to describe network interfaces, subnets, and VPCs associated with directory services.
+ `sns` – Allows users to list and get information about SNS topics and subscriptions used for directory monitoring.
+ `organizations` – Allows users to describe AWS Organizations accounts and service access configurations related to directory services.

## AWS managed policy: AWSDirectoryServiceDataFullAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess"></a>

You can attach the `AWSDirectoryServiceDataFullAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceDataFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDirectoryServiceDataFullAccess.html) in the *AWS Managed Policy Reference*.

This policy grants administrative permissions that allow a principal full access to Directory Service Data operations. Principals with these permissions can create, update, and delete Active Directory users and groups within managed directories. They can manage group memberships, enable or disable users, and perform comprehensive user and group management operations. This policy is designed for administrators who need to manage Active Directory objects programmatically.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows principals to access directory data through the Directory Service Data API.
+ `ds-data` – Allows principals full access to all Directory Service Data operations, including creating, updating, and deleting users and groups, managing group memberships, and searching directory objects.

## AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess
<a name="security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess"></a>

You can attach the `AWSDirectoryServiceDataReadOnlyAccess` policy to your IAM identities. To view the full permissions for this policy, see [AWSDirectoryServiceDataReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDirectoryServiceDataReadOnlyAccess.html) in the *AWS Managed Policy Reference*.

This policy grants read-only permissions that allow users to view and search Active Directory objects within managed directories. Principals with this policy attached cannot make any updates to users, groups, or group memberships. For example, principals with these permissions can search for users and groups, view user and group details, and list group memberships, but cannot create, modify, or delete any directory objects.

**Permissions details**

This policy includes the following permissions:
+ `ds` – Allows principals to access directory data through the Directory Service Data API.
+ `ds-data` – Allows users to perform read-only actions that return directory object information. This includes API operations that start with `Describe`, `List`, or `Search`.

## AWSDirectoryServiceServiceRolePolicy
<a name="security-iam-awsmanpol-AWSDirectoryServiceServiceRolePolicy"></a>

You cannot attach the `AWSDirectoryServiceServiceRolePolicy` policy to your IAM identities. This policy is attached to a service-linked role that allows AWS Directory Service to perform actions on your behalf. To view the permissions for this policy, see [AWSDirectoryServiceServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDirectoryServiceServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

This policy grants permissions that allow Directory Service to monitor and assess self-managed domain controllers in hybrid Active Directory environments. The service uses these permissions to run automated health assessments, execute PowerShell scripts for compatibility testing, and gather network configuration information to ensure proper hybrid connectivity and automated recovery capabilities.

**Permissions details**

This policy includes the following permissions: 
+ `ssm` – Allows the service to send PowerShell commands to on-premises domain controllers and retrieve command execution results for monitoring and assessment purposes.
+ `ec2` – Allows the service to describe network resources such as VPCs, subnets, security groups, and network interfaces to validate hybrid connectivity configurations.

## IAM and Directory Service updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to IAM and AWS managed policies since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM and Directory Service Document history pages.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSDirectoryServiceServiceRolePolicy](#security-iam-awsmanpol-AWSDirectoryServiceServiceRolePolicy) – New policy  |  Directory Service added a new policy to allow AWS to monitor a customer's self-managed domain controllers.  | July 30, 2025 | 
|  [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess) – New policy  |  Directory Service added a new policy to allow a user or group access to view and search AD users, members, and groups.  | September 17, 2024 | 
|  [AWS managed policy: AWSDirectoryServiceDataFullAccess](#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) – New policy  |  Directory Service added a new policy to allow a user or group access to built-in object management with Directory Service Data to create, manage, and view AD users, members, and groups.  | September 17, 2024 | 
|  Directory Service started tracking changes  |  Directory Service started tracking changes for its AWS managed policies.  | September 17, 2024 | 

# Using identity-based policies (IAM policies) for Directory Service
<a name="IAM_Auth_Access_IdentityBased"></a>

 This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (users, groups, and roles). These examples demonstrate IAM policies in Directory Service. You should modify and create your own policies to suit your needs and environment.

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Directory Service resources. For more information, see [Overview of managing access permissions to your Directory Service resources](IAM_Auth_Access_Overview.md).

The sections in this topic cover the following:
+ [Permissions required to use the Directory Service console](#UsingWithDS_IAM_RequiredPermissions_Console)
+ [AWS managed (predefined) policies for Directory Service](#IAM_Auth_Access_ManagedPolicies)
+ [Customer managed policy examples](#IAMPolicyExamples_DS)
+ [Using tags with IAM policies](#using_tags_with_iam_policies)

The following shows an example of a permissions policy.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDsEc2IamGetRole",
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "WarningAllowsCreatingRolesWithDirSvcPrefix",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/DirSvc*"
        },
        {
            "Sid": "AllowPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/Your-Role-Name",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "cloudwatch.amazonaws.com"
                }
            }
        }
    ]
}
```

------

 The three statements in the policy grant permissions as follows: 
+ The first statement grants permission to create a Directory Service directory, together with the Amazon EC2 actions and `iam:GetRole` that Directory Service needs to create, configure, and destroy its directories. Because Directory Service doesn't support permissions at the resource level, the statement specifies a wildcard character (*) as the `Resource` value. For more information, see [Amazon EC2 Actions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html). 
+ The second statement grants permission to create IAM roles and attach policies to them, so that Directory Service can create IAM roles on your behalf. The wildcard character (*) at the end of the `Resource` value means that the statement allows these IAM actions on any role whose name begins with `DirSvc`. To limit this permission to a specific role, replace the wildcard character (*) in the resource ARN with the specific role name. For more information, see [IAM Actions](https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html). 
+ The third statement grants permission to pass one specific IAM role, and only to the CloudWatch service (the `iam:PassedToService` condition). Replace the role ARN with your role. 

 You don't see a `Principal` element in the policy, because in an identity-based policy you don't specify the principal who gets the permission. When you attach the policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the Directory Service API actions and the resources that they apply to, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). 

## Permissions required to use the Directory Service console
<a name="UsingWithDS_IAM_RequiredPermissions_Console"></a>

For a user to work with the Directory Service console, that user must have permissions listed in the preceding policy or the permissions granted by the Directory Service Full Access Role or Directory Service Read Only role, described in [AWS managed (predefined) policies for Directory Service](#IAM_Auth_Access_ManagedPolicies).

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. 

## AWS managed (predefined) policies for Directory Service
<a name="IAM_Auth_Access_ManagedPolicies"></a>

 AWS addresses many common use cases by providing predefined, or managed, IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases, which helps you decide what permissions you need. For more information, see [AWS managed policies for AWS Directory Service](security-iam-awsmanpol.md). 

## Customer managed policy examples
<a name="IAMPolicyExamples_DS"></a>

In this section, you can find example user policies that grant permissions for various Directory Service actions. 

**Note**  
All examples use the US West (Oregon) Region (`us-west-2`) and contain fictitious account IDs.

**Topics**
+ [Example 1: Allow a user to perform any Describe action on any Directory Service resource](#IAMPolicyExamples_DS_perform_describe_action)
+ [Example 2: Allow a user to create a directory](#IAMPolicyExamples_DS_create_directory)

### Example 1: Allow a user to perform any Describe action on any Directory Service resource
<a name="IAMPolicyExamples_DS_perform_describe_action"></a>

The following permissions policy grants permissions to a user to run all of the actions that begin with `Describe` on the AWS Managed Microsoft AD directory with the directory ID `d-1234567890` in the AWS account `111122223333`. These actions show information about a Directory Service resource, such as a directory or snapshot. Replace the AWS Region and account number in the `Resource` ARN with the Region you want to use and your own account number.

------
#### [ JSON ]


```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ds:Describe*",
         "Resource": "arn:aws:ds:us-west-2:111122223333:directory/d-1234567890"
      }
   ]
}
```

------

### Example 2: Allow a user to create a directory
<a name="IAMPolicyExamples_DS_create_directory"></a>

The following permissions policy allows a user to create a directory and all other related resources, such as snapshots and trusts. To do so, permissions for certain Amazon EC2 actions are also required.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress", 
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory",
                "ds:DescribeDirectories"
            ],
            "Resource": "arn:aws:ds:*:111122223333:*"
        }
    ]
}
```

------

## Using tags with IAM policies
<a name="using_tags_with_iam_policies"></a>

You can apply tag-based resource-level permissions in the IAM policies you use for most Directory Service API actions. This gives you better control over what resources a user can create, modify, or use. You use the `Condition` element (also called the `Condition` block) with the following condition context keys and values in an IAM policy to control user access (permissions) based on a resource's tags:
+ Use `aws:ResourceTag/tag-key: tag-value` to allow or deny user actions on resources that already carry specific tags.
+ Use `aws:RequestTag/tag-key: tag-value` to require that a specific tag be used (or not used) when making an API request to create or modify a resource that allows tags.
+ Use `aws:TagKeys: [tag-key, ...]` to require that a specific set of tag keys be used (or not used) when making an API request to create or modify a resource that allows tags.

**Note**  
The condition context keys and values in an IAM policy apply only to those Directory Service actions where an identifier for a resource capable of being tagged is a required parameter. 

[Controlling access using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide* has additional information on using tags. The [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) section of that guide has detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of JSON policies in IAM.

The following tag policy allows creating a Directory Service directory only when the request supplies all of the following tags:
+ Environment: Production
+ Owner: Infrastructure-Team
+ CostCenter: 12345

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateDirectory"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Environment": "Production",
                    "aws:RequestTag/Owner": "Infrastructure-Team",
                    "aws:RequestTag/CostCenter": "12345"
                }
            }
        }
    ]
}
```

------

The following tag policy allows updating and deleting Directory Service directories as long as the following tags are used:
+ Project: Atlas
+ Department: Engineering
+ Environment: Staging

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:DeleteDirectory",
                "ds:UpdateDirectory"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "Atlas",
                    "aws:ResourceTag/Department": "Engineering",
                    "aws:ResourceTag/Environment": "Staging"
                }
            }
        }
    ]
}
```

------

The following tag policy denies adding tags to a Directory Service resource when the request includes any of the following tag keys:
+ Production
+ Security
+ Confidential

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ds:AddTagsToResource"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": ["Production", "Security", "Confidential"]
                }
            }
        }
    ]
}
```

------
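To see how the three policies above combine on concrete requests, here is an added example (not from the AWS documentation) that implements just enough of IAM's condition evaluation to run them; the `ALLOW_TAGGING` policy and every request context are constructed for the example.

```python
"""Added example, not from the AWS documentation: a minimal evaluator for the
tag condition keys this section uses (aws:RequestTag, aws:ResourceTag and
aws:TagKeys), run over the page's three policies with constructed requests.
It models only what they need: an explicit Deny wins over an Allow, keys in one
Condition block are ANDed, values listed for one key are ORed, and
ForAnyValue:StringEquals matches aws:TagKeys when any request value is listed."""
from fnmatch import fnmatchcase

# The three policies from this section of the documentation.
CREATE_WITH_REQUIRED_TAGS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ds:CreateDirectory"], "Resource": "*",
    "Condition": {"StringEquals": {
        "aws:RequestTag/Environment": "Production",
        "aws:RequestTag/Owner": "Infrastructure-Team",
        "aws:RequestTag/CostCenter": "12345"}}}]}
UPDATE_DELETE_BY_RESOURCE_TAG = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ds:DeleteDirectory", "ds:UpdateDirectory"],
    "Resource": "*", "Condition": {"StringEquals": {
        "aws:ResourceTag/Project": "Atlas",
        "aws:ResourceTag/Department": "Engineering",
        "aws:ResourceTag/Environment": "Staging"}}}]}
DENY_RESERVED_TAG_KEYS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["ds:AddTagsToResource"], "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {
        "aws:TagKeys": ["Production", "Security", "Confidential"]}}}]}
# Constructed for this example: a broad tagging grant for the Deny to override.
ALLOW_TAGGING = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ds:AddTagsToResource", "Resource": "*"}]}


def _as_list(value):
    """Normalise a scalar or list (policy or request value) to a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """True when every operator/key pair in the Condition block matches ctx.
    ctx maps condition-key names to the request's values (a string for a
    single-valued key such as aws:RequestTag/Owner, a list for the multivalued
    aws:TagKeys); an absent key has no value, so StringEquals on it fails."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")  # ("ForAnyValue", "StringEquals")
        if base != "StringEquals":
            raise ValueError(f"operator not modelled here: {operator}")
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)             # several values => OR
            present = _as_list(ctx.get(key, []))  # missing key => no values
            if set_op == "ForAnyValue":
                ok = any(v in wanted for v in present)
            else:
                ok = len(present) == 1 and present[0] in wanted
            if not ok:                            # several keys => AND
                return False
    return True


def evaluate(policies, action, ctx):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny cannot be overridden by an Allow
            decision = "Allow"
    return decision


def scenarios():
    """Constructed requests exercising each policy; returns {name: decision}."""
    policies = [CREATE_WITH_REQUIRED_TAGS, UPDATE_DELETE_BY_RESOURCE_TAG,
                DENY_RESERVED_TAG_KEYS, ALLOW_TAGGING]
    good_tags = {"aws:RequestTag/Environment": "Production",
                 "aws:RequestTag/Owner": "Infrastructure-Team",
                 "aws:RequestTag/CostCenter": "12345"}
    wrong_cc = {**good_tags, "aws:RequestTag/CostCenter": "1234"}
    staging = {"aws:ResourceTag/Project": "Atlas",
               "aws:ResourceTag/Department": "Engineering",
               "aws:ResourceTag/Environment": "Staging"}
    prod = {**staging, "aws:ResourceTag/Environment": "Production"}
    return {
        "create_all_tags": evaluate(policies, "ds:CreateDirectory", good_tags),
        "create_wrong_costcenter": evaluate(policies, "ds:CreateDirectory", wrong_cc),
        "create_untagged": evaluate(policies, "ds:CreateDirectory", {}),
        "update_staging": evaluate(policies, "ds:UpdateDirectory", staging),
        "delete_prod": evaluate(policies, "ds:DeleteDirectory", prod),
        "tag_owner_only": evaluate(policies, "ds:AddTagsToResource",
                                   {"aws:TagKeys": ["Owner"]}),
        "tag_confidential": evaluate(policies, "ds:AddTagsToResource",
                                     {"aws:TagKeys": ["Owner", "Confidential"]}),
    }
```

Note that `create_wrong_costcenter` is an implicit deny, not an explicit one: a request whose tags miss the `StringEquals` block simply matches no Allow statement, while `tag_confidential` hits the explicit Deny even though `ALLOW_TAGGING` would otherwise permit it.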

For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).

The following Directory Service API operations support tag-based resource-level permissions:
+ [AcceptSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AcceptSharedDirectory.html)
+ [AddIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddIpRoutes.html)
+ [AddTagsToResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddTagsToResource.html)
+ [CancelSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CancelSchemaExtension.html)
+ [CreateAlias](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateAlias.html)
+ [CreateComputer](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateComputer.html)
+ [CreateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateConditionalForwarder.html)
+ [CreateSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateSnapshot.html)
+ [CreateLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateLogSubscription.html)
+ [CreateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateTrust.html)
+ [DeleteConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html)
+ [DeleteDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteDirectory.html)
+ [DeleteLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteLogSubscription.html)
+ [DeleteSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteSnapshot.html)
+ [DeleteTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteTrust.html)
+ [DeregisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeregisterEventTopic.html)
+ [DescribeConditionalForwarders](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html)
+ [DescribeDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDomainControllers.html)
+ [DescribeEventTopics](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeEventTopics.html)
+ [DescribeSharedDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSharedDirectories.html)
+ [DescribeSnapshots](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSnapshots.html)
+ [DescribeTrusts](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeTrusts.html)
+ [DisableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableRadius.html)
+ [DisableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableSso.html)
+ [EnableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableRadius.html)
+ [EnableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableSso.html)
+ [GetSnapshotLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetSnapshotLimits.html)
+ [ListIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListIpRoutes.html)
+ [ListSchemaExtensions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListSchemaExtensions.html)
+ [ListTagsForResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListTagsForResource.html)
+ [RegisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RegisterEventTopic.html)
+ [RejectSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RejectSharedDirectory.html)
+ [RemoveIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveIpRoutes.html)
+ [RemoveTagsFromResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveTagsFromResource.html)
+ [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html)
+ [RestoreFromSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RestoreFromSnapshot.html)
+ [ShareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ShareDirectory.html)
+ [StartSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_StartSchemaExtension.html)
+ [UnshareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UnshareDirectory.html)
+ [UpdateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html)
+ [UpdateNumberOfDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html)
+ [UpdateRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateRadius.html)
+ [UpdateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateTrust.html)
+ [VerifyTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_VerifyTrust.html)

# Directory Service API permissions: Actions, resources, and conditions reference
<a name="UsingWithDS_IAM_ResourcePermissions"></a>

When you are setting up [Access control](iam_auth_access.md#access_control) and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the [Directory Service API permissions: Actions, resources, and conditions reference](#UsingWithDS_IAM_ResourcePermissions) table as a reference. Each entry in the table includes the following:
+ The name of the API operation
+ The corresponding action or actions for which you must grant permissions to perform that operation (some operations also require actions from other services, as the table shows)
+ The AWS resource for which you can grant the permissions

 You specify the actions in the policy's `Action` field and the resource value in the policy's `Resource` field. To specify an action, use the `ds:` prefix followed by the API operation name (for example, `ds:CreateDirectory`). Some AWS applications may require use of nonpublic Directory Service API operations such as `ds:AuthorizeApplication`, `ds:CheckAlias`, `ds:CreateIdentityPoolDirectory`, `ds:GetAuthorizedApplicationDetails`, `ds:UpdateAuthorizedApplication`, and `ds:UnauthorizeApplication` in their policies. 

Some Directory Service APIs can only be called through the AWS Management Console. They are not public APIs, in the sense that they cannot be called programmatically and are not provided by any SDK, but they do accept user credentials. These API operations include `ds:DisableRoleAccess`, `ds:EnableRoleAccess`, and `ds:UpdateDirectory`.

 You can use AWS global condition keys in your Directory Service and Directory Service Data policies to express conditions. For a complete list of AWS keys, see [Available Global Condition Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the *IAM User Guide*. 

## Directory Service API and required permissions for actions
<a name="actions-related-to-objects-table"></a>


| Directory Service API Operations | Required Permissions (API Actions) | Resources | 
| --- | --- | --- | 
| [AcceptSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AcceptSharedDirectory.html)  | `ds:AcceptSharedDirectory` | \$1 | 
| [AddIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddIpRoutes.html)  |  `ds:AddIpRoutes` `ec2:DescribeSecurityGroup` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress`  | \$1 | 
| [AddTagsToResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddTagsToResource.html)  | `ds:AddTagsToResource` `ec2:CreateTags` | \$1 | 
| [CancelSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CancelSchemaExtension.html)  | `ds:CancelSchemaExtension` | \$1 | 
|   [ConnectDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ConnectDirectory.html)   |  `ds:ConnectDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags`  |  \$1  | 
|   [CreateAlias](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateAlias.html)   |  `ds:CreateAlias`  |  \$1  | 
|   [CreateComputer](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateComputer.html)   |  `ds:CreateComputer`  |  \$1  | 
|   [CreateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateConditionalForwarder.html)   |  `ds:CreateConditionalForwarder`  |  \$1  | 
|   [CreateDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateDirectory.html)   |  `ds:CreateDirectory` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:CreateTags`  |  \$1  | 
| [CreateLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateLogSubscription.html)  | `ds:CreateLogSubscription` | \$1 | 
|   [CreateMicrosoftAD](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateMicrosoftAD.html)   |  `ds:CreateMicrosoftAD` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateSecurityGroup` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:AuthorizeSecurityGroupIngress` `ec2:AuthorizeSecurityGroupEgress` `ec2:RevokeSecurityGroupEgress` `ec2:CreateTags`  |  \$1  | 
|   [CreateSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateSnapshot.html)   |  `ds:CreateSnapshot`  |  \$1  | 
|   [CreateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateTrust.html)   |  `ds:CreateTrust`  |  \$1  | 
|   [DeleteConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html)   |  `ds:DeleteConditionalForwarder`  |  \$1  | 
|   [DeleteDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteDirectory.html)   |  `ds:DeleteDirectory` `ec2:DescribeNetworkInterfaces` `ec2:DeleteSecurityGroup` `ec2:DeleteNetworkInterface` `ec2:RevokeSecurityGroupIngress` `ec2:RevokeSecurityGroupEgress` `ec2:DeleteTags`  |  \$1  | 
| [DeleteLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteLogSubscription.html)  | `ds:DeleteLogSubscription` | \$1 | 
|   [DeleteSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteSnapshot.html)   |  `ds:DeleteSnapshot`  |  \$1  | 
|   [DeleteTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteTrust.html)   |  `ds:DeleteTrust`  |  \$1  | 
|   [DeregisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeregisterEventTopic.html)   |  `ds:DeregisterEventTopic`  |  \$1  | 
|   [DescribeConditionalForwarders](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html)   |  `ds:DescribeConditionalForwarders`  |  \$1  | 
|   [DescribeDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDirectories.html)   |  `ds:DescribeDirectories`  |  \$1  | 
| [DescribeDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDomainControllers.html)  | `ds:DescribeDomainControllers` | \$1 | 
|   [DescribeEventTopics](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeEventTopics.html)   |  `ds:DescribeEventTopics`  |  \$1  | 
| [DescribeSharedDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSharedDirectories.html)  | `ds:DescribeSharedDirectories` | \$1 | 
|   [DescribeSnapshots](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSnapshots.html)   |  `ds:DescribeSnapshots`  |  \$1  | 
|   [DescribeTrusts](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeTrusts.html)   |  `ds:DescribeTrusts`  |  \$1  | 
|   [DisableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableRadius.html)   |  `ds:DisableRadius`  |  \$1  | 
|   [DisableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableSso.html)   |  `ds:DisableSso`  |  \$1  | 
|   [EnableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableRadius.html)   |  `ds:EnableRadius`  |  \$1  | 
|   [EnableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableSso.html)   |  `ds:EnableSso`  |  \$1  | 
|   [GetDirectoryLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetDirectoryLimits.html)   |  `ds:GetDirectoryLimits`  |  \$1  | 
|   [GetSnapshotLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetSnapshotLimits.html)   |  `ds:GetSnapshotLimits`  |  \$1  | 
|  [ListIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListIpRoutes.html)  |  `ds:ListIpRoutes`  |  \$1  | 
| [ListLogSubscriptions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListLogSubscriptions.html)  | `ds:ListLogSubscriptions` | \$1 | 
|  [ListSchemaExtensions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListSchemaExtensions.html)  |  `ds:ListSchemaExtensions`  |  \$1  | 
|  [ListTagsForResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListTagsForResource.html)  |  `ds:ListTagsForResource`  |  \$1  | 
|   [RegisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RegisterEventTopic.html)   |  `ds:RegisterEventTopic` `sns:GetTopicAttributes`  |  \$1  | 
| [RejectSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RejectSharedDirectory.html)  | `ds:RejectSharedDirectory` | \$1 | 
|  [RemoveIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveIpRoutes.html)  |  `ds:RemoveIpRoutes`  |  \$1  | 
|  [RemoveTagsFromResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveTagsFromResource.html)  |  `ds:RemoveTagsFromResource` `ec2:DeleteTags`  |  \$1  | 
| [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html)  | `ds:ResetUserPassword` | \$1 | 
|   [RestoreFromSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RestoreFromSnapshot.html)   |  `ds:RestoreFromSnapshot`  |  \$1  | 
| [ShareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ShareDirectory.html)  |  `ds:ShareDirectory` `organizations:DescribeAccount` `organizations:DescribeOrganization` `organizations:ListAWSServiceAccessForOrganization`  | \$1 | 
|  [StartSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_StartSchemaExtension.html)  |  `ds:StartSchemaExtension`  |  \$1  | 
| [UnshareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UnshareDirectory.html)  | `ds:UnshareDirectory` | \$1 | 
|   [UpdateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html)   |  `ds:UpdateConditionalForwarder`  |  \$1  | 
| [UpdateNumberOfDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html)  |  `ds:UpdateNumberOfDomainControllers` `ec2:DescribeSubnets` `ec2:DescribeVpcs` `ec2:CreateNetworkInterface` `ec2:DescribeNetworkInterfaces` `ec2:DeleteNetworkInterface`  | \$1 | 
|   [UpdateRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateRadius.html)   |  `ds:UpdateRadius`  |  \$1  | 
| [UpdateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateTrust.html)  | `ds:UpdateTrust` | \$1 | 
|   [VerifyTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_VerifyTrust.html)   |  `ds:VerifyTrust`  |  \$1  | 

## AWS Directory Service Data API and required permissions for actions
<a name="DSData_ResourcePermissions"></a>

**Note**  
 To specify an action, use the `ds-data:` prefix followed by the name of the API operation (for example, `ds-data:AddGroupMember`). 


| Directory Service Data API Operations | Required Permissions (API Actions) | Resources | 
| --- | --- | --- | 
|  [AddGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_AddGroupMember.html)  |  `ds-data:AddGroupMember`  | \$1 | 
|  [CreateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateGroup.html)  |  `ds-data:CreateGroup`  |  \$1  | 
|  [CreateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateUser.html)  |  `ds-data:CreateUser`  |  \$1  | 
|  [DeleteGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DeleteGroup.html)  |  `ds-data:DeleteGroup`  |  \$1  | 
|  [DeleteUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/DeleteUser.html)  |  `ds-data:DeleteUser`  |  \$1  | 
|  [DescribeGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeGroup.html)  |  `ds-data:DescribeGroup`  |  \$1  | 
|  [DescribeUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeUser.html)  |  `ds-data:DescribeUser`  |  \$1  | 
|  [DisableUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DisableUser.html)  |  `ds-data:DisableUser`  |  \$1  | 
|  [ListGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroups.html)  |  `ds-data:ListGroups`  |  \$1  | 
|  [ListGroupMembers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupMembers.html)  |  `ds-data:ListGroupMembers`  |  \$1  | 
|  [ListGroupsForMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupsForMember.html)  |  `ds-data:ListGroupsForMember`  |  \$1  | 
|  [ListUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListUsers.html)  |  `ds-data:ListUsers`  |  \$1  | 
|  [RemoveGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_RemoveGroupMember.html)  |  `ds-data:RemoveGroupMember`  |  \$1  | 
|  [SearchGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchGroups.html)  |  `ds-data:DescribeGroup` `ds-data:SearchGroups`  |  \$1  | 
| [SearchUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchUsers.html) |  `ds-data:DescribeUser` `ds-data:SearchUsers`  |  \$1  | 
| [UpdateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateGroup.html) |  `ds-data:UpdateGroup`  |  \$1  | 
| [UpdateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateUser.html) |  `ds-data:UpdateUser`  |  \$1  | 

## Related Topics
<a name="iam2_related"></a>
+ [Access control](iam_auth_access.md#access_control)

# Directory Service Data condition keys
<a name="iam_dsdata-condition-keys"></a>

Use [Directory Service Data](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/welcome.html) condition keys to write policy statements that control access at the user and group level. This lets you decide which principals can perform which actions, on what resources, and under what conditions. 

The *Condition element*, or *Condition block*, lets you specify conditions where a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals (=) or less than (<), to match the condition in the policy with values in the request. 

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them by using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition by using a logical OR operation. All of the conditions must be met before the statement's permissions are granted. You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it's tagged with their username. For information, see [Condition with multiple keys or values](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) in the *IAM User Guide*. 

For a list of which actions support these condition keys, see [Actions defined by AWS Directory Service Data](https://docs.aws.amazon.com/service-authorization/latest/reference/list_directoryservice-data.html) in the *Service Authorization Reference*. 

**Note**  
For information about tag-based resource-level permissions, see [Using tags with IAM policies](IAM_Auth_Access_IdentityBased.md#using_tags_with_iam_policies). 

## ds-data:SAMAccountName
<a name="dsdata_condition-SAMAccountName"></a>

Works with [String operators](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to explicitly allow or deny an IAM role actions on specific users and groups.

**Important**  
When using `SAMAccountName` or `MemberName`, we recommend specifying `ds-data:Identifier` as `SAMAccountName`. This prevents future identifiers that AWS Directory Service Data supports, such as `SID`, from breaking existing permissions.

The following policy denies the IAM principal from describing the user `joe` or describing the group `joegroup`.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDescribe",
      "Effect": "Deny",
      "Action": "ds-data:Describe*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:SAMAccountName": [
            "joe",
            "joegroup"
          ],
          "ds-data:identifier": [
            "SAMAccountName"
          ]
        }
      }
    }
  ]
}
```

------

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values regardless of letter case. 

## ds-data:Identifier
<a name="dsdata_condition-identifier"></a>

Works with [String operators](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to define which identifier to use in the IAM policy permissions. Currently, only `SAMAccountName` is supported.

The following policy allows the IAM principal to update the user `joe`.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateJoe",
      "Effect": "Allow",
      "Action": "ds-data:UpdateUser",
      "Resource": "arn:aws:ds:us-east-1:111122223333:directory/d-012345678",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:SAMAccountName": [
            "joe"
          ],
          "ds-data:identifier": [
            "SAMAccountName"
          ]
        }
      }
    }
  ]
}
```

------

## ds-data:MemberName
<a name="dsdata_condition-MemberName"></a>

Works with [String operators](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to define the members that can have operations performed on them.

**Important**  
When using `MemberName` or `SAMAccountName`, we recommend specifying `ds-data:Identifier` as `SAMAccountName`. This prevents future identifiers that Directory Service Data supports, such as `SID`, from breaking existing permissions. 

The following policy allows the IAM principal to perform `AddGroupMember` on member `joe` in any group.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "AddJoe",
        "Effect": "Allow",
        "Action": "ds-data:AddGroupMember",
        "Resource": "arn:aws:ds:us-east-1:111122223333:directory/d-012345678",
        "Condition": {
            "StringEqualsIgnoreCase": {
                "ds-data:MemberName": "joe"
            }
        }
    }
  ]
}
```

------

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values, regardless of letter case. 

## ds-data:MemberRealm
<a name="dsdata_condition-MemberRealm"></a>

Works with [String operators](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). 

Use this key to check whether the `ds-data:MemberRealm` value in the policy matches the member realm in the request.

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values, regardless of letter case. 

The following policy allows the IAM principal to call `AddGroupMember` for member `bob` in realm `ONE.TRU1.AMAZON.COM`.

**Note**  
The following example uses the `ds-data:MemberName` context key alongside `ds-data:MemberRealm`; it does not set `ds-data:Identifier`. 

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "addbob",
      "Effect": "Allow",
      "Action": "ds-data:AddGroupMember",
      "Resource": "arn:aws:ds:us-east-1:111122223333:directory/d-012345678",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:MemberName": "bob",
          "ds-data:MemberRealm": "one.tru1.amazon.com"
        }
      }
    }
  ]
}
```

------

## ds-data:Realm
<a name="dsdata_condition-Realm"></a>

Works with [String operators](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String).

Use this key to check whether the `ds-data:Realm` value in the policy matches the realm an IAM principal can use to make requests to Directory Service Data APIs.

**Note**  
This condition key is case insensitive. You must use the [`StringEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) or [`StringNotEqualsIgnoreCase`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String) condition operators to compare string values regardless of letter case. 

The following policy denies the IAM principal from calling `ListUsers` on the realm `one.tru1.amazon.com`.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTrustedList",
      "Effect": "Deny",
      "Action": "ds-data:ListUsers",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:Realm": [
            "one.tru1.amazon.com"
          ]
        }
      }
    }
  ]
}
```

------
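A quick way to catch the two mistakes this section warns about (comparing a case-insensitive key with `StringEquals`, or using `SAMAccountName`/`MemberName` without pinning `ds-data:Identifier`) is to lint policies before attaching them. The following is an added example, not from the AWS documentation; `DENY_REALM_WRONG_OPERATOR` is a policy constructed for it, while the other two are copied from this section.

```python
"""Added example, not from the AWS documentation: a lint pass over IAM policy
documents for the two recommendations this section makes about Directory
Service Data condition keys: compare the case-insensitive keys only with the
IgnoreCase operators, and pin ds-data:Identifier to SAMAccountName whenever
ds-data:SAMAccountName or ds-data:MemberName is used. Findings are advisory;
IAM accepts all of these policies as written."""

# Condition-key names are matched case-insensitively by IAM (the page itself
# writes ds-data:identifier), so everything is compared lower-cased.
CASE_INSENSITIVE_KEYS = {"ds-data:samaccountname", "ds-data:membername",
                         "ds-data:memberrealm", "ds-data:realm"}
IGNORECASE_OPERATORS = {"stringequalsignorecase", "stringnotequalsignorecase"}
NAME_KEYS = {"ds-data:samaccountname", "ds-data:membername"}
IDENTIFIER_KEY = "ds-data:identifier"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return a list of human-readable findings for one policy statement."""
    sid = stmt.get("Sid", "<no Sid>")
    triples = []  # (base operator, key, values), all names lower-cased
    for operator, pairs in stmt.get("Condition", {}).items():
        base = operator.rsplit(":", 1)[-1].lower()  # drop ForAnyValue:/ForAllValues:
        for key, values in pairs.items():
            triples.append((base, key.lower(), _as_list(values)))

    findings = []
    for base, key, _vals in triples:
        if key in CASE_INSENSITIVE_KEYS and base not in IGNORECASE_OPERATORS:
            findings.append(f"{sid}: {key} compared with {base}; use "
                            "StringEqualsIgnoreCase or StringNotEqualsIgnoreCase")
    names_used = sorted({key for _op, key, _vals in triples} & NAME_KEYS)
    if names_used:
        identifiers = [v for _op, key, vals in triples if key == IDENTIFIER_KEY for v in vals]
        if not identifiers:
            findings.append(f"{sid}: {', '.join(names_used)} used without "
                            "ds-data:Identifier; pin it to SAMAccountName")
        elif any(v.lower() != "samaccountname" for v in identifiers):
            findings.append(f"{sid}: ds-data:Identifier should be SAMAccountName, "
                            f"got {identifiers}")
    return findings


def lint_policy(policy):
    """Lint every statement of a policy document; returns all findings."""
    return [f for stmt in policy["Statement"] for f in lint_statement(stmt)]


# Two policies copied from this section of the documentation ...
DENY_DESCRIBE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDescribe", "Effect": "Deny", "Action": "ds-data:Describe*",
    "Resource": "*", "Condition": {"StringEqualsIgnoreCase": {
        "ds-data:SAMAccountName": ["joe", "joegroup"],
        "ds-data:identifier": ["SAMAccountName"]}}}]}
ADD_JOE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AddJoe", "Effect": "Allow", "Action": "ds-data:AddGroupMember",
    "Resource": "arn:aws:ds:us-east-1:111122223333:directory/d-012345678",
    "Condition": {"StringEqualsIgnoreCase": {"ds-data:MemberName": "joe"}}}]}
# ... and one constructed for this example that uses the wrong operator on a
# case-insensitive key.
DENY_REALM_WRONG_OPERATOR = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRealmExact", "Effect": "Deny", "Action": "ds-data:ListUsers",
    "Resource": "*", "Condition": {"StringEquals": {
        "ds-data:Realm": "one.tru1.amazon.com"}}}]}


def lint_examples():
    """Lint the three policies above; returns {name: findings}."""
    return {"DenyDescribe": lint_policy(DENY_DESCRIBE),
            "AddJoe": lint_policy(ADD_JOE),
            "DenyRealmExact": lint_policy(DENY_REALM_WRONG_OPERATOR)}
```

`DenyDescribe` comes back clean, `AddJoe` is flagged only for the missing `ds-data:Identifier` (exactly the recommendation in the Important notes above), and the constructed `DenyRealmExact` is flagged because a request realm in a different letter case would slip past `StringEquals`.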