Directory Service Data condition keys - AWS Directory Service

Directory Service Data condition keys

Use Directory Service Data condition keys to add conditions to the statements that grant user-level and group-level access. They let you control which principals can perform which actions on which resources, and under what conditions.

The Condition element, or Condition block, lets you specify conditions where a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals (=) or less than (<), to match the condition in the policy with values in the request.

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them by using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition by using a logical OR operation. All of the conditions must be met before the statement's permissions are granted. You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it's tagged with their username. For information, see Condition with multiple keys or values in the IAM User Guide.
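The AND-across-keys, OR-across-values rule above is easiest to see in code. The evaluator below is an added example, not AWS's policy engine or any code from this guide: it models only the six string operators used with ds-data keys, assumes each request context key carries a single value, and evaluates condition blocks constructed here to mirror the examples later on this page.

```python
import re

# Added example (not AWS code): a minimal evaluator for the string condition
# operators used with ds-data condition keys. It reproduces the documented
# rules: every operator/key pair in a Condition block must hold (logical AND),
# and within one key any of the listed values may match (logical OR).
STRING_OPERATORS = {
    "StringEquals", "StringNotEquals",
    "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase",
    "StringLike", "StringNotLike",
}


def _like(pattern: str, value: str) -> bool:
    """StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _positive_match(operator: str, pattern: str, value: str) -> bool:
    """Apply the non-negated form of a string operator to one pattern/value pair."""
    if operator == "StringEquals":
        return value == pattern                    # exact and case-sensitive
    if operator == "StringEqualsIgnoreCase":
        return value.lower() == pattern.lower()    # what the ds-data notes call for
    if operator == "StringLike":
        return _like(pattern, value)               # the only operator that expands wildcards
    raise ValueError(f"unsupported operator: {operator}")


def _lookup(context: dict, key: str):
    """Condition key names are case-insensitive (ds-data:identifier == ds-data:Identifier)."""
    wanted = key.lower()
    for name, value in context.items():
        if name.lower() == wanted:
            return value
    return None


def condition_allows(condition: dict, context: dict) -> bool:
    """Return True when every key in the Condition block is satisfied by the request context."""
    for operator, keys in condition.items():
        if operator not in STRING_OPERATORS:
            raise ValueError(f"unsupported operator: {operator}")
        negated = operator.startswith("StringNot")
        positive = operator.replace("Not", "", 1) if negated else operator
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = _lookup(context, key)
            if value is None:
                # A key absent from the request context never satisfies a positive
                # operator; a negated operator is satisfied because nothing matched.
                matched = False
            else:
                matched = any(_positive_match(positive, p, value) for p in patterns)  # OR
            if matched == negated:   # positive needs a match, negated needs none
                return False         # AND: one failing key rejects the whole block
    return True


# Constructed condition blocks mirroring the examples on this page.
SEARCH_CONDITION = {
    "StringEqualsIgnoreCase": {
        "ds-data:SAMAccountName": ["jstiles", "test-group"],
        "ds-data:identifier": ["SAMAccountName"],
    }
}
REGIONAL_MEMBERS_CONDITION = {"StringLike": {"ds-data:MemberName": ["region-1-*"]}}
LITERAL_MEMBERS_CONDITION = {"StringEqualsIgnoreCase": {"ds-data:MemberName": ["region-1-*"]}}


def search_allowed(account_name: str, identifier: str = "SAMAccountName") -> bool:
    """Would the search statement allow a request carrying these context values?"""
    return condition_allows(SEARCH_CONDITION, {
        "ds-data:SAMAccountName": account_name,
        "ds-data:Identifier": identifier,
    })


def member_allowed(condition: dict, member_name: str) -> bool:
    """Evaluate a MemberName condition for one constructed UpdateGroup request."""
    return condition_allows(condition, {"ds-data:MemberName": member_name})


if __name__ == "__main__":
    print(search_allowed("JStiles"))                                     # True: IgnoreCase
    print(search_allowed("test-group"))                                  # True: OR across values
    print(search_allowed("jstiles", identifier="SID"))                   # False: AND across keys
    print(member_allowed(REGIONAL_MEMBERS_CONDITION, "region-1-svc01"))  # True: StringLike prefix
    print(member_allowed(LITERAL_MEMBERS_CONDITION, "region-1-svc01"))   # False: '*' is literal here
```

The last two calls show why the operator choice matters for the later examples: StringEqualsIgnoreCase compares the whole string, so a value of region-1-* only matches a member literally named region-1-*; a prefix match needs StringLike.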

For a list of which actions support these condition keys, see Actions defined by AWS Directory Service Data in the Service Authorization Reference.

Note

For information about tag-based resource-level permissions, see Using tags with IAM policies.

ds-data:SAMAccountName

Works with String operators.

Checks that the SAMAccountName specified in the policy matches the SAM account name used in the request. Only a single SAM account name can be supplied in each request.

Note

This condition key is case insensitive. You must use the StringEqualsIgnoreCase or StringNotEqualsIgnoreCase condition operators to compare string values regardless of letter case.

Allows a user or group to search AD objects

The following policy allows the user jstiles or any member of test-group to search users, members, and groups in the AWS Managed Microsoft AD domain.

Important

When using SAMAccountName or MemberName, we recommend specifying ds-data:Identifier as SAMAccountName. This prevents identifiers that AWS Directory Service Data might support in the future, such as SID, from breaking existing permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SearchOnTrustedDomain",
      "Effect": "Allow",
      "Action": "ds-data:Search*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:SAMAccountName": [ "jstiles", "test-group" ],
          "ds-data:Identifier": [ "SAMAccountName" ]
        }
      }
    }
  ]
}

ds-data:Identifier

Works with String operators.

Specifies the type of identifier that is used in the request. We recommend always specifying SAMAccountName in the Identifier condition key, so any future identifiers supported in Directory Service Data won't break your existing permissions.

Note

Currently, SAMAccountName is the only permitted value. However, more values might be permitted in the future.

Allows a user or group to update users by realm

The following policy allows the user jstiles or any member of test-group to update user information in the example-domain.com realm. The identifier key ensures that SAMAccountName is the ID type passed in the request context.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateUsersonDomain",
      "Effect": "Allow",
      "Action": "ds-data:UpdateUser",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:SAMAccountName": [ "jstiles", "test-group" ],
          "ds-data:Identifier": [ "SAMAccountName" ],
          "ds-data:Realm": [ "example-domain.com" ]
        }
      }
    }
  ]
}

ds-data:MemberName

Works with String operators.

Checks that the MemberName specified in the policy matches the name of the member used in the request.

Note

This condition key is case insensitive. You must use the StringEqualsIgnoreCase or StringNotEqualsIgnoreCase condition operators to compare string values regardless of letter case.

Allows members to be added to a group

The following policy allows a user or role to add a member to a group in the specified directory if the MemberName added to the group starts with region-1.

Important

When using MemberName or SAMAccountName, we recommend specifying ds-data:Identifier as SAMAccountName. This prevents identifiers that Directory Service Data might support in the future, such as SID, from breaking existing permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateGroupsWithRegionalMembers",
      "Effect": "Allow",
      "Action": "ds-data:UpdateGroup",
      "Resource": "arn:aws:ds::123456789012:directory/d-012345678",
      "Condition": {
        "StringLike": {
          "ds-data:MemberName": [ "region-1-*" ]
        }
      }
    }
  ]
}

ds-data:MemberRealm

Works with String operators.

Checks that the MemberRealm in the policy matches the member realm that's used in the request.

Note

This condition key is case insensitive. You must use the StringEqualsIgnoreCase or StringNotEqualsIgnoreCase condition operators to compare string values regardless of letter case.

Allows members to be added to a group in a realm

The following policy allows a user or role to add a member to a group in a cross-domain trusted realm.

Note

The following example uses only the ds-data:MemberRealm context key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateMembersInRealm",
      "Effect": "Allow",
      "Action": "ds-data:UpdateGroup",
      "Resource": "arn:aws:ds::123456789012:directory/d-012345678",
      "Condition": {
        "StringLike": {
          "ds-data:MemberRealm": [ "region-1-*" ]
        }
      }
    }
  ]
}

ds-data:Realm

Works with String operators.

Checks that the Realm in the policy matches the realm used in the request.

Note

This condition key is case insensitive. You must use the StringEqualsIgnoreCase or StringNotEqualsIgnoreCase condition operators to compare string values regardless of letter case.

Allows groups to be added to a realm

The following policy allows a user or role to create groups in the specified realm.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateGroupsInRealm",
      "Effect": "Allow",
      "Action": "ds-data:CreateGroup",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:Realm": [ "example-domain.com" ]
        }
      }
    }
  ]
}
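The policy examples on this page, together with the Important notes about pinning ds-data:Identifier and the wildcard-style MemberName and MemberRealm conditions, suggest a structural check worth running before a ds-data policy is deployed. The linter below is an added example, not an AWS tool or code from this guide. It flags a condition operator nested inside another operator (which IAM does not accept), a value containing * or ? under an operator that does not expand wildcards, and any use of SAMAccountName or MemberName without ds-data:Identifier. The policies it runs against are constructed here; BROKEN_POLICY is a deliberately malformed input.

```python
# Added example (not AWS code): a structural linter for Condition blocks in
# policies that use ds-data condition keys.
STRING_OPERATORS = {
    "StringEquals", "StringNotEquals",
    "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase",
    "StringLike", "StringNotLike",
}
# Keys for which this page recommends pinning ds-data:Identifier (compared lower-case,
# because condition key names are case-insensitive).
PINNED_KEYS = {"ds-data:samaccountname", "ds-data:membername"}


def _as_list(values) -> list:
    """Condition values may be a single string or a list of strings."""
    return [values] if isinstance(values, str) else list(values)


def lint_condition(sid: str, condition: dict) -> list:
    """Return human-readable findings for one statement's Condition block."""
    findings = []
    keys_seen = set()
    for operator, keys in condition.items():
        if not isinstance(keys, dict):
            findings.append(f"{sid}: operator {operator} must map to an object of condition keys")
            continue
        for key, values in keys.items():
            if key in STRING_OPERATORS:
                # An operator nested under another operator is not valid policy grammar;
                # its keys belong directly under Condition alongside the outer operator.
                findings.append(f"{sid}: operator {key} is nested inside {operator}; "
                                "move its keys up to the Condition level")
                continue
            keys_seen.add(key.lower())
            if operator in STRING_OPERATORS and not operator.endswith("Like"):
                for v in _as_list(values):
                    if "*" in v or "?" in v:
                        findings.append(f"{sid}: {operator} treats '{v}' literally; "
                                        "use StringLike/StringNotLike for wildcards")
    if keys_seen & PINNED_KEYS and "ds-data:identifier" not in keys_seen:
        findings.append(f"{sid}: SAMAccountName/MemberName used without pinning ds-data:Identifier")
    return findings


def lint_policy(policy: dict) -> list:
    """Lint every statement in a policy document and concatenate the findings."""
    findings = []
    for stmt in policy.get("Statement", []):
        findings.extend(lint_condition(stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})))
    return findings


def _policy(sid: str, action: str, condition: dict) -> dict:
    """Build a one-statement policy document around a constructed Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Action": action, "Resource": "*", "Condition": condition,
    }]}


# Constructed inputs. BROKEN_POLICY nests one operator inside another, a malformed shape.
BROKEN_POLICY = _policy("SearchOnTrustedDomain", "ds-data:Search*", {
    "StringEqualsIgnoreCase": {
        "ds-data:SAMAccountName": ["jstiles", "test-group"],
        "StringEqualsIgnoreCase": {"ds-data:identifier": ["SAMAccountName"]},
    }
})
FIXED_POLICY = _policy("SearchOnTrustedDomain", "ds-data:Search*", {
    "StringEqualsIgnoreCase": {
        "ds-data:SAMAccountName": ["jstiles", "test-group"],
        "ds-data:Identifier": ["SAMAccountName"],
    }
})
LITERAL_WILDCARD_POLICY = _policy("UpdateGroupsWithRegionalMembers", "ds-data:UpdateGroup", {
    "StringEqualsIgnoreCase": {"ds-data:MemberName": ["region-1-*"]}
})
PREFIX_POLICY = _policy("UpdateGroupsWithRegionalMembers", "ds-data:UpdateGroup", {
    "StringLike": {"ds-data:MemberName": ["region-1-*"]},
    "StringEqualsIgnoreCase": {"ds-data:Identifier": ["SAMAccountName"]},
})


if __name__ == "__main__":
    for name, policy in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY),
                         ("literal wildcard", LITERAL_WILDCARD_POLICY), ("prefix", PREFIX_POLICY)]:
        print(name, lint_policy(policy) or "no findings")
```

The check is intentionally narrow: it only understands the string operators used with ds-data keys, and it does not recurse into a nested operator because the fix is to remove the nesting, not to validate what is inside it.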