Permissions for @turbot/aws-directoryservice
Taking a look at permissions and associated grant levels for each permission for Directory Service:
| Permission | Grant Level | Help |
|---|---|---|
| ds:AcceptSharedDirectory | Admin | Admin can accept the shared directory. |
| ds:AddIpRoutes | Admin | Higher risk permission since it can manage networking configurations on directory. |
| ds:AddTagsToResource | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:AuthorizeApplication | Admin | |
| ds:CancelSchemaExtension | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:CheckAlias | Metadata | Not in API docs or IAM policy generator but in IAM DS read only managed policy. |
| ds:ConnectDirectory | Admin | Creates AD Connectors. |
| ds:CreateAlias | Admin | Higher risk permission since it cannot be altered when completed. |
| ds:CreateComputer | Operator | Adds a computer account to an existing directory. |
| ds:CreateConditionalForwarder | Admin | Creates trust with another domain. |
| ds:CreateDirectory | Admin | Creates Simple AD directories. |
| ds:CreateIdentityPoolDirectory | Admin | |
| ds:CreateLogSubscription | Admin | |
| ds:CreateMicrosoftAD | Admin | Creates Microsoft AD directories. |
| ds:CreateSnapshot | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:CreateTrust | Admin | Creates trust for DS Microsoft AD directories with another domain. |
| ds:DeleteConditionalForwarder | Admin | Deletes trust with another domain. |
| ds:DeleteDirectory | Admin | Deletes Simple AD directories. |
| ds:DeleteLogSubscription | Admin | |
| ds:DeleteSnapshot | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:DeleteTrust | Admin | Deletes trust for DS Microsoft AD directories with another domain. |
| ds:DeregisterCertificate | Admin | |
| ds:DeregisterEventTopic | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:DescribeCertificate | Metadata | |
| ds:DescribeConditionalForwarders | Metadata | |
| ds:DescribeDirectories | Metadata | |
| ds:DescribeDomainControllers | Metadata | |
| ds:DescribeEventTopics | Metadata | |
| ds:DescribeLDAPSSettings | Metadata | |
| ds:DescribeSharedDirectories | Metadata | |
| ds:DescribeSnapshots | Metadata | |
| ds:DescribeTrusts | Metadata | |
| ds:DisableLDAPS | Admin | |
| ds:DisableRadius | Admin | Higher risk permission since it can remove MFA. |
| ds:DisableSso | Operator | Operators can manage configurations on existing directories and connectors -- only used for AD Connector Directories |
| ds:EnableLDAPS | Admin | |
| ds:EnableRadius | Admin | Higher risk permission since it can create MFA. |
| ds:EnableSso | Operator | Operators can manage configurations on existing directories and connectors -- only used for AD Connector Directories |
| ds:GetAuthorizedApplicationDetails | Metadata | |
| ds:GetDirectoryLimits | Metadata | Only describes metadata configurations on directory |
| ds:GetSnapshotLimits | Metadata | Only describes metadata configurations on directory |
| ds:ListAuthorizedApplications | Metadata | |
| ds:ListCertificates | Metadata | |
| ds:ListIpRoutes | Metadata | |
| ds:ListLogSubscriptions | Metadata | |
| ds:ListSchemaExtensions | Metadata | |
| ds:ListTagsForResource | Metadata | |
| ds:RegisterCertificate | Admin | |
| ds:RegisterEventTopic | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:RejectSharedDirectory | Admin | Admin can reject the directory sharing request sent from another AWS account. |
| ds:RemoveIpRoutes | Admin | Higher risk permission since it can manage networking configurations on directory. |
| ds:RemoveTagsFromResource | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:ResetUserPassword | Admin | Admin can reset the password for any user in your AWS Managed Microsoft AD or Simple AD directory. |
| ds:RestoreFromSnapshot | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:ShareDirectory | Admin | Admin can share the directory to other AWS account. |
| ds:StartSchemaExtension | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:UnauthorizeApplication | Admin | |
| ds:UnshareDirectory | Admin | Admin can stop the directory sharing between the directory owner and other consumer accounts. |
| ds:UpdateConditionalForwarder | Admin | Updates trust with another domain. |
| ds:UpdateNumberOfDomainControllers | Admin | |
| ds:UpdateRadius | Operator | Operators can manage configurations on existing directories and connectors. |
| ds:UpdateTrust | Admin | |
| ds:VerifyTrust | Metadata | Only returns verification confirmation whether the Trust is established. |
| ec2:DescribeNetworkInterfaces | Metadata | Required for directory management. |
| ec2:DescribeSubnets | Metadata | Required for directory management. |
| ec2:DescribeVpcs | Metadata | Required for directory management. |
| sns:GetTopicAttributes | Metadata | Required for registering event topics. |
| sns:ListSubscriptions | Metadata | Required for registering event topics. |
| sns:ListSubscriptionsByTopic | Metadata | Required for registering event topics. |
| sns:ListTopics | Metadata | Required for registering event topics. |