Permissions for @turbot/aws-directoryservice
The table below lists each permission used by the mod for Directory Service, together with the grant level it is assigned and a note on why it was placed there:
Permission | Grant Level | Help |
---|---|---|
ds:AcceptSharedDirectory | Admin | Admin can accept the shared directory. |
ds:AddIpRoutes | Admin | Higher risk permission since it can manage networking configurations on directory. |
ds:AddTagsToResource | Operator | Operators can manage configurations on existing directories and connectors. |
ds:AuthorizeApplication | Admin | |
ds:CancelSchemaExtension | Operator | Operators can manage configurations on existing directories and connectors. |
ds:CheckAlias | Metadata | Not listed in the API docs or the IAM policy generator, but present in the IAM Directory Service read-only managed policy. |
ds:ConnectDirectory | Admin | Creates AD Connectors. |
ds:CreateAlias | Admin | Higher risk permission since an alias cannot be changed once it has been created. |
ds:CreateComputer | Operator | Adds a computer account to an existing directory. |
ds:CreateConditionalForwarder | Admin | Creates trust with another domain. |
ds:CreateDirectory | Admin | Creates Simple AD directories. |
ds:CreateIdentityPoolDirectory | Admin | |
ds:CreateLogSubscription | Admin | |
ds:CreateMicrosoftAD | Admin | Creates Microsoft AD directories. |
ds:CreateSnapshot | Operator | Operators can manage configurations on existing directories and connectors. |
ds:CreateTrust | Admin | Creates trust for DS Microsoft AD directories with another domain. |
ds:DeleteConditionalForwarder | Admin | Deletes trust with another domain. |
ds:DeleteDirectory | Admin | Deletes Simple AD directories. |
ds:DeleteLogSubscription | Admin | |
ds:DeleteSnapshot | Operator | Operators can manage configurations on existing directories and connectors. |
ds:DeleteTrust | Admin | Deletes trust for DS Microsoft AD directories with another domain. |
ds:DeregisterCertificate | Admin | |
ds:DeregisterEventTopic | Operator | Operators can manage configurations on existing directories and connectors. |
ds:DescribeCertificate | Metadata | |
ds:DescribeConditionalForwarders | Metadata | |
ds:DescribeDirectories | Metadata | |
ds:DescribeDomainControllers | Metadata | |
ds:DescribeEventTopics | Metadata | |
ds:DescribeLDAPSSettings | Metadata | |
ds:DescribeSharedDirectories | Metadata | |
ds:DescribeSnapshots | Metadata | |
ds:DescribeTrusts | Metadata | |
ds:DisableLDAPS | Admin | |
ds:DisableRadius | Admin | Higher risk permission since it can remove MFA. |
ds:DisableSso | Operator | Operators can manage configurations on existing directories and connectors; only applies to AD Connector directories. |
ds:EnableLDAPS | Admin | |
ds:EnableRadius | Admin | Higher risk permission since it configures MFA via a RADIUS server. |
ds:EnableSso | Operator | Operators can manage configurations on existing directories and connectors; only applies to AD Connector directories. |
ds:GetAuthorizedApplicationDetails | Metadata | |
ds:GetDirectoryLimits | Metadata | Only describes metadata configurations on the directory. |
ds:GetSnapshotLimits | Metadata | Only describes metadata configurations on the directory. |
ds:ListAuthorizedApplications | Metadata | |
ds:ListCertificates | Metadata | |
ds:ListIpRoutes | Metadata | |
ds:ListLogSubscriptions | Metadata | |
ds:ListSchemaExtensions | Metadata | |
ds:ListTagsForResource | Metadata | |
ds:RegisterCertificate | Admin | |
ds:RegisterEventTopic | Operator | Operators can manage configurations on existing directories and connectors. |
ds:RejectSharedDirectory | Admin | Admin can reject the directory sharing request sent from another AWS account. |
ds:RemoveIpRoutes | Admin | Higher risk permission since it can manage networking configurations on directory. |
ds:RemoveTagsFromResource | Operator | Operators can manage configurations on existing directories and connectors. |
ds:ResetUserPassword | Admin | Admin can reset the password for any user in your AWS Managed Microsoft AD or Simple AD directory. |
ds:RestoreFromSnapshot | Operator | Operators can manage configurations on existing directories and connectors. |
ds:ShareDirectory | Admin | Admin can share the directory with another AWS account. |
ds:StartSchemaExtension | Operator | Operators can manage configurations on existing directories and connectors. |
ds:UnauthorizeApplication | Admin | |
ds:UnshareDirectory | Admin | Admin can stop the directory sharing between the directory owner and other consumer accounts. |
ds:UpdateConditionalForwarder | Admin | Updates trust with another domain. |
ds:UpdateNumberOfDomainControllers | Admin | |
ds:UpdateRadius | Operator | Operators can manage configurations on existing directories and connectors. |
ds:UpdateTrust | Admin | |
ds:VerifyTrust | Metadata | Only returns confirmation of whether the trust is established. |
ec2:DescribeNetworkInterfaces | Metadata | Required for directory management. |
ec2:DescribeSubnets | Metadata | Required for directory management. |
ec2:DescribeVpcs | Metadata | Required for directory management. |
sns:GetTopicAttributes | Metadata | Required for registering event topics. |
sns:ListSubscriptions | Metadata | Required for registering event topics. |
sns:ListSubscriptionsByTopic | Metadata | Required for registering event topics. |
sns:ListTopics | Metadata | Required for registering event topics. |