


# Directory Service API permissions: Actions, resources, and conditions reference
<a name="UsingWithDS_IAM_ResourcePermissions"></a>

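When you set up [access control](iam_auth_access.md#access_control) and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the [Directory Service API permissions: Actions, resources, and conditions reference](#UsingWithDS_IAM_ResourcePermissions) table as a reference. Each API entry in the table includes the following:
+ The name of each API operation
+ The corresponding action or actions for which you can grant permissions to perform each API operation
+ The AWS resource for which you can grant the permissions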

You specify the actions in the policy's `Action` field and the resource value in the policy's `Resource` field. To specify an action, use the `ds:` prefix followed by the API operation name (for example, `ds:CreateDirectory`). Some AWS applications may require the use of nonpublic Directory Service API operations such as `ds:AuthorizeApplication`, `ds:CheckAlias`, `ds:CreateIdentityPoolDirectory`, `ds:GetAuthorizedApplicationDetails`, `ds:UpdateAuthorizedApplication`, and `ds:UnauthorizeApplication` in their policies.

Some Directory Service APIs can be called only through the AWS Management Console. They are not public APIs, in the sense that they cannot be called programmatically and they are not provided by any SDK. They accept user credentials. These API operations include `ds:DisableRoleAccess`, `ds:EnableRoleAccess`, and `ds:UpdateDirectory`.

You can use AWS global condition keys in your Directory Service and Directory Service Data policies to express conditions. For a complete list of AWS keys, see [Available global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the *IAM User Guide*.

## Directory Service API and required permissions for actions
<a name="actions-related-to-objects-table"></a>


| Directory Service API operations | Required permissions (API actions) | Resources | 
| --- | --- | --- | 
| [AcceptSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AcceptSharedDirectory.html)  | `ds:AcceptSharedDirectory` | \* | 
| [AddIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddIpRoutes.html)  | `ds:AddIpRoutes`<br />`ec2:DescribeSecurityGroup`<br />`ec2:AuthorizeSecurityGroupIngress`<br />`ec2:AuthorizeSecurityGroupEgress` | \* | 
| [AddTagsToResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_AddTagsToResource.html)  | `ds:AddTagsToResource`<br />`ec2:CreateTags` | \* | 
| [CancelSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CancelSchemaExtension.html)  | `ds:CancelSchemaExtension` | \* | 
|  [ConnectDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ConnectDirectory.html)  | `ds:ConnectDirectory`<br />`ec2:DescribeSubnets`<br />`ec2:DescribeVpcs`<br />`ec2:CreateSecurityGroup`<br />`ec2:CreateNetworkInterface`<br />`ec2:DescribeNetworkInterfaces`<br />`ec2:AuthorizeSecurityGroupIngress`<br />`ec2:AuthorizeSecurityGroupEgress`<br />`ec2:CreateTags` | \* | 
|  [CreateAlias](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateAlias.html)  | `ds:CreateAlias` | \* | 
|  [CreateComputer](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateComputer.html)  | `ds:CreateComputer` | \* | 
|  [CreateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateConditionalForwarder.html)  | `ds:CreateConditionalForwarder` | \* | 
|  [CreateDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateDirectory.html)  | `ds:CreateDirectory`<br />`ec2:DescribeSubnets`<br />`ec2:DescribeVpcs`<br />`ec2:CreateSecurityGroup`<br />`ec2:CreateNetworkInterface`<br />`ec2:DescribeNetworkInterfaces`<br />`ec2:AuthorizeSecurityGroupIngress`<br />`ec2:AuthorizeSecurityGroupEgress`<br />`ec2:CreateTags` | \* | 
| [CreateLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateLogSubscription.html)  | `ds:CreateLogSubscription` | \* | 
|  [CreateMicrosoftAD](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateMicrosoftAD.html)  | `ds:CreateMicrosoftAD`<br />`ec2:DescribeSubnets`<br />`ec2:DescribeVpcs`<br />`ec2:CreateSecurityGroup`<br />`ec2:CreateNetworkInterface`<br />`ec2:DescribeNetworkInterfaces`<br />`ec2:AuthorizeSecurityGroupIngress`<br />`ec2:AuthorizeSecurityGroupEgress`<br />`ec2:RevokeSecurityGroupEgress`<br />`ec2:CreateTags` | \* | 
|  [CreateSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateSnapshot.html)  | `ds:CreateSnapshot` | \* | 
|  [CreateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_CreateTrust.html)  | `ds:CreateTrust` | \* | 
|  [DeleteConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteConditionalForwarder.html)  | `ds:DeleteConditionalForwarder` | \* | 
|  [DeleteDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteDirectory.html)  | `ds:DeleteDirectory`<br />`ec2:DescribeNetworkInterfaces`<br />`ec2:DeleteSecurityGroup`<br />`ec2:DeleteNetworkInterface`<br />`ec2:RevokeSecurityGroupIngress`<br />`ec2:RevokeSecurityGroupEgress`<br />`ec2:DeleteTags` | \* | 
| [DeleteLogSubscription](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteLogSubscription.html)  | `ds:DeleteLogSubscription` | \* | 
|  [DeleteSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteSnapshot.html)  | `ds:DeleteSnapshot` | \* | 
|  [DeleteTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeleteTrust.html)  | `ds:DeleteTrust` | \* | 
|  [DeregisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DeregisterEventTopic.html)  | `ds:DeregisterEventTopic` | \* | 
|  [DescribeConditionalForwarders](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeConditionalForwarders.html)  | `ds:DescribeConditionalForwarders` | \* | 
|  [DescribeDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDirectories.html)  | `ds:DescribeDirectories` | \* | 
| [DescribeDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDomainControllers.html)  | `ds:DescribeDomainControllers` | \* | 
|  [DescribeEventTopics](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeEventTopics.html)  | `ds:DescribeEventTopics` | \* | 
| [DescribeSharedDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSharedDirectories.html)  | `ds:DescribeSharedDirectories` | \* | 
|  [DescribeSnapshots](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeSnapshots.html)  | `ds:DescribeSnapshots` | \* | 
|  [DescribeTrusts](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeTrusts.html)  | `ds:DescribeTrusts` | \* | 
|  [DisableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableRadius.html)  | `ds:DisableRadius` | \* | 
|  [DisableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DisableSso.html)  | `ds:DisableSso` | \* | 
|  [EnableRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableRadius.html)  | `ds:EnableRadius` | \* | 
|  [EnableSso](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_EnableSso.html)  | `ds:EnableSso` | \* | 
|  [GetDirectoryLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetDirectoryLimits.html)  | `ds:GetDirectoryLimits` | \* | 
|  [GetSnapshotLimits](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_GetSnapshotLimits.html)  | `ds:GetSnapshotLimits` | \* | 
| [ListIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListIpRoutes.html) | `ds:ListIpRoutes` | \* | 
| [ListLogSubscriptions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListLogSubscriptions.html)  | `ds:ListLogSubscriptions` | \* | 
| [ListSchemaExtensions](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListSchemaExtensions.html) | `ds:ListSchemaExtensions` | \* | 
| [ListTagsForResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ListTagsForResource.html) | `ds:ListTagsForResource` | \* | 
|  [RegisterEventTopic](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RegisterEventTopic.html)  | `ds:RegisterEventTopic`<br />`sns:GetTopicAttributes` | \* | 
| [RejectSharedDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RejectSharedDirectory.html)  | `ds:RejectSharedDirectory` | \* | 
| [RemoveIpRoutes](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveIpRoutes.html) | `ds:RemoveIpRoutes` | \* | 
| [RemoveTagsFromResource](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RemoveTagsFromResource.html) | `ds:RemoveTagsFromResource`<br />`ec2:DeleteTags` | \* | 
| [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html)  | `ds:ResetUserPassword` | \* | 
|  [RestoreFromSnapshot](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_RestoreFromSnapshot.html)  | `ds:RestoreFromSnapshot` | \* | 
| [ShareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ShareDirectory.html)  | `ds:ShareDirectory`<br />`organizations:DescribeAccount`<br />`organizations:DescribeOrganization`<br />`organizations:ListAWSServiceAccessForOrganization` | \* | 
| [StartSchemaExtension](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_StartSchemaExtension.html) | `ds:StartSchemaExtension` | \* | 
| [UnshareDirectory](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UnshareDirectory.html)  | `ds:UnshareDirectory` | \* | 
|  [UpdateConditionalForwarder](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateConditionalForwarder.html)  | `ds:UpdateConditionalForwarder` | \* | 
| [UpdateNumberOfDomainControllers](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateNumberOfDomainControllers.html)  | `ds:UpdateNumberOfDomainControllers`<br />`ec2:DescribeSubnets`<br />`ec2:DescribeVpcs`<br />`ec2:CreateNetworkInterface`<br />`ec2:DescribeNetworkInterfaces`<br />`ec2:DeleteNetworkInterface` | \* | 
|  [UpdateRadius](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateRadius.html)  | `ds:UpdateRadius` | \* | 
| [UpdateTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_UpdateTrust.html)  | `ds:UpdateTrust` | \* | 
|  [VerifyTrust](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_VerifyTrust.html)  | `ds:VerifyTrust` | \* | 

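Many rows in the table above pair a `ds:` action with EC2, SNS, or Organizations actions, so a policy that grants only the `ds:` action fails partway through the operation. The following check is an added example, not part of the AWS documentation or any AWS tool: it reports which required actions from three rows of the table an identity-based policy does not effectively allow. The names `REQUIRED`, `missing_permissions`, and `SAMPLE_POLICY` are hypothetical, and the evaluation is deliberately simplified (no `NotAction`, conditions, or resource scoping beyond `*`).

```python
import fnmatch

# Rows copied from the table above (a subset; add the rows you need).
REQUIRED = {
    "CreateDirectory": [
        "ds:CreateDirectory", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
        "ec2:CreateSecurityGroup", "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress", "ec2:CreateTags"],
    "DeleteDirectory": [
        "ds:DeleteDirectory", "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteSecurityGroup", "ec2:DeleteNetworkInterface",
        "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteTags"],
    "RegisterEventTopic": ["ds:RegisterEventTopic", "sns:GetTopicAttributes"],
}

def _listify(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(patterns, action):
    # IAM action names are case-insensitive; "*" and "?" are the only wildcards,
    # so "[" is escaped to stop fnmatch reading it as a character class.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower().replace("[", "[[]"))
               for p in patterns)

def missing_permissions(policy, operation):
    """Required actions for `operation` that `policy` does not effectively allow."""
    allow, deny = [], []
    for stmt in _listify(policy["Statement"]):
        if "Action" not in stmt:          # NotAction statements are not evaluated
            continue
        actions = _listify(stmt["Action"])
        if stmt["Effect"] == "Deny":      # conservative: any Deny counts as blocking
            deny += actions
        elif "*" in _listify(stmt.get("Resource", [])) and "Condition" not in stmt:
            allow += actions              # the table lists "*" as the resource
    return [a for a in REQUIRED[operation]
            if not _matches(allow, a) or _matches(deny, a)]

# Constructed sample policy: grants both ds: actions but only part of the EC2
# set they depend on, and explicitly denies ec2:DeleteTags.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ds:CreateDirectory", "ds:DeleteDirectory", "ec2:Describe*",
        "ec2:CreateSecurityGroup", "ec2:CreateNetworkInterface",
        "ec2:AuthorizeSecurityGroup*", "ec2:*Tags"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:DeleteTags"}]}
```

With the sample policy, `CreateDirectory` is fully covered, while `DeleteDirectory` is missing the four EC2 teardown actions plus the explicitly denied `ec2:DeleteTags`.
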
## AWS Directory Service Data API and required permissions for actions
<a name="DSData_ResourcePermissions"></a>

**Note**  
 To specify an action, use the `ds-data:` prefix followed by the API operation name (for example, `ds-data:AddGroupMember`).


| Directory Service Data API operations | Required permissions (API actions) | Resources | 
| --- | --- | --- | 
|  [AddGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_AddGroupMember.html)  | `ds-data:AddGroupMember` | \* | 
|  [CreateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateGroup.html)  | `ds-data:CreateGroup` | \* | 
|  [CreateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateUser.html)  | `ds-data:CreateUser` | \* | 
|  [DeleteGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DeleteGroup.html)  | `ds-data:DeleteGroup` | \* | 
|  [DeleteUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/DeleteUser.html)  | `ds-data:DeleteUser` | \* | 
|  [DescribeGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeGroup.html)  | `ds-data:DescribeGroup` | \* | 
|  [DescribeUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DescribeUser.html)  | `ds-data:DescribeUser` | \* | 
|  [DisableUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_DisableUser.html)  | `ds-data:DisableUser` | \* | 
|  [ListGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroups.html)  | `ds-data:ListGroups` | \* | 
|  [ListGroupMembers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupMembers.html)  | `ds-data:ListGroupMembers` | \* | 
|  [ListGroupsForMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListGroupsForMember.html)  | `ds-data:ListGroupsForMember` | \* | 
|  [ListUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_ListUsers.html)  | `ds-data:ListUsers` | \* | 
|  [RemoveGroupMember](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_RemoveGroupMember.html)  | `ds-data:RemoveGroupMember` | \* | 
|  [SearchGroups](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchGroups.html)  | `ds-data:DescribeGroup`<br />`ds-data:SearchGroups` | \* | 
| [SearchUsers](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_SearchUsers.html) | `ds-data:DescribeUser`<br />`ds-data:SearchUsers` | \* | 
| [UpdateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateGroup.html) | `ds-data:UpdateGroup` | \* | 
| [UpdateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_UpdateUser.html) | `ds-data:UpdateUser` | \* | 

## Related topics
<a name="iam2_related"></a>
+ [Access control](iam_auth_access.md#access_control)