Amazon Route 53
Developer Guide (API Version 2013-04-01)

Using IAM to Control Access to Amazon Route 53 Resources

Amazon Route 53 integrates with AWS Identity and Access Management (IAM) so that you can specify which Amazon Route 53 API actions a user can perform on which Amazon Route 53 resources. For example, you can create an IAM policy that gives certain users in your organization permission to update resource record sets of specific hosted zones that your organization owns.

Important

Using Amazon Route 53 with IAM doesn't change how you use Amazon Route 53. There are no changes to Amazon Route 53 actions.

For an example of a policy that covers Amazon Route 53 actions, see Example IAM Policies for Amazon Route 53.

Amazon Route 53 ARNs

You can specify the following Amazon Route 53 resources in an IAM policy:

  • Health checks

  • Hosted zones

  • Reusable delegation sets

  • Changes

You can't specify resource record sets or domains in an IAM policy.

Amazon Route 53 Amazon Resource Names (ARNs) have the following general format:

arn:aws:route53:::resource/ID

The value of resource is healthcheck, hostedzone, delegationset, or change, and ID is the ID of the health check, hosted zone, reusable delegation set, or change.

The following are example ARNs for a health check, a hosted zone, a reusable delegation set, and a change:

arn:aws:route53:::healthcheck/02ec8401-9879-4259-91fa-example94674
arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::delegationset/N1PA6795SAMPLE
arn:aws:route53:::change/C2RDJ5EXAMPLE2

You can use a wildcard (*) in place of the ID. For example, the following ARN specifies all hosted zones associated with an AWS account:

arn:aws:route53:::hostedzone/*

For more information about ARNs, see IAM ARNs in Using IAM.

Amazon Route 53 Actions

To grant or deny permission to perform an Amazon Route 53 operation, specify the name of the corresponding API action in an IAM policy. For example, to grant or deny permission to create hosted zones, add the CreateHostedZone API action to an IAM policy. When you specify an action in an IAM policy, you grant or deny permission to the operation regardless of how a user performs it—the Amazon Route 53 console and API, the AWS CLI, all AWS SDKs, and AWS Tools for Windows PowerShell.

For a list of Amazon Route 53 action names, see the Amazon Route 53 API Reference.

Actions on Hosted Zones, Resource Record Sets, Health Checks, and Reusable Delegation Sets

To grant or deny permission to use actions related to hosted zones, resource record sets, health checks, and reusable delegation sets, prefix the action name with the following lowercase string:

route53:

For example, specify route53:CreateHostedZone, route53:GetChange, or route53:* (for all actions).

If you're working with private hosted zones, the following commands require an additional permission so a user can access Amazon VPCs:

  • CreateHostedZone

  • AssociateVPCWithHostedZone

To grant permission to create a private hosted zone or associate an Amazon VPC with a private hosted zone, include the following in the IAM policy:

"Action":["ec2:DescribeVpcs"]

Actions on Domain Registration

To grant or deny permission to use actions related to domain registration, prefix the action name with the following lowercase string:

route53domains:

For example, specify route53domains:CheckDomainAvailability, route53domains:RegisterDomain, or route53domains:* (for all domain-registration actions).

When you grant permission to register domains, you must also grant permission to create hosted zones. When you register a domain, Amazon Route 53 automatically creates a hosted zone for the domain.

Actions on Specific Resources

For most actions on hosted zones, health checks, and reusable delegation sets, you can grant or deny permission to act on a resource or a set of resources. In the ARN, you specify either the type of resource and its ID, or the type of resource and * for the ID. However, the following actions don't act on specific resources, so policies for these actions must specify * for the ID:

Health Checks

  • CreateHealthCheck

  • GetCheckerIpRanges

  • GetHealthCheckCount

  • ListHealthChecks

Hosted Zones

  • CreateHostedZone

  • ListHostedZones

Reusable Delegation Sets

  • CreateReusableDelegationSet

  • ListReusableDelegationSets

If you're working with private hosted zones, the following commands require an additional permission so you can access Amazon VPCs:

  • CreateHostedZone

  • AssociateVPCWithHostedZone

The IAM policy for a user who creates private hosted zones or associates Amazon VPCs with a private hosted zone must grant at least the following access:

"Action":["ec2:DescribeVpcs"]

For a list of Amazon Route 53 action names, see the Amazon Route 53 API Reference.
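As an added example (not code from this page or from AWS), the following Python checker encodes the rules above: the Route 53 ARN format, the actions that must use Resource "*", the resource type each action acts on (inferred from the action name, an assumption), the CreateHostedZone requirement for domain registration, and the ec2:DescribeVpcs requirement for private hosted zones. The SAMPLE policy is constructed for the demonstration.

```python
import re
# Rules below are transcribed from this page; the checker itself is an added example.
ARN_RE = re.compile(
    r"^arn:aws:route53:::(healthcheck|hostedzone|delegationset|change)/([A-Za-z0-9-]+|\*)$")
# Actions the page lists as not acting on a specific resource: Resource must be "*".
GLOBAL_ACTIONS = {"CreateHealthCheck", "GetCheckerIpRanges", "GetHealthCheckCount",
                  "ListHealthChecks", "CreateHostedZone", "ListHostedZones",
                  "CreateReusableDelegationSet", "ListReusableDelegationSets"}
# Resource type an action acts on, inferred from its name and the page's examples
# (record-set actions are scoped to a hosted zone). Heuristic, not an AWS table.
TYPE_HINTS = [("HealthCheck", "healthcheck"), ("ReusableDelegationSet", "delegationset"),
              ("HostedZone", "hostedzone"), ("ResourceRecordSets", "hostedzone"),
              ("GetChange", "change")]
def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy):
    """Return findings as strings; an empty list means the policy follows the page's rules."""
    findings, allowed = [], set()
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if st.get("Effect") == "Allow":
            allowed.update(actions)
        for res in resources:
            if res != "*" and not ARN_RE.match(res):
                findings.append(f"statement {i}: {res!r} is not a Route 53 ARN")
        for act in actions:
            if not act.startswith("route53:") or act == "route53:*":
                continue  # only route53: actions have their resource rules checked here
            name = act.split(":", 1)[1]
            if name in GLOBAL_ACTIONS and resources != ["*"]:
                findings.append(f'statement {i}: {act} must use Resource "*"')
            want = next((t for key, t in TYPE_HINTS if key in name), None)
            for m in filter(None, map(ARN_RE.match, resources)):
                if want and m.group(1) != want:
                    findings.append(f"statement {i}: {act} needs a {want} ARN, got {m.group(1)}")
    if any(a.startswith("route53domains:") for a in allowed) \
            and not allowed & {"route53:CreateHostedZone", "route53:*"}:
        findings.append("domain registration also requires route53:CreateHostedZone")
    if allowed & {"route53:CreateHostedZone", "route53:AssociateVPCWithHostedZone", "route53:*"} \
            and "ec2:DescribeVpcs" not in allowed:
        findings.append("note: private hosted zones additionally need ec2:DescribeVpcs")
    return findings

# Constructed sample: DeleteHostedZone is scoped to change ARNs, which can never match.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:CreateHostedZone"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["route53:DeleteHostedZone"], "Resource": "arn:aws:route53:::change/*"}]}
```

Running `lint_policy(SAMPLE)` reports the mismatched resource type for DeleteHostedZone and notes that private hosted zones would also need ec2:DescribeVpcs.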

Amazon Route 53 Keys

Amazon Route 53 implements only the following policy keys. For more information about policy keys, see "Available Keys for Conditions" in IAM Policy Elements Reference in Using IAM.

AWS-Wide Policy Keys

  • aws:CurrentTime (for date/time conditions)

  • aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)

  • aws:SourceIp (the requester's IP address, for use with IP address conditions)

  • aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated to determine whether access is allowed.

Key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.

Example IAM Policies for Amazon Route 53

This section shows example policies for controlling user access to Amazon Route 53.

Important

The value of the Version element must be the current version of the IAM policy language. For the current version date, see Version in the "IAM Policy Elements Reference" in Using IAM.

Example 1: Allow read access to all hosted zones

This policy allows the group it is attached to (for example, the AllUsers group) read access to all of the hosted zones that are associated with the AWS account.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetHostedZone", 
            "route53:ListResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:ListHostedZones"],
         "Resource":"*"
      }
   ]
}

Example 2: Allow creation and deletion of hosted zones

This policy allows the group it is attached to (for example, the Managers group) to create and delete hosted zones.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["route53:CreateHostedZone"],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:DeleteHostedZone"],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:GetChange"],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Example 3: Allow changes to resource record sets in a specified hosted zone

This policy allows the group it is attached to (for example, a SysAdmins group) to add, delete, and change resource record sets in a specified hosted zone. It also allows the group to request the status of changes.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["route53:ChangeResourceRecordSets"],
         "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"
      },
      {
         "Effect":"Allow",
         "Action":["route53:GetChange"],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Example 4: Allow full access to all domains (public hosted zones only)

This policy gives the group that it's attached to (for example, a SysAdmins group) full read and write permissions to all of the domains associated with an AWS account, including permissions to register domains and create hosted zones. When you register a domain, a hosted zone is created at the same time, so a policy that includes permission to register domains also requires permission to create hosted zones. (Amazon Route 53 doesn't support resource-level permissions for domain registration.)

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53domains:*",
            "route53:CreateHostedZone"
         ],
         "Resource":"*"
      }
   ]
}

Example 5: Allow full access to the Amazon Route 53 console

This policy gives the group that it's attached to (for example, a SysAdmins group) full read and write permissions to all functionality in the Amazon Route 53 console. Here's why each permission is required:

  • route53:* lets you perform all Amazon Route 53 actions except creating and updating alias resource record sets, working with private hosted zones, and working with domains.

  • cloudfront:ListDistributions, elasticloadbalancing:DescribeLoadBalancers, and s3:ListBucket let you create and update alias resource record sets for which the value of Alias Target is a CloudFront distribution, an ELB load balancer, or an Amazon S3 bucket, respectively.

    These permissions are not required if you're using only the Amazon Route 53 API. Amazon Route 53 uses them only to get lists of distributions, load balancers, and buckets for display in the console.

  • ec2:DescribeVpcs and ec2:DescribeRegions let you work with private hosted zones.

  • route53domains:* lets you work with domains.

    Important

    If you list route53 actions individually, you must include route53:CreateHostedZone to work with domains. When you register a domain, a hosted zone is created at the same time, so a policy that includes permission to register domains also requires permission to create hosted zones.

    Amazon Route 53 doesn't support resource-level permissions for domain registration.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:*", 
            "cloudfront:ListDistributions",
            "elasticloadbalancing:DescribeLoadBalancers",
            "s3:ListBucket",
            "ec2:DescribeVpcs",
            "ec2:DescribeRegions",
            "route53domains:*"
         ],
         "Resource":"*"
      }
   ]
}