Amazon Route 53
Developer Guide (API Version 2012-12-12)

Using IAM to Control Access to Route 53 Resources

Amazon Route 53 integrates with AWS Identity and Access Management (IAM) so that you can specify which Route 53 API actions a User can perform on which Route 53 resources. For example, you can create an IAM policy that gives certain Users in your organization permission to update resource record sets of specific hosted zones that your organization owns.

Important

Using Route 53 with IAM doesn't change how you use Route 53. There are no changes to Route 53 actions.

For an example of a policy that covers Route 53 actions, see Example IAM Policies for Route 53.

Route 53 ARNs

You can specify two types of Route 53 resources in an IAM policy: hosted zones and changes. Route 53 Amazon Resource Names (ARNs) have the following general format:

arn:aws:route53:::resource/ID

Resource is either hostedzone or change, and ID is the ID of the hosted zone or the change.

The following are examples of a hosted zone ARN and a change ARN, respectively.

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2

You can use wildcards (*) in place of the ID. For example, the following specifies all hosted zone resources owned by the AWS account.

arn:aws:route53:::hostedzone/*

For more information about ARNs, go to ARNs at Identifiers for IAM Entities in Using IAM.

Route 53 Actions

Currently, all Route 53 API actions can be referred to in an IAM policy. Each action name must be prefixed with the lowercase string route53:. For example: route53:CreateHostedZone, route53:GetChange or route53:* (for all actions).

Most actions can be authorized to act on a specific resource or a set of resources using a wildcard ARN. However, because the CreateHostedZone and ListHostedZones actions do not act on specific resources, policies for these actions must specify * as the resource. For a list of Route 53 actions, refer to the API action names in the Amazon Route 53 API Reference.
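To show how the ARN and action rules above combine, here is an added example (written for this edit, not code from the guide or from AWS) that parses Route 53 ARNs, evaluates a policy's Allow/Deny statements with wildcard matching, and flags statements whose action can never match its resource type, such as CreateHostedZone given a hosted zone ARN or a hosted-zone action bound to a change ARN. The action-to-resource mapping follows this page except for DeleteHostedZone, which is assumed to act on a hosted zone ARN; the SAMPLE policy is constructed.

```python
import fnmatch
# Resource type each Route 53 action acts on, per the guide (CreateHostedZone and
# ListHostedZones take no resource and need "*"); DeleteHostedZone is an assumption.
ACTION_RESOURCE = {
    "createhostedzone": None, "listhostedzones": None,
    "gethostedzone": "hostedzone", "listresourcerecordsets": "hostedzone",
    "changeresourcerecordsets": "hostedzone", "deletehostedzone": "hostedzone",
    "getchange": "change",
}
# Constructed sample, not from the guide: DeleteHostedZone bound to a change ARN.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:CreateHostedZone"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["route53:DeleteHostedZone"], "Resource": "arn:aws:route53:::change/*"}]}

def parse_arn(arn):
    """arn:aws:route53:::<type>/<id> -> (type, id); a bare "*" -> (None, "*")."""
    if arn == "*":
        return None, "*"
    prefix, _, rest = arn.partition(":::")
    rtype, _, rid = rest.partition("/")
    if prefix != "arn:aws:route53" or rtype not in ("hostedzone", "change") or not rid:
        raise ValueError("malformed Route 53 ARN: %r" % arn)
    return rtype, rid

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Flag statements whose Action can never match their Resource."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            needs = ACTION_RESOURCE.get(action.partition(":")[2].lower(), "?")  # "?": wildcard/unknown
            for rtype, _ in map(parse_arn, _as_list(stmt["Resource"])):
                if needs is None and rtype is not None:
                    problems.append((i, action, 'must use Resource "*"'))
                elif needs not in (None, "?") and rtype not in (None, needs):
                    problems.append((i, action, "expects a %s ARN" % needs))
    return problems

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise allow when any Allow statement matches."""
    rtype, rid = parse_arn(resource)
    def matches(stmt):
        return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
                and any(p in (None, rtype) and fnmatch.fnmatchcase(rid, i)
                        for p, i in map(parse_arn, _as_list(stmt["Resource"]))))
    effects = {s["Effect"] for s in policy["Statement"] if matches(s)}
    return "Deny" not in effects and "Allow" in effects
```

Running lint_policy(SAMPLE) reports that the DeleteHostedZone statement expects a hostedzone ARN, and is_allowed(SAMPLE, "route53:DeleteHostedZone", "arn:aws:route53:::hostedzone/Z148QEXAMPLE8V") is False: the statement looks like a grant but never matches.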

Route 53 Keys

Route 53 implements the following policy keys, but no others. For more information about policy keys, go to Available Keys in Condition at Element Descriptions in Using Identity and Access Management.

AWS-Wide Policy Keys

  • aws:CurrentTime (for date/time conditions)

  • aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)

  • aws:SecureTransport (Boolean representing whether the request was sent using SSL)

  • aws:SourceIp (the requester's IP address, for use with IP address conditions)

  • aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, we evaluate the instance's public IP address to determine if access is allowed.

For services that use only SSL, such as Amazon RDS and Route 53, the aws:SecureTransport key has no meaning.

The key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.
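The following added example (not from the guide or from AWS) evaluates a policy Condition block against a request context using the keys listed above: key names are matched case-insensitively, aws:SourceIp is tested against CIDR ranges, and aws:SecureTransport is always true because Route 53 is SSL-only. The condition operators used (IpAddress, StringLike, DateLessThan, DateGreaterThan, Bool) are standard IAM operators not described on this page; the sample condition and request values are constructed.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed sample, not from the guide: allow only from two address ranges,
# before a cut-off date, from an in-house client. Key names mix case on purpose.
SAMPLE_CONDITION = {
    "IpAddress": {"AWS:sourceip": ["203.0.113.0/24", "198.51.100.7/32"]},
    "DateLessThan": {"aws:CurrentTime": "2013-07-01T00:00:00Z"},
    "StringLike": {"aws:useragent": "dns-deploy/*"},
}

def _ctx_get(context, key):
    """Policy key names are case insensitive, so look them up that way."""
    for k, v in context.items():
        if k.lower() == key.lower():
            return v
    return None

def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

OPERATORS = {
    "IpAddress": lambda have, want: any(
        ipaddress.ip_address(have) in ipaddress.ip_network(w, strict=False) for w in want),
    "Bool": lambda have, want: str(have).lower() == str(want[0]).lower(),
    "StringLike": lambda have, want: any(fnmatch.fnmatchcase(have, w) for w in want),
    "DateLessThan": lambda have, want: _parse_time(have) < _parse_time(want[0]),
    "DateGreaterThan": lambda have, want: _parse_time(have) > _parse_time(want[0]),
}

def condition_holds(condition, context):
    """Every operator block and every key inside it must pass; a key missing
    from the request context fails closed (simplified IAM semantics)."""
    for op, keys in condition.items():
        if op not in OPERATORS:
            raise ValueError("unsupported condition operator: %s" % op)
        for key, want in keys.items():
            have = _ctx_get(context, key)
            if have is None:
                return False
            if not OPERATORS[op](have, want if isinstance(want, list) else [want]):
                return False
    return True

def request_context(source_ip, user_agent, when):
    """Context as Route 53 would see it; every Route 53 call is over SSL, so
    aws:SecureTransport is always true and the key carries no information."""
    return {"aws:SourceIp": source_ip, "aws:UserAgent": user_agent,
            "aws:CurrentTime": when, "aws:SecureTransport": "true",
            "aws:EpochTime": int(_parse_time(when).timestamp())}
```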

Example IAM Policies for Route 53

This section shows three simple policies for controlling User access to Route 53.

Note

In the future, Route 53 might add new actions that should logically be included in one of the following policies, based on the policy's stated goals.

Example 1: Allow Users read access to all hosted zones

This policy allows the group it is attached to (for example, the AllUsers group) read access to all of the AWS Account's hosted zones.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetHostedZone", 
            "route53:ListResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:ListHostedZones"
         ],
         "Resource":"*"
      }
   ]
}

Example 2: Allow creation and deletion of hosted zones

This policy allows the group it is attached to (for example, the Managers group) to manage the creation and deletion of hosted zones.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:CreateHostedZone"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:DeleteHostedZone"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetChange"
         ],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Example 3: Allow modifications to a specific zone

This policy allows the group it is attached to (for example, a SysAdmins group) to make modifications to a specific zone. It also allows the group to query the status of the change.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:ChangeResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetChange"
         ],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}