Amazon Route 53
Developer Guide (API Version 2013-04-01)

Using IAM to Control Access to Amazon Route 53 Resources

Amazon Route 53 integrates with AWS Identity and Access Management (IAM) so that you can specify which Amazon Route 53 API actions a user can perform on which Amazon Route 53 resources. For example, you can create an IAM policy that gives certain users in your organization permission to update resource record sets of specific hosted zones that your organization owns.

Important

Using Amazon Route 53 with IAM doesn't change how you use Amazon Route 53. There are no changes to Amazon Route 53 actions.

For an example of a policy that covers Amazon Route 53 actions, see Example IAM Policies for Amazon Route 53.

Amazon Route 53 ARNs

You can specify three types of Amazon Route 53 resources in an IAM policy: hosted zones, health checks, and changes. Amazon Route 53 Amazon Resource Names (ARNs) have the following general format:

arn:aws:route53:::resource/ID

The value of resource is hostedzone, healthcheck, or change, and ID is the ID of the hosted zone, the health check, or the change.

Note

Amazon Route 53 doesn't support resource-level policies for domain registration.

The following are examples of a hosted zone ARN, a health check ARN, and a change ARN.

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::healthcheck/02ec8401-9879-4259-91fa-example94674
arn:aws:route53:::change/C2RDJ5EXAMPLE2

You can use wildcards (*) in place of the ID. For example, the following could specify all hosted zones managed by the AWS account:

arn:aws:route53:::hostedzone/*

For more information about ARNs, see IAM ARNs in Using IAM.

Amazon Route 53 Actions

You can refer to any Amazon Route 53 API action in an IAM policy by adding the applicable prefix to the name of the action:

  • For actions related to hosted zones, resource record sets, and health checks, prefix the action name with the following lowercase string:

    route53:

    For example, specify route53:CreateHostedZone, route53:GetChange, or route53:* (for all actions).

  • For actions related to domain registration, prefix the action name with the following lowercase string:

    route53domains:

    For example, specify route53domains:CheckDomainAvailability, route53domains:RegisterDomain, or route53domains:* (for all domain-registration actions).

    When you grant permission to register domains, you must also grant permission to create hosted zones. When you register a domain, Amazon Route 53 automatically creates a hosted zone for the domain.

Most actions on hosted zones, resource record sets, and health checks can be authorized to act on a specific resource, or on a set of resources by using a wildcard ARN. However, the following actions don't act on specific resources, so policies for these actions must specify * as the resource:

  • CreateHostedZone

  • ListHostedZones

  • CreateHealthCheck

  • GetCheckerIpRanges

  • GetHealthCheckCount

  • ListHealthChecks

For a list of Amazon Route 53 action names, see the Amazon Route 53 API Reference.

Amazon Route 53 Keys

Amazon Route 53 implements only the following policy keys. For more information about policy keys, see "Available Keys for Conditions" in IAM Policy Elements Reference in Using IAM.

AWS-Wide Policy Keys

  • aws:CurrentTime (for date/time conditions)

  • aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)

  • aws:SourceIp (the requester's IP address, for use with IP address conditions)

  • aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated to determine whether access is allowed.

Key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.

Example IAM Policies for Amazon Route 53

This section shows simple policies for controlling user access to Amazon Route 53.

Important

The value of the Version element must be the current version of the IAM policy language. For the current version date, see Version in the "IAM Policy Elements Reference" in Using IAM.

Example 1: Allow Users read access to all hosted zones

This policy allows the group it is attached to (for example, the AllUsers group) read access to all of the hosted zones that are associated with the AWS account:

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetHostedZone", 
            "route53:ListResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:ListHostedZones"
         ],
         "Resource":"*"
      }
   ]
}

Example 2: Allow creation and deletion of hosted zones

This policy allows the group it is attached to (for example, the Managers group) to manage the creation and deletion of hosted zones:

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:CreateHostedZone"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:DeleteHostedZone"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetChange"
         ],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Example 3: Allow modifications to a specific zone

This policy allows the group it is attached to (for example, a SysAdmins group) to make modifications to a specific zone. It also allows the group to query the status of the change:

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:ChangeResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetChange"
         ],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}
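The ARN format, the action prefixes, the list of actions that must use * as the resource, and the RegisterDomain/CreateHostedZone dependency described above can be checked mechanically before a policy is attached. The following linter is an added example, not code from the AWS guide; the RESOURCE_TYPE table (which ARN type each resource-level action operates on) and SAMPLE_POLICY are assumptions constructed for the example.

```python
import re
# ARN shape from the page: arn:aws:route53:::resource/ID with three resource types.
ARN_RE = re.compile(r"^arn:aws:route53:::(hostedzone|healthcheck|change)/([A-Za-z0-9-]+|\*)$")
# Actions the page says do not act on a specific resource, so Resource must be "*".
WILDCARD_ONLY = {"CreateHostedZone", "ListHostedZones", "CreateHealthCheck",
                 "GetCheckerIpRanges", "GetHealthCheckCount", "ListHealthChecks"}
# Assumed (not tabulated on the page): ARN type each resource-level action operates on.
RESOURCE_TYPE = {"GetHostedZone": "hostedzone", "ListResourceRecordSets": "hostedzone",
                 "ChangeResourceRecordSets": "hostedzone", "DeleteHostedZone": "hostedzone",
                 "GetChange": "change"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings for a policy dict; an empty list means it follows the page's rules."""
    findings, actions = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            actions.add(action)
            prefix, _, name = action.partition(":")
            if prefix not in ("route53", "route53domains") or not name:
                findings.append(f"{action}: action needs the route53: or route53domains: prefix")
                continue
            for res in resources:
                if res == "*":
                    continue
                m = ARN_RE.match(res)
                if m is None:
                    findings.append(f"{res}: not a valid Route 53 ARN")
                elif prefix == "route53domains":
                    findings.append(f"{action}: domain registration has no resource-level ARNs")
                elif name in WILDCARD_ONLY:
                    findings.append(f"{action}: does not act on a resource; Resource must be *")
                elif name in RESOURCE_TYPE and RESOURCE_TYPE[name] != m.group(1):
                    findings.append(f"{action}: expects a {RESOURCE_TYPE[name]} ARN, got {m.group(1)}")
    # Registering a domain auto-creates a hosted zone, so CreateHostedZone must be granted too.
    if actions & {"route53domains:RegisterDomain", "route53domains:*"} and \
            not actions & {"route53:CreateHostedZone", "route53:*"}:
        findings.append("RegisterDomain granted without route53:CreateHostedZone")
    return findings

# Constructed sample (not from the page): two mistakes the checks above catch.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:GetHostedZone"],
     "Resource": "arn:aws:route53:::hostedzone/*"},
    {"Effect": "Allow", "Action": "route53domains:RegisterDomain", "Resource": "*"}]}
```

Running lint_policy(SAMPLE_POLICY) reports ListHostedZones scoped to an ARN and RegisterDomain without CreateHostedZone; the three example policies on this page produce no findings.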