Amazon Route 53
Developer Guide (API Version 2013-04-01)

Using IAM to Control Access to Amazon Route 53 Resources

Amazon Route 53 integrates with AWS Identity and Access Management (IAM) so that you can specify which Amazon Route 53 API actions a user can perform on which Amazon Route 53 resources. For example, you can create an IAM policy that gives certain users in your organization permission to update resource record sets of specific hosted zones that your organization owns.

Important

Using Amazon Route 53 with IAM doesn't change how you use Amazon Route 53. There are no changes to Amazon Route 53 actions.

For an example of a policy that covers Amazon Route 53 actions, see Example IAM Policies for Amazon Route 53.

Amazon Route 53 ARNs

You can specify three types of Amazon Route 53 resources in an IAM policy: hosted zones, health checks, and changes. Amazon Route 53 Amazon Resource Names (ARNs) have the following general format:

arn:aws:route53:::resource/ID

The value of resource is hostedzone, healthcheck, or change, and ID is the ID of the hosted zone, the health check, or the change.

Note

Amazon Route 53 doesn't support resource-level permissions for domain registration.

The following are examples of a hosted zone ARN, a health check ARN, and a change ARN.

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::healthcheck/02ec8401-9879-4259-91fa-example94674
arn:aws:route53:::change/C2RDJ5EXAMPLE2

You can use a wildcard (*) in place of the ID. For example, the following ARN specifies all hosted zones managed by the AWS account:

arn:aws:route53:::hostedzone/*

For more information about ARNs, see IAM ARNs in Using IAM.

Amazon Route 53 Actions

You can refer to any Amazon Route 53 API action in an IAM policy by adding the applicable prefix to the name of the action:

  • For actions related to hosted zones, resource record sets, and health checks, prefix the action name with the following lowercase string:

    route53:

    For example, specify route53:CreateHostedZone, route53:GetChange, or route53:* (for all actions).

  • For actions related to domain registration, prefix the action name with the following lowercase string:

    route53domains:

    For example, specify route53domains:CheckDomainAvailability, route53domains:RegisterDomain, or route53domains:* (for all domain-registration actions).

    When you grant permission to register domains, you must also grant permission to create hosted zones. When you register a domain, Amazon Route 53 automatically creates a hosted zone for the domain.

Most actions on hosted zones, resource record sets, and health checks can be authorized to act on a specific resource or a set of resources using a wildcard ARN. However, the following actions don't act on specific resources, so policies for these actions must specify * as the resource:

  • CreateHostedZone

  • ListHostedZones

  • CreateHealthCheck

  • GetCheckerIpRanges

  • GetHealthCheckCount

  • ListHealthChecks

If you're working with private hosted zones, the following actions require an additional permission so that you can access Amazon VPCs:

  • CreateHostedZone

  • AssociateVPCWithHostedZone

The IAM policy for a user who creates private hosted zones or associates Amazon VPCs with a private hosted zone must include at least the following permission:

"Action":["ec2:DescribeVpcs"]

For a list of Amazon Route 53 action names, see the Amazon Route 53 API Reference.

Amazon Route 53 Keys

Amazon Route 53 implements only the following policy keys. For more information about policy keys, see "Available Keys for Conditions" in IAM Policy Elements Reference in Using IAM.

AWS-Wide Policy Keys

  • aws:CurrentTime (for date/time conditions)

  • aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)

  • aws:SourceIp (the requester's IP address, for use with IP address conditions)

  • aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated to determine whether access is allowed.

Key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.

Example IAM Policies for Amazon Route 53

This section shows simple policies for controlling user access to Amazon Route 53.

Important

The value of the Version element must be the current version of the IAM policy language. For the current version date, see Version in the "IAM Policy Elements Reference" in Using IAM.

Example 1: Allow read access to all hosted zones

This policy allows the group it is attached to (for example, the AllUsers group) read access to all of the hosted zones that are associated with the AWS account.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetHostedZone", 
            "route53:ListResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:ListHostedZones"],
         "Resource":"*"
      }
   ]
}

Example 2: Allow creation and deletion of hosted zones

This policy allows the group it is attached to (for example, the Managers group) to create and delete hosted zones.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["route53:CreateHostedZone"],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:DeleteHostedZone"],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:GetChange"],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Example 3: Allow changes to resource record sets in a specified hosted zone

This policy allows the group it is attached to (for example, a SysAdmins group) to add, delete, and change resource record sets in a specified hosted zone. It also allows the group to request the status of changes.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["route53:ChangeResourceRecordSets"],
         "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"
      },
      {
         "Effect":"Allow",
         "Action":["route53:GetChange"],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}
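As an added example (not code from the Route 53 guide), the following Python sketch evaluates policies like the ones above against a request: it applies the wildcard rule from "Amazon Route 53 ARNs", the rule that the account-level actions listed under "Amazon Route 53 Actions" are matched against Resource "*" only, and IAM's default-deny, explicit-deny-wins logic. The policy and ARNs are taken from this page; the matching is a simplified model of IAM, not the real evaluation engine, and Condition elements are ignored.

```python
import fnmatch

# Constructed sample: the two statements of Example 3 above plus the
# ListHostedZones statement from Example 1, so that a specific hosted zone
# ARN, a wildcard change ARN and the account-level "*" are all exercised.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"},
        {"Effect": "Allow", "Action": ["route53:GetChange"],
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow", "Action": ["route53:ListHostedZones"],
         "Resource": "*"},
    ],
}

# Actions the page lists as not acting on a specific resource. A request
# for them is matched against Resource "*" only, so a statement scoped to
# hostedzone/* can never grant them (stored lower-cased for comparison).
ACCOUNT_LEVEL_ACTIONS = {
    "route53:createhostedzone", "route53:listhostedzones",
    "route53:createhealthcheck", "route53:getcheckeripranges",
    "route53:gethealthcheckcount", "route53:listhealthchecks",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: '*' (any run) and '?' (one character). Action names are
    # case-insensitive, ARNs are not, so the caller folds actions beforehand.
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified IAM decision: default deny, any matching Deny wins,
    otherwise a matching Allow grants access. Conditions are ignored."""
    action = action.lower()
    if action in ACCOUNT_LEVEL_ACTIONS:
        resource = "*"
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a.lower(), action)
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Useful as a pre-deployment sanity check: a policy that lists ListHostedZones with a hostedzone/* resource evaluates to deny here for the same reason it does in IAM.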

Example 4: Allow full access to all domains (public hosted zones only)

This policy gives the group that it's attached to (for example, a SysAdmins group) full read and write permissions to all of the domains associated with an AWS account, including permissions to register domains and create hosted zones. When you register a domain, a hosted zone is created at the same time, so a policy that includes permission to register domains also requires permission to create hosted zones. (Amazon Route 53 doesn't support resource-level permissions for domain registration.)

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53domains:*",
            "route53:CreateHostedZone"
         ],
         "Resource":"*"
      }
   ]
}

Example 5: Allow full access to the Amazon Route 53 console

This policy gives the group that it's attached to (for example, a SysAdmins group) full read and write permissions to all functionality in the Amazon Route 53 console. Here's why each permission is required:

  • route53:* lets you perform all Amazon Route 53 actions except creating and updating alias resource record sets, working with private hosted zones, and working with domains.

  • cloudfront:ListDistributions, elasticloadbalancing:DescribeLoadBalancers, and s3:ListBucket let you create and update alias resource record sets for which the value of Alias Target is a CloudFront distribution, an ELB load balancer, or an Amazon S3 bucket, respectively.

    These permissions are not required if you're using only the Amazon Route 53 API. Amazon Route 53 uses them only to get lists of distributions, load balancers, and buckets for display in the console.

  • ec2:DescribeVpcs and ec2:DescribeRegions let you work with private hosted zones.

  • route53domains:* lets you work with domains.

    Important

    If you list route53 actions individually, you must include route53:CreateHostedZone to work with domains. When you register a domain, a hosted zone is created at the same time, so a policy that includes permission to register domains also requires permission to create hosted zones.

    Amazon Route 53 doesn't support resource-level permissions for domain registration.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:*", 
            "cloudfront:ListDistributions",
            "elasticloadbalancing:DescribeLoadBalancers",
            "s3:ListBucket",
            "ec2:DescribeVpcs",
            "ec2:DescribeRegions",
            "route53domains:*"
         ],
         "Resource":"*"
      }
   ]
}