Amazon Route 53
Developer Guide (API Version 2013-04-01)

Using IAM to Control Access to Amazon Route 53 Resources

Amazon Route 53 integrates with AWS Identity and Access Management (IAM) so that you can specify which Amazon Route 53 API actions a user can perform on which Amazon Route 53 resources. For example, you can create an IAM policy that gives certain users in your organization permission to update resource record sets of specific hosted zones that your organization owns.

Important

Using Amazon Route 53 with IAM doesn't change how you use Amazon Route 53. There are no changes to Amazon Route 53 actions.

For several examples, see Example IAM Policies for Amazon Route 53.

Amazon Route 53 ARNs

You can specify the following Amazon Route 53 resources in an IAM policy:

  • Health checks

  • Hosted zones

  • Traffic policies

  • Traffic policy instances (called policy records in the Amazon Route 53 console)

  • Reusable delegation sets

  • Changes

You can't specify resource record sets or domains in an IAM policy.

You specify resources in an IAM policy by using Amazon Resource Names (ARNs). ARNs have the following general format:

arn:aws:route53:::resource/ID

The value of resource is one of the following values:

  • healthcheck

  • hostedzone

  • trafficpolicy

  • trafficpolicyinstance

  • delegationset

  • change

ID is the ID of the corresponding resource, as shown in the following examples:

arn:aws:route53:::healthcheck/02ec8401-9879-4259-91fa-example94674
arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::trafficpolicy/2bbf6184-c4e0-4d0a-87f0-example8e290
arn:aws:route53:::trafficpolicyinstance/c117c7e4-88e9-4937-a905-example20ba0
arn:aws:route53:::delegationset/N1PA6795SAMPLE
arn:aws:route53:::change/C2RDJ5EXAMPLE2

You can use a wildcard (*) in place of the ID. The following example specifies all of the hosted zones that are associated with an AWS account:

arn:aws:route53:::hostedzone/*

For more information about ARNs, see IAM ARNs in the IAM User Guide.
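The following Python example is added here and is not part of the Amazon Route 53 Developer Guide. It parses and builds ARNs in the format shown above, restricts the resource type to the six values this section lists, and decides whether a policy Resource value (a bare *, a concrete ARN, or an ARN with * in place of the ID) covers the resource named in a request. The ARN values it is tested with are the examples from this section; the rejected ARN is a constructed one.

```python
import re
from dataclasses import dataclass

# Resource types that can appear in a Route 53 ARN (the list from this section).
# Resource record sets and domains are deliberately absent: they cannot be named
# in an IAM policy.
ROUTE53_RESOURCE_TYPES = frozenset({
    "healthcheck", "hostedzone", "trafficpolicy",
    "trafficpolicyinstance", "delegationset", "change",
})

# arn:aws:route53:::resource/ID  (the region and account fields are empty)
_ARN_RE = re.compile(r"^arn:aws:route53:::([a-z]+)/([^/]+)$")


@dataclass(frozen=True)
class Route53Arn:
    resource_type: str
    resource_id: str   # a concrete ID or "*"

    @property
    def is_wildcard(self) -> bool:
        return self.resource_id == "*"


def parse_route53_arn(arn: str) -> Route53Arn:
    """Parse a Route 53 ARN, rejecting malformed strings and unknown resource types."""
    match = _ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a Route 53 ARN: {arn!r}")
    resource_type, resource_id = match.groups()
    if resource_type not in ROUTE53_RESOURCE_TYPES:
        raise ValueError(f"{resource_type!r} is not a Route 53 resource type: {arn!r}")
    return Route53Arn(resource_type, resource_id)


def build_route53_arn(resource_type: str, resource_id: str = "*") -> str:
    """Build an ARN for a known resource type; the default ID "*" covers every
    resource of that type in the account."""
    if resource_type not in ROUTE53_RESOURCE_TYPES:
        raise ValueError(f"unknown Route 53 resource type {resource_type!r}")
    return f"arn:aws:route53:::{resource_type}/{resource_id}"


def arn_matches(policy_resource: str, request_arn: str) -> bool:
    """True if a policy Resource value covers the concrete resource of a request.

    A bare "*" covers everything. Otherwise the resource types must be equal and
    the policy ID must be "*" or exactly the request's ID (IDs are case-sensitive).
    """
    if policy_resource == "*":
        return True
    policy = parse_route53_arn(policy_resource)
    request = parse_route53_arn(request_arn)
    if request.is_wildcard:
        raise ValueError("a request must name a concrete resource, not a wildcard")
    if policy.resource_type != request.resource_type:
        return False
    return policy.is_wildcard or policy.resource_id == request.resource_id
```

Because the resource type is part of the match, a policy scoped to hostedzone/* never reaches a health check or a change, which is the property to rely on when handing out per-resource-type permissions.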

Amazon Route 53 Actions

To grant or deny permission to perform an Amazon Route 53 operation, specify the name of the corresponding API action in an IAM policy. For example, to grant or deny permission to create hosted zones, add the CreateHostedZone API action to an IAM policy. When you specify an action in an IAM policy, you grant or deny permission to the operation regardless of how a user performs it—for example, by using the Amazon Route 53 console and API, the AWS CLI, any of the AWS SDKs, or AWS Tools for Windows PowerShell.

For a list of Amazon Route 53 action names, see the Amazon Route 53 API Reference.

Actions on Hosted Zones, Resource Record Sets, Traffic Policies, Traffic Policy Instances, Health Checks, and Reusable Delegation Sets

To grant or deny permission to use actions related to hosted zones, resource record sets, traffic policies, traffic policy instances, health checks, and reusable delegation sets, prefix the action name with the following lowercase string:

route53:

For example, you might specify one of the following values:

  • route53:CreateHostedZone

  • route53:GetChange

  • route53:* (for all actions)

Note the following additional requirements:

Private Hosted Zones

If you're working with private hosted zones, the following commands require an additional permission so that your users can access Amazon VPCs:

  • CreateHostedZone

  • AssociateVPCWithHostedZone

To grant permission to create a private hosted zone or associate an Amazon VPC with a private hosted zone, include the following in the IAM policy:

"Action":["ec2:DescribeVpcs"]

Health Checks Based on CloudWatch Alarms

To grant permission to create a health check that is based on a CloudWatch alarm, include the following in the IAM policy:

"Action":["cloudwatch:DescribeAlarms"]

Actions on Domain Registration

To grant or deny permission to use actions related to domain registration, prefix the action name with the following lowercase string:

route53domains:

For example, specify route53domains:CheckDomainAvailability, route53domains:RegisterDomain, or route53domains:* (for all domain-registration actions).

When you grant permission to register domains, you must also grant permission to create hosted zones. When you register a domain, Amazon Route 53 automatically creates a hosted zone for the domain.

Actions on Specific Resources

For most actions on hosted zones, traffic policies, traffic policy instances, health checks, and reusable delegation sets, you can grant or deny permission to act on a resource or a set of resources. In the ARN, you specify either the type of resource and its ID, or the type of resource and a wildcard * for the ID.

Actions on New Resources and on All Resources of the Same Type

The following actions act either on new resources or on all resources of the same type, so an ARN doesn't apply. (When you create a resource such as a hosted zone, the ID hasn't been assigned yet.) For these actions, specify a wildcard (*) for the ID:

Hosted Zones (Public and Private)

  • CreateHostedZone

  • GetHostedZoneCount

  • ListHostedZones

Traffic Policies

  • CreateTrafficPolicy

  • CreateTrafficPolicyVersion

  • ListTrafficPolicies

Traffic Policy Instances

  • CreateTrafficPolicyInstance

  • GetTrafficPolicyInstanceCount

  • ListTrafficPolicyInstances

Health Checks

  • CreateHealthCheck

  • GetCheckerIpRanges

  • GetHealthCheckCount

  • ListHealthChecks

Reusable Delegation Sets

  • CreateReusableDelegationSet

  • ListReusableDelegationSets
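The following Python check is added here and is not part of the Amazon Route 53 Developer Guide. It walks an IAM policy document and reports every statement that pairs one of the actions listed above with a resource-specific ARN; because these actions act on new resources or on all resources of a type, such a statement can never match a request and the intended grant (or denial) is silently lost. The policy it runs on is constructed for the example; the hosted zone ID in it is the one used elsewhere on this page.

```python
# Route 53 actions that act on new resources or on all resources of one type
# (the lists above). They require a Resource of "*" or an ARN whose ID is "*".
NEW_OR_ALL_RESOURCE_ACTIONS = {
    "route53:CreateHostedZone", "route53:GetHostedZoneCount", "route53:ListHostedZones",
    "route53:CreateTrafficPolicy", "route53:CreateTrafficPolicyVersion",
    "route53:ListTrafficPolicies",
    "route53:CreateTrafficPolicyInstance", "route53:GetTrafficPolicyInstanceCount",
    "route53:ListTrafficPolicyInstances",
    "route53:CreateHealthCheck", "route53:GetCheckerIpRanges",
    "route53:GetHealthCheckCount", "route53:ListHealthChecks",
    "route53:CreateReusableDelegationSet", "route53:ListReusableDelegationSets",
}
# IAM compares action names case-insensitively, so normalise once.
_LOWER_ACTIONS = {action.lower() for action in NEW_OR_ALL_RESOURCE_ACTIONS}


def _listify(value):
    """IAM accepts either a string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_resource(resource: str) -> bool:
    """'*' or an ARN whose ID is '*' is what these actions require."""
    return resource == "*" or resource.endswith("/*")


def find_ineffective_statements(policy: dict) -> list:
    """Return (statement index, action, resource) for every pairing of a
    new-resource/all-resources action with a resource-specific ARN.

    Action wildcards such as route53:* are not expanded, so they are never
    reported; the check is about explicitly named actions.
    """
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        for action in _listify(stmt["Action"]):
            if action.lower() not in _LOWER_ACTIONS:
                continue
            for resource in _listify(stmt["Resource"]):
                if not _is_wildcard_resource(resource):
                    findings.append((index, action, resource))
    return findings


# Constructed policy (not from the page): the author meant to let a team create
# zones and edit one zone, but statement 0 scopes CreateHostedZone to a zone ID,
# so the create permission never takes effect.
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["route53:CreateHostedZone", "route53:ChangeResourceRecordSets"],
            "Resource": "arn:aws:route53:::hostedzone/Z148QEXAMPLE8V",
        },
        {
            "Effect": "Allow",
            "Action": ["route53:ListHostedZones"],
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    for index, action, resource in find_ineffective_statements(CONSTRUCTED_POLICY):
        print(f"statement {index}: {action} can never match {resource}")
```

Running this over every policy in a repository before it is applied catches the usual mistake of bundling CreateHostedZone into a statement that is otherwise correctly scoped to one zone.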

Amazon Route 53 Keys

Amazon Route 53 implements only the following policy keys. For more information about policy keys, see Available Keys for Conditions in the IAM User Guide.

AWS-Wide Policy Keys

  • aws:CurrentTime (for date/time conditions)

  • aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)

  • aws:SourceIp (the requester's IP address, for use with IP address conditions)

  • aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated to determine whether access is allowed.

Key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.

Example IAM Policies for Amazon Route 53

This section shows example policies for controlling user access to Amazon Route 53.

Important

The value of the Version element must be the current version of the IAM policy language. For the current version string (a date), see Version in the IAM User Guide.

Example 1: Allow Read Access to All Hosted Zones

This policy allows the group it is attached to (for example, the AllUsers group) read access to all of the hosted zones that are associated with the AWS account.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetHostedZone", 
            "route53:ListResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:ListHostedZones"],
         "Resource":"*"
      }
   ]
}

Example 2: Allow Creation and Deletion of Hosted Zones

This policy allows the group it is attached to (for example, the Managers group) to create and delete hosted zones.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["route53:CreateHostedZone"],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:DeleteHostedZone"],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":["route53:GetChange"],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Example 3: Allow Changes to Resource Record Sets in a Specified Hosted Zone

This policy allows the group it is attached to (for example, a SysAdmins group) to add, delete, and change resource record sets in a specified hosted zone. It also allows the group to request the status of changes.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["route53:ChangeResourceRecordSets"],
         "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"
      },
      {
         "Effect":"Allow",
         "Action":["route53:GetChange"],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}
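The following Python example is added here and is not part of the Amazon Route 53 Developer Guide. It is a deliberately simplified model of the IAM decision for a single request (an explicit Deny wins over any Allow; a request that nothing allows is implicitly denied), applied to Example 3 above, which is embedded verbatim, together with a constructed companion policy that uses the aws:SourceIp key from the Keys section to deny Route 53 actions from outside an assumed office address range (203.0.113.0/24 is a documentation range chosen for the example). Only the IpAddress and NotIpAddress condition operators are modelled; real IAM evaluation has many more rules than this.

```python
import fnmatch
import ipaddress
import json

# Example 3 from this page, embedded so the evaluator runs offline.
SYSADMINS_POLICY = json.loads("""
{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["route53:ChangeResourceRecordSets"],
         "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"
      },
      {
         "Effect":"Allow",
         "Action":["route53:GetChange"],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}
""")

# Constructed companion policy (not from the page): deny every Route 53 action
# unless the request's source IP is inside the assumed office range.
OFFICE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "route53:*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}


def _listify(value):
    """IAM accepts either a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _condition_ok(condition: dict, context: dict) -> bool:
    """Evaluate IpAddress / NotIpAddress conditions on aws:SourceIp.

    Condition key names are compared case-insensitively, as the guide states.
    Other operators and keys are outside this example and raise instead of
    silently passing.
    """
    ctx = {key.lower(): value for key, value in context.items()}
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, ranges in pairs.items():
            if key.lower() != "aws:sourceip":
                raise NotImplementedError(f"key {key} not modelled here")
            if "aws:sourceip" not in ctx:
                raise ValueError("aws:SourceIp missing from the request context")
            ip = ipaddress.ip_address(ctx["aws:sourceip"])
            in_range = any(ip in ipaddress.ip_network(r, strict=False) for r in _listify(ranges))
            # IpAddress needs the address inside a range; NotIpAddress needs it outside.
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policies: list, action: str, resource: str, context: dict = None) -> str:
    """Return "Allow", "Deny" or "ImplicitDeny" for one request.

    Action names match case-insensitively; '*' and '?' wildcards in Action and
    Resource are honoured through fnmatch.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = [a.lower() for a in _listify(stmt["Action"])]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
                continue
            if not _condition_ok(stmt.get("Condition", {}), context or {}):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"   # an explicit Deny ends evaluation
            decision = "Allow"
    return decision
```

The cases worth checking by hand are the ones the prose implies but the JSON does not spell out: ChangeResourceRecordSets on a zone other than Z148QEXAMPLE8V falls through to the implicit deny, DeleteHostedZone is never mentioned and is therefore denied, and attaching the source-IP deny alongside Example 3 does not widen anything, it only narrows where the existing grant can be used from.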

Example 4: Allow Full Access to All Domains (Public Hosted Zones Only)

This policy gives the group that it's attached to (for example, a SysAdmins group) full read and write permissions to all of the domains associated with an AWS account, including permissions to register domains and create hosted zones. When you register a domain, a hosted zone is created at the same time, so a policy that includes permission to register domains also requires permission to create hosted zones. (For domain registration, Amazon Route 53 doesn't support granting or denying permissions to individual resources.)

See the next example for information about permissions that are required to work with private hosted zones.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53domains:*",
            "route53:CreateHostedZone"
         ],
         "Resource":"*"
      }
   ]
}

Example 5: Allow Full Access to the Amazon Route 53 Console

This policy gives the group that it's attached to (for example, a SysAdmins group) full read and write permissions to all functionality in the Amazon Route 53 console.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:*", 
            "route53domains:*",
            "cloudfront:ListDistributions",
            "elasticloadbalancing:DescribeLoadBalancers",
            "s3:ListBucket",
            "ec2:DescribeVpcs",
            "ec2:DescribeRegions",
            "cloudwatch:DescribeAlarms"
         ],
         "Resource":"*"
      }
   ]
}

Here's why each permission is required:

route53:*

Lets you perform all Amazon Route 53 actions except creating and updating alias resource record sets, working with private hosted zones, and working with domains.

route53domains:*

Lets you work with domains.

Important

If you list route53 actions individually, you must include route53:CreateHostedZone to work with domains. When you register a domain, a hosted zone is created at the same time, so a policy that includes permission to register domains also requires permission to create hosted zones.

For domain registration, Amazon Route 53 doesn't support granting or denying permissions to individual resources.

cloudfront:ListDistributions

Lets you create and update alias resource record sets for which the value of Alias Target is a CloudFront distribution.

This permission isn't required if you're using only the Amazon Route 53 API. Amazon Route 53 uses it only to get a list of distributions for display in the console.

elasticloadbalancing:DescribeLoadBalancers

Lets you create and update alias resource record sets for which the value of Alias Target is an ELB load balancer.

This permission isn't required if you're using only the Amazon Route 53 API. Amazon Route 53 uses it only to get a list of load balancers for display in the console.

s3:ListBucket

Lets you create and update alias resource record sets for which the value of Alias Target is an Amazon S3 bucket.

This permission isn't required if you're using only the Amazon Route 53 API. Amazon Route 53 uses it only to get a list of buckets for display in the console.

ec2:DescribeVpcs and ec2:DescribeRegions

Let you work with private hosted zones.

cloudwatch:DescribeAlarms

Lets you create CloudWatch metric health checks.