Amazon Route 53
Developer Guide (API Version 2013-04-01)

Using IAM to Control Access to Amazon Route 53 Resources

Amazon Route 53 integrates with AWS Identity and Access Management (IAM) so that you can specify which Amazon Route 53 API actions a User can perform on which Amazon Route 53 resources. For example, you can create an IAM policy that gives certain Users in your organization permission to update resource record sets of specific hosted zones that your organization owns.

Important

Using Amazon Route 53 with IAM doesn't change how you use Amazon Route 53. There are no changes to Amazon Route 53 actions.

For an example of a policy that covers Amazon Route 53 actions, see Example IAM Policies for Amazon Route 53.

Amazon Route 53 ARNs

You can specify two types of Amazon Route 53 resources in an IAM policy: hosted zones and changes. Amazon Route 53 Amazon Resource Names (ARNs) have the following general format:

arn:aws:route53:::resource/ID

Resource is either hostedzone or change, and ID is the ID of the hosted zone or the change.

The following are examples of a hosted zone ARN and a change ARN, respectively.

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2

You can use a wildcard (*) in place of the ID. For example, the following ARN specifies all hosted zones owned by the AWS account.

arn:aws:route53:::hostedzone/*

For more information about ARNs, go to ARNs at Identifiers for IAM Entities in Using IAM.

Amazon Route 53 Actions

Currently, all Amazon Route 53 API actions can be referred to in an IAM policy. Each action name must be prefixed with the lowercase string route53:. For example: route53:CreateHostedZone, route53:GetChange or route53:* (for all actions).

Most actions can be authorized to act on a specific resource, or on a set of resources by using a wildcard ARN. However, because the CreateHostedZone and ListHostedZones actions do not act on a specific resource, statements for these actions must specify * as the resource; a statement that scopes either of them to a hostedzone ARN never matches a request and therefore grants nothing. For a list of Amazon Route 53 actions, refer to the API action names in the Amazon Route 53 API Reference.

Amazon Route 53 Keys

Amazon Route 53 implements the following policy keys, but no others. For more information about policy keys, go to Available Keys in Condition at Element Descriptions in Using Identity and Access Management.

AWS-Wide Policy Keys

  • aws:CurrentTime (for date/time conditions)

  • aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)

  • aws:SecureTransport (Boolean representing whether the request was sent using SSL)

  • aws:SourceIp (the requester's IP address, for use with IP address conditions)

  • aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, we evaluate the instance's public IP address to determine if access is allowed.

For services that accept requests only over SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key is always true, so a condition on it has no effect.

The key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.

Example IAM Policies for Amazon Route 53

This section shows three simple policies for controlling User access to Amazon Route 53. In the future, Amazon Route 53 might add new actions that logically belong in one of the following policies; review such additions against each policy's stated goal.

Important

The value of the Version element must be the current version of the IAM policy language. For the current version string, see Version in the IAM Policy Elements Reference in Using IAM.

Example 1: Allow Users read access to all hosted zones

This policy allows the group it is attached to (for example, the AllUsers group) read access to all of the AWS Account's hosted zones.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetHostedZone", 
            "route53:ListResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:ListHostedZones"
         ],
         "Resource":"*"
      }
   ]
}

Example 2: Allow creation and deletion of hosted zones

This policy allows the group it is attached to (for example, the Managers group) to create and delete hosted zones, and to check the status of those changes with GetChange. CreateHostedZone does not act on an existing resource, so its statement must use * as the resource; DeleteHostedZone acts on a hosted zone, so its statement is scoped to hosted zone ARNs, not change ARNs.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:CreateHostedZone"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:DeleteHostedZone"
         ],
         "Resource":"arn:aws:route53:::hostedzone/*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetChange"
         ],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Example 3: Allow modifications to a specific zone

This policy allows the group it is attached to (for example, a SysAdmins group) to make modifications to a specific zone. It also allows the group to query the status of the change.

{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "route53:ChangeResourceRecordSets"
         ],
         "Resource":"arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"
      },
      {
         "Effect":"Allow",
         "Action":[
            "route53:GetChange"
         ],
         "Resource":"arn:aws:route53:::change/*"
      }
   ]
}
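The following Python script is an added example, not part of this guide and not an AWS library: it is a minimal offline evaluator for the subset of the policy language used on this page (Effect, Action and Resource with wildcards, plus the aws:SourceIp key from the Amazon Route 53 Keys section), run against Example 3 and two variants. It shows why scoping CreateHostedZone to a hostedzone ARN grants nothing, that action names match case-insensitively while ARNs do not, and what a SourceIp condition does when the request carries no source address. The office range 203.0.113.0/24, the zone ID Z2OTHERZONE and the request addresses are constructed for this example; the zone and change IDs Z148QEXAMPLE8V and C2RDJ5EXAMPLE2 are the guide's own.

```python
"""Offline evaluator for the Route 53 IAM policies on this page (added illustration,
not AWS code). It models only what these examples need: Effect, Action and Resource
with '*' / '?' wildcards, and the IpAddress / NotIpAddress operators on aws:SourceIp."""
import fnmatch
import ipaddress

def route53_arn(resource_type, resource_id="*"):
    """Build arn:aws:route53:::resource/ID as the guide describes ('*' = every ID)."""
    if resource_type not in ("hostedzone", "change"):
        raise ValueError(f"unknown Route 53 resource type: {resource_type}")
    return f"arn:aws:route53:::{resource_type}/{resource_id}"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, value, case_sensitive=True):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    pats = _as_list(patterns)
    if not case_sensitive:
        pats, value = [p.lower() for p in pats], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, context):
    """IP operators only; condition key names are case-insensitive, as the guide notes."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"operator not modelled here: {operator}")
        for key, cidrs in pairs.items():
            value = ctx.get(key.lower())
            if value is None:  # key absent from the request: the condition cannot hold
                return False
            in_range = any(ipaddress.ip_address(value) in ipaddress.ip_network(c)
                           for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Example 3 from this page: modify one zone and query the status of any change.
SYSADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": "arn:aws:route53:::hostedzone/Z148QEXAMPLE8V"},
    {"Effect": "Allow", "Action": ["route53:GetChange"],
     "Resource": "arn:aws:route53:::change/*"}]}

# The same grant with an aws:SourceIp condition. The 203.0.113.0/24 "office"
# range is an assumption for this example (RFC 5737 documentation addresses).
OFFICE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": "arn:aws:route53:::hostedzone/Z148QEXAMPLE8V",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

# A common mistake: scoping CreateHostedZone to a hosted-zone ARN. The request
# carries no resource ("*"), so this statement can never match anything.
MISSCOPED_CREATE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:CreateHostedZone",
     "Resource": "arn:aws:route53:::hostedzone/*"}]}

def demo():
    """Run sample requests through the policies (zone and change IDs are the guide's)."""
    zone = route53_arn("hostedzone", "Z148QEXAMPLE8V")
    other_zone = route53_arn("hostedzone", "Z2OTHERZONE")  # constructed ID
    change = route53_arn("change", "C2RDJ5EXAMPLE2")
    edit = "route53:ChangeResourceRecordSets"
    office, elsewhere = {"AWS:sourceip": "203.0.113.10"}, {"aws:SourceIp": "198.51.100.7"}
    return {
        "edit_own_zone": is_allowed(SYSADMIN_POLICY, edit, zone),
        "edit_other_zone": is_allowed(SYSADMIN_POLICY, edit, other_zone),
        "get_change_any_case": is_allowed(SYSADMIN_POLICY, "route53:getchange", change),
        "delete_zone": is_allowed(SYSADMIN_POLICY, "route53:DeleteHostedZone", zone),
        "edit_from_office": is_allowed(OFFICE_ONLY_POLICY, edit, zone, office),
        "edit_from_elsewhere": is_allowed(OFFICE_ONLY_POLICY, edit, zone, elsewhere),
        "edit_no_source_ip": is_allowed(OFFICE_ONLY_POLICY, edit, zone),
        "misscoped_create": is_allowed(MISSCOPED_CREATE, "route53:CreateHostedZone", "*"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {'ALLOW' if verdict else 'DENY'}")
```

Run it directly to print an ALLOW/DENY line for each sample request. A table like this is a reasonable pre-flight check for a policy you are about to attach, but it is not the IAM engine: it ignores NotAction, NotResource, policy variables and every condition operator other than the two IP operators, and it says nothing about other policies attached to the same principal.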