Amazon Route 53
Developer Guide (API Version 2013-04-01)

Using Identity-Based Policies (IAM Policies) for Amazon Route 53

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Amazon Route 53 resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options to manage access to your Amazon Route 53 resources. For more information, see Overview of Managing Access Permissions to Your Amazon Route 53 Resources.

The following example shows a permissions policy. The Sid, or statement ID, is optional:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicHostedZonePermissions",
            "Effect": "Allow",
            "Action": [
                "route53:CreateHostedZone",
                "route53:UpdateHostedZoneComment",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:DeleteHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets",
                "route53:GetHostedZoneCount",
                "route53:ListHostedZonesByName"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowHealthCheckPermissions",
            "Effect": "Allow",
            "Action": [
                "route53:CreateHealthCheck",
                "route53:UpdateHealthCheck",
                "route53:GetHealthCheck",
                "route53:ListHealthChecks",
                "route53:DeleteHealthCheck",
                "route53:GetCheckerIpRanges",
                "route53:GetHealthCheckCount",
                "route53:GetHealthCheckStatus",
                "route53:GetHealthCheckLastFailureReason"
            ],
            "Resource": "*"
        }
    ]
}

The policy includes two statements:

  • The first statement grants permissions to the actions that are required to create and manage public hosted zones and their resource record sets. The wildcard character (*) in the Amazon Resource Name (ARN) grants access to all the hosted zones that are owned by the current AWS account.

  • The second statement grants permissions to all the actions that are required to create and manage health checks.

For a list of actions and the ARN that you specify to grant or deny permission to use each action, see Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference.

Permissions Required to Use the Amazon Route 53 Console

To grant full access to the Amazon Route 53 console, you grant the permissions in the following permissions policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:*",
                "route53domains:*",
                "cloudfront:ListDistributions",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticbeanstalk:DescribeEnvironments",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketWebsiteConfiguration",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sns:CreateTopic",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}

Here's why the permissions are required:

route53:*

Lets you perform all Amazon Route 53 actions except the following:

  • Create and update alias resource record sets for which the value of Alias Target is a CloudFront distribution, an Elastic Load Balancing load balancer, an Elastic Beanstalk environment, or an Amazon S3 bucket. (With these permissions, you can create alias resource record sets for which the value of Alias Target is another resource record set in the same hosted zone.)

  • Work with private hosted zones.

  • Work with domains.

  • Create, delete, and view CloudWatch alarms.

  • Render CloudWatch metrics in the Amazon Route 53 console.

route53domains:*

Lets you work with domains.

Important

If you list route53 actions individually, you must include route53:CreateHostedZone to work with domains. When you register a domain, a hosted zone is created at the same time, so a policy that includes permissions to register domains also requires permission to create hosted zones.

For domain registration, Amazon Route 53 doesn't support granting or denying permissions to individual resources.

cloudfront:ListDistributions

Lets you create and update alias resource record sets for which the value of Alias Target is a CloudFront distribution.

This permission isn't required if you aren't using the Amazon Route 53 console; Amazon Route 53 uses it only to get a list of distributions to display in the console.

elasticloadbalancing:DescribeLoadBalancers

Lets you create and update alias resource record sets for which the value of Alias Target is an ELB load balancer.

This permission isn't required if you aren't using the Amazon Route 53 console; Amazon Route 53 uses it only to get a list of load balancers to display in the console.

elasticbeanstalk:DescribeEnvironments

Lets you create and update alias resource record sets for which the value of Alias Target is an Elastic Beanstalk environment.

This permission isn't required if you aren't using the Amazon Route 53 console; Amazon Route 53 uses it only to get a list of environments to display in the console.

s3:ListBucket, s3:GetBucketLocation, and s3:GetBucketWebsiteConfiguration

Let you create and update alias resource record sets for which the value of Alias Target is an Amazon S3 bucket. (You can create an alias to an Amazon S3 bucket only if the bucket is configured as a website endpoint; s3:GetBucketWebsiteConfiguration gets the required configuration information.)

These permissions aren't required if you aren't using the Amazon Route 53 console; Amazon Route 53 uses them only to get a list of buckets to display in the console.

ec2:DescribeVpcs and ec2:DescribeRegions

Let you work with private hosted zones.

sns:ListTopics, sns:ListSubscriptionsByTopic, sns:CreateTopic, cloudwatch:DescribeAlarms, cloudwatch:PutMetricAlarm, cloudwatch:DeleteAlarms

Let you create, delete, and view CloudWatch alarms.

cloudwatch:GetMetricStatistics

Lets you create CloudWatch metric health checks.

This permission isn't required if you aren't using the Amazon Route 53 console; Amazon Route 53 uses it only to get statistics to display in the console.

AWS Managed (Predefined) Policies for Amazon Route 53

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide. For Amazon Route 53, IAM provides four managed policies:

  • AmazonRoute53FullAccess – Grants full access to Amazon Route 53 resources.

  • AmazonRoute53ReadOnlyAccess – Grants read-only access to Amazon Route 53 resources.

  • AmazonRoute53DomainsFullAccess – Grants full access to Amazon Route 53 domain registration resources.

  • AmazonRoute53DomainsReadOnlyAccess – Grants read-only access to Amazon Route 53 domain registration resources.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there. You can also create your own custom IAM policies to allow permissions for Amazon Route 53 API operations. You can attach these custom policies to the IAM users or groups that require those permissions.

Customer Managed Policy Examples

You can create your own custom IAM policies to allow permissions for Amazon Route 53 actions. You can attach these custom policies to the IAM users or groups that require the specified permissions. These policies work when you are using the Amazon Route 53 API, the AWS SDKs, or the AWS CLI. The following examples show permissions for several common use cases. For the policy that grants a user full access to Amazon Route 53, see Permissions Required to Use the Amazon Route 53 Console.

Example 1: Allow Read Access to All Hosted Zones

The following permissions policy grants the user permissions to list all hosted zones and view all the resource record sets in a hosted zone.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:ListHostedZones"],
            "Resource": "*"
        }
    ]
}

Example 2: Allow Creation and Deletion of Hosted Zones

The following permissions policy allows users to create and delete hosted zones, and to track the progress of the change.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["route53:CreateHostedZone"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:DeleteHostedZone"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:GetChange"],
            "Resource": "*"
        }
    ]
}

Example 3: Allow Changes to Resource Record Sets in a Specified Hosted Zone

The following permissions policy allows users to use the Amazon Route 53 console to add, change, and delete resource record sets in a specified hosted zone:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["route53:ListHostedZones"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:GetHostedZone"],
            "Resource": "arn:aws:route53:::hostedzone/hosted zone id"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:ListResourceRecordSets"],
            "Resource": "arn:aws:route53:::hostedzone/hosted zone id"
        },
        {
            "Effect": "Allow",
            "Action": ["route53:ChangeResourceRecordSets"],
            "Resource": "arn:aws:route53:::hostedzone/hosted zone id"
        }
    ]
}

Example 4: Allow Full Access to All Domains (Public Hosted Zones Only)

The following permissions policy allows users to perform all actions on domain registrations, including permissions to register domains and create hosted zones.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53domains:*",
                "route53:CreateHostedZone"
            ],
            "Resource": "*"
        }
    ]
}

When you register a domain, a hosted zone is created at the same time, so a policy that includes permissions to register domains also requires permissions to create hosted zones. (For domain registration, Amazon Route 53 doesn't support granting permissions to individual resources.)
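As an added example (not code from the AWS documentation), the following Python evaluates this page's policies offline for the simple Allow/Deny cases: it shows how Example 3 confines ChangeResourceRecordSets to one hosted zone while implicitly denying every other zone, and checks the rule above that a domain-registration policy must also grant route53:CreateHostedZone. The zone ID Z0EXAMPLE1 and the DOMAINS_ONLY policy are constructed for illustration; Condition, NotAction and NotResource are not modelled.

```python
import fnmatch
import json

# Example 3 from the page, with a constructed zone ID (Z0EXAMPLE1) in place of "hosted zone id".
EXAMPLE_3 = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["route53:ListHostedZones"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets",
                                 "route53:ChangeResourceRecordSets"],
   "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE1"}]}
""")

# Example 4 from the page, and a constructed variant that omits route53:CreateHostedZone.
EXAMPLE_4 = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["route53domains:*", "route53:CreateHostedZone"], "Resource": "*"}]}
""")
DOMAINS_ONLY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["route53domains:*"], "Resource": "*"}]}
""")


def _matches(patterns, value, casefold=False):
    """IAM-style wildcard match ('*' and '?'). Action names are case-insensitive; ARNs are not."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if casefold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins over any Allow, and a request
    matched by no statement is implicitly denied. Condition, NotAction and NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, casefold=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_create_hosted_zone(policy):
    """The rule from the console-permissions section: granting domain registration without
    route53:CreateHostedZone fails when registration creates the hosted zone. The page's policies
    grant both actions with Resource "*", so that is the resource checked here."""
    return (is_allowed(policy, "route53domains:RegisterDomain", "*")
            and not is_allowed(policy, "route53:CreateHostedZone", "*"))
```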

For information about permissions that are required to work with private hosted zones, see Permissions Required to Use the Amazon Route 53 Console.