Menu
Amazon Route 53
Developer Guide (API Version 2013-04-01)

Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference

When you set up Access Control and write a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following lists as a reference. The lists include each Amazon Route 53 API action, the actions that you must grant permissions access to, and the AWS resource that you must grant access to. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your Amazon Route 53 policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the applicable prefix route53:, route53domains, or servicediscovery) followed by the API operation name, for example:

  • route53:CreateHostedZone

  • route53domains:RegisterDomain

  • servicediscovery:CreatePublicDnsNamespace

Required Permissions for Actions on Public Hosted Zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone

Resources: *

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required Permissions for Actions on Private Hosted Zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions

Resources: *, arn:aws:ec2::optional account id:*

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

AssociateVPCWithHostedZone

Required Permissions (API Action): route53:AssociateVPCWithHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

DisassociateVPCFromHostedZone

Required Permissions (API Action): route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required Permissions for Actions on Reusable Delegation Sets

CreateReusableDelegationSet

Required Permissions (API Action): route53:CreateReusableDelegationSet

Resources: *

DeleteReusableDelegationSet

Required Permissions (API Action): route53:DeleteReusableDelegationSet

Resources: *

GetReusableDelegationSet

Required Permissions (API Action): route53:GetReusableDelegationSet

Resources: *

ListReusableDelegationSets

Required Permissions (API Action): route53:ListReusableDelegationSets

Resources: *

Required Permissions for Actions on Resource Record Sets

ChangeResourceRecordSets

Required Permissions (API Action): route53:ChangeResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID/rrset

GetChange

Required Permissions (API Action): route53:GetChange

Resources: *

GetGeoLocation

Required Permissions (API Action): None

Resources: None

ListGeoLocations

Required Permissions (API Action): None

Resources: None

ListResourceRecordSets

Required Permissions (API Action): route53:ListResourceRecordSets

Resources: *

Required Permissions for Actions on Traffic Policies

CreateTrafficPolicy

Required Permissions (API Action): route53:CreateTrafficPolicy

Resources: *

CreateTrafficPolicyVersion

Required Permissions (API Action): route53:CreateTrafficPolicyVersion

Resources: *

DeleteTrafficPolicy

Required Permissions (API Action): route53:DeleteTrafficPolicy

Resources: *

GetTrafficPolicy

Required Permissions (API Action): route53:GetTrafficPolicy

Resources: *

ListTrafficPolicies

Required Permissions (API Action): route53:ListTrafficPolicies

Resources: *

ListTrafficPolicyVersions

Required Permissions (API Action): route53:ListTrafficPolicyVersions

Resources: *

UpdateTrafficPolicyComment

Required Permissions (API Action): route53:UpdateTrafficPolicyComment

Resources: *

Required Permissions for Actions on Traffic Policy Instances

CreateTrafficPolicyInstance

Required Permissions (API Action): route53:CreateTrafficPolicyInstance

Resources: *

DeleteTrafficPolicyInstance

Required Permissions (API Action): route53:DeleteTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstance

Required Permissions (API Action): route53:GetTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstanceCount

Required Permissions (API Action): route53:GetTrafficPolicyInstanceCount

Resources: *

ListTrafficPolicyInstances

Required Permissions (API Action): route53:ListTrafficPolicyInstances

Resources: *

ListTrafficPolicyInstancesByHostedZone

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByHostedZone

Resources: *

ListTrafficPolicyInstancesByPolicy

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByPolicy

Resources: *

UpdateTrafficPolicyInstance

Required Permissions (API Action): route53:UpdateTrafficPolicyInstance

Resources: *

Required Permissions for Actions on Health Checks

CreateHealthCheck

Required Permissions (API Action): route53:CreateHealthCheck

Resources: *

DeleteHealthCheck

Required Permissions (API Action): route53:DeleteHealthCheck

Resources: *

GetCheckerIpRanges

Required Permissions (API Action): route53:GetCheckerIpRanges

Resources: *

GetHealthCheck

Required Permissions (API Action): route53:GetHealthCheck

Resources: *

GetHealthCheckCount

Required Permissions (API Action): route53:GetHealthCheckCount

Resources: *

GetHealthCheckLastFailureReason

Required Permissions (API Action): route53:GetHealthCheckLastFailureReason

Resources: *

GetHealthCheckStatus

Required Permissions (API Action): route53:GetHealthCheckStatus

Resources: *

ListHealthChecks

Required Permissions (API Action): route53:ListHealthChecks

Resources: *

UpdateHealthCheck

Required Permissions (API Action): route53:UpdateHealthCheck

Resources: *

Required Permissions for Actions on Domain Registrations

AddDnssec (console only)

Required Permissions (API Action): route53domains:AddDnssec

Resources: *

CheckDomainAvailability

Required Permissions (API Action): route53domains:CheckDomainAvailability

Resources: *

DeleteDomain (console only)

Required Permissions (API Action): route53domains:DeleteDomain

Resources: *

DisableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

DisableDomainTransferLock

Required Permissions (API Action): route53domains:DisableDomainTransferLock

Resources: *

EnableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

EnableDomainTransferLock

Required Permissions (API Action): route53domains:EnableDomainTransferLock

Resources: *

GetContactReachabilityStatus

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetDomainDetail

Required Permissions (API Action): route53domains:GetDomainDetail

Resources: *

GetDomainSuggestions

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetOperationDetail

Required Permissions (API Action): route53domains:GetOperationDetail

Resources: *

ListDnssec (console only)

Required Permissions (API Action): route53domains:ListDnssec

Resources: *

ListDomains

Required Permissions (API Action): route53domains:ListDomains

Resources: *

ListOperations

Required Permissions (API Action): route53domains:ListOperations

Resources: *

RegisterDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

RemoveDnssec (console only)

Required Permissions (API Action): route53domains:RemoveDnssec

Resources: *

RenewDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

ResendContactReachabilityEmail

Required Permissions (API Action): route53domains:ListDomains

Resources: *

RetrieveDomainAuthCode

Required Permissions (API Action): route53domains:RetrieveDomainAuthCode

Resources: *

TransferDomain

Required Permissions (API Action): route53domains:TransferDomain

Resources: *

UpdateDomainContact

Required Permissions (API Action): route53domains:UpdateDomainContact

Resources: *

UpdateDomainContactPrivacy

Required Permissions (API Action): route53domains:UpdateDomainContactPrivacy

Resources: *

UpdateDomainNameservers

Required Permissions (API Action): route53domains:UpdateDomainNameservers

Resources: *

ViewBilling

Required Permissions (API Action): route53domains:ViewBilling

Resources: *

Required Permissions for Service Discovery Actions

CreatePrivateDnsNamespace

Required Permissions (API Action):

  • servicediscovery:CreatePrivateDnsNamespace

  • route53:CreateHostedZone

  • route53:GetHostedZone

  • route53:ListHostedZonesByName

  • ec2:DescribeVpcs

  • ec2:DescribeRegions

Resources: *

CreatePublicDnsNamespace

Required Permissions (API Action):

  • servicediscovery:CreatePublicDnsNamespace

  • route53:CreateHostedZone

  • route53:GetHostedZone

  • route53:ListHostedZonesByName

Resources: *

CreateService

Required Permissions (API Action): servicediscovery:CreateService

Resources: *

DeleteNamespace

Required Permissions (API Action):

  • servicediscovery:DeleteNamespace

  • route53:DeleteHostedZone

Resources: *

DeleteService

Required Permissions (API Action): servicediscovery:DeleteService

Resources: *

DeregisterInstance

Required Permissions (API Action):

  • servicediscovery:DeregisterInstance

  • route53:GetHealthCheck

  • route53:DeleteHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

Resources: *

GetInstance

Required Permissions (API Action): servicediscovery:GetInstance

Resources: *

GetInstancesHealthStatus

Required Permissions (API Action): servicediscovery:GetInstancesHealthStatus

Resources: *

GetNamespace

Required Permissions (API Action): servicediscovery:GetNamespace

Resources: *

GetOperation

Required Permissions (API Action): servicediscovery:GetOperation

Resources: *

GetService

Required Permissions (API Action): servicediscovery:GetService

Resources: *

ListInstances

Required Permissions (API Action): servicediscovery:ListInstances

Resources: *

ListNamespaces

Required Permissions (API Action): servicediscovery:ListNamespaces

Resources: *

ListOperations

Required Permissions (API Action): servicediscovery:ListOperations

Resources: *

ListServices

Required Permissions (API Action): servicediscovery:ListServices

Resources: *

RegisterInstance

Required Permissions (API Action):

  • servicediscovery:RegisterInstance

  • route53:GetHealthCheck

  • route53:CreateHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

Resources: *

UpdateService

Required Permissions (API Action):

  • servicediscovery:UpdateService

  • route53:GetHealthCheck

  • route53:CreateHealthCheck

  • route53:DeleteHealthCheck

  • route53:UpdateHealthCheck

  • route53:ChangeResourceRecordSets

Resources: *

Required Permissions for Actions to Get Limits for Accounts, Hosted Zones, and Reusable Delegation Sets

GetAccountLimit

Required Permissions (API Action): route53:GetAccountLimit

Resources: *

GetHostedZoneLimit

Required Permissions (API Action): route53:GetHostedZoneLimit

Resources: *

GetReusableDelegationSetLimit

Required Permissions (API Action): route53:GetReusableDelegationSetLimit

Resources: *

Required Permissions for Actions on Tags for Hosted Zones and Health Checks

ChangeTagsForResource

Required Permissions (API Action): route53:ChangeTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResource

Required Permissions (API Action): route53:ListTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResources

Required Permissions (API Action): route53:ListTagsForResources

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

Required Permissions for Actions on Tags for Domains

DeleteTagsForDomain

Required Permissions (API Action): route53domains:DeleteTagsForDomain

Resources: *

ListTagsForDomain

Required Permissions (API Action): route53domains:ListTagsForDomain

Resources: *

UpdateTagsForDomain

Required Permissions (API Action): route53domains:UpdateTagsForDomain

Resources: *