Menu
Amazon Route 53
Developer Guide (API Version 2013-04-01)

Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following tables as a reference. The tables list each Amazon Route 53 API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS wide condition keys in your Amazon Route 53 policies to express conditions. For a complete list of AWS wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the applicable prefix (route53: or route53domains) followed by the API operation name (for example, route53:CreateHostedZone or route53domains:RegisterDomain).

Required Permissions for Actions on Public Hosted Zones

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

CreateHostedZone

route53:CreateHostedZone

*

DeleteHostedZone

route53:DeleteHostedZone

*

GetHostedZone

route53:GetHostedZone

*

GetHostedZoneCount

route53:GetHostedZoneCount

*

ListHostedZones

route53:ListHostedZones

*

ListHostedZonesByName

route53:ListHostedZonesByName

*

UpdateHostedZoneComment

route53:UpdateHostedZoneComment

*

Required Permissions for Actions on Private Hosted Zones

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

CreateHostedZone

route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions

*, arn:aws:ec2::optional account id:*

DeleteHostedZone

route53:DeleteHostedZone

*

AssociateVPCWithHostedZone

route53:AssociateHostedZoneWithVPC, ec2:DescribeVpcs

*, arn:aws:ec2::optional account id:*

DisassociateVPCFromHostedZone

route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs

*, arn:aws:ec2::optional account id:*

GetHostedZone

route53:GetHostedZone

*

GetHostedZoneCount

route53:GetHostedZoneCount

*

ListHostedZones

route53:ListHostedZones

*

ListHostedZonesByName

route53:ListHostedZonesByName

*

UpdateHostedZoneComment

route53:UpdateHostedZoneComment

*

Required Permissions for Actions on Reusable Delegation Sets

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

CreateReusableDelegationSet

route53:CreateReusableDelegationSet

*

DeleteReusableDelegationSet

route53:DeleteReusableDelegationSet

*

GetReusableDelegationSet">

route53:GetReusableDelegationSet

*

ListReusableDelegationSets

route53:ListReusableDelegationSets

*

Required Permissions for Actions on Resource Record Sets

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

ChangeResourceRecordSets

route53:ChangeResourceRecordSets

arn:aws:route53:::hostedzone/hosted zone ID

GetChange

route53:GetChange

*

GetGeoLocation

None

None

ListGeoLocations

None

None

ListResourceRecordSets

route53:ListResourceRecordSets

*

Required Permissions for Actions on Traffic Policies

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

CreateTrafficPolicy

route53:CreateTrafficPolicy

*

CreateTrafficPolicyVersion

route53:CreateTrafficPolicyVersion

*

DeleteTrafficPolicy

route53:DeleteTrafficPolicy

*

GetTrafficPolicy

route53:GetTrafficPolicy

*

ListTrafficPolicies

route53:ListTrafficPolicies

*

ListTrafficPolicyVersions

route53:ListTrafficPolicyVersions

*

UpdateTrafficPolicyComment

route53:UpdateTrafficPolicyComment

*

Required Permissions for Actions on Traffic Policy Instances

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

CreateTrafficPolicyInstance

route53:CreateTrafficPolicyInstance

*

DeleteTrafficPolicyInstance

route53:DeleteTrafficPolicyInstance

*

GetTrafficPolicyInstance

route53:GetTrafficPolicyInstance

*

GetTrafficPolicyInstanceCount

route53:GetTrafficPolicyInstanceCount

*

ListTrafficPolicyInstances

route53:ListTrafficPolicyInstances

*

ListTrafficPolicyInstancesByHostedZone

route53:ListTrafficPolicyInstancesByHostedZone

*

ListTrafficPolicyInstancesByPolicy

route53:ListTrafficPolicyInstancesByPolicy

*

UpdateTrafficPolicyInstance

route53:UpdateTrafficPolicyInstance

*

Required Permissions for Actions on Health Checks

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

CreateHealthCheck

route53:CreateHealthCheck

*

DeleteHealthCheck

route53:DeleteHealthCheck

*

GetCheckerIpRanges

route53:GetCheckerIpRanges

*

GetHealthCheck

route53:GetHealthCheck

*

GetHealthCheckCount

route53:GetHealthCheckCount

*

GetHealthCheckLastFailureReason

route53:GetHealthCheckLastFailureReason

*

GetHealthCheckStatus

route53:GetHealthCheckStatus

*

ListHealthChecks

route53:ListHealthChecks

*

UpdateHealthCheck

route53:UpdateHealthCheck

*

Required Permissions for Actions on Domain Registrations

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

AddDnssec (console only)

route53domains:AddDnssec

*

CheckDomainAvailability

route53domains:CheckDomainAvailability

*

DeleteDomain (console only)

route53domains:DeleteDomain

*

DisableDomainAutoRenew

route53domains:ChangeAutoRenew

*

DisableDomainTransferLock

route53domains:DisableDomainTransferLock

*

EnableDomainAutoRenew

route53domains:ChangeAutoRenew

*

EnableDomainTransferLock

route53domains:EnableDomainTransferLock

*

GetContactReachabilityStatus

route53domains:ListDomains

*

GetDomainDetail

route53domains:GetDomainDetail

*

GetDomainSuggestions

route53domains:ListDomains

*

GetOperationDetail

route53domains:GetOperationDetail

*

ListDnssec (console only)

route53domains:ListDnssec

*

ListDomains

route53domains:ListDomains

*

ListOperations

route53domains:ListOperations

*

RegisterDomain

route53domains:RegisterDomain

*

RemoveDnssec (console only)

route53domains:RemoveDnssec

*

RenewDomain

route53domains:RenewDomain

*

ResendContactReachabilityEmail

route53domains:ListDomains

*

RetrieveDomainAuthCode

route53domains:RetrieveDomainAuthCode

*

TransferDomain

route53domains:TransferDomain

*

UpdateDomainContact

route53domains:UpdateDomainContact

*

UpdateDomainContactPrivacy

route53domains:UpdateDomainContactPrivacy

*

UpdateDomainNameservers

route53domains:UpdateDomainNameservers

*

ViewBilling

route53domains:ViewBilling

*

Required Permissions for Actions on Tags for Hosted Zones and Health Checks

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

ChangeTagsForResource

route53:ChangeTagsForResource

arn:aws:route53:::healthcheck/*

arn:aws:route53:::hostedzone/*

ListTagsForResource

route53:ListTagsForResource

arn:aws:route53:::healthcheck/*

arn:aws:route53:::hostedzone/*

ListTagsForResources

route53:ListTagsForResources

arn:aws:route53:::healthcheck/*

arn:aws:route53:::hostedzone/*

Required Permissions for Actions on Tags for Domains

Amazon Route 53 API Operations Required Permissions (API Actions) Resources

DeleteTagsForDomain

route53domains:DeleteTagsForDomain

*

ListTagsForDomain

route53domains:ListTagsForDomain

*

UpdateTagsForDomain

route53domains:UpdateTagsForDomain

*