Menu
Amazon Route 53
Developer Guide (API Version 2013-04-01)

Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following tables as a reference. The tables list each Amazon Route 53 API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS wide condition keys in your Amazon Route 53 policies to express conditions. For a complete list of AWS wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the applicable prefix (route53: or route53domains) followed by the API operation name (for example, route53:CreateHostedZone or route53domains:RegisterDomain).

Required Permissions for Actions on Public Hosted Zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone

Resources: *

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required Permissions for Actions on Private Hosted Zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions

Resources: *, arn:aws:ec2::optional account id:*

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

AssociateVPCWithHostedZone

Required Permissions (API Action): route53:AssociateVPCWithHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

DisassociateVPCFromHostedZone

Required Permissions (API Action): route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required Permissions for Actions on Reusable Delegation Sets

CreateReusableDelegationSet

Required Permissions (API Action): route53:CreateReusableDelegationSet

Resources: *

DeleteReusableDelegationSet

Required Permissions (API Action): route53:DeleteReusableDelegationSet

Resources: *

GetReusableDelegationSet

Required Permissions (API Action): route53:GetReusableDelegationSet

Resources: *

ListReusableDelegationSets

Required Permissions (API Action): route53:ListReusableDelegationSets

Resources: *

Required Permissions for Actions on Resource Record Sets

ChangeResourceRecordSets

Required Permissions (API Action): route53:ChangeResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID/rrset

GetChange

Required Permissions (API Action): route53:GetChange

Resources: *

GetGeoLocation

Required Permissions (API Action): None

Resources: None

ListGeoLocations

Required Permissions (API Action): None

Resources: None

ListResourceRecordSets

Required Permissions (API Action): route53:ListResourceRecordSets

Resources: *

Required Permissions for Actions on Traffic Policies

CreateTrafficPolicy

Required Permissions (API Action): route53:CreateTrafficPolicy

Resources: *

CreateTrafficPolicyVersion

Required Permissions (API Action): route53:CreateTrafficPolicyVersion

Resources: *

DeleteTrafficPolicy

Required Permissions (API Action): route53:DeleteTrafficPolicy

Resources: *

GetTrafficPolicy

Required Permissions (API Action): route53:GetTrafficPolicy

Resources: *

ListTrafficPolicies

Required Permissions (API Action): route53:ListTrafficPolicies

Resources: *

ListTrafficPolicyVersions

Required Permissions (API Action): route53:ListTrafficPolicyVersions

Resources: *

UpdateTrafficPolicyComment

Required Permissions (API Action): route53:UpdateTrafficPolicyComment

Resources: *

Required Permissions for Actions on Traffic Policy Instances

CreateTrafficPolicyInstance

Required Permissions (API Action): route53:CreateTrafficPolicyInstance

Resources: *

DeleteTrafficPolicyInstance

Required Permissions (API Action): route53:DeleteTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstance

Required Permissions (API Action): route53:GetTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstanceCount

Required Permissions (API Action): route53:GetTrafficPolicyInstanceCount

Resources: *

ListTrafficPolicyInstances

Required Permissions (API Action): route53:ListTrafficPolicyInstances

Resources: *

ListTrafficPolicyInstancesByHostedZone

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByHostedZone

Resources: *

ListTrafficPolicyInstancesByPolicy

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByPolicy

Resources: *

UpdateTrafficPolicyInstance

Required Permissions (API Action): route53:UpdateTrafficPolicyInstance

Resources: *

Required Permissions for Actions on Health Checks

CreateHealthCheck

Required Permissions (API Action): route53:CreateHealthCheck

Resources: *

DeleteHealthCheck

Required Permissions (API Action): route53:DeleteHealthCheck

Resources: *

GetCheckerIpRanges

Required Permissions (API Action): route53:GetCheckerIpRanges

Resources: *

GetHealthCheck

Required Permissions (API Action): route53:GetHealthCheck

Resources: *

GetHealthCheckCount

Required Permissions (API Action): route53:GetHealthCheckCount

Resources: *

GetHealthCheckLastFailureReason

Required Permissions (API Action): route53:GetHealthCheckLastFailureReason

Resources: *

GetHealthCheckStatus

Required Permissions (API Action): route53:GetHealthCheckStatus

Resources: *

ListHealthChecks

Required Permissions (API Action): route53:ListHealthChecks

Resources: *

UpdateHealthCheck

Required Permissions (API Action): route53:UpdateHealthCheck

Resources: *

Required Permissions for Actions on Domain Registrations

AddDnssec (console only)

Required Permissions (API Action): route53domains:AddDnssec

Resources: *

CheckDomainAvailability

Required Permissions (API Action): route53domains:CheckDomainAvailability

Resources: *

DeleteDomain (console only)

Required Permissions (API Action): route53domains:DeleteDomain

Resources: *

DisableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

DisableDomainTransferLock

Required Permissions (API Action): route53domains:DisableDomainTransferLock

Resources: *

EnableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

EnableDomainTransferLock

Required Permissions (API Action): route53domains:EnableDomainTransferLock

Resources: *

GetContactReachabilityStatus

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetDomainDetail

Required Permissions (API Action): route53domains:GetDomainDetail

Resources: *

GetDomainSuggestions

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetOperationDetail

Required Permissions (API Action): route53domains:GetOperationDetail

Resources: *

ListDnssec (console only)

Required Permissions (API Action): route53domains:ListDnssec

Resources: *

ListDomains

Required Permissions (API Action): route53domains:ListDomains

Resources: *

ListOperations

Required Permissions (API Action): route53domains:ListOperations

Resources: *

RegisterDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

RemoveDnssec (console only)

Required Permissions (API Action): route53domains:RemoveDnssec

Resources: *

RenewDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

ResendContactReachabilityEmail

Required Permissions (API Action): route53domains:ListDomains

Resources: *

RetrieveDomainAuthCode

Required Permissions (API Action): route53domains:RetrieveDomainAuthCode

Resources: *

TransferDomain

Required Permissions (API Action): route53domains:TransferDomain

Resources: *

UpdateDomainContact

Required Permissions (API Action): route53domains:UpdateDomainContact

Resources: *

UpdateDomainContactPrivacy

Required Permissions (API Action): route53domains:UpdateDomainContactPrivacy

Resources: *

UpdateDomainNameservers

Required Permissions (API Action): route53domains:UpdateDomainNameservers

Resources: *

ViewBilling

Required Permissions (API Action): route53domains:ViewBilling

Resources: *

Required Permissions for Actions on Tags for Hosted Zones and Health Checks

ChangeTagsForResource

Required Permissions (API Action): route53:ChangeTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResource

Required Permissions (API Action): route53:ListTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResources

Required Permissions (API Action): route53:ListTagsForResources

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

Required Permissions for Actions on Tags for Domains

DeleteTagsForDomain

Required Permissions (API Action): route53domains:DeleteTagsForDomain

Resources: *

ListTagsForDomain

Required Permissions (API Action): route53domains:ListTagsForDomain

Resources: *

UpdateTagsForDomain

Required Permissions (API Action): route53domains:UpdateTagsForDomain

Resources: *