Amazon Route 53
Developer Guide (API Version 2013-04-01)

Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference

When you set up access control and write a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following tables as a reference. The tables list each Amazon Route 53 API operation, the corresponding actions that you can grant permission to perform, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your Amazon Route 53 policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the applicable prefix (route53: or route53domains:) followed by the API operation name (for example, route53:CreateHostedZone or route53domains:RegisterDomain).

Required Permissions for Actions on Public Hosted Zones

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| CreateHostedZone | route53:CreateHostedZone | * |
| DeleteHostedZone | route53:DeleteHostedZone | * |
| GetHostedZone | route53:GetHostedZone | * |
| GetHostedZoneCount | route53:GetHostedZoneCount | * |
| ListHostedZones | route53:ListHostedZones | * |
| ListHostedZonesByName | route53:ListHostedZonesByName | * |
| UpdateHostedZoneComment | route53:UpdateHostedZoneComment | * |

Required Permissions for Actions on Private Hosted Zones

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| CreateHostedZone | route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions | *, arn:aws:ec2::optional account id:* |
| DeleteHostedZone | route53:DeleteHostedZone | * |
| AssociateVPCWithHostedZone | route53:AssociateHostedZoneWithVPC, ec2:DescribeVpcs | *, arn:aws:ec2::optional account id:* |
| DisassociateVPCFromHostedZone | route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs | *, arn:aws:ec2::optional account id:* |
| GetHostedZone | route53:GetHostedZone | * |
| GetHostedZoneCount | route53:GetHostedZoneCount | * |
| ListHostedZones | route53:ListHostedZones | * |
| ListHostedZonesByName | route53:ListHostedZonesByName | * |
| UpdateHostedZoneComment | route53:UpdateHostedZoneComment | * |

Required Permissions for Actions on Reusable Delegation Sets

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| CreateReusableDelegationSet | route53:CreateReusableDelegationSet | * |
| DeleteReusableDelegationSet | route53:DeleteReusableDelegationSet | * |
| GetReusableDelegationSet | route53:GetReusableDelegationSet | * |
| ListReusableDelegationSets | route53:ListReusableDelegationSets | * |

Required Permissions for Actions on Resource Record Sets

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| ChangeResourceRecordSets | route53:ChangeResourceRecordSets | arn:aws:route53:::hostedzone/hosted zone ID |
| GetChange | route53:GetChange | * |
| GetGeoLocation | None | None |
| ListGeoLocations | None | None |
| ListResourceRecordSets | route53:ListResourceRecordSets | * |
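A check of a policy's Resource values against the Resources column of the record-set table above, as an added example that is not part of the original guide. The policy and the hosted zone ID Z0000EXAMPLE are constructed, and `review` is a hypothetical helper that covers only these three actions.

```python
import json

ZONE_PREFIX = "arn:aws:route53:::hostedzone/"
# Resources column of the record-set table on this page, keyed by action.
PAGE_RESOURCES = {
    "route53:ChangeResourceRecordSets": ZONE_PREFIX + "<hosted zone ID>",
    "route53:GetChange": "*",
    "route53:ListResourceRecordSets": "*",
}
# Constructed policy; Z0000EXAMPLE is a placeholder hosted zone ID.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "EditOneZone", "Effect": "Allow",
   "Action": "route53:ChangeResourceRecordSets",
   "Resource": "arn:aws:route53:::hostedzone/Z0000EXAMPLE"},
  {"Sid": "ReadOnly", "Effect": "Allow",
   "Action": ["route53:GetChange", "route53:ListResourceRecordSets"],
   "Resource": "*"},
  {"Sid": "TooBroad", "Effect": "Allow",
   "Action": "route53:ChangeResourceRecordSets", "Resource": "*"},
  {"Sid": "WrongScope", "Effect": "Allow", "Action": "route53:GetChange",
   "Resource": "arn:aws:route53:::hostedzone/Z0000EXAMPLE"}]}""")

def as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def review(policy):
    """Return (Sid, action, finding) for Allow statements that differ from the table."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            expected = PAGE_RESOURCES.get(action)
            if expected is None:
                continue  # outside this subset; action wildcards are not expanded
            for res in as_list(stmt.get("Resource", [])):
                one_zone = res.startswith(ZONE_PREFIX) and not set("*?") & set(res)
                if expected == "*" and res != "*":
                    findings.append((stmt.get("Sid"), action, "table lists only * here"))
                elif expected != "*" and not one_zone:
                    findings.append((stmt.get("Sid"), action, "not limited to one hosted zone"))
    return findings

if __name__ == "__main__":
    for finding in review(POLICY):
        print(finding)
```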

Required Permissions for Actions on Traffic Policies

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| CreateTrafficPolicy | route53:CreateTrafficPolicy | * |
| CreateTrafficPolicyVersion | route53:CreateTrafficPolicyVersion | * |
| DeleteTrafficPolicy | route53:DeleteTrafficPolicy | * |
| GetTrafficPolicy | route53:GetTrafficPolicy | * |
| ListTrafficPolicies | route53:ListTrafficPolicies | * |
| ListTrafficPolicyVersions | route53:ListTrafficPolicyVersions | * |
| UpdateTrafficPolicyComment | route53:UpdateTrafficPolicyComment | * |

Required Permissions for Actions on Traffic Policy Instances

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| CreateTrafficPolicyInstance | route53:CreateTrafficPolicyInstance | * |
| DeleteTrafficPolicyInstance | route53:DeleteTrafficPolicyInstance | * |
| GetTrafficPolicyInstance | route53:GetTrafficPolicyInstance | * |
| GetTrafficPolicyInstanceCount | route53:GetTrafficPolicyInstanceCount | * |
| ListTrafficPolicyInstances | route53:ListTrafficPolicyInstances | * |
| ListTrafficPolicyInstancesByHostedZone | route53:ListTrafficPolicyInstancesByHostedZone | * |
| ListTrafficPolicyInstancesByPolicy | route53:ListTrafficPolicyInstancesByPolicy | * |
| UpdateTrafficPolicyInstance | route53:UpdateTrafficPolicyInstance | * |

Required Permissions for Actions on Health Checks

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| CreateHealthCheck | route53:CreateHealthCheck | * |
| DeleteHealthCheck | route53:DeleteHealthCheck | * |
| GetCheckerIpRanges | route53:GetCheckerIpRanges | * |
| GetHealthCheck | route53:GetHealthCheck | * |
| GetHealthCheckCount | route53:GetHealthCheckCount | * |
| GetHealthCheckLastFailureReason | route53:GetHealthCheckLastFailureReason | * |
| GetHealthCheckStatus | route53:GetHealthCheckStatus | * |
| ListHealthChecks | route53:ListHealthChecks | * |
| UpdateHealthCheck | route53:UpdateHealthCheck | * |

Required Permissions for Actions on Domain Registrations

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| AddDnssec (console only) | route53domains:AddDnssec | arn:aws:route53domains:::* |
| CheckDomainAvailability | route53domains:CheckDomainAvailability | arn:aws:route53domains:::* |
| DeleteDomain (console only) | route53domains:DeleteDomain | arn:aws:route53domains:::* |
| DisableDomainAutoRenew | route53domains:ChangeAutoRenew | arn:aws:route53domains:::* |
| DisableDomainTransferLock | route53domains:DisableDomainTransferLock | arn:aws:route53domains:::* |
| EnableDomainAutoRenew | route53domains:ChangeAutoRenew | arn:aws:route53domains:::* |
| EnableDomainTransferLock | route53domains:EnableDomainTransferLock | arn:aws:route53domains:::* |
| GetContactReachabilityStatus | route53domains:ListDomains | arn:aws:route53domains:::* |
| GetDomainDetail | route53domains:GetDomainDetail | arn:aws:route53domains:::* |
| GetDomainSuggestions | route53domains:ListDomains | arn:aws:route53domains:::* |
| GetOperationDetail | route53domains:GetOperationDetail | arn:aws:route53domains:::* |
| ListDnssec (console only) | route53domains:ListDnssec | arn:aws:route53domains:::* |
| ListDomains | route53domains:ListDomains | arn:aws:route53domains:::* |
| ListOperations | route53domains:ListOperations | arn:aws:route53domains:::* |
| RegisterDomain | route53domains:RegisterDomain | arn:aws:route53domains:::* |
| RemoveDnssec (console only) | route53domains:RemoveDnssec | arn:aws:route53domains:::* |
| RenewDomain | route53domains:RenewDomain | arn:aws:route53domains:::* |
| ResendContactReachabilityEmail | route53domains:ListDomains | arn:aws:route53domains:::* |
| RetrieveDomainAuthCode | route53domains:RetrieveDomainAuthCode | arn:aws:route53domains:::* |
| TransferDomain | route53domains:TransferDomain | arn:aws:route53domains:::* |
| UpdateDomainContact | route53domains:UpdateDomainContact | arn:aws:route53domains:::* |
| UpdateDomainContactPrivacy | route53domains:UpdateDomainContactPrivacy | arn:aws:route53domains:::* |
| UpdateDomainNameservers | route53domains:UpdateDomainNameservers | arn:aws:route53domains:::* |
| ViewBilling | route53domains:ViewBilling | arn:aws:route53domains:::* |

Required Permissions for Actions on Tags for Hosted Zones and Health Checks

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| ChangeTagsForResource | route53:ChangeTagsForResource | arn:aws:route53:::tags/[healthcheck \| hostedzone]/[health check ID \| hosted zone ID] |
| ListTagsForResource | route53:ListTagsForResource | arn:aws:route53:::tags/[healthcheck \| hostedzone]/[health check ID \| hosted zone ID] |
| ListTagsForResources | route53:ListTagsForResources | arn:aws:route53:::tags/[healthcheck \| hostedzone]/* |

Required Permissions for Actions on Tags for Domains

| Amazon Route 53 API Operations | Required Permissions (API Actions) | Resources |
|---|---|---|
| DeleteTagsForDomain | route53domains:DeleteTagsForDomain | arn:aws:route53domains:::tags/* |
| ListTagsForDomain | route53domains:ListTagsForDomain | arn:aws:route53domains:::tags/* |
| UpdateTagsForDomain | route53domains:UpdateTagsForDomain | arn:aws:route53domains:::tags/* |