AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Route 53 Resolver

Amazon Route 53 Resolver (service prefix: route53resolver) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Amazon Route 53 Resolver

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
AssociateResolverEndpointIpAddress Grants permission to associate a specified IP address with a resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound). Write

resolver-endpoint*

AssociateResolverRule Grants permission to associate a specified resolver rule with a specified VPC. Write

resolver-rule*

CreateResolverEndpoint Grants permission to create a resolver endpoint. There are two types of resolver endpoints, inbound and outbound. Write

resolver-endpoint*

CreateResolverRule For DNS queries that originate in your VPC, grants permission to define how to route the queries out of the VPC. Write

resolver-rule*

DeleteResolverEndpoint Grants permission to delete a resolver endpoint. The effect of deleting a resolver endpoint depends on whether it's an inbound or an outbound resolver endpoint. Write

resolver-endpoint*

DeleteResolverRule Grants permission to delete a resolver rule. Write

resolver-rule*

DisassociateResolverEndpointIpAddress Grants permission to remove a specified IP address from a resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound). Write

resolver-endpoint*

DisassociateResolverRule Grants permission to remove the association between a specified resolver rule and a specified VPC. Write

resolver-rule*

GetResolverEndpoint Grants permission to get information about a specified resolver endpoint, such as whether it's an inbound or an outbound resolver endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC. Read

resolver-endpoint*

GetResolverRule Grants permission to get information about a specified resolver rule, such as the domain name that the rule forwards DNS queries for and the IP address that queries are forwarded to. Read

resolver-rule*

GetResolverRuleAssociation Grants permission to get information about an association between a specified resolver rule and a VPC. Read

resolver-rule*

GetResolverRulePolicy Grants permission to get information about a resolver rule policy. Read

resolver-rule*

ListResolverEndpointIpAddresses For a specified resolver endpoint, grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound). List

resolver-endpoint*

ListResolverEndpoints Grants permission to list all the resolver endpoints that were created using the current AWS account. List

resolver-endpoint*

ListResolverRuleAssociations Grants permission to list the associations that were created between resolver rules and VPCs using the current AWS account. List

resolver-rule*

ListResolverRules Grants permission to list the resolver rules that were created using the current AWS account. List

resolver-rule*

ListTagsForResource Grants permission to list the tags that you associated with the specified resource. Read

resolver-endpoint

resolver-rule

PutResolverRulePolicy Grants permission to specify the Resolver operations and resources that you want to allow another AWS account to use. Write

resolver-rule*

TagResource Grants permission to add one or more tags to a specified resource. Tagging

resolver-endpoint

resolver-rule

UntagResource Grants permission to remove one or more tags from a specified resource. Tagging

resolver-endpoint

resolver-rule

UpdateResolverEndpoint Grants permission to update selected settings for an inbound or an outbound resolver endpoint. Write

resolver-endpoint*

UpdateResolverRule Grants permission to update settings for a specified resolver rule. Write

resolver-rule*

Resources Defined by Route 53 Resolver

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
resolver-rule arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId}
resolver-endpoint arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId}

Condition Keys for Amazon Route 53 Resolver

Route 53 Resolver has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.