Amazon Route 53 API permissions: Actions, resources, and conditions reference - Amazon Route 53

When you set up access control and write a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following lists as a reference. The lists include each Amazon Route 53 API action, the permissions that you must grant for that action, and the AWS resource that you must grant access to. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your Route 53 policies to express conditions. For a complete list of AWS-wide keys, see Available keys in the IAM User Guide.

Note

To specify an action, use the applicable prefix (route53, route53domains, or route53resolver) followed by the API operation name, for example:

  • route53:CreateHostedZone

  • route53domains:RegisterDomain

  • route53resolver:CreateResolverEndpoint
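The following identity-based policy is an added example and is not part of the original page; it shows how the Action and Resource values from the lists below fit together. It assumes a hosted zone whose ID is the placeholder Z0PLACEHOLDERZONEID (substitute your own). The hosted-zone listing actions take a Resource of *, while ChangeResourceRecordSets and ListResourceRecordSets are scoped to the hosted zone ARN, so they go in a separate statement; the MFA condition uses the AWS-wide key aws:MultiFactorAuthPresent and is appropriate for a human operator identity, not for an automation role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverHostedZones",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:GetHostedZone",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EditRecordsInOneZoneOnly",
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/Z0PLACEHOLDERZONEID",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Because ChangeResourceRecordSets accepts a hosted zone ARN, granting it on * would let the identity rewrite records in every zone in the account; scoping the Resource to one zone ARN limits the blast radius of a compromised credential to that zone, and the listing statement on * still lets the operator find the zone ID they need.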

Required permissions for actions on public hosted zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone

Resources: *

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required permissions for actions on private hosted zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions

Resources: *, arn:aws:ec2::optional account id:*

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

AssociateVPCWithHostedZone

Required Permissions (API Action): route53:AssociateVPCWithHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

CreateVPCAssociationAuthorization

Required Permissions (API Action): route53:CreateVPCAssociationAuthorization

Resources: *

DeleteVPCAssociationAuthorization

Required Permissions (API Action): route53:DeleteVPCAssociationAuthorization

Resources: *

DisassociateVPCFromHostedZone

Required Permissions (API Action): route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required permissions for actions on reusable delegation sets

CreateReusableDelegationSet

Required Permissions (API Action): route53:CreateReusableDelegationSet

Resources: *

DeleteReusableDelegationSet

Required Permissions (API Action): route53:DeleteReusableDelegationSet

Resources: *

GetReusableDelegationSet

Required Permissions (API Action): route53:GetReusableDelegationSet

Resources: *

ListReusableDelegationSets

Required Permissions (API Action): route53:ListReusableDelegationSets

Resources: *

Required permissions for actions on records

ChangeResourceRecordSets

Required Permissions (API Action): route53:ChangeResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID

GetChange

Required Permissions (API Action): route53:GetChange

Resources: *

GetGeoLocation

Required Permissions (API Action): None

Resources: None

Route 53 does not perform authorization for this API because it retrieves information that is already available to the public.

ListGeoLocations

Required Permissions (API Action): None

Resources: None

Route 53 does not perform authorization for this API because it retrieves information that is already available to the public.

ListResourceRecordSets

Required Permissions (API Action): route53:ListResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID

Required permissions for actions on traffic policies

CreateTrafficPolicy

Required Permissions (API Action): route53:CreateTrafficPolicy

Resources: *

CreateTrafficPolicyVersion

Required Permissions (API Action): route53:CreateTrafficPolicyVersion

Resources: *

DeleteTrafficPolicy

Required Permissions (API Action): route53:DeleteTrafficPolicy

Resources: *

GetTrafficPolicy

Required Permissions (API Action): route53:GetTrafficPolicy

Resources: *

ListTrafficPolicies

Required Permissions (API Action): route53:ListTrafficPolicies

Resources: *

ListTrafficPolicyVersions

Required Permissions (API Action): route53:ListTrafficPolicyVersions

Resources: *

UpdateTrafficPolicyComment

Required Permissions (API Action): route53:UpdateTrafficPolicyComment

Resources: *

Required permissions for actions on traffic policy instances

CreateTrafficPolicyInstance

Required Permissions (API Action): route53:CreateTrafficPolicyInstance

Resources: *

DeleteTrafficPolicyInstance

Required Permissions (API Action): route53:DeleteTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstance

Required Permissions (API Action): route53:GetTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstanceCount

Required Permissions (API Action): route53:GetTrafficPolicyInstanceCount

Resources: *

ListTrafficPolicyInstances

Required Permissions (API Action): route53:ListTrafficPolicyInstances

Resources: *

ListTrafficPolicyInstancesByHostedZone

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByHostedZone

Resources: *

ListTrafficPolicyInstancesByPolicy

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByPolicy

Resources: *

UpdateTrafficPolicyInstance

Required Permissions (API Action): route53:UpdateTrafficPolicyInstance

Resources: *

Required permissions for actions on health checks

CreateHealthCheck

Required Permissions (API Action): route53:CreateHealthCheck

Resources: *, arn:aws:route53:::healthcheck/

DeleteHealthCheck

Required Permissions (API Action): route53:DeleteHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetCheckerIpRanges

Required Permissions (API Action): None

Resources: *

Route 53 does not perform authorization for this API because it retrieves information that is already available to the public.

GetHealthCheck

Required Permissions (API Action): route53:GetHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetHealthCheckCount

Required Permissions (API Action): route53:GetHealthCheckCount

Resources: *

GetHealthCheckLastFailureReason

Required Permissions (API Action): route53:GetHealthCheckLastFailureReason

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetHealthCheckStatus

Required Permissions (API Action): route53:GetHealthCheckStatus

Resources: *, arn:aws:route53:::healthcheck/health check ID

ListHealthChecks

Required Permissions (API Action): route53:ListHealthChecks

Resources: *

UpdateHealthCheck

Required Permissions (API Action): route53:UpdateHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

Required permissions for actions on domain registrations

AcceptDomainTransferFromAnotherAwsAccount

Required Permissions (API Action): route53domains:AcceptDomainTransferFromAnotherAwsAccount

Resources: *

AddDnssec (console only)

Required Permissions (API Action): route53domains:AddDnssec

Resources: *

CancelDomainTransferToAnotherAwsAccount

Required Permissions (API Action): route53domains:CancelDomainTransferToAnotherAwsAccount

Resources: *

CheckDomainAvailability

Required Permissions (API Action): route53domains:CheckDomainAvailability

Resources: *

DeleteDomain (console only)

Required Permissions (API Action): route53domains:DeleteDomain

Resources: *

DisableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

DisableDomainTransferLock

Required Permissions (API Action): route53domains:DisableDomainTransferLock

Resources: *

EnableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

EnableDomainTransferLock

Required Permissions (API Action): route53domains:EnableDomainTransferLock

Resources: *

GetContactReachabilityStatus

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetDomainDetail

Required Permissions (API Action): route53domains:GetDomainDetail

Resources: *

GetDomainSuggestions

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetOperationDetail

Required Permissions (API Action): route53domains:GetOperationDetail

Resources: *

ListDnssec (console only)

Required Permissions (API Action): route53domains:ListDnssec

Resources: *

ListDomains

Required Permissions (API Action): route53domains:ListDomains

Resources: *

ListOperations

Required Permissions (API Action): route53domains:ListOperations

Resources: *

RegisterDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

RejectDomainTransferFromAnotherAwsAccount

Required Permissions (API Action): route53domains:RejectDomainTransferFromAnotherAwsAccount

Resources: *

RemoveDnssec (console only)

Required Permissions (API Action): route53domains:RemoveDnssec

Resources: *

RenewDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

ResendContactReachabilityEmail

Required Permissions (API Action): route53domains:ListDomains

Resources: *

RetrieveDomainAuthCode

Required Permissions (API Action): route53domains:RetrieveDomainAuthCode

Resources: *

TransferDomain

Required Permissions (API Action): route53domains:TransferDomain

Resources: *

TransferDomainToAnotherAwsAccount

Required Permissions (API Action): route53domains:TransferDomainToAnotherAwsAccount

Resources: *

UpdateDomainContact

Required Permissions (API Action): route53domains:UpdateDomainContact

Resources: *

UpdateDomainContactPrivacy

Required Permissions (API Action): route53domains:UpdateDomainContactPrivacy

Resources: *

UpdateDomainNameservers

Required Permissions (API Action): route53domains:UpdateDomainNameservers

Resources: *

ViewBilling

Required Permissions (API Action): route53domains:ViewBilling

Resources: *

Required permissions for Route 53 Resolver actions

AssociateResolverEndpointIpAddress

Required Permissions (API Action): route53resolver:AssociateResolverEndpointIpAddress, ec2:CreateNetworkInterfacePermission, ec2:DescribeAvailabilityZones, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets

Resources: *

AssociateResolverQueryLogConfig

Required Permissions (API Action): route53resolver:AssociateResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery

Resources: *

AssociateResolverRule

Required Permissions (API Action): route53resolver:AssociateResolverRule, ec2:DescribeVpcs

Resources: *

CreateResolverEndpoint

Required Permissions (API Action): route53resolver:CreateResolverEndpoint, ec2:DescribeSubnets, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterfacePermission, ec2:DescribeSecurityGroups

See also Example 4: Allow creation of inbound and outbound Route 53 Resolver endpoints.

Resources: *

CreateResolverQueryLogConfig

Required Permissions (API Action): route53resolver:CreateResolverQueryLogConfig, ec2:DescribeVpcs, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:CreateLogDelivery, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, logs:UpdateLogDelivery

Resources: *

CreateResolverRule

Required Permissions (API Action): route53resolver:CreateResolverRule

Resources: *

DeleteResolverEndpoint

Required Permissions (API Action): route53resolver:DeleteResolverEndpoint, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces

Resources: *

DeleteResolverQueryLogConfig

Required Permissions (API Action): route53resolver:DeleteResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, logs:UpdateLogDelivery

Resources: *

DeleteResolverRule

Required Permissions (API Action): route53resolver:DeleteResolverRule

Resources: *

DisassociateResolverEndpointIpAddress

Required Permissions (API Action): route53resolver:DisassociateResolverEndpointIpAddress, ec2:DeleteNetworkInterface

Resources: *

DisassociateResolverQueryLogConfig

Required Permissions (API Action): route53resolver:DisassociateResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery

Resources: *

DisassociateResolverRule

Required Permissions (API Action): route53resolver:DisassociateResolverRule

Resources: *

GetResolverEndpoint

Required Permissions (API Action): route53resolver:GetResolverEndpoint

Resources: *

GetResolverQueryLogConfig

Required Permissions (API Action): route53resolver:GetResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

GetResolverQueryLogConfigAssociation

Required Permissions (API Action): route53resolver:GetResolverQueryLogConfigAssociation, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

GetResolverQueryLogConfigPolicy

Required Permissions (API Action): route53resolver:GetResolverQueryLogConfigPolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

GetResolverRule

Required Permissions (API Action): route53resolver:GetResolverRule

Resources: *

GetResolverRuleAssociation

Required Permissions (API Action): route53resolver:GetResolverRuleAssociation, ec2:DescribeVpcs

Resources: *

GetResolverRulePolicy

Required Permissions (API Action): route53resolver:GetResolverRulePolicy

Resources: *

ListResolverEndpointIpAddresses

Required Permissions (API Action): route53resolver:ListResolverEndpointIpAddresses

Resources: *

ListResolverEndpoints

Required Permissions (API Action): route53resolver:ListResolverEndpoints

Resources: *

ListResolverQueryLogConfigAssociations

Required Permissions (API Action): route53resolver:ListResolverQueryLogConfigAssociations, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

ListResolverQueryLogConfigs

Required Permissions (API Action): route53resolver:ListResolverQueryLogConfigs, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

ListResolverRuleAssociations

Required Permissions (API Action): route53resolver:ListResolverRuleAssociations, ec2:DescribeVpcs

Resources: *

ListResolverRules

Required Permissions (API Action): route53resolver:ListResolverRules

Resources: *

ListTagsForResource

Required Permissions (API Action): route53resolver:ListTagsForResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/

PutResolverQueryLogConfigPolicy

Required Permissions (API Action): route53resolver:PutResolverQueryLogConfigPolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery

Resources: *

PutResolverRulePolicy

Required Permissions (API Action): route53resolver:PutResolverRulePolicy

Resources: *

TagResource

Required Permissions (API Action): route53resolver:TagResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*

UntagResource

Required Permissions (API Action): route53resolver:UntagResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*

UpdateResolverEndpoint

Required Permissions (API Action): route53resolver:UpdateResolverEndpoint

Resources: *

UpdateResolverRule

Required Permissions (API Action): route53resolver:UpdateResolverRule

Resources: *

Required permissions for Route 53 Resolver DNS Firewall actions

AssociateFirewallRuleGroup

Required Permissions (API Action): route53resolver:AssociateFirewallRuleGroup, ec2:DescribeVpcs

Optional Permissions: route53resolver:TagResource (Required if you provide a tagging parameter)

Resources: *

CreateFirewallDomainList

Required Permissions (API Action): route53resolver:CreateFirewallDomainList

Optional Permissions: route53resolver:TagResource (Required if you provide a tagging parameter)

Resources: *

CreateFirewallRule

Required Permissions (API Action): route53resolver:CreateFirewallRule

Resources: *

CreateFirewallRuleGroup

Required Permissions (API Action): route53resolver:CreateFirewallRuleGroup

Optional Permissions: route53resolver:TagResource (Required if you provide a tagging parameter)

Resources: *

DeleteFirewallDomainList

Required Permissions (API Action): route53resolver:DeleteFirewallDomainList

Resources: *

DeleteFirewallRule

Required Permissions (API Action): route53resolver:DeleteFirewallRule

Resources: *

DeleteFirewallRuleGroup

Required Permissions (API Action): route53resolver:DeleteFirewallRuleGroup

Resources: *

DisassociateFirewallRuleGroup

Required Permissions (API Action): route53resolver:DisassociateFirewallRuleGroup

Resources: *

GetFirewallConfig

Required Permissions (API Action): route53resolver:GetFirewallConfig, ec2:DescribeVpcs

Resources: *

GetFirewallDomainList

Required Permissions (API Action): route53resolver:GetFirewallDomainList

Resources: *

GetFirewallRuleGroup

Required Permissions (API Action): route53resolver:GetFirewallRuleGroup

Resources: *

GetFirewallRuleGroupAssociation

Required Permissions (API Action): route53resolver:GetFirewallRuleGroupAssociation

Resources: *

GetFirewallRuleGroupPolicy

Required Permissions (API Action): route53resolver:GetFirewallRuleGroupPolicy

Resources: *

ImportFirewallDomains

Required Permissions (API Action): route53resolver:ImportFirewallRuleDomains

Resources: *

ListFirewallConfigs

Required Permissions (API Action): route53resolver:ListFirewallConfigs, ec2:DescribeVpcs

Resources: *

ListFirewallDomainLists

Required Permissions (API Action): route53resolver:ListFirewallDomainLists

Resources: *

ListFirewallDomains

Required Permissions (API Action): route53resolver:ListFirewallDomains

Resources: *

ListFirewallRuleGroupAssociations

Required Permissions (API Action): route53resolver:ListFirewallRuleGroupAssociations

Resources: *

ListFirewallRuleGroups

Required Permissions (API Action): route53resolver:ListFirewallRuleGroups

Resources: *

ListFirewallRules

Required Permissions (API Action): route53resolver:ListFirewallRules

Resources: *

PutFirewallRuleGroupPolicy

Required Permissions (API Action): route53resolver:PutFirewallRuleGroupPolicy

Resources: *

UpdateFirewallConfig

Required Permissions (API Action): route53resolver:UpdateFirewallConfig, ec2:DescribeVpcs

Resources: *

UpdateFirewallDomains

Required Permissions (API Action): route53resolver:UpdateFirewallDomains

Resources: *

UpdateFirewallRule

Required Permissions (API Action): route53resolver:UpdateFirewallRule

Resources: *

UpdateFirewallRuleGroupAssociation

Required Permissions (API Action): route53resolver:UpdateFirewallRuleGroupAssociation

Resources: *

Required permissions for actions to get limits for accounts, hosted zones, and reusable delegation sets

GetAccountLimit

Required Permissions (API Action): route53:GetAccountLimit

Resources: *

GetHostedZoneLimit

Required Permissions (API Action): route53:GetHostedZoneLimit

Resources: *

GetReusableDelegationSetLimit

Required Permissions (API Action): route53:GetReusableDelegationSetLimit

Resources: *

Required permissions for actions on tags for hosted zones and health checks

ChangeTagsForResource

Required Permissions (API Action): route53:ChangeTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResource

Required Permissions (API Action): route53:ListTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResources

Required Permissions (API Action): route53:ListTagsForResources

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

Required permissions for actions on tags for domains

DeleteTagsForDomain

Required Permissions (API Action): route53domains:DeleteTagsForDomain

Resources: *

ListTagsForDomain

Required Permissions (API Action): route53domains:ListTagsForDomain

Resources: *

UpdateTagsForDomain

Required Permissions (API Action): route53domains:UpdateTagsForDomain

Resources: *

Required permissions for DNSSEC actions

GetDNSSEC

Required Permissions (API Action): route53domains:DeleteTagsForDomain

Resources: *

CreateKeySigningKey

Required Permissions (API Action): route53:CreateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

DeleteKeySigningKey

Required Permissions (API Action): route53:DeleteKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

ActivateKeySigningKey

Required Permissions (API Action): route53:ActivateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

DeactivateKeySigningKey

Required Permissions (API Action): route53:DeactivateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

EnableHostedZoneDNSSEC

Required Permissions (API Action): route53:EnableHostedZoneDNSSEC, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

DisableHostedZoneDNSSEC

Required Permissions (API Action): route53:DisableHostedZoneDNSSEC, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *