Amazon Route 53
Developer Guide (API Version 2013-04-01)

Amazon Route 53 API Permissions: Actions, Resources, and Conditions Reference

When you set up Access Control and write a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following lists as a reference. For each Amazon Route 53 API action, the lists give the actions that you must grant permission to use and the AWS resource that you must grant access to. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your Route 53 policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the applicable prefix (route53, route53domains, or route53resolver) followed by the API operation name, for example:

  • route53:CreateHostedZone

  • route53domains:RegisterDomain

  • route53resolver:CreateResolverEndpoint
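The Action and Resource rules above, as an added example that is not part of the Route 53 guide: a Python check that audits an identity-based policy against a subset of this page's lists. The sample policy, the hosted zone ID Z0EXAMPLE, the finding labels, and the function names are constructed for illustration.

```python
import json

# Resource formats copied from a subset of this page's lists.
PREFIXES = ("route53", "route53domains", "route53resolver")
ZONE_ARN = "arn:aws:route53:::hostedzone/"
ZONE_SCOPED = {"route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"}
STAR_ONLY = {"route53:CreateHostedZone", "route53:ListHostedZones", "route53:GetChange",
             "route53domains:RegisterDomain", "route53resolver:CreateResolverRule"}

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (sid, action, finding) tuples for the Allow statements in a policy."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            prefix, _, operation = action.partition(":")
            if not prefix.startswith("route53"):
                continue  # other services (for example ec2) are out of scope here
            if prefix not in PREFIXES or not operation or ":" in operation:
                findings.append((sid, action, "bad-prefix"))
            elif action in ZONE_SCOPED and any(r in ("*", ZONE_ARN + "*") for r in resources):
                findings.append((sid, action, "zone-not-scoped"))  # reaches every zone
            elif action in STAR_ONLY and "*" not in resources:
                findings.append((sid, action, "needs-star"))  # page lists only *
    return findings

# Constructed sample policy; Z0EXAMPLE is a placeholder hosted zone ID.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "EditOneZone", "Effect": "Allow",
   "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
   "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE"},
  {"Sid": "Browse", "Effect": "Allow",
   "Action": ["route53:ListHostedZones", "route53:GetChange"], "Resource": "*"},
  {"Sid": "TooBroad", "Effect": "Allow",
   "Action": "route53:ChangeResourceRecordSets", "Resource": "*"},
  {"Sid": "WrongScope", "Effect": "Allow",
   "Action": "route53:ListHostedZones",
   "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE"},
  {"Sid": "DoubledPrefix", "Effect": "Allow",
   "Action": "route53:route53resolver:CreateResolverRule", "Resource": "*"}]}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Wildcard actions such as route53:* are not expanded by this check, and action names are compared case-sensitively.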

Required Permissions for Actions on Public Hosted Zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone

Resources: *

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required Permissions for Actions on Private Hosted Zones

CreateHostedZone

Required Permissions (API Action): route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions

Resources: *, arn:aws:ec2::optional account id:*

DeleteHostedZone

Required Permissions (API Action): route53:DeleteHostedZone

Resources: *

AssociateVPCWithHostedZone

Required Permissions (API Action): route53:AssociateVPCWithHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

DisassociateVPCFromHostedZone

Required Permissions (API Action): route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

GetHostedZone

Required Permissions (API Action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required Permissions (API Action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required Permissions (API Action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required Permissions (API Action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required Permissions (API Action): route53:UpdateHostedZoneComment

Resources: *

Required Permissions for Actions on Reusable Delegation Sets

CreateReusableDelegationSet

Required Permissions (API Action): route53:CreateReusableDelegationSet

Resources: *

DeleteReusableDelegationSet

Required Permissions (API Action): route53:DeleteReusableDelegationSet

Resources: *

GetReusableDelegationSet

Required Permissions (API Action): route53:GetReusableDelegationSet

Resources: *

ListReusableDelegationSets

Required Permissions (API Action): route53:ListReusableDelegationSets

Resources: *

Required Permissions for Actions on Records

ChangeResourceRecordSets

Required Permissions (API Action): route53:ChangeResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID

GetChange

Required Permissions (API Action): route53:GetChange

Resources: *

GetGeoLocation

Required Permissions (API Action): None

Resources: None

ListGeoLocations

Required Permissions (API Action): None

Resources: None

ListResourceRecordSets

Required Permissions (API Action): route53:ListResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID

Required Permissions for Actions on Traffic Policies

CreateTrafficPolicy

Required Permissions (API Action): route53:CreateTrafficPolicy

Resources: *

CreateTrafficPolicyVersion

Required Permissions (API Action): route53:CreateTrafficPolicyVersion

Resources: *

DeleteTrafficPolicy

Required Permissions (API Action): route53:DeleteTrafficPolicy

Resources: *

GetTrafficPolicy

Required Permissions (API Action): route53:GetTrafficPolicy

Resources: *

ListTrafficPolicies

Required Permissions (API Action): route53:ListTrafficPolicies

Resources: *

ListTrafficPolicyVersions

Required Permissions (API Action): route53:ListTrafficPolicyVersions

Resources: *

UpdateTrafficPolicyComment

Required Permissions (API Action): route53:UpdateTrafficPolicyComment

Resources: *

Required Permissions for Actions on Traffic Policy Instances

CreateTrafficPolicyInstance

Required Permissions (API Action): route53:CreateTrafficPolicyInstance

Resources: *

DeleteTrafficPolicyInstance

Required Permissions (API Action): route53:DeleteTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstance

Required Permissions (API Action): route53:GetTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstanceCount

Required Permissions (API Action): route53:GetTrafficPolicyInstanceCount

Resources: *

ListTrafficPolicyInstances

Required Permissions (API Action): route53:ListTrafficPolicyInstances

Resources: *

ListTrafficPolicyInstancesByHostedZone

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByHostedZone

Resources: *

ListTrafficPolicyInstancesByPolicy

Required Permissions (API Action): route53:ListTrafficPolicyInstancesByPolicy

Resources: *

UpdateTrafficPolicyInstance

Required Permissions (API Action): route53:UpdateTrafficPolicyInstance

Resources: *

Required Permissions for Actions on Health Checks

CreateHealthCheck

Required Permissions (API Action): route53:CreateHealthCheck

Resources: *, arn:aws:route53:::healthcheck/

DeleteHealthCheck

Required Permissions (API Action): route53:DeleteHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetCheckerIpRanges

Required Permissions (API Action): route53:GetCheckerIpRanges

Resources: *

GetHealthCheck

Required Permissions (API Action): route53:GetHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetHealthCheckCount

Required Permissions (API Action): route53:GetHealthCheckCount

Resources: *

GetHealthCheckLastFailureReason

Required Permissions (API Action): route53:GetHealthCheckLastFailureReason

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetHealthCheckStatus

Required Permissions (API Action): route53:GetHealthCheckStatus

Resources: *, arn:aws:route53:::healthcheck/health check ID

ListHealthChecks

Required Permissions (API Action): route53:ListHealthChecks

Resources: *

UpdateHealthCheck

Required Permissions (API Action): route53:UpdateHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

Required Permissions for Actions on Domain Registrations

AddDnssec (console only)

Required Permissions (API Action): route53domains:AddDnssec

Resources: *

CheckDomainAvailability

Required Permissions (API Action): route53domains:CheckDomainAvailability

Resources: *

DeleteDomain (console only)

Required Permissions (API Action): route53domains:DeleteDomain

Resources: *

DisableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

DisableDomainTransferLock

Required Permissions (API Action): route53domains:DisableDomainTransferLock

Resources: *

EnableDomainAutoRenew

Required Permissions (API Action): route53domains:ChangeAutoRenew

Resources: *

EnableDomainTransferLock

Required Permissions (API Action): route53domains:EnableDomainTransferLock

Resources: *

GetContactReachabilityStatus

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetDomainDetail

Required Permissions (API Action): route53domains:GetDomainDetail

Resources: *

GetDomainSuggestions

Required Permissions (API Action): route53domains:ListDomains

Resources: *

GetOperationDetail

Required Permissions (API Action): route53domains:GetOperationDetail

Resources: *

ListDnssec (console only)

Required Permissions (API Action): route53domains:ListDnssec

Resources: *

ListDomains

Required Permissions (API Action): route53domains:ListDomains

Resources: *

ListOperations

Required Permissions (API Action): route53domains:ListOperations

Resources: *

RegisterDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

RemoveDnssec (console only)

Required Permissions (API Action): route53domains:RemoveDnssec

Resources: *

RenewDomain

Required Permissions (API Action): route53domains:RegisterDomain

Resources: *

ResendContactReachabilityEmail

Required Permissions (API Action): route53domains:ListDomains

Resources: *

RetrieveDomainAuthCode

Required Permissions (API Action): route53domains:RetrieveDomainAuthCode

Resources: *

TransferDomain

Required Permissions (API Action): route53domains:TransferDomain

Resources: *

UpdateDomainContact

Required Permissions (API Action): route53domains:UpdateDomainContact

Resources: *

UpdateDomainContactPrivacy

Required Permissions (API Action): route53domains:UpdateDomainContactPrivacy

Resources: *

UpdateDomainNameservers

Required Permissions (API Action): route53domains:UpdateDomainNameservers

Resources: *

ViewBilling

Required Permissions (API Action): route53domains:ViewBilling

Resources: *

Required Permissions for Route 53 Resolver Actions

AssociateResolverEndpointIpAddress

Required Permissions (API Action): route53resolver:AssociateResolverEndpointIpAddress, ec2:DescribeSubnets, ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterfacePermission

Resources: *

AssociateResolverRule

Required Permissions (API Action): route53resolver:AssociateResolverRule, ec2:DescribeVpcs

Resources: *

CreateResolverEndpoint

Required Permissions (API Action): route53resolver:CreateResolverEndpoint, ec2:DescribeSubnets, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterfacePermission, ec2:DescribeSecurityGroups

Resources: *

CreateResolverRule

Required Permissions (API Action): route53resolver:CreateResolverRule

Resources: *

DeleteResolverEndpoint

Required Permissions (API Action): route53resolver:DeleteResolverEndpoint, ec2:DeleteNetworkInterface

Resources: *

DeleteResolverRule

Required Permissions (API Action): route53resolver:DeleteResolverRule

Resources: *

DisassociateResolverEndpointIpAddress

Required Permissions (API Action): route53resolver:DisassociateResolverEndpointIpAddress, ec2:DeleteNetworkInterface

Resources: *

DisassociateResolverRule

Required Permissions (API Action): route53resolver:DisassociateResolverRule

Resources: *

GetResolverEndpoint

Required Permissions (API Action): route53resolver:GetResolverEndpoint

Resources: *

GetResolverRule

Required Permissions (API Action): route53resolver:GetResolverRule

Resources: *

GetResolverRuleAssociation

Required Permissions (API Action): route53resolver:GetResolverRuleAssociation, ec2:DescribeVpcs

Resources: *

GetResolverRulePolicy

Required Permissions (API Action): route53resolver:GetResolverRulePolicy

Resources: *

ListResolverEndpointIpAddresses

Required Permissions (API Action): route53resolver:ListResolverEndpointIpAddresses

Resources: *

ListResolverEndpoints

Required Permissions (API Action): route53resolver:ListResolverEndpoints

Resources: *

ListResolverRuleAssociations

Required Permissions (API Action): route53resolver:ListResolverRuleAssociations, ec2:DescribeVpcs

Resources: *

ListResolverRules

Required Permissions (API Action): route53resolver:ListResolverRules

Resources: *

ListTagsForResource

Required Permissions (API Action): route53resolver:ListTagsForResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/

PutResolverRulePolicy

Required Permissions (API Action): route53resolver:PutResolverRulePolicy

Resources: *

TagResource

Required Permissions (API Action): route53resolver:TagResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*

UntagResource

Required Permissions (API Action): route53resolver:UntagResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*

UpdateResolverEndpoint

Required Permissions (API Action): route53resolver:UpdateResolverEndpoint

Resources: *

UpdateResolverRule

Required Permissions (API Action): route53resolver:UpdateResolverRule

Resources: *

Required Permissions for Actions to Get Limits for Accounts, Hosted Zones, and Reusable Delegation Sets

GetAccountLimit

Required Permissions (API Action): route53:GetAccountLimit

Resources: *

GetHostedZoneLimit

Required Permissions (API Action): route53:GetHostedZoneLimit

Resources: *

GetReusableDelegationSetLimit

Required Permissions (API Action): route53:GetReusableDelegationSetLimit

Resources: *

Required Permissions for Actions on Tags for Hosted Zones and Health Checks

ChangeTagsForResource

Required Permissions (API Action): route53:ChangeTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResource

Required Permissions (API Action): route53:ListTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResources

Required Permissions (API Action): route53:ListTagsForResources

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

Required Permissions for Actions on Tags for Domains

DeleteTagsForDomain

Required Permissions (API Action): route53domains:DeleteTagsForDomain

Resources: *

ListTagsForDomain

Required Permissions (API Action): route53domains:ListTagsForDomain

Resources: *

UpdateTagsForDomain

Required Permissions (API Action): route53domains:UpdateTagsForDomain

Resources: *