Resource record set permissions - Amazon Route 53


Resource record set permissions use AWS Identity and Access Management (IAM) policy conditions to let you set granular permissions for actions performed in the Route 53 console or through the ChangeResourceRecordSets API.

A resource record set is a group of resource records that share the same name, type, and class (for most purposes the class is always IN, for internet) but contain different data. For example, if you choose geolocation routing, you can have multiple A or AAAA records pointing to different endpoints for the same domain. All of these A or AAAA records together form a resource record set. For more information about DNS terminology, see RFC 7719.

With the IAM policy conditions route53:ChangeResourceRecordSetsNormalizedRecordNames, route53:ChangeResourceRecordSetsRecordTypes, and route53:ChangeResourceRecordSetsActions, you can grant granular administrative rights to other AWS users in any other AWS account. This allows you to grant someone permissions limited to:

  • A single resource record set.

  • All resource record sets of a specific DNS record type.

  • Resource record sets whose names contain a specific string.

  • Any or all of the CREATE | UPSERT | DELETE actions when using the ChangeResourceRecordSets API or the Route 53 console.

You can also create access permissions that combine any of the Route 53 policy conditions. For example, you can grant someone permissions to modify the A record data for marketing-example.com, but not allow that user to delete any records.
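As an added example (not from the Route 53 documentation), the following identity-based IAM policy expresses the case just described: the identity may create or update A records named marketing-example.com in one hosted zone, and this statement grants no DELETE. The hosted zone ID is a placeholder; the three condition keys are the ones named above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOrUpdateMarketingARecordsOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_PLACEHOLDER",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "marketing-example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "A"
          ],
          "route53:ChangeResourceRecordSetsActions": [
            "CREATE",
            "UPSERT"
          ]
        }
      }
    }
  ]
}
```

Because ChangeResourceRecordSets submits a batch, ForAllValues requires every change in the batch to match; a batch that includes a DELETE, a non-A type, or another record name is rejected as a whole rather than partially applied. The conditions only narrow what this Allow grants, so a DELETE is refused only if no other attached policy allows it; add an explicit Deny if that must hold regardless of other policies.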

For more information about resource record set permissions, see Using IAM policy conditions for fine-grained access control to manage resource record sets.

To learn how to authenticate AWS users, see Authenticating with identities; to learn how to control access to Route 53 resources, see Access control.