Actions, resources, and condition keys for Amazon Route 53 - Service Authorization Reference

Actions, resources, and condition keys for Amazon Route 53

Amazon Route 53 (service prefix: route53) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Route 53

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
ActivateKeySigningKey Grants permission to activate a key-signing key so that it can be used for signing by DNSSEC Write

hostedzone*

AssociateVPCWithHostedZone Grants permission to associate an additional Amazon VPC with a private hosted zone Write

hostedzone

ec2:DescribeVpcs

ChangeCidrCollection Grants permission to create or delete CIDR blocks within a CIDR collection Write

cidrcollection*

ChangeResourceRecordSets Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name Write

hostedzone*

route53:ChangeResourceRecordSetsNormalizedRecordNames

route53:ChangeResourceRecordSetsRecordTypes

route53:ChangeResourceRecordSetsActions

ChangeTagsForResource Grants permission to add, edit, or delete tags for a health check or a hosted zone Tagging

healthcheck*

hostedzone*

CreateCidrCollection Grants permission to create a new CIDR collection Write
CreateHealthCheck Grants permission to create a new health check, which monitors the health and performance of your web applications, web servers, and other resources Write
CreateHostedZone Grants permission to create a public hosted zone, which you use to specify how the Domain Name System (DNS) routes traffic on the Internet for a domain, such as example.com, and its subdomains Write

ec2:DescribeVpcs

CreateKeySigningKey Grants permission to create a new key-signing key associated with a hosted zone Write

hostedzone*

CreateQueryLoggingConfig Grants permission to create a configuration for DNS query logging Write

hostedzone*

CreateReusableDelegationSet Grants permission to create a delegation set (a group of four name servers) that can be reused by multiple hosted zones Write
CreateTrafficPolicy Grants permission to create a traffic policy, which you use to create multiple DNS records for one domain name (such as example.com) or one subdomain name (such as www.example.com) Write
CreateTrafficPolicyInstance Grants permission to create records in a specified hosted zone based on the settings in a specified traffic policy version Write

hostedzone*

trafficpolicy*

CreateTrafficPolicyVersion Grants permission to create a new version of an existing traffic policy Write

trafficpolicy*

CreateVPCAssociationAuthorization Grants permission to authorize the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request, which associates the VPC with a specified hosted zone that was created by a different account Write

hostedzone*

DeactivateKeySigningKey Grants permission to deactivate a key-signing key so that it will not be used for signing by DNSSEC Write

hostedzone*

DeleteCidrCollection Grants permission to delete a CIDR collection Write

cidrcollection*

DeleteHealthCheck Grants permission to delete a health check Write

healthcheck*

DeleteHostedZone Grants permission to delete a hosted zone Write

hostedzone*

DeleteKeySigningKey Grants permission to delete a key-signing key Write

hostedzone*

DeleteQueryLoggingConfig Grants permission to delete a configuration for DNS query logging Write

queryloggingconfig*

DeleteReusableDelegationSet Grants permission to delete a reusable delegation set Write

delegationset*

DeleteTrafficPolicy Grants permission to delete a traffic policy Write

trafficpolicy*

DeleteTrafficPolicyInstance Grants permission to delete a traffic policy instance and all the records that Route 53 created when you created the instance Write

trafficpolicyinstance*

DeleteVPCAssociationAuthorization Grants permission to remove authorization for associating an Amazon Virtual Private Cloud with a Route 53 private hosted zone Write

hostedzone*

DisableHostedZoneDNSSEC Grants permission to disable DNSSEC signing in a specific hosted zone Write

hostedzone*

DisassociateVPCFromHostedZone Grants permission to disassociate an Amazon Virtual Private Cloud from a Route 53 private hosted zone Write

hostedzone

ec2:DescribeVpcs

EnableHostedZoneDNSSEC Grants permission to enable DNSSEC signing in a specific hosted zone Write

hostedzone*

GetAccountLimit Grants permission to get the specified limit for the current account, for example, the maximum number of health checks that you can create using the account Read
GetChange Grants permission to get the current status of a request to create, update, or delete one or more records List

change*

GetCheckerIpRanges Grants permission to get a list of the IP ranges that are used by Route 53 health checkers to check the health of your resources List
GetDNSSEC Grants permission to get information about DNSSEC for a specific hosted zone, including the key-signing keys in the hosted zone Read

hostedzone*

GetGeoLocation Grants permission to get information about whether a specified geographic location is supported for Route 53 geolocation records List
GetHealthCheck Grants permission to get information about a specified health check Read

healthcheck*

GetHealthCheckCount Grants permission to get the number of health checks that are associated with the current AWS account List
GetHealthCheckLastFailureReason Grants permission to get the reason that a specified health check failed most recently List

healthcheck*

GetHealthCheckStatus Grants permission to get the status of a specified health check List

healthcheck*

GetHostedZone Grants permission to get information about a specified hosted zone including the four name servers that Route 53 assigned to the hosted zone List

hostedzone*

GetHostedZoneCount Grants permission to get the number of hosted zones that are associated with the current AWS account List
GetHostedZoneLimit Grants permission to get the specified limit for a specified hosted zone Read

hostedzone*

GetQueryLoggingConfig Grants permission to get information about a specified configuration for DNS query logging Read

queryloggingconfig*

GetReusableDelegationSet Grants permission to get information about a specified reusable delegation set, including the four name servers that are assigned to the delegation set List

delegationset*

GetReusableDelegationSetLimit Grants permission to get the maximum number of hosted zones that you can associate with the specified reusable delegation set Read

delegationset*

GetTrafficPolicy Grants permission to get information about a specified traffic policy version Read

trafficpolicy*

GetTrafficPolicyInstance Grants permission to get information about a specified traffic policy instance Read

trafficpolicyinstance*

GetTrafficPolicyInstanceCount Grants permission to get the number of traffic policy instances that are associated with the current AWS account Read
ListCidrBlocks Grants permission to get a list of the CIDR blocks within a specified CIDR collection List

cidrcollection*

ListCidrCollections Grants permission to get a list of the CIDR collections that are associated with the current AWS account List
ListCidrLocations Grants permission to get a list of the CIDR locations that belong to a specified CIDR collection List

cidrcollection*

ListGeoLocations Grants permission to get a list of geographic locations that Route 53 supports for geolocation Read
ListHealthChecks Grants permission to get a list of the health checks that are associated with the current AWS account Read
ListHostedZones Grants permission to get a list of the public and private hosted zones that are associated with the current AWS account List
ListHostedZonesByName Grants permission to get a list of your hosted zones in lexicographic order. Hosted zones are sorted by name with the labels reversed, for example, com.example.www List
ListHostedZonesByVPC Grants permission to get a list of all the private hosted zones that a specified VPC is associated with List

ec2:DescribeVpcs

ListQueryLoggingConfigs Grants permission to list the configurations for DNS query logging that are associated with the current AWS account or the configuration that is associated with a specified hosted zone List

hostedzone

ListResourceRecordSets Grants permission to list the records in a specified hosted zone List

hostedzone*

ListReusableDelegationSets Grants permission to list the reusable delegation sets that are associated with the current AWS account. Read
ListTagsForResource Grants permission to list tags for one health check or hosted zone Read

healthcheck

hostedzone

ListTagsForResources Grants permission to list tags for up to 10 health checks or hosted zones Read

healthcheck

hostedzone

ListTrafficPolicies Grants permission to get information about the latest version for every traffic policy that is associated with the current AWS account. Policies are listed in the order in which they were created List
ListTrafficPolicyInstances Grants permission to get information about the traffic policy instances that you created by using the current AWS account Read
ListTrafficPolicyInstancesByHostedZone Grants permission to get information about the traffic policy instances that you created in a specified hosted zone List

hostedzone*

ListTrafficPolicyInstancesByPolicy Grants permission to get information about the traffic policy instances that you created using a specified traffic policy version List

trafficpolicy*

ListTrafficPolicyVersions Grants permission to get information about all the versions for a specified traffic policy List

trafficpolicy*

ListVPCAssociationAuthorizations Grants permission to get a list of the VPCs that were created by other accounts and that can be associated with a specified hosted zone List

hostedzone*

TestDNSAnswer Grants permission to get the value that Route 53 returns in response to a DNS query for a specified record name and type Read
UpdateHealthCheck Grants permission to update an existing health check Write

healthcheck*

UpdateHostedZoneComment Grants permission to update the comment for a specified hosted zone Write

hostedzone*

UpdateTrafficPolicyComment Grants permission to update the comment for a specified traffic policy version Write

trafficpolicy*

UpdateTrafficPolicyInstance Grants permission to update the records in a specified hosted zone that were created based on the settings in a specified traffic policy version Write

trafficpolicyinstance*

Resource types defined by Amazon Route 53

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
cidrcollection arn:${Partition}:route53:::cidrcollection/${Id}
change arn:${Partition}:route53:::change/${Id}
delegationset arn:${Partition}:route53:::delegationset/${Id}
healthcheck arn:${Partition}:route53:::healthcheck/${Id}
hostedzone arn:${Partition}:route53:::hostedzone/${Id}
trafficpolicy arn:${Partition}:route53:::trafficpolicy/${Id}
trafficpolicyinstance arn:${Partition}:route53:::trafficpolicyinstance/${Id}
queryloggingconfig arn:${Partition}:route53:::queryloggingconfig/${Id}
vpc arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}

Condition keys for Amazon Route 53

Amazon Route 53 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
route53:ChangeResourceRecordSetsActions Filters access by the change actions, CREATE, UPSERT, or DELETE, in a ChangeResourceRecordSets request ArrayOfString
route53:ChangeResourceRecordSetsNormalizedRecordNames Filters access by the normalized DNS record names in a ChangeResourceRecordSets request ArrayOfString
route53:ChangeResourceRecordSetsRecordTypes Filters access by the DNS record types in a ChangeResourceRecordSets request ArrayOfString