Actions, resources, and condition keys for Amazon Route 53 Resolver - Service Authorization Reference

Actions, resources, and condition keys for Amazon Route 53 Resolver

Amazon Route 53 Resolver (service prefix: route53resolver) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Route 53 Resolver

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssociateResolverEndpointIpAddress Grants permission to associate a specified IP address with a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) Write

resolver-endpoint*

AssociateResolverQueryLogConfig Grants permission to associate an Amazon VPC with a specified query logging configuration Write

resolver-query-log-config*

AssociateResolverRule Grants permission to associate a specified Resolver rule with a specified VPC Write

resolver-rule*

CreateResolverEndpoint Grants permission to create a Resolver endpoint. There are two types of Resolver endpoints, inbound and outbound Write

resolver-endpoint*

CreateResolverQueryLogConfig Grants permission to create a Resolver query logging configuration, which defines where you want Resolver to save DNS query logs that originate in your VPCs Write

resolver-query-log-config*

CreateResolverRule For DNS queries that originate in your VPC, grants permission to define how to route the queries out of the VPC Write

resolver-rule*

DeleteResolverEndpoint Grants permission to delete a Resolver endpoint. The effect of deleting a Resolver endpoint depends on whether it's an inbound or an outbound endpoint Write

resolver-endpoint*

DeleteResolverQueryLogConfig Grants permission to delete a Resolver query logging configuration Write

resolver-query-log-config*

DeleteResolverRule Grants permission to delete a Resolver rule Write

resolver-rule*

DisassociateResolverEndpointIpAddress Grants permission to remove a specified IP address from a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) Write

resolver-endpoint*

DisassociateResolverQueryLogConfig Grants permission to remove the association between a specified Resolver query logging configuration and a specified VPC Write

resolver-query-log-config*

DisassociateResolverRule Grants permission to remove the association between a specified Resolver rule and a specified VPC Write

resolver-rule*

GetResolverEndpoint Grants permission to get information about a specified Resolver endpoint, such as whether it's an inbound or an outbound endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC Read

resolver-endpoint*

GetResolverQueryLogConfig Grants permission to get information about a specified Resolver query logging configuration, such as the number of VPCs that the configuration is logging queries for and the location that logs are sent to Read

resolver-query-log-config*

GetResolverQueryLogConfigAssociation Grants permission to get information about a specified association between a Resolver query logging configuration and an Amazon VPC. When you associate a VPC with a query logging configuration, Resolver logs DNS queries that originate in that VPC Read

resolver-query-log-config*

GetResolverQueryLogConfigPolicy Grants permission to get information about a specified Resolver query logging policy, which specifies the Resolver query logging operations and resources that you want to allow another AWS account to use Read

resolver-query-log-config*

GetResolverRule Grants permission to get information about a specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the IP address that queries are forwarded to. Read

resolver-rule*

GetResolverRuleAssociation Grants permission to get information about an association between a specified Resolver rule and a VPC Read

resolver-rule*

GetResolverRulePolicy Grants permission to get information about a Resolver rule policy, which specifies the Resolver operations and resources that you want to allow another AWS account to use Read

resolver-rule*

ListResolverEndpointIpAddresses For a specified Resolver endpoint, grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) List

resolver-endpoint*

ListResolverEndpoints Grants permission to list all the Resolver endpoints that were created using the current AWS account List
ListResolverQueryLogConfigAssociations Grants permission to list information about associations between Amazon VPCs and query logging configurations List

resolver-query-log-config*

ListResolverQueryLogConfigs Grants permission to list information about the specified query logging configurations, which define where you want Resolver to save DNS query logs and specify the VPCs that you want to log queries for List

resolver-query-log-config*

ListResolverRuleAssociations Grants permission to list the associations that were created between Resolver rules and VPCs using the current AWS account List
ListResolverRules Grants permission to list the Resolver rules that were created using the current AWS account List
ListTagsForResource Grants permission to list the tags that you associated with the specified resource Read

resolver-endpoint

resolver-rule

PutResolverQueryLogConfigPolicy Grants permission to specify an AWS account that you want to share a query logging configuration with, the query logging configuration that you want to share, and the operations that you want the account to be able to perform on the configuration Write

resolver-query-log-config*

PutResolverRulePolicy Grants permission to specify an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules Write

resolver-rule*

TagResource Grants permission to add one or more tags to a specified resource Tagging

resolver-endpoint

resolver-rule

UntagResource Grants permission to remove one or more tags from a specified resource Tagging

resolver-endpoint

resolver-rule

UpdateResolverEndpoint Grants permission to update selected settings for an inbound or an outbound Resolver endpoint Write

resolver-endpoint*

UpdateResolverRule Grants permission to update settings for a specified Resolver rule Write

resolver-rule*

Resource types defined by Amazon Route 53 Resolver

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types ARN Condition keys
resolver-query-log-config arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId}

aws:ResourceTag/${TagKey}

resolver-rule arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId}

aws:ResourceTag/${TagKey}

resolver-endpoint arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Route 53 Resolver

Amazon Route 53 Resolver defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters actions based on tag key-value pairs attached to the resource String
aws:TagKeys Filters actions based on the presence of tag keys in the request String