Actions, resources, and condition keys for Amazon Route 53 Resolver - Service Authorization Reference

Actions, resources, and condition keys for Amazon Route 53 Resolver

Amazon Route 53 Resolver (service prefix: route53resolver) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Route 53 Resolver

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssociateFirewallRuleGroup Grants permission to associate an Amazon VPC with a specified firewall rule group Write

firewall-rule-group-association*

ec2:DescribeVpcs

aws:RequestTag/${TagKey}

aws:TagKeys

AssociateResolverEndpointIpAddress Grants permission to associate a specified IP address with a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) Write

resolver-endpoint*

ec2:CreateNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

AssociateResolverQueryLogConfig Grants permission to associate an Amazon VPC with a specified query logging configuration Write

resolver-query-log-config*

ec2:DescribeVpcs

AssociateResolverRule Grants permission to associate a specified Resolver rule with a specified VPC Write

resolver-rule*

ec2:DescribeVpcs

CreateFirewallDomainList Grants permission to create a Firewall domain list Write

firewall-domain-list*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFirewallRule Grants permission to create a Firewall rule within a Firewall rule group Write

firewall-domain-list*

firewall-rule-group*

CreateFirewallRuleGroup Grants permission to create a Firewall rule group Write

firewall-rule-group*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateOutpostResolver Grants permission to create a Route 53 Resolver on Outposts Write

outpost-resolver*

outposts:GetOutpost

aws:RequestTag/${TagKey}

aws:TagKeys

CreateResolverEndpoint Grants permission to create a Resolver endpoint. There are two types of Resolver endpoints, inbound and outbound Write

resolver-endpoint*

ec2:CreateNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

aws:RequestTag/${TagKey}

aws:TagKeys

CreateResolverQueryLogConfig Grants permission to create a Resolver query logging configuration, which defines where you want Resolver to save DNS query logs that originate in your VPCs Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateResolverRule Grants permission to define how to route queries originating from your VPC out of the VPC Write

resolver-rule*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteFirewallDomainList Grants permission to delete a Firewall domain list Write

firewall-domain-list*

DeleteFirewallRule Grants permission to delete a Firewall rule within a Firewall rule group Write

firewall-domain-list*

firewall-rule-group*

DeleteFirewallRuleGroup Grants permission to delete a Firewall rule group Write

firewall-rule-group*

DeleteOutpostResolver Grants permission to delete a Route 53 Resolver on Outposts Write

outpost-resolver*

DeleteResolverEndpoint Grants permission to delete a Resolver endpoint. The effect of deleting a Resolver endpoint depends on whether it's an inbound or an outbound endpoint Write

resolver-endpoint*

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

DeleteResolverQueryLogConfig Grants permission to delete a Resolver query logging configuration Write

resolver-query-log-config*

DeleteResolverRule Grants permission to delete a Resolver rule Write

resolver-rule*

DisassociateFirewallRuleGroup Grants permission to remove the association between a specified Firewall rule group and a specified VPC Write

firewall-rule-group-association*

DisassociateResolverEndpointIpAddress Grants permission to remove a specified IP address from a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) Write

resolver-endpoint*

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

DisassociateResolverQueryLogConfig Grants permission to remove the association between a specified Resolver query logging configuration and a specified VPC Write

resolver-query-log-config*

DisassociateResolverRule Grants permission to remove the association between a specified Resolver rule and a specified VPC Write

resolver-rule*

GetFirewallConfig Grants permission to get information about a specified Firewall config Read

firewall-config*

ec2:DescribeVpcs

GetFirewallDomainList Grants permission to get information about a specified Firewall domain list Read

firewall-domain-list*

GetFirewallRuleGroup Grants permission to get information about a specified Firewall rule group Read

firewall-rule-group*

GetFirewallRuleGroupAssociation Grants permission to get information about an association between a specified Firewall rule group and a VPC Read

firewall-rule-group-association*

GetFirewallRuleGroupPolicy Grants permission to get information about a specified Firewall rule group policy, which specifies the Firewall rule group operations and resources that you want to allow another AWS account to use Read

firewall-rule-group*

GetOutpostResolver Grants permission to get information about a specified Route 53 Resolver on Outposts Read

outpost-resolver*

GetResolverConfig Grants permission to get the Resolver Config status within the specified resource Read

resolver-config*

ec2:DescribeVpcs

GetResolverDnssecConfig Grants permission to get the DNSSEC validation support status for DNS queries within the specified resource Read

resolver-dnssec-config*

GetResolverEndpoint Grants permission to get information about a specified Resolver endpoint, such as whether it's an inbound or an outbound endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC Read

resolver-endpoint*

GetResolverQueryLogConfig Grants permission to get information about a specified Resolver query logging configuration, such as the number of VPCs that the configuration is logging queries for and the location that logs are sent to Read

resolver-query-log-config*

ec2:DescribeVpcs

GetResolverQueryLogConfigAssociation Grants permission to get information about a specified association between a Resolver query logging configuration and an Amazon VPC. When you associate a VPC with a query logging configuration, Resolver logs DNS queries that originate in that VPC Read
GetResolverQueryLogConfigPolicy Grants permission to get information about a specified Resolver query logging policy, which specifies the Resolver query logging operations and resources that you want to allow another AWS account to use Read

resolver-query-log-config*

GetResolverRule Grants permission to get information about a specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the IP address that queries are forwarded to Read

resolver-rule*

GetResolverRuleAssociation Grants permission to get information about an association between a specified Resolver rule and a VPC Read

resolver-rule*

GetResolverRulePolicy Grants permission to get information about a Resolver rule policy, which specifies the Resolver operations and resources that you want to allow another AWS account to use Read

resolver-rule*

ImportFirewallDomains Grants permission to add, remove or replace Firewall domains in a Firewall domain list Write

firewall-domain-list*

ListFirewallConfigs Grants permission to list all the Firewall config that current AWS account is able to check List

ec2:DescribeVpcs

ListFirewallDomainLists Grants permission to list all the Firewall domain list that current AWS account is able to use List
ListFirewallDomains Grants permission to list all the Firewall domain under a speicfied Firewall domain list List

firewall-domain-list*

ListFirewallRuleGroupAssociations Grants permission to list information about associations between Amazon VPCs and Firewall rule group List
ListFirewallRuleGroups Grants permission to list all the Firewall rule group that current AWS account is able to use List
ListFirewallRules Grants permission to list all the Firewall rule under a speicfied Firewall rule group List

firewall-rule-group*

ListOutpostResolvers Grants permission to list all instances of Route 53 Resolver on Outposts that were created using the current AWS account List
ListResolverConfigs Grants permission to list Resolver Config statuses List

resolver-config*

ec2:DescribeVpcs

ListResolverDnssecConfigs Grants permission to list the DNSSEC validation support status for DNS queries List

resolver-dnssec-config*

ListResolverEndpointIpAddresses Grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) for a specified Resolver endpoint List

resolver-endpoint*

ListResolverEndpoints Grants permission to list all the Resolver endpoints that were created using the current AWS account List
ListResolverQueryLogConfigAssociations Grants permission to list information about associations between Amazon VPCs and query logging configurations List

ec2:DescribeVpcs

ListResolverQueryLogConfigs Grants permission to list information about the specified query logging configurations, which define where you want Resolver to save DNS query logs and specify the VPCs that you want to log queries for List

ec2:DescribeVpcs

ListResolverRuleAssociations Grants permission to list the associations that were created between Resolver rules and VPCs using the current AWS account List

ec2:DescribeVpcs

ListResolverRules Grants permission to list the Resolver rules that were created using the current AWS account List
ListTagsForResource Grants permission to list the tags that you associated with the specified resource Read

firewall-domain-list

firewall-rule-group

firewall-rule-group-association

outpost-resolver

resolver-endpoint

resolver-query-log-config

resolver-rule

PutFirewallRuleGroupPolicy Grants permission to specify an AWS account that you want to share a Firewall rule group with, the Firewall rule group that you want to share, and the operations that you want the account to be able to perform on the configuration Permissions management

firewall-rule-group*

PutResolverQueryLogConfigPolicy Grants permission to specify an AWS account that you want to share a query logging configuration with, the query logging configuration that you want to share, and the operations that you want the account to be able to perform on the configuration Permissions management

resolver-query-log-config*

PutResolverRulePolicy Grants permission to specify an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules Permissions management

resolver-rule*

TagResource Grants permission to add one or more tags to a specified resource Tagging

firewall-config

firewall-domain-list

firewall-rule-group

firewall-rule-group-association

outpost-resolver

resolver-dnssec-config

resolver-endpoint

resolver-query-log-config

resolver-rule

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove one or more tags from a specified resource Tagging

firewall-config

firewall-domain-list

firewall-rule-group

firewall-rule-group-association

outpost-resolver

resolver-dnssec-config

resolver-endpoint

resolver-query-log-config

resolver-rule

aws:TagKeys

UpdateFirewallConfig Grants permission to update selected settings for an Firewall config Write

firewall-config*

ec2:DescribeVpcs

UpdateFirewallDomains Grants permission to add, remove or replace Firewall domains in a Firewall domain list Write

firewall-domain-list*

UpdateFirewallRule Grants permission to update selected settings for an Firewall rule in a Firewall rule group Write

firewall-domain-list*

firewall-rule-group*

UpdateFirewallRuleGroupAssociation Grants permission to update selected settings for an Firewall rule group association Write

firewall-rule-group-association*

UpdateOutpostResolver Grants permission to update seletected settings for a specified Route 53 Resolver on Outposts Write

outpost-resolver*

UpdateResolverConfig Grants permission to update the Resolver Config status within the specified resource Write

resolver-config*

ec2:DescribeVpcs

UpdateResolverDnssecConfig Grants permission to update the DNSSEC validation support status for DNS queries within the specified resource Write

resolver-dnssec-config*

UpdateResolverEndpoint Grants permission to update selected settings for an inbound or an outbound Resolver endpoint Write

resolver-endpoint*

ec2:AssignIpv6Addresses

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:ModifyNetworkInterfaceAttribute

ec2:UnassignIpv6Addresses

UpdateResolverRule Grants permission to update settings for a specified Resolver rule Write

resolver-rule*

Resource types defined by Amazon Route 53 Resolver

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
resolver-dnssec-config arn:${Partition}:route53resolver:${Region}:${Account}:resolver-dnssec-config/${ResourceId}

aws:ResourceTag/${TagKey}

resolver-query-log-config arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId}

aws:ResourceTag/${TagKey}

resolver-rule arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId}

aws:ResourceTag/${TagKey}

resolver-endpoint arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId}

aws:ResourceTag/${TagKey}

firewall-rule-group arn:${Partition}:route53resolver:${Region}:${Account}:firewall-rule-group/${ResourceId}

aws:ResourceTag/${TagKey}

firewall-rule-group-association arn:${Partition}:route53resolver:${Region}:${Account}:firewall-rule-group-association/${ResourceId}

aws:ResourceTag/${TagKey}

firewall-domain-list arn:${Partition}:route53resolver:${Region}:${Account}:firewall-domain-list/${ResourceId}

aws:ResourceTag/${TagKey}

firewall-config arn:${Partition}:route53resolver:${Region}:${Account}:firewall-config/${ResourceId}

aws:ResourceTag/${TagKey}

resolver-config arn:${Partition}:route53resolver:${Region}:${Account}:resolver-config/${ResourceId}
outpost-resolver arn:${Partition}:route53resolver:${Region}:${Account}:outpost-resolver/${ResourceId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Route 53 Resolver

Amazon Route 53 Resolver defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by the presence of tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the presence of tag keys in the request ArrayOfString