

# Identity and access management in Amazon Route 53
<a name="security-iam"></a>

To perform any operation on Amazon Route 53 resources, such as registering a domain or updating a record, AWS Identity and Access Management (IAM) requires you to authenticate that you're an approved AWS user. If you're using the Route 53 console, you authenticate your identity by providing your AWS user name and a password. 

After you authenticate your identity, IAM controls your access to AWS by verifying that you have permissions to perform operations and to access resources. If you are an account administrator, you can use IAM to control the access of other users to the resources that are associated with your account.

This chapter explains how to use [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and Route 53 to help secure your resources.

**Topics**
+ [Authenticating with identities](#security_iam_authentication)
+ [Access control](#access-control)
+ [Using Service-Linked Roles for Amazon Route 53 Resolver](using-service-linked-roles.md)
+ [AWS managed policies for Amazon Route 53](security-iam-awsmanpol-route53.md)
+ [Using IAM policy conditions for fine-grained access control](specifying-conditions-route53.md)
+ [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md)

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### Federated identity
<a name="security_iam_authentication-federated"></a>

As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Access control
<a name="access-control"></a>

To create, update, delete, or list Amazon Route 53 resources, you need permissions to perform the operation, and you need permission to access the corresponding resources. 

The following sections describe how to manage permissions for Route 53. We recommend that you read the overview first.

**Topics**
+ [Overview of managing access permissions to your Amazon Route 53 resources](access-control-overview.md)
+ [Using identity-based policies (IAM policies) for Amazon Route 53](access-control-managing-permissions.md)

# Overview of managing access permissions to your Amazon Route 53 resources
<a name="access-control-overview"></a>

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies.

**Note**  
An *account administrator* (or administrator user) is a user that has administrator privileges. For more information about administrators, see [IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When you grant permissions, you decide who gets the permissions, the resources they get permissions for, and the actions that they get permissions to perform.

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.

| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. See the [AWS documentation website](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html) for more details. |
| Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. See the [AWS documentation website](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html) for more details. |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the *IAM User Guide*. |
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. See the [AWS documentation website](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html) for more details. |

**Topics**
+ [ARNs for Amazon Route 53 resources](#access-control-resources)
+ [Understanding resource ownership](#access-control-owner)
+ [Managing access to resources](#access-control-manage-access-intro)
+ [Specifying policy elements: Resources, actions, effects, and principals](#access-control-specify-r53-actions)
+ [Specifying conditions in a policy](#specifying-conditions)

### ARNs for Amazon Route 53 resources
<a name="access-control-resources"></a>

Amazon Route 53 supports a variety of resource types for DNS, health checking, and domain registration. In a policy, you can grant or deny access to the following resources by using `*` for the ARN:
+ Health checks
+ Hosted zones
+ Reusable delegation sets
+ Status of a resource record set change batch (API only)
+ Traffic policies (traffic flow)
+ Traffic policy instances (traffic flow)

Not all Route 53 resources support permissions. You can't grant or deny access to the following resources:
+ Domains
+ Individual records
+ Tags for domains
+ Tags for health checks
+ Tags for hosted zones

Route 53 provides API actions to work with each of these types of resources. For more information, see the [Amazon Route 53 API Reference](https://docs.aws.amazon.com/Route53/latest/APIReference/). For a list of actions and the ARN that you specify to grant or deny permission to use each action, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

### Understanding resource ownership
<a name="access-control-owner"></a>

An AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the principal entity (that is, the root account, or an IAM role) that authenticates the resource creation request. 

The following examples illustrate how this works:
+ If you use the root account credentials of your AWS account to create a hosted zone, your AWS account is the owner of the resource.
+ If you create a user in your AWS account and grant permissions to create a hosted zone to that user, the user can create a hosted zone. However, your AWS account, to which the user belongs, owns the hosted zone resource.
+ If you create an IAM role in your AWS account with permissions to create a hosted zone, anyone who can assume the role can create a hosted zone. Your AWS account, to which the role belongs, owns the hosted zone resource.

### Managing access to resources
<a name="access-control-manage-access-intro"></a>

A *permissions policy* specifies who has access to what. This section explains the options for creating permissions policies for Amazon Route 53. For general information about IAM policy syntax and descriptions, see the [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies), and policies attached to a resource are referred to as *resource-based* policies. Route 53 supports only identity-based policies (IAM policies).

**Topics**
+ [Identity-based policies (IAM policies)](#access-control-manage-access-intro-iam-policies)
+ [Resource-based policies](#access-control-manage-access-intro-resource-policies)

#### Identity-based policies (IAM policies)
<a name="access-control-manage-access-intro-iam-policies"></a>

You can attach policies to IAM identities. For example, you can do the following:
+ **Attach a permissions policy to a user or a group in your account** – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create Amazon Route 53 resources.
+ **Attach a permissions policy to a role (grant cross-account permissions)** – You can grant permission to perform Route 53 actions to a user that was created by another AWS account. To do so, you attach a permissions policy to an IAM role, and then you allow the user in the other account to assume the role. The following example explains how this works for two AWS accounts, account A and account B:

  1. Account A administrator creates an IAM role and attaches to the role a permissions policy that grants permissions to create or access resources that are owned by account A.

  1. Account A administrator attaches a trust policy to the role. The trust policy identifies account B as the principal that can assume the role.

  1. Account B administrator can then delegate permissions to assume the role to users or groups in Account B. This allows users in account B to create or access resources in account A.

  For more information about how to delegate permissions to users in another AWS account, see [Access management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*.

The following example policy allows a user to perform the `CreateHostedZone` action to create a public hosted zone for any AWS account:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:CreateHostedZone"
            ],
            "Resource": "*"
        }
    ]
}
```

If you want the policy to also apply to private hosted zones, you also need to grant permission to use the Route 53 `AssociateVPCWithHostedZone` action and two Amazon EC2 actions, `DescribeVpcs` and `DescribeRegions`, as shown in the following example:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:CreateHostedZone",
                "route53:AssociateVPCWithHostedZone"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}
```

For more information about attaching policies to identities for Route 53, see [Using identity-based policies (IAM policies) for Amazon Route 53](access-control-managing-permissions.md). For more information about users, groups, roles, and permissions, see [Identities (users, groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*.

#### Resource-based policies
<a name="access-control-manage-access-intro-resource-policies"></a>

Other services, such as Amazon S3, also support attaching permissions policies to resources. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Amazon Route 53 doesn't support attaching policies to resources. 

### Specifying policy elements: Resources, actions, effects, and principals
<a name="access-control-specify-r53-actions"></a>

Amazon Route 53 includes API actions (see the [Amazon Route 53 API Reference](https://docs.aws.amazon.com/Route53/latest/APIReference/)) that you can use on each Route 53 resource (see [ARNs for Amazon Route 53 resources](#access-control-resources)). You can grant a user or a federated user permissions to perform any or all of these actions. Note that some API actions, such as registering a domain, require permissions to perform more than one action.

The following are the basic policy elements:
+ **Resource** – You use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. For more information, see [ARNs for Amazon Route 53 resources](#access-control-resources).
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny. For example, depending on the specified `Effect`, the `route53:CreateHostedZone` permission allows or denies a user the ability to perform the Route 53 `CreateHostedZone` action.
+ **Effect** – You specify the effect, either allow or deny, when a user tries to perform the action on the specified resource. If you don't explicitly grant access to an action, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). Route 53 doesn't support resource-based policies.

For more information about IAM policy syntax and descriptions, see the [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the Route 53 API operations and the resources that they apply to, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

### Specifying conditions in a policy
<a name="specifying-conditions"></a>

When you grant permissions, you can use the IAM policy language to specify when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*. 

To express conditions, you use predefined condition keys. There are no condition keys specific to Route 53. However, there are AWS-wide condition keys that you can use as needed. For a complete list of AWS-wide keys, see [Available keys for conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.

# Using identity-based policies (IAM policies) for Amazon Route 53
<a name="access-control-managing-permissions"></a>

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities and thereby grant permissions to perform operations on Amazon Route 53 resources.

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options to manage access to your Route 53 resources. For more information, see [Overview of managing access permissions to your Amazon Route 53 resources](access-control-overview.md). 

**Note**  
When granting access, the hosted zone and the Amazon VPC must belong to the same partition. A partition is a group of AWS Regions. Each AWS account is scoped to one partition.  
The following are the supported partitions:  
+ `aws` - AWS Regions
+ `aws-cn` - China Regions
+ `aws-us-gov` - AWS GovCloud (US) Region

For more information, see [Access Management](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) and [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) in the *AWS General Reference*.

**Topics**
+ [Permissions required to use the Amazon Route 53 console](#console-required-permissions)
+ [Example permissions for a domain record owner](#example-permissions-record-owner)
+ [Route 53 customer managed key permissions required for DNSSEC signing](#KMS-key-policy-for-DNSSEC)
+ [Customer managed policy examples](#access-policy-examples-for-sdk-cli)

The following example shows a permissions policy. The `Sid`, or statement ID, is optional:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicHostedZonePermissions",
            "Effect": "Allow",
            "Action": [
                "route53:CreateHostedZone",
                "route53:UpdateHostedZoneComment",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:DeleteHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets",
                "route53:GetHostedZoneCount",
                "route53:ListHostedZonesByName"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowHealthCheckPermissions",
            "Effect": "Allow",
            "Action": [
                "route53:CreateHealthCheck",
                "route53:UpdateHealthCheck",
                "route53:GetHealthCheck",
                "route53:ListHealthChecks",
                "route53:DeleteHealthCheck",
                "route53:GetCheckerIpRanges",
                "route53:GetHealthCheckCount",
                "route53:GetHealthCheckStatus",
                "route53:GetHealthCheckLastFailureReason"
            ],
            "Resource": "*"
        }
    ]
}
```

The policy includes two statements:
+ The first statement grants permissions to the actions that are required to create and manage public hosted zones and their records. The wildcard character (`*`) in the Amazon Resource Name (ARN) grants access to all the hosted zones that are owned by the current AWS account.
+ The second statement grants permissions to all the actions that are required to create and manage health checks.

For a list of actions and the ARN that you specify to grant or deny permission to use each action, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

### Permissions required to use the Amazon Route 53 console
<a name="console-required-permissions"></a>

To grant full access to the Amazon Route 53 console, you grant the permissions in the following permissions policy: 

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:*",
                "route53domains:*",
                "tag:*",
                "ssm:GetParametersByPath",
                "cloudfront:ListDistributions",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticbeanstalk:DescribeEnvironments",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketWebsite",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:ModifyNetworkInterfaceAttribute",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sns:CreateTopic",
                "kms:ListAliases",
                "kms:DescribeKey",
                "kms:CreateKey",
                "kms:CreateAlias",
                "kms:Sign",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": "arn:aws:apigateway:*::/domainnames"
        }
    ]
}
```

Here's why the permissions are required:

**`route53:*`**  
Lets you perform all Route 53 actions *except* the following:  
+ Create and update alias records for which the value of **Alias Target** is a CloudFront distribution, an Elastic Load Balancing load balancer, an Elastic Beanstalk environment, or an Amazon S3 bucket. (With these permissions, you can create alias records for which the value of **Alias Target** is another record in the same hosted zone.)
+ Work with private hosted zones.
+ Work with domains.
+ Create, delete, and view CloudWatch alarms.
+ Render CloudWatch metrics in the Route 53 console.

**`route53domains:*`**  
Lets you work with domains.  
If you list `route53` actions individually, you must include `route53:CreateHostedZone` to work with domains. When you register a domain, a hosted zone is created at the same time, so a policy that includes permissions to register domains also requires permission to create hosted zones.
For domain registration, Route 53 doesn't support granting or denying permissions to individual resources.

**`route53resolver:*`**  
Lets you work with Route 53 VPC Resolver.

**`ssm:GetParametersByPath`**  
Lets you fetch publicly available Regions when you create new alias records, private hosted zones, and health checks.

**`cloudfront:ListDistributions`**  
Lets you create and update alias records for which the value of **Alias Target** is a CloudFront distribution.  
This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get a list of distributions to display in the console.

**`elasticloadbalancing:DescribeLoadBalancers`**  
Lets you create and update alias records for which the value of **Alias Target** is an ELB load balancer.  
This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get a list of load balancers to display in the console.

**`elasticbeanstalk:DescribeEnvironments`**  
Lets you create and update alias records for which the value of **Alias Target** is an Elastic Beanstalk environment.  
This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get a list of environments to display in the console.

**`s3:ListAllMyBuckets`, `s3:GetBucketLocation`, and `s3:GetBucketWebsite`**  
Let you create and update alias records for which the value of **Alias Target** is an Amazon S3 bucket. (You can create an alias to an Amazon S3 bucket only if the bucket is configured as a website endpoint; `s3:GetBucketWebsite` gets the required configuration information.)  
These permissions aren't required if you aren't using the Route 53 console. Route 53 uses them only to get a list of buckets, and each bucket's location and website configuration, to display in the console.

**`ec2:DescribeVpcs` and `ec2:DescribeRegions`**  
Let you work with private hosted zones.

**All listed `ec2` permissions**  
Let you work with Route 53 VPC Resolver.

**`sns:ListTopics`, `sns:ListSubscriptionsByTopic`, `sns:CreateTopic`, `cloudwatch:DescribeAlarms`, `cloudwatch:PutMetricAlarm`, `cloudwatch:DeleteAlarms`**  
Let you create, delete, and view CloudWatch alarms.

**`cloudwatch:GetMetricStatistics`**  
Lets you create CloudWatch metric health checks.  
This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get statistics to display in the console.

**`apigateway:GET`**  
Lets you create and update alias records for which the value of **Alias Target** is an Amazon API Gateway API.  
This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get a list of APIs to display in the console.

**All listed `kms` permissions**  
Lets you work with AWS KMS to enable DNSSEC signing.

### Example permissions for a domain record owner
<a name="example-permissions-record-owner"></a>

With resource record set permissions you can set granular permissions that limit what the AWS user can update or modify. For more information, see [Using IAM policy conditions for fine-grained access control](specifying-conditions-route53.md).

In some scenarios, a hosted zone owner might be responsible for the overall management of the hosted zone, while another person in the organization is responsible for a subset of those tasks. A hosted zone owner who has enabled DNSSEC signing, for example, might want to create an IAM policy that gives someone else permission to add and delete resource record sets (RRs) in the hosted zone, among other tasks. The specific permissions that a hosted zone owner chooses to enable for a record owner or other people depend on the organization's policy.

The following is an example IAM policy that allows a record owner to make modifications to RRs, traffic policies, and health checks. A record owner with this policy is not allowed to do zone-level operations, such as creating or deleting a zone, enabling or disabling query logging, creating or deleting a reusable delegation set, or changing DNSSEC settings.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DoNotAllowZoneLevelModification",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:CreateTrafficPolicy",
                "route53:DeleteTrafficPolicy",
                "route53:CreateTrafficPolicyInstance",
                "route53:CreateTrafficPolicyVersion",
                "route53:UpdateTrafficPolicyInstance",
                "route53:UpdateTrafficPolicyComment",
                "route53:DeleteTrafficPolicyInstance",
                "route53:CreateHealthCheck",
                "route53:UpdateHealthCheck",
                "route53:DeleteHealthCheck",
                "route53:List*",
                "route53:Get*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

### Route 53 customer managed key permissions required for DNSSEC signing
<a name="KMS-key-policy-for-DNSSEC"></a>

When you enable DNSSEC signing for Route 53, Route 53 creates a key-signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS). You can use an existing customer managed key that supports DNSSEC signing or create a new one. Route 53 must have permission to access your customer managed key so that it can create the KSK for you. 

To enable Route 53 to access your customer managed key, make sure that your customer managed key policy contains the following statements:

```json
{
    "Sid": "Allow Route 53 DNSSEC Service",
    "Effect": "Allow",
    "Principal": {
        "Service": "dnssec-route53.amazonaws.com"
    },
    "Action": [
        "kms:DescribeKey",
        "kms:GetPublicKey",
        "kms:Sign"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow Route 53 DNSSEC to CreateGrant",
    "Effect": "Allow",
    "Principal": {
        "Service": "dnssec-route53.amazonaws.com"
    },
    "Action": [
        "kms:CreateGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": true
        }
    }
}
```

The confused deputy problem is a security issue in which an entity that lacks permission for an action can coerce a more privileged entity into performing it. To protect your AWS KMS key from it, you can optionally limit the permissions that a service has to a resource in a resource-based policy by supplying the `aws:SourceAccount` and `aws:SourceArn` conditions (either one or both). `aws:SourceAccount` is the AWS account ID of the hosted zone owner, and `aws:SourceArn` is the ARN of the hosted zone.

The following are two examples of permissions you can add:

```
{
    "Sid": "Allow Route 53 DNSSEC Service",
    …
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "111122223333"
        },
        "ArnEquals": {
            "aws:SourceArn": "arn:aws:route53:::hostedzone/HOSTED_ZONE_ID"
        }
    }
},
```

 - Or - 

```
{
    "Sid": "Allow Route 53 DNSSEC Service",
    …
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": ["111122223333","444455556666"]
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:route53:::hostedzone/*"
        }
    }
},
```

For more information, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the *IAM User Guide*.

### Customer managed policy examples
<a name="access-policy-examples-for-sdk-cli"></a>

You can create your own custom IAM policies to allow permissions for Route 53 actions. You can attach these custom policies to the IAM groups that require the specified permissions. These policies work when you are using the Route 53 API, the AWS SDKs, or the AWS CLI. The following examples show permissions for several common use cases. For the policy that grants a user full access to Route 53, see [Permissions required to use the Amazon Route 53 console](#console-required-permissions).

**Topics**
+ [

#### Example 1: Allow read access to all hosted zones
](#access-policy-example-allow-read-hosted-zones)
+ [

#### Example 2: Allow creation and deletion of hosted zones
](#access-policy-example-allow-create-delete-hosted-zones)
+ [

#### Example 3: Allow full access to all domains (public hosted zones only)
](#access-policy-example-allow-full-domain-access)
+ [

#### Example 4: Allow creation of inbound and outbound Route 53 VPC Resolver endpoints
](#access-policy-example-create-resolver-endpoints)

#### Example 1: Allow read access to all hosted zones
<a name="access-policy-example-allow-read-hosted-zones"></a>

The following permissions policy grants the user permissions to list all hosted zones and view all the records in a hosted zone.

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "route53:GetHostedZone", 
                "route53:ListResourceRecordSets"
            ],
            "Resource":"*"
        },
        {
            "Effect":"Allow",
            "Action":["route53:ListHostedZones"],
            "Resource":"*"
        }
    ]
}
```

#### Example 2: Allow creation and deletion of hosted zones
<a name="access-policy-example-allow-create-delete-hosted-zones"></a>

The following permissions policy allows users to create and delete hosted zones, and to track the progress of the change. 

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement":[
        {
            "Effect":"Allow",
            "Action":["route53:CreateHostedZone"],
            "Resource":"*"
        },
        {
            "Effect":"Allow",
            "Action":["route53:DeleteHostedZone"],
            "Resource":"*"
        },
        {
            "Effect":"Allow",
            "Action":["route53:GetChange"],
            "Resource":"*"
        }
    ]
}
```

#### Example 3: Allow full access to all domains (public hosted zones only)
<a name="access-policy-example-allow-full-domain-access"></a>

The following permissions policy allows users to perform all actions on domain registrations, including permissions to register domains and create hosted zones. 

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "route53domains:*",
                "route53:CreateHostedZone"
            ],
            "Resource":"*"
        }
    ]
}
```

When you register a domain, a hosted zone is created at the same time, so a policy that includes permissions to register domains also requires permissions to create hosted zones. (For domain registration, Route 53 doesn't support granting permissions to individual resources.)

For information about permissions that are required to work with private hosted zones, see [Permissions required to use the Amazon Route 53 console](#console-required-permissions).

#### Example 4: Allow creation of inbound and outbound Route 53 VPC Resolver endpoints
<a name="access-policy-example-create-resolver-endpoints"></a>

The following permissions policy allows users to use the Route 53 console to create Resolver inbound and outbound endpoints. 

Some of these permissions are required only to create endpoints in the console. You can omit these permissions if you want to grant permissions only to create inbound and outbound endpoints programmatically:
+ `route53resolver:ListResolverEndpoints` lets users see the list of inbound or outbound endpoints so they can verify that an endpoint was created.
+ `ec2:DescribeAvailabilityZones` is required to display a list of Availability Zones.
+ `ec2:DescribeVpcs` is required to display a list of VPCs.

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "route53resolver:CreateResolverEndpoint",
                "route53resolver:ListResolverEndpoints",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        }
    ]
}
```
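To see how IAM decides the requests these policies govern, here is an added offline evaluator (example code written for this page, not AWS's own) that replays the confused-deputy conditions from the DNSSEC key policy section above and the customer managed policy examples. It assumes policy dicts constructed from the page's statements, the page's sample account `111122223333`, and a constructed hosted zone ID `Z1EXAMPLE`.

```python
"""Offline model of how IAM evaluates the policies on this page (added example,
not AWS code): Effect, Action wildcards, a Service principal, and the
StringEquals / ArnEquals / ArnLike / Bool condition operators."""
import fnmatch

DNSSEC_SERVICE = "dnssec-route53.amazonaws.com"


def _as_list(value):
    # Most IAM fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' any run of characters, '?' one character. fnmatch also
    # treats '[...]' as a character class, which IAM does not, so escape it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


# ArnEquals and ArnLike behave identically in IAM (both accept wildcards).
_OPERATORS = {
    "StringEquals": lambda want, got: want == got,
    "StringLike": _glob,
    "ArnEquals": _glob,
    "ArnLike": _glob,
    "Bool": lambda want, got: str(want).lower() == str(got).lower(),
}


def _condition_holds(condition, context):
    # Every operator/key pair must hold; for one key any listed value may match.
    # A key missing from the request context (a KMS call that did not originate
    # from any hosted zone) fails the condition: the confused-deputy protection.
    for operator, keys in condition.items():
        test = _OPERATORS[operator]
        for key, wanted in keys.items():
            if key not in context:
                return False
            if not any(test(w, context[key]) for w in _as_list(wanted)):
                return False
    return True


def _statement_matches(stmt, action, principal, context):
    if principal is not None:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if principal not in services:
            return False
    if not any(_glob(p, action) for p in _as_list(stmt["Action"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def is_allowed(policy, action, principal=None, context=None):
    """Default deny; a matching explicit Deny overrides any matching Allow."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, principal, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def route53_context(account_id, hosted_zone_id):
    """Request context Route 53 supplies when it calls KMS for a hosted zone."""
    return {"aws:SourceAccount": account_id,
            "aws:SourceArn": f"arn:aws:route53:::hostedzone/{hosted_zone_id}"}


# The page's two DNSSEC statements with the confused-deputy conditions filled
# in (constructed; 111122223333 is the page's sample account). Account IDs must
# be the bare 12-digit form: a hyphenated value never matches StringEquals.
KMS_DNSSEC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow Route 53 DNSSEC Service", "Effect": "Allow",
     "Principal": {"Service": DNSSEC_SERVICE}, "Resource": "*",
     "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"],
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                   "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"}}},
    {"Sid": "Allow Route 53 DNSSEC to CreateGrant", "Effect": "Allow",
     "Principal": {"Service": DNSSEC_SERVICE}, "Resource": "*",
     "Action": ["kms:CreateGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
]}

# Example 1 from the page: read access to all hosted zones.
READ_HOSTED_ZONES_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["route53:ListHostedZones"]},
]}

if __name__ == "__main__":
    own = route53_context("111122223333", "Z1EXAMPLE")  # constructed zone ID
    other = route53_context("444455556666", "Z1EXAMPLE")
    print("kms:Sign, own account:  ", is_allowed(KMS_DNSSEC_POLICY, "kms:Sign", DNSSEC_SERVICE, own))
    print("kms:Sign, other account:", is_allowed(KMS_DNSSEC_POLICY, "kms:Sign", DNSSEC_SERVICE, other))
```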

# Using Service-Linked Roles for Amazon Route 53 Resolver
<a name="using-service-linked-roles"></a>

Route 53 VPC Resolver uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to VPC Resolver. Service-linked roles are predefined by VPC Resolver and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up VPC Resolver easier because you don’t have to manually add the necessary permissions. VPC Resolver defines the permissions of its service-linked roles, and unless defined otherwise, only VPC Resolver can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting the related resources. This protects your VPC Resolver resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS Services that Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [

## Service-Linked Role Permissions for VPC Resolver
](#slr-permissions)
+ [

## Creating a Service-Linked Role for VPC Resolver
](#create-slr)
+ [

## Editing a Service-Linked Role for VPC Resolver
](#edit-slr)
+ [

## Deleting a Service-Linked Role for VPC Resolver
](#delete-slr)
+ [

## Supported Regions for VPC Resolver Service-Linked Roles
](#slr-regions)

## Service-Linked Role Permissions for VPC Resolver
<a name="slr-permissions"></a>

VPC Resolver uses the **`AWSServiceRoleForRoute53Resolver`** service-linked role to deliver query logs on your behalf.

The role permissions policy allows VPC Resolver to complete the following actions on your resources:

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups",
        "s3:GetBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a Service-Linked Role for VPC Resolver
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you create a resolver query log configuration association in the Amazon Route 53 console, the AWS CLI, or the AWS API, VPC Resolver creates the service-linked role for you. 

**Important**  
This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the VPC Resolver service before August 12, 2020, when it began supporting service-linked roles, then VPC Resolver created the `AWSServiceRoleForRoute53Resolver` role in your account. To learn more, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a new Resolver query log configuration association, the `AWSServiceRoleForRoute53Resolver` service-linked role is created for you again. 

## Editing a Service-Linked Role for VPC Resolver
<a name="edit-slr"></a>

VPC Resolver does not allow you to edit the `AWSServiceRoleForRoute53Resolver` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for VPC Resolver
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the VPC Resolver service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete VPC Resolver resources used by the `AWSServiceRoleForRoute53Resolver`**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. Expand the Route 53 console menu. In the upper left corner of the console, choose the three horizontal bars (![\[Menu icon\]](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/images/menu-icon.png)) icon.

1. Within the **Resolver** menu, choose **Query logging**.

1. Select the check box next to the name of your query logging configuration, and then choose **Delete**.

1. In the **Delete query logging configuration** text box, select **Stop logging queries**.

   This will disassociate the configuration from the VPC. You can also disassociate the query logging configuration programmatically. For more information, see [disassociate-resolver-query-log-config](https://docs.aws.amazon.com//cli/latest/reference/route53resolver/disassociate-resolver-query-log-config.html).

1. After logging queries has stopped, you can optionally type **delete** in the field and choose **Delete** to delete the query logging configuration. However, this is not necessary for deleting the resources used by `AWSServiceRoleForRoute53Resolver`.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForRoute53Resolver` service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for VPC Resolver Service-Linked Roles
<a name="slr-regions"></a>

VPC Resolver does not support using service-linked roles in every Region where the service is available. You can use the `AWSServiceRoleForRoute53Resolver` role in the following Regions.


| Region name | Region identity | Support in VPC Resolver | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Osaka) | ap-northeast-3 | Yes | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Paris) | eu-west-3 | Yes | 
| South America (São Paulo) | sa-east-1 | Yes | 
| China (Beijing) | cn-north-1 | Yes | 
| China (Ningxia) | cn-northwest-1 | Yes | 
| AWS GovCloud (US) | us-gov-east-1 | Yes | 
| AWS GovCloud (US) | us-gov-west-1 | Yes | 

# AWS managed policies for Amazon Route 53
<a name="security-iam-awsmanpol-route53"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AmazonRoute53FullAccess
<a name="security-iam-awsmanpol-AmazonRoute53FullAccess"></a>

You can attach the `AmazonRoute53FullAccess` policy to your IAM identities.

This policy grants full access to Route 53 resources, including domain registration and health checking, but excluding VPC Resolver.

**Permissions details**

This policy includes the following permissions.
+ `route53:*` – Lets you perform all Route 53 actions *except* the following:
  + Create and update alias records for which the value of **Alias Target** is a CloudFront distribution, an Elastic Load Balancing load balancer, an Elastic Beanstalk environment, or an Amazon S3 bucket. (With these permissions, you can create alias records for which the value of **Alias Target** is another record in the same hosted zone.)
  + Work with private hosted zones.
  + Work with domains.
  + Create, delete, and view CloudWatch alarms.
  + Render CloudWatch metrics in the Route 53 console.
+ `route53domains:*`– Lets you work with domains.
+ `cloudfront:ListDistributions` – Lets you create and update alias records for which the value of **Alias Target** is a CloudFront distribution.

  This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get a list of distributions to display in the console.
+ `cloudfront:GetDistributionTenantByDomain` – Used to fetch the CloudFront multi-tenant distributions to let you create and update alias records for which the value of **Alias Target** is a CloudFront distribution tenant.
+ `cloudfront:GetConnectionGroup` – Used to fetch the CloudFront multi-tenant distributions to let you create and update alias records for which the value of **Alias Target** is a CloudFront distribution tenant.
+ `cloudwatch:DescribeAlarms` – Together with `sns:ListTopics` and `sns:ListSubscriptionsByTopic`, lets you create, delete, and view CloudWatch alarms.
+ `cloudwatch:GetMetricStatistics` – Lets you create CloudWatch metric health checks.

  This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get statistics to display in the console.
+ `cloudwatch:GetMetricData` – Lets you display the status of your CloudWatch health check metrics.
+ `ec2:DescribeVpcs` – Lets you display a list of VPCs.
+ `ec2:DescribeVpcEndpoints` – Lets you display a list of VPC endpoints.
+ `ec2:DescribeRegions` – Lets you display a list of Availability Zones.
+ `elasticloadbalancing:DescribeLoadBalancers` – Lets you create and update alias records for which the value of **Alias Target** is an Elastic Load Balancing load balancer.

  This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get a list of load balancers to display in the console.
+ `elasticbeanstalk:DescribeEnvironments` – Lets you create and update alias records for which the value of **Alias Target** is an Elastic Beanstalk environment.

  This permission isn't required if you aren't using the Route 53 console. Route 53 uses it only to get a list of environments to display in the console.
+ `es:ListDomainNames` – Lets you display the names of all Amazon OpenSearch Service domains owned by the current user in the active Region.
+ `es:DescribeDomains` – Lets you get the domain configuration for the specified Amazon OpenSearch Service domains.
+ `lightsail:GetContainerServices` – Lets you get the Lightsail container services so that you can create and update alias records for which the value of **Alias Target** is a Lightsail domain.
+ `s3:ListBucket`, `s3:GetBucketLocation`, and `s3:GetBucketWebsite` – Let you create and update alias records for which the value of **Alias Target** is an Amazon S3 bucket. (You can create an alias to an Amazon S3 bucket only if the bucket is configured as a website endpoint; `s3:GetBucketWebsite` gets the required configuration information.)

  These permissions aren't required if you aren't using the Route 53 console. Route 53 uses them only to get a list of buckets to display in the console.
+ `sns:ListTopics`, `sns:ListSubscriptionsByTopic`, `cloudwatch:DescribeAlarms` – Let you create, delete, and view CloudWatch alarms.
+ `tag:GetResources` – Lets you display the tags on your resources, for example the names of your health checks.
+ `apigateway:GET` – Lets you create and update alias records for which the value of **Alias Target** is an Amazon API Gateway API.

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"route53:*",
				"route53domains:*",
				"cloudfront:ListDistributions",
				"cloudfront:GetDistributionTenantByDomain",
				"cloudfront:GetConnectionGroup",
				"cloudwatch:DescribeAlarms",
				"cloudwatch:GetMetricStatistics",
				"cloudwatch:GetMetricData",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpcEndpoints",
				"ec2:DescribeRegions",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticbeanstalk:DescribeEnvironments",
				"es:ListDomainNames",
				"es:DescribeDomains",
				"lightsail:GetContainerServices",
				"s3:ListBucket",
				"s3:GetBucketLocation",
				"s3:GetBucketWebsite",
				"sns:ListTopics",
				"sns:ListSubscriptionsByTopic",
				"tag:GetResources"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "apigateway:GET",
			"Resource": "arn:aws:apigateway:*::/domainnames"
		}
	]
}
```

## AWS managed policy: AmazonRoute53ReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonRoute53ReadOnlyAccess"></a>

You can attach the `AmazonRoute53ReadOnlyAccess` policy to your IAM identities.

This policy grants read-only access to Route 53 resources, including domain registration and health checking, but excluding VPC Resolver.

**Permissions details**

This policy includes the following permissions. 
+ `route53:Get*` – Gets the Route 53 resources.
+ `route53:List*` – Lists the Route 53 resources.
+ `route53:TestDNSAnswer` – Gets the value that Route 53 returns in response to a DNS request.

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:Get*",
                "route53:List*",
                "route53:TestDNSAnswer"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## AWS managed policy: AmazonRoute53DomainsFullAccess
<a name="security-iam-awsmanpol-AmazonRoute53DomainsFullAccess"></a>

You can attach the `AmazonRoute53DomainsFullAccess` policy to your IAM identities.

This policy grants full access to Route 53 domain registration resources.

**Permissions details**

This policy includes the following permissions. 
+ `route53:CreateHostedZone` – Lets you create a Route 53 hosted zone.
+ `route53domains:*` – Lets you register domain names and perform related operations.

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:CreateHostedZone",
                "route53domains:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## AWS managed policy: AmazonRoute53DomainsReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonRoute53DomainsReadOnlyAccess"></a>

You can attach the `AmazonRoute53DomainsReadOnlyAccess` policy to your IAM identities.

This policy grants read-only access to Route 53 domain registration resources.

**Permissions details**

This policy includes the following permissions. 
+ `route53domains:Get*` – Lets you retrieve a list of domains from Route 53.
+ `route53domains:List*` – Lets you display a list of Route 53 domains.

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53domains:Get*",
                "route53domains:List*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## AWS managed policy: AmazonRoute53ResolverFullAccess
<a name="security-iam-awsmanpol-AmazonRoute53ResolverFullAccess"></a>

You can attach the `AmazonRoute53ResolverFullAccess` policy to your IAM identities.

This policy grants full access to Route 53 VPC Resolver resources.

**Permissions details**

This policy includes the following permissions. 
+ `route53resolver:*` – Lets you create and manage VPC Resolver resources on the Route 53 console.
+ `ec2:DescribeSubnets` – Lets you list your Amazon VPC subnets.
+ `ec2:CreateNetworkInterface`, `ec2:DeleteNetworkInterface`, and `ec2:ModifyNetworkInterfaceAttribute` – Let you create, modify, and delete network interfaces.
+ `ec2:DescribeNetworkInterfaces` – Lets you display a list of network interfaces.
+ `ec2:DescribeSecurityGroups` – Lets you display a list of all of your security groups.
+ `ec2:DescribeVpcs` – Lets you display a list of VPCs.
+ `ec2:DescribeAvailabilityZones` – Lets you list the zones that are available to you.

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AmazonRoute53ResolverFullAccess",
            "Effect": "Allow",
            "Action": [
                "route53resolver:*",
                "ec2:DescribeSubnets",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## AWS managed policy: AmazonRoute53ResolverReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonRoute53ResolverReadOnlyAccess"></a>

You can attach the `AmazonRoute53ResolverReadOnlyAccess` policy to your IAM identities.

This policy grants read-only access to Route 53 VPC Resolver resources.

**Permissions details**

This policy includes the following permissions. 
+ `route53resolver:Get*` – Gets VPC Resolver resources.
+ `route53resolver:List*` – Lets you display a list of VPC Resolver resources.
+ `ec2:DescribeNetworkInterfaces` – Lets you display a list of network interfaces.
+ `ec2:DescribeSecurityGroups` – Lets you display a list of all of your security groups.

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AmazonRoute53ResolverReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "route53resolver:Get*",
                "route53resolver:List*",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## AWS managed policy: Route53ResolverServiceRolePolicy
<a name="security-iam-awsmanpol-Route53ResolverServiceRolePolicy"></a>

You can't attach `Route53ResolverServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Route 53 VPC Resolver to access AWS services and resources that are used or managed by VPC Resolver. For more information, see [Using Service-Linked Roles for Amazon Route 53 Resolver](using-service-linked-roles.md).

## AWS managed policy: AmazonRoute53ProfilesFullAccess
<a name="security-iam-awsmanpol-AmazonRoute53ProfilesFullAccess"></a>

You can attach the `AmazonRoute53ProfilesFullAccess` policy to your IAM identities.

This policy grants full access to Amazon Route 53 Profile resources.

**Permissions details**

This policy includes the following permissions. 
+ `route53profiles` – Lets you create and manage Profile resources on the Route 53 console.
+ `ec2` – Allows principals to get information about VPCs.

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AmazonRoute53ProfilesFullAccess",
            "Effect": "Allow",
            "Action": [
                "route53profiles:AssociateProfile",
                "route53profiles:AssociateResourceToProfile",
                "route53profiles:CreateProfile",
                "route53profiles:DeleteProfile",
                "route53profiles:DisassociateProfile",
                "route53profiles:DisassociateResourceFromProfile",
                "route53profiles:UpdateProfileResourceAssociation",
                "route53profiles:GetProfile",
                "route53profiles:GetProfileAssociation",
                "route53profiles:GetProfileResourceAssociation",
                "route53profiles:GetProfilePolicy",
                "route53profiles:ListProfileAssociations",
                "route53profiles:ListProfileResourceAssociations",
                "route53profiles:ListProfiles",
                "route53profiles:PutProfilePolicy",
                "route53profiles:ListTagsForResource",
                "route53profiles:TagResource",
                "route53profiles:UntagResource",
                "route53resolver:GetFirewallConfig",
                "route53resolver:GetFirewallRuleGroup",
                "route53resolver:GetResolverConfig",
                "route53resolver:GetResolverDnssecConfig",
                "route53resolver:GetResolverQueryLogConfig",
                "route53resolver:GetResolverRule",
                "ec2:DescribeVpcs",
                "route53:GetHostedZone"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## AWS managed policy: AmazonRoute53ProfilesReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonRoute53ProfilesReadOnlyAccess"></a>

You can attach the `AmazonRoute53ProfilesReadOnlyAccess` policy to your IAM identities.

This policy grants read-only access to Amazon Route 53 Profile resources.

**Permissions details**

 For more information about the permissions, see [Amazon Route 53 API permissions: Actions, resources, and conditions reference](r53-api-permissions-ref.md).

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AmazonRoute53ProfilesReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "route53profiles:GetProfile",
                "route53profiles:GetProfileAssociation",
                "route53profiles:GetProfileResourceAssociation",
                "route53profiles:GetProfilePolicy",
                "route53profiles:ListProfileAssociations",
                "route53profiles:ListProfileResourceAssociations",
                "route53profiles:ListProfiles",
                "route53profiles:ListTagsForResource",
                "route53resolver:GetFirewallConfig",
                "route53resolver:GetResolverConfig",
                "route53resolver:GetResolverDnssecConfig",
                "route53resolver:GetResolverQueryLogConfig"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## Route 53 updates to AWS managed policies
<a name="security-iam-awsmanpol-route53-updates"></a>

View details about updates to AWS managed policies for Route 53 since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Route 53 [Document history page](History.md).

| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonRoute53FullAccess](#security-iam-awsmanpol-AmazonRoute53FullAccess) – Updated policy  |  Adds permissions for `cloudwatch:GetMetricData` ,`tag:GetResources`, `es:ListDomainNames`, `es:DescribeDomains`, `cloudfront:GetDistributionTenantByDomain`, `cloudfront:GetConnectionGroup` and `lightsail:GetContainerServices`. These permissions enable you to fetch up to 500 CloudWatch health check metrics, up to 100 names of health checks, get the domain configuration for the specified Amazon OpenSearch Service domains, and list the names of all Amazon OpenSearch Service domains owned by the current user in the active Region, fetch the CloudFront multi-tenant distributions and get the Lightsail container services.  | June 01, 2025 | 
|  [AmazonRoute53ProfilesFullAccess](#security-iam-awsmanpol-AmazonRoute53ProfilesFullAccess) – Updated policy  |  Adds permissions for `GetProfilePolicy` and `PutProfilePolicy`. These are permission-only IAM actions. If an IAM principal doesn't have these permissions granted, an error will occur when attempting to share the Profile using the AWS RAM service.  | August 27, 2024 | 
|  [AmazonRoute53ProfilesReadOnlyAccess](#security-iam-awsmanpol-AmazonRoute53ProfilesReadOnlyAccess) – Updated policy  |  Adds permissions for `GetProfilePolicy`. This is a permission-only IAM action. If an IAM principal doesn't have this permission granted, an error will occur attempting to access the Profile's policy using the AWS RAM service.  | August 27, 2024 | 
|  [AmazonRoute53ResolverFullAccess](#security-iam-awsmanpol-AmazonRoute53ResolverFullAccess) – Updated policy  |  Added a statement ID (Sid) to uniquely identify the policy statement.  | August 5, 2024 | 
|  [AmazonRoute53ResolverReadOnlyAccess](#security-iam-awsmanpol-AmazonRoute53ResolverReadOnlyAccess) – Updated policy  |  Added a statement ID (Sid) to uniquely identify the policy statement.  | August 5, 2024 | 
|  [AmazonRoute53ProfilesFullAccess](#security-iam-awsmanpol-AmazonRoute53ProfilesFullAccess) – New policy  |  Amazon Route 53 added a new policy to allow full access to Amazon Route 53 Profile resources.  | April 22, 2024 | 
|  [AmazonRoute53ProfilesReadOnlyAccess](#security-iam-awsmanpol-AmazonRoute53ProfilesReadOnlyAccess) – New policy  |  Amazon Route 53 added a new policy to allow read-only access to Amazon Route 53 Profile resources.  | April 22, 2024 | 
|  [Route53ResolverServiceRolePolicy](#security-iam-awsmanpol-Route53ResolverServiceRolePolicy) – New policy   |  Amazon Route 53 added a new policy that is attached to a service-linked role that allows VPC Resolver to access AWS services and resources that are used or managed by Resolver.  | July 14, 2021 | 
|  [AmazonRoute53ResolverReadOnlyAccess](#security-iam-awsmanpol-AmazonRoute53ResolverReadOnlyAccess) – New policy   |  Amazon Route 53 added a new policy to allow read-only access to VPC Resolver resources.  | July 14, 2021 | 
|  [AmazonRoute53ResolverFullAccess](#security-iam-awsmanpol-AmazonRoute53ResolverFullAccess) – New policy   |  Amazon Route 53 added a new policy to allow full access to VPC Resolver resources.  | July 14, 2021 | 
|  [AmazonRoute53DomainsReadOnlyAccess](#security-iam-awsmanpol-AmazonRoute53DomainsReadOnlyAccess) – New policy   |  Amazon Route 53 added a new policy to allow read-only access to Route 53 domains resources.  | July 14, 2021 | 
|  [AmazonRoute53DomainsFullAccess](#security-iam-awsmanpol-AmazonRoute53DomainsFullAccess) – New policy   |  Amazon Route 53 added a new policy to allow full access to Route 53 domains resources.  | July 14, 2021 | 
|  [AmazonRoute53ReadOnlyAccess](#security-iam-awsmanpol-AmazonRoute53ReadOnlyAccess) – New policy   |  Amazon Route 53 added a new policy to allow read-only access to Route 53 resources.  | July 14, 2021 | 
|  [AmazonRoute53FullAccess](#security-iam-awsmanpol-AmazonRoute53FullAccess) – New policy   |  Amazon Route 53 added a new policy to allow full access to Route 53 resources.  | July 14, 2021 | 
|  Route 53 started tracking changes  |  Route 53 started tracking changes for its AWS managed policies.  | July 14, 2021 | 

# Using IAM policy conditions for fine-grained access control
<a name="specifying-conditions-route53"></a>

In Route 53, you can specify conditions when granting permissions using an IAM policy (see [Access control](security-iam.md#access-control)). For example, you can:
+ Grant permissions to allow access to a single resource record set.
+ Grant permissions to allow users access to all resource record sets of a specific DNS record type in a hosted zone, for example A and AAAA records.
+ Grant permissions to allow users access to a resource record set where its name contains a specific string.
+ Grant permissions to allow users to perform only a subset of the `CREATE | UPSERT | DELETE` actions on the Route 53 console, or when using the [ChangeResourceRecordSets](https://docs.aws.amazon.com/Route53/latest/APIReference/API_ChangeResourceRecordSets.html) API.
+ Grant permissions to allow users to associate or disassociate private hosted zones with a particular VPC.
+ Grant permissions to allow users to list hosted zones associated with a particular VPC.
+ Grant permissions to allow users to create a new private hosted zone and associate it with a particular VPC.
+ Grant permissions to allow users to create or delete a VPC association authorization.
+ Grant permissions to allow users to manage (associate/disassociate/update) only specific resource types with a Route 53 Profile.
+ Grant permissions to allow users to manage (associate/disassociate/update) only specific resource ARNs with a Route 53 Profile.
+ Grant permissions to allow users to manage (associate/disassociate/update) only specific hosted zone domains with a Route 53 Profile.
+ Grant permissions to allow users to manage (associate/disassociate/update) only specific Resolver Rule domains with a Route 53 Profile.
+ Grant permissions to allow users to manage (associate/disassociate/update) Firewall Rule Groups with a specific priority range in a Route 53 Profile.
+ Grant permissions to allow users to manage (associate/disassociate) a Route 53 Profile with specific VPCs.

You can also create permissions that combine any of the granular permissions.

## Normalizing the Route 53 condition key values
<a name="route53_rrset_conditionkeys_normalization"></a>

The values you enter for the policy conditions must be formatted, or normalized, as follows:

**For `route53:ChangeResourceRecordSetsNormalizedRecordNames`:**
+ All letters must be lowercase.
+ The DNS name must be without the trailing dot.
+ Characters other than a–z, 0–9, - (hyphen), _ (underscore), and . (period, as a delimiter between labels) must be written as escape codes: a backslash followed by the character's three-digit octal code. For example, `\052` is the octal code for the character `*`.

**For `route53:ChangeResourceRecordSetsActions`, the value can be any of the following and must be uppercase:**
+ CREATE
+ UPSERT
+ DELETE

**For `route53:ChangeResourceRecordSetsRecordTypes`**:
+ The value must be in uppercase, and can be any of the Route 53 supported DNS record types. For more information, see [Supported DNS record types](ResourceRecordTypes.md).

**For `route53:VPCs`:**
+ The value must be in the format `VPCId=<vpc-id>,VPCRegion=<region>`.
+ The values of `<vpc-id>` and `<region>` must be lowercase, such as `VPCId=vpc-123abc` and `VPCRegion=us-east-1`.
+ The context keys and values are case sensitive.

**Important**  
For your permissions to allow or restrict actions as you intend, you must follow these conventions. This condition key accepts only the `VPCId` and `VPCRegion` elements; other AWS resource identifiers, such as an AWS account ID or a VPC ARN, are not supported.

**For `route53profiles:ResourceTypes`, the value can be any of the following and is case sensitive:**
+ HostedZone
+ FirewallRuleGroup
+ ResolverQueryLoggingConfig
+ ResolverRule
+ VPCEndpoint

**For `route53profiles:ResourceArns`:**
+ The value must be a valid AWS resource ARN, such as `arn:aws:route53:::hostedzone/Z12345`.
+ Use the `ArnEquals` or `ArnLike` condition operator when comparing ARN values.

**For `route53profiles:HostedZoneDomains`:**
+ The value must be a valid domain name, such as `example.com`.
+ The domain name must be without the trailing dot.
+ The values are case sensitive.

**For `route53profiles:ResolverRuleDomains`:**
+ The value must be a valid domain name, such as `example.com`.
+ The domain name must be without the trailing dot.
+ The values are case sensitive.

**For `route53profiles:FirewallRuleGroupPriority`:**
+ The value must be a numeric value representing the priority of the Firewall Rule Group.
+ Use numeric condition operators such as `NumericEquals`, `NumericGreaterThanEquals`, or `NumericLessThanEquals` to compare priority values or define a priority range.

**For `route53profiles:ResourceIds`:**
+ The value must be a valid VPC ID, such as `vpc-1a2b3c4d5e6f`.
+ The values are case sensitive.

You can use the [Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) or [Policy Simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html) in the *IAM User Guide* to validate that your policy grants or restricts the permissions as expected. You can also validate the permissions by applying an IAM policy to a test user or role to carry out Route 53 operations. 

## Specifying conditions: using condition keys
<a name="route53_rrsetConditionKeys"></a>

AWS provides a set of predefined condition keys (AWS-wide condition keys) for all AWS services that support IAM for access control. For example, you can use the `aws:SourceIp` condition key to check the requester's IP address before allowing an action to be performed. For more information and a list of the AWS-wide keys, see [Available Keys for Conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.

**Note**  
Route 53 doesn't support tag-based condition keys.

The following table shows the service-specific condition keys that Route 53 supports.


| Route 53 Condition Key | API operations | Value type | Description | 
| --- | --- | --- | --- | 
| route53:ChangeResourceRecordSetsNormalizedRecordNames |  [ChangeResourceRecordSets](https://docs.aws.amazon.com/Route53/latest/APIReference/API_ChangeResourceRecordSets.html)  | Multi-valued | Represents the list of DNS record names in a `ChangeResourceRecordSets` request. To get the expected behavior, DNS names in the IAM policy must be lowercase, without the trailing dot, and with other characters octal-escaped, as described in [Normalizing the Route 53 condition key values](#route53_rrset_conditionkeys_normalization).  | 
| route53:ChangeResourceRecordSetsRecordTypes |  [ChangeResourceRecordSets](https://docs.aws.amazon.com/Route53/latest/APIReference/API_ChangeResourceRecordSets.html)  | Multi-valued | Represents the list of DNS record types in a `ChangeResourceRecordSets` request. The value can be any of the Route 53 supported DNS record types. For more information, see [Supported DNS record types](ResourceRecordTypes.md). All values must be entered in uppercase in the policy. | 
| route53:ChangeResourceRecordSetsActions |  [ChangeResourceRecordSets](https://docs.aws.amazon.com/Route53/latest/APIReference/API_ChangeResourceRecordSets.html)  | Multi-valued | Represents the list of actions in a `ChangeResourceRecordSets` request. The value can be `CREATE`, `UPSERT`, or `DELETE`, and must be uppercase. | 
| route53:VPCs |  [AssociateVPCWithHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html) [DisassociateVPCFromHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_DisassociateVPCFromHostedZone.html) [ListHostedZonesByVPC](https://docs.aws.amazon.com/Route53/latest/APIReference/API_ListHostedZonesByVPC.html) [CreateHostedZone](https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateHostedZone.html) [CreateVPCAssociationAuthorization](https://docs.aws.amazon.com/Route53/latest/APIReference/API_CreateVPCAssociationAuthorization.html) [DeleteVPCAssociationAuthorization](https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteVPCAssociationAuthorization.html)  | Multi-valued | Represents the list of VPCs in a request to AssociateVPCWithHostedZone, DisassociateVPCFromHostedZone, ListHostedZonesByVPC, CreateHostedZone, CreateVPCAssociationAuthorization, or DeleteVPCAssociationAuthorization, in the format `VPCId=<vpc-id>,VPCRegion=<region>`. | 
| route53profiles:ResourceTypes |  [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html)  | String | Filters access by resource type. The value can be `HostedZone`, `FirewallRuleGroup`, `ResolverQueryLoggingConfig`, `ResolverRule`, or `VPCEndpoint` (case sensitive).  | 
| route53profiles:ResourceArns |  [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html)  | ARN | Filters access by specific resource ARNs. | 
| route53profiles:HostedZoneDomains |  [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html)  | String | Filters access by hosted zone domain. To get the expected behavior, domain names in the IAM policy must be written without the trailing dot and are matched case-sensitively, as described in [Normalizing the Route 53 condition key values](#route53_rrset_conditionkeys_normalization).  | 
| route53profiles:ResolverRuleDomains |  [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html)  | String | Filters access by Resolver Rule domain. To get the expected behavior, domain names in the IAM policy must be written without the trailing dot and are matched case-sensitively, as described in [Normalizing the Route 53 condition key values](#route53_rrset_conditionkeys_normalization).  | 
| route53profiles:FirewallRuleGroupPriority |  [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html)  | Numeric | Filters access by the priority of a Firewall Rule Group; combine numeric operators to express a range. | 
| route53profiles:ResourceIds |  [AssociateProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateProfile.html) [DisassociateProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateProfile.html)  | String | Filters access by VPC ID. | 

## Example policies: Using conditions for fine-grained access
<a name="route53_rrset_conditionkeys-examples"></a>

Each of the examples in this section sets the Effect clause to Allow and specifies only the actions, resources, and parameters that are allowed. Access is permitted only to what is explicitly listed in the IAM policy.

In some cases, it is possible to rewrite these policies so that they are deny-based (that is, setting the Effect clause to Deny and inverting all of the logic in the policy). However, we recommend that you avoid using deny-based policies because they are difficult to write correctly, compared to allow-based policies. This is especially true for Route 53 due to text normalization that is required. 

**Grant permissions that limit access to DNS records with specific names**  
The following permissions policy grants permissions that allow `ChangeResourceRecordSets` actions on the hosted zone Z11111112222222333333 only for the records example.com and marketing.example.com. It uses the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key to limit user actions to records that match the specified names. 

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Z11111112222222333333",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "example.com",
                        "marketing.example.com"
                    ]
                }
            }
        }
    ]
}
```

------

`ForAllValues:StringEquals` is an IAM condition operator that applies to multi-valued keys. The condition in the policy above allows the operation only when every change in the `ChangeResourceRecordSets` request has a DNS name of either example.com or marketing.example.com; a change batch that also touches any other name is denied as a whole. Note that `ForAllValues` also evaluates to true when the request carries no values for the key, so use it in Allow statements only with keys that every matching request populates, as `ChangeResourceRecordSets` does for its three condition keys. For more information, see [IAM condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) and [IAM condition with multiple keys or values](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html) in the IAM User Guide.

To grant permissions that match names with a certain suffix, you can use the IAM wildcard (`*`) in the policy with the condition operator `StringLike` or `StringNotLike`. The following policy allows the operation when all changes in the `ChangeResourceRecordSets` request have DNS names that end with “-beta.example.com”.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Z11111112222222333333",
            "Condition": {
                "ForAllValues:StringLike": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "*-beta.example.com"
                    ]
                }
            }
        }
    ]
}
```

------

**Note**  
The IAM wildcard isn't the same as the domain name wildcard. See the following example for how to use the wildcard with a domain name.

**Grant permissions that limit access to DNS records that match a domain name containing a wildcard**  
The following permissions policy grants permissions that allow `ChangeResourceRecordSets` actions on the hosted zone Z11111112222222333333 only for the wildcard record `*.example.com`. It uses the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key with the octal-escaped form of the DNS wildcard, so only that record, and not every name under example.com, is matched.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Z11111112222222333333",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "\\052.example.com"
                    ]
                }
            }
        }
    ]
}
```

------

`\052` is the octal code for the character `*` in the DNS name, and the `\` in `\052` is escaped as `\\` to follow JSON string syntax.

**Grant permissions that limit access to specific DNS records**  
The following permissions policy grants permissions that allow `ChangeResourceRecordSets` actions on the hosted zone Z11111112222222333333. It combines three condition keys so that the user can only create or update (not delete) MX records named example.com.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Z11111112222222333333",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["example.com"],
                    "route53:ChangeResourceRecordSetsRecordTypes": ["MX"],
                    "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT"]
                }
            }
        }
    ]
}
```

------
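The script below is an added example and is not part of the Route 53 documentation. It applies the normalization rules from [Normalizing the Route 53 condition key values](#route53_rrset_conditionkeys_normalization) to build policies like the ones above, and then models how IAM evaluates `ForAllValues` with `StringEquals` and `StringLike` against a `ChangeResourceRecordSets` change batch, so you can see why a batch with one out-of-scope record is denied as a whole, why the DNS wildcard `*` must be written as `\052` while the IAM wildcard `*` must not, and that an empty value set satisfies `ForAllValues`. The hosted zone ID, record names and the change batch are constructed for the example; the evaluator covers only the single Allow statement and the operators discussed on this page, not IAM's full policy evaluation logic.

```python
# Added example, not AWS code: normalize record names, build a
# ChangeResourceRecordSets policy, and evaluate ForAllValues locally.
import json
import re

# Characters the normalization rules pass through unchanged; every other
# character becomes a backslash followed by its three-digit octal code.
UNESCAPED = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-_.")


def normalize_record_name(name: str, keep_iam_wildcards: bool = False) -> str:
    """Normalize a name for route53:ChangeResourceRecordSetsNormalizedRecordNames.

    keep_iam_wildcards=True leaves the IAM pattern characters '*' and '?' alone for
    use with StringLike; a literal DNS wildcard label must then be written by the
    caller as backslash-052. This example handles ASCII names only.
    """
    if not name.isascii():
        raise ValueError("this example handles ASCII names only")
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    out = []
    for ch in name:
        if ch in UNESCAPED or (keep_iam_wildcards and ch in "*?"):
            out.append(ch)
        else:
            out.append("\\%03o" % ord(ch))
    return "".join(out)


def change_rrsets_policy(hosted_zone_id, names, record_types=(), actions=(),
                         operator="StringEquals"):
    """Allow route53:ChangeResourceRecordSets on one zone, scoped with ForAllValues."""
    like = operator == "StringLike"
    condition = {"route53:ChangeResourceRecordSetsNormalizedRecordNames":
                 [normalize_record_name(n, keep_iam_wildcards=like) for n in names]}
    if record_types:
        condition["route53:ChangeResourceRecordSetsRecordTypes"] = [t.upper() for t in record_types]
    if actions:
        condition["route53:ChangeResourceRecordSetsActions"] = [a.upper() for a in actions]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "route53:ChangeResourceRecordSets",
        "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
        "Condition": {f"ForAllValues:{operator}": condition},
    }]}


def string_match(operator: str, pattern: str, value: str) -> bool:
    """StringEquals is exact and case-sensitive; StringLike treats '*' and '?' as wildcards."""
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"unsupported operator {operator}")


def for_all_values(operator, policy_values, request_values) -> bool:
    """ForAllValues: every request value must match some policy value.
    IAM quirk: an empty request set satisfies the condition."""
    return all(any(string_match(operator, p, v) for p in policy_values) for v in request_values)


def request_context(change_batch):
    """The multi-valued context keys Route 53 derives from a change batch; the
    service normalizes the submitted names, so the request side is normalized too."""
    return {
        "route53:ChangeResourceRecordSetsNormalizedRecordNames":
            [normalize_record_name(c["Name"]) for c in change_batch],
        "route53:ChangeResourceRecordSetsRecordTypes": [c["Type"].upper() for c in change_batch],
        "route53:ChangeResourceRecordSetsActions": [c["Action"].upper() for c in change_batch],
    }


def is_allowed(policy, change_batch) -> bool:
    """Evaluate the single Allow statement built above: the batch is allowed only
    if every condition holds for every change (one stray record denies it all)."""
    ctx = request_context(change_batch)
    for op, conditions in policy["Statement"][0]["Condition"].items():
        qualifier, operator = op.split(":")
        if qualifier != "ForAllValues":
            raise ValueError("this evaluator models ForAllValues only")
        for key, policy_values in conditions.items():
            if not for_all_values(operator, policy_values, ctx[key]):
                return False
    return True


# Constructed change batch: names arrive as mixed-case FQDNs with a trailing dot.
BETA_BATCH = [
    {"Action": "UPSERT", "Name": "API-beta.example.com.", "Type": "A"},
    {"Action": "CREATE", "Name": "web-beta.example.com.", "Type": "AAAA"},
]

if __name__ == "__main__":
    policy = change_rrsets_policy("Z11111112222222333333", ["*-beta.example.com"], operator="StringLike")
    print(json.dumps(policy, indent=2))
    print("beta batch allowed:", is_allowed(policy, BETA_BATCH))
    stray = BETA_BATCH + [{"Action": "DELETE", "Name": "prod.example.com.", "Type": "A"}]
    print("batch with prod record allowed:", is_allowed(policy, stray))
```

To run the same check against IAM itself rather than this model, pass the generated document to `aws iam simulate-custom-policy` with `--action-names route53:ChangeResourceRecordSets`, the hosted zone ARN in `--resource-arns`, and one `--context-entries` item of `ContextKeyType=stringList` per condition key, using the normalized values the script produces.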

**Grant permissions that limit access to creating and editing only the specified types of DNS records**  
The following permissions policy grants permissions that allow `ChangeResourceRecordSets` actions on the hosted zone Z11111112222222333333. It uses the `route53:ChangeResourceRecordSetsRecordTypes` condition key to limit user actions to records of the specified types (A and AAAA). 

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Z11111112222222333333",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA"]
                }
            }
        }
    ]
}
```

------

**Grant permissions that specify the VPC that the IAM principal can operate in**  
The following permissions policy grants permissions that allow the `AssociateVPCWithHostedZone`, `DisassociateVPCFromHostedZone`, `ListHostedZonesByVPC`, `CreateHostedZone`, `CreateVPCAssociationAuthorization`, and `DeleteVPCAssociationAuthorization` actions only for the VPC specified by `<vpc-id>` in `<region>`. The first statement names `route53:*`, but because the `route53:VPCs` key is present only in requests for those six operations, the condition limits the statement to them; requests for other Route 53 operations have no `route53:VPCs` value, so the condition does not match and no permission is granted.

**Important**  
The condition value must be in the format of `VPCId=<vpc-id>,VPCRegion=<region>`. If you specify a VPC ARN in the condition value, the condition key will not take effect.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "route53:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "route53:VPCs": [
                        "VPCId=<vpc-id>,VPCRegion=<region>"
                    ]
                }
            }
        },
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Action": "ec2:DescribeVpcs",
            "Resource": "*"
        }
    ]
}
```

------

**Important**  
The `route53profiles` condition keys are available in all AWS Regions where Route 53 Profiles is available, except me-central-1 and me-south-1.

**Grant permissions that limit resource association to specific resource types in Route 53 Profiles**  
The following permissions policy grants permissions that allow `AssociateResourceToProfile` and `DisassociateResourceFromProfile` actions only when the resource type is a hosted zone. It uses the `route53profiles:ResourceTypes` condition key to restrict the resource types that can be associated with a profile.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53profiles:AssociateResourceToProfile",
                "route53profiles:DisassociateResourceFromProfile"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "route53profiles:ResourceTypes": "HostedZone"
                }
            }
        }
    ]
}
```

**Grant permissions that limit resource association to specific resource ARNs in Route 53 Profiles**  
The following permissions policy grants permissions that allow `AssociateResourceToProfile` and `DisassociateResourceFromProfile` actions only for the specified resource ARN. It uses the `route53profiles:ResourceArns` condition key to restrict which resources can be associated with a profile.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53profiles:AssociateResourceToProfile",
                "route53profiles:DisassociateResourceFromProfile"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "route53profiles:ResourceArns": "arn:aws:route53:::hostedzone/Z12345"
                }
            }
        }
    ]
}
```

**Grant permissions that limit resource association to specific hosted zone domains in Route 53 Profiles**  
The following permissions policy grants permissions that allow `AssociateResourceToProfile`, `DisassociateResourceFromProfile`, and `UpdateProfileResourceAssociation` actions only when the hosted zone domain matches the specified value. It uses the `route53profiles:HostedZoneDomains` condition key to restrict which hosted zone domains can be associated with a profile.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53profiles:AssociateResourceToProfile",
                "route53profiles:DisassociateResourceFromProfile",
                "route53profiles:UpdateProfileResourceAssociation"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "route53profiles:HostedZoneDomains": "example.com"
                }
            }
        }
    ]
}
```

**Grant permissions that limit resource association to specific Resolver Rule domains in Route 53 Profiles**  
The following permissions policy grants permissions that allow `AssociateResourceToProfile`, `DisassociateResourceFromProfile`, and `UpdateProfileResourceAssociation` actions only when the Resolver Rule domain matches the specified value. It uses the `route53profiles:ResolverRuleDomains` condition key to restrict which Resolver Rule domains can be associated with a profile.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53profiles:AssociateResourceToProfile",
                "route53profiles:DisassociateResourceFromProfile",
                "route53profiles:UpdateProfileResourceAssociation"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "route53profiles:ResolverRuleDomains": "example.com"
                }
            }
        }
    ]
}
```

**Grant permissions that limit Firewall Rule Group association to a specific priority range in Route 53 Profiles**  
The following permissions policy grants permissions that allow `AssociateResourceToProfile`, `DisassociateResourceFromProfile`, and `UpdateProfileResourceAssociation` actions only when the Firewall Rule Group priority is between 100 and 200 inclusive. It combines the `NumericGreaterThanEquals` and `NumericLessThanEquals` operators on the `route53profiles:FirewallRuleGroupPriority` condition key to bound the range; omit the `NumericLessThanEquals` block to allow any priority at or above 100.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53profiles:AssociateResourceToProfile",
                "route53profiles:DisassociateResourceFromProfile",
                "route53profiles:UpdateProfileResourceAssociation"
            ],
            "Resource": "*",
            "Condition": {
                "NumericGreaterThanEquals": {
                    "route53profiles:FirewallRuleGroupPriority": "100"
                },
                "NumericLessThanEquals": {
                    "route53profiles:FirewallRuleGroupPriority": "200"
                }
            }
        }
    ]
}
```

**Grant permissions that limit profile association to specific VPCs in Route 53 Profiles**  
The following permissions policy grants permissions that allow `AssociateProfile` and `DisassociateProfile` actions only for the specified VPC. It uses the `route53profiles:ResourceIds` condition key to restrict which VPCs a profile can be associated with.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53profiles:AssociateProfile",
                "route53profiles:DisassociateProfile"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "route53profiles:ResourceIds": "vpc-1a2b3c4d5e6f"
                }
            }
        }
    ]
}
```

# Amazon Route 53 API permissions: Actions, resources, and conditions reference
<a name="r53-api-permissions-ref"></a>

When you set up [Access control](security-iam.md#access-control) and write a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the lists of [Actions, resources, and condition keys for Route 53](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html), [Actions, resources, and condition keys for Route 53 Domains](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53domains.html), [Actions, resources, and condition keys for VPC Resolver](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html), and [Actions, resources, and condition keys for Amazon Route 53 Profiles enables sharing DNS settings with VPCs](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53profilesenablessharingdnssettingswithvpcs.html) in the *Service Authorization Reference*. The pages include each Amazon Route 53 API action, the actions that you must grant permissions access to, and the AWS resource that you must grant access to. You specify the actions in the policy's `Action` field, and you specify the resource value in the policy's `Resource` field. 

You can use AWS-wide condition keys in your Route 53 policies to express conditions. For a complete list of AWS-wide keys, see [Available keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

**Note**  
When granting access, the hosted zone and the Amazon VPC must belong to the same partition. A partition is a group of AWS Regions. Each AWS account is scoped to one partition.  
The following are the supported partitions:  
`aws` - AWS Regions
`aws-cn` - China Regions
`aws-us-gov` - AWS GovCloud (US) Region
For more information, see [Access Management](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.

**Note**  
To specify an action, use the applicable prefix (`route53`, `route53domains`, `route53resolver`, or `route53profiles`) followed by the API operation name, for example:  
`route53:CreateHostedZone`
`route53domains:RegisterDomain`
`route53resolver:CreateResolverEndpoint`
`route53profiles:AssociateProfile`