How to – AWS IAM permissions & Route 53

Amazon Web Services (AWS) is super-duper awesome. I use AWS to administer Route53 (DNS hosting), CloudFront (CDN) and S3 (mainly storing offsite backups) for various client WordPress Websites, as well as my own.
Through AWS Identity and Access Management (IAM) it’s possible to add people to manage all or parts of your AWS account. It takes just a few minutes to set up permissions, roles and a new user, but one item I battled to find was how to restrict the permissions of a certain user or group.

So, without further ado, here is the change that is needed to restrict permissions to a certain domain in IAM:

  1. Set up your new User and Permissions (and Roles if needed).
  2. From within Route 53 copy the Hosted Zone ID for the domain to which you want to allow access.
  3. From the IAM dashboard click on the Permissions tab for the Group to which you want to allow access. Then click Manage Policy:
     (Screenshot: How to restrict permissions to a single Hosted Zone in AWS IAM for Route53.)
  4. In the Policy Document section you’ll see something like
     {
        "Statement":[
           {
              "Effect":"Allow",
              "Action":[
                 "route53:*"
              ],
              "Resource":[
                 "*"
              ]
           },
           {
              "Effect":"Allow",
              "Action":[
                 "elasticloadbalancing:DescribeLoadBalancers"
              ],
              "Resource":[
                 "*"
              ]
           }
        ]
     }

  5. Change the Policy Document to
    {
       "Statement":[
          {
             "Action":[
                "route53:ChangeResourceRecordSets",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets"
             ],
             "Effect":"Allow",
             "Resource":[
                "arn:aws:route53:::hostedzone/<Your zone ID>"
             ]
          },
          {
             "Action":[
                "route53:ListHostedZones"
             ],
             "Effect":"Allow",
             "Resource":[
                "*"
             ]
          }
       ]
    }
    
  6. Click Apply Policy.

Remember to change <Your zone ID> in the code above to the ID of the zone to which you want to allow access. Note too that the route53:ListHostedZones action is required, or else the user won’t be able to see the list of Zones.
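As an added example that is not part of the original post: a Python script that builds the single-zone policy above and runs it through a simplified model of IAM evaluation (an explicit Deny wins, otherwise any matching Allow, otherwise implicit deny; conditions and principals are not modelled) to check that record edits are confined to one zone and that ListHostedZones only works with Resource "*". The zone IDs are constructed placeholders, the function names and the list_resource parameter are mine, and the "Version" key is an assumed addition.

```python
import fnmatch

# Constructed placeholder zone IDs, not real hosted zones.
ALLOWED_ZONE = "Z0000000000000EXAMPLE"
OTHER_ZONE = "Z1111111111111EXAMPLE"

def zone_arn(zone_id):
    return f"arn:aws:route53:::hostedzone/{zone_id}"

def build_zone_policy(zone_id, list_resource="*"):
    """The post's least-privilege document: edit one zone, list all zones.
    list_resource exists only to show why ListHostedZones needs "*"."""
    return {
        "Version": "2012-10-17",  # assumed addition; the post's document omits it
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "route53:ChangeResourceRecordSets",
                    "route53:GetHostedZone",
                    "route53:ListResourceRecordSets",
                ],
                "Resource": [zone_arn(zone_id)],
            },
            # ListHostedZones does not act on a specific zone, so it needs "*".
            {"Effect": "Allow", "Action": ["route53:ListHostedZones"], "Resource": [list_resource]},
        ],
    }

def _matches(patterns, value):
    # IAM-style wildcard: "*" matches any run of characters, "/" included.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource="*"):
    """Simplified IAM evaluation: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Resource-less calls such as ListHostedZones are
    evaluated against "*", which a zone ARN pattern never matches."""
    decision = False
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if _matches(actions, action) and _matches(resources, resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision
```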

Comments

  1. Jack Smith says

    Thanks for the tutorial! One thing I’m having trouble with is trying to restrict the user to only see the zones that I want them to be able to access. Below is the policy that I’m using and the Zone ID is the hosted zone ID of the domain that I want them to be able to access. Have you actually been able to get this to work?

    {
       "Statement":[
          {
             "Action":[
                "route53:ChangeResourceRecordSets",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets"
             ],
             "Effect":"Allow",
             "Resource":[
                "arn:aws:route53:::hostedzone/"
             ]
          },
          {
             "Action":[
                "route53:ListHostedZones"
             ],
             "Effect":"Allow",
             "Resource":[
                "arn:aws:route53:::hostedzone/"
             ]
          }
       ]
    }

    • Jack Smith says

      Oops, those ARNs are “arn:aws:route53:::hostedzone/ZONE_ID”, but your blog thought they were HTML tags because I surrounded ZONE_ID with > & <.

    • says

      @Jack. I don’t believe that it’s possible to add restrictions to view only specific Zone IDs. I recently had this requirement and spent forever trying to get it right but just couldn’t find a way so that the permissions will only allow the user to view a specific ZoneID :(

  2. says

    Gary is right. According to the documentation: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html
    “Most actions can be authorized to act on a specific resource or a set of resources using a wildcard ARN. However, because the CreateHostedZone and ListHostedZones actions do not act on specific resources, policies for these actions must specify * as the resource. For a list of Route 53 actions, refer to the API action names in the Amazon Route 53 API Reference.”

  3. says

    Hey Gary, thanks for the post – easier to read than the AWS stuff. But could you take out this from the post “(you should also be able to restrict the listing of zones by using arn:aws:route53:::hostedzone/HostedZoneID”

    That led me on a bit of a wild goose chase until I got back here and read these comments… seems like you really can’t.
