AWS policy: need explanation for the "ForAllValues" qualifier

0

I have this SCP attached to account A in my org:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "A",
            "AAAA"
          ]
        }
      }
    }
  ]
}

As I understand:

  • the SCP will deny if each and every record's type in my request equals A or AAAA
  • the SCP will not deny if at least one record's type in my request is not equal to A or AAAA

However, when I create R53 records in account A using the console (screenshot not included), the SCP still blocks the request even though the request contains a record of type "CNAME", which is not A or AAAA.

What is wrong in my understanding of "ForAllValues"? Please help me. Thanks.

1 answer
0

Your understanding of the "ForAllValues" condition is correct, but it seems there might be a misunderstanding in the way Route 53 record types are handled in the SCP condition.

The "ForAllValues" condition in the SCP denies the action if all the specified values match in the request. However, in your case, the "route53:ChangeResourceRecordSetsRecordTypes" condition doesn't actually refer to the types of records you are creating (like A, AAAA, or CNAME). Instead, it refers to the record types that the IAM user or role performing the action is allowed to change.

So, the SCP you provided will deny the "route53:ChangeResourceRecordSets" action for all record types (A and AAAA) if all the values in the "route53:ChangeResourceRecordSetsRecordTypes" condition match those specified in the SCP. It doesn't check the record types being created; rather, it checks the types of records that can be changed.

To allow changes to CNAME records while still restricting changes to A and AAAA records, you need to modify the SCP to allow the "route53:ChangeResourceRecordSets" action for the CNAME record type. You can achieve this by modifying the SCP as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "A",
            "AAAA"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": "CNAME"
        }
      }
    }
  ]
}

With this modification, the SCP denies changes to A and AAAA records but allows changes to CNAME records. Make sure to attach this updated SCP to your AWS account. After that, the IAM users or roles in your account will be able to change CNAME records without being blocked by the SCP.

Answered 3 months ago
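As an added example (not part of the question or the answer above, and not AWS's code), the following Python script models how IAM evaluates the ForAllValues and ForAnyValue set operators on a multi-valued condition key such as route53:ChangeResourceRecordSetsRecordTypes, using the SCP from the question as its policy. It includes the documented rule that ForAllValues also evaluates to true when the key is absent from the request context or carries an empty value set, and that an explicit Deny statement takes precedence over a matching Allow. The record-type batches it feeds in are constructed samples, and the function names (set_operator_matches, evaluate, scp_decision) are my own, not an AWS API.

```python
# Added example: a small model of IAM set-operator semantics (ForAllValues /
# ForAnyValue) on a multi-valued condition key, driven by the SCP from the
# question. The request batches below are constructed, not captured API calls.

from typing import Any, Dict, Iterable, List, Optional

# The SCP from the question, as Python data.
SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["route53:ChangeResourceRecordSets"],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA"]
                }
            },
        }
    ],
}

ACTION = "route53:ChangeResourceRecordSets"
KEY = "route53:ChangeResourceRecordSetsRecordTypes"


def set_operator_matches(operator: str, request_values: Optional[Iterable[str]],
                         policy_values: List[str]) -> bool:
    """Evaluate one set operator the way AWS documents it.

    ForAllValues: true when every request value matches some policy value;
                  also true when the key is absent or its value set is empty.
    ForAnyValue : true when at least one request value matches;
                  false when the key is absent or empty.
    """
    values = set(request_values or [])
    allowed = set(policy_values)
    if operator.startswith("ForAllValues:"):
        return values.issubset(allowed)   # the empty set is a subset -> True
    if operator.startswith("ForAnyValue:"):
        return bool(values & allowed)
    raise ValueError(f"unsupported operator {operator!r}")


def statement_matches(stmt: Dict[str, Any], action: str,
                      request_ctx: Dict[str, Any]) -> bool:
    """A statement matches when the action is listed and every condition holds.
    Resource is "*" in every statement here, so it is not evaluated."""
    if action not in stmt["Action"]:
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, policy_values in keys.items():
            if not set_operator_matches(operator, request_ctx.get(key), policy_values):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str,
             request_ctx: Dict[str, Any]) -> str:
    """Explicit Deny wins over any Allow. With no matching statement the SCP
    expresses no opinion ("NoMatch") and other policies decide."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, request_ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def scp_decision(record_types: Optional[List[str]]) -> str:
    """Decision of the question's SCP for one ChangeResourceRecordSets batch.
    None models a request context in which the key is not present at all."""
    ctx: Dict[str, Any] = {}
    if record_types is not None:
        ctx[KEY] = record_types
    return evaluate(SCP, ACTION, ctx)


if __name__ == "__main__":
    for batch in (["A"], ["A", "AAAA"], ["CNAME"], ["A", "CNAME"], [], None):
        print(f"{batch!r:16} -> {scp_decision(batch)}")
    # A Deny statement still wins when an Allow statement also matches.
    deny_plus_allow = {
        "Statement": SCP["Statement"] + [{
            "Effect": "Allow",
            "Action": [ACTION],
            "Resource": "*",
            "Condition": {"ForAnyValue:StringEquals": {KEY: ["A"]}},
        }]
    }
    print("Deny + Allow, batch ['A'] ->", evaluate(deny_plus_allow, ACTION, {KEY: ["A"]}))
```

Running the script prints Deny for the batches ["A"], ["A", "AAAA"], [] and None, and NoMatch for ["CNAME"] and ["A", "CNAME"]. The empty and absent cases are the ones worth checking when a ForAllValues-gated Deny fires unexpectedly: any request in which the key is not populated satisfies the condition, so the same policy written with ForAnyValue behaves very differently on such requests.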
