How do Route 53 resource record set IAM policies work?

0

AWS added granular Route 53 resource record set IAM conditions. There's documentation, but if you copy and paste one of the example policies into IAM, it shows an error that the condition doesn't exist, and a security warning that ForAllValues should not be used.

How would one actually write an IAM policy to, for example:

  • CREATE or DELETE record sets
  • of type TXT
  • with names matching _acme-challenge.*?
2 answers
1

[+] This can be updated using the Policy feature of IAM.
[+] Please find the JSON for the lab setup that I performed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "_acme-challenge.*"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": [
                        "TXT"
                    ],
                    "route53:ChangeResourceRecordSetsActions": [
                        "CREATE",
                        "DELETE"
                    ]
                }
            }
        }
    ]
}

[+] How to go about this:
[-] Create a new policy by selecting the service: Route53
[-] Navigate to Actions --> Access level
[=] Collapse Write [access level]
[=] Select ChangeResourceRecordSets

[-] Now navigate to Resources
[=] This depends on the use case

[-] Navigate to Request conditions
[=] Add condition
[=] Under Condition key you can see all the options under [Service level condition keys]:
ChangeResourceRecordSetsNormalizedRecordNames
ChangeResourceRecordSetsActions
ChangeResourceRecordSetsRecordTypes

Please refer to the JSON [from the lab setup], which provides first-hand information for the question.

AWS
RiKa
answered 2 years ago
  • Hmm. Using the visual editor is a good idea. But clicking on the JSON tab still shows the "Invalid Service Condition Key" errors! :-/

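Added example, not code from the answer above or from AWS: a small offline model of how the three multivalued condition keys are derived from a Route 53 ChangeBatch and then checked with the ForAllValues set operators, which shows why the wildcard needs StringLike rather than StringEquals and why a batch that mixes in a non-TXT record is denied. It assumes Route 53 normalizes record names to lowercase without the trailing dot; the sample ChangeBatches are constructed.

```python
import re

# Condition block of the corrected policy (set operators: one ChangeBatch may carry several records).
CONDITION = {
    "ForAllValues:StringLike": {
        "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]},
    "ForAllValues:StringEquals": {
        "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
        "route53:ChangeResourceRecordSetsActions": ["CREATE", "DELETE"]},
}

def context_keys(change_batch):
    """Build the three multivalued keys from a ChangeBatch. Assumption: normalization = lowercase, no trailing dot."""
    names, types, actions = set(), set(), set()
    for change in change_batch["Changes"]:
        rrset = change["ResourceRecordSet"]
        names.add(rrset["Name"].lower().rstrip("."))
        types.add(rrset["Type"])
        actions.add(change["Action"])
    return {"route53:ChangeResourceRecordSetsNormalizedRecordNames": names,
            "route53:ChangeResourceRecordSetsRecordTypes": types,
            "route53:ChangeResourceRecordSetsActions": actions}

def string_like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one; StringEquals has no wildcards.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition, context):
    for operator, keys in condition.items():
        set_op, sep, base = operator.partition(":")
        if not sep:  # this model accepts only set operators, since these keys are multivalued
            raise ValueError(f"{operator} needs a ForAllValues/ForAnyValue prefix")
        match = string_like if base == "StringLike" else (lambda p, v: p == v)
        for key, patterns in keys.items():
            hits = [any(match(p, v) for p in patterns) for v in context[key]]
            # ForAllValues: every request value must match (vacuously true for an empty key set, hence the console warning).
            if set_op == "ForAllValues" and not all(hits):
                return False
            if set_op == "ForAnyValue" and not any(hits):
                return False
    return True

# Constructed sample ChangeBatches, not taken from the page.
ACME_BATCH = {"Changes": [
    {"Action": "CREATE", "ResourceRecordSet": {"Name": "_acme-challenge.www.example.com.", "Type": "TXT"}},
    {"Action": "DELETE", "ResourceRecordSet": {"Name": "_ACME-Challenge.example.com.", "Type": "TXT"}}]}
MIXED_BATCH = {"Changes": [
    {"Action": "CREATE", "ResourceRecordSet": {"Name": "_acme-challenge.example.com.", "Type": "TXT"}},
    {"Action": "UPSERT", "ResourceRecordSet": {"Name": "www.example.com.", "Type": "A"}}]}
```

Run `condition_allows(CONDITION, context_keys(ACME_BATCH))` for the allowed case and the same call with `MIXED_BATCH` for the denied one; the real authorization decision is still made by IAM, so confirm with the IAM policy simulator before relying on it.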
1

This may be a display error, since this is a new feature update and the IAM console may be updated soon. We have brought this to their attention. Can you please check whether this is preventing you from creating the policy, and whether you are able to proceed with creating it and test the permissions?

AWS
Expert
answered 2 years ago
