How do Route 53 resource record set IAM policies work?


AWS added granular Route 53 resource record set IAM conditions. There's documentation, but if you copy and paste one of the example policies into IAM, it shows an error that the condition doesn't exist, and a security warning that Forallvalues should not be used.

How would one actually write an IAM policy to, for example:

  • CREATE or DELETE record sets
  • of type TXT
  • with names matching _acme-challenge.*?
2 Answers

[+] This can be updated using the Policy feature of IAM
[+] Please find the JSON file for the LAB setup that I have performed.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.*"
                "StringEqualsIfExists": {
                    "route53:ChangeResourceRecordSetsRecordTypes": "TXT",
                    "route53:ChangeResourceRecordSetsActions": [

[+] How to go about this.
[-] Create New Policy by selecting service : Route53
[-] Navigate to Action --> Access level
[=] Collapse Write [access level]
[=] Select - ChangeResourceRecordSets

[-] Now navigate to Resources
[=] This would depend on use-case

[-] Navigate to Request Conditions
[=] Add Condition
[=] Under Condition Key you get to see all the options under [Service level condition keys]

Please refer the Json [from LAB setup] which would provide you with first-hand information as per the question.

answered 2 years ago
  • Hmm. Using the visual editor is a good idea. But clicking on the JSON tab still shows the "Invalid Service Condition Key" errors! :-/


This may be a display error since this is a new feature update and the console at IAM may be updating it soon. We have brought it to the attention. Can you please try to see if this is preventing you with creation of the policy. If you are able to proceed with the creation and test the permissions?

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions