json code need to disallow Delete Domain by im user. "route53:DeleteDomain" ERROR

0

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "", "Resource": "" }, { "Effect": "Deny", "Action": [ "route53domains:AcceptDomainTransferFromAnotherAwsAccount", "route53domains:CancelDomainTransferToAnotherAwsAccount", "route53domains:CheckDomainTransferability", "route53domains:DisableDomainTransferLock", "route53domains:EnableDomainTransferLock", "route53domains:RejectDomainTransferFromAnotherAwsAccount", "route53domains:TransferDomain", "route53domains:TransferDomainToAnotherAwsAccount", "route53:DeleteHostedZone" "route53:DeleteDomain" (IT STATED ERROR JSON FOR THIS CODE) ], "Resource": "*" } ] }

asked 4 months ago175 views
2 Answers
2
Accepted Answer

Hello.

I made the same comment at the URL below.
https://repost.aws/questions/QUsHc9DBQXSraeueBCkOsuGw/admin-access-exception-of-domain-delete-transfer-and-closure-of-aws-account#ANOkus2jozRxa7FnFTwSBztA

There is no action called "route53:DeleteDomain".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html

You can control domain deletion with the action "route53domains:DeleteDomain".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53domains.html

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
      },
      {
          "Effect": "Deny",
          "Action": [
              "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
              "route53domains:CancelDomainTransferToAnotherAwsAccount",
              "route53domains:CheckDomainTransferability",
              "route53domains:DisableDomainTransferLock",
              "route53domains:DeleteDomain",
              "route53domains:EnableDomainTransferLock",
              "route53domains:RejectDomainTransferFromAnotherAwsAccount",
              "route53domains:TransferDomain",
              "route53domains:TransferDomainToAnotherAwsAccount",
              "route53:DeleteHostedZone"
          ],
          "Resource": "*"
      }
  ]
}
profile picture
EXPERT
answered 4 months ago
profile picture
EXPERT
reviewed 3 months ago
profile picture
EXPERT
reviewed 4 months ago
1

If you would like to prevent an IAM user (or any other principal - such as a role) from being able to make the deleteDomain call then you can attach this policy to them:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "route53domains:DeleteDomain",
            "Resource": "*"
        }
    ]
}

As for the policy you have - it isn't correctly formatted - and is not valid JSON. It should be formatted as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
                "route53domains:CancelDomainTransferToAnotherAwsAccount",
                "route53domains:CheckDomainTransferability",
                "route53domains:DisableDomainTransferLock",
                "route53domains:EnableDomainTransferLock",
                "route53domains:RejectDomainTransferFromAnotherAwsAccount",
                "route53domains:TransferDomain",
                "route53domains:TransferDomainToAnotherAwsAccount",
                "route53:DeleteHostedZone",
                "route53domains:DeleteDomain"
            ],
            "Resource": "*"
        }
    ]
}

You have ], at the wrong location - it should be in front of the "Resource": "*" clause. Obviously, these are only deny rules - you should also provide the corresponding allowed actions, either here, or in a different policy.

Deny always wins.

AWS
EXPERT
answered 4 months ago
profile picture
EXPERT
reviewed 3 months ago
profile picture
EXPERT
reviewed 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions