Do IAM policies support route53 hosted zones as resources?

0

I've been having some permissions issues - namely IAM policies with "Resource": "arn:aws:route53:::hostedzone/{Route53HostedZoneID}" and some route53:actions result in "This action does not have an applicable resource." warnings and no permissions being granted for the associated action. Using "Resource": "*" works. Am I missing some additional required configuration, is this a bug, or intended behavior? It seems to conflict with published documentation...

For example, from this article: https://aws.amazon.com/blogs/networking-and-content-delivery/implementing-fine-grained-amazon-route-53-access-using-aws-iam-condition-keys-part-1/, trying to create an IAM policy with the first example json (appropriately replacing {Route53HostedZoneID} and ${aws:PrincipalTag/{custom-attribute}}):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/{Route53HostedZoneID}",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "${aws:PrincipalTag/{custom-attribute}}"
                    ]
                }
            }
        }
    ]
}

results in a policy summary that lists Route 53 as a service, but access level, resource, and request condition are all "none", and clicking on the Route 53 service fails to load a list of actions for Route 53. Adding another action with "Resource": "*", such as

{
	"Effect": "Allow",
	"Action": "route53:ListResourceRecordSets",
	"Resource": "*"
}

results in a summary that will load the list of actions when clicking on Route 53, but when the list of actions is expanded, the ListResourceRecordSets appears to be granted as expected (access to all resources), but the ChangeResourceRecordSets action says "(No Access) This action does not have an applicable resource." I'm lost as to why this is happening since https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html and pretty much everything else I've found about this suggests that "Resource": "arn:aws:route53:::hostedzone/{Route53HostedZoneID}" is supported and should work in this case. What am I missing? Does this require some additional configuration for the hosted zone? For reference, I've tested this with a public hosted zone and the end goal is to create a policy that allows users to update record sets on just the specified zone.
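To check a policy like the one above locally before relying on the console's policy summary, here is an added Python example (it is not from the question or the answers): it lints the hosted-zone ARN format that the documentation specifies and simulates the ForAllValues:StringEquals condition from the first example, with the zone ID Z0123456789ABCDEFGHIJ, the tag key dnsname and the simplified record-name normalization all being assumptions of the example.

```python
import json
import re

# Documented form: arn:aws:route53:::hostedzone/<ZoneID> with the bare ID (the API returns "/hostedzone/<ID>").
HOSTED_ZONE_ARN = re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$")
TAG_REF = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")

# Constructed policy: the question's first example with a made-up zone ID and tag key.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "route53:ChangeResourceRecordSets",
    "Resource": "arn:aws:route53:::hostedzone/Z0123456789ABCDEFGHIJ",
    "Condition": {"ForAllValues:StringEquals": {
      "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["${aws:PrincipalTag/dnsname}"]}}
  }]
}""")

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_hosted_zone_resources(policy):
    """Flag hosted-zone Resource entries that can never match a real Route 53 zone ARN."""
    prefix, warnings = "arn:aws:route53:::hostedzone/", []
    for stmt in policy["Statement"]:
        for res in (r for r in as_list(stmt["Resource"]) if r.startswith(prefix)):
            if "/hostedzone/" in res[len(prefix):]:
                warnings.append(f"{res}: zone ID still carries the API's '/hostedzone/' prefix")
            elif not HOSTED_ZONE_ARN.match(res):
                warnings.append(f"{res}: not of the form {prefix}<ZoneID>")
    return warnings

def evaluate(policy, action, zone_arn, principal_tags, record_names):
    """Simulate the Allow decision for one ChangeResourceRecordSets call (Allow statements only)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in as_list(stmt["Action"]):
            continue
        if not any(r in ("*", zone_arn) for r in as_list(stmt["Resource"])):
            continue
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed = cond.get("route53:ChangeResourceRecordSetsNormalizedRecordNames")
        if allowed is None:
            return True  # statement puts no condition on record names
        # Expand ${aws:PrincipalTag/<key>} from the caller's tags; a missing tag matches nothing.
        expanded = {principal_tags.get(m.group(1)) if (m := TAG_REF.match(v)) else v for v in allowed}
        # Simplified normalization (assumption): lowercase, trailing dot removed; ForAllValues needs every name allowed.
        if all(n.rstrip(".").lower() in expanded for n in record_names):
            return True
    return False
```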

2 Answers
0

Appears to have been a bug, as permissions now show as having been granted properly in the interface without any actual changes to the policies. Have yet to actually test and confirm the permissions are working, but thanks for the fix!

answered 9 months ago
-1

Based on the information available, it appears that you're encountering an issue with specifying Route 53 hosted zones as resources in IAM policies.

When working with Amazon Route 53 IAM policies, some actions do support resource-level permissions while others require you to specify "*" as the resource. The examples in the AWS documentation show that for managing public hosted zones and their records, the policy typically uses a wildcard character (*) in the Amazon Resource Name (ARN) to grant access to all hosted zones owned by the current AWS account.

For example, the AmazonRoute53DomainsFullAccess policy uses "*" as the resource identifier:

{
    "Effect": "Allow",
    "Action": [
        "route53:CreateHostedZone",
        "route53domains:*"
    ],
    "Resource": [
        "*"
    ]
}

For private hosted zones, the policy examples also show using "*" as the resource, along with the necessary permissions:

{
    "Effect": "Allow",
    "Action": [
        "route53:CreateHostedZone",
        "route53:AssociateVPCWithHostedZone"
    ],
    "Resource": "*"
}

The issue you're experiencing with the specific ARN format "arn:aws:route53:::hostedzone/{Route53HostedZoneID}" causing "This action does not have an applicable resource" warnings suggests that despite what some documentation might indicate, certain Route 53 actions may not support resource-level permissions in the way you're trying to implement them.

For your goal of allowing users to update record sets on just a specific zone, you might need to use a combination of "*" for the Resource element and then use condition keys to restrict access to specific hosted zones. The VPC permissions example shows that Route 53 supports IAM policy conditions for fine-grained access control, which might be a better approach for your use case.
Sources
Using identity-based policies (IAM policies) for Amazon Route 53 - Amazon Route 53
AmazonRoute53DomainsFullAccess - AWS Managed Policy
Overview of managing access permissions to your Amazon Route 53 resources - Amazon Route 53
AWS managed policies for Amazon Route 53 - Amazon Route 53
VPC permissions - Amazon Route 53

answered 9 months ago