Amazon Route 53, restrict IAM user access to single record set

Question

I would like to programmatically change the CNAME of a Record Set inside an Hosted Zone on Amazon Route 53, but I would like to restrict the access of the user ONLY to that record set. For what I have seen on the documentation IAM allow to specify operation only based on "hosted-zone" or "changes". This means that my user need to have power over ALL my record set to change a single one.

The consequences of an error in the code in a case like this are more than catastrophic. If the checks on the hosted zone name are wrong, for any reason, I could for error apply the changes to more than one record set (imagine many Record Set pointing now on the same box/infrastructure).

My question is not about not making errors in the code, but about creating a user to protect the system from such possibilities. There is a way to restrict access (or a workaround) to allow a new IAM user to access one/a limited set of Hosted Zones only.

On IAM level, not programmatically.

Thank you.

Answer 1

One way you could do this is make a new zone that's a subdomain of the main domain, like stuff.example.com and delegate the subdomain's NS to that secondary zone. Give them IAM privileges to that subdomain's zone and they'd be able to create subdomains like my.stuff.example.com. For records that you want to be first-class citizens, you could CNAME my.example.com to my.stuff.example.com, which would functionally permit them to manage that subdomain without having full privileges.

Answer 2

I had the chance to ask this question to a couple of aws solutions architect at the last amazon aws conference and they confirmed me is not possible. IAM or better Route53 does not have that level of granularity.

Answer 3

You can create AWS Lambda function that make this change (only for this single record) and make an invocation policy for this function.