18

I would like to programmatically change the CNAME of a Record Set inside a Hosted Zone on Amazon Route 53, but I would like to restrict the access of the user ONLY to that record set. From what I have seen in the documentation, IAM allows specifying operations only based on "hosted-zone" or "changes". This means that my user needs to have power over ALL my record sets to change a single one.

The consequences of an error in the code in a case like this are more than catastrophic. If the checks on the hosted zone name are wrong, for any reason, I could by mistake apply the changes to more than one record set (imagine many Record Sets now pointing at the same box/infrastructure).

My question is not about not making errors in the code, but about creating a user to protect the system from such possibilities. Is there a way to restrict access (or a workaround) to allow a new IAM user to access only one or a limited set of Hosted Zones?

On IAM level, not programmatically.

Thank you.

Fabrizio S

3 Answers

14

One way you could do this is to make a new zone that's a subdomain of the main domain, like stuff.example.com, and delegate the subdomain's NS to that secondary zone. Give them IAM privileges to that subdomain's zone and they'd be able to create subdomains like my.stuff.example.com. For records that you want to be first-class citizens, you could CNAME my.example.com to my.stuff.example.com, which would functionally permit them to manage that subdomain without having full privileges.

ceejayoz
    Yes, I agree that this is probably viable. It is a good workaround while I wait for more granular permissions. – Fabrizio S May 05 '14 at 21:09
7

I had the chance to ask this question of a couple of AWS solutions architects at the last Amazon AWS conference and they confirmed to me that it is not possible. IAM, or rather Route 53, does not have that level of granularity.

Fabrizio S
    There are currently planned developments for this feature. This is the last official answer from Amazon: "Thank you for mentioning this, we have raised this with our development teams for future consideration. If you have any other suggestions please do let us know. Regards, Davin G." I would suggest you upvote the related thread at: https://forums.aws.amazon.com/thread.jspa?messageID=563952 – tiagomatos Aug 18 '14 at 18:47
7

You can create an AWS Lambda function that makes this change (only for this single record) and create an invocation policy for this function.

Dmytro
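The Lambda approach from the answer above, written out as an added example (this is not code from the answer or from AWS): the hosted zone ID, record name and record type are module constants, so a caller can choose nothing but the target of that one CNAME, and the caller's IAM identity is granted only `lambda:InvokeFunction` on this function. The zone ID, record name and function ARN are placeholders; the function's own execution role is assumed to hold `route53:ChangeResourceRecordSets` on the zone, which is exactly the zone-wide permission the question wants kept away from the end user.

```python
"""Lambda-style handler that can UPSERT exactly one Route 53 CNAME record.
The caller chooses only the CNAME target; zone ID, record name and type are
constants, so even a buggy caller cannot reach any other record set."""
import re

# Constructed placeholders: replace with your own zone ID and record name.
HOSTED_ZONE_ID = "ZEXAMPLEZONEID"
RECORD_NAME = "my.example.com."
RECORD_TYPE = "CNAME"
TTL = 60

# RFC 1123-style hostname: dotted labels, optional trailing dot, <= 253 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$", re.I)

# IAM policy for the *caller*: invoke this one function and nothing else.
INVOKE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME"}]}  # placeholder ARN


def build_change_batch(target):
    """Validate `target` and return the UPSERT ChangeBatch for the fixed record."""
    if not isinstance(target, str) or not _HOSTNAME_RE.match(target):
        raise ValueError("target must be a valid hostname")
    record = {"Name": RECORD_NAME, "Type": RECORD_TYPE, "TTL": TTL,
              "ResourceRecords": [{"Value": target.rstrip(".") + "."}]}
    return {"Comment": "restricted single-record CNAME update",
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": record}]}


def lambda_handler(event, context, client=None):
    """Lambda entry point; `event` must be exactly {"target": "<hostname>"}."""
    if not isinstance(event, dict) or set(event) != {"target"}:
        raise ValueError("event must contain exactly one key: 'target'")
    batch = build_change_batch(event["target"])
    if client is None:
        import boto3  # lazy import: module loads (and tests run) without boto3
        client = boto3.client("route53")
    resp = client.change_resource_record_sets(HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=batch)
    return {"change_id": resp["ChangeInfo"]["Id"], "status": resp["ChangeInfo"]["Status"]}


class RecordingClient:
    """Constructed stand-in for the boto3 Route 53 client, for offline dry runs."""
    def __init__(self):
        self.calls = []
    def change_resource_record_sets(self, **kwargs):
        self.calls.append(kwargs)
        return {"ChangeInfo": {"Id": "/change/CONSTRUCTED", "Status": "PENDING"}}
```

Pass a `RecordingClient()` as `client` to see the exact ChangeBatch the function would submit without touching AWS; any event that names a record, a zone or a second key is rejected before the API call.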