Route53 - Allow Access to a Single Hosted Zone

Recently I had a situation where I needed to allow a person to access a single Route53 hosted zone to make modifications.

The following is an IAM policy that allows a single user to modify the desired hosted zone via the AWS console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:Get*"
      ],
      "Resource": "arn:aws:route53:::hostedzone/<ZONE ID>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZoneCount",
        "route53:List*",
        "route53:TestDNSAnswer",
        "route53domains:Get*",
        "route53domains:List*"
      ],
      "Resource": "*"
    }
  ]
}

The first statement allows the user to make any modification to the records in the given hosted zone; because the resource is the hosted zone ARN, the same actions on any other zone are implicitly denied.

The second statement grants the account-wide, read-only actions that can only be scoped to Resource "*", so the user can see the list of hosted zones in the AWS console and select the correct one.

If the user selects a hosted zone they don't have permission for, the console shows them nothing for that zone.
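To check that the policy really is limited to the one zone before handing it out, the following added example (not part of the original post) runs a simplified IAM evaluation over the two route53 statements above. It assumes a constructed zone ID Z0EXAMPLE1 and ignores Condition, NotAction and NotResource, which this policy does not use.

```python
import fnmatch
import json

# The route53 statements from the post, with a constructed placeholder zone ID.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:ChangeResourceRecordSets", "route53:Get*"],
     "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE1"},
    {"Effect": "Allow",
     "Action": ["route53:GetHostedZoneCount", "route53:List*", "route53:TestDNSAnswer"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are IAM wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are matched case-sensitively.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, any matching Allow grants,
    and everything else is implicitly denied (Conditions are not modelled)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_action_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_resource_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Run `is_allowed(POLICY, "route53:ChangeResourceRecordSets", "arn:aws:route53:::hostedzone/Z0OTHER")` to confirm that writes to any zone other than the permitted one are denied.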