The aws-route53 mod contains resource, control and policy definitions for AWS Route 53 service.
Resource Types
Resource types covered by this mod:
Permissions
Taking a look at permissions and associated grant levels for each permission for Route 53:
| Permission | Grant Level | Help |
|---|---|---|
| cloudfront:ListDistributions | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| ec2:DescribeRegions | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| ec2:DescribeVpcs | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| elasticloadbalancing:DescribeLoadBalancers | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| route53:AssociateVPCWithHostedZone | Admin | Allowed since network admins control the DNS servers (through VPC settings) so this will only work if they have chosen to use AmazonProvidedDNS. |
| route53:ChangeResourceRecordSets | Admin | |
| route53:ChangeTagsForResource | Admin | Typically Operator but no sense creating Operator group just for tagging permissions. |
| route53:CreateHealthCheck | Admin | Public zones only. |
| route53:CreateHostedZone | Admin | |
| route53:CreateQueryLoggingConfig | Admin | Admin can create a configuration for DNS query logging to publish log data to an Amazon CloudWatch Logs log group. |
| route53:CreateReusableDelegationSet | Admin | |
| route53:CreateTrafficPolicy | Admin | Admins manage traffic policies. |
| route53:CreateTrafficPolicyInstance | Admin | Admins manage traffic policies. |
| route53:CreateTrafficPolicyVersion | Admin | Admins manage traffic policies. |
| route53:CreateVPCAssociationAuthorization | Admin | |
| route53:DeleteHealthCheck | Admin | Public zones only. |
| route53:DeleteHostedZone | Admin | |
| route53:DeleteQueryLoggingConfig | Admin | Admin can delete a configuration for DNS query logging to stop publishing log data to an Amazon CloudWatch Logs log group. |
| route53:DeleteReusableDelegationSet | Admin | |
| route53:DeleteTrafficPolicy | Admin | Admins manage traffic policies. |
| route53:DeleteTrafficPolicyInstance | Admin | Admins manage traffic policies. |
| route53:DeleteVPCAssociationAuthorization | Admin | |
| route53:DisassociateVPCFromHostedZone | Admin | Allowed since network admins control the DNS servers (through VPC settings) so this will only work if they have chosen to use AmazonProvidedDNS. |
| route53:GetAccountLimit | Metadata | |
| route53:GetChange | Metadata | |
| route53:GetChangeDetails | Metadata | |
| route53:GetCheckerIpRanges | Metadata | |
| route53:GetGeoLocation | Metadata | |
| route53:GetHealthCheck | Metadata | |
| route53:GetHealthCheckCount | Metadata | |
| route53:GetHealthCheckLastFailureReason | Metadata | |
| route53:GetHealthCheckStatus | Metadata | |
| route53:GetHostedZone | Metadata | |
| route53:GetHostedZoneCount | Metadata | |
| route53:GetHostedZoneLimit | Metadata | |
| route53:GetQueryLoggingConfig | Metadata | Gets information about a specified configuration for DNS query logging. |
| route53:GetReusableDelegationSet | Metadata | |
| route53:GetReusableDelegationSetLimit | Metadata | |
| route53:GetTrafficPolicy | Metadata | |
| route53:GetTrafficPolicyInstance | Metadata | |
| route53:GetTrafficPolicyInstanceCount | Metadata | |
| route53:ListChangeBatchesByHostedZone | Metadata | |
| route53:ListChangeBatchesByRRSet | Metadata | |
| route53:ListGeoLocations | Metadata | |
| route53:ListHealthChecks | Metadata | |
| route53:ListHostedZones | Metadata | |
| route53:ListHostedZonesByName | Metadata | |
| route53:ListQueryLoggingConfigs | Metadata | Lists the configurations for DNS query logging that are associated with the current AWS account |
| route53:ListResourceRecordSets | Metadata | |
| route53:ListReusableDelegationSets | Metadata | |
| route53:ListTagsForResource | Metadata | |
| route53:ListTagsForResources | Metadata | |
| route53:ListTrafficPolicies | Metadata | |
| route53:ListTrafficPolicyInstances | Metadata | |
| route53:ListTrafficPolicyInstancesByHostedZone | Metadata | |
| route53:ListTrafficPolicyInstancesByPolicy | Metadata | |
| route53:ListTrafficPolicyVersions | Metadata | |
| route53:ListVPCAssociationAuthorizations | Metadata | |
| route53:TestDNSAnswer | Metadata | Not listed in policy simulator. |
| route53:UpdateHealthCheck | Admin | Public zones only. |
| route53:UpdateHostedZoneComment | Admin | |
| route53:UpdateTrafficPolicyComment | Admin | Admins manage traffic policies. |
| route53:UpdateTrafficPolicyInstance | Admin | Admins manage traffic policies. |
| route53domains:CheckDomainAvailability | Metadata | |
| route53domains:CheckDomainTransferability | Metadata | |
| s3:ListBucket | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
Learn More About Turbot
- Setting Policies Tutorial
- Mods Overview
- Policies Overview
- Resources Overview
- Common Policies and Controls
Recommended Version
Version
6.4.0
Released On
Jun 01, 2023
Depends On
Resource Types
Control Types
- AWS > Route 53 > Hosted Zone > Active
- AWS > Route 53 > Hosted Zone > Approved
- AWS > Route 53 > Hosted Zone > CMDB
- AWS > Route 53 > Hosted Zone > Configured
- AWS > Route 53 > Hosted Zone > Discovery
- AWS > Route 53 > Hosted Zone > Tags
- AWS > Route 53 > Hosted Zone > Usage
Policy Types
- AWS > Route 53 > API Enabled
- AWS > Route 53 > Enabled
- AWS > Route 53 > Hosted Zone > Active
- AWS > Route 53 > Hosted Zone > Active > Age
- AWS > Route 53 > Hosted Zone > Active > Budget
- AWS > Route 53 > Hosted Zone > Active > Last Modified
- AWS > Route 53 > Hosted Zone > Approved
- AWS > Route 53 > Hosted Zone > Approved > Budget
- AWS > Route 53 > Hosted Zone > Approved > Custom
- AWS > Route 53 > Hosted Zone > Approved > Usage
- AWS > Route 53 > Hosted Zone > CMDB
- AWS > Route 53 > Hosted Zone > Configured
- AWS > Route 53 > Hosted Zone > Configured > Claim Precedence
- AWS > Route 53 > Hosted Zone > Configured > Source
- AWS > Route 53 > Hosted Zone > Tags
- AWS > Route 53 > Hosted Zone > Tags > Template
- AWS > Route 53 > Hosted Zone > Usage
- AWS > Route 53 > Hosted Zone > Usage > Limit
- AWS > Route 53 > Permissions
- AWS > Route 53 > Permissions > Levels
- AWS > Route 53 > Permissions > Levels > Modifiers
- AWS > Route 53 > Permissions > Lockdown
- AWS > Route 53 > Permissions > Lockdown > API Boundary
- AWS > Route 53 > Tags Template [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-route53
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-route53
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-route53
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-route53
Release Notes
6.4.0 (2023-06-01)
What's new?
- Resource's metadata will now also include
createdBydetails in Turbot CMDB. - README.md file is now available for users to check details about the resource types and service permissions that the mod covers.
6.3.1 (2022-12-16)
Bug fixes
- The
AWS > Route 53 > Hosted Zone > CMDBcontrol would fetch data for a maximum of 100 records for a hosted zone due to lack of pagination support. This is fixed and the control will now fetch details for all records for a hosted zone.
Action Types
Added
- AWS > Route 53 > Hosted Zone > Delete from AWS
- AWS > Route 53 > Hosted Zone > Set Tags
- AWS > Route 53 > Hosted Zone > Skip alarm for Active control
- AWS > Route 53 > Hosted Zone > Skip alarm for Active control [90 days]
- AWS > Route 53 > Hosted Zone > Skip alarm for Approved control
- AWS > Route 53 > Hosted Zone > Skip alarm for Approved control [90 days]
- AWS > Route 53 > Hosted Zone > Skip alarm for Tags control
- AWS > Route 53 > Hosted Zone > Skip alarm for Tags control [90 days]
6.3.0 (2022-06-23)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the
Approved > Custompolicy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Turbot if their CMDB policy was set to
Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.
Policy Types
Added
- AWS > Route 53 > Hosted Zone > Approved > Custom
6.2.0 (2021-07-21)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
6.1.2 (2020-12-28)
Bug fixes
- Controls run faster now when in the
tbdandskippedstates thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when intbdandskipped, resulting in faster and lighter control runs.
6.1.1 (2020-12-14)
Bug fixes
- Controls run faster now when in the
tbdandskippedstates thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when intbdandskipped, resulting in faster and lighter control runs.
6.1.0 (2020-10-09)
What's new?
- We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to
Skip, its Active control will move toinvalidto prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.
6.0.4 (2020-09-22)
Bug fixes
- We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.
6.0.3 (2020-08-13)
Bug fixes
- In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.
6.0.2 (2020-07-10)
Bug fixes
- Updated various resource configurations to provide better compatibility with AWS China regions.
6.0.1 (2020-07-01)
Bug fixes
- Sometimes when updating CMDB for resources with tags that have empty string values, e.g.,
[{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.
6.0.0 (2020-06-12)
Warning
- Permissions for Route 53 Domains have been moved into the
aws-route53domainsmod in order to allow granting of Route 53 and Route 53 Domains permissions separately. If you are currently using Route 53 Domains permissions, please install the latest version of theaws-route53domainsmod, enable permissions through theAWS > Route 53 Domains > Permissionspolicy, and assign the correct grant levels before updating to this version.
5.2.2 (2020-06-11)
What's new?
- All resource Router actions now run even if Turbot is outside of its allowed change window. This allows Turbot to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Turbot's ability to process resources changes that were made in the cloud provider - enforcement actions are still disabled outside of the change window.
5.2.1 (2020-05-08)
Bug fixes
- Removed
AWS > Route 53 > Stackcontrols and policies. They were released incorrectly, stacks will be defined at VPC level.
Control Types
Removed
- AWS > Route 53 > Stack
Policy Types
Removed
- AWS > Route 53 > Stack
- AWS > Route 53 > Stack > Secret Variables
- AWS > Route 53 > Stack > Source
- AWS > Route 53 > Stack > Variables
5.2.0 (2020-04-30)
Control Types
Added
- AWS > Route 53 > Hosted Zone > Configured
- AWS > Route 53 > Stack
Policy Types
Added
- AWS > Route 53 > Hosted Zone > Configured
- AWS > Route 53 > Hosted Zone > Configured > Claim Precedence
- AWS > Route 53 > Hosted Zone > Configured > Source
- AWS > Route 53 > Stack
- AWS > Route 53 > Stack > Secret Variables
- AWS > Route 53 > Stack > Source
- AWS > Route 53 > Stack > Variables