Permissions for @turbot/aws-route53
The table below lists each permission for Route 53 and its associated grant level:
Permission | Grant Level | Help |
---|---|---|
cloudfront:ListDistributions | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
ec2:DescribeRegions | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
ec2:DescribeVpcs | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
elasticloadbalancing:DescribeLoadBalancers | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
route53:AssociateVPCWithHostedZone | Admin | Allowed because network admins control the DNS servers (through VPC settings), so this will only work if they have chosen to use AmazonProvidedDNS. |
route53:ChangeResourceRecordSets | Admin | |
route53:ChangeTagsForResource | Admin | Typically Operator, but there is no sense creating an Operator group just for tagging permissions. |
route53:CreateHealthCheck | Admin | Public zones only. |
route53:CreateHostedZone | Admin | |
route53:CreateQueryLoggingConfig | Admin | Admin can create a configuration for DNS query logging to publish log data to an Amazon CloudWatch Logs log group. |
route53:CreateReusableDelegationSet | Admin | |
route53:CreateTrafficPolicy | Admin | Admins manage traffic policies. |
route53:CreateTrafficPolicyInstance | Admin | Admins manage traffic policies. |
route53:CreateTrafficPolicyVersion | Admin | Admins manage traffic policies. |
route53:CreateVPCAssociationAuthorization | Admin | |
route53:DeleteHealthCheck | Admin | Public zones only. |
route53:DeleteHostedZone | Admin | |
route53:DeleteQueryLoggingConfig | Admin | Admin can delete a configuration for DNS query logging to stop publishing log data to an Amazon CloudWatch Logs log group. |
route53:DeleteReusableDelegationSet | Admin | |
route53:DeleteTrafficPolicy | Admin | Admins manage traffic policies. |
route53:DeleteTrafficPolicyInstance | Admin | Admins manage traffic policies. |
route53:DeleteVPCAssociationAuthorization | Admin | |
route53:DisassociateVPCFromHostedZone | Admin | Allowed because network admins control the DNS servers (through VPC settings), so this will only work if they have chosen to use AmazonProvidedDNS. |
route53:GetAccountLimit | Metadata | |
route53:GetChange | Metadata | |
route53:GetChangeDetails | Metadata | |
route53:GetCheckerIpRanges | Metadata | |
route53:GetGeoLocation | Metadata | |
route53:GetHealthCheck | Metadata | |
route53:GetHealthCheckCount | Metadata | |
route53:GetHealthCheckLastFailureReason | Metadata | |
route53:GetHealthCheckStatus | Metadata | |
route53:GetHostedZone | Metadata | |
route53:GetHostedZoneCount | Metadata | |
route53:GetHostedZoneLimit | Metadata | |
route53:GetQueryLoggingConfig | Metadata | Gets information about a specified configuration for DNS query logging. |
route53:GetReusableDelegationSet | Metadata | |
route53:GetReusableDelegationSetLimit | Metadata | |
route53:GetTrafficPolicy | Metadata | |
route53:GetTrafficPolicyInstance | Metadata | |
route53:GetTrafficPolicyInstanceCount | Metadata | |
route53:ListChangeBatchesByHostedZone | Metadata | |
route53:ListChangeBatchesByRRSet | Metadata | |
route53:ListGeoLocations | Metadata | |
route53:ListHealthChecks | Metadata | |
route53:ListHostedZones | Metadata | |
route53:ListHostedZonesByName | Metadata | |
route53:ListQueryLoggingConfigs | Metadata | Lists the configurations for DNS query logging that are associated with the current AWS account. |
route53:ListResourceRecordSets | Metadata | |
route53:ListReusableDelegationSets | Metadata | |
route53:ListTagsForResource | Metadata | |
route53:ListTagsForResources | Metadata | |
route53:ListTrafficPolicies | Metadata | |
route53:ListTrafficPolicyInstances | Metadata | |
route53:ListTrafficPolicyInstancesByHostedZone | Metadata | |
route53:ListTrafficPolicyInstancesByPolicy | Metadata | |
route53:ListTrafficPolicyVersions | Metadata | |
route53:ListVPCAssociationAuthorizations | Metadata | |
route53:TestDNSAnswer | Metadata | Not listed in policy simulator. |
route53:UpdateHealthCheck | Admin | Public zones only. |
route53:UpdateHostedZoneComment | Admin | |
route53:UpdateTrafficPolicyComment | Admin | Admins manage traffic policies. |
route53:UpdateTrafficPolicyInstance | Admin | Admins manage traffic policies. |
route53domains:CheckDomainAvailability | Metadata | |
route53domains:CheckDomainTransferability | Metadata | |
s3:ListBucket | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |