Permissions for @turbot/aws-route53
Taking a look at permissions and associated grant levels for each permission for Route 53:
| Permission | Grant Level | Help |
|---|---|---|
| cloudfront:ListDistributions | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| ec2:DescribeRegions | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| ec2:DescribeVpcs | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| elasticloadbalancing:DescribeLoadBalancers | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |
| route53:AssociateVPCWithHostedZone | Admin | Allowed since network admins control the DNS servers (through VPC settings) so this will only work if they have chosen to use AmazonProvidedDNS. |
| route53:ChangeResourceRecordSets | Admin | |
| route53:ChangeResourceRecordSets | Admin | |
| route53:ChangeTagsForResource | Admin | Typically Operator but no sense creating Operator group just for tagging permissions. |
| route53:CreateHealthCheck | Admin | Public zones only. |
| route53:CreateHostedZone | Admin | |
| route53:CreateQueryLoggingConfig | Admin | Admin can create a configuration for DNS query logging to publish log data to an Amazon CloudWatch Logs log group. |
| route53:CreateReusableDelegationSet | Admin | |
| route53:CreateTrafficPolicy | Admin | Admins manage traffic policies. |
| route53:CreateTrafficPolicyInstance | Admin | Admins manage traffic policies. |
| route53:CreateTrafficPolicyVersion | Admin | Admins manage traffic policies. |
| route53:CreateVPCAssociationAuthorization | Admin | |
| route53:DeleteHealthCheck | Admin | Public zones only. |
| route53:DeleteHostedZone | Admin | |
| route53:DeleteQueryLoggingConfig | Admin | Admin can delete a configuration for DNS query logging to stop publishing log data to an Amazon CloudWatch Logs log group. |
| route53:DeleteReusableDelegationSet | Admin | |
| route53:DeleteTrafficPolicy | Admin | Admins manage traffic policies. |
| route53:DeleteTrafficPolicyInstance | Admin | Admins manage traffic policies. |
| route53:DeleteVPCAssociationAuthorization | Admin | |
| route53:DisassociateVPCFromHostedZone | Admin | Allowed since network admins control the DNS servers (through VPC settings) so this will only work if they have chosen to use AmazonProvidedDNS. |
| route53:GetAccountLimit | Metadata | |
| route53:GetChange | Metadata | |
| route53:GetChangeDetails | Metadata | |
| route53:GetCheckerIpRanges | Metadata | |
| route53:GetGeoLocation | Metadata | |
| route53:GetHealthCheck | Metadata | |
| route53:GetHealthCheckCount | Metadata | |
| route53:GetHealthCheckLastFailureReason | Metadata | |
| route53:GetHealthCheckStatus | Metadata | |
| route53:GetHostedZone | Metadata | |
| route53:GetHostedZoneCount | Metadata | |
| route53:GetHostedZoneLimit | Metadata | |
| route53:GetQueryLoggingConfig | Metadata | Gets information about a specified configuration for DNS query logging. |
| route53:GetReusableDelegationSet | Metadata | |
| route53:GetReusableDelegationSetLimit | Metadata | |
| route53:GetTrafficPolicy | Metadata | |
| route53:GetTrafficPolicyInstance | Metadata | |
| route53:GetTrafficPolicyInstanceCount | Metadata | |
| route53:ListChangeBatchesByHostedZone | Metadata | |
| route53:ListChangeBatchesByRRSet | Metadata | |
| route53:ListGeoLocations | Metadata | |
| route53:ListHealthChecks | Metadata | |
| route53:ListHostedZones | Metadata | |
| route53:ListHostedZonesByName | Metadata | |
| route53:ListQueryLoggingConfigs | Metadata | Lists the configurations for DNS query logging that are associated with the current AWS account |
| route53:ListResourceRecordSets | Metadata | |
| route53:ListReusableDelegationSets | Metadata | |
| route53:ListTagsForResource | Metadata | |
| route53:ListTagsForResources | Metadata | |
| route53:ListTrafficPolicies | Metadata | |
| route53:ListTrafficPolicyInstances | Metadata | |
| route53:ListTrafficPolicyInstancesByHostedZone | Metadata | |
| route53:ListTrafficPolicyInstancesByPolicy | Metadata | |
| route53:ListTrafficPolicyVersions | Metadata | |
| route53:ListVPCAssociationAuthorizations | Metadata | |
| route53:TestDNSAnswer | Metadata | Not listed in policy simulator. |
| route53:UpdateHealthCheck | Admin | Public zones only. |
| route53:UpdateHostedZoneComment | Admin | |
| route53:UpdateTrafficPolicyComment | Admin | Admins manage traffic policies. |
| route53:UpdateTrafficPolicyInstance | Admin | Admins manage traffic policies. |
| route53domains:CheckDomainAvailability | Metadata | |
| route53domains:CheckDomainTransferability | Metadata | |
| s3:ListBucket | Metadata | Required for AWS console access to Route 53 per http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/UsingWithIAM.html |