
aws-route53: restrict domain names in cross-account delegation #28078

@marcogrcr

Description


Describe the feature

IHostedZone has a convenient grantDelegation() method for granting an IAM role the necessary permissions for cross-account delegation. I would like to be able to restrict the names of the NS records that the grantee role can UPSERT and DELETE.

Use Case

Take the following infrastructure:

  • Root account: example.com
  • Beta account: beta.example.com
  • Prod account: prod.example.com

I want to make sure that the IAM role assumed from the Beta account can only UPSERT and DELETE the NS record beta.example.com and not prod.example.com. This way I can be certain that if the Beta account is compromised, there will be no impact to the production domain.

Proposed Solution

Add a backwards-compatible parameter to grantDelegation() that would allow a user to optionally add this restriction. For example:

import * as iam from 'aws-cdk-lib/aws-iam';
import * as route53 from 'aws-cdk-lib/aws-route53';

const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'example.com',
});

const betaCrossAccountRole = new iam.Role(this, 'BetaCrossAccountRole', {
  // ...
});
// Proposed API (not in aws-cdk-lib 2.110.0): restrict the Beta role to the beta.example.com NS record only.
parentZone.grantDelegation(betaCrossAccountRole, route53.DelegationGrantNames.ofEquals('beta.example.com'));

const prodCrossAccountRole = new iam.Role(this, 'ProdCrossAccountRole', {
  // ...
});
// Same grant for the Prod role, limited to prod.example.com.
parentZone.grantDelegation(prodCrossAccountRole, route53.DelegationGrantNames.ofEquals('prod.example.com'));

Internally, the grant would add the route53:ChangeResourceRecordSetsNormalizedRecordNames condition key with the specified names.

The DelegationGrantNames is a new class that allows the user to specify exact name matching (i.e. ForAllValues:StringEquals) or pattern matching (i.e. ForAllValues:StringLike). Its design would be based on the pattern used by aws-cdk-lib » aws_dynamodb » Billing.

For example:

abstract class DelegationGrantNames {
  public static ofEquals(...names: string[]): DelegationGrantNames;
  public static ofLike(...names: string[]): DelegationGrantNames;
}

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.110.0

Environment details (OS name and version, etc.)

Apple Silicon / macOS 14.1.1 / nodejs 20.9.0
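The following is an added example and is not code from the issue above or from aws-cdk-lib. It shows the IAM policy statement that a grant with the proposed DelegationGrantNames restriction would have to emit (the route53:ChangeResourceRecordSetsNormalizedRecordNames condition key alongside the NS / UPSERT / DELETE conditions the issue describes), plus a small simulator of how IAM evaluates those ForAllValues conditions against one ChangeResourceRecordSets request. It goes beyond the issue in two ways: it shows that a batch mixing a beta change with a prod change is denied as a whole, and that an ofLike pattern such as `*.example.com` is too wide because it also matches prod.example.com. Assumptions, labelled in the code: Route 53 normalizes the record name to lowercase without the trailing dot, the hosted zone ARN is constructed, and the CDK never emits this exact JSON.

```typescript
// Added example (not part of the issue or of aws-cdk-lib).
// Assumption: the normalized record name is lowercase with no trailing dot.

type StringOp = "StringEquals" | "StringLike";
type ConditionBlock = Record<string, string[]>;

export interface DelegationStatement {
  Effect: "Allow";
  Action: string[];
  Resource: string;
  Condition: Record<string, ConditionBlock>;
}

export interface RecordChange {
  Action: "CREATE" | "UPSERT" | "DELETE";
  Type: string;
  Name: string;
}

// Assumed normalization applied both to the policy and to the request.
export function normalizeName(name: string): string {
  return name.toLowerCase().replace(/\.$/, "");
}

// Statement restricting the grantee to NS UPSERT/DELETE on the given names.
// op = "StringEquals" corresponds to ofEquals(), "StringLike" to ofLike().
export function delegationStatement(
  hostedZoneArn: string,
  names: string[],
  op: StringOp = "StringEquals",
): DelegationStatement {
  const condition: Record<string, ConditionBlock> = {
    "ForAllValues:StringEquals": {
      "route53:ChangeResourceRecordSetsRecordTypes": ["NS"],
      "route53:ChangeResourceRecordSetsActions": ["UPSERT", "DELETE"],
    },
  };
  // ofEquals shares the StringEquals block above; ofLike gets its own StringLike block.
  const block = `ForAllValues:${op}`;
  condition[block] = {
    ...(condition[block] ?? {}),
    "route53:ChangeResourceRecordSetsNormalizedRecordNames": names.map(normalizeName),
  };
  return {
    Effect: "Allow",
    Action: ["route53:ChangeResourceRecordSets"],
    Resource: hostedZoneArn,
    Condition: condition,
  };
}

// IAM StringLike semantics: `*` matches any run of characters, `?` exactly one.
function likeToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

function matchesAny(value: string, allowed: string[], op: StringOp): boolean {
  return allowed.some((a) => (op === "StringEquals" ? value === a : likeToRegExp(a).test(value)));
}

// The request-side value set of a multivalued Route 53 key: one entry per change.
function requestValues(key: string, changes: RecordChange[]): string[] {
  if (key.endsWith("RecordTypes")) return changes.map((c) => c.Type);
  if (key.endsWith("Actions")) return changes.map((c) => c.Action);
  return changes.map((c) => normalizeName(c.Name));
}

// ForAllValues: every value in the request set must match some allowed value,
// so a single disallowed change anywhere in the batch denies the whole request.
export function isAllowed(stmt: DelegationStatement, changes: RecordChange[]): boolean {
  if (changes.length === 0) return false; // Route 53 rejects an empty change batch anyway
  for (const [block, keys] of Object.entries(stmt.Condition)) {
    const op = block.split(":")[1] as StringOp;
    for (const [key, allowed] of Object.entries(keys)) {
      if (!requestValues(key, changes).every((v) => matchesAny(v, allowed, op))) return false;
    }
  }
  return true;
}
```

The practical check this gives a reviewer: with `delegationStatement(zoneArn, ["beta.example.com"])` the Beta role can UPSERT or DELETE the beta.example.com NS record, is denied for prod.example.com, for any batch that also touches prod.example.com, for non-NS types and for CREATE; an ofLike-style `*.example.com` would silently re-admit prod.example.com, whereas `*.beta.example.com` does not.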

Metadata

Assignees

No one assigned

Labels

  • @aws-cdk/aws-route53: Related to Amazon Route 53
  • effort/medium: Medium work item – several days of effort
  • feature-request: A feature should be added or improved.
  • p3

Milestone

No milestone

Development

No branches or pull requests