docs(aws): scoping the IAM policy to explicitly defined Route53 zones (#5663)
* scoping the AWS IAM policy to explicitly defined AWS Route53 zones
* Apply suggestions from code review
Co-authored-by: Michel Loiseleur <[email protected]>
* Update aws.md
* Update docs/tutorials/aws.md
Co-authored-by: Michel Loiseleur <[email protected]>
* Update aws.md
breaking up lines to make it pass markdown linting
---------
Co-authored-by: Michel Loiseleur <[email protected]>
docs/tutorials/aws.md
Lines changed: 13 additions & 11 deletions
@@ -9,17 +9,16 @@ Record Sets and Hosted Zones. You'll want to create this Policy in IAM first. In
9
9
our example, we'll call the policy `AllowExternalDNSUpdates` (but you can call
10
10
it whatever you prefer).
11
11
12
-
If you prefer, you may fine-tune the policy to permit updates only to explicit
13
-
Hosted Zone IDs.
14
-
15
12
```json
16
13
{
17
14
"Version": "2012-10-17",
18
15
"Statement": [
19
16
{
20
17
"Effect": "Allow",
21
18
"Action": [
22
-
"route53:ChangeResourceRecordSets"
19
+
"route53:ChangeResourceRecordSets",
20
+
"route53:ListResourceRecordSets",
21
+
"route53:ListTagsForResources"
23
22
],
24
23
"Resource": [
25
24
"arn:aws:route53:::hostedzone/*"
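Review bot: dropping the sentence "If you prefer, you may fine-tune the policy to permit updates only to explicit Hosted Zone IDs." removes the only hint next to the first policy that `arn:aws:route53:::hostedzone/*` can be narrowed, so a reader who copies this block and stops here never learns that. Consider keeping a one-line pointer such as "See Further improvements below for scoping this statement to specific Hosted Zone IDs." Moving `route53:ListResourceRecordSets` and `route53:ListTagsForResources` into the hosted-zone-scoped statement is the right call: both actions accept a hostedzone ARN as their resource, so they can be restricted per zone together with `route53:ChangeResourceRecordSets`.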
@@ -28,9 +27,7 @@ Hosted Zone IDs.
28
27
{
29
28
"Effect": "Allow",
30
29
"Action": [
31
-
"route53:ListHostedZones",
32
-
"route53:ListResourceRecordSets",
33
-
"route53:ListTagsForResources"
30
+
"route53:ListHostedZones"
34
31
],
35
32
"Resource": [
36
33
"*"
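Review bot: the remaining statement now grants only `route53:ListHostedZones` on `"*"`, but the text does not say why this single action cannot be scoped down like the others. `ListHostedZones` does not support resource-level permissions, so it has to stay on `"*"`; a short sentence saying so would stop readers from "fixing" it to a hostedzone ARN and breaking zone discovery.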
@@ -51,7 +48,9 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
51
48
{
52
49
"Effect": "Allow",
53
50
"Action": [
54
-
"route53:ChangeResourceRecordSets"
51
+
"route53:ChangeResourceRecordSets",
52
+
"route53:ListResourceRecordSets",
53
+
"route53:ListTagsForResources"
55
54
],
56
55
"Resource": [
57
56
"arn:aws:route53:::hostedzone/*"
@@ -67,9 +66,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
67
66
{
68
67
"Effect": "Allow",
69
68
"Action": [
70
-
"route53:ListHostedZones",
71
-
"route53:ListResourceRecordSets",
72
-
"route53:ListTagsForResources"
69
+
"route53:ListHostedZones"
73
70
],
74
71
"Resource": [
75
72
"*"
@@ -79,6 +76,11 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
79
76
}
80
77
```
81
78
79
+
### Further improvements
80
+
81
+
Both policies can be further enhanced by tightening them down following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
82
+
Explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
83
+
82
84
Additional resources:
83
85
84
86
- AWS IAM actions [documentation](https://www.awsiamactions.io/?o=route53%3A)
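Review bot: the new sentence beginning "Explicitly providing a list of selected zones instead of `*` you can scope the deployment down" has a dangling modifier; suggest "By explicitly listing the selected zones instead of using `*`, you can scope the deployment down so that changes are allowed only to those zones, reducing the blast radius and improving auditability." It would also help to name the exact value to edit, e.g. replace `"arn:aws:route53:::hostedzone/*"` with one `"arn:aws:route53:::hostedzone/<ZONE_ID>"` entry per zone, so readers do not instead replace the `"*"` in the `route53:ListHostedZones` statement, which must remain a wildcard.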