Notes

IAM User policy to edit DNS records for selected domains

Amazon Web Services (AWS)

Create the following IAM policy and attach it to the user or group. Each statement grants access to a single hosted zone: replace <ZONE_ID> with the zone's ID and repeat the statement for every domain the user should be able to manage.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/<ZONE_ID>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/<ZONE_ID>"
    }
  ]
}

The policy above only works when the user goes directly to the domain management URL. If you are giving access to someone else, you will have to create their IAM user and provide them with the direct URL for every domain:

https://console.aws.amazon.com/route53/v2/hostedzones#ListRecordSets/<ZONE_ID>

With this policy the user will not be able to list any domains in the dashboard or otherwise get a list of the hosted zones.

If you also want them to be able to list all domains (while still only seeing or editing the records of the selected zone IDs), add these three additional grants on the * resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:ListHostedZonesByName"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/<ZONE_ID>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/<ZONE_ID>"
    }
  ]
}
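Since both policies above are the same zone-scoped statement repeated once per domain (plus the optional wildcard listing statement), it is easy to generate them, together with the per-zone console URLs, from a list of zone IDs. The script below is an added example and not part of the original note; it also includes a small least-privilege check that flags any write action granted on the * resource, which is the mistake these policies are designed to avoid. The zone IDs it uses are constructed placeholders.

```python
import json

# Actions the note grants per hosted zone (read + record changes).
ZONE_ACTIONS = [
    "route53:GetHostedZone",
    "route53:GetHostedZoneCount",
    "route53:ListHostedZones",
    "route53:ListHostedZonesByName",
    "route53:ListResourceRecordSets",
    "route53:ChangeResourceRecordSets",
]
# The three actions the note grants on "*" so the user can list all zones.
GLOBAL_LIST_ACTIONS = ["route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:ListHostedZonesByName"]
WRITE_ACTIONS = {"route53:ChangeResourceRecordSets"}


def build_policy(zone_ids, allow_listing=False):
    """Build the note's policy: one zone-scoped statement per hosted zone ID,
    optionally preceded by the wildcard listing statement."""
    statements = []
    if allow_listing:
        statements.append({"Effect": "Allow", "Action": list(GLOBAL_LIST_ACTIONS), "Resource": "*"})
    for zone_id in zone_ids:
        statements.append({"Effect": "Allow", "Action": list(ZONE_ACTIONS),
                           "Resource": f"arn:aws:route53:::hostedzone/{zone_id}"})
    return {"Version": "2012-10-17", "Statement": statements}


def console_urls(zone_ids):
    """Direct record-set URLs to hand to the user, one per zone."""
    return [f"https://console.aws.amazon.com/route53/v2/hostedzones#ListRecordSets/{z}" for z in zone_ids]


def unscoped_write_grants(policy):
    """Least-privilege check: list write (or wildcard) actions allowed on '*'. Expected: none."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources:
            found.extend(a for a in actions if a in WRITE_ACTIONS or a.endswith("*"))
    return found


if __name__ == "__main__":
    zones = ["ZEXAMPLE111111", "ZEXAMPLE222222"]  # constructed placeholders, not real zone IDs
    policy = build_policy(zones, allow_listing=True)
    print(json.dumps(policy, indent=2))
    print("\n".join(console_urls(zones)))
    print("unscoped write grants:", unscoped_write_grants(policy))  # expected: []
```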

Read access for all hosted zones

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}