Amazon Route 53 API 权限:操作、资源和条件参考
在设置 访问控制 和编写您可附加到 IAM 身份的权限策略(基于身份的策略)时,可以使用以下列表作为参考。这些列表包含每个 Amazon Route 53 API 操作、您必须授予访问权限的操作以及您必须授予访问权限的 Amazon 资源。您可以在策略的 Action 字段中指定这些操作,并在策略的 Resource 字段中指定资源值。
您可以在 Route 53 策略中使用 Amazon 范围的条件键来表示条件。有关 Amazon 范围内的键的完整列表,请参阅 《IAM 用户指南》中的可用键。
授予访问权限时,托管区域和 Amazon VPC 必须属于相同分区。分区是一组 Amazon Web Services 区域。每个 Amazon Web Services 账户 的作用域为一个分区。
以下是支持的分区:
aws- Amazon Web Services 区域aws-cn– 中国区域aws-us-gov- Amazon GovCloud (US) Region
有关更多信息,请参阅《Amazon 一般参考》中的访问权限管理。
要指定操作,请在 API 操作名称之前使用相应前缀(route53、route53domains 或 route53resolver),例如:
-
route53:CreateHostedZone -
route53domains:RegisterDomain -
route53resolver:CreateResolverEndpoint
主题
对公有托管区域执行操作所需的权限
- CreateHostedZone
-
所需权限(API 操作):
route53:CreateHostedZone资源:
* - DeleteHostedZone
-
所需权限(API 操作):
route53:DeleteHostedZone资源:
* - GetHostedZone
-
所需权限(API 操作):
route53:GetHostedZone资源:
* - GetHostedZoneCount
-
所需权限(API 操作):
route53:GetHostedZoneCount资源:
* - ListHostedZones
-
所需权限(API 操作):
route53:ListHostedZones资源:
* - ListHostedZonesByName
-
所需权限(API 操作):
route53:ListHostedZonesByName资源:
* - UpdateHostedZoneComment
-
所需权限(API 操作):
route53:UpdateHostedZoneComment资源:
*
对私有托管区域执行操作所需的权限
- CreateHostedZone
-
所需权限 (API 操作):
route53:CreateHostedZone、ec2:DescribeVpcs、ec2:DescribeRegions资源:
*、arn:aws:ec2::optional account id:* - DeleteHostedZone
-
所需权限(API 操作):
route53:DeleteHostedZone资源:
* - AssociateVPCWithHostedZone
-
所需权限 (API 操作):
route53:AssociateVPCWithHostedZone、ec2:DescribeVpcs资源:
*、arn:aws:ec2::optional account id:* - CreateVPCAssociationAuthorization
-
所需权限(API 操作):
route53:CreateVPCAssociationAuthorization资源:
* - DeleteVPCAssociationAuthorization
-
所需权限(API 操作):
route53:DeleteVPCAssociationAuthorization资源:
* - DisassociateVPCFromHostedZone
-
所需权限 (API 操作):
route53:DisassociateVPCFromHostedZone、ec2:DescribeVpcs资源:
*、arn:aws:ec2::optional account id:* - GetHostedZone
-
所需权限(API 操作):
route53:GetHostedZone资源:
* - GetHostedZoneCount
-
所需权限(API 操作):
route53:GetHostedZoneCount资源:
* - ListHostedZones
-
所需权限(API 操作):
route53:ListHostedZones资源:
* - ListHostedZonesByName
-
所需权限(API 操作):
route53:ListHostedZonesByName资源:
* - UpdateHostedZoneComment
-
所需权限(API 操作):
route53:UpdateHostedZoneComment资源:
*
对可重用委托集执行操作所需的权限
- CreateReusableDelegationSet
-
所需权限(API 操作):
route53:CreateReusableDelegationSet资源:
* - DeleteReusableDelegationSet
-
所需权限(API 操作):
route53:DeleteReusableDelegationSet资源:
* - GetReusableDelegationSet
-
所需权限(API 操作):
route53:GetReusableDelegationSet资源:
* - ListReusableDelegationSets
-
所需权限(API 操作):
route53:ListReusableDelegationSets资源:
*
对记录执行操作所需的权限
- ChangeResourceRecordSets
-
所需权限(API 操作):
route53:ChangeResourceRecordSets资源:
arn:aws:route53:::hostedzone/hosted zone ID - GetChange
-
所需权限(API 操作):
route53:GetChange资源:
* - GetGeoLocation
-
所需权限 (API 操作):无
资源:无
Route 53 不会对此 API 执行授权,因为它会检索已向公众提供的信息。
- ListGeoLocations
-
所需权限 (API 操作):无
资源:无
Route 53 不会对此 API 执行授权,因为它会检索已向公众提供的信息。
- ListResourceRecordSets
-
所需权限(API 操作):
route53:ListResourceRecordSets资源:
arn:aws:route53:::hostedzone/hosted zone ID
对流量策略执行操作所需的权限
- CreateTrafficPolicy
-
所需权限(API 操作):
route53:CreateTrafficPolicy资源:
* - CreateTrafficPolicyVersion
-
所需权限(API 操作):
route53:CreateTrafficPolicyVersion资源:
* - DeleteTrafficPolicy
-
所需权限(API 操作):
route53:DeleteTrafficPolicy资源:
* - GetTrafficPolicy
-
所需权限(API 操作):
route53:GetTrafficPolicy资源:
* - ListTrafficPolicies
-
所需权限(API 操作):
route53:ListTrafficPolicies资源:
* - ListTrafficPolicyVersions
-
所需权限(API 操作):
route53:ListTrafficPolicyVersions资源:
* - UpdateTrafficPolicyComment
-
所需权限(API 操作):
route53:UpdateTrafficPolicyComment资源:
*
对流量策略实例执行操作所需的权限
- CreateTrafficPolicyInstance
-
所需权限(API 操作):
route53:CreateTrafficPolicyInstance资源:
* - DeleteTrafficPolicyInstance
-
所需权限(API 操作):
route53:DeleteTrafficPolicyInstance资源:
* - GetTrafficPolicyInstance
-
所需权限(API 操作):
route53:GetTrafficPolicyInstance资源:
* - GetTrafficPolicyInstanceCount
-
所需权限(API 操作):
route53:GetTrafficPolicyInstanceCount资源:
* - ListTrafficPolicyInstances
-
所需权限(API 操作):
route53:ListTrafficPolicyInstances资源:
* - ListTrafficPolicyInstancesByHostedZone
-
所需权限(API 操作):
route53:ListTrafficPolicyInstancesByHostedZone资源:
* - ListTrafficPolicyInstancesByPolicy
-
所需权限(API 操作):
route53:ListTrafficPolicyInstancesByPolicy资源:
* - UpdateTrafficPolicyInstance
-
所需权限(API 操作):
route53:UpdateTrafficPolicyInstance资源:
*
对运行状况检查执行操作所需的权限
- CreateHealthCheck
-
所需权限(API 操作):
route53:CreateHealthCheck资源:
* - DeleteHealthCheck
-
所需权限(API 操作):
route53:DeleteHealthCheck资源:
*、arn:aws:route53:::healthcheck/health check ID - GetCheckerIpRanges
-
所需权限 (API 操作):无
资源:
*Route 53 不会对此 API 执行授权,因为它会检索已向公众提供的信息。
- GetHealthCheck
-
所需权限(API 操作):
route53:GetHealthCheck资源:
*、arn:aws:route53:::healthcheck/health check ID - GetHealthCheckCount
-
所需权限(API 操作):
route53:GetHealthCheckCount资源:
* - GetHealthCheckLastFailureReason
-
所需权限(API 操作):
route53:GetHealthCheckLastFailureReason资源:
*、arn:aws:route53:::healthcheck/health check ID - GetHealthCheckStatus
-
所需权限(API 操作):
route53:GetHealthCheckStatus资源:
*、arn:aws:route53:::healthcheck/health check ID - ListHealthChecks
-
所需权限(API 操作):
route53:ListHealthChecks资源:
* - UpdateHealthCheck
-
所需权限(API 操作):
route53:UpdateHealthCheck资源:
*、arn:aws:route53:::healthcheck/health check ID
对域注册执行操作所需的权限
- AcceptDomainTransferFromAnotherAwsAccount
-
所需权限(API 操作):
route53domains:AcceptDomainTransferFromAnotherAwsAccount资源:
* - AddDnssec (仅限于控制台)
-
所需权限(API 操作):
route53domains:AddDnssec资源:
* - CancelDomainTransferToAnotherAwsAccount
-
所需权限(API 操作):
route53domains:CancelDomainTransferToAnotherAwsAccount资源:
* - CheckDomainAvailability
-
所需权限(API 操作):
route53domains:CheckDomainAvailability资源:
* - DeleteDomain (仅限于控制台)
-
所需权限(API 操作):
route53domains:DeleteDomain资源:
* - DisableDomainAutoRenew
-
所需权限(API 操作):
route53domains:ChangeAutoRenew资源:
* - DisableDomainTransferLock
-
所需权限(API 操作):
route53domains:DisableDomainTransferLock资源:
* - EnableDomainAutoRenew
-
所需权限(API 操作):
route53domains:ChangeAutoRenew资源:
* - EnableDomainTransferLock
-
所需权限(API 操作):
route53domains:EnableDomainTransferLock资源:
* - GetContactReachabilityStatus
-
所需权限(API 操作):
route53domains:ListDomains资源:
* - GetDomainDetail
-
所需权限(API 操作):
route53domains:GetDomainDetail资源:
* - GetDomainSuggestions
-
所需权限(API 操作):
route53domains:ListDomains资源:
* - GetOperationDetail
-
所需权限(API 操作):
route53domains:GetOperationDetail资源:
* - ListDnssec (仅限于控制台)
-
所需权限(API 操作):
route53domains:ListDnssec资源:
* - ListDomains
-
所需权限(API 操作):
route53domains:ListDomains资源:
* - ListOperations
-
所需权限(API 操作):
route53domains:ListOperations资源:
* - RegisterDomain
-
所需权限(API 操作):
route53domains:RegisterDomain资源:
* - RejectDomainTransferFromAnotherAwsAccount
-
所需权限(API 操作):
route53domains:RejectDomainTransferFromAnotherAwsAccount资源:
* - RemoveDnssec (仅限于控制台)
-
所需权限(API 操作):
route53domains:RemoveDnssec资源:
* - RenewDomain
-
所需权限(API 操作):
route53domains:RegisterDomain资源:
* - ResendContactReachabilityEmail
-
所需权限(API 操作):
route53domains:ListDomains资源:
* - RetrieveDomainAuthCode
-
所需权限(API 操作):
route53domains:RetrieveDomainAuthCode资源:
* - TransferDomain
-
所需权限(API 操作):
route53domains:TransferDomain资源:
* - TransferDomainToAnotherAwsAccount
-
所需权限(API 操作):
route53domains:TransferDomainToAnotherAwsAccount资源:
* - UpdateDomainContact
-
所需权限(API 操作):
route53domains:UpdateDomainContact资源:
* - UpdateDomainContactPrivacy
-
所需权限(API 操作):
route53domains:UpdateDomainContactPrivacy资源:
* - UpdateDomainNameservers
-
所需权限(API 操作):
route53domains:UpdateDomainNameservers资源:
* - ViewBilling
-
所需权限(API 操作):
route53domains:ViewBilling资源:
*
Route 53 Resolver 操作所需的权限
- AssociateResolverEndpointIpAddress
-
所需权限(API 操作):
route53resolver:AssociateResolverEndpointIpAddress、ec2:CreateNetworkInterfacePermission、ec2:DescribeAvailabilityZones、ec2:DescribeNetworkInterfaces、ec2:DescribeSubnets资源:
* - AssociateResolverQueryLogConfig
-
所需权限(API 操作):
route53resolver:AssociateResolverQueryLogConfig、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries、logs:PutResourcePolicy、logs:UpdateLogDelivery资源:
* - AssociateResolverRule
-
所需权限 (API 操作):
route53resolver:AssociateResolverRule、ec2:DescribeVpcs资源:
* - CreateResolverEndpoint
-
所需权限 (API 操作):
route53resolver:CreateResolverEndpoint、ec2:DescribeSubnets、ec2:CreateNetworkInterface、ec2:DescribeNetworkInterfaces、ec2:CreateNetworkInterfacePermission、ec2:DescribeSecurityGroups另请参阅 示例 4:允许创建入站和出站 Route 53 Resolver 终端节点。
资源:
* - CreateResolverQueryLogConfig
-
所需权限(API 操作):
route53resolver:CreateResolverQueryLogConfig、ec2:DescribeVpcs、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:CreateLogDelivery、logs:DeleteLogDeliverylogs:GetLogDelivery、logs:ListLogDeliveries、logs:UpdateLogDelivery、iam:CreateServiceLinkedRole资源:
* - CreateResolverRule
-
所需权限(API 操作):
route53resolver:CreateResolverRule资源:
* - DeleteResolverEndpoint
-
所需权限 (API 操作):
route53resolver:DeleteResolverEndpoint、ec2:DeleteNetworkInterface、ec2:DescribeNetworkInterface资源:
* - DeleteResolverQueryLogConfig
-
所需权限(API 操作):
route53resolver:DeleteResolverQueryLogConfig、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:DeleteLogDeliverylogs:GetLogDelivery、logs:ListLogDeliveries、logs:UpdateLogDelivery资源:
* - DeleteResolverRule
-
所需权限(API 操作):
route53resolver:DeleteResolverRule资源:
* - DisassociateResolverEndpointIpAddress
-
所需权限 (API 操作):
route53resolver:DisassociateResolverEndpointIpAddress、ec2:DeleteNetworkInterface资源:
* - DisassociateResolverQueryLogConfig
-
所需权限(API 操作):
route53resolver:DisassociateResolverQueryLogConfig、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries、logs:PutResourcePolicy、logs:UpdateLogDelivery资源:
* - DisassociateResolverRule
-
所需权限(API 操作):
route53resolver:DisassociateResolverRule资源:
* - GetResolverEndpoint
-
所需权限(API 操作):
route53resolver:GetResolverEndpoint资源:
* - GetResolverQueryLogConfig
-
所需权限(API 操作):
route53resolver:GetResolverQueryLogConfig、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries资源:
* - GetResolverQueryLogConfigAssociation
-
所需权限(API 操作):
route53resolver:GetResolverQueryLogConfigAssociation、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries资源:
* - GetResolverQueryLogConfigPolicy
-
所需权限(API 操作):
route53resolver:GetResolverQueryLogConfigPolicy、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries资源:
* - GetResolverRule
-
所需权限(API 操作):
route53resolver:GetResolverRule资源:
* - GetResolverRuleAssociation
-
所需权限 (API 操作):
route53resolver:GetResolverRuleAssociation、ec2:DescribeVpcs资源:
* - GetResolverRulePolicy
-
所需权限(API 操作):
route53resolver:GetResolverRulePolicy资源:
* - ListResolverEndpointIpAddresses
-
所需权限(API 操作):
route53resolver:ListResolverEndpointIpAddresses资源:
* - ListResolverEndpoints
-
所需权限(API 操作):
route53resolver:ListResolverEndpoints资源:
* - ListResolverQueryLogConfigAssociations
-
所需权限(API 操作):
route53resolver:ListResolverQueryLogConfigAssociations、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries资源:
* - ListResolverQueryLogConfigs
-
所需权限(API 操作):
route53resolver:ListResolverQueryLogConfigs、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries资源:
* - ListResolverRuleAssociations
-
所需权限 (API 操作):
route53resolver:ListResolverRuleAssociations、ec2:DescribeVpcs资源:
* - ListResolverRules
-
所需权限(API 操作):
route53resolver:ListResolverRules资源:
* - ListTagsForResource
-
所需权限(API 操作):
route53resolver:ListTagsForResource资源:
arn:aws:route53resolver:::resolver-endpoint/*、arn:aws:route53resolver:::resolver-rule/ - PutResolverQueryLogConfigPolicy
-
所需权限(API 操作):
route53resolver:PutResolverQueryLogConfigPolicy、logs:DescribeResourcePolicies、logs:DescribeLogGroups、logs:GetLogDelivery、logs:ListLogDeliveries、logs:PutResourcePolicy、logs:UpdateLogDelivery资源:
* - PutResolverRulePolicy
-
所需权限(API 操作):
route53resolver:PutResolverRulePolicy资源:
* - TagResource
-
所需权限(API 操作):
route53resolver:TagResource资源:
arn:aws:route53resolver:::resolver-endpoint/*、arn:aws:route53resolver:::resolver-rule/* - UntagResource
-
所需权限(API 操作):
route53resolver:UntagResource资源:
arn:aws:route53resolver:::resolver-endpoint/*、arn:aws:route53resolver:::resolver-rule/* - UpdateResolverEndpoint
-
所需权限(API 操作):
route53resolver:UpdateResolverEndpoint资源:
* - UpdateResolverRule
-
所需权限(API 操作):
route53resolver:UpdateResolverRule资源:
*
Route 53 Resolver DNS 防火墙操作所需的权限
- AssociateFirewallRuleGroup
-
所需权限 (API 操作):
route53resolver:AssociateFirewallRuleGroup、ec2:DescribeVpcs可选的权限:
route53resolver:TagResource(如果您提供标记参数,则为必需)资源:
* - CreateFirewallDomainList
-
所需权限(API 操作):
route53resolver:CreateFirewallDomainList可选的权限:
route53resolver:TagResource(如果您提供标记参数,则为必需)资源:
* - CreateFirewallRule
-
所需权限(API 操作):
route53resolver:CreateFirewallRule资源:
* - CreateFirewallRuleGroup
-
所需权限(API 操作):
route53resolver:CreateFirewallRuleGroup可选的权限:
route53resolver:TagResource(如果您提供标记参数,则为必需)资源:
* - DeleteFirewallDomainList
-
所需权限(API 操作):
route53resolver:DeleteFirewallDomainList资源:
* - DeleteFirewallRule
-
所需权限(API 操作):
route53resolver:DeleteFirewallRule资源:
* - DeleteFirewallRuleGroup
-
所需权限(API 操作):
route53resolver:DeleteFirewallRuleGroup资源:
* - DisassociateFirewallRuleGroup
-
所需权限(API 操作):
route53resolver:DisassociateFirewallRuleGroup资源:
* - GetFirewallConfig
-
所需的权限(API 操作):
route53resolver:GetFirewallConfigec2:DescribeVpcs资源:
* - GetFirewallDomainList
-
所需权限(API 操作):
route53resolver:GetFirewallDomainList资源:
* - GetFirewallRuleGroup
-
所需权限(API 操作):
route53resolver:GetFirewallRuleGroup资源:
* - GetFirewallRuleGroupAssociation
-
所需权限(API 操作):
route53resolver:GetFirewallRuleGroupAssociation资源:
* - GetFirewallRuleGroupPolicy
-
所需权限(API 操作):
route53resolver:GetFirewallRuleGroupPolicy资源:
* - ImportFirewallDomains
-
所需权限(API 操作):
route53resolver:ImportFirewallRuleDomains资源:
* - ListFirewallConfigs
-
所需的权限(API 操作):
route53resolver:ListFirewallConfigsec2:DescribeVpcs资源:
* - ListFirewallDomainLists
-
所需权限(API 操作):
route53resolver:ListFirewallDomainLists资源:
* - ListFirewallDomains
-
所需权限(API 操作):
route53resolver:ListFirewallDomains资源:
* - ListFirewallRuleGroupAssociations
-
所需权限(API 操作):
route53resolver:ListFirewallRuleGroupAssociations资源:
* - ListFirewallRuleGroups
-
所需权限(API 操作):
route53resolver:ListFirewallRuleGroups资源:
* - ListFirewallRules
-
所需权限(API 操作):
route53resolver:ListFirewallRules资源:
* - PutFirewallRuleGroupPolicy
-
所需权限(API 操作):
route53resolver:PutFirewallRuleGroupPolicy资源:
* - UpdateFirewallConfig
-
所需的权限(API 操作):
route53resolver:UpdateFirewallConfigec2:DescribeVpcs资源:
* - UpdateFirewallDomains
-
所需权限(API 操作):
route53resolver:UpdateFirewallDomains资源:
* - UpdateFirewallRule
-
所需权限(API 操作):
route53resolver:UpdateFirewallRule资源:
* - UpdateFirewallRuleGroupAssociation
-
所需权限(API 操作):
route53resolver:UpdateFirewallRuleGroupAssociation资源:
*
执行获取账户、托管区域和可重用委托集的限制的操作所需的权限
- GetAccountLimit
-
所需权限(API 操作):
route53:GetAccountLimit资源:
* - GetHostedZoneLimit
-
所需权限(API 操作):
route53:GetHostedZoneLimit资源:
* - GetReusableDelegationSetLimit
-
所需权限(API 操作):
route53:GetReusableDelegationSetLimit资源:
*
对托管区域和运行状况检查标签执行操作所需的权限
- ChangeTagsForResource
-
所需权限(API 操作):
route53:ChangeTagsForResource资源:
-
arn:aws:route53:::healthcheck/* -
arn:aws:route53:::hostedzone/*
-
- ListTagsForResource
-
所需权限(API 操作):
route53:ListTagsForResource资源:
-
arn:aws:route53:::healthcheck/* -
arn:aws:route53:::hostedzone/*
-
- ListTagsForResources
-
所需权限(API 操作):
route53:ListTagsForResources资源:
-
arn:aws:route53:::healthcheck/* -
arn:aws:route53:::hostedzone/*
-
对域标签执行操作所需的权限
- DeleteTagsForDomain
-
所需权限(API 操作):
route53domains:DeleteTagsForDomain资源:
* - ListTagsForDomain
-
所需权限(API 操作):
route53domains:ListTagsForDomain资源:
* - UpdateTagsForDomain
-
所需权限(API 操作):
route53domains:UpdateTagsForDomain资源:
*
DNSSEC 操作所需的权限
- GetDNSSEC
-
所需权限(API 操作):
route53domains:DeleteTagsForDomain资源:
* - CreateKeySigningKey
-
所需权限(API 操作):
route53:CreateKeySigningKey、kms:DescribeKey、kms:GetPublicKey、kms:Sign资源:
* - DeleteKeySigningKey
-
所需权限(API 操作):
route53:DeleteKeySigningKey、kms:DescribeKey、kms:GetPublicKey、kms:Sign资源:
* - ActivateKeySigningKey
-
所需权限(API 操作):
route53:ActivateKeySigningKey、kms:DescribeKey、kms:GetPublicKey、kms:Sign资源:
* - DeactivateKeySigningKey
-
所需权限(API 操作):
route53:DeactivateKeySigningKey、kms:DescribeKey、kms:GetPublicKey、kms:Sign资源:
* - EnableHostedZoneDNSSEC
-
所需权限(API 操作):
route53:EnableHostedZoneDNSSEC、kms:DescribeKey、kms:GetPublicKey、kms:Sign资源:
* - DisableHostedZoneDNSSEC
-
所需权限(API 操作):
route53:DisableHostedZoneDNSSEC、kms:DescribeKey、kms:GetPublicKey、kms:Sign资源:
*