Amazon Route 53 API permissions: actions, resources, and conditions reference

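When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following lists as a reference. The lists include each Amazon Route 53 API action, the actions that you must grant access to, and the Amazon resources that you must grant access to. You specify the actions in the Action field of the policy, and you specify the resource value in the Resource field of the policy.

You can use Amazon-wide condition keys in your Route 53 policies to express conditions. For a complete list of Amazon-wide keys, see Available keys in the IAM User Guide.

Note

When you grant access, the hosted zone and the Amazon VPC must belong to the same partition. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.

The following are the supported partitions:

  • aws - Amazon Web Services Regions

  • aws-cn - China Regions

  • aws-us-gov - Amazon GovCloud (US) Region

For more information, see Access Management in the Amazon General Reference.

Note

To specify an action, put the applicable prefix (route53, route53domains, or route53resolver) before the API action name, for example: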

  • route53:CreateHostedZone

  • route53domains:RegisterDomain

  • route53resolver:CreateResolverEndpoint
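An added example, not part of the AWS documentation: a small Python linter that checks the Action/Resource pairing described above against a few entries from the lists on this page, and also flags statements whose ARNs mix partitions. The `PAGE` table, the finding names and the sample policy are assumptions made for this illustration.

```python
from fnmatch import fnmatchcase

# Transcribed from a few entries on this page: the ARN fragment the page lists
# for the action, or None where the page lists only "*" as the resource.
PAGE = {
    "route53:ChangeResourceRecordSets": "route53:::hostedzone/",
    "route53:ListResourceRecordSets": "route53:::hostedzone/",
    "route53:CreateHostedZone": None,
    "route53:GetChange": None,
}
PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}  # partitions named on this page

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def lint(policy):
    """Return (statement index, finding, detail) for each Allow statement issue."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        arns = [r for r in resources if r.startswith("arn:")]
        parts = {r.split(":")[1] for r in arns}
        if len(parts) > 1 or parts - PARTITIONS:
            findings.append((i, "partition", ",".join(sorted(parts))))
        for pattern in _as_list(st.get("Action", [])):
            for action, scope in PAGE.items():
                # IAM action names are case-insensitive and allow * and ? wildcards.
                if not fnmatchcase(action.lower(), pattern.lower()):
                    continue
                if scope is None and "*" not in resources:
                    findings.append((i, "needs-star", action))
                elif scope and "*" in resources:
                    findings.append((i, "can-scope", action))
                elif scope and not any(scope in r for r in arns):
                    findings.append((i, "wrong-arn", action))
    return findings

# Constructed sample policy; the hosted zone IDs are placeholders.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE",
     "Action": ["route53:ChangeResourceRecordSets", "route53:GetChange"]},
    {"Effect": "Allow", "Action": "route53:*ResourceRecordSets", "Resource": "*"},
    {"Effect": "Allow", "Action": "route53:ListResourceRecordSets", "Resource": [
        "arn:aws:route53:::hostedzone/Z0EXAMPLE", "arn:aws-cn:route53:::hostedzone/Z1EXAMPLE"]},
]}
if __name__ == "__main__":
    print(lint(SAMPLE))
```

Moving route53:GetChange into its own statement with Resource `*` clears the first finding while the record-set action stays scoped to one hosted zone.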

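Required permissions for actions on public hosted zones

CreateHostedZone

Required permissions (API action): route53:CreateHostedZone

Resources: *

DeleteHostedZone

Required permissions (API action): route53:DeleteHostedZone

Resources: *

GetHostedZone

Required permissions (API action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required permissions (API action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required permissions (API action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required permissions (API action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required permissions (API action): route53:UpdateHostedZoneComment

Resources: *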

Required permissions for actions on private hosted zones

CreateHostedZone

Required permissions (API action): route53:CreateHostedZone, ec2:DescribeVpcs, ec2:DescribeRegions

Resources: *, arn:aws:ec2::optional account id:*

DeleteHostedZone

Required permissions (API action): route53:DeleteHostedZone

Resources: *

AssociateVPCWithHostedZone

Required permissions (API action): route53:AssociateVPCWithHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

CreateVPCAssociationAuthorization

Required permissions (API action): route53:CreateVPCAssociationAuthorization

Resources: *

DeleteVPCAssociationAuthorization

Required permissions (API action): route53:DeleteVPCAssociationAuthorization

Resources: *

DisassociateVPCFromHostedZone

Required permissions (API action): route53:DisassociateVPCFromHostedZone, ec2:DescribeVpcs

Resources: *, arn:aws:ec2::optional account id:*

GetHostedZone

Required permissions (API action): route53:GetHostedZone

Resources: *

GetHostedZoneCount

Required permissions (API action): route53:GetHostedZoneCount

Resources: *

ListHostedZones

Required permissions (API action): route53:ListHostedZones

Resources: *

ListHostedZonesByName

Required permissions (API action): route53:ListHostedZonesByName

Resources: *

UpdateHostedZoneComment

Required permissions (API action): route53:UpdateHostedZoneComment

Resources: *

Required permissions for actions on reusable delegation sets

CreateReusableDelegationSet

Required permissions (API action): route53:CreateReusableDelegationSet

Resources: *

DeleteReusableDelegationSet

Required permissions (API action): route53:DeleteReusableDelegationSet

Resources: *

GetReusableDelegationSet

Required permissions (API action): route53:GetReusableDelegationSet

Resources: *

ListReusableDelegationSets

Required permissions (API action): route53:ListReusableDelegationSets

Resources: *

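Required permissions for actions on records

ChangeResourceRecordSets

Required permissions (API action): route53:ChangeResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID

GetChange

Required permissions (API action): route53:GetChange

Resources: *

GetGeoLocation

Required permissions (API action): None

Resources: None

Route 53 doesn't perform authorization for this API because it retrieves information that is already available to the public.

ListGeoLocations

Required permissions (API action): None

Resources: None

Route 53 doesn't perform authorization for this API because it retrieves information that is already available to the public.

ListResourceRecordSets

Required permissions (API action): route53:ListResourceRecordSets

Resources: arn:aws:route53:::hostedzone/hosted zone ID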

Required permissions for actions on traffic policies

CreateTrafficPolicy

Required permissions (API action): route53:CreateTrafficPolicy

Resources: *

CreateTrafficPolicyVersion

Required permissions (API action): route53:CreateTrafficPolicyVersion

Resources: *

DeleteTrafficPolicy

Required permissions (API action): route53:DeleteTrafficPolicy

Resources: *

GetTrafficPolicy

Required permissions (API action): route53:GetTrafficPolicy

Resources: *

ListTrafficPolicies

Required permissions (API action): route53:ListTrafficPolicies

Resources: *

ListTrafficPolicyVersions

Required permissions (API action): route53:ListTrafficPolicyVersions

Resources: *

UpdateTrafficPolicyComment

Required permissions (API action): route53:UpdateTrafficPolicyComment

Resources: *

Required permissions for actions on traffic policy instances

CreateTrafficPolicyInstance

Required permissions (API action): route53:CreateTrafficPolicyInstance

Resources: *

DeleteTrafficPolicyInstance

Required permissions (API action): route53:DeleteTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstance

Required permissions (API action): route53:GetTrafficPolicyInstance

Resources: *

GetTrafficPolicyInstanceCount

Required permissions (API action): route53:GetTrafficPolicyInstanceCount

Resources: *

ListTrafficPolicyInstances

Required permissions (API action): route53:ListTrafficPolicyInstances

Resources: *

ListTrafficPolicyInstancesByHostedZone

Required permissions (API action): route53:ListTrafficPolicyInstancesByHostedZone

Resources: *

ListTrafficPolicyInstancesByPolicy

Required permissions (API action): route53:ListTrafficPolicyInstancesByPolicy

Resources: *

UpdateTrafficPolicyInstance

Required permissions (API action): route53:UpdateTrafficPolicyInstance

Resources: *

Required permissions for actions on health checks

CreateHealthCheck

Required permissions (API action): route53:CreateHealthCheck

Resources: *

DeleteHealthCheck

Required permissions (API action): route53:DeleteHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetCheckerIpRanges

Required permissions (API action): None

Resources: *

Route 53 doesn't perform authorization for this API because it retrieves information that is already available to the public.

GetHealthCheck

Required permissions (API action): route53:GetHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetHealthCheckCount

Required permissions (API action): route53:GetHealthCheckCount

Resources: *

GetHealthCheckLastFailureReason

Required permissions (API action): route53:GetHealthCheckLastFailureReason

Resources: *, arn:aws:route53:::healthcheck/health check ID

GetHealthCheckStatus

Required permissions (API action): route53:GetHealthCheckStatus

Resources: *, arn:aws:route53:::healthcheck/health check ID

ListHealthChecks

Required permissions (API action): route53:ListHealthChecks

Resources: *

UpdateHealthCheck

Required permissions (API action): route53:UpdateHealthCheck

Resources: *, arn:aws:route53:::healthcheck/health check ID

Required permissions for actions on domain registrations

AcceptDomainTransferFromAnotherAwsAccount

Required permissions (API action): route53domains:AcceptDomainTransferFromAnotherAwsAccount

Resources: *

AddDnssec (console only)

Required permissions (API action): route53domains:AddDnssec

Resources: *

CancelDomainTransferToAnotherAwsAccount

Required permissions (API action): route53domains:CancelDomainTransferToAnotherAwsAccount

Resources: *

CheckDomainAvailability

Required permissions (API action): route53domains:CheckDomainAvailability

Resources: *

DeleteDomain (console only)

Required permissions (API action): route53domains:DeleteDomain

Resources: *

DisableDomainAutoRenew

Required permissions (API action): route53domains:ChangeAutoRenew

Resources: *

DisableDomainTransferLock

Required permissions (API action): route53domains:DisableDomainTransferLock

Resources: *

EnableDomainAutoRenew

Required permissions (API action): route53domains:ChangeAutoRenew

Resources: *

EnableDomainTransferLock

Required permissions (API action): route53domains:EnableDomainTransferLock

Resources: *

GetContactReachabilityStatus

Required permissions (API action): route53domains:ListDomains

Resources: *

GetDomainDetail

Required permissions (API action): route53domains:GetDomainDetail

Resources: *

GetDomainSuggestions

Required permissions (API action): route53domains:ListDomains

Resources: *

GetOperationDetail

Required permissions (API action): route53domains:GetOperationDetail

Resources: *

ListDnssec (console only)

Required permissions (API action): route53domains:ListDnssec

Resources: *

ListDomains

Required permissions (API action): route53domains:ListDomains

Resources: *

ListOperations

Required permissions (API action): route53domains:ListOperations

Resources: *

RegisterDomain

Required permissions (API action): route53domains:RegisterDomain

Resources: *

RejectDomainTransferFromAnotherAwsAccount

Required permissions (API action): route53domains:RejectDomainTransferFromAnotherAwsAccount

Resources: *

RemoveDnssec (console only)

Required permissions (API action): route53domains:RemoveDnssec

Resources: *

RenewDomain

Required permissions (API action): route53domains:RegisterDomain

Resources: *

ResendContactReachabilityEmail

Required permissions (API action): route53domains:ListDomains

Resources: *

RetrieveDomainAuthCode

Required permissions (API action): route53domains:RetrieveDomainAuthCode

Resources: *

TransferDomain

Required permissions (API action): route53domains:TransferDomain

Resources: *

TransferDomainToAnotherAwsAccount

Required permissions (API action): route53domains:TransferDomainToAnotherAwsAccount

Resources: *

UpdateDomainContact

Required permissions (API action): route53domains:UpdateDomainContact

Resources: *

UpdateDomainContactPrivacy

Required permissions (API action): route53domains:UpdateDomainContactPrivacy

Resources: *

UpdateDomainNameservers

Required permissions (API action): route53domains:UpdateDomainNameservers

Resources: *

ViewBilling

Required permissions (API action): route53domains:ViewBilling

Resources: *

Required permissions for Route 53 Resolver actions

AssociateResolverEndpointIpAddress

Required permissions (API action): route53resolver:AssociateResolverEndpointIpAddress, ec2:CreateNetworkInterfacePermission, ec2:DescribeAvailabilityZones, ec2:DescribeNetworkInterfaces, ec2:DescribeSubnets

Resources: *

AssociateResolverQueryLogConfig

Required permissions (API action): route53resolver:AssociateResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery

Resources: *

AssociateResolverRule

Required permissions (API action): route53resolver:AssociateResolverRule, ec2:DescribeVpcs

Resources: *

CreateResolverEndpoint

Required permissions (API action): route53resolver:CreateResolverEndpoint, ec2:DescribeSubnets, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterfacePermission, ec2:DescribeSecurityGroups

See also Example 4: Allow creation of inbound and outbound Route 53 Resolver endpoints

Resources: *

CreateResolverQueryLogConfig

Required permissions (API action): route53resolver:CreateResolverQueryLogConfig, ec2:DescribeVpcs, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:CreateLogDelivery, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, logs:UpdateLogDelivery, iam:CreateServiceLinkedRole

Resources: *

CreateResolverRule

Required permissions (API action): route53resolver:CreateResolverRule

Resources: *

DeleteResolverEndpoint

Required permissions (API action): route53resolver:DeleteResolverEndpoint, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterface

Resources: *

DeleteResolverQueryLogConfig

Required permissions (API action): route53resolver:DeleteResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, logs:UpdateLogDelivery

Resources: *

DeleteResolverRule

Required permissions (API action): route53resolver:DeleteResolverRule

Resources: *

DisassociateResolverEndpointIpAddress

Required permissions (API action): route53resolver:DisassociateResolverEndpointIpAddress, ec2:DeleteNetworkInterface

Resources: *

DisassociateResolverQueryLogConfig

Required permissions (API action): route53resolver:DisassociateResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery

Resources: *

DisassociateResolverRule

Required permissions (API action): route53resolver:DisassociateResolverRule

Resources: *

GetResolverEndpoint

Required permissions (API action): route53resolver:GetResolverEndpoint

Resources: *

GetResolverQueryLogConfig

Required permissions (API action): route53resolver:GetResolverQueryLogConfig, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

GetResolverQueryLogConfigAssociation

Required permissions (API action): route53resolver:GetResolverQueryLogConfigAssociation, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

GetResolverQueryLogConfigPolicy

Required permissions (API action): route53resolver:GetResolverQueryLogConfigPolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

GetResolverRule

Required permissions (API action): route53resolver:GetResolverRule

Resources: *

GetResolverRuleAssociation

Required permissions (API action): route53resolver:GetResolverRuleAssociation, ec2:DescribeVpcs

Resources: *

GetResolverRulePolicy

Required permissions (API action): route53resolver:GetResolverRulePolicy

Resources: *

ListResolverEndpointIpAddresses

Required permissions (API action): route53resolver:ListResolverEndpointIpAddresses

Resources: *

ListResolverEndpoints

Required permissions (API action): route53resolver:ListResolverEndpoints

Resources: *

ListResolverQueryLogConfigAssociations

Required permissions (API action): route53resolver:ListResolverQueryLogConfigAssociations, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

ListResolverQueryLogConfigs

Required permissions (API action): route53resolver:ListResolverQueryLogConfigs, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries

Resources: *

ListResolverRuleAssociations

Required permissions (API action): route53resolver:ListResolverRuleAssociations, ec2:DescribeVpcs

Resources: *

ListResolverRules

Required permissions (API action): route53resolver:ListResolverRules

Resources: *

ListTagsForResource

Required permissions (API action): route53resolver:ListTagsForResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/

PutResolverQueryLogConfigPolicy

Required permissions (API action): route53resolver:PutResolverQueryLogConfigPolicy, logs:DescribeResourcePolicies, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries, logs:PutResourcePolicy, logs:UpdateLogDelivery

Resources: *

PutResolverRulePolicy

Required permissions (API action): route53resolver:PutResolverRulePolicy

Resources: *

TagResource

Required permissions (API action): route53resolver:TagResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*

UntagResource

Required permissions (API action): route53resolver:UntagResource

Resources: arn:aws:route53resolver:::resolver-endpoint/*, arn:aws:route53resolver:::resolver-rule/*

UpdateResolverEndpoint

Required permissions (API action): route53resolver:UpdateResolverEndpoint

Resources: *

UpdateResolverRule

Required permissions (API action): route53resolver:UpdateResolverRule

Resources: *

Required permissions for Route 53 Resolver DNS Firewall actions

AssociateFirewallRuleGroup

Required permissions (API action): route53resolver:AssociateFirewallRuleGroup, ec2:DescribeVpcs

Optional permissions: route53resolver:TagResource (required if you provide the tags parameter)

Resources: *

CreateFirewallDomainList

Required permissions (API action): route53resolver:CreateFirewallDomainList

Optional permissions: route53resolver:TagResource (required if you provide the tags parameter)

Resources: *

CreateFirewallRule

Required permissions (API action): route53resolver:CreateFirewallRule

Resources: *

CreateFirewallRuleGroup

Required permissions (API action): route53resolver:CreateFirewallRuleGroup

Optional permissions: route53resolver:TagResource (required if you provide the tags parameter)

Resources: *

DeleteFirewallDomainList

Required permissions (API action): route53resolver:DeleteFirewallDomainList

Resources: *

DeleteFirewallRule

Required permissions (API action): route53resolver:DeleteFirewallRule

Resources: *

DeleteFirewallRuleGroup

Required permissions (API action): route53resolver:DeleteFirewallRuleGroup

Resources: *

DisassociateFirewallRuleGroup

Required permissions (API action): route53resolver:DisassociateFirewallRuleGroup

Resources: *

GetFirewallConfig

Required permissions (API action): route53resolver:GetFirewallConfig, ec2:DescribeVpcs

Resources: *

GetFirewallDomainList

Required permissions (API action): route53resolver:GetFirewallDomainList

Resources: *

GetFirewallRuleGroup

Required permissions (API action): route53resolver:GetFirewallRuleGroup

Resources: *

GetFirewallRuleGroupAssociation

Required permissions (API action): route53resolver:GetFirewallRuleGroupAssociation

Resources: *

GetFirewallRuleGroupPolicy

Required permissions (API action): route53resolver:GetFirewallRuleGroupPolicy

Resources: *

ImportFirewallDomains

Required permissions (API action): route53resolver:ImportFirewallRuleDomains

Resources: *

ListFirewallConfigs

Required permissions (API action): route53resolver:ListFirewallConfigs, ec2:DescribeVpcs

Resources: *

ListFirewallDomainLists

Required permissions (API action): route53resolver:ListFirewallDomainLists

Resources: *

ListFirewallDomains

Required permissions (API action): route53resolver:ListFirewallDomains

Resources: *

ListFirewallRuleGroupAssociations

Required permissions (API action): route53resolver:ListFirewallRuleGroupAssociations

Resources: *

ListFirewallRuleGroups

Required permissions (API action): route53resolver:ListFirewallRuleGroups

Resources: *

ListFirewallRules

Required permissions (API action): route53resolver:ListFirewallRules

Resources: *

PutFirewallRuleGroupPolicy

Required permissions (API action): route53resolver:PutFirewallRuleGroupPolicy

Resources: *

UpdateFirewallConfig

Required permissions (API action): route53resolver:UpdateFirewallConfig, ec2:DescribeVpcs

Resources: *

UpdateFirewallDomains

Required permissions (API action): route53resolver:UpdateFirewallDomains

Resources: *

UpdateFirewallRule

Required permissions (API action): route53resolver:UpdateFirewallRule

Resources: *

UpdateFirewallRuleGroupAssociation

Required permissions (API action): route53resolver:UpdateFirewallRuleGroupAssociation

Resources: *

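Required permissions for actions that get limits for accounts, hosted zones, and reusable delegation sets

GetAccountLimit

Required permissions (API action): route53:GetAccountLimit

Resources: *

GetHostedZoneLimit

Required permissions (API action): route53:GetHostedZoneLimit

Resources: *

GetReusableDelegationSetLimit

Required permissions (API action): route53:GetReusableDelegationSetLimit

Resources: *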

Required permissions for actions on tags for hosted zones and health checks

ChangeTagsForResource

Required permissions (API action): route53:ChangeTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResource

Required permissions (API action): route53:ListTagsForResource

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

ListTagsForResources

Required permissions (API action): route53:ListTagsForResources

Resources:

  • arn:aws:route53:::healthcheck/*

  • arn:aws:route53:::hostedzone/*

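Required permissions for actions on tags for domains

DeleteTagsForDomain

Required permissions (API action): route53domains:DeleteTagsForDomain

Resources: *

ListTagsForDomain

Required permissions (API action): route53domains:ListTagsForDomain

Resources: *

UpdateTagsForDomain

Required permissions (API action): route53domains:UpdateTagsForDomain

Resources: *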

Required permissions for DNSSEC actions

GetDNSSEC

Required permissions (API action): route53domains:DeleteTagsForDomain

Resources: *

CreateKeySigningKey

Required permissions (API action): route53:CreateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

DeleteKeySigningKey

Required permissions (API action): route53:DeleteKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

ActivateKeySigningKey

Required permissions (API action): route53:ActivateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

DeactivateKeySigningKey

Required permissions (API action): route53:DeactivateKeySigningKey, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

EnableHostedZoneDNSSEC

Required permissions (API action): route53:EnableHostedZoneDNSSEC, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *

DisableHostedZoneDNSSEC

Required permissions (API action): route53:DisableHostedZoneDNSSEC, kms:DescribeKey, kms:GetPublicKey, kms:Sign

Resources: *