Amazon managed policies for Amazon Route 53 Application Recovery Controller - Amazon Route 53 Application Recovery Controller
Route53RecoveryReadinessServiceRolePolicyAmazonRoute53RecoveryReadinessFullAccessAmazonRoute53RecoveryReadinessReadOnlyAccessAmazonRoute53RecoveryControlConfigFullAccessAmazonRoute53RecoveryControlConfigReadOnlyAccessAmazonRoute53RecoveryClusterFullAccessAmazonRoute53RecoveryClusterReadOnlyAccessPolicy updates
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon Route 53 Application Recovery Controller

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: Route53RecoveryReadinessServiceRolePolicy

You can't attach Route53RecoveryReadinessServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Route 53 Application Recovery Controller to access Amazon services and resources that are used or managed by Route 53 ARC. For more information, see Using service-linked roles for Route 53 ARC.

Amazon managed policy: AmazonRoute53RecoveryReadinessFullAccess

You can attach AmazonRoute53RecoveryReadinessFullAccess to your IAM entities. This policy grants full access to actions for working with recovery readiness (readiness check) in Route 53 ARC. Attach it to IAM users and other principals who need full access to recovery readiness actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53-recovery-readiness:*"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AmazonRoute53RecoveryReadinessReadOnlyAccess

You can attach AmazonRoute53RecoveryReadinessReadOnlyAccess to your IAM entities. This policy grants read-only access to actions for working with recovery readiness in Route 53 ARC. It's useful for users who need to view readiness statuses and recovery group configurations. These users can't create, update, or delete recovery readiness resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53-recovery-readiness:GetCell",
                "route53-recovery-readiness:GetReadinessCheck",
                "route53-recovery-readiness:GetReadinessCheckResourceStatus",
                "route53-recovery-readiness:GetReadinessCheckStatus",
                "route53-recovery-readiness:GetRecoveryGroup",
                "route53-recovery-readiness:GetRecoveryGroupReadinessSummary",
                "route53-recovery-readiness:GetResourceSet",
                "route53-recovery-readiness:ListCells",
                "route53-recovery-readiness:ListCrossAccountAuthorizations",
                "route53-recovery-readiness:ListReadinessChecks",
                "route53-recovery-readiness:ListRecoveryGroups",
                "route53-recovery-readiness:ListResourceSets",
                "route53-recovery-readiness:ListRules",
                "route53-recovery-readiness:ListTagsForResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53-recovery-readiness:GetArchitectureRecommendations",
                "route53-recovery-readiness:GetCellReadinessSummary"
            ],
            "Resource": "arn:aws:route53-recovery-readiness::*:*"
        }
    ]
}

Amazon managed policy: AmazonRoute53RecoveryControlConfigFullAccess

You can attach AmazonRoute53RecoveryControlConfigFullAccess to your IAM entities. This policy grants full access to actions for working with recovery control configuration in Route 53 ARC. Attach it to IAM users and other principals who need full access to recovery control configuration actions.

At your discretion, you can add access to additional Amazon Route 53 actions to enable users to create health checks for routing controls. For example, you might allow permission for one or more of the following actions: route53:GetHealthCheck, route53:CreateHealthCheck, route53:DeleteHealthCheck, and route53:ChangeTagsForResource.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53-recovery-control-config:*"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AmazonRoute53RecoveryControlConfigReadOnlyAccess

You can attach AmazonRoute53RecoveryControlConfigReadOnlyAccess to your IAM entities. It's useful for users who need to view routing control and safety rule configurations. This policy grants read-only access to actions for working with recovery control configuration in Route 53 ARC. These users can't create, update, or delete recovery control resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53-recovery-control-config:DescribeCluster",
                "route53-recovery-control-config:DescribeControlPanel",
                "route53-recovery-control-config:DescribeRoutingControl",
                "route53-recovery-control-config:DescribeRoutingControlByName",
                "route53-recovery-control-config:DescribeSafetyRule",
                "route53-recovery-control-config:ListAssociatedRoute53HealthChecks",
                "route53-recovery-control-config:ListClusters",
                "route53-recovery-control-config:ListControlPanels",
                "route53-recovery-control-config:ListRoutingControls",
                "route53-recovery-control-config:ListSafetyRules",
                "route53-recovery-control-config:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AmazonRoute53RecoveryClusterFullAccess

You can attach AmazonRoute53RecoveryClusterFullAccess to your IAM entities. This policy grants full access to actions for working with the cluster data plane in Route 53 ARC. Attach it to IAM users and other principals who need full access to updating and retrieving routing control states.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53-recovery-cluster:*"
            ],
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AmazonRoute53RecoveryClusterReadOnlyAccess

You can attach AmazonRoute53RecoveryClusterReadOnlyAccess to your IAM entities. This policy grants read-only access to the cluster data plane in Route 53 ARC. These users can retrieve routing control states but can't update them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53-recovery-cluster:GetRoutingControlState",
                "route53-recovery-cluster:ListRoutingControls"
            ],
            "Resource": "*"
        }
    ]
}

Route 53 ARC updates to Amazon managed policies

View details about updates to Amazon managed policies for Route 53 ARC since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Route 53 ARC Document history page.

Change Description Date

Route53RecoveryReadinessServiceRolePolicy – Updated policy

Route 53 ARC added new permissions to query information about Amazon EC2 instances.

Route 53 ARC uses the following permissions to support polling Amazon EC2 instances, to run readiness checks and determine the readiness status for the instances.

ec2:DescribeVpnGateways

ec2:DescribeCustomerGateways

 February 17, 2023

Route53RecoveryReadinessServiceRolePolicy – Updated policy

Route 53 ARC added a new permission to query information about Lambda functions.

Route 53 ARC uses the following permission to query information about Lambda functions to run readiness checks and determine the readiness status for the functions.

lambda:ListProvisionedConcurrencyConfigs

 August 31, 2022

AmazonRoute53RecoveryControlConfigFullAccess – Updated policy

Removed Amazon Route 53 permissions from the policy and added note listing the optional permissions.

 May 26, 2022

AmazonRoute53RecoveryControlConfigFullAccess – Updated policy

Added missing required Amazon Route 53 permissions to the policy.

 April 15, 2022

AmazonRoute53RecoveryClusterReadOnlyAccess – Updated policy

Route 53 ARC added a new permission, route53-recovery-cluster:ListRoutingControls, to allow listing routing control ARNs with high availability.

 March 15, 2022

AmazonRoute53RecoveryControlConfigReadOnlyAccess – Updated policy

Route 53 ARC added a new permission, route53-recovery-control-config:ListTagsForResources, to allow listing tags for a resource.

 December 20, 2021

Route53RecoveryReadinessServiceRolePolicy – Updated policy

Route 53 ARC added a new permission to query information about Amazon API Gateway.

Route 53 ARC uses the permission, apigateway:GET, to query information about API Gateway to run readiness checks and determine the readiness status.

 October 28, 2021

AmazonRoute53RecoveryReadinessReadOnlyAccess - Added new permissions

Route 53 ARC added two new permissions to AmazonRoute53RecoveryReadinessReadOnlyAccess:

Route 53 ARC uses route53-recovery-readiness:GetArchitectureRecommendations and route53-recovery-readiness:GetCellReadinessSummary to allow read-only access to these actions for working with recovery readiness.

 October 15, 2021

Route53RecoveryReadinessServiceRolePolicy – Updated policy

Route 53 ARC added new permissions to query information about Lambda functions.

Route 53 ARC uses the following permissions to query information about Lambda functions to run readiness checks and determine the readiness status for those functions.

lambda:GetFunctionConcurrency

lambda:GetFunctionConfiguration

lambda:GetProvisionedConcurrencyConfig

lambda:ListAliases

lambda:ListVersionsByFunction

lambda:ListEventSourceMappings

lambda:ListFunctions

 October 8, 2021

Added new managed policies

Route 53 ARC added the following new managed policies:

AmazonRoute53RecoveryReadinessFullAccess

AmazonRoute53RecoveryReadinessReadOnlyAccess

AmazonRoute53RecoveryClusterFullAccess

AmazonRoute53RecoveryClusterReadOnlyAccess

AmazonRoute53RecoveryControlConfigFullAccess

AmazonRoute53RecoveryControlConfigReadOnlyAccess

 August 18, 2021

Route 53 ARC started tracking changes

Route 53 ARC started tracking changes for its Amazon managed policies.

 July 27, 2021