Actions, resources, and condition keys for Amazon Route 53 Resolver
Amazon Route 53 Resolver (service prefix: route53resolver) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon Route 53 Resolver
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AssociateFirewallRuleGroup | Grants permission to associate an Amazon VPC with a specified firewall rule group | Write |
ec2:DescribeVpcs |
||
| AssociateResolverEndpointIpAddress | Grants permission to associate a specified IP address with a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) | Write |
ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets |
||
| AssociateResolverQueryLogConfig | Grants permission to associate an Amazon VPC with a specified query logging configuration | Write |
ec2:DescribeVpcs |
||
| AssociateResolverRule | Grants permission to associate a specified Resolver rule with a specified VPC | Write |
ec2:DescribeVpcs |
||
| CreateFirewallDomainList | Grants permission to create a Firewall domain list | Write | |||
| CreateFirewallRule | Grants permission to create a Firewall rule within a Firewall rule group | Write | |||
| CreateFirewallRuleGroup | Grants permission to create a Firewall rule group | Write | |||
| CreateOutpostResolver | Grants permission to create a Route 53 Resolver on Outposts | Write |
outposts:GetOutpost |
||
| CreateResolverEndpoint | Grants permission to create a Resolver endpoint. There are two types of Resolver endpoints, inbound and outbound | Write |
ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs |
||
| CreateResolverQueryLogConfig | Grants permission to create a Resolver query logging configuration, which defines where you want Resolver to save DNS query logs that originate in your VPCs | Write | |||
| CreateResolverRule | Grants permission to define how to route queries originating from your VPC out of the VPC | Write | |||
| DeleteFirewallDomainList | Grants permission to delete a Firewall domain list | Write | |||
| DeleteFirewallRule | Grants permission to delete a Firewall rule within a Firewall rule group | Write | |||
| DeleteFirewallRuleGroup | Grants permission to delete a Firewall rule group | Write | |||
| DeleteOutpostResolver | Grants permission to delete a Route 53 Resolver on Outposts | Write | |||
| DeleteResolverEndpoint | Grants permission to delete a Resolver endpoint. The effect of deleting a Resolver endpoint depends on whether it's an inbound or an outbound endpoint | Write |
ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces |
||
| DeleteResolverQueryLogConfig | Grants permission to delete a Resolver query logging configuration | Write | |||
| DeleteResolverRule | Grants permission to delete a Resolver rule | Write | |||
| DisassociateFirewallRuleGroup | Grants permission to remove the association between a specified Firewall rule group and a specified VPC | Write | |||
| DisassociateResolverEndpointIpAddress | Grants permission to remove a specified IP address from a Resolver endpoint. This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) | Write |
ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces |
||
| DisassociateResolverQueryLogConfig | Grants permission to remove the association between a specified Resolver query logging configuration and a specified VPC | Write | |||
| DisassociateResolverRule | Grants permission to remove the association between a specified Resolver rule and a specified VPC | Write | |||
| GetFirewallConfig | Grants permission to get information about a specified Firewall config | Read |
ec2:DescribeVpcs |
||
| GetFirewallDomainList | Grants permission to get information about a specified Firewall domain list | Read | |||
| GetFirewallRuleGroup | Grants permission to get information about a specified Firewall rule group | Read | |||
| GetFirewallRuleGroupAssociation | Grants permission to get information about an association between a specified Firewall rule group and a VPC | Read | |||
| GetFirewallRuleGroupPolicy | Grants permission to get information about a specified Firewall rule group policy, which specifies the Firewall rule group operations and resources that you want to allow another Amazon Web Services account to use | Read | |||
| GetOutpostResolver | Grants permission to get information about a specified Route 53 Resolver on Outposts | Read | |||
| GetResolverConfig | Grants permission to get the Resolver Config status within the specified resource | Read |
ec2:DescribeVpcs |
||
| GetResolverDnssecConfig | Grants permission to get the DNSSEC validation support status for DNS queries within the specified resource | Read | |||
| GetResolverEndpoint | Grants permission to get information about a specified Resolver endpoint, such as whether it's an inbound or an outbound endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC | Read | |||
| GetResolverQueryLogConfig | Grants permission to get information about a specified Resolver query logging configuration, such as the number of VPCs that the configuration is logging queries for and the location that logs are sent to | Read |
ec2:DescribeVpcs |
||
| GetResolverQueryLogConfigAssociation | Grants permission to get information about a specified association between a Resolver query logging configuration and an Amazon VPC. When you associate a VPC with a query logging configuration, Resolver logs DNS queries that originate in that VPC | Read | |||
| GetResolverQueryLogConfigPolicy | Grants permission to get information about a specified Resolver query logging policy, which specifies the Resolver query logging operations and resources that you want to allow another Amazon Web Services account to use | Read | |||
| GetResolverRule | Grants permission to get information about a specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the IP address that queries are forwarded to | Read | |||
| GetResolverRuleAssociation | Grants permission to get information about an association between a specified Resolver rule and a VPC | Read | |||
| GetResolverRulePolicy | Grants permission to get information about a Resolver rule policy, which specifies the Resolver operations and resources that you want to allow another Amazon Web Services account to use | Read | |||
| ImportFirewallDomains | Grants permission to add, remove or replace Firewall domains in a Firewall domain list | Write | |||
| ListFirewallConfigs | Grants permission to list all the Firewall config that current Amazon Web Services account is able to check | List |
ec2:DescribeVpcs |
||
| ListFirewallDomainLists | Grants permission to list all the Firewall domain list that current Amazon Web Services account is able to use | List | |||
| ListFirewallDomains | Grants permission to list all the Firewall domain under a speicfied Firewall domain list | List | |||
| ListFirewallRuleGroupAssociations | Grants permission to list information about associations between Amazon VPCs and Firewall rule group | List | |||
| ListFirewallRuleGroups | Grants permission to list all the Firewall rule group that current Amazon Web Services account is able to use | List | |||
| ListFirewallRules | Grants permission to list all the Firewall rule under a speicfied Firewall rule group | List | |||
| ListOutpostResolvers | Grants permission to list all instances of Route 53 Resolver on Outposts that were created using the current Amazon Web Services account | List | |||
| ListResolverConfigs | Grants permission to list Resolver Config statuses | List |
ec2:DescribeVpcs |
||
| ListResolverDnssecConfigs | Grants permission to list the DNSSEC validation support status for DNS queries | List | |||
| ListResolverEndpointIpAddresses | Grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) for a specified Resolver endpoint | List | |||
| ListResolverEndpoints | Grants permission to list all the Resolver endpoints that were created using the current Amazon Web Services account | List | |||
| ListResolverQueryLogConfigAssociations | Grants permission to list information about associations between Amazon VPCs and query logging configurations | List |
ec2:DescribeVpcs |
||
| ListResolverQueryLogConfigs | Grants permission to list information about the specified query logging configurations, which define where you want Resolver to save DNS query logs and specify the VPCs that you want to log queries for | List |
ec2:DescribeVpcs |
||
| ListResolverRuleAssociations | Grants permission to list the associations that were created between Resolver rules and VPCs using the current Amazon Web Services account | List |
ec2:DescribeVpcs |
||
| ListResolverRules | Grants permission to list the Resolver rules that were created using the current Amazon Web Services account | List | |||
| ListTagsForResource | Grants permission to list the tags that you associated with the specified resource | Read | |||
| PutFirewallRuleGroupPolicy | Grants permission to specify an Amazon Web Services account that you want to share a Firewall rule group with, the Firewall rule group that you want to share, and the operations that you want the account to be able to perform on the configuration | Permissions management | |||
| PutResolverQueryLogConfigPolicy | Grants permission to specify an Amazon Web Services account that you want to share a query logging configuration with, the query logging configuration that you want to share, and the operations that you want the account to be able to perform on the configuration | Permissions management | |||
| PutResolverRulePolicy | Grants permission to specify an Amazon Web Services account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules | Permissions management | |||
| TagResource | Grants permission to add one or more tags to a specified resource | Tagging | |||
| UntagResource | Grants permission to remove one or more tags from a specified resource | Tagging | |||
| UpdateFirewallConfig | Grants permission to update selected settings for an Firewall config | Write |
ec2:DescribeVpcs |
||
| UpdateFirewallDomains | Grants permission to add, remove or replace Firewall domains in a Firewall domain list | Write | |||
| UpdateFirewallRule | Grants permission to update selected settings for an Firewall rule in a Firewall rule group | Write | |||
| UpdateFirewallRuleGroupAssociation | Grants permission to update selected settings for an Firewall rule group association | Write | |||
| UpdateOutpostResolver | Grants permission to update seletected settings for a specified Route 53 Resolver on Outposts | Write | |||
| UpdateResolverConfig | Grants permission to update the Resolver Config status within the specified resource | Write |
ec2:DescribeVpcs |
||
| UpdateResolverDnssecConfig | Grants permission to update the DNSSEC validation support status for DNS queries within the specified resource | Write | |||
| UpdateResolverEndpoint | Grants permission to update selected settings for an inbound or an outbound Resolver endpoint | Write |
ec2:AssignIpv6Addresses ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:ModifyNetworkInterfaceAttribute ec2:UnassignIpv6Addresses |
||
| UpdateResolverRule | Grants permission to update settings for a specified Resolver rule | Write |
Resource types defined by Amazon Route 53 Resolver
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| resolver-dnssec-config |
arn:${Partition}:route53resolver:${Region}:${Account}:resolver-dnssec-config/${ResourceId}
|
|
| resolver-query-log-config |
arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId}
|
|
| resolver-rule |
arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId}
|
|
| resolver-endpoint |
arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId}
|
|
| firewall-rule-group |
arn:${Partition}:route53resolver:${Region}:${Account}:firewall-rule-group/${ResourceId}
|
|
| firewall-rule-group-association |
arn:${Partition}:route53resolver:${Region}:${Account}:firewall-rule-group-association/${ResourceId}
|
|
| firewall-domain-list |
arn:${Partition}:route53resolver:${Region}:${Account}:firewall-domain-list/${ResourceId}
|
|
| firewall-config |
arn:${Partition}:route53resolver:${Region}:${Account}:firewall-config/${ResourceId}
|
|
| resolver-config |
arn:${Partition}:route53resolver:${Region}:${Account}:resolver-config/${ResourceId}
|
|
| outpost-resolver |
arn:${Partition}:route53resolver:${Region}:${Account}:outpost-resolver/${ResourceId}
|
Condition keys for Amazon Route 53 Resolver
Amazon Route 53 Resolver defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the presence of tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |