AWS Route53 documentation change
Summary
Added comprehensive documentation for new Route 53 Profiles condition keys including ResourceTypes, ResourceArns, HostedZoneDomains, ResolverRuleDomains, FirewallRuleGroupPriority, and ResourceIds with detailed usage examples and policy samples.
Security assessment
This change adds documentation for IAM condition keys that enable fine-grained access control for Route 53 Profiles operations. While this enhances security by allowing more precise permission scoping, there is no evidence in the diff that this addresses a specific security vulnerability or incident. The documentation provides security best practices for implementing least-privilege access controls.
Diff
diff --git a/Route53/latest/DeveloperGuide/specifying-conditions-route53.md b/Route53/latest/DeveloperGuide/specifying-conditions-route53.md index 11e4d0e9b..d21534e61 100644 --- a//Route53/latest/DeveloperGuide/specifying-conditions-route53.md +++ b//Route53/latest/DeveloperGuide/specifying-conditions-route53.md @@ -26,0 +27,12 @@ In Route 53, you can specify conditions when granting permissions using an IAM p + * Grant permissions to allow users to manage (associate/disassociate/update) only specific resource types with a Route 53 Profile. + + * Grant permissions to allow users to manage (associate/disassociate/update) only specific resource ARNs with a Route 53 Profile. + + * Grant permissions to allow users to manage (associate/disassociate/update) only specific hosted zone domains with a Route 53 Profile. + + * Grant permissions to allow users to manage (associate/disassociate/update) only specific Resolver Rule domains with a Route 53 Profile. + + * Grant permissions to allow users to manage (associate/disassociate/update) Firewall Rule Groups with a specific priority range in a Route 53 Profile. + + * Grant permissions to allow users to manage (associate/disassociate) a Route 53 Profile with specific VPCs. + @@ -79,0 +92,64 @@ For your permissions to allow or restrict actions as you intend, you must follow +**For`route53profiles:ResourceTypes`, the value can be any of the following and is case sensitive:** + + * HostedZone + + * FirewallRuleGroup + + * ResolverQueryLoggingConfig + + * ResolverRule + + * VPCEndpoint + + + + +**For`route53profiles:ResourceArns`:** + + * The value must be a valid AWS resource ARN, such as `arn:aws:route53:::hostedzone/Z12345`. + + * Use the `ArnEquals` or `ArnLike` condition operator when comparing ARN values. + + + + +**For`route53profiles:HostedZoneDomains`:** + + * The value must be a valid domain name, such as `example.com`. + + * The domain name must be without the trailing dot. + + * The values are case sensitive. + + + + +**For`route53profiles:ResolverRuleDomains`:** + + * The value must be a valid domain name, such as `example.com`. + + * The domain name must be without the trailing dot. + + * The values are case sensitive. + + + + +**For`route53profiles:FirewallRuleGroupPriority`:** + + * The value must be a numeric value representing the priority of the Firewall Rule Group. + + * Use numeric condition operators such as `NumericEquals`, `NumericGreaterThanEquals`, or `NumericLessThanEquals` to compare priority values or define a priority range. + + + + +**For`route53profiles:ResourceIds`:** + + * The value must be a valid VPC ID, such as `vpc-1a2b3c4d5e6f`. + + * The values are case sensitive. + + + + @@ -109,0 +186,24 @@ Route 53 Condition Key | API operations | Value type | Description +`route53profiles:ResourceTypes` | [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html) | String | Filters access by specific resource type. `route53profiles:ResourceTypes` can be any of the following values (case sensitive): + + * HostedZone + * FirewallRuleGroup + * ResolverQueryLoggingConfig + * ResolverRule + * VPCEndpoint + + +`route53profiles:ResourceArns` | [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) | ARN | Filters access by specific resource ARNs. +`route53profiles:HostedZoneDomains` | [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html) | String | Filters access by Hosted Zone domains. To get the expected behavior, domain names in the IAM policy must be normalized as follows: + + * The domain name must be without the trailing dot. + * The values are case sensitive. + + +`route53profiles:ResolverRuleDomains` | [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html) | String | Filters access by Resolver Rule domains. To get the expected behavior, domain names in the IAM policy must be normalized as follows: + + * The domain name must be without the trailing dot. + * The values are case sensitive. + + +`route53profiles:FirewallRuleGroupPriority` | [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html) [DisassociateResourceFromProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateResourceFromProfile.html) [UpdateProfileResourceAssociation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_UpdateProfileResourceAssociation.html) | Numeric | Filters access by priority range of a Firewall Rule Group. +`route53profiles:ResourceIds` | [AssociateProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateProfile.html) [DisassociateProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_DisassociateProfile.html) | String | Filters access by given VPCs. @@ -309,0 +410,121 @@ JSON +###### Important + +The `route53profiles` condition keys are available in all AWS Regions where Route 53 Route53Profiles is available, except for me-central-1 and me-south-1. + +###### Grant permissions that limit resource association to specific resource types in Route 53 Profiles + +The following permissions policy grants permissions that allow `AssociateResourceToProfile` and `DisassociateResourceFromProfile` actions only when the resource type is a hosted zone. It uses the `route53profiles:ResourceTypes` condition key to restrict the resource types that can be associated with a profile. + + + { + "Effect": "Allow", + "Action": [ + "route53profiles:AssociateResourceToProfile", + "route53profiles:DisassociateResourceFromProfile" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "route53profiles:ResourceTypes": "HostedZone" + } + } + } + +###### Grant permissions that limit resource association to specific resource ARNs in Route 53 Profiles + +The following permissions policy grants permissions that allow `AssociateResourceToProfile` and `DisassociateResourceFromProfile` actions only for the specified resource ARN. It uses the `route53profiles:ResourceArns` condition key to restrict which resources can be associated with a profile. + + + { + "Effect": "Allow", + "Action": [ + "route53profiles:AssociateResourceToProfile", + "route53profiles:DisassociateResourceFromProfile" + ], + "Resource": "*", + "Condition": { + "ArnEquals": { + "route53profiles:ResourceArns": "arn:aws:route53:::hostedzone/Z12345" + } + } + } + +###### Grant permissions that limit resource association to specific hosted zone domains in Route 53 Profiles + +The following permissions policy grants permissions that allow `AssociateResourceToProfile`, `DisassociateResourceFromProfile`, and `UpdateProfileResourceAssociation` actions only when the hosted zone domain matches the specified value. It uses the `route53profiles:HostedZoneDomains` condition key to restrict which hosted zone domains can be associated with a profile. + + + { + "Effect": "Allow", + "Action": [ + "route53profiles:AssociateResourceToProfile", + "route53profiles:DisassociateResourceFromProfile", + "route53profiles:UpdateProfileResourceAssociation" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "route53profiles:HostedZoneDomains": "example.com" + } + } + } + +###### Grant permissions that limit resource association to specific Resolver Rule domains in Route 53 Profiles + +The following permissions policy grants permissions that allow `AssociateResourceToProfile`, `DisassociateResourceFromProfile`, and `UpdateProfileResourceAssociation` actions only when the Resolver Rule domain matches the specified value. It uses the `route53profiles:ResolverRuleDomains` condition key to restrict which Resolver Rule domains can be associated with a profile. + + + { + "Effect": "Allow", + "Action": [ + "route53profiles:AssociateResourceToProfile", + "route53profiles:DisassociateResourceFromProfile", + "route53profiles:UpdateProfileResourceAssociation" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "route53profiles:ResolverRuleDomains": "example.com" + } + } + } + +###### Grant permissions that limit Firewall Rule Group association to a specific priority range in Route 53 Profiles + +The following permissions policy grants permissions that allow `AssociateResourceToProfile`, `DisassociateResourceFromProfile`, and `UpdateProfileResourceAssociation` actions only when the Firewall Rule Group priority is within the specified range. It uses the `route53profiles:FirewallRuleGroupPriority` condition key to restrict the priority values that can be used. + + + { + "Effect": "Allow", + "Action": [ + "route53profiles:AssociateResourceToProfile", + "route53profiles:DisassociateResourceFromProfile",