Restrict access of IAM user to delete Route53 hostedzone NS and SOA record sets

Question

I have written IAM Policy to restrict IAM users to just use a single hosted zone for testing but how can I restrict IAM users to delete this hosted zone's NS record and SOA record sets.

PFB my IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListTrafficPolicyVersions",
                "route53:GetHostedZone",
                "route53:GetHealthCheck",
                "route53:DeleteHealthCheck",
                "route53:UpdateHealthCheck",
                "route53:ListQueryLoggingConfigs",
                "route53:ListResourceRecordSets",
                "route53:GetTrafficPolicyInstance",
                "route53:UpdateHostedZoneComment",
                "route53:GetQueryLoggingConfig",
                "route53:UpdateTrafficPolicyComment",
                "route53:UpdateTrafficPolicyInstance",
                "route53:GetHealthCheckLastFailureReason",
                "route53:GetHealthCheckStatus",
                "route53:ListTrafficPolicyInstancesByHostedZone",
                "route53:ListVPCAssociationAuthorizations",
                "route53:GetReusableDelegationSetLimit",
                "route53:ChangeResourceRecordSets",
                "route53:GetReusableDelegationSet",
                "route53:ListTagsForResource",
                "route53:ListTagsForResources",
                "route53:ListTrafficPolicyInstancesByPolicy",
                "route53:GetHostedZoneLimit",
                "route53:GetTrafficPolicy"
            ],
            "Resource": "arn:aws:route53:::hostedzone/Z03200001ZUWD7XXXXXXX"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "route53:ListReusableDelegationSets",
                "route53:ListTrafficPolicyInstances",
                "route53:GetTrafficPolicyInstanceCount",
                "route53:CreateReusableDelegationSet",
                "route53:CreateTrafficPolicy",
                "route53:TestDNSAnswer",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:GetAccountLimit",
                "route53:GetCheckerIpRanges",
                "route53:ListHealthChecks",
                "route53:CreateHealthCheck",
                "route53:ListTrafficPolicies",
                "route53:GetGeoLocation",
                "route53:ListGeoLocations",
                "route53:GetHostedZoneCount",
                "route53:GetHealthCheckCount"
            ],
            "Resource": "*"
        }
    ]
}

score 0 · Accepted Answer · answered Mar 31 '20 at 02:58

0

SOA record can't be deleted in Route53. It's an integral part of any DNS zone. And I believe NS records can't be deleted either, they are managed by Route53. Regardless of your IAM permissions.

answered Mar 31 '20 at 02:58

MLu

24,849
5
59
86

Thanks for your answer. Can I try to delete and verify? – Usman Apr 01 '20 at 13:35
@Usman create a new dummy hosted zone in Route53 (it doesn’t have to be officially registered) and play with it. That’s the easiest way to find out. – MLu Apr 01 '20 at 20:04
Let me try. Really appreciated your response. – Usman Apr 03 '20 at 20:37

score 0 · Answer 2 · answered Apr 07 '20 at 15:09

0

If you have created a hosted zone with Route53, 2 recordsets created automatically and those are NS record and SOA record. No one deletes NS and SOA records can't be deleted.

answered Apr 07 '20 at 15:09

Usman

13
2

Restrict access of IAM user to delete Route53 hostedzone NS and SOA record sets

2 Answers2