[AWS IAM] Policy settings that allow viewing only in specific hosted zones
*Butano Hoshi (Hyogo Amagasaki)
Hello!
My name is Hide, the ramen king of the Beyond Osaka Office.
This is my 12th post.
Last time, I wrote about how to show a WordPress site that lives in a subdirectory on the top page!
The change itself is relatively easy, but a mistake in the settings can cause problems such as a blank screen.
I also covered a fix for that problem, so if you are interested, please check it out.
Overview
"I want to create a user who can only view this hosted zone, but
how do I create one?"
Have you ever run into this?
For example, you want another company to check just one specific hosted zone,
but you don't know how to restrict the permissions so that they can only view it.
I also researched this from the AWS references and other articles, but it took quite a while...
With the steps below, though, you can set the permissions easily, so let's go through them together!
Setup steps
① In Route 53 > Hosted zones, copy the hosted zone ID of the domain in question.
② Go to IAM > Policies > [Create policy].
③ On the Create policy screen, paste the following into the JSON tab and click [Next step: Tags].
* Replace xxxxxxxxxxxxxxxxxx in arn:aws:route53:::hostedzone/xxxxxxxxxxxxxxxxxx with the hosted zone ID you copied.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ListVPCAssociationAuthorizations",
        "route53:ListResourceRecordSets",
        "route53:GetDNSSEC",
        "route53:ListTagsForResource",
        "route53:GetHostedZoneLimit"
      ],
      "Resource": "arn:aws:route53:::hostedzone/xxxxxxxxxxxxxxxxxx"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:GetHostedZoneCount"
      ],
      "Resource": "*"
    }
  ]
}
Action list
Action name | Explanation
--- | ---
GetHostedZone | Grants permission to retrieve information about a specified hosted zone, including the four name servers that Route 53 has assigned to the hosted zone
ListVPCAssociationAuthorizations | Grants permission to retrieve the list of VPCs created by other accounts that can be associated with the specified hosted zone
ListResourceRecordSets | Grants permission to list records in the specified hosted zone
GetDNSSEC | Grants permission to obtain information about DNSSEC for a specific hosted zone, including the hosted zone's key-signing keys
ListTagsForResource | Grants permission to list tags for one health check or hosted zone
GetHostedZoneLimit | Grants permission to retrieve the specified limits for the specified hosted zone
ListHostedZones | Grants permission to retrieve the list of public and private hosted zones associated with the current AWS account
ListHostedZonesByName | Grants permission to retrieve a lexicographical list of hosted zones. Hosted zones are sorted by name with the labels reversed (e.g. com.example.www)
GetHostedZoneCount | Grants permission to retrieve the number of hosted zones associated with the current AWS account
List of resource types
Resource type name | Explanation
--- | ---
hostedzone | Actions can be restricted by specifying the hosted zone ID
④ Enter the following and click [Next step: Confirm]
Key: Name
Policy: * any name you like
⑤ On the policy confirmation screen, enter the following and click [Create policy]
Name: * any name you like
⑥ Attach the created policy to the user.
⑦ Log in as that user and check the behaviour.
* If you try to view anything other than the hosted zone, such as health checks, the following error appears.
* Because of how the hosted zone list permission works, the user can see the list of the other hosted zones, but opening any of them produces the following error.
・Hosted zone list screen
・Error screen
* Trying to create, delete, or edit a record also produces the following error.
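To see why the policy behaves this way (the zone list is visible, other zones and record edits are denied), here is an added example that is not part of the original post: it replays the step ⑦ checks against the policy with a simplified, IAM-style matcher. The hosted zone IDs Z0EXAMPLE123 and Z0OTHERZONE9 are constructed placeholders, and the evaluator is a teaching approximation, not the real IAM engine.

```python
import fnmatch
import json

# Constructed sample: the read-only policy from this post, with the placeholder
# Z0EXAMPLE123 (not a real zone) standing in for the copied hosted zone ID.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["route53:GetHostedZone", "route53:ListVPCAssociationAuthorizations",
                "route53:ListResourceRecordSets", "route53:GetDNSSEC",
                "route53:ListTagsForResource", "route53:GetHostedZoneLimit"],
     "Resource": "arn:aws:route53:::hostedzone/Z0EXAMPLE123"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName",
                "route53:GetHostedZoneCount"],
     "Resource": "*"}
  ]
}""")
OWN_ZONE = "arn:aws:route53:::hostedzone/Z0EXAMPLE123"    # the zone the user may view
OTHER_ZONE = "arn:aws:route53:::hostedzone/Z0OTHERZONE9"  # any other zone in the account

def _as_list(value):
    # IAM allows Action/Resource to be a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation (an assumption, not the real IAM
    engine): implicit deny unless an Allow statement matches both action and
    resource; an explicit Deny wins. Condition/NotAction are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
        res_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(policy=POLICY):
    """Replay the checks from step 7: what this user can and cannot do."""
    return {
        "list all hosted zones": is_allowed(policy, "route53:ListHostedZones", "*"),
        "view records in own zone": is_allowed(policy, "route53:ListResourceRecordSets", OWN_ZONE),
        "view records in other zone": is_allowed(policy, "route53:ListResourceRecordSets", OTHER_ZONE),
        "edit records in own zone": is_allowed(policy, "route53:ChangeResourceRecordSets", OWN_ZONE),
        "list health checks": is_allowed(policy, "route53:ListHealthChecks", "*"),
    }
```

Only the first two checks come back allowed, which matches the behaviour seen on the console: listing succeeds for every zone, but reading any other zone, changing records, or viewing health checks hits an implicit deny.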
Summary
What did you think?
Policy settings allow very fine-grained permissions, so I think there are many things you won't understand even after reading the official reference.
I also had a hard time understanding it...
With these steps, though, you can easily create a policy that allows viewing of a specific hosted zone,
so if you need it, please take a look!
Well then, thank you for reading!