![[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!](https://beyondjapan.com/cms/wp-content/uploads/2022/12/recruit_blog_banner-768x344.jpg)
[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!
![[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services](https://beyondjapan.com/cms/wp-content/uploads/2021/03/AWS_構築・運用保守-768x344.png)
[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services
![[Successor to CentOS] AlmaLinux OS server construction/migration service](https://beyondjapan.com/cms/wp-content/uploads/2023/08/almalinux_blogbanner-768x344.png)
[Successor to CentOS] AlmaLinux OS server construction/migration service
![[For WordPress only] Cloud server “Web Speed”](https://beyondjapan.com/cms/wp-content/uploads/2022/11/webspeed_blog_banner-768x344.png)
[For WordPress only] Cloud server “Web Speed”
![[Cheap] Website security automatic diagnosis “Quick Scanner”](https://beyondjapan.com/cms/wp-content/uploads/2023/04/quick_eyecatch_blogbanner-768x345.jpg)
[Cheap] Website security automatic diagnosis “Quick Scanner”
![[Reservation system development] EDISONE customization development service](https://beyondjapan.com/cms/wp-content/uploads/2023/06/edisone_blog_banner-768x345.jpg)
[Reservation system development] EDISONE customization development service
![[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”](https://beyondjapan.com/cms/wp-content/uploads/2021/03/Appmill_ブログバナー-768x344.png)
[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”
![[Compatible with over 200 countries] Global eSIM “Beyond SIM”](https://beyondjapan.com/cms/wp-content/uploads/2024/05/beyond_esim_blog_slider1-768x345.jpg)
[Compatible with over 200 countries] Global eSIM “Beyond SIM”
![[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”](https://beyondjapan.com/cms/wp-content/uploads/2024/05/china-sim_blogbanner-768x345.jpg)
[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”
![[Global exclusive service] Beyond's MSP in North America and China](https://beyondjapan.com/cms/wp-content/uploads/2024/06/gloval_surport_blog_slider-768x345.jpg)
[Global exclusive service] Beyond's MSP in North America and China
![[YouTube] Beyond official channel “Biyomaru Channel”](https://beyondjapan.com/cms/wp-content/uploads/2021/07/バナー1-768x339.jpg)
[YouTube] Beyond official channel “Biyomaru Channel”
[AWS IAM] Policy settings that allow viewing only in specific hosted zones
table of contents
- 1 overview
- 2 Setting method
- 2.1 ①Copy the hosted zone ID of the corresponding domain name in the Route53>hosted zone
- 2.2 ②IAM > Policy > [Create policy]
- 2.3 ③Create a policy> Write it in the JSON tab and click [Next step: Tag]
- 2.4 ④ Specify the following and click [Next step: Confirm]
- 2.5 ⑤ Specify the following in policy confirmation and click [Create policy]
- 2.6 ⑥Attach the created policy to the user
- 2.7 ⑦Log in and check operation
- 3 summary
*Butano Hoshi (Hyogo Amagasaki)
Hello!
My name is Hide, the ramen king of Beyond Osaka Office.
This is my 12th post.
Last time, I wrote about how to display a WordPress site displayed in a subdirectory on the top page!
The change method is relatively easy, but if you make a mistake in the settings, problems such as a blank screen may occur.
We have also introduced a solution to this problem, so if you are interested, please check it out.
overview
"I want to create a user who can only view this hosted zone, but...
how do I create this?"
Do you have any of the above?
you want another company to just check a specific host zone, but
you don't know how to adjust the permissions so they can only view it.
I also researched the information based on AWS references and other articles, but it took quite a while. . .
However, if you look at this, you can easily set permissions, so let's take a look at it together!
Setting method
①Copy the hosted zone ID of the corresponding domain name in the Route53>hosted zone
②IAM > Policy > [Create policy]
③Create a policy> Write it in the JSON tab and click [Next step: Tag]
* Enter the hosted zone ID in place of arn:aws:route53:::hostedzone/ xxxxxxxxxxxxxxxxxx
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "route53:GetHostedZone", "route53:ListVPCAssociationAuthorizations }, " Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:GetHostedZoneCount" ], "Resource": "*" } ] }
| Action list | |
| action name | explanation |
| GetHostedZone | Grants permission to retrieve information about a specified hosted zone, including the four name servers that Route 53 has assigned to the hosted zone |
| ListVPCAssociationAuthorizations | Grants permission to retrieve the list of VPCs created by other accounts that can be associated with the specified hosted zone |
| ListResourceRecordSets | Grants permission to list records in the specified hosted zone |
| GetDNSSEC | Grants permission to obtain information about DNSSEC for a specific hosted zone, including the hosted zone's key signing keys |
| ListTagsForResource | Grants permission to list tags for one health check or hosted zone |
| GetHostedZoneLimit | Grants permission to retrieve the specified limits for the specified hosted zone |
| ListHostedZones | Grants permission to retrieve the list of public and private hosted zones associated with the current AWS account. |
| ListHostedZonesByName | Grants permission to retrieve a lexicographical list of hosted zones. Hosted zones are sorted by name with the label reversed (e.g. com.example.www |
| GetHostedZoneCount | Grants permission to retrieve the number of hosted zones associated with the current AWS account. |
| List of resource types | |
| Resource type name | explanation |
| hostedzone | Actions can be restricted by specifying the hosted zone ID |
④ Specify the following and click [Next step: Confirm]
Key: Name
Policy: *Please specify your favorite name
⑤ Specify the following in policy confirmation and click [Create policy]
Name: *Please specify your favorite name
⑥Attach the created policy to the user
⑦Log in and check operation
*If you try to check anything other than the host zone such as health check, the following error will occur.
*Due to permission specifications in the hosted zone list, you can only see a list of other hosted zones, but when you try to check the contents, the following error occurs.
・Host zone list screen
・error screen
*If you try to create, delete, or edit a record, the following error will occur.
summary
What do you think?
Policy settings allow for very detailed permission settings, so I think there are many things you won't understand even if you look at the official reference.
I also had a hard time understanding it. . . .
However, by using these steps, you can easily create a policy that allows viewing of a specific hosted zone, so
if you need it, please take a look!
Well then, thank you for watching!
3
Loading...3 
![[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution](https://beyondjapan.com/cms/wp-content/uploads/2024/05/59b34db220409b6211b90ac6a7729303-1024x444.png)
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution
![[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!](https://beyondjapan.com/cms/wp-content/uploads/2022/12/20221215_recruit_blog_banner.jpg)
[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!
The person who wrote this article
About the author
