[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

[AWS IAM] Policy settings that allow viewing only in specific hosted zones

*Butano Hoshi (Hyogo Amagasaki)

Hello!
My name is Hide, the ramen king of Beyond Osaka Office.
This is my 12th post.

Last time, I wrote about how to display a WordPress site displayed in a subdirectory on the top page!
The change method is relatively easy, but if you make a mistake in the settings, problems such as a blank screen may occur.
We have also introduced a solution to this problem, so if you are interested, please check it out.

 

 

overview

"I want to create a user who can only view this hosted zone, but...
how do I create this?"

 

Do you have any of the above?
you want another company to just check a specific host zone, but
you don't know how to adjust the permissions so they can only view it.
I also researched the information based on AWS references and other articles, but it took quite a while. . .
However, if you look at this, you can easily set permissions, so let's take a look at it together!

 

 

Setting method

①Copy the hosted zone ID of the corresponding domain name in the Route53>hosted zone

 

 

 

②IAM > Policy > [Create policy]

 

 

 

③Create a policy> Write it in the JSON tab and click [Next step: Tag]

* Enter the hosted zone ID in place of arn:aws:route53:::hostedzone/ xxxxxxxxxxxxxxxxxx

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "route53:GetHostedZone", "route53:ListVPCAssociationAuthorizations }, " Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:GetHostedZoneCount" ], "Resource": "*" } ] }

 

Action list
action name explanation
GetHostedZone Grants permission to retrieve information about a specified hosted zone, including the four name servers that Route 53 has assigned to the hosted zone
ListVPCAssociationAuthorizations Grants permission to retrieve the list of VPCs created by other accounts that can be associated with the specified hosted zone
ListResourceRecordSets Grants permission to list records in the specified hosted zone
GetDNSSEC Grants permission to obtain information about DNSSEC for a specific hosted zone, including the hosted zone's key signing keys
ListTagsForResource Grants permission to list tags for one health check or hosted zone
GetHostedZoneLimit Grants permission to retrieve the specified limits for the specified hosted zone
ListHostedZones Grants permission to retrieve the list of public and private hosted zones associated with the current AWS account.
ListHostedZonesByName Grants permission to retrieve a lexicographical list of hosted zones. Hosted zones are sorted by name with the label reversed (e.g. com.example.www
GetHostedZoneCount Grants permission to retrieve the number of hosted zones associated with the current AWS account.

 

List of resource types
Resource type name explanation
hostedzone Actions can be restricted by specifying the hosted zone ID

 

 

 

 

④ Specify the following and click [Next step: Confirm]

Key: Name

Policy: *Please specify your favorite name

 

 

 

⑤ Specify the following in policy confirmation and click [Create policy]

Name: *Please specify your favorite name

 

 

 

 

⑥Attach the created policy to the user

 

 

 

⑦Log in and check operation

*If you try to check anything other than the host zone such as health check, the following error will occur.

 

 

*Due to permission specifications in the hosted zone list, you can only see a list of other hosted zones, but when you try to check the contents, the following error occurs.

Host zone list screen

 

error screen

 

 

*If you try to create, delete, or edit a record, the following error will occur.

 

 

 

summary

What do you think?
Policy settings allow for very detailed permission settings, so I think there are many things you won't understand even if you look at the official reference.
I also had a hard time understanding it. . . .

However, by using these steps, you can easily create a policy that allows viewing of a specific hosted zone, so
if you need it, please take a look!
Well then, thank you for watching!

If you found this article helpful , please give it a like!
3
Loading...
3 votes, average: 1.00 / 13
1,395
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!

[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!

The person who wrote this article

About the author

Hide@Infrastructure Engineer

It all started with a very interesting interview.
A mid-career employee of the System Solutions Department in Osaka.My
job is to build and operate servers and clouds!
I have the qualifications of LPIC1, AWS SAA, and OCI Architect Associate.

Actually, I love ramen and
have investigated over 100 stores in Osaka (。-∀-) I'm striving to become the Ramen King of Nibi Beyond
!

I'm also on Twitter, so please follow me (´∇`)
Click on the Twitter mark on the right corner! !