From 0cada616bc5574ae7f3f7eba37e98ef4bc926bb3 Mon Sep 17 00:00:00 2001 
From: Troy B <81539149+miiiak@users.noreply.github.com> Date: Wed, 10 Jan 2024 11:03:50 -0700 Subject: [PATCH] docs(route53): crossaccountrole scope-down guidance (#28624) Reference [issue 28596](https://github.com/aws/aws-cdk/issues/28596) The motivation is to help CDK builders understand how to take advantage of IAM scope-down capabilities to ensure least-privilege cross-account role access related to cross account zone delegation. The Cross Account Zone Delegation guidance currently includes reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance. E.g. ``` const crossAccountRole = new iam.Role(this, 'CrossAccountRole', { // The role name must be predictable roleName: 'MyDelegationRole', // The other account assumedBy: new iam.AccountPrincipal('12345678901'), }); ``` should be more like: ``` const crossAccountRole = new iam.Role(this, 'CrossAccountRole', { // The role name must be predictable roleName: 'MyDelegationRole', // The other account assumedBy: new iam.AccountPrincipal('12345678901'), // You can scope down this role policy to be least privileged. 
// If you want the other account to be able to manage specific records, // you can scope down by resource and/or normalized record names inlinePolicies: { "crossAccountPolicy": new iam.PolicyDocument({ statements: [ new iam.PolicyStatement({ sid: "ListHostedZonesByName", effect: iam.Effect.ALLOW, actions: ["route53:ListHostedZonesByName"], resources: ["*"] }), new iam.PolicyStatement({ sid: "GetHostedZoneAndChangeResourceRecordSet", effect: iam.Effect.ALLOW, actions: ["route53:GetHostedZone", "route53:ChangeResourceRecordSet"], // This example assumes the RecordSet subdomain.somexample.com // is contained in the HostedZone resources: ["arn:aws:route53:::hostedzone/HZID00000000000000000"], conditions: { "ForAllValues:StringLike": { "route53:ChangeResourceRecordSetsNormalizedRecordNames": [ "subdomain.someexample.com" ] } } }) }); ``` Closes #28596. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/aws-cdk-lib/aws-route53/README.md | 32 +++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-route53/README.md b/packages/aws-cdk-lib/aws-route53/README.md
index 91dc7baeee353..ce92008765691 100644
--- a/packages/aws-cdk-lib/aws-route53/README.md
+++ b/packages/aws-cdk-lib/aws-route53/README.md
@@ -182,7 +182,7 @@ new route53.ARecord(this, 'ARecord', {
 ### Cross Account Zone Delegation
 If you want to have your root domain hosted zone in one account and your subdomain hosted
-zone in a diferent one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
+zone in a different one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
 between them.
 In the account containing the parent hosted zone: 
@@ -196,6 +196,36 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
 roleName: 'MyDelegationRole',
 // The other account
 assumedBy: new iam.AccountPrincipal('12345678901'),
+ // You can scope down this role policy to be least privileged.
+ // If you want the other account to be able to manage specific records,
+ // you can scope down by resource and/or normalized record names
+ inlinePolicies: {
+ crossAccountPolicy: new iam.PolicyDocument({
+ statements: [
+ new iam.PolicyStatement({
+ sid: 'ListHostedZonesByName',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:ListHostedZonesByName'],
+ resources: ['*'],
+ }),
+ new iam.PolicyStatement({
+ sid: 'GetHostedZoneAndChangeResourceRecordSet',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSet'],
+ // This example assumes the RecordSet subdomain.somexample.com
+ // is contained in the HostedZone
+ resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
+ conditions: {
+ 'ForAllValues:StringLike': {
+ 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
+ 'subdomain.someexample.com',
+ ],
+ },
+ },
+ }),
+ ],
+ }),
+ },
 });
 parentZone.grantDelegation(crossAccountRole);
 ```
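Review bot: The second statement's action `'route53:ChangeResourceRecordSet'` is singular, while the Route 53 action the condition key a few lines below is named after is `route53:ChangeResourceRecordSets`; as written the sample role would be allowed GetHostedZone but not the record change the delegation record needs, so the line should read `actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'],`. The comment above `resources` names `subdomain.somexample.com` whereas the condition value is `subdomain.someexample.com`; the two should match so readers do not copy a pattern that silently never applies. Since this is an Allow statement, it is also worth a one-line comment that `ForAllValues` is satisfied when the request carries no `ChangeResourceRecordSetsNormalizedRecordNames` key, so the single hosted-zone ARN in `resources` remains the primary bound and the condition is an additional narrowing rather than a substitute for it. The enclosing `iam.Role` construct starts before this hunk.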