24 changes: 13 additions & 11 deletions docs/tutorials/aws.md
Expand Up @@ -9,17 +9,16 @@ Record Sets and Hosted Zones. You'll want to create this Policy in IAM first. In
our example, we'll call the policy `AllowExternalDNSUpdates` (but you can call
it whatever you prefer).

If you prefer, you may fine-tune the policy to permit updates only to explicit
Hosted Zone IDs.

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
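Review bot: moving `route53:ListTagsForResources` under the `arn:aws:route53:::hostedzone/*` statement scopes it to hosted zones only, but as the review thread on the second policy points out, the same action is also used against health checks (`arn:aws:route53:::healthcheck/*`), so tag lookups on health checks would be denied by this statement. Suggest giving `route53:ListTagsForResources` its own Allow statement whose `Resource` lists both ARN patterns, and keeping `route53:ChangeResourceRecordSets` and `route53:ListResourceRecordSets` on `hostedzone/*` as done here.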
Expand All @@ -28,9 +27,7 @@ Hosted Zone IDs.
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
"route53:ListHostedZones"
],
"Resource": [
"*"
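Review bot: keeping `route53:ListHostedZones` alone on `"Resource": ["*"]` is correct, since that action is not resource-scoped and narrowing it to a zone ARN would deny the call; a short sentence in the surrounding prose saying that this statement must keep `"*"` would stop readers from "tightening" it when they apply the least-privilege advice added further down in this PR.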
Expand All @@ -51,7 +48,9 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
Member
This will not work with service-specific conditions.

Member
ListTagsForResources will not work as it will require healthcheck resource id as well.

Contributor Author
Should ListTagsForResources then be placed under a separate allow statement?
This way it will be possible to fine-tune it later, passing either zone(s) or health check(s) to it.

Member
Hard to say. IAM is tricky. I just pointed out that this is not going to work; if you have access to AWS, it's probably worth validating the policy.

Contributor Author

@crtr109 crtr109 Aug 3, 2025
I do have a live cluster, but unfortunately without health checks configured.

I'm also not really sure how to test it, since I've never come across that functionality, to be honest.
Is that the relevant part in the docs? https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#associating-dns-records-with-healthchecks
If you can give me more hints on how to properly test, I will do it.

So for ListTagsForResources my suggestion would be the following:

```json
{
  "Effect": "Allow",
  "Action": [
    "route53:ListTagsForResources"
  ],
  "Resource": [
    "arn:aws:route53:::hostedzone/*",
    "arn:aws:route53:::healthcheck/*"
  ]
}
```

This way, if a user wants to make the policy tighter, he has all the needed info to do it.

Please let me know how to proceed.

Member
Yeah, arn:aws:route53:::healthcheck/* is nice to have, but I'm not using it either, so I'm not sure what the exact requirements are and how to lock them down. Here is a helper: https://www.awsiamactions.io/?o=ListTagsForResources
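To make the trade-off discussed in this thread concrete, here is a small offline lint, added here as an example and not code from the PR or the external-dns project, that checks each Allow statement's `Resource` ARNs against the resource types the Route 53 actions accept. The table of accepted resource types is my transcription of the AWS Service Authorization Reference and is an assumption to verify against the current reference; the three sample policies are constructed from the "before", "after" and "separate statement" variants discussed above, and the helper names (`lint_policy`, `lint_json`, `resource_type`) are mine.

```python
"""Offline lint for a Route 53 IAM policy: does each action's Resource scope
fit what the action accepts?  Added example; not external-dns project code."""
import json

# Resource types accepted by each Route 53 action.  ASSUMPTION: transcribed from
# the AWS Service Authorization Reference; verify against the current reference.
# An empty set means the action is not resource-scoped and needs Resource "*".
ACTION_RESOURCE_TYPES = {
    "route53:ChangeResourceRecordSets": {"hostedzone"},
    "route53:ListResourceRecordSets": {"hostedzone"},
    "route53:ListTagsForResources": {"hostedzone", "healthcheck"},
    "route53:ListHostedZones": set(),
}
ARN_PREFIX = "arn:aws:route53:::"


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def resource_type(arn):
    """'*' stays '*'; 'arn:aws:route53:::hostedzone/Z123' -> 'hostedzone'."""
    if arn == "*":
        return "*"
    if not arn.startswith(ARN_PREFIX):
        return "unknown"
    return arn[len(ARN_PREFIX):].split("/", 1)[0]


def lint_policy(policy):
    """Return (statement_index, action, problem) tuples for every Allow statement."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        types = {resource_type(r) for r in _as_list(stmt["Resource"])}
        for action in _as_list(stmt["Action"]):
            supported = ACTION_RESOURCE_TYPES.get(action)
            if supported is None:
                findings.append((idx, action, "action not in table, not checked"))
            elif not supported:
                # Not resource-scoped: anything narrower than "*" denies the call.
                if types != {"*"}:
                    findings.append((idx, action, 'not resource-scoped: Resource must be "*"'))
            elif "*" in types:
                # Over-broad: the action could have been limited to ARNs.
                findings.append((idx, action, 'granted on "*" although it can be scoped to ARNs'))
            else:
                missing = supported - types
                if missing:
                    findings.append((idx, action, f"no ARN of type {sorted(missing)}: calls on those are denied"))
                unsupported = types - supported
                if unsupported:
                    findings.append((idx, action, f"ARN type(s) {sorted(unsupported)} not valid for this action"))
    return findings


def lint_json(text):
    """Convenience wrapper for a policy document read from a file or stdin."""
    return lint_policy(json.loads(text))


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


HOSTED = ARN_PREFIX + "hostedzone/*"
HEALTH = ARN_PREFIX + "healthcheck/*"

# Constructed sample: the docs before this PR (list actions on "*").
BEFORE = _policy(
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"], "Resource": [HOSTED]},
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets",
                                   "route53:ListTagsForResources"], "Resource": ["*"]},
)
# Constructed sample: the docs as changed by this PR.
AFTER = _policy(
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets",
                                   "route53:ListTagsForResources"], "Resource": [HOSTED]},
    {"Effect": "Allow", "Action": ["route53:ListHostedZones"], "Resource": ["*"]},
)
# Constructed sample: the separate-statement variant suggested in the thread.
SPLIT = _policy(
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
     "Resource": [HOSTED]},
    {"Effect": "Allow", "Action": ["route53:ListTagsForResources"], "Resource": [HOSTED, HEALTH]},
    {"Effect": "Allow", "Action": ["route53:ListHostedZones"], "Resource": ["*"]},
)

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER), ("split", SPLIT)):
        findings = lint_policy(policy)
        print(name, "ok" if not findings else json.dumps(findings, indent=1))
```

Run as a script, the "before" policy is flagged for granting two scopable actions on `"*"`, the "after" policy is flagged only for `route53:ListTagsForResources` lacking a `healthcheck` ARN, and the "split" policy passes; `lint_json` takes a real policy document's text so the same check can run on a policy pulled from IAM.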

],
"Resource": [
"arn:aws:route53:::hostedzone/*"
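Review bot: this is the same move as in the first policy, so whatever is settled in the thread above for `route53:ListTagsForResources` (a separate Allow statement with both `arn:aws:route53:::hostedzone/*` and `arn:aws:route53:::healthcheck/*`) has to land in both the plain and the ABAC policy; the two blocks should end up with identical statement shapes so that readers who copy either one get the same behaviour.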
Expand All @@ -67,9 +66,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
"route53:ListHostedZones"
],
"Resource": [
"*"
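Review bot: consistent with the change to the first policy. Since this statement now grants only `route53:ListHostedZones` on `"*"`, once the `ListTagsForResources` question is settled it is worth re-checking that the ABAC policy still covers every action external-dns calls, not only the four shown here.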
Expand All @@ -79,6 +76,11 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
}
```

### Further improvements

Both policies can be further enhanced by tightening them down following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
Explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.

Additional resources:

- AWS IAM actions [documentation](https://www.awsiamactions.io/?o=route53%3A)
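Review bot: the sentence beginning "Explicitly providing a list of selected zones instead of `*`" is ungrammatical and, as written, can be read as advice to replace every `*` in the policy, including `"Resource": ["*"]` on `route53:ListHostedZones`, which would deny that call. Suggest: "By listing the ARNs of the selected hosted zones instead of `arn:aws:route53:::hostedzone/*`, you restrict changes to those zones only, reducing the blast radius and improving auditability. The `route53:ListHostedZones` statement must keep `\"*\"` as its resource."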