Posted On: Sep 21, 2022
Today, AWS introduced DNS resource record set permissions, enabling customers to define AWS Identity and Access Management (IAM) create, edit, and delete policies for individual or groups of DNS record sets within a Route 53 public or private hosted zone.
Previously, customers using Route 53 could specify permissions only at the hosted zone level, which provided authorized users with access to all resource record sets within a hosted zone but did not enable customers to restrict users to manage only those resource record sets for which they are responsible. With today’s release, you can now specify granular IAM policies to control who can create, edit, or delete individual resource record sets within a hosted zone. These granular permissions give individual DNS administrators direct ownership at the resource record set level, which may help customers avoid relying on a central team to manage changes for each resource record set on behalf of multiple other teams, thereby saving time and potentially reducing operational risks. To accommodate a broad range of use cases, you can specify permissions for individual resource record sets, for all resource record sets of a specific record type, such as A, MX, or CNAME, and for resource record sets matching a specified domain name prefix string.
This feature is now generally available in all AWS commercial regions. For information about how to use this feature, please visit Resource record set permissions in the Route 53 documentation.