From 62b5a52340dbce1716ad6735bb603628f34aaf5b Mon Sep 17 00:00:00 2001
From: crtr109 <209275807+crtr109@users.noreply.github.com>
Date: Sat, 19 Jul 2025 15:18:37 +0200
Subject: [PATCH 1/5] scoping the AWS IAM policy to explicitely defined AWS Route53 zones

---
 docs/tutorials/aws.md | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index 6585aa9e3..f59f0df3b 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -9,9 +9,6 @@ Record Sets and Hosted Zones. You'll want to create this Policy in IAM first. In
 our example, we'll call the policy `AllowExternalDNSUpdates` (but you can call
 it whatever you prefer).
 
-If you prefer, you may fine-tune the policy to permit updates only to explicit
-Hosted Zone IDs.
-
 ```json
 {
   "Version": "2012-10-17",
@@ -19,18 +16,18 @@ Hosted Zone IDs.
     {
       "Effect": "Allow",
       "Action": [
-        "route53:ChangeResourceRecordSets"
+        "route53:ChangeResourceRecordSets",
+        "route53:ListResourceRecordSets",
+        "route53:ListTagsForResources"
       ],
       "Resource": [
-        "arn:aws:route53:::hostedzone/*"
+        "arn:aws:route53:::hostedzone/"
       ]
     },
     {
       "Effect": "Allow",
       "Action": [
-        "route53:ListHostedZones",
-        "route53:ListResourceRecordSets",
-        "route53:ListTagsForResources"
+        "route53:ListHostedZones"
       ],
       "Resource": [
         "*"
@@ -51,10 +48,12 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
     {
       "Effect": "Allow",
       "Action": [
-        "route53:ChangeResourceRecordSets"
+        "route53:ChangeResourceRecordSets",
+        "route53:ListResourceRecordSets",
+        "route53:ListTagsForResources"
       ],
       "Resource": [
-        "arn:aws:route53:::hostedzone/*"
+        "arn:aws:route53:::hostedzone/"
       ],
       "Condition": {
         "ForAllValues:StringLike": {
@@ -67,9 +66,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
     {
       "Effect": "Allow",
       "Action": [
-        "route53:ListHostedZones",
-        "route53:ListResourceRecordSets",
-        "route53:ListTagsForResources"
+        "route53:ListHostedZones"
       ],
       "Resource": [
         "*"

From 4d6310d5436ff89f1b31b88d9262606346acd7f0 Mon Sep 17 00:00:00 2001
From: crtr109 <209275807+crtr109@users.noreply.github.com>
Date: Wed, 30 Jul 2025 17:24:31 +0200
Subject: [PATCH 2/5] Apply suggestions from code review

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
---
 docs/tutorials/aws.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index f59f0df3b..506bdb84d 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -21,7 +21,7 @@ it whatever you prefer).
         "route53:ListTagsForResources"
       ],
       "Resource": [
-        "arn:aws:route53:::hostedzone/"
+        "arn:aws:route53:::hostedzone/*"
       ]
     },
     {
@@ -53,7 +53,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
         "route53:ListTagsForResources"
       ],
       "Resource": [
-        "arn:aws:route53:::hostedzone/"
+        "arn:aws:route53:::hostedzone/*"
       ],
       "Condition": {
         "ForAllValues:StringLike": {

From 9ad952f5459c0281b19617c23681977c18abee2d Mon Sep 17 00:00:00 2001
From: crtr109 <209275807+crtr109@users.noreply.github.com>
Date: Wed, 30 Jul 2025 17:32:07 +0200
Subject: [PATCH 3/5] Update aws.md

---
 docs/tutorials/aws.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index 506bdb84d..482ca7950 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -76,6 +76,10 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
 }
 ```
 
+### Further improvements
+
+Both policies can be further enhanced by tightening them down. Following the [principle of least privelege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) and explicitely providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
+
 Additional resources:
 
 - AWS IAM actions [documentation](https://www.awsiamactions.io/?o=route53%3A)

From 681f1f7f7d6aff1973c15c49a63383017a6fabd6 Mon Sep 17 00:00:00 2001
From: crtr109 <209275807+crtr109@users.noreply.github.com>
Date: Thu, 31 Jul 2025 19:48:20 +0200
Subject: [PATCH 4/5] Update docs/tutorials/aws.md

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
---
 docs/tutorials/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index 482ca7950..fe46fd587 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -78,7 +78,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
 
 ### Further improvements
 
-Both policies can be further enhanced by tightening them down. Following the [principle of least privelege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) and explicitely providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
+Both policies can be further enhanced by tightening them down. Following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) and explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
 
 Additional resources:
 

From fb3c87e2be6f63dab599c85af4841fe297e5875e Mon Sep 17 00:00:00 2001
From: crtr109 <209275807+crtr109@users.noreply.github.com>
Date: Sun, 3 Aug 2025 11:26:34 +0200
Subject: [PATCH 5/5] Update aws.md

breaking up lines to make it pass markdown linting
---
 docs/tutorials/aws.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index fe46fd587..b308de16e 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -78,7 +78,8 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
 
 ### Further improvements
 
-Both policies can be further enhanced by tightening them down. Following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) and explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
+Both policies can be further enhanced by tightening them down following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
+Explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
 
 Additional resources: