4

I need to give an IAM user Route 53 access to create records under a subdomain, say data.example.com. For example, the user should be able to create a CNAME for server1.data.example.com. At the same time, I don't want the user to be able to add/modify/delete any records other than *.data.example.com.

Is it possible to write a policy that does that?

lfk

2 Answers

12

You can restrict by hosted zone, but not by sub-domain. Your Route53 hosted zones should be split up by subdomain if you'd like to restrict to specific subdomains. You can create a hosted zone for a subdomain:

For example if you wanted a subdomain named test you can do as the answer here summarizes well:

Create a hosted zone for test.example.com.

Note the 4 name servers that Route 53 assigns to the new hosted zone.

Back in the master zone, create a new resource record, with hostname "test" using record type NS, and enter the 4 name servers that Route 53 assigned, in the box below.

The above delegates control of that subdomain to this new hosted zone, which has a unique zone ID we can use in an IAM policy.

You can then build an IAM policy that restricts actions to this zone:

```json
{
   "Statement":[
      {
         "Action":[
            "route53:*"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:route53:::hostedzone/<The new zone ID>"
         ]
      },
      {
         "Action":[
            "route53:ListHostedZones"
         ],
         "Effect":"Allow",
         "Resource":[
            "*"
         ]
      }
   ]
}
```

From here you can tweak this policy to fit the actions you'd like the user to be able to take in this zone.

Brandon Miller
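The delegation and zone-scoped policy described in the answer above, as an added Python example that is not part of the original post: it builds the NS change batch for the parent zone, a policy narrower than `route53:*`, and a small evaluator that shows the policy permits record changes in the delegated zone but not in the parent zone. The zone IDs and name servers are constructed placeholders.

```python
# Added example (not code from the answers above): NS delegation change batch,
# a zone-scoped IAM policy, and a check of what that policy permits.
import fnmatch

CHILD_ZONE_ID = "ZCHILD0000EXAMPLE"                         # constructed
CHILD_NS = ["ns-1.awsdns-00.org.", "ns-2.awsdns-01.com."]  # constructed

def delegation_change_batch(subdomain, nameservers, ttl=172800):
    """Change batch applied in the parent zone: one NS record for the subdomain."""
    return {
        "Comment": f"Delegate {subdomain} to its own hosted zone",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": subdomain.rstrip(".") + ".",
                "Type": "NS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ns} for ns in nameservers],
            },
        }],
    }

def zone_scoped_policy(zone_id):
    """Narrower than the answer's route53:*: record edits in one zone, listing account-wide."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["route53:ChangeResourceRecordSets",
                        "route53:ListResourceRecordSets",
                        "route53:GetHostedZone"],
             "Resource": [f"arn:aws:route53:::hostedzone/{zone_id}"]},
            {"Effect": "Allow",
             "Action": ["route53:ListHostedZones", "route53:GetChange"],
             "Resource": ["*"]},
        ],
    }

def policy_allows(policy, action, resource):
    """Minimal evaluator: explicit Deny wins, otherwise any matching Allow.
    Wildcards only; conditions and resource policies are out of scope."""
    allowed = False
    for stmt in policy["Statement"]:
        acts = [a.lower() for a in stmt["Action"]]
        hit = (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
               and any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed
```

The evaluator only models identity-policy Allow/Deny matching; use the IAM policy simulator for the real decision.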
1

From the AWS Documentation

In a policy, you can grant or deny access to the following resources by using * for the ARN:

  • Health checks
  • Hosted zones
  • Reusable delegation sets
  • Status of a resource record set change batch (API only)
  • Traffic policies (traffic flow)
  • Traffic policy instances (traffic flow)

Not all Route 53 resources support permissions. You can't grant or deny access to the following resources:

  • Domains
  • Individual records
  • Namespaces (service discovery)
  • Services (service discovery)
  • Tags for domains
  • Tags for health checks
  • Tags for hosted zones

It basically means IAM's finest-grained control is the individual hosted zone (DNS zone file).

You can create a hosted zone only for the particular subdomain by following this AWS Guide.

Gapton