Commit
docs(route53): crossaccountrole scope-down guidance (#28624)
Reference [issue 28596](#28596)

The motivation is to help CDK builders understand how to take advantage of IAM scope-down capabilities to ensure least-privilege cross-account role access related to cross-account zone delegation.

The Cross Account Zone Delegation guidance currently includes a reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance.

E.g.

```ts
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});
```

should be more like:

```ts
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
  // You can scope down this role policy to be least privileged.
  // If you want the other account to be able to manage specific records,
  // you can scope down by resource and/or normalized record names
  inlinePolicies: {
    crossAccountPolicy: new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          sid: 'ListHostedZonesByName',
          effect: iam.Effect.ALLOW,
          actions: ['route53:ListHostedZonesByName'],
          // ListHostedZonesByName does not support resource-level permissions
          resources: ['*'],
        }),
        new iam.PolicyStatement({
          sid: 'GetHostedZoneAndChangeResourceRecordSet',
          effect: iam.Effect.ALLOW,
          // The IAM action name is plural: ChangeResourceRecordSets
          actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'],
          // This example assumes the RecordSet subdomain.someexample.com
          // is contained in the HostedZone
          resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
          conditions: {
            'ForAllValues:StringLike': {
              'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
                'subdomain.someexample.com',
              ],
            },
          },
        }),
      ],
    }),
  },
});
```

Closes #28596.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
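The statement in the commit message gates `ChangeResourceRecordSets` on two things at once: the hosted-zone ARN in `resources`, and the `ForAllValues:StringLike` condition on the normalized record names in the change batch. The example below is an added illustration, not CDK project code or anything from the PR: a small model of how IAM evaluates that statement, so a builder can see which change batches it admits before deploying the role. The policy data, the change requests and the `normalizeRecordName` helper are constructed here; the normalization is simplified to lowercasing and stripping a trailing dot (the real service also octal-escapes unusual characters), and only the `ForAllValues:StringLike` operator is modelled. Two behaviours it makes visible: `ForAllValues` requires every record name in a batch to match, and it also passes when the key is absent from the request (which is why `GetHostedZone`, which has no record names, still works in the same statement), and `*` in `StringLike` spans label boundaries, so `*.subdomain.someexample.com` also grants `a.b.subdomain.someexample.com`.

```typescript
// Added example (not aws-cdk code): a minimal model of how the scoped-down
// Route 53 statement is evaluated. Policy data, requests and the
// normalization rule are constructed for illustration and simplified.

interface Statement {
  sid: string;
  actions: string[];
  resources: string[];
  // Values of route53:ChangeResourceRecordSetsNormalizedRecordNames under
  // ForAllValues:StringLike; only that operator is modelled here.
  normalizedRecordNamePatterns?: string[];
}

interface ChangeRequest {
  action: string;
  hostedZoneArn: string;
  // Record names in the change batch, exactly as the caller sent them.
  // Empty for calls such as GetHostedZone that carry no record names.
  recordNames: string[];
}

// The scoped-down statement from the commit message, as plain data.
const scopedStatement: Statement = {
  sid: 'GetHostedZoneAndChangeResourceRecordSet',
  actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'],
  resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
  normalizedRecordNamePatterns: ['subdomain.someexample.com'],
};

// A hypothetical variant that delegates a whole subtree with a wildcard.
const wildcardStatement: Statement = {
  ...scopedStatement,
  sid: 'DelegateSubtree',
  normalizedRecordNamePatterns: ['*.subdomain.someexample.com'],
};

// Simplified Route 53 normalization (assumption): lowercase, no trailing dot.
function normalizeRecordName(name: string): string {
  return name.toLowerCase().replace(/\.$/, '');
}

// IAM StringLike: case-sensitive; '*' matches any run of characters,
// including dots, and '?' matches exactly one character.
function stringLike(pattern: string, value: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(value);
}

// Allow-only evaluation of a single statement against one request.
function isAllowed(stmt: Statement, req: ChangeRequest): boolean {
  if (!stmt.actions.some((a) => stringLike(a, req.action))) return false;
  if (!stmt.resources.some((r) => stringLike(r, req.hostedZoneArn))) return false;
  const patterns = stmt.normalizedRecordNamePatterns;
  if (patterns) {
    // ForAllValues: every value of the key in the request must match at
    // least one pattern. With no values present (e.g. GetHostedZone), the
    // set comparison is vacuously true, as in real IAM.
    const names = req.recordNames.map(normalizeRecordName);
    return names.every((n) => patterns.some((p) => stringLike(p, n)));
  }
  return true;
}

const zone = 'arn:aws:route53:::hostedzone/HZID00000000000000000';
const change = 'route53:ChangeResourceRecordSets';

// Stand-alone demonstration.
console.log(isAllowed(scopedStatement, { action: change, hostedZoneArn: zone, recordNames: ['SubDomain.someexample.com.'] }));
console.log(isAllowed(scopedStatement, { action: change, hostedZoneArn: zone, recordNames: ['subdomain.someexample.com', 'www.someexample.com'] }));
console.log(isAllowed(wildcardStatement, { action: change, hostedZoneArn: zone, recordNames: ['a.b.subdomain.someexample.com'] }));
```

Because a single out-of-scope name in a batch makes the whole call fail, a delegating account that needs several names should list each one, or use a wildcard pattern and accept that `*` matches across labels. If exact matching on a fixed set is wanted, `ForAllValues:StringEquals` with the full normalized names is the tighter choice.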