diff --git a/packages/aws-cdk-lib/aws-route53/README.md b/packages/aws-cdk-lib/aws-route53/README.md
index 91dc7baeee353..ce92008765691 100644
--- a/packages/aws-cdk-lib/aws-route53/README.md
+++ b/packages/aws-cdk-lib/aws-route53/README.md
@@ -182,7 +182,7 @@ new route53.ARecord(this, 'ARecord', {
 ### Cross Account Zone Delegation
 
 If you want to have your root domain hosted zone in one account and your subdomain hosted
-zone in a diferent one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
+zone in a different one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
 between them.
 
 In the account containing the parent hosted zone:
@@ -196,6 +196,36 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
 roleName: 'MyDelegationRole',
 // The other account
 assumedBy: new iam.AccountPrincipal('12345678901'),
+ // You can scope down this role policy to be least privileged.
+ // If you want the other account to be able to manage specific records,
+ // you can scope down by resource and/or normalized record names
+ inlinePolicies: {
+ crossAccountPolicy: new iam.PolicyDocument({
+ statements: [
+ new iam.PolicyStatement({
+ sid: 'ListHostedZonesByName',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:ListHostedZonesByName'],
+ resources: ['*'],
+ }),
+ new iam.PolicyStatement({
+ sid: 'GetHostedZoneAndChangeResourceRecordSet',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSet'],
+ // This example assumes the RecordSet subdomain.somexample.com
+ // is contained in the HostedZone
+ resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
+ conditions: {
+ 'ForAllValues:StringLike': {
+ 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
+ 'subdomain.someexample.com',
+ ],
+ },
+ },
+ }),
+ ],
+ }),
+ },
 });
 parentZone.grantDelegation(crossAccountRole);
 ```