docs(route53): crossaccountrole scope-down guidance

[miiiak]

Reference issue 28596

The motivation is to help CDK builders understand how to take advantage of IAM scope-down capabilities to ensure least-privilege cross-account role access related to cross account zone delegation.

The Cross Account Zone Delegation guidance currently includes reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance.

E.g.

const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});

should be more like:

const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
      // The role name must be predictable
      roleName: 'MyDelegationRole',
      // The other account
      assumedBy: new iam.AccountPrincipal('12345678901'),
      // You can scope down this role policy to be least privileged.
      // If you want the other account to be able to manage specific records,
      // you can scope down by resource and/or normalized record names
      inlinePolicies: {
        "crossAccountPolicy": new iam.PolicyDocument({
          statements: [
            new iam.PolicyStatement({
              sid: "ListHostedZonesByName",
              effect: iam.Effect.ALLOW,
              actions: ["route53:ListHostedZonesByName"],
              resources: ["*"]
            }),
            new iam.PolicyStatement({
              sid: "GetHostedZoneAndChangeResourceRecordSet",
              effect: iam.Effect.ALLOW,
              actions: ["route53:GetHostedZone", "route53:ChangeResourceRecordSet"],
              // This example assumes the RecordSet subdomain.somexample.com 
              // is contained in the HostedZone
              resources: ["arn:aws:route53:::hostedzone/HZID00000000000000000"],
              conditions: {
                "ForAllValues:StringLike": {
                  "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                  "subdomain.someexample.com"
                ]

                }
              }
            })
    });

Closes #28596.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[miiiak]

Clarification Request - Are test file / integration tests required for README updates? If yes, should I assume the necessary test is to prove that the updated snippets synthesize and build correctly, or what is the expectation?

[kaizencc]

I'm happy to accept this, and thanks for improving our docs. However, the build has to succeed, and we run our readme examples to make sure they compile (and yours does not). once yours does, i'll approve.

to check if your example compiles, you can run yarn rosetta after building aws-cdk-lib

[kaizencc]

nit: i want a comma here and in all other places that should have punctuation

[miiiak]

Ack, should be resolved.

[kaizencc]

the formatting here is inconsistent with the rest of the doc in terms of tabs

[miiiak]

Not sure I follow, I see other comments in the doc follow the tab alignment of the line of code below it that it speaks to. Can you clarify?

[kaizencc]

here is your rich diff. the tab alignment is off

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Pull request has been modified.

[kaizencc]

Thanks @miiiak!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: e235532
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).