我已经编写了 IAM 策略来限制 IAM 用户仅使用单个托管区域进行测试,但是如何限制 IAM 用户删除此托管区域的 NS 记录和 SOA 记录集。
PFB 我的 IAM 政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ListTrafficPolicyVersions",
"route53:GetHostedZone",
"route53:GetHealthCheck",
"route53:DeleteHealthCheck",
"route53:UpdateHealthCheck",
"route53:ListQueryLoggingConfigs",
"route53:ListResourceRecordSets",
"route53:GetTrafficPolicyInstance",
"route53:UpdateHostedZoneComment",
"route53:GetQueryLoggingConfig",
"route53:UpdateTrafficPolicyComment",
"route53:UpdateTrafficPolicyInstance",
"route53:GetHealthCheckLastFailureReason",
"route53:GetHealthCheckStatus",
"route53:ListTrafficPolicyInstancesByHostedZone",
"route53:ListVPCAssociationAuthorizations",
"route53:GetReusableDelegationSetLimit",
"route53:ChangeResourceRecordSets",
"route53:GetReusableDelegationSet",
"route53:ListTagsForResource",
"route53:ListTagsForResources",
"route53:ListTrafficPolicyInstancesByPolicy",
"route53:GetHostedZoneLimit",
"route53:GetTrafficPolicy"
],
"Resource": "arn:aws:route53:::hostedzone/Z03200001ZUWD7XXXXXXX"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"route53:ListReusableDelegationSets",
"route53:ListTrafficPolicyInstances",
"route53:GetTrafficPolicyInstanceCount",
"route53:CreateReusableDelegationSet",
"route53:CreateTrafficPolicy",
"route53:TestDNSAnswer",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:GetAccountLimit",
"route53:GetCheckerIpRanges",
"route53:ListHealthChecks",
"route53:CreateHealthCheck",
"route53:ListTrafficPolicies",
"route53:GetGeoLocation",
"route53:ListGeoLocations",
"route53:GetHostedZoneCount",
"route53:GetHealthCheckCount"
],
"Resource": "*"
}
]
}
答案1
Route53 中的 SOA 记录无法删除。它是任何 DNS 区域的组成部分。我相信 NS 记录也无法删除,它们由 Route53 管理。无论您的 IAM 权限如何。
答案2
如果您使用 Route53 创建了托管区域,则会自动创建 2 个记录集,即 NS 记录和 SOA 记录。没有人会删除 NS,也无法删除 SOA 记录。