Learn about the various AWS IAM roles and permissions that you require to configure DNS for private IPs between the two AWS accounts. These roles or permissions ensure that DNS queries resolve securely across AWS accounts with proper access control.

Note:

Verify that the VPCs in both accounts peer properly. For more information about VPC peering, see Setting up VPC peering between the AWS accounts.

Control Room account permissions

The IAM user or role requires the following permissions in the Control Room AWS account:

Route 53 permissions
  • route53:CreateHostedZone - To create a new hosted zone.
  • route53:ListHostedZones - To list all hosted zones.
  • route53:GetHostedZone - To retrieve the details of a specific hosted zone.
  • route53:ChangeResourceRecordSets - To create, update, and delete DNS records.
  • route53:ListResourceRecordSets - To list DNS records in a hosted zone.
  • route53:CreateVPCAssociationAuthorization - To authorize a VPC in the API Task Infrastructure AWS account to be associated with a hosted zone in the Control Room AWS account.
  • route53:ListVPCAssociationAuthorizations - To list existing VPC association authorizations.
VPC permissions
  • ec2:DescribeVpcs - To retrieve information about one or more Virtual Private Clouds (VPCs).
ACM permissions
  • acm:RequestCertificate - To request a new certificate.
  • acm:DescribeCertificate - To retrieve details of a specific certificate.
  • acm:ListCertificates - To list all the certificates.
EC2 Load balancer permissions
  • elasticloadbalancing:DescribeLoadBalancers - To retrieve details of all load balancers.
  • elasticloadbalancing:CreateListener - To create a new listener for a load balancer.
  • elasticloadbalancing:ModifyListener - To modify an existing listener.
  • elasticloadbalancing:DescribeListeners - To retrieve details of all listeners.
The following is an example of a policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Route53Permissions",
      "Effect": "Allow",
      "Action": [
        "route53:CreateHostedZone",
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:CreateVPCAssociationAuthorization",
        "route53:ListVPCAssociationAuthorizations"
      ],
      "Resource": ""
    },
    {
      "Sid": "AllowDescribeVpcs",
      "Effect": "Allow",
      "Action": "ec2:DescribeVpcs",
      "Resource": ""
    },
    {
      "Sid": "ACMPermissions",
      "Effect": "Allow",
      "Action": [
        "acm:RequestCertificate",
        "acm:DescribeCertificate",
        "acm:ListCertificates"
      ],
      "Resource": ""
    },
    {
      "Sid": "ELBPermissions",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:DescribeListeners"
      ],
      "Resource": ""
    }
  ]
}

Enter your Amazon Resource Names (ARNs) in the Resource parameter. Some of the listed actions (for example ec2:DescribeVpcs, route53:ListHostedZones, acm:ListCertificates and the elasticloadbalancing:Describe* actions) do not support resource-level permissions; their Resource must be "*" or the request is denied.

API Task account permissions

The IAM user or role requires the following permissions in the API Task AWS account:

Route 53 permissions
  • route53:AssociateVPCWithHostedZone - To associate a VPC with a hosted zone. This permission allows you to associate the VPC in the API Task AWS account with the private hosted zone in the Control Room AWS account.
VPC permissions
  • ec2:DescribeVpcs - To retrieve information about one or more Virtual Private Clouds (VPCs).
The following is an example of a policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Route53Permissions",
      "Effect": "Allow",
      "Action": "route53:AssociateVPCWithHostedZone",
      "Resource": ""
    },
    {
      "Sid": "AllowDescribeVpcs",
      "Effect": "Allow",
      "Action": "ec2:DescribeVpcs",
      "Resource": ""
    }
  ]
}

Enter your Amazon Resource Names (ARNs) in the Resource parameter; ec2:DescribeVpcs does not support resource-level permissions, so its Resource must be "*".

Trust relationship policy

For cross-account operations, the IAM roles or users in both accounts must have the necessary trust relationships configured. A trust relationship is a policy attached to an IAM role that specifies the trusted entities or services allowed to assume that role. Following the example below, attach a trust relationship policy to the IAM role in the Control Room account so that an IAM role in the API Task account can assume it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:role/RoleNameInAccountB"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Where ACCOUNT_B_ID is the AWS account ID of the API Task account and RoleNameInAccountB is the IAM role in that account.
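Before attaching the two permission policies and the trust policy above, it is worth linting them for the mistakes a copy-and-paste tends to leave behind: an empty Resource, stray whitespace inside an action name, an action that only works with "*", or an unreplaced ACCOUNT_B_ID placeholder. The following checker is an added example, not part of this page or any AWS tooling; the set of wildcard-only actions is my reading of the AWS service authorization reference and is an assumption.

```python
"""Lint the policy documents on this page before attaching them (added example, not AWS or vendor tooling)."""
import json
import re

# Actions on this page that do not support resource-level permissions, so an
# ARN in Resource silently denies them; only "*" works (my reading of the AWS
# service authorization reference, stated here as an assumption).
WILDCARD_ONLY = {
    "route53:CreateHostedZone", "route53:ListHostedZones", "ec2:DescribeVpcs",
    "acm:ListCertificates", "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeListeners",
}
# A concrete IAM role or user ARN: 12-digit account ID, no leftover placeholder.
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def check_permissions_policy(doc: str) -> list:
    """Return human-readable problems found in an identity-based policy JSON string."""
    problems = []
    for stmt in json.loads(doc)["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", ""))
        if "" in resources:
            problems.append(f"{sid}: Resource is empty; fill in an ARN or '*'")
        for action in _as_list(stmt["Action"]):
            if action != action.strip():  # e.g. "route53:AssociateVPCWithHostedZone "
                problems.append(f"{sid}: action {action!r} has stray whitespace")
            if action.strip() in WILDCARD_ONLY and resources != ["*"]:
                problems.append(f"{sid}: {action.strip()} only works with Resource '*'")
    return problems

def check_trust_policy(doc: str) -> list:
    """Return problems in a role trust policy: placeholder principal or wrong action."""
    problems = []
    for stmt in json.loads(doc)["Statement"]:
        principal = stmt.get("Principal", {}); principal = principal.get("AWS", "") if isinstance(principal, dict) else str(principal)
        if not PRINCIPAL_ARN.match(principal):
            problems.append(f"Principal {principal!r} is not a concrete IAM ARN")
        if stmt.get("Action") != "sts:AssumeRole":
            problems.append("trust policy Action should be exactly sts:AssumeRole")
    return problems

# Constructed sample: the API Task account policy with the page's placeholders left unfilled.
API_TASK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Route53Permissions", "Effect": "Allow",
     "Action": "route53:AssociateVPCWithHostedZone ", "Resource": ""},
    {"Sid": "AllowDescribeVpcs", "Effect": "Allow", "Action": "ec2:DescribeVpcs", "Resource": ""}]})
print(*check_permissions_policy(API_TASK_POLICY), sep="\n")
```

Run on the unfilled API Task policy it reports four problems (two empty Resource values, the trailing space in the action name, and ec2:DescribeVpcs needing "*"); a filled-in policy and a trust policy with a real 12-digit account ID produce no output.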