Write an AWS JSON policy to allow an account to only manage certain domains in Route 53

Problem:

I needed to allow a 3rd party access to only two domains within Route 53 and nothing else within our AWS account.

Solution:

Use the following JSON code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicHostedZonePermissions",
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets",
                "route53:DeleteHostedZone",
                "route53:UpdateHostedZoneComment",
                "route53:CreateHostedZone",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:GetHealthCheckCount"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/Z6PSNF310ED93Q",
                "arn:aws:route53:::hostedzone/Z84SLOFLWBG2SL"
            ]
        }
    ]
}
You then need to send the user a link to the Route 53 hosted zone that includes its ID, like the one below:

https://console.aws.amazon.com/route53/home?region=us-east-1#resource-record-sets:<hosted-zone-ID>

AWS explains why this is necessary below:

‘API actions such as “ListHostedZones” do not support resource-level permissions; when you go to the console page as the user, you get no hosted zones listed. This is due to the fact that a resource ARN was specified, and the API call doesn’t support it and therefore yields no results.

There is a workaround to this issue, although it is not a perfect solution. Essentially, you can use a policy such as the one listed above and still allow users to interact with a hosted zone and all of its contents if you direct-link to the hosted zone’s management page. What that means is, as the administrator with full access to Route 53, copy out the URL of the resource records page in AWS Route 53 and provide that link to the Route 53 user you are provisioning. This will allow the Route 53 user to bypass the hosted-zones list screen, effectively limiting the domains they can interact with (as per your request). The URL will look similar to the one shown below:

https://console.aws.amazon.com/route53/home?region=us-east-1#resource-record-sets:<hosted-zone-ID>

You will have to ensure the <hosted-zone ID> on the URL reflects the ID of the hosted zone you want your user to have access to. The same approach should be applied for the resource ARNs in the policy listed above. Should you decide to use this workaround, I would recommend your Route 53 user bookmark those links to the hosted zones for the sake of quick, convenient access.’
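The following Python script is an added example, not code from the original post or from AWS. It generates the zone-scoped policy and the console deep links for a list of hosted zone IDs, and it checks a policy for the problem the AWS reply describes: actions that do not support resource-level permissions (ListHostedZones, ListHostedZonesByName, CreateHostedZone, GetHealthCheckCount) are silently ineffective when paired with a hostedzone ARN. The split of actions into "zone-scoped" and "unscoped", and the hosted zone ID pattern, are assumptions based on the post and the AWS IAM service authorization reference for Route 53; the zone IDs used in the main block are the ones from the post.

```python
"""Build a Route 53 policy scoped to specific hosted zones and the console
deep links the workaround relies on, and flag actions that a hostedzone ARN
cannot scope. Added example; the action groupings are assumptions drawn
from the post and the AWS service authorization reference, not an AWS API."""
import json
import re

# Actions that accept a hostedzone ARN in "Resource" (assumption, see lead-in).
ZONE_SCOPED_ACTIONS = (
    "route53:GetHostedZone",
    "route53:ChangeResourceRecordSets",
    "route53:ListResourceRecordSets",
    "route53:DeleteHostedZone",
    "route53:UpdateHostedZoneComment",
)

# Actions from the post's policy that only work with Resource "*"; listed
# against a hostedzone ARN they match nothing and are never allowed.
UNSCOPED_ACTIONS = (
    "route53:CreateHostedZone",
    "route53:ListHostedZones",
    "route53:ListHostedZonesByName",
    "route53:GetHealthCheckCount",
)

# The nine actions the post's policy lists, in the same order.
POST_ACTIONS = ZONE_SCOPED_ACTIONS + UNSCOPED_ACTIONS

# Hosted zone IDs are uppercase alphanumerics beginning with Z (assumption).
ZONE_ID_RE = re.compile(r"^Z[A-Z0-9]{1,31}$")
ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"


def _check_zone_id(zone_id):
    if not ZONE_ID_RE.match(zone_id):
        raise ValueError(f"not a hosted zone ID: {zone_id!r}")
    return zone_id


def zone_arn(zone_id):
    """Route 53 hosted zone ARNs carry no region and no account ID."""
    return ZONE_ARN_PREFIX + _check_zone_id(zone_id)


def console_link(zone_id, region="us-east-1"):
    """Deep link to a zone's record sets, bypassing the hosted-zones list."""
    return (f"https://console.aws.amazon.com/route53/home?region={region}"
            f"#resource-record-sets:{_check_zone_id(zone_id)}")


def build_policy(zone_ids, sid="AllowPublicHostedZonePermissions"):
    """Allow only the zone-scoped actions, only on the given zones."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": list(ZONE_SCOPED_ACTIONS),
            "Resource": [zone_arn(z) for z in zone_ids],
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def ineffective_actions(policy):
    """Return actions that are paired only with hostedzone ARNs but do not
    support resource-level permissions: they grant nothing as written."""
    found = []
    for stmt in policy.get("Statement", []):
        resources = _as_list(stmt.get("Resource"))
        if resources and all(r.startswith(ZONE_ARN_PREFIX) for r in resources):
            found.extend(a for a in _as_list(stmt.get("Action"))
                         if a in UNSCOPED_ACTIONS)
    return found


if __name__ == "__main__":
    zones = ["Z6PSNF310ED93Q", "Z84SLOFLWBG2SL"]  # IDs from the post
    print(json.dumps(build_policy(zones), indent=4))
    for z in zones:
        print("send to user:", console_link(z))
    original = {"Statement": [{"Effect": "Allow",
                               "Action": list(POST_ACTIONS),
                               "Resource": [zone_arn(z) for z in zones]}]}
    print("dead weight in the post's policy:", ineffective_actions(original))
```

Running the script prints the trimmed policy, the two deep links, and the four actions from the post's policy that never take effect. Granting those list actions would need a second statement with Resource "*", which exposes the names of every hosted zone in the account; that trade-off is why the deep link, rather than ListHostedZones, is used to get the user to the zones they are allowed to edit.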
