aws-route53: Include CrossAccountRole scope-down guidance

[miiiak]

Describe the issue

The Cross Account Zone Delegation guidance includes reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance.

E.g.

const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});

should be more like:

const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
      // The role name must be predictable
      roleName: 'MyDelegationRole',
      // The other account
      assumedBy: new iam.AccountPrincipal('12345678901'),
      // You can scope down this role policy to be least privileged.
      // If you want the other account to be able to manage specific records,
      // you can scope down by resource and/or normalized record names
      inlinePolicies: {
        "crossAccountPolicy": new iam.PolicyDocument({
          statements: [
            new iam.PolicyStatement({
              sid: "ListHostedZonesByName",
              effect: iam.Effect.ALLOW,
              actions: ["route53:ListHostedZonesByName"],
              resources: ["*"]
            }),
            new iam.PolicyStatement({
              sid: "GetHostedZoneAndChangeResourceRecordSet",
              effect: iam.Effect.ALLOW,
              actions: ["route53:GetHostedZone", "route53:ChangeResourceRecordSet"],
              // This example assumes the RecordSet subdomain.somexample.com 
              // is contained in the HostedZone
              resources: ["arn:aws:route53:::hostedzone/HZID00000000000000000"],
              conditions: {
                "ForAllValues:StringLike": {
                  "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                  "subdomain.someexample.com"
                ]

                }
              }
            })
    });

Links

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53-readme.html#cross-account-zone-delegation

[miiiak]

Worth noting I work at AWS, alias tjbryant. Working on a PR, but I wanted to follow the process and submit an issue.

[pahud]

Yes we should always scope down the policies when necessary.

I guess we can improve here?

aws-cdk/packages/aws-cdk-lib/aws-route53/README.md

Lines 182 to 227 in fdf4830

	### Cross Account Zone Delegation
	If you want to have your root domain hosted zone in one account and your subdomain hosted
	zone in a diferent one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
	between them.
	In the account containing the parent hosted zone:
	```ts
	const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
	zoneName: 'someexample.com',
	});
	const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
	// The role name must be predictable
	roleName: 'MyDelegationRole',
	// The other account
	assumedBy: new iam.AccountPrincipal('12345678901'),
	});
	parentZone.grantDelegation(crossAccountRole);
	```
	In the account containing the child zone to be delegated:
	```ts
	const subZone = new route53.PublicHostedZone(this, 'SubZone', {
	zoneName: 'sub.someexample.com',
	});
	// import the delegation role by constructing the roleArn
	const delegationRoleArn = Stack.of(this).formatArn({
	region: '', // IAM is global in each partition
	service: 'iam',
	account: 'parent-account-id',
	resource: 'role',
	resourceName: 'MyDelegationRole',
	});
	const delegationRole = iam.Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);
	// create the record
	new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
	delegatedZone: subZone,
	parentHostedZoneName: 'someexample.com', // or you can use parentHostedZoneId
	delegationRole,
	});
	```

[miiiak]

Correct Pahud, that's my proposal. PR added #28624

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.