AWS policy: need explanation for the "ForAllValues" qualifier


I have this SCP attached to account A in my org:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [
          "route53:ChangeResourceRecordSets"
        ],
        "Resource": "*",
        "Condition": {
          "ForAllValues:StringEquals": {
            "route53:ChangeResourceRecordSetsRecordTypes": [
              "A",
              "AAAA"
            ]
          }
        }
      }
    ]
  }

As I understand:

  • the SCP will deny if each and every record's type in my request equals A or AAAA
  • the SCP will not deny if at least one record's type in my request is not equal A or AAAA

However, when I create R53 records in account A using the console:

the SCP still blocks the request, even though the request contains a record of type "CNAME", which is not A or AAAA.

What is wrong in my understanding of this "ForAllValues"? Please help me. Thanks.
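To see what the two set qualifiers actually do to a request, here is a small model that replays the SCP from the question against constructed record-type sets. This is an added example, not code from the original post or from AWS; it implements the semantics AWS documents for the ForAllValues and ForAnyValue qualifiers (ForAllValues holds when every request value is in the policy set, and also when the request carries no value for the key; ForAnyValue holds when at least one request value matches). The action name, condition key and record types are the ones on this page; the request sets and the `with_qualifier` helper are constructed for the demonstration. The model evaluates one request at a time, so the useful companion check is the CloudTrail event for the console operation, which shows which record types each ChangeResourceRecordSets call really carried.

```python
"""Replay an SCP's set-operator condition against constructed requests.

Added example for this thread, not code from the original post or from AWS.
It implements the documented semantics of the ForAllValues and ForAnyValue
qualifiers so the question's SCP can be evaluated offline against the set of
record types a single ChangeResourceRecordSets request carries.
"""
import copy
import json

ACTION = "route53:ChangeResourceRecordSets"
KEY = "route53:ChangeResourceRecordSetsRecordTypes"

# The SCP from the question, reproduced as JSON.
QUESTION_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA"]
        }
      }
    }
  ]
}
""")


def set_operator_matches(qualifier, policy_values, request_values):
    """True when the qualified condition is satisfied.

    ForAllValues: every value in the request must appear in the policy set.
    An empty request set (key absent from the request) also satisfies it,
    which is the documented behaviour and why AWS recommends this qualifier
    only in Deny statements.
    ForAnyValue: at least one request value must appear in the policy set;
    an empty request set never satisfies it.
    """
    policy = set(policy_values if isinstance(policy_values, list) else [policy_values])
    request = set(request_values)
    if qualifier == "ForAllValues":
        return request <= policy
    if qualifier == "ForAnyValue":
        return bool(request & policy)
    raise ValueError(f"unsupported set qualifier: {qualifier}")


def statement_applies(stmt, action, request_context):
    """True when the statement's Action matches and every condition block holds.

    Only the multivalued forms ("ForAllValues:StringEquals" and
    "ForAnyValue:StringEquals") are modelled; a bare StringEquals against a
    multivalued key is out of scope here.
    """
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    for cond_key, pairs in stmt.get("Condition", {}).items():
        qualifier, _, operator = cond_key.partition(":")
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition: {cond_key}")
        for key, policy_values in pairs.items():
            request_values = request_context.get(key, [])  # absent key -> empty set
            if not set_operator_matches(qualifier, policy_values, request_values):
                return False
    return True


def scp_denies(scp, action, request_context):
    """An SCP is a filter: an explicit Deny whose conditions hold always wins."""
    return any(
        stmt["Effect"] == "Deny" and statement_applies(stmt, action, request_context)
        for stmt in scp["Statement"]
    )


def with_qualifier(scp, qualifier):
    """Copy of the SCP with its set qualifier swapped (hypothetical helper, for comparison)."""
    out = copy.deepcopy(scp)
    for stmt in out["Statement"]:
        stmt["Condition"] = {
            f"{qualifier}:{ck.partition(':')[2]}": v
            for ck, v in stmt.get("Condition", {}).items()
        }
    return out


if __name__ == "__main__":
    # Constructed record-type sets, each standing for one ChangeResourceRecordSets call.
    any_scp = with_qualifier(QUESTION_SCP, "ForAnyValue")
    for types in (["A"], ["A", "AAAA"], ["A", "CNAME"], ["CNAME"], []):
        ctx = {KEY: types}
        print(f"{str(types):16} ForAllValues denies: {scp_denies(QUESTION_SCP, ACTION, ctx)!s:5} "
              f"ForAnyValue denies: {scp_denies(any_scp, ACTION, ctx)}")
```

Running it shows the asymmetry the question is about: under ForAllValues a request carrying both A and CNAME is not denied, a request carrying only A or AAAA is, and a request with no record types at all is also denied because the empty set trivially satisfies "all values match".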

1 Answer

Your understanding of the "ForAllValues" condition is correct, but it seems there might be a misunderstanding in the way Route 53 record types are handled in the SCP condition.

The "ForAllValues" condition in the SCP denies the action if all the specified values match in the request. However, in your case, the "route53:ChangeResourceRecordSetsRecordTypes" condition doesn't actually refer to the types of records you are creating (like A, AAAA, or CNAME). Instead, it refers to the record types that the IAM user or role performing the action is allowed to change.

So, the SCP you provided will deny the "route53:ChangeResourceRecordSets" action for all record types (A and AAAA) if all the values in the "route53:ChangeResourceRecordSetsRecordTypes" condition match those specified in the SCP. It doesn't check the record types being created; rather, it checks the types of records that can be changed.

To allow changes to CNAME records while still restricting changes to A and AAAA records, you need to modify the SCP to allow the "route53:ChangeResourceRecordSets" action for the CNAME record type. You can achieve this by modifying the SCP as follows:


  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [
          "route53:ChangeResourceRecordSets"
        ],
        "Resource": "*",
        "Condition": {
          "ForAllValues:StringEquals": {
            "route53:ChangeResourceRecordSetsRecordTypes": [
              "A",
              "AAAA"
            ]
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "route53:ChangeResourceRecordSets"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "route53:ChangeResourceRecordSetsRecordTypes": "CNAME"
          }
        }
      }
    ]
  }

With this modification, the SCP denies changes to A and AAAA records but allows changes to CNAME records. Make sure to attach this updated SCP to your AWS account. After that, the IAM users or roles in your account will be able to change CNAME records without being blocked by the SCP.

answered 2 months ago
