AWS Route 53 Integration
To allow our platform to manage DMARC, SPF, and other email security records in your AWS account, you need to create an IAM Role. This role grants our service temporary, limited permissions to modify specific DNS records in your Route 53 hosted zones. This is the most secure method recommended by AWS, as it does not require you to share your permanent security credentials with us. The process involves three main steps: creating a permissions policy, creating the role with a trust relationship, and providing the role's ARN to our platform.
Step 1: Create the Least-Privilege IAM Permissions Policy
This policy defines the exact actions our service is allowed to perform. It is crafted according to the principle of least privilege, granting only the absolute minimum permissions required for our service to function.
1. Navigate to the IAM service in your AWS Management Console.
2. In the left navigation pane, select Policies.
3. Click the Create policy button.
4. Select the JSON tab.
5. Delete the existing content in the editor and paste the following policy document. This policy allows our service to list your hosted zones (so you can select the correct one in our dashboard) and to change only TXT and CNAME records, which are necessary for email security protocols.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListHostedZones",
            "Effect": "Allow",
            "Action": "route53:ListHostedZones",
            "Resource": "*"
        },
        {
            "Sid": "AllowChangeEmailSecurityRecords",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["TXT", "CNAME"]
                }
            }
        }
    ]
}
```
This granular policy relies on the route53:ChangeResourceRecordSetsRecordTypes condition key that AWS provides for Route 53 and documents officially; it restricts the ChangeResourceRecordSets permission to the listed record types. As a result, our platform cannot modify critical records such as A, AAAA, or MX records.
6. Click Next: Tags.
7. (Optional) Add any tags you wish to associate with this policy. Click Next: Review.
8. Give the policy a descriptive name, such as EasyDMARC-Route53-Access-Policy.
9. Provide a brief description, for example, "Allows EasyDMARC to manage DMARC, SPF, and MTA-STS records in Route 53."
10. Review the policy summary and click Create policy.
Step 2: Create the IAM Role and Establish the Trust Relationship
Now you will create the IAM Role that our service will assume. This step involves establishing the trust relationship between your AWS account and ours.
1. In the IAM console, select Roles from the left navigation pane.
2. Click the Create role button.
3. For the trusted entity type, select AWS account.
4. Below that, select Another AWS account.
5. In the Account ID field, enter our service's AWS Account ID: ``.
6. Under Options, check the box for Require external ID. This is a critical security measure that prevents the "confused deputy" problem, where a malicious actor could trick our service into accessing your account.
7. In the External ID field, enter the unique ID generated for you in our platform's integration setup page. It will look similar to easydmarc-a1b2c3d4e5f6. This ID is a shared secret between you and our service, ensuring that only our legitimate requests on your behalf can assume this role.
8. Click Next.
9. On the Add permissions page, search for the policy you created in Step 1 (e.g., EasyDMARC-Route53-Access-Policy).
10. Check the box next to the policy and click Next.
11. Give the role a descriptive name, such as EasyDMARC-Route53-Integration-Role.
12. Review the role details, ensuring the trusted entity is correct and the correct permissions policy is attached.
13. Click Create role.
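Before pasting the ARN into our dashboard, it is worth verifying that the two documents from Step 1 and Step 2 are as tight as intended. The following checker is an added example (not part of this guide or of EasyDMARC's tooling); it runs offline on policy JSON you paste in, flags a permissions policy that grants ChangeResourceRecordSets without the TXT/CNAME record-type condition or on something other than a hosted zone ARN, and flags a trust policy that allows sts:AssumeRole without an sts:ExternalId condition. The embedded sample documents are constructed, with placeholder account and external IDs.

```python
import fnmatch
import json

# Constructed samples with placeholder IDs. GOOD_TRUST has the shape the IAM console
# produces for "Another AWS account" + "Require external ID"; WEAK_PERMS is an
# over-broad permissions policy that the checks below should flag.
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "easydmarc-EXTERNAL-ID-PLACEHOLDER"}}}]})
WEAK_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "route53:*", "Resource": "*"}]})
ALLOWED_TYPES = {"TXT", "CNAME"}

def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and condition values; normalise."""
    return value if isinstance(value, list) else [value]

def _grants(statement, action):
    """True if an Allow statement grants `action`; IAM action names may use * (e.g. route53:*)."""
    patterns = _as_list(statement.get("Action", []))
    return statement.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def check_trust_policy(doc):
    """Findings for sts:AssumeRole grants that do not require an external ID."""
    findings = []
    for st in json.loads(doc)["Statement"]:
        if _grants(st, "sts:AssumeRole"):
            if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
                findings.append("sts:AssumeRole allowed without an sts:ExternalId condition")
    return findings

def check_permissions_policy(doc):
    """Findings for ChangeResourceRecordSets grants broader than TXT/CNAME on hosted zones."""
    findings = []
    for st in json.loads(doc)["Statement"]:
        if not _grants(st, "route53:ChangeResourceRecordSets"):
            continue
        types = st.get("Condition", {}).get("ForAllValues:StringEquals", {}).get(
            "route53:ChangeResourceRecordSetsRecordTypes")
        extra = set(_as_list(types or [])) - ALLOWED_TYPES
        if types is None:
            findings.append("ChangeResourceRecordSets is not restricted by record type")
        elif extra:
            findings.append(f"record types beyond TXT/CNAME allowed: {sorted(extra)}")
        for res in _as_list(st.get("Resource", [])):
            if not res.startswith("arn:aws:route53:::hostedzone/"):
                findings.append(f"resource is not a Route 53 hosted zone ARN: {res}")
    return findings
```

An empty list from both functions means the role can only be assumed with your external ID and can only touch TXT and CNAME records in hosted zones.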
Step 3: Finalize the Connection
The final step is to retrieve the Amazon Resource Name (ARN) of the role you just created and provide it to our platform.
1. From the IAM Roles list, click on the name of the role you just created (e.g., EasyDMARC-Route53-Integration-Role).
2. On the role's summary page, you will see the ARN. It will look like arn:aws:iam:::role/EasyDMARC-Route53-Integration-Role.
3. Click the copy icon next to the ARN to copy it to your clipboard.
4. Return to the Route 53 integration page in our dashboard, paste the ARN into the designated field, and click "Connect" or "Save". Our platform will then test the connection to ensure the role is configured correctly.
Note: You can configure multiple accounts for every DNS provider we support. The integration page shows an overview of all accounts that are configured with EasyDMARC.

If you have any questions, feel free to reach out to EasyDMARC's Support team!