I am trying to write an IAM policy to restrict public hosted zones and allow only private zones.
I see that the IAM action is the same for both private and public create: route53:CreateHostedZone.
How can this be achieved?
I don't think this is possible using IAM policies.
Taking a look at the table that lists the actions and supported condition keys, we can see that there is no specific condition key for the CreateHostedZone action.
That means the only applicable condition keys are the global condition keys, which unfortunately won't help you either. As a result, preventing this action doesn't appear to be possible.
This leaves you with the option of detecting it, and in that case you might want to use AWS Config and write a custom rule for it. You can then also configure a Lambda function to delete the public hosted zone automatically if it has been created.
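As an added example (not from the answer above, and not AWS's own sample code), here is what the detection side of that approach can look like: the evaluation logic of a periodic AWS Config custom Lambda rule that marks every public Route 53 hosted zone NON_COMPLIANT. The function and variable names are my own, the sample zones are constructed, and boto3 is only imported inside the handler so the evaluation logic runs offline.

```python
import json

# Constructed sample in the shape returned by route53 list_hosted_zones();
# "Config.PrivateZone" is the only field that distinguishes zone types.
SAMPLE_ZONES = [
    {"Id": "/hostedzone/ZPRIVATE0001", "Name": "corp.internal.",
     "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/ZPUBLIC00001", "Name": "example.com.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZNOCONFIG001", "Name": "legacy.example.net."},
]


def evaluate_hosted_zones(zones, timestamp):
    """Map hosted-zone records to AWS Config evaluation entries.

    A zone is COMPLIANT only when Config.PrivateZone is True; a missing
    Config block is treated as public, which is the conservative reading.
    """
    evaluations = []
    for zone in zones:
        private = zone.get("Config", {}).get("PrivateZone", False)
        zone_id = zone["Id"].split("/")[-1]  # "/hostedzone/Z123" -> "Z123"
        evaluations.append({
            "ComplianceResourceType": "AWS::Route53::HostedZone",
            "ComplianceResourceId": zone_id,
            "ComplianceType": "COMPLIANT" if private else "NON_COMPLIANT",
            "Annotation": ("Private hosted zone" if private
                           else f"Public hosted zone {zone['Name']} is not allowed"),
            "OrderingTimestamp": timestamp,
        })
    return evaluations


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule on its schedule."""
    import boto3  # imported here so evaluate_hosted_zones() is testable offline
    invoking_event = json.loads(event["invokingEvent"])
    timestamp = invoking_event["notificationCreationTime"]
    zones = []
    paginator = boto3.client("route53").get_paginator("list_hosted_zones")
    for page in paginator.paginate():
        zones.extend(page["HostedZones"])
    evaluations = evaluate_hosted_zones(zones, timestamp)
    config = boto3.client("config")
    for i in range(0, len(evaluations), 100):  # PutEvaluations takes <= 100 per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100],
                               ResultToken=event["resultToken"])
    return {"evaluated": len(evaluations)}
```

The NON_COMPLIANT evaluations are what a remediation Lambda (or an SSM automation document) would key off to delete the public zone, as the answer suggests.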