From 88af12931591ef8fa276a4e2de260e82c4c0f123 Mon Sep 17 00:00:00 2001
From: Mike Lim <88474310+limmike@users.noreply.github.com>
Date: Tue, 3 Feb 2026 03:18:05 +0800
Subject: [PATCH] Granular permissions (#9922)

Set granular permissions to TXT DNS records with names starting with `_acme-challenge.` only
This replaces original policy that is too permissive
The `Condition` clause uses [Route 53 resource record set permission](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-permissions.html)
Policy tested with Certbot 2.9.0
---
 .../examples/sample-aws-policy.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/certbot-dns-route53/examples/sample-aws-policy.json b/certbot-dns-route53/examples/sample-aws-policy.json
index 10a17de19..04e8a659c 100644
--- a/certbot-dns-route53/examples/sample-aws-policy.json
+++ b/certbot-dns-route53/examples/sample-aws-policy.json
@@ -19,7 +19,19 @@
 ],
 "Resource" : [
 "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
- ]
+ ],
+ "Condition": {
+ "ForAllValues:StringLike": {
+ "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
+ "_acme-challenge.*"
+ ]
+ },
+ "ForAllValues:StringEquals": {
+ "route53:ChangeResourceRecordSetsRecordTypes": [
+ "TXT"
+ ]
+ }
+ }
 }
 ]
 }
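Review bot: The new `Condition` uses `ForAllValues:*` operators under an `Allow` effect, and IAM evaluates such an operator as true when the condition key is absent from the request context, so the restriction only bites for `route53:ChangeResourceRecordSets`, which populates both keys; any other action on the hosted zone that the statement's `Action` list grants would be allowed unconditionally. That list begins above the hunk (the `],` on its first line closes it), so whether it holds `ChangeResourceRecordSets` alone cannot be confirmed from here. AWS's documented hardening for `ForAllValues` on Allow statements is a `Null` check so the statement fails closed, e.g. adding `"Null": { "route53:ChangeResourceRecordSetsNormalizedRecordNames": "false", "route53:ChangeResourceRecordSetsRecordTypes": "false" }` alongside the two existing operators; that is only correct if no other action shares the statement. Since strict JSON cannot carry a comment, the intent of the clause (only TXT records whose names match `_acme-challenge.*`) should also be stated in the plugin documentation that points users at this sample, not only in the commit message.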