Set granular permissions for TXT DNS records whose names start with `_acme-challenge.` only. This replaces the original policy, which was too permissive. The `Condition` clause uses [Route 53 resource record set permissions](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-permissions.html). The policy was tested with Certbot 2.9.0.
{
"Version": "2012-10-17",
"Id": "certbot-dns-route53 sample policy",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:GetChange"
],
"Resource": [
"*"
]
},
{
"Effect" : "Allow",
"Action" : [
"route53:ChangeResourceRecordSets"
],
"Resource" : [
"arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
],
"Condition": {
"ForAllValues:StringLike": {
"route53:ChangeResourceRecordSetsNormalizedRecordNames": [
"_acme-challenge.*"
]
},
"ForAllValues:StringEquals": {
"route53:ChangeResourceRecordSetsRecordTypes": [
"TXT"
]
}
}
}
]
}