From 970fe28e210d8a1bf87b00f5b1543ae4cd191137 Mon Sep 17 00:00:00 2001
From: Alexander Woellhaf
Date: Tue, 18 Jul 2023 19:31:54 -0400
Subject: [PATCH] Making the "more restrictive policy" even more restrictive

---
 How-to-use-Amazon-Route53-API.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/How-to-use-Amazon-Route53-API.md b/How-to-use-Amazon-Route53-API.md
index 8b7cf53..9ed236d 100644
--- a/How-to-use-Amazon-Route53-API.md
+++ b/How-to-use-Amazon-Route53-API.md
@@ -53,9 +53,18 @@ If you want to use a much more restrictive AWS policy, use the following:
             "Action": [
                 "route53:GetHostedZone",
                 "route53:ListResourceRecordSets",
-                "route53:ChangeResourceRecordSets"
             ],
-            "Resource": "arn:aws:route53:::hostedzone/hosted zone id"
+            "Resource": "arn:aws:route53:::hostedzone/"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "route53:ChangeResourceRecordSets",
+            "Resource": "arn:aws:route53:::hostedzone/",
+            "Condition": {
+                "ForAllValues:StringEquals": {
+                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge..."
+                }
+            }
         }
     ]
 }
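Review bot: Removing `"route53:ChangeResourceRecordSets"` from the `Action` array leaves a trailing comma on the kept context line `"route53:ListResourceRecordSets",` immediately before `],`, so the resulting policy is not valid JSON and IAM will reject it; that line should become `"route53:ListResourceRecordSets"`. In the added statement, `ForAllValues:StringEquals` evaluates to true when the condition key is missing or empty in the request context, so pairing it with `"Null": {"route53:ChangeResourceRecordSetsNormalizedRecordNames": "false"}` keeps the Allow from being broader than intended, and adding `route53:ChangeResourceRecordSetsRecordTypes` limited to `TXT` stops the same principal from writing other record types under the challenge name. Both `Resource` values end in `hostedzone/` and the name value reads `_acme-challenge...`, which look like placeholders lost in rendering; as written the ARN matches no hosted zone, so the document should spell them out as clearly marked placeholders. The policy object these statements sit in begins before the hunk.
```json
// … unchanged: first statement and the Effect/Action/Resource of the second …
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": "_acme-challenge.<your-domain>",
                    "route53:ChangeResourceRecordSetsRecordTypes": "TXT"
                },
                "Null": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": "false"
                }
            }
```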