From b8cdbb4b5402a2e9caaa07ab29eaa78fa7293288 Mon Sep 17 00:00:00 2001
From: Fernando Miguel
Date: Mon, 22 May 2017 14:09:10 +0100
Subject: [PATCH] add a more restrictive policy
---
 How-to-use-Amazon-Route53-API.md | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/How-to-use-Amazon-Route53-API.md b/How-to-use-Amazon-Route53-API.md
index b37a60b..ecc64d7 100644
--- a/How-to-use-Amazon-Route53-API.md
+++ b/How-to-use-Amazon-Route53-API.md
@@ -34,6 +34,30 @@ You can now use the new API keys with acme.sh [https://github.com/Neilpang/acme.sh/tree/master/dnsapi#10-use-amazon-route53-domain-api](https://github.com/Neilpang/acme.sh/tree/master/dnsapi#10-use-amazon-route53-domain-api)
-
-
+### appendix
+If you want to use a must more restrictive AWS policy, use the following:
+- http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-managing-permissions.html
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ListHostedZones"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:GetHostedZone"
+ "route53:ListResourceRecordSets"
+ "route53:ChangeResourceRecordSets"
+ ],
+ "Resource": "arn:aws:route53:::hostedzone/hosted zone id"
+ }
+ ]
+}
+```
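Review bot: The second statement's `Action` array in the added policy is not valid JSON, because `"route53:GetHostedZone"` and `"route53:ListResourceRecordSets"` have no trailing comma; IAM will reject the document if it is pasted as written, so each of those two entries needs a `,` at the end. The `Resource` value `arn:aws:route53:::hostedzone/hosted zone id` is a placeholder containing spaces, and writing it as `hostedzone/<HOSTED_ZONE_ID>` would make clear that it has to be replaced with the real zone ID. The page should also say next to the policy that `route53:ChangeResourceRecordSets` scoped to one hosted zone still allows changing every record in that zone, so the access key stays sensitive; the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key can narrow it to the `_acme-challenge` names. In the intro sentence, "a must more restrictive" should read "a much more restrictive".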