acme/dns01/route53: document stricter IAM policy

Signed-off-by: Alessandro Ogier <[email protected]>

Author: aogier

content/docs/configuration/acme/dns01/route53.md

@@ -35,7 +35,12 @@ permissions:
         "route53:ChangeResourceRecordSets",
         "route53:ListResourceRecordSets"
       ],
-      "Resource": "arn:aws:route53:::hostedzone/*"
+      "Resource": "arn:aws:route53:::hostedzone/*",
+      "Condition": {
+        "ForAllValues:StringEquals": {
+          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
+        }
+      }
     },
     {
       "Effect": "Allow",