diff --git a/pkg/model/components/addonmanifests/certmanager/iam.go b/pkg/model/components/addonmanifests/certmanager/iam.go
index 6df7b747c261e..8861d166ea69d 100644
--- a/pkg/model/components/addonmanifests/certmanager/iam.go
+++ b/pkg/model/components/addonmanifests/certmanager/iam.go
@@ -57,12 +57,24 @@ func addCertManagerPermissions(b *iam.PolicyBuilder, p *iam.Policy) {
 	p.Statement = append(p.Statement, &iam.Statement{
 		Effect: iam.StatementEffectAllow,
-		Action: stringorset.Of("route53:ChangeResourceRecordSets",
-			"route53:ListResourceRecordSets",
-		),
+		Action: stringorset.Of("route53:ListResourceRecordSets"),
 		Resource: stringorset.Set(zoneResources),
 	})
 
+	p.Statement = append(p.Statement, &iam.Statement{
+		Effect: iam.StatementEffectAllow,
+		Action: stringorset.Of("route53:ChangeResourceRecordSets"),
+		Resource: stringorset.Set(zoneResources),
+		Condition: iam.Condition{
+			"ForAllValues:StringLike": map[string]interface{}{
+				"route53:ChangeResourceRecordSetsNormalizedRecordNames": []string{"_acme-challenge.*"},
+			},
+			"ForAllValues:StringEquals": map[string]interface{}{
+				"route53:ChangeResourceRecordSetsRecordTypes": []string{"TXT"},
+			},
+		},
+	})
+
 	p.Statement = append(p.Statement, &iam.Statement{
 		Effect: iam.StatementEffectAllow,
 		Action: stringorset.Set([]string{"route53:GetChange"}),