diff --git a/docs/api-types/issuer/spec.md b/docs/api-types/issuer/spec.md index d60b905e7..7b6e76860 100644 --- a/docs/api-types/issuer/spec.md +++ b/docs/api-types/issuer/spec.md @@ -126,12 +126,40 @@ clouddns: ```yaml route53: accessKeyID: AKIAIOSFODNN7EXAMPLE + hostedZoneID: DIKER8JPL21PSA region: eu-west-1 secretAccessKeySecretRef: name: prod-route53-credentials-secret key: secret-access-key ``` +Cert-manager requires the following IAM policy. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "route53:GetChange", + "Resource": "arn:aws:route53:::change/*" + }, + { + "Effect": "Allow", + "Action": "route53:ChangeResourceRecordSets", + "Resource": "arn:aws:route53:::hostedzone/*" + }, + { + "Effect": "Allow", + "Action": "route53:ListHostedZonesByName", + "Resource": "arn:aws:route53:::hostedzone/*" + } + ] +} +``` + +The `route53:ListHostedZonesByName` statement can be removed if you specify the hosted zone ID (`spec.acme.dns01.providers[].hostedZoneID`) on the Issuer resource. You can further tighten this policy by limiting the hosted zone that cert-manager has access to (replace `arn:aws:route53:::hostedzone/*` with `arn:aws:route53:::hostedzone/DIKER8JPL21PSA`, for instance). + ##### Cloudflare ```yaml
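Review bot: The third statement in the added policy pairs `route53:ListHostedZonesByName` with `"Resource": "arn:aws:route53:::hostedzone/*"`, but that action does not support resource-level permissions, so a policy scoped this way is denied at evaluation time and the documented "minimal" policy will fail until a user debugs it; suggest `"Resource": "*"` for that statement only, and keep the `hostedzone/*` scoping on `route53:ChangeResourceRecordSets` where it is actually honoured. The closing paragraph should also spell out the consequence for readers who follow its hardening advice: once `hostedZoneID` is set and the list statement is dropped, the remaining policy can be reduced to exactly one `change/*` and one `hostedzone/<id>` resource, which is the least-privilege shape worth recommending explicitly rather than "for instance". Minor: the `DIKER8JPL21PSA` value reused in both the YAML and the prose is a sample, so label it as such (e.g. "replace with your zone ID") to avoid copy-paste of a placeholder into real Issuer specs.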