diff --git a/infrastructure/stacks/account_wide/acm.tf b/infrastructure/stacks/account_wide/acm.tf
index 0b0189af..a623b4f6 100644
--- a/infrastructure/stacks/account_wide/acm.tf
+++ b/infrastructure/stacks/account_wide/acm.tf
@@ -13,6 +13,7 @@ resource "aws_acm_certificate" "custom_domain_api_cert" {
 }
 
 resource "aws_route53_record" "cert_validation" {
+  provider = aws.mgmt
   for_each = var.environment == "mgmt" ? {} : {
     for dvo in aws_acm_certificate.custom_domain_api_cert[0].domain_validation_options : dvo.domain_name => {
       name = dvo.resource_record_name
@@ -21,7 +22,7 @@ resource "aws_route53_record" "cert_validation" {
     }
   }
 
-  zone_id = aws_route53_zone.environment_zone[0].zone_id
+  zone_id = data.aws_route53_zone.root_zone[0].zone_id
   name = each.value.name
   type = each.value.type
   ttl = var.cert_validation_record_ttl
diff --git a/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl b/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl
index a589ae5a..92995154 100644
--- a/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/account_github_runner_security.policy.json.tpl
@@ -16,11 +16,11 @@
         "route53:DisassociateVPCFromHostedZone",
         "route53:GetHealthCheck",
         "route53:GetHostedZone",
-        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets",
         "route53:ListTagsForResource"
       ],
       "Resource": [
-        "arn:aws:acm:${aws_region}:${account_id}:certificate/*",
+        "arn:aws:acm:*:${account_id}:certificate/*",
         "arn:aws:route53:::hostedzone/*"
       ]
     },
diff --git a/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl b/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl
index 97ea1e37..9d45c1d3 100644
--- a/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl
+++ b/infrastructure/stacks/github_runner/app_github_runner_security.policy.json.tpl
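Review bot: The new `provider = aws.mgmt` line is the only thing telling a reader that this record is created in a different account than the certificate it validates, and the block does not explain it or why `for_each` collapses to `{}` for the mgmt environment. I would put a comment directly above the `provider` line: `# Validation CNAMEs are written into the root zone owned by the mgmt account (aws.mgmt alias); the mgmt environment itself creates none (empty for_each).` The `aws.mgmt` alias must be declared in this stack's provider configuration, which is outside the hunk, and the resource body continues past the hunk.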
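Review bot: Pointing `zone_id` at `data.aws_route53_zone.root_zone[0].zone_id` means every non-mgmt environment's runner now writes validation CNAMEs into one shared zone, so each runner needs write access to records that other environments depend on; the app runner policy later in this diff grants `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, which makes that blast radius every zone in the account rather than the one root zone. Scoping the mgmt-side Route53 statement to the root zone's ARN and, if the validation names are predictable, to those names with the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key would contain it. The `root_zone` data source is declared outside the hunk; it presumably needs the same `provider = aws.mgmt` alias and the same count guard, otherwise the lookup runs against the workload account — worth confirming. Whether `aws_route53_zone.environment_zone` is still referenced anywhere after this change is not visible here.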
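Review bot: Replacing `${aws_region}` with `*` in the ACM resource ARN grants the account runner's certificate actions in every region rather than the one it deploys to, and the same widening is made in app_github_runner_security.policy.json.tpl further down. If the motivation is a certificate that must live in a second fixed region, listing that region explicitly alongside the deployment region keeps the grant minimal, e.g. (constructed) `"arn:aws:acm:${aws_region}:${account_id}:certificate/*", "arn:aws:acm:us-east-1:${account_id}:certificate/*"`. Swapping `route53:ListHostedZones` for `route53:ListResourceRecordSets` looks intentional; note that `ListHostedZones` is not a resource-scoped action, so it was never effective in a statement whose Resource is `hostedzone/*`, and if `data.aws_route53_zone.root_zone` is looked up by name it still has to be granted on `"*"` in another statement.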
@@ -7,6 +7,7 @@
       "Action": [
         "acm:AddTagsToCertificate",
         "acm:ListTagsForCertificate",
+        "acm:RequestCertificate",
         "route53:AssociateVPCWithHostedZone",
         "route53:ChangeResourceRecordSets",
         "route53:ChangeTagsForResource",
@@ -16,7 +17,7 @@
         "route53:ListTagsForResource"
       ],
       "Resource": [
-        "arn:aws:acm:${aws_region}:${account_id}:certificate/*",
+        "arn:aws:acm:*:${account_id}:certificate/*",
         "arn:aws:route53:::hostedzone/*"
       ]
     },
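Review bot: `acm:RequestCertificate` is added to a statement whose Resource is a certificate ARN pattern, but as far as I recall that action carries no resource type in the Service Authorization Reference (the certificate does not exist when it is called), so in this statement it is likely ineffective and the runner will get an access-denied error on `aws_acm_certificate` creation unless another statement grants it on `"*"`; worth checking with the IAM policy simulator before merge. If it does need its own `"Resource": "*"` statement, an `aws:RequestTag`/`aws:TagKeys` condition matching the tags the certificate resource sets would keep that from being a blanket grant. The region-wildcard point raised on the account runner policy applies equally to this file's second hunk.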