I use AWS Route53, and you can get incredibly granular with API permissions.

Key condition keys for this purpose include:

    route53:ChangeResourceRecordSetsActions: Limits actions to CREATE, UPDATE, or DELETE.

    route53:ChangeResourceRecordSetsRecordTypes: Limits actions to specific DNS record types (e.g., A, CNAME, TXT).

    route53:ChangeResourceRecordSetsRecordValues: Limits actions based on the specific value of the DNS record.

    route53:ChangeResourceRecordSetsResourceRecords: For more complex scenarios, this can be used to control access based on the full record set details.
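
An IAM policy using two of these condition keys, as an added example that is not part of the original comment: it allows a credential to change only TXT records in one hosted zone. The hosted zone ID and the Sid values are placeholders, and the action values are the ones the ChangeResourceRecordSets API accepts (CREATE, UPSERT, DELETE).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleTxtOnlyChanges",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/EXAMPLEZONEID",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsActions": ["UPSERT", "DELETE"]
        }
      }
    },
    {
      "Sid": "ExampleReadOnlyLookups",
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:GetChange"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/EXAMPLEZONEID",
        "arn:aws:route53:::change/*"
      ]
    }
  ]
}
```

With `ForAllValues`, every change in a batch must match the listed types and actions, so a batch that mixes a TXT change with an A or CNAME change is denied as a whole.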