diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
index e9bfe1b1d787c..5cfa1edb47ad1 100644
--- a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
@@ -75,7 +75,7 @@ export class DnsValidatedCertificate extends cdk.Resource implements ICertificat
         }));
         requestorFunction.addToRolePolicy(new iam.PolicyStatement({
             actions: ['route53:changeResourceRecordSets'],
-            resources: [`arn:aws:route53:::hostedzone/${this.hostedZoneId}`],
+            resources: [`arn:${cdk.Stack.of(requestorFunction).partition}:route53:::hostedzone/${this.hostedZoneId}`],
         }));
 
         const certificate = new cfn.CustomResource(this, 'CertificateRequestorResource', {
diff --git a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
index a78d9c03f7c91..3b62fbc3f309b 100644
--- a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
@@ -66,10 +66,10 @@ export = {
               'Fn::Join': [
                 '',
                 [
-                  'arn:aws:route53:::hostedzone/',
-                  {
-                    Ref: 'ExampleDotCom4D1B83AA'
-                  }
+                  'arn:',
+                  { Ref: 'AWS::Partition' },
+                  ':route53:::hostedzone/',
+                  { Ref: 'ExampleDotCom4D1B83AA' }
                 ]
               ]
             }