diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index 9f5ce6226..8e5a7bc78 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -6,7 +6,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 ### Added
-*
+* Require explicit confirmation of snap plugin permissions before connecting.
 ### Changed
diff --git a/snap/hooks/configure b/snap/hooks/configure
new file mode 100644
index 000000000..2678c47b2
--- /dev/null
+++ b/snap/hooks/configure
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+exit 0
diff --git a/snap/hooks/prepare-plug-plugin b/snap/hooks/prepare-plug-plugin
new file mode 100644
index 000000000..ee309addf
--- /dev/null
+++ b/snap/hooks/prepare-plug-plugin
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+if [ "$(snapctl get trust-plugin-with-root)" = "ok" ]; then
+ # allow the connection, but reset config to allow for other slots to go through this auth flow
+ snapctl unset trust-plugin-with-root
+ exit 0
+else
+ echo "Only connect this interface if you trust the plugin author to have root on the system"
+ echo "Run \`snap set $SNAP_NAME trust-plugin-with-root=ok\` to acknowledge this and then run this command again to perform the connection"
+ exit 1
+fi
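Review bot: The acknowledgement tested in the `if` of snap/hooks/prepare-plug-plugin is a single snap-wide setting that is not bound to the plugin being connected, so after `snap set … trust-plugin-with-root=ok` it is consumed by whichever connection to this plug runs next, and it stays armed for as long as the admin does not complete the connection. If the hook has no way to learn the slot-side snap at this point (not visible from this diff), the limitation should at least be documented above the check, e.g. `# NOTE: approval is one-shot but not scoped to a plugin snap; the next connection of any slot consumes it`. The failure paths do appear to fail closed when the hook is executed directly (an erroring `snapctl get` yields an empty string and falls through to `exit 1`, and a failing `snapctl unset` aborts under `-e`), which deserves a short comment so that nobody later adds `|| true`. The two `echo` lines are diagnostics and would be better sent to stderr with `>&2`. `set -e` on its own line is sturdier than `-e` in the shebang, which is lost when the script is run as `bash <file>`; the same applies to snap/hooks/configure.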