AWS WAF and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

AWS WAF API Permissions: Actions, Resources, and Conditions Reference

When you are setting up Access Control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS WAF API operation, the corresponding action that you grant permission to perform, and the AWS resource on which you grant that permission. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your AWS WAF policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.

Note

To specify an action, use the waf: prefix followed by the API operation name (for example, waf:CreateIPSet).


AWS WAF API and Required Permissions for Actions

| AWS WAF API Operations | Required Permissions (API Actions) | Resources: Global (for Amazon CloudFront) | Resources: Regional (for Application Load Balancers) |
|---|---|---|---|
| CreateByteMatchSet | CreateByteMatchSet | arn:aws:waf::account-id:bytematchset/entity-ID | arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| CreateIPSet | CreateIPSet | arn:aws:waf::account-id:ipset/entity-ID | arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| CreateRule | CreateRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| CreateRateBasedRule | CreateRateBasedRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| CreateSizeConstraintSet | CreateSizeConstraintSet | arn:aws:waf::account-id:sizeconstraintset/entity-ID | arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| CreateSqlInjectionMatchSet | CreateSqlInjectionMatchSet | arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID | arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| CreateWebACL | CreateWebACL | arn:aws:waf::account-id:webacl/entity-ID | arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| CreateXssMatchSet | CreateXssMatchSet | arn:aws:waf::account-id:xssmatchset/entity-ID | arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
| DeleteByteMatchSet | DeleteByteMatchSet | arn:aws:waf::account-id:bytematchset/entity-ID | arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| DeleteIPSet | DeleteIPSet | arn:aws:waf::account-id:ipset/entity-ID | arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| DeleteRule | DeleteRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| DeleteRateBasedRule | DeleteRateBasedRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| DeleteSizeConstraintSet | DeleteSizeConstraintSet | arn:aws:waf::account-id:sizeconstraintset/entity-ID | arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| DeleteSqlInjectionMatchSet | DeleteSqlInjectionMatchSet | arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID | arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| DeleteWebACL | DeleteWebACL | arn:aws:waf::account-id:webacl/entity-ID | arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| DeleteXssMatchSet | DeleteXssMatchSet | arn:aws:waf::account-id:xssmatchset/entity-ID | arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
| GetByteMatchSet | GetByteMatchSet | arn:aws:waf::account-id:bytematchset/entity-ID | arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| GetChangeToken | GetChangeToken | arn:aws:waf::account-id:changetoken/entity-ID | arn:aws:waf-regional:region:account-id:changetoken/entity-ID |
| GetChangeTokenStatus | GetChangeTokenStatus | arn:aws:waf::account-id:changetoken/token-ID | arn:aws:waf-regional:region:account-id:changetoken/token-ID |
| GetIPSet | GetIPSet | arn:aws:waf::account-id:ipset/entity-ID | arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| GetRule | GetRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| GetRateBasedRule | GetRateBasedRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| GetRateBasedRuleManagedKeys | GetRateBasedRuleManagedKeys | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| GetSampledRequests | GetSampledRequests | The resource depends on the parameters that are specified in the API call. You must have access to the rule or web ACL that corresponds to the request for samples. For example: arn:aws:waf::account-id:rule/example1 or arn:aws:waf::account-id:webacl/example2 | For example: arn:aws:waf-regional:region:account-id:rule/example1 or arn:aws:waf-regional:region:account-id:webacl/example2 |
| GetSizeConstraintSet | GetSizeConstraintSet | arn:aws:waf::account-id:sizeconstraintset/entity-ID | arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| GetSqlInjectionMatchSet | GetSqlInjectionMatchSet | arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID | arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| GetWebACL | GetWebACL | arn:aws:waf::account-id:webacl/entity-ID | arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| GetXssMatchSet | GetXssMatchSet | arn:aws:waf::account-id:xssmatchset/entity-ID | arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
| ListByteMatchSets | ListByteMatchSets | arn:aws:waf::account-id:bytematchsets/entity-ID | arn:aws:waf-regional:region:account-id:bytematchsets/entity-ID |
| ListIPSets | ListIPSets | arn:aws:waf::account-id:ipsets/entity-ID | arn:aws:waf-regional:region:account-id:ipsets/entity-ID |
| ListRules | ListRules | arn:aws:waf::account-id:rules/entity-ID | arn:aws:waf-regional:region:account-id:rules/entity-ID |
| ListRateBasedRules | ListRateBasedRules | arn:aws:waf::account-id:rules/entity-ID | arn:aws:waf-regional:region:account-id:rules/entity-ID |
| ListSizeConstraintSets | ListSizeConstraintSets | arn:aws:waf::account-id:sizeconstaintsets/entity-ID | arn:aws:waf-regional:region:account-id:sizeconstaintsets/entity-ID |
| ListSqlInjectionMatchSets | ListSqlInjectionMatchSets | arn:aws:waf::account-id:sqlinjectionmatchsets/entity-ID | arn:aws:waf-regional:region:account-id:sqlinjectionmatchsets/entity-ID |
| ListWebACLs | ListWebACLs | arn:aws:waf::account-id:webacls/entity-ID | arn:aws:waf-regional:region:account-id:webacls/entity-ID |
| ListXssMatchSets | ListXssMatchSets | arn:aws:waf::account-id:xssmatchsets/entity-ID | arn:aws:waf-regional:region:account-id:xssmatchsets/entity-ID |
| UpdateByteMatchSet | UpdateByteMatchSet | arn:aws:waf::account-id:bytematchset/entity-ID | arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| UpdateIPSet | UpdateIPSet | arn:aws:waf::account-id:ipset/entity-ID | arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| UpdateRule | UpdateRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| UpdateRateBasedRule | UpdateRateBasedRule | arn:aws:waf::account-id:rule/entity-ID | arn:aws:waf-regional:region:account-id:rule/entity-ID |
| UpdateSizeConstraintSet | UpdateSizeConstraintSet | arn:aws:waf::account-id:sizeconstraintset/entity-ID | arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| UpdateSqlInjectionMatchSet | UpdateSqlInjectionMatchSet | arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID | arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| UpdateWebACL | UpdateWebACL | arn:aws:waf::account-id:webacl/entity-ID | arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| UpdateXssMatchSet | UpdateXssMatchSet | arn:aws:waf::account-id:xssmatchset/entity-ID | arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
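
The following is an added example, not part of the AWS guide: a small policy audit that uses the action-to-resource pairing in the table above to flag Allow statements whose Resource is unscoped or does not contain the resource type the action operates on. The function names, the finding messages, and the sample policy (account ID and entity IDs) are constructed for illustration.

```python
import re
# Resource type each operation acts on, taken from the table above.
# List* operations (plural resource names) and change tokens are not covered.
SUFFIX_TO_TYPE = {
    "ByteMatchSet": "bytematchset", "IPSet": "ipset", "Rule": "rule",
    "RateBasedRule": "rule", "SizeConstraintSet": "sizeconstraintset",
    "SqlInjectionMatchSet": "sqlinjectionmatchset", "WebACL": "webacl",
    "XssMatchSet": "xssmatchset",
}
ACTION_RE = re.compile(r"^waf:(?:Create|Delete|Get|Update)(\w+)$")
ARN_RE = re.compile(r"^arn:aws:(?:waf::|waf-regional:[\w-]+:)(?:\d{12}|\*):(\w+)/(.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, action, problem) tuples for Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            m = ACTION_RE.match(action)
            want = SUFFIX_TO_TYPE.get(m.group(1)) if m else None
            hits = [a for a in map(ARN_RE.match, resources)
                    if a and a.group(1) == want]
            if action in ("*", "waf:*"):
                findings.append((i, action, "wildcard action"))
            elif want is None:
                continue  # not an operation this check models
            elif "*" in resources:
                findings.append((i, action, "resource is *"))
            elif not hits:
                findings.append((i, action, f"no {want} ARN in Resource"))
            elif any("*" in a.group(2) for a in hits):
                findings.append((i, action, f"applies to every {want}"))
    return findings

# Constructed sample policy; the account ID and entity IDs are placeholders.
IPSET = "arn:aws:waf::111122223333:ipset/example-ipset-id"
SAMPLE = {"Statement": [
    {"Effect": "Allow", "Action": ["waf:GetIPSet", "waf:UpdateIPSet"], "Resource": IPSET},
    {"Effect": "Allow", "Action": "waf:UpdateWebACL", "Resource": IPSET},
    {"Effect": "Allow", "Action": "waf:DeleteRule",
     "Resource": "arn:aws:waf::111122223333:rule/*"},
]}
```

Running `audit(SAMPLE)` leaves the first statement clean, reports the second because an ipset ARN cannot satisfy UpdateWebACL, and reports the third because it covers every rule in the account.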