AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS WAF

AWS WAF (service prefix: waf) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS WAF

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| CreateByteMatchSet | Creates a ByteMatchSet. | Write | bytematchset* | | |
| CreateGeoMatchSet | Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate from. | Write | geomatchset* | | |
| CreateIPSet | Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate from. | Write | ipset* | | |
| CreateRateBasedRule | Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period. | Write | ratebasedrule* | | |
| CreateRegexMatchSet | Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a RegexPatternSet. | Write | regexmatchset* | | |
| CreateRegexPatternSet | Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for. | Write | regexpatternset* | | |
| CreateRule | Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block. | Write | rule* | | |
| CreateSizeConstraintSet | Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length. | Write | sizeconstraintset* | | |
| CreateSqlInjectionMatchSet | Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web requests. | Write | sqlinjectionmatchset* | | |
| CreateWebACL | Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count. | Permissions management | webacl* | | |
| CreateXssMatchSet | Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests. | Write | xssmatchset* | | |
| DeleteByteMatchSet | Permanently deletes a ByteMatchSet. | Write | bytematchset* | | |
| DeleteGeoMatchSet | Permanently deletes a GeoMatchSet. | Write | geomatchset* | | |
| DeleteIPSet | Permanently deletes an IPSet. | Write | ipset* | | |
| DeleteRateBasedRule | Permanently deletes a RateBasedRule. | Write | ratebasedrule* | | |
| DeleteRegexMatchSet | Permanently deletes a RegexMatchSet. | Write | regexmatchset* | | |
| DeleteRegexPatternSet | Permanently deletes a RegexPatternSet. | Write | regexpatternset* | | |
| DeleteRule | Permanently deletes a Rule. | Write | rule* | | |
| DeleteSizeConstraintSet | Permanently deletes a SizeConstraintSet. | Write | sizeconstraintset* | | |
| DeleteSqlInjectionMatchSet | Permanently deletes a SqlInjectionMatchSet. | Write | sqlinjectionmatchset* | | |
| DeleteWebACL | Permanently deletes a WebACL. | Permissions management | webacl* | | |
| DeleteXssMatchSet | Permanently deletes an XssMatchSet. | Write | xssmatchset* | | |
| GetByteMatchSet | Returns the ByteMatchSet specified by ByteMatchSetId. | Read | bytematchset* | | |
| GetChangeToken | When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete request. | Read | | | |
| GetChangeTokenStatus | Returns the status of a ChangeToken that you got by calling GetChangeToken. | Read | | | |
| GetGeoMatchSet | Returns the GeoMatchSet specified by GeoMatchSetId. | Read | geomatchset* | | |
| GetIPSet | Returns the IPSet that is specified by IPSetId. | Read | ipset* | | |
| GetRateBasedRule | Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request. | Read | ratebasedrule* | | |
| GetRateBasedRuleManagedKeys | Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId. | Read | ratebasedrule* | | |
| GetRegexMatchSet | Returns the RegexMatchSet specified by RegexMatchSetId. | Read | regexmatchset* | | |
| GetRegexPatternSet | Returns the RegexPatternSet specified by RegexPatternSetId. | Read | regexpatternset* | | |
| GetRule | Returns the Rule that is specified by the RuleId that you included in the GetRule request. | Read | rule* | | |
| GetSampledRequests | Gets detailed information about a specified number of requests (a sample) that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose. | Read | rule, webacl | | |
| GetSizeConstraintSet | Returns the SizeConstraintSet specified by SizeConstraintSetId. | Read | sizeconstraintset* | | |
| GetSqlInjectionMatchSet | Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId. | Read | sqlinjectionmatchset* | | |
| GetWebACL | Returns the WebACL that is specified by WebACLId. | Read | webacl* | | |
| GetXssMatchSet | Returns the XssMatchSet that is specified by XssMatchSetId. | Read | xssmatchset* | | |
| ListByteMatchSets | Returns an array of ByteMatchSetSummary objects. | List | | | |
| ListGeoMatchSets | Returns an array of GeoMatchSetSummary objects. | List | | | |
| ListIPSets | Returns an array of IPSetSummary objects in the response. | List | | | |
| ListRateBasedRules | Returns an array of RuleSummary objects. | List | | | |
| ListRegexMatchSets | Returns an array of RegexMatchSetSummary objects. | List | | | |
| ListRegexPatternSets | Returns an array of RegexPatternSetSummary objects. | List | | | |
| ListRules | Returns an array of RuleSummary objects. | List | | | |
| ListSizeConstraintSets | Returns an array of SizeConstraintSetSummary objects. | List | | | |
| ListSqlInjectionMatchSets | Returns an array of SqlInjectionMatchSet objects. | List | | | |
| ListWebACLs | Returns an array of WebACLSummary objects in the response. | List | | | |
| ListXssMatchSets | Returns an array of XssMatchSet objects. | List | | | |
| UpdateByteMatchSet | Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet. | Write | bytematchset* | | |
| UpdateGeoMatchSet | Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet. | Write | geomatchset* | | |
| UpdateIPSet | Inserts or deletes IPSetDescriptor objects in an IPSet. | Write | ipset* | | |
| UpdateRateBasedRule | Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule. | Write | ratebasedrule* | | |
| UpdateRegexMatchSet | Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet. | Write | regexmatchset* | | |
| UpdateRegexPatternSet | Inserts or deletes RegexPatternStrings in a RegexPatternSet. | Write | regexpatternset* | | |
| UpdateRule | Inserts or deletes Predicate objects in a Rule. | Write | rule* | | |
| UpdateSizeConstraintSet | Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet. | Write | sizeconstraintset* | | |
| UpdateSqlInjectionMatchSet | Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet. | Write | sqlinjectionmatchset* | | |
| UpdateWebACL | Inserts or deletes ActivatedRule objects in a WebACL. | Permissions management | webacl* | | |
| UpdateXssMatchSet | Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet. | Write | xssmatchset* | | |

Resources Defined by WAF

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| bytematchset | arn:${Partition}:waf::${Account}:bytematchset/${Id} | |
| geomatchset | arn:${Partition}:waf::${Account}:geomatchset/${Id} | |
| ipset | arn:${Partition}:waf::${Account}:ipset/${Id} | |
| ratebasedrule | arn:${Partition}:waf::${Account}:ratebasedrule/${Id} | |
| regexmatchset | arn:${Partition}:waf::${Account}:regexmatchset/${Id} | |
| regexpatternset | arn:${Partition}:waf::${Account}:regexpatternset/${Id} | |
| rule | arn:${Partition}:waf::${Account}:rule/${Id} | |
| sizeconstraintset | arn:${Partition}:waf::${Account}:sizeconstraintset/${Id} | |
| sqlinjectionmatchset | arn:${Partition}:waf::${Account}:sqlinjectionmatchset/${Id} | |
| webacl | arn:${Partition}:waf::${Account}:webacl/${Id} | |
| xssmatchset | arn:${Partition}:waf::${Account}:xssmatchset/${Id} | |

Condition Keys for AWS WAF

WAF has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.
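As an added example that is not part of the AWS documentation, the following Python builds a least-privilege policy from the Access Level and Resource Types columns of the actions table and the ARN formats of the resources table, then checks it with a deliberately simplified evaluator (Allow statements only, no conditions, no cross-service logic); the account id and object ids are constructed placeholders.

```python
import fnmatch

# Constructed placeholder values, not real identifiers.
ACCOUNT = "123456789012"
IPSET_ARN = f"arn:aws:waf::{ACCOUNT}:ipset/11111111-2222-3333-4444-555555555555"
OTHER_IPSET_ARN = f"arn:aws:waf::{ACCOUNT}:ipset/99999999-8888-7777-6666-555555555555"
WEBACL_ARN = f"arn:aws:waf::{ACCOUNT}:webacl/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Operator role: read anything, edit exactly one IPSet, never touch WebACLs
# (Create/Update/DeleteWebACL carry the "Permissions management" access level).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Get*/List* are Read/List level. List* and GetChangeToken define no
            # resource type in the table, so they only work with Resource "*".
            "Effect": "Allow",
            "Action": ["waf:Get*", "waf:List*"],
            "Resource": "*",
        },
        {   # Write-level action pinned to a single ipset ARN (required resource
            # type "ipset*"). GetChangeToken, needed for any update, is granted above.
            "Effect": "Allow",
            "Action": "waf:UpdateIPSet",
            "Resource": IPSET_ARN,
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcard semantics: '*' any run of characters, '?' one character.
    # Escape '[' so fnmatch does not treat it as a character class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def is_allowed(policy, action, resource):
    """True if some Allow statement matches the action (case-insensitive, as IAM
    treats action names) and the resource ARN (case-sensitive); else implicit deny."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

if __name__ == "__main__":
    print(is_allowed(POLICY, "waf:UpdateIPSet", IPSET_ARN))   # True
    print(is_allowed(POLICY, "waf:UpdateWebACL", WEBACL_ARN))  # False
```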