AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS WAF Regional

AWS WAF Regional (service prefix: waf-regional) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS WAF Regional

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AssociateWebACL | Associates a WebACL with a resource. | Write | loadbalancer/app/*, webacl* | |
CreateByteMatchSet | Creates a ByteMatchSet. | Write | bytematchset* | |
CreateGeoMatchSet | Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate from. | Write | geomatchset* | |
CreateIPSet | Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate from. | Write | ipset* | |
CreateRateBasedRule | Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period. | Write | ratebasedrule* | |
CreateRegexMatchSet | Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a RegexPatternSet. | Write | regexmatchset* | |
CreateRegexPatternSet | Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for. | Write | regexpatternset* | |
CreateRule | Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block. | Write | rule* | |
CreateRuleGroup | Creates a RuleGroup. A rule group is a collection of predefined rules that you add to a WebACL. | Write | rulegroup* | |
CreateSizeConstraintSet | Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length. | Write | sizeconstraintset* | |
CreateSqlInjectionMatchSet | Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web requests. | Write | sqlinjectionmatchset* | |
CreateWebACL | Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count. | Permissions management | webacl* | |
CreateXssMatchSet | Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests. | Write | xssmatchset* | |
DeleteByteMatchSet | Permanently deletes a ByteMatchSet. | Write | bytematchset* | |
DeleteGeoMatchSet | Permanently deletes a GeoMatchSet. | Write | geomatchset* | |
DeleteIPSet | Permanently deletes an IPSet. | Write | ipset* | |
DeletePermissionPolicy | Permanently deletes an IAM policy from the specified RuleGroup. | Permissions management | rulegroup* | |
DeleteRateBasedRule | Permanently deletes a RateBasedRule. | Write | ratebasedrule* | |
DeleteRegexMatchSet | Permanently deletes a RegexMatchSet. | Write | regexmatchset* | |
DeleteRegexPatternSet | Permanently deletes a RegexPatternSet. | Write | regexpatternset* | |
DeleteRule | Permanently deletes a Rule. | Write | rule* | |
DeleteRuleGroup | Permanently deletes a RuleGroup. | Write | rulegroup* | |
DeleteSizeConstraintSet | Permanently deletes a SizeConstraintSet. | Write | sizeconstraintset* | |
DeleteSqlInjectionMatchSet | Permanently deletes a SqlInjectionMatchSet. | Write | sqlinjectionmatchset* | |
DeleteWebACL | Permanently deletes a WebACL. | Permissions management | webacl* | |
DeleteXssMatchSet | Permanently deletes an XssMatchSet. | Write | xssmatchset* | |
DisassociateWebACL | Removes a WebACL from the specified resource. | Write | loadbalancer/app/* | |
GetByteMatchSet | Returns the ByteMatchSet specified by ByteMatchSetId. | Read | bytematchset* | |
GetChangeToken | When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete request. | Read | | |
GetChangeTokenStatus | Returns the status of a ChangeToken that you got by calling GetChangeToken. | Read | | |
GetGeoMatchSet | Returns the GeoMatchSet specified by GeoMatchSetId. | Read | geomatchset* | |
GetIPSet | Returns the IPSet that is specified by IPSetId. | Read | ipset* | |
GetPermissionPolicy | Returns the IAM policy attached to the RuleGroup. | Read | rulegroup* | |
GetRateBasedRule | Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request. | Read | ratebasedrule* | |
GetRateBasedRuleManagedKeys | Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId. | Read | ratebasedrule* | |
GetRegexMatchSet | Returns the RegexMatchSet specified by RegexMatchSetId. | Read | regexmatchset* | |
GetRegexPatternSet | Returns the RegexPatternSet specified by RegexPatternSetId. | Read | regexpatternset* | |
GetRule | Returns the Rule that is specified by the RuleId that you included in the GetRule request. | Read | rule* | |
GetRuleGroup | Returns the RuleGroup that is specified by the RuleGroupId that you included in the GetRuleGroup request. | Read | rulegroup* | |
GetSampledRequests | Gets detailed information about a specified number of requests--a sample--that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose. | Read | rule, webacl | |
GetSizeConstraintSet | Returns the SizeConstraintSet specified by SizeConstraintSetId. | Read | sizeconstraintset* | |
GetSqlInjectionMatchSet | Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId. | Read | sqlinjectionmatchset* | |
GetWebACL | Returns the WebACL that is specified by WebACLId. | Read | webacl* | |
GetWebACLForResource | Returns the WebACL for the specified resource. | Read | loadbalancer/app/* | |
GetXssMatchSet | Returns the XssMatchSet that is specified by XssMatchSetId. | Read | xssmatchset* | |
ListActivatedRulesInRuleGroup | Returns an array of ActivatedRule objects. | List | | |
ListByteMatchSets | Returns an array of ByteMatchSetSummary objects. | List | | |
ListGeoMatchSets | Returns an array of GeoMatchSetSummary objects. | List | | |
ListIPSets | Returns an array of IPSetSummary objects in the response. | List | | |
ListRateBasedRules | Returns an array of RuleSummary objects. | List | | |
ListRegexMatchSets | Returns an array of RegexMatchSetSummary objects. | List | | |
ListRegexPatternSets | Returns an array of RegexPatternSetSummary objects. | List | | |
ListResourcesForWebACL | Returns an array of resources associated with the specified WebACL. | List | webacl* | |
ListRuleGroups | Returns an array of RuleGroup objects. | List | | |
ListRules | Returns an array of RuleSummary objects. | List | | |
ListSizeConstraintSets | Returns an array of SizeConstraintSetSummary objects. | List | | |
ListSqlInjectionMatchSets | Returns an array of SqlInjectionMatchSet objects. | List | | |
ListSubscribedRuleGroups | Returns an array of RuleGroup objects that you are subscribed to. | List | | |
ListWebACLs | Returns an array of WebACLSummary objects in the response. | List | | |
ListXssMatchSets | Returns an array of XssMatchSet objects. | List | | |
PutPermissionPolicy | Attaches an IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts. | Permissions management | rulegroup* | |
UpdateByteMatchSet | Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet. | Write | bytematchset* | |
UpdateGeoMatchSet | Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet. | Write | geomatchset* | |
UpdateIPSet | Inserts or deletes IPSetDescriptor objects in an IPSet. | Write | ipset* | |
UpdateRateBasedRule | Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule. | Write | ratebasedrule* | |
UpdateRegexMatchSet | Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet. | Write | regexmatchset* | |
UpdateRegexPatternSet | Inserts or deletes RegexPatternStrings in a RegexPatternSet. | Write | regexpatternset* | |
UpdateRule | Inserts or deletes Predicate objects in a Rule. | Write | rule* | |
UpdateRuleGroup | Inserts or deletes ActivatedRule objects in a RuleGroup. | Write | rulegroup* | |
UpdateSizeConstraintSet | Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet. | Write | sizeconstraintset* | |
UpdateSqlInjectionMatchSet | Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet. | Write | sqlinjectionmatchset* | |
UpdateWebACL | Inserts or deletes ActivatedRule objects in a WebACL. | Permissions management | webacl* | |
UpdateXssMatchSet | Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet. | Write | xssmatchset* | |

Resources Defined by WAF Regional

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys
bytematchset | arn:${Partition}:waf-regional:${Region}:${Account}:bytematchset/${Id} |
ipset | arn:${Partition}:waf-regional:${Region}:${Account}:ipset/${Id} |
loadbalancer/app/ | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/app/${LoadBalancerName}/${LoadBalancerId} |
ratebasedrule | arn:${Partition}:waf-regional:${Region}:${Account}:ratebasedrule/${Id} |
rule | arn:${Partition}:waf-regional:${Region}:${Account}:rule/${Id} |
sizeconstraintset | arn:${Partition}:waf-regional:${Region}:${Account}:sizeconstraintset/${Id} |
sqlinjectionmatchset | arn:${Partition}:waf-regional:${Region}:${Account}:sqlinjectionmatchset/${Id} |
webacl | arn:${Partition}:waf-regional:${Region}:${Account}:webacl/${Id} |
xssmatchset | arn:${Partition}:waf-regional:${Region}:${Account}:xssmatchset/${Id} |
regexmatchset | arn:${Partition}:waf-regional:${Region}:${Account}:regexmatchset/${Id} |
regexpatternset | arn:${Partition}:waf-regional:${Region}:${Account}:regexpatternset/${Id} |
geomatchset | arn:${Partition}:waf-regional:${Region}:${Account}:geomatchset/${Id} |
rulegroup | arn:${Partition}:waf-regional:${Region}:${Account}:rulegroup/${Id} |
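The following Python script is an added example (not AWS tooling) that applies the access levels from the Actions table and the ARN formats from the Resource Types table to review a policy document: it flags Permissions-management actions granted on Resource "*", and AssociateWebACL statements that do not cover both of its required resource types. The sample policy, account number and IDs are constructed.

```python
"""Review an IAM policy for waf-regional grants; example added here, not an AWS tool."""
from fnmatch import fnmatchcase
import re

# Actions the Actions table marks "Permissions management".
PERMISSIONS_MANAGEMENT = {
    "waf-regional:CreateWebACL", "waf-regional:UpdateWebACL", "waf-regional:DeleteWebACL",
    "waf-regional:PutPermissionPolicy", "waf-regional:DeletePermissionPolicy",
}
# ARN shapes from the Resource Types table (${Partition}, ${Region}, ${Id} matched loosely).
WEBACL_ARN = re.compile(r"^arn:[^:]+:waf-regional:[^:]*:\d{12}:webacl/[^/]+$")
ALB_ARN = re.compile(r"^arn:[^:]+:elasticloadbalancing:[^:]*:\d{12}:loadbalancer/app/[^/]+/[^/]+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(patterns, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def lint_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        # 1. Permissions-management actions should be scoped to specific ARNs, not Resource "*".
        pm = sorted(a for a in PERMISSIONS_MANAGEMENT if _grants(actions, a))
        if pm and "*" in resources:
            findings.append(f"statement {i}: {', '.join(pm)} allowed on Resource '*'")
        # 2. The table requires both loadbalancer/app/* and webacl* for AssociateWebACL.
        if _grants(actions, "waf-regional:AssociateWebACL"):
            covers = lambda pat: any(r == "*" or pat.match(r) for r in resources)
            if not (covers(WEBACL_ARN) and covers(ALB_ARN)):
                findings.append(f"statement {i}: AssociateWebACL needs both a webacl and a loadbalancer/app ARN")
    return findings

# Constructed sample policy: statement 0 is over-broad, statement 1 is properly scoped.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "waf-regional:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["waf-regional:AssociateWebACL", "waf-regional:GetWebACL"],
     "Resource": ["arn:aws:waf-regional:us-east-1:123456789012:webacl/EXAMPLE-WEBACL-ID",
                  "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-alb/EXAMPLE-LB-ID"]},
]}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)) or "no findings")
```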

Condition Keys for AWS WAF Regional

WAF Regional has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.