AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS WAF Regional

AWS WAF Regional (service prefix: waf-regional) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS WAF Regional

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AssociateWebACL | Associates a WebACL with a resource. | Write | loadbalancer/app/*, webacl* | | |
| CreateByteMatchSet | Creates a ByteMatchSet. | Write | bytematchset* | | |
| CreateGeoMatchSet | Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate from. | Write | geomatchset* | | |
| CreateIPSet | Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate from. | Write | ipset* | | |
| CreateRateBasedRule | Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period. | Write | ratebasedrule* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRegexMatchSet | Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a RegexPatternSet. | Write | regexmatchset* | | |
| CreateRegexPatternSet | Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for. | Write | regexpatternset* | | |
| CreateRule | Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block. | Write | rule* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRuleGroup | Creates a RuleGroup. A rule group is a collection of predefined rules that you add to a WebACL. | Write | rulegroup* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSizeConstraintSet | Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length. | Write | sizeconstraintset* | | |
| CreateSqlInjectionMatchSet | Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web requests. | Write | sqlinjectionmatchset* | | |
| CreateWebACL | Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count. | Permissions management | webacl* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateXssMatchSet | Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests. | Write | xssmatchset* | | |
| DeleteByteMatchSet | Permanently deletes a ByteMatchSet. | Write | bytematchset* | | |
| DeleteGeoMatchSet | Permanently deletes a GeoMatchSet. | Write | geomatchset* | | |
| DeleteIPSet | Permanently deletes an IPSet. | Write | ipset* | | |
| DeleteLoggingConfiguration | Permanently deletes the LoggingConfiguration from the specified web ACL. | Write | webacl* | | |
| DeletePermissionPolicy | Permanently deletes an IAM policy from the specified RuleGroup. | Permissions management | rulegroup* | | |
| DeleteRateBasedRule | Permanently deletes a RateBasedRule. | Write | ratebasedrule* | | |
| DeleteRegexMatchSet | Permanently deletes a RegexMatchSet. | Write | regexmatchset* | | |
| DeleteRegexPatternSet | Permanently deletes a RegexPatternSet. | Write | regexpatternset* | | |
| DeleteRule | Permanently deletes a Rule. | Write | rule* | | |
| DeleteRuleGroup | Permanently deletes a RuleGroup. | Write | rulegroup* | | |
| DeleteSizeConstraintSet | Permanently deletes a SizeConstraintSet. | Write | sizeconstraintset* | | |
| DeleteSqlInjectionMatchSet | Permanently deletes a SqlInjectionMatchSet. | Write | sqlinjectionmatchset* | | |
| DeleteWebACL | Permanently deletes a WebACL. | Permissions management | webacl* | | |
| DeleteXssMatchSet | Permanently deletes an XssMatchSet. | Write | xssmatchset* | | |
| DisassociateWebACL | Removes a WebACL from the specified resource. | Write | loadbalancer/app/* | | |
| GetByteMatchSet | Returns the ByteMatchSet specified by ByteMatchSetId. | Read | bytematchset* | | |
| GetChangeToken | When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete request. | Read | | | |
| GetChangeTokenStatus | Returns the status of a ChangeToken that you got by calling GetChangeToken. | Read | | | |
| GetGeoMatchSet | Returns the GeoMatchSet specified by GeoMatchSetId. | Read | geomatchset* | | |
| GetIPSet | Returns the IPSet that is specified by IPSetId. | Read | ipset* | | |
| GetLoggingConfiguration | Returns the LoggingConfiguration for the specified web ACL. | Read | webacl* | | |
| GetPermissionPolicy | Returns the IAM policy attached to the RuleGroup. | Read | rulegroup* | | |
| GetRateBasedRule | Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request. | Read | ratebasedrule* | | |
| GetRateBasedRuleManagedKeys | Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId. | Read | ratebasedrule* | | |
| GetRegexMatchSet | Returns the RegexMatchSet specified by RegexMatchSetId. | Read | regexmatchset* | | |
| GetRegexPatternSet | Returns the RegexPatternSet specified by RegexPatternSetId. | Read | regexpatternset* | | |
| GetRule | Returns the Rule that is specified by the RuleId that you included in the GetRule request. | Read | rule* | | |
| GetRuleGroup | Returns the RuleGroup that is specified by the RuleGroupId that you included in the GetRuleGroup request. | Read | rulegroup* | | |
| GetSampledRequests | Gets detailed information about a specified number of requests (a sample) that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose. | Read | rule, webacl | | |
| GetSizeConstraintSet | Returns the SizeConstraintSet specified by SizeConstraintSetId. | Read | sizeconstraintset* | | |
| GetSqlInjectionMatchSet | Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId. | Read | sqlinjectionmatchset* | | |
| GetWebACL | Returns the WebACL that is specified by WebACLId. | Read | webacl* | | |
| GetWebACLForResource | Returns the WebACL for the specified resource. | Read | loadbalancer/app/* | | |
| GetXssMatchSet | Returns the XssMatchSet that is specified by XssMatchSetId. | Read | xssmatchset* | | |
| ListActivatedRulesInRuleGroup | Returns an array of ActivatedRule objects. | List | | | |
| ListByteMatchSets | Returns an array of ByteMatchSetSummary objects. | List | | | |
| ListGeoMatchSets | Returns an array of GeoMatchSetSummary objects. | List | | | |
| ListIPSets | Returns an array of IPSetSummary objects in the response. | List | | | |
| ListLoggingConfigurations | Returns an array of LoggingConfiguration objects. | List | | | |
| ListRateBasedRules | Returns an array of RuleSummary objects. | List | | | |
| ListRegexMatchSets | Returns an array of RegexMatchSetSummary objects. | List | | | |
| ListRegexPatternSets | Returns an array of RegexPatternSetSummary objects. | List | | | |
| ListResourcesForWebACL | Returns an array of resources associated with the specified WebACL. | List | webacl* | | |
| ListRuleGroups | Returns an array of RuleGroup objects. | List | | | |
| ListRules | Returns an array of RuleSummary objects. | List | | | |
| ListSizeConstraintSets | Returns an array of SizeConstraintSetSummary objects. | List | | | |
| ListSqlInjectionMatchSets | Returns an array of SqlInjectionMatchSet objects. | List | | | |
| ListSubscribedRuleGroups | Returns an array of RuleGroup objects that you are subscribed to. | List | | | |
| ListTagsForResource | Lists the Tags for a given resource. | Read | ratebasedrule, rule, rulegroup, webacl | | |
| ListWebACLs | Returns an array of WebACLSummary objects in the response. | List | | | |
| ListXssMatchSets | Returns an array of XssMatchSet objects. | List | | | |
| PutLoggingConfiguration | Associates a LoggingConfiguration with a specified web ACL. | Write | webacl* | | iam:CreateServiceLinkedRole |
| PutPermissionPolicy | Attaches an IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts. | Permissions management | rulegroup* | | |
| TagResource | Adds a Tag to a given resource. | Tagging | ratebasedrule, rule, rulegroup, webacl | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Removes a Tag from a given resource. | Tagging | ratebasedrule, rule, rulegroup, webacl | aws:TagKeys | |
| UpdateByteMatchSet | Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet. | Write | bytematchset* | | |
| UpdateGeoMatchSet | Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet. | Write | geomatchset* | | |
| UpdateIPSet | Inserts or deletes IPSetDescriptor objects in an IPSet. | Write | ipset* | | |
| UpdateRateBasedRule | Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule. | Write | ratebasedrule* | | |
| UpdateRegexMatchSet | Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet. | Write | regexmatchset* | | |
| UpdateRegexPatternSet | Inserts or deletes RegexPatternStrings in a RegexPatternSet. | Write | regexpatternset* | | |
| UpdateRule | Inserts or deletes Predicate objects in a Rule. | Write | rule* | | |
| UpdateRuleGroup | Inserts or deletes ActivatedRule objects in a RuleGroup. | Write | rulegroup* | | |
| UpdateSizeConstraintSet | Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet. | Write | sizeconstraintset* | | |
| UpdateSqlInjectionMatchSet | Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet. | Write | sqlinjectionmatchset* | | |
| UpdateWebACL | Inserts or deletes ActivatedRule objects in a WebACL. | Permissions management | webacl* | | |
| UpdateXssMatchSet | Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet. | Write | xssmatchset* | | |

Resources Defined by AWS WAF Regional

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| bytematchset | arn:${Partition}:waf-regional:${Region}:${Account}:bytematchset/${Id} | |
| ipset | arn:${Partition}:waf-regional:${Region}:${Account}:ipset/${Id} | |
| loadbalancer/app/ | arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/app/${LoadBalancerName}/${LoadBalancerId} | |
| ratebasedrule | arn:${Partition}:waf-regional:${Region}:${Account}:ratebasedrule/${Id} | aws:ResourceTag/${TagKey} |
| rule | arn:${Partition}:waf-regional:${Region}:${Account}:rule/${Id} | aws:ResourceTag/${TagKey} |
| sizeconstraintset | arn:${Partition}:waf-regional:${Region}:${Account}:sizeconstraintset/${Id} | |
| sqlinjectionmatchset | arn:${Partition}:waf-regional:${Region}:${Account}:sqlinjectionmatchset/${Id} | |
| webacl | arn:${Partition}:waf-regional:${Region}:${Account}:webacl/${Id} | aws:ResourceTag/${TagKey} |
| xssmatchset | arn:${Partition}:waf-regional:${Region}:${Account}:xssmatchset/${Id} | |
| regexmatchset | arn:${Partition}:waf-regional:${Region}:${Account}:regexmatch/${Id} | |
| regexpatternset | arn:${Partition}:waf-regional:${Region}:${Account}:regexpatternset/${Id} | |
| geomatchset | arn:${Partition}:waf-regional:${Region}:${Account}:geomatchset/${Id} | |
| rulegroup | arn:${Partition}:waf-regional:${Region}:${Account}:rulegroup/${Id} | aws:ResourceTag/${TagKey} |

Condition Keys for AWS WAF Regional

AWS WAF Regional defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String |
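As an added example (not from the AWS documentation), the identity-based policy below exercises the three tables above: GetChangeToken and GetChangeTokenStatus have no resource type, so their Resource must be "*"; AssociateWebACL names both of its required resource types (a webacl ARN and a loadbalancer/app/ ARN); CreateRule is restricted with the aws:RequestTag and aws:TagKeys condition keys so a rule can only be created when it carries an approved Environment tag; and PutLoggingConfiguration is paired with its dependent action iam:CreateServiceLinkedRole. The account ID 111122223333, the region us-east-1, the web ACL ID EXAMPLE-WEBACL-ID, the load balancer name example-alb and the tag keys and values are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ChangeTokensHaveNoResourceType",
      "Effect": "Allow",
      "Action": [
        "waf-regional:GetChangeToken",
        "waf-regional:GetChangeTokenStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AssociateWebACLNamesBothRequiredResources",
      "Effect": "Allow",
      "Action": "waf-regional:AssociateWebACL",
      "Resource": [
        "arn:aws:waf-regional:us-east-1:111122223333:webacl/EXAMPLE-WEBACL-ID",
        "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example-alb/*"
      ]
    },
    {
      "Sid": "CreateRuleOnlyWithMandatoryTag",
      "Effect": "Allow",
      "Action": "waf-regional:CreateRule",
      "Resource": "arn:aws:waf-regional:us-east-1:111122223333:rule/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Environment": "prod" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Environment", "Owner"] }
      }
    },
    {
      "Sid": "LoggingConfigurationOnOneWebACL",
      "Effect": "Allow",
      "Action": "waf-regional:PutLoggingConfiguration",
      "Resource": "arn:aws:waf-regional:us-east-1:111122223333:webacl/EXAMPLE-WEBACL-ID"
    },
    {
      "Sid": "DependentActionForPutLoggingConfiguration",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*"
    }
  ]
}
```

The StringEquals test on aws:RequestTag/Environment fails when that tag is absent from the request, which is what makes the tag mandatory, and ForAllValues:StringEquals on aws:TagKeys rejects any additional tag keys that are not in the listed set. The rule ARN uses rule/* because the rule's Id is assigned only after CreateRule succeeds.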