AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

AWS WAF API Permissions: Actions, Resources, and Conditions Reference

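When you write permissions policies that you can attach to an identity (identity-based policies), you can use the following table as a reference. The table lists each AWS WAF API operation, the corresponding action that you can grant permission to perform, and the AWS resource for which you can grant the permission. You specify the action in the policy's Action field and the resource value in the policy's Resource field.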

You can use AWS-wide condition keys in your AWS WAF policies to express conditions. For the complete list of AWS-wide keys, see Available Condition Keys in the IAM User Guide.

Note

To specify an action, use the waf: prefix followed by the API operation name (for example, waf:CreateIPSet).

AWS WAF API and Required Permissions for Actions

| AWS WAF API operation | Required permissions (API actions) | Resources |
| --- | --- | --- |
| AssociateWebACL | waf:AssociateWebACL, elasticloadbalancing:SetWebACL | AssociateWebACL: arn:aws:waf-regional:region:account-id:bytematchset/entity-ID; SetWebACL: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/entity-ID |
| CreateByteMatchSet | waf:CreateByteMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| CreateIPSet | waf:CreateIPSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| CreateRule | waf:CreateRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| CreateRateBasedRule | waf:CreateRateBasedRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| CreateRegexMatchSet | waf:CreateRegexMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID |
| CreateRegexPatternSet | waf:CreateRegexPatternSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID |
| CreateSizeConstraintSet | waf:CreateSizeConstraintSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| CreateSqlInjectionMatchSet | waf:CreateSqlInjectionMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| CreateWebACL | waf:CreateWebACL | Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| CreateXssMatchSet | waf:CreateXssMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
| DeleteByteMatchSet | waf:DeleteByteMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| DeleteIPSet | waf:DeleteIPSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| DeleteRule | waf:DeleteRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| DeleteRateBasedRule | waf:DeleteRateBasedRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| DeleteRegexMatchSet | waf:DeleteRegexMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID |
| DeleteRegexPatternSet | waf:DeleteRegexPatternSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID |
| DeleteSizeConstraintSet | waf:DeleteSizeConstraintSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| DeleteSqlInjectionMatchSet | waf:DeleteSqlInjectionMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| DeleteWebACL | waf:DeleteWebACL | Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| DeleteXssMatchSet | waf:DeleteXssMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
| DisassociateWebACL | waf:DisassociateWebACL, elasticloadbalancing:SetWebACL | DisassociateWebACL: arn:aws:waf-regional:region:account-id:bytematchset/entity-ID; SetWebACL: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/entity-ID |
| GetByteMatchSet | waf:GetByteMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| GetChangeToken | waf:GetChangeToken | Global (for Amazon CloudFront): arn:aws:waf::account-id:changetoken/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:changetoken/entity-ID |
| GetChangeTokenStatus | waf:GetChangeTokenStatus | Global (for Amazon CloudFront): arn:aws:waf::account-id:changetoken/token-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:changetoken/token-ID |
| GetIPSet | waf:GetIPSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| GetRule | waf:GetRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| GetRateBasedRule | waf:GetRateBasedRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| GetRateBasedRuleManagedKeys | waf:GetRateBasedRuleManagedKeys | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| GetRegexMatchSet | waf:GetRegexMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID |
| GetRegexPatternSet | waf:GetRegexPatternSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID |
| GetSampledRequests | waf:GetSampledRequests | The resource depends on the parameters specified in the API call. You must have access to the rule or web ACL that corresponds to the request for samples. For example: Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/example1 or arn:aws:waf::account-id:webacl/example2; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/example1 or arn:aws:waf-regional:region:account-id:webacl/example2 |
| GetSizeConstraintSet | waf:GetSizeConstraintSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| GetSqlInjectionMatchSet | waf:GetSqlInjectionMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| GetWebACL | waf:GetWebACL | Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| GetXssMatchSet | waf:GetXssMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
| ListByteMatchSets | waf:ListByteMatchSets | Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchsets/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchsets/entity-ID |
| ListIPSets | waf:ListIPSets | Global (for Amazon CloudFront): arn:aws:waf::account-id:ipsets/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipsets/entity-ID |
| ListRules | waf:ListRules | Global (for Amazon CloudFront): arn:aws:waf::account-id:rules/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rules/entity-ID |
| ListRateBasedRules | waf:ListRateBasedRules | Global (for Amazon CloudFront): arn:aws:waf::account-id:rules/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rules/entity-ID |
| ListRegexMatchSets | waf:ListRegexMatchSets | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID |
| ListRegexPatternSets | waf:ListRegexPatternSets | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID |
| ListSizeConstraintSets | waf:ListSizeConstraintSets | Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstaintsets/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstaintsets/entity-ID |
| ListSqlInjectionMatchSets | waf:ListSqlInjectionMatchSets | Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchsets/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchsets/entity-ID |
| ListWebACLs | waf:ListWebACLs | Global (for Amazon CloudFront): arn:aws:waf::account-id:webacls/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacls/entity-ID |
| ListXssMatchSets | waf:ListXssMatchSets | Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchsets/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchsets/entity-ID |
| UpdateByteMatchSet | waf:UpdateByteMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID |
| UpdateIPSet | waf:UpdateIPSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID |
| UpdateRule | waf:UpdateRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| UpdateRateBasedRule | waf:UpdateRateBasedRule | Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID |
| UpdateRegexMatchSet | waf:UpdateRegexMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID |
| UpdateRegexPatternSet | waf:UpdateRegexPatternSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID |
| UpdateSizeConstraintSet | waf:UpdateSizeConstraintSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID |
| UpdateSqlInjectionMatchSet | waf:UpdateSqlInjectionMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID |
| UpdateWebACL | waf:UpdateWebACL | Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID |
| UpdateXssMatchSet | waf:UpdateXssMatchSet | Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID; Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID |
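
As an added example (not part of the AWS guide), the following Python check audits an identity-based policy against the Action and Resource pairs listed in the table. It flags wildcard actions, wildcard entity IDs, and actions granted on the wrong resource type. The function name `audit_waf_policy`, the three-row subset of the table, and the account and entity IDs in the sample policies are assumptions made for illustration.

```python
import re

# Resource type each action operates on (a subset of the rows in the table).
ACTION_RESOURCE_TYPE = {
    "waf:GetIPSet": "ipset",
    "waf:UpdateIPSet": "ipset",
    "waf:UpdateWebACL": "webacl",
}
# Global (CloudFront) and regional (Application Load Balancer) ARN shapes.
WAF_ARN = re.compile(
    r"^arn:aws:(?:waf::|waf-regional:[a-z0-9-]+:)\d{12}:"
    r"(?P<type>[a-z]+)/(?P<id>.+)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_waf_policy(policy):
    """Return (statement index, action, reason) for over-broad WAF grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not (action == "*" or action.startswith("waf:")):
                continue
            if "*" in action:
                findings.append((idx, action, "wildcard action"))
                continue
            expected = ACTION_RESOURCE_TYPE.get(action)
            for resource in _as_list(stmt.get("Resource", [])):
                arn = WAF_ARN.match(resource)
                if arn is None:
                    findings.append((idx, action, "resource is not a WAF ARN"))
                elif "*" in arn["id"]:
                    findings.append((idx, action, f"wildcard {arn['type']} ID"))
                elif expected and arn["type"] != expected:
                    findings.append((idx, action, f"expected {expected} ARN"))
    return findings

# Constructed sample policies; the account ID and entity IDs are placeholders.
TIGHT = {"Statement": [{"Effect": "Allow",
    "Action": ["waf:GetIPSet", "waf:UpdateIPSet"],
    "Resource": "arn:aws:waf::111122223333:ipset/example-ipset-id"}]}
LOOSE = {"Statement": [
    {"Effect": "Allow", "Action": "waf:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "waf:UpdateIPSet",
     "Resource": "arn:aws:waf::111122223333:webacl/example-webacl-id"},
    {"Effect": "Allow", "Action": "waf:UpdateWebACL",
     "Resource": "arn:aws:waf::111122223333:webacl/*"}]}
```

`audit_waf_policy(TIGHT)` returns no findings, while `audit_waf_policy(LOOSE)` returns one finding per statement.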