Actions, resources, and condition keys for AWS Network Firewall - Service Authorization Reference

Actions, resources, and condition keys for AWS Network Firewall

AWS Network Firewall (service prefix: network-firewall) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Network Firewall

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssociateFirewallPolicy Grants permission to create an association between a firewall policy and a firewall Write

Firewall*

FirewallPolicy*

AssociateSubnets Grants permission to associate VPC subnets to a firewall Write

Firewall*

CreateFirewall Grants permission to create an AWS Network Firewall firewall Write

Firewall*

iam:CreateServiceLinkedRole

FirewallPolicy*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFirewallPolicy Grants permission to create an AWS Network Firewall firewall policy Write

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

TLSInspectionConfiguration

aws:RequestTag/${TagKey}

aws:TagKeys

CreateRuleGroup Grants permission to create an AWS Network Firewall rule group Write

StatefulRuleGroup

StatelessRuleGroup

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTLSInspectionConfiguration Grants permission to create an AWS Network Firewall tls inspection configuration Write

TLSInspectionConfiguration*

iam:CreateServiceLinkedRole

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteFirewall Grants permission to delete a firewall Write

Firewall*

DeleteFirewallPolicy Grants permission to delete a firewall policy Write

FirewallPolicy*

DeleteResourcePolicy Grants permission to delete a resource policy for a firewall policy or rule group Write

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

DeleteRuleGroup Grants permission to delete a rule group Write

StatefulRuleGroup*

StatelessRuleGroup*

DeleteTLSInspectionConfiguration Grants permission to delete a tls inspection configuration Write

TLSInspectionConfiguration*

DescribeFirewall Grants permission to retrieve the data objects that define a firewall Read

Firewall*

DescribeFirewallPolicy Grants permission to retrieve the data objects that define a firewall policy Read

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

TLSInspectionConfiguration

DescribeLoggingConfiguration Grants permission to describe the logging configuration of a firewall Read

Firewall*

logs:GetLogDelivery

logs:ListLogDeliveries

DescribeResourcePolicy Grants permission to describe a resource policy for a firewall policy or rule group Read

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

DescribeRuleGroup Grants permission to retrieve the data objects that define a rule group Read

StatefulRuleGroup

StatelessRuleGroup

DescribeRuleGroupMetadata Grants permission to retrieve the high-level information about a rule group Read

StatefulRuleGroup

StatelessRuleGroup

DescribeTLSInspectionConfiguration Grants permission to retrieve the data objects that define a tls inspection configuration Read

TLSInspectionConfiguration*

DisassociateSubnets Grants permission to disassociate VPC subnets from a firewall Write

Firewall*

ListFirewallPolicies Grants permission to retrieve the metadata for firewall policies List

FirewallPolicy*

ListFirewalls Grants permission to retrieve the metadata for firewalls List

Firewall*

ListRuleGroups Grants permission to retrieve the metadata for rule groups List
ListTLSInspectionConfigurations Grants permission to retrieve the metadata for tls inspection configurations List

TLSInspectionConfiguration*

ListTagsForResource Grants permission to retrieve the tags for a resource List

Firewall*

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

TLSInspectionConfiguration

PutResourcePolicy Grants permission to put a resource policy for a firewall policy or rule group Write

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

TagResource Grants permission to attach tags to a resource Tagging

Firewall

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

TLSInspectionConfiguration

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove tags from a resource Tagging

Firewall

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

TLSInspectionConfiguration

aws:TagKeys

UpdateFirewallDeleteProtection Grants permission to add or remove delete protection for a firewall Write

Firewall*

UpdateFirewallDescription Grants permission to modify the description for a firewall Write

Firewall*

UpdateFirewallEncryptionConfiguration Grants permission to modify the encryption configuration of a firewall Write

Firewall*

UpdateFirewallPolicy Grants permission to modify a firewall policy Write

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

TLSInspectionConfiguration

UpdateFirewallPolicyChangeProtection Grants permission to add or remove firewall policy change protection for a firewall Write

Firewall*

UpdateLoggingConfiguration Grants permission to modify the logging configuration of a firewall Write

Firewall*

UpdateRuleGroup Grants permission to modify a rule group Write

StatefulRuleGroup

StatelessRuleGroup

UpdateSubnetChangeProtection Grants permission to add or remove subnet change protection for a firewall Write

Firewall*

UpdateTLSInspectionConfiguration Grants permission to modify a tls inspection configuration Write

TLSInspectionConfiguration*

Resource types defined by AWS Network Firewall

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
Firewall arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}

aws:ResourceTag/${TagKey}

FirewallPolicy arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}

aws:ResourceTag/${TagKey}

StatefulRuleGroup arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}

aws:ResourceTag/${TagKey}

StatelessRuleGroup arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}

aws:ResourceTag/${TagKey}

TLSInspectionConfiguration arn:${Partition}:network-firewall:${Region}:${Account}:tls-configuration/${Name}

aws:ResourceTag/${TagKey}

Condition keys for AWS Network Firewall

AWS Network Firewall defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by on the allowed set of values for each of the tags String
aws:ResourceTag/${TagKey} Filters access by the tag value associated with the resource String
aws:TagKeys Filters access by the presence of mandatory tags in the request ArrayOfString