Actions, resources, and condition keys for AWS Network Firewall - Service Authorization Reference

Actions, resources, and condition keys for AWS Network Firewall

AWS Network Firewall (service prefix: network-firewall) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Network Firewall

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssociateFirewallPolicy Grants permission to create an association between a firewall policy and a firewall Write

Firewall*

FirewallPolicy*

AssociateSubnets Grants permission to associate VPC subnets to a firewall Write

Firewall*

CreateFirewall Grants permission to create an AWS Network Firewall firewall Write

Firewall*

iam:CreateServiceLinkedRole

FirewallPolicy*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFirewallPolicy Grants permission to create an AWS Network Firewall firewall policy Write

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

aws:RequestTag/${TagKey}

aws:TagKeys

CreateRuleGroup Grants permission to create an AWS Network Firewall rule group Write

StatefulRuleGroup

StatelessRuleGroup

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteFirewall Grants permission to delete a firewall Write

Firewall*

DeleteFirewallPolicy Grants permission to delete a firewall policy Write

FirewallPolicy*

DeleteResourcePolicy Grants permission to delete a resource policy for a firewall policy or rule group Write

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

DeleteRuleGroup Grants permission to delete a rule group Write

StatefulRuleGroup*

StatelessRuleGroup*

DescribeFirewall Grants permission to retrieve the data objects that define a firewall Read

Firewall*

DescribeFirewallPolicy Grants permission to retrieve the data objects that define a firewall policy Read

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

DescribeLoggingConfiguration Grants permission to describe the logging configuration of a firewall Read

Firewall*

DescribeResourcePolicy Grants permission to describe a resource policy for a firewall policy or rule group Read

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

DescribeRuleGroup Grants permission to retrieve the data objects that define a rule group Read

StatefulRuleGroup

StatelessRuleGroup

DescribeRuleGroupMetadata Grants permission to retrieve the high-level information about a rule group Read

StatefulRuleGroup

StatelessRuleGroup

DisassociateSubnets Grants permission to disassociate VPC subnets from a firewall Write

Firewall*

ListFirewallPolicies Grants permission to retrieve the metadata for firewall policies List

FirewallPolicy*

ListFirewalls Grants permission to retrieve the metadata for firewalls List

Firewall*

ListRuleGroups Grants permission to retrieve the metadata for rule groups List
ListTagsForResource Grants permission to retrieve the tags for a resource List

Firewall*

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

PutResourcePolicy Grants permission to put a resource policy for a firewall policy or rule group Write

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

TagResource Grants permission to attach tags to a resource Tagging

Firewall

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove tags from a resource Tagging

Firewall

FirewallPolicy

StatefulRuleGroup

StatelessRuleGroup

aws:TagKeys

UpdateFirewallDeleteProtection Grants permission to add or remove delete protection for a firewall Write

Firewall*

UpdateFirewallDescription Grants permission to modify the description for a firewall Write

Firewall*

UpdateFirewallPolicy Grants permission to modify a firewall policy Write

FirewallPolicy*

StatefulRuleGroup

StatelessRuleGroup

UpdateFirewallPolicyChangeProtection Grants permission to add or remove firewall policy change protection for a firewall Write

Firewall*

UpdateLoggingConfiguration Grants permission to modify the logging configuration of a firewall Write

Firewall*

UpdateRuleGroup Grants permission to modify a rule group Write

StatefulRuleGroup

StatelessRuleGroup

UpdateSubnetChangeProtection Grants permission to add or remove subnet change protection for a firewall Write

Firewall*

Resource types defined by AWS Network Firewall

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
Firewall arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}

aws:ResourceTag/${TagKey}

FirewallPolicy arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}

aws:ResourceTag/${TagKey}

StatefulRuleGroup arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}

aws:ResourceTag/${TagKey}

StatelessRuleGroup arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}

aws:ResourceTag/${TagKey}

Condition keys for AWS Network Firewall

AWS Network Firewall defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by on the allowed set of values for each of the tags String
aws:ResourceTag/${TagKey} Filters access by the tag value associated with the resource String
aws:TagKeys Filters access by the presence of mandatory tags in the request ArrayOfString