Actions, resources, and condition keys for AWS WAF
AWS WAF (service prefix: waf) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS WAF
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
CreateByteMatchSet | Creates a ByteMatchSet. | Write | |||
CreateGeoMatchSet | Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate from. | Write | |||
CreateIPSet | Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate from. | Write | |||
CreateRateBasedRule | Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period. | Write | |||
CreateRegexMatchSet | Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a RegexPatternSet. | Write | |||
CreateRegexPatternSet | Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for. | Write | |||
CreateRule | Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block. | Write | |||
CreateRuleGroup | Creates a RuleGroup. A rule group is a collection of predefined rules that you add to a WebACL. | Write | |||
CreateSizeConstraintSet | Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length. | Write | |||
CreateSqlInjectionMatchSet | Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web requests. | Write | |||
CreateWebACL | Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count. | Permissions management | |||
CreateWebACLMigrationStack | Creates and stores a CloudFormation template that creates an equivalent WAF v2 WebACL from the given WAF Classic WebACL in the given S3 bucket. | Write | | | s3:PutObject |
CreateXssMatchSet | Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests. | Write | |||
DeleteByteMatchSet | Permanently deletes a ByteMatchSet. | Write | |||
DeleteGeoMatchSet | Permanently deletes a GeoMatchSet. | Write | |||
DeleteIPSet | Permanently deletes an IPSet. | Write | |||
DeleteLoggingConfiguration | Permanently deletes the LoggingConfiguration from the specified web ACL. | Write | |||
DeletePermissionPolicy | Permanently deletes an IAM policy from the specified RuleGroup. | Permissions management | |||
DeleteRateBasedRule | Permanently deletes a RateBasedRule. | Write | |||
DeleteRegexMatchSet | Permanently deletes a RegexMatchSet. | Write | |||
DeleteRegexPatternSet | Permanently deletes a RegexPatternSet. | Write | |||
DeleteRule | Permanently deletes a Rule. | Write | |||
DeleteRuleGroup | Permanently deletes a RuleGroup. | Write | |||
DeleteSizeConstraintSet | Permanently deletes a SizeConstraintSet. | Write | |||
DeleteSqlInjectionMatchSet | Permanently deletes a SqlInjectionMatchSet. | Write | |||
DeleteWebACL | Permanently deletes a WebACL. | Permissions management | |||
DeleteXssMatchSet | Permanently deletes an XssMatchSet. | Write | |||
GetByteMatchSet | Returns the ByteMatchSet specified by ByteMatchSetId. | Read | |||
GetChangeToken | When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete request. | Read | |||
GetChangeTokenStatus | Returns the status of a ChangeToken that you got by calling GetChangeToken. | Read | |||
GetGeoMatchSet | Returns the GeoMatchSet specified by GeoMatchSetId. | Read | |||
GetIPSet | Returns the IPSet that is specified by IPSetId. | Read | |||
GetLoggingConfiguration | Returns the LoggingConfiguration for the specified web ACL. | Read | |||
GetPermissionPolicy | Returns the IAM policy attached to the RuleGroup. | Read | |||
GetRateBasedRule | Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request. | Read | |||
GetRateBasedRuleManagedKeys | Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId. | Read | |||
GetRegexMatchSet | Returns the RegexMatchSet specified by RegexMatchSetId. | Read | |||
GetRegexPatternSet | Returns the RegexPatternSet specified by RegexPatternSetId. | Read | |||
GetRule | Returns the Rule that is specified by the RuleId that you included in the GetRule request. | Read | |||
GetRuleGroup | Returns the RuleGroup that is specified by the RuleGroupId that you included in the GetRuleGroup request. | Read | |||
GetSampledRequests | Gets detailed information about a specified number of requests--a sample--that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose. | Read | |||
GetSizeConstraintSet | Returns the SizeConstraintSet specified by SizeConstraintSetId. | Read | |||
GetSqlInjectionMatchSet | Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId. | Read | |||
GetWebACL | Returns the WebACL that is specified by WebACLId. | Read | |||
GetXssMatchSet | Returns the XssMatchSet that is specified by XssMatchSetId. | Read | |||
ListActivatedRulesInRuleGroup | Returns an array of ActivatedRule objects. | List | |||
ListByteMatchSets | Returns an array of ByteMatchSetSummary objects. | List | |||
ListGeoMatchSets | Returns an array of GeoMatchSetSummary objects. | List | |||
ListIPSets | Returns an array of IPSetSummary objects in the response. | List | |||
ListLoggingConfigurations | Returns an array of LoggingConfiguration objects. | List | |||
ListRateBasedRules | Returns an array of RuleSummary objects. | List | |||
ListRegexMatchSets | Returns an array of RegexMatchSetSummary objects. | List | |||
ListRegexPatternSets | Returns an array of RegexPatternSetSummary objects. | List | |||
ListRuleGroups | Returns an array of RuleGroup objects. | List | |||
ListRules | Returns an array of RuleSummary objects. | List | |||
ListSizeConstraintSets | Returns an array of SizeConstraintSetSummary objects. | List | |||
ListSqlInjectionMatchSets | Returns an array of SqlInjectionMatchSet objects. | List | |||
ListSubscribedRuleGroups | Returns an array of RuleGroup objects that you are subscribed to. | List | |||
ListTagsForResource | Lists the Tags for a given resource. | Read | |||
ListWebACLs | Returns an array of WebACLSummary objects in the response. | List | |||
ListXssMatchSets | Returns an array of XssMatchSet objects. | List | |||
PutLoggingConfiguration | Associates a LoggingConfiguration with a specified web ACL. | Write | | | iam:CreateServiceLinkedRole |
PutPermissionPolicy | Attaches an IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts. | Permissions management | |||
TagResource | Adds a Tag to a given resource. | Tagging | |||
UntagResource | Removes a Tag from a given resource. | Tagging | |||
UpdateByteMatchSet | Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet. | Write | |||
UpdateGeoMatchSet | Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet. | Write | |||
UpdateIPSet | Inserts or deletes IPSetDescriptor objects in an IPSet. | Write | |||
UpdateRateBasedRule | Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule. | Write | |||
UpdateRegexMatchSet | Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet. | Write | |||
UpdateRegexPatternSet | Inserts or deletes RegexPatternStrings in a RegexPatternSet. | Write | |||
UpdateRule | Inserts or deletes Predicate objects in a Rule. | Write | |||
UpdateRuleGroup | Inserts or deletes ActivatedRule objects in a RuleGroup. | Write | |||
UpdateSizeConstraintSet | Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet. | Write | |||
UpdateSqlInjectionMatchSet | Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet. | Write | |||
UpdateWebACL | Inserts or deletes ActivatedRule objects in a WebACL. | Permissions management | |||
UpdateXssMatchSet | Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet. | Write | |||
Resource types defined by AWS WAF
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.
Resource types | ARN | Condition keys |
---|---|---|
bytematchset | arn:${Partition}:waf::${Account}:bytematchset/${Id} | |
ipset | arn:${Partition}:waf::${Account}:ipset/${Id} | |
ratebasedrule | arn:${Partition}:waf::${Account}:ratebasedrule/${Id} | |
rule | arn:${Partition}:waf::${Account}:rule/${Id} | |
sizeconstraintset | arn:${Partition}:waf::${Account}:sizeconstraintset/${Id} | |
sqlinjectionmatchset | arn:${Partition}:waf::${Account}:sqlinjectionset/${Id} | |
webacl | arn:${Partition}:waf::${Account}:webacl/${Id} | |
xssmatchset | arn:${Partition}:waf::${Account}:xssmatchset/${Id} | |
regexmatchset | arn:${Partition}:waf::${Account}:regexmatch/${Id} | |
regexpatternset | arn:${Partition}:waf::${Account}:regexpatternset/${Id} | |
geomatchset | arn:${Partition}:waf::${Account}:geomatchset/${Id} | |
rulegroup | arn:${Partition}:waf::${Account}:rulegroup/${Id} | |
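The two tables above are most useful when you can check a policy against them. The following is an added example (not AWS code): a small linter that flags Allow statements granting one of the Permissions management actions from the actions table on all resources ("*"), and validates resource ARNs against the ARN patterns in the resource types table, including the sqlinjectionset and regexmatch segments that differ from the resource type names. The sample policy is constructed for illustration; the account ID is a placeholder.

```python
import re

# Access level "Permissions management" actions, copied from the actions table.
PERMISSIONS_MANAGEMENT = {
    "waf:CreateWebACL", "waf:DeleteWebACL", "waf:UpdateWebACL",
    "waf:PutPermissionPolicy", "waf:DeletePermissionPolicy",
}
# ARN resource segments from the resource types table. Note that two segments
# do not equal the resource type name: sqlinjectionset and regexmatch.
ARN_SEGMENTS = {
    "bytematchset", "ipset", "ratebasedrule", "rule", "sizeconstraintset",
    "sqlinjectionset", "webacl", "xssmatchset", "regexmatch",
    "regexpatternset", "geomatchset", "rulegroup",
}
# arn:${Partition}:waf::${Account}:<segment>/${Id}  (region field is empty).
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):waf::(\d{12}):([a-z]+)/([^/]+)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_waf_policy(policy):
    """Return a list of findings for Allow statements that use waf: actions."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            broad = action in ("*", "waf:*") or action in PERMISSIONS_MANAGEMENT
            if broad and "*" in resources:
                findings.append(f"statement {i}: permissions-management action "
                                f"{action} granted on all resources")
        for res in resources:
            if res == "*":
                continue
            m = ARN_RE.match(res)
            if not m or m.group(3) not in ARN_SEGMENTS:
                findings.append(f"statement {i}: {res} is not a valid AWS WAF Classic ARN")
    return findings

# Constructed sample policy (account ID is a placeholder, not a real account).
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["waf:GetWebACL", "waf:ListWebACLs"], "Resource": "*"},
        {"Effect": "Allow", "Action": "waf:UpdateWebACL", "Resource": "*"},
        {"Effect": "Allow", "Action": "waf:GetSqlInjectionMatchSet",
         "Resource": "arn:aws:waf::123456789012:sqlinjectionmatchset/abc123"},
    ],
}
```

Running `lint_waf_policy(EXAMPLE_POLICY)` reports statement 1 (UpdateWebACL on "*") and statement 2, whose ARN uses the resource type name instead of the sqlinjectionset segment the table specifies.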
Condition keys for AWS WAF
AWS WAF defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
aws:ResourceTag/${TagKey} | Filters actions based on the tag value associated with the resource | String |
aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | String |