Actions, resources, and condition keys for AWS WAF - Service Authorization Reference

AWS WAF (service prefix: waf) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS WAF

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateByteMatchSet | Grants permission to create a ByteMatchSet | Write | bytematchset* | | |
| CreateGeoMatchSet | Grants permission to create a GeoMatchSet | Write | geomatchset* | | |
| CreateIPSet | Grants permission to create an IPSet | Write | ipset* | | |
| CreateRateBasedRule | Grants permission to create a RateBasedRule for limiting the volume of requests from a single IP address | Write | ratebasedrule* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRegexMatchSet | Grants permission to create a RegexMatchSet | Write | regexmatchset* | | |
| CreateRegexPatternSet | Grants permission to create a RegexPatternSet | Write | regexpatternset* | | |
| CreateRule | Grants permission to create a Rule for filtering web requests | Write | rule* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRuleGroup | Grants permission to create a RuleGroup, which is a collection of predefined rules that you can use in a WebACL | Write | rulegroup* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSizeConstraintSet | Grants permission to create a SizeConstraintSet | Write | sizeconstraintset* | | |
| CreateSqlInjectionMatchSet | Grants permission to create an SqlInjectionMatchSet | Write | sqlinjectionmatchset* | | |
| CreateWebACL | Grants permission to create a WebACL, which contains rules for filtering web requests | Permissions management | webacl* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateWebACLMigrationStack | Grants permission to create a CloudFormation web ACL template in an S3 bucket for the purposes of migrating the web ACL from AWS WAF Classic to AWS WAF v2 | Write | webacl* | | s3:PutObject |
| CreateXssMatchSet | Grants permission to create an XssMatchSet, which you use to detect requests that contain cross-site scripting attacks | Write | xssmatchset* | | |
| DeleteByteMatchSet | Grants permission to delete a ByteMatchSet | Write | bytematchset* | | |
| DeleteGeoMatchSet | Grants permission to delete a GeoMatchSet | Write | geomatchset* | | |
| DeleteIPSet | Grants permission to delete an IPSet | Write | ipset* | | |
| DeleteLoggingConfiguration | Grants permission to delete the LoggingConfiguration from a web ACL | Write | webacl* | | |
| DeletePermissionPolicy | Grants permission to delete an IAM policy from a rule group | Permissions management | rulegroup* | | |
| DeleteRateBasedRule | Grants permission to delete a RateBasedRule | Write | ratebasedrule* | | |
| DeleteRegexMatchSet | Grants permission to delete a RegexMatchSet | Write | regexmatchset* | | |
| DeleteRegexPatternSet | Grants permission to delete a RegexPatternSet | Write | regexpatternset* | | |
| DeleteRule | Grants permission to delete a Rule | Write | rule* | | |
| DeleteRuleGroup | Grants permission to delete a RuleGroup | Write | rulegroup* | | |
| DeleteSizeConstraintSet | Grants permission to delete a SizeConstraintSet | Write | sizeconstraintset* | | |
| DeleteSqlInjectionMatchSet | Grants permission to delete an SqlInjectionMatchSet | Write | sqlinjectionmatchset* | | |
| DeleteWebACL | Grants permission to delete a WebACL | Permissions management | webacl* | | |
| DeleteXssMatchSet | Grants permission to delete an XssMatchSet | Write | xssmatchset* | | |
| GetByteMatchSet | Grants permission to retrieve a ByteMatchSet | Read | bytematchset* | | |
| GetChangeToken | Grants permission to retrieve a change token to use in create, update, and delete requests | Read | | | |
| GetChangeTokenStatus | Grants permission to retrieve the status of a change token | Read | | | |
| GetGeoMatchSet | Grants permission to retrieve a GeoMatchSet | Read | geomatchset* | | |
| GetIPSet | Grants permission to retrieve an IPSet | Read | ipset* | | |
| GetLoggingConfiguration | Grants permission to retrieve a LoggingConfiguration for a web ACL | Read | webacl* | | |
| GetPermissionPolicy | Grants permission to retrieve an IAM policy for a rule group | Read | rulegroup* | | |
| GetRateBasedRule | Grants permission to retrieve a RateBasedRule | Read | ratebasedrule* | | |
| GetRateBasedRuleManagedKeys | Grants permission to retrieve the array of IP addresses that are currently being blocked by a RateBasedRule | Read | ratebasedrule* | | |
| GetRegexMatchSet | Grants permission to retrieve a RegexMatchSet | Read | regexmatchset* | | |
| GetRegexPatternSet | Grants permission to retrieve a RegexPatternSet | Read | regexpatternset* | | |
| GetRule | Grants permission to retrieve a Rule | Read | rule* | | |
| GetRuleGroup | Grants permission to retrieve a RuleGroup | Read | rulegroup* | | |
| GetSampledRequests | Grants permission to retrieve detailed information about a sample set of web requests | Read | rule, webacl | | |
| GetSizeConstraintSet | Grants permission to retrieve a SizeConstraintSet | Read | sizeconstraintset* | | |
| GetSqlInjectionMatchSet | Grants permission to retrieve an SqlInjectionMatchSet | Read | sqlinjectionmatchset* | | |
| GetWebACL | Grants permission to retrieve a WebACL | Read | webacl* | | |
| GetXssMatchSet | Grants permission to retrieve an XssMatchSet | Read | xssmatchset* | | |
| ListActivatedRulesInRuleGroup | Grants permission to retrieve an array of ActivatedRule objects | List | | | |
| ListByteMatchSets | Grants permission to retrieve an array of ByteMatchSetSummary objects | List | | | |
| ListGeoMatchSets | Grants permission to retrieve an array of GeoMatchSetSummary objects | List | | | |
| ListIPSets | Grants permission to retrieve an array of IPSetSummary objects | List | | | |
| ListLoggingConfigurations | Grants permission to retrieve an array of LoggingConfiguration objects | List | | | |
| ListRateBasedRules | Grants permission to retrieve an array of RuleSummary objects | List | | | |
| ListRegexMatchSets | Grants permission to retrieve an array of RegexMatchSetSummary objects | List | | | |
| ListRegexPatternSets | Grants permission to retrieve an array of RegexPatternSetSummary objects | List | | | |
| ListRuleGroups | Grants permission to retrieve an array of RuleGroup objects | List | | | |
| ListRules | Grants permission to retrieve an array of RuleSummary objects | List | | | |
| ListSizeConstraintSets | Grants permission to retrieve an array of SizeConstraintSetSummary objects | List | | | |
| ListSqlInjectionMatchSets | Grants permission to retrieve an array of SqlInjectionMatchSet objects | List | | | |
| ListSubscribedRuleGroups | Grants permission to retrieve an array of RuleGroup objects that you are subscribed to | List | | | |
| ListTagsForResource | Grants permission to retrieve the tags for a resource | Read | ratebasedrule, rule, rulegroup, webacl | | |
| ListWebACLs | Grants permission to retrieve an array of WebACLSummary objects | List | | | |
| ListXssMatchSets | Grants permission to retrieve an array of XssMatchSet objects | List | | | |
| PutLoggingConfiguration | Grants permission to associate a LoggingConfiguration with a specified web ACL | Write | webacl* | | iam:CreateServiceLinkedRole |
| PutPermissionPolicy | Grants permission to attach an IAM policy to a rule group, to share the rule group between accounts | Permissions management | rulegroup* | | |
| TagResource | Grants permission to add a Tag to a resource | Tagging | ratebasedrule, rule, rulegroup, webacl | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove a Tag from a resource | Tagging | ratebasedrule, rule, rulegroup, webacl | aws:TagKeys | |
| UpdateByteMatchSet | Grants permission to insert or delete ByteMatchTuple objects in a ByteMatchSet | Write | bytematchset* | | |
| UpdateGeoMatchSet | Grants permission to insert or delete GeoMatchConstraint objects in a GeoMatchSet | Write | geomatchset* | | |
| UpdateIPSet | Grants permission to insert or delete IPSetDescriptor objects in an IPSet | Write | ipset* | | |
| UpdateRateBasedRule | Grants permission to modify a rate based rule | Write | ratebasedrule* | | |
| UpdateRegexMatchSet | Grants permission to insert or delete RegexMatchTuple objects in a RegexMatchSet | Write | regexmatchset* | | |
| UpdateRegexPatternSet | Grants permission to insert or delete RegexPatternStrings in a RegexPatternSet | Write | regexpatternset* | | |
| UpdateRule | Grants permission to modify a Rule | Write | rule* | | |
| UpdateRuleGroup | Grants permission to insert or delete ActivatedRule objects in a RuleGroup | Write | rulegroup* | | |
| UpdateSizeConstraintSet | Grants permission to insert or delete SizeConstraint objects in a SizeConstraintSet | Write | sizeconstraintset* | | |
| UpdateSqlInjectionMatchSet | Grants permission to insert or delete SqlInjectionMatchTuple objects in an SqlInjectionMatchSet | Write | sqlinjectionmatchset* | | |
| UpdateWebACL | Grants permission to insert or delete ActivatedRule objects in a WebACL | Permissions management | webacl* | | |
| UpdateXssMatchSet | Grants permission to insert or delete XssMatchTuple objects in an XssMatchSet | Write | xssmatchset* | | |


Resource types defined by AWS WAF

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| bytematchset | arn:${Partition}:waf::${Account}:bytematchset/${Id} | |
| ipset | arn:${Partition}:waf::${Account}:ipset/${Id} | |
| ratebasedrule | arn:${Partition}:waf::${Account}:ratebasedrule/${Id} | aws:ResourceTag/${TagKey} |
| rule | arn:${Partition}:waf::${Account}:rule/${Id} | aws:ResourceTag/${TagKey} |
| sizeconstraintset | arn:${Partition}:waf::${Account}:sizeconstraintset/${Id} | |
| sqlinjectionmatchset | arn:${Partition}:waf::${Account}:sqlinjectionset/${Id} | |
| webacl | arn:${Partition}:waf::${Account}:webacl/${Id} | aws:ResourceTag/${TagKey} |
| xssmatchset | arn:${Partition}:waf::${Account}:xssmatchset/${Id} | |
| regexmatchset | arn:${Partition}:waf::${Account}:regexmatch/${Id} | |
| regexpatternset | arn:${Partition}:waf::${Account}:regexpatternset/${Id} | |
| geomatchset | arn:${Partition}:waf::${Account}:geomatchset/${Id} | |
| rulegroup | arn:${Partition}:waf::${Account}:rulegroup/${Id} | aws:ResourceTag/${TagKey} |

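An added example, not part of the AWS reference: a Python check that applies the two tables to one Allow statement. It flags actions whose Resource types column is blank but which are scoped only to an ARN, and ARNs whose type segment does not follow the documented format (sqlinjectionmatchset uses `sqlinjectionset`, regexmatchset uses `regexmatch`). The names `ACTION_TYPES`, `ARN_SEGMENT` and `lint_statement` are hypothetical, the embedded tables are a subset to extend, actions must be written as exact names, and the account and resource IDs are constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed subset of the Actions table: action -> resource types it accepts.
# An empty tuple means the Resource types column is blank, so Resource must be "*".
ACTION_TYPES = {
    "waf:GetChangeToken": (),
    "waf:UpdateWebACL": ("webacl",),
    "waf:GetSampledRequests": ("rule", "webacl"),
    "waf:UpdateSqlInjectionMatchSet": ("sqlinjectionmatchset",),
    "waf:UpdateRegexMatchSet": ("regexmatchset",),
}
# Resource type -> ARN path segment (Resource types table); two differ from the name.
ARN_SEGMENT = {
    "webacl": "webacl", "rule": "rule",
    "sqlinjectionmatchset": "sqlinjectionset", "regexmatchset": "regexmatch",
}
WAF_ARN = re.compile(r"^arn:[^:]+:waf::[^:]*:([^/:]+)/.+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return (subject, problem) pairs for one Allow statement."""
    findings, segments = [], []
    resources = as_list(stmt["Resource"])
    for res in (r for r in resources if r != "*"):
        m = WAF_ARN.match(res)
        if not m:
            findings.append((res, "not in the documented WAF ARN form"))
        elif not any(fnmatchcase(s, m.group(1)) for s in ARN_SEGMENT.values()):
            findings.append((res, "type segment matches no documented ARN format"))
        else:
            segments.append(m.group(1))  # may contain IAM wildcards (* or ?)
    for action in as_list(stmt["Action"]):
        wanted = [ARN_SEGMENT[t] for t in ACTION_TYPES[action]]
        if "*" in resources or any(fnmatchcase(w, s) for w in wanted for s in segments):
            continue
        why = ("needs a " + " or ".join(wanted) + " ARN" if wanted
               else 'has no resource-level permissions, use "*"')
        findings.append((action, "no Resource in this statement matches: " + why))
    return findings

if __name__ == "__main__":
    # Constructed statement: account ID and resource ID are placeholders.
    sample = {"Effect": "Allow", "Action": ["waf:GetChangeToken", "waf:UpdateWebACL"],
              "Resource": "arn:aws:waf::123456789012:webacl/example-id"}
    print(lint_statement(sample))
```

An action reported here is not granted by the statement as written, which usually surfaces later as an AccessDenied on the change-token call rather than on the update itself.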

Condition keys for AWS WAF

AWS WAF defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | ArrayOfString |