Using identity-based policies (IAM policies) for AWS Firewall Manager - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

This section provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on AWS Firewall Manager resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS Firewall Manager resources. For more information, see Overview of managing access permissions to your AWS Firewall Manager resources.

For a table that shows all the AWS Firewall Manager API actions and the resources that they apply to, see Firewall Manager required permissions for API actions.

Permissions required to use the AWS Firewall Manager console

The AWS Firewall Manager console provides an integrated environment for you to create and manage Firewall Manager resources. The console provides many features and workflows that often require permissions to create a Firewall Manager resource in addition to the API-specific permissions that are documented in the Firewall Manager required permissions for API actions. For more information about these additional console permissions, see Customer managed policy examples.

Granting full access to AWS Firewall Manager resources

Follow this guidance if you have difficulty creating or managing your Firewall Manager policies with the managed policy, AWSFMAdminFullAccess. For information about working with managed policies for AWS Firewall Manager, see AWS managed policies.

This policy doesn't include permissions for setting up Amazon Simple Notification Service notifications in AWS Firewall Manager. For information about how to set up access for Amazon Simple Notification Service, see Setting up access for Amazon Simple Notification Service.

Use the following policy to grant full administrative access to your account:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "fms:*",
        "waf:*",
        "waf-regional:*",
        "elasticloadbalancing:SetWebACL",
        "firehose:ListDeliveryStreams",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListRoots",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "shield:GetSubscriptionState",
        "route53resolver:ListFirewallRuleGroups",
        "route53resolver:GetFirewallRuleGroup",
        "wafv2:ListRuleGroups",
        "wafv2:ListAvailableManagedRuleGroups",
        "wafv2:CheckCapacity",
        "wafv2:PutLoggingConfiguration",
        "wafv2:ListAvailableManagedRuleGroupVersions",
        "network-firewall:DescribeRuleGroup",
        "network-firewall:DescribeRuleGroupMetadata",
        "network-firewall:ListRuleGroups",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions"
      ],
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy"
      ],
      "Resource":[
        "arn:aws:s3:::aws-waf-logs-*"
      ]
    },
    {
      "Effect":"Allow",
      "Action":"iam:CreateServiceLinkedRole",
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "iam:AWSServiceName":[
            "fms.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "organizations:EnableAWSServiceAccess",
        "organizations:ListDelegatedAdministrators",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "organizations:ServicePrincipal":[
            "fms.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Permission details

This policy includes the following permissions:

  • fms:*:

    Lets you work with AWS Firewall Manager resources.

  • waf:*, waf-regional:*:

    Lets you work with AWS WAF policies.

  • elasticloadbalancing:SetWebACL:

    Lets you associate web access control lists (ACLs) with Elastic Load Balancers.

  • firehose:ListDeliveryStreams:

    Lets you view AWS WAF logs.

  • organizations:DescribeAccount, organizations:DescribeOrganization, organizations:ListRoots, organizations:ListChildren, organizations:ListAccounts, organizations:ListAccountsForParent, organizations:ListOrganizationalUnitsForParent:

    Lets you work with AWS Organizations.

  • shield:GetSubscriptionState:

    Lets you view the subscription state for an AWS Shield policy.

  • route53resolver:ListFirewallRuleGroups, route53resolver:GetFirewallRuleGroup:

    Lets you work with Route 53 Private DNS for VPCs rule groups in a Route 53 Private DNS for VPCs policy.

  • wafv2:ListRuleGroups, wafv2:ListAvailableManagedRuleGroups, wafv2:CheckCapacity, wafv2:PutLoggingConfiguration, wafv2:ListAvailableManagedRuleGroupVersions:

    Lets you work with AWS WAFV2 policies.

  • network-firewall:DescribeRuleGroup, network-firewall:DescribeRuleGroupMetadata, network-firewall:ListRuleGroups:

    Lets you work with AWS Network Firewall policies.

  • ec2:DescribeAvailabilityZones:

    Lets you view an AWS Network Firewall policy's Availability Zones.

  • ec2:DescribeRegions:

    Lets you view a policy's Region in the AWS Firewall Manager console.

Customer managed policy examples

The examples in this section provide a group of sample policies that you can attach to a user. If you are new to creating policies, we recommend that you first create an IAM user in your account and attach the policies to the user, in the sequence outlined in the steps in this section.

You can use the console to verify the effects of each policy as you attach the policy to the user. Initially, the user doesn't have permissions, and the user won't be able to do anything on the console. As you attach policies to the user, you can verify that the user can perform various operations on the console.

We recommend that you use two browser windows: one to create the user and grant permissions, and the other to sign in to the AWS Management Console using the user's credentials and verify permissions as you grant them to the user.

For examples that show how to create an IAM role that you can use as an execution role for your Firewall Manager resource, see Creating IAM Roles in the IAM User Guide.

Create an IAM user

First, you need to create an IAM user, add the user to an IAM group with administrative permissions, and then grant administrative permissions to the IAM user that you created. You then can access AWS using a special URL and the user's credentials.

For instructions, see Creating Your First IAM User and Administrators Group in the IAM User Guide.

Example: Give admin user read-only access to Firewall Manager security groups

The following policy grants admin users read-only access to Firewall Manager security groups and policies. These users can't create, update, or delete the Firewall Manager resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "fms:Get*",
        "fms:List*",
        "ec2:DescribeSecurityGroups"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
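As an added example (not from the AWS documentation), the following Python checker embeds the read-only policy above and an excerpt of the full-access policy from earlier on this page, then reports which allowed actions are not read-only by verb and which full-service wildcards are granted on Resource "*" without a Condition; the set of read-only verb prefixes is an assumed allowlist, not an AWS definition.

```python
"""Static checks for the IAM policy documents shown on this page (added example,
not AWS code). Two checks a reviewer runs before attaching a policy: which
allowed actions are not read-only by verb, and which full-service wildcards
("service:*") sit on Resource "*" with no Condition to narrow them."""
import json

# Verb prefixes AWS uses for non-mutating actions (constructed allowlist).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Check")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def mutating_actions(policy):
    """Allowed actions whose verb is not read-only, e.g. 'fms:*' or 'fms:PutPolicy'."""
    found = []
    for s in _as_list(policy["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        for action in _as_list(s.get("Action", [])):
            verb = action.split(":", 1)[-1]  # 'fms:Get*' -> 'Get*', '*' -> '*'
            if not verb.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return found

def unconditional_service_wildcards(policy):
    """Allowed 'service:*' (or bare '*') actions on Resource '*' with no Condition."""
    found = []
    for s in _as_list(policy["Statement"]):
        if (s.get("Effect") != "Allow" or "Condition" in s
                or "*" not in _as_list(s.get("Resource", []))):
            continue
        found.extend(a for a in _as_list(s.get("Action", [])) if a.split(":", 1)[-1] == "*")
    return found

# The page's read-only example policy, verbatim.
READ_ONLY_POLICY = json.loads('{"Version":"2012-10-17","Statement":[{"Action":["fms:Get*",'
                              '"fms:List*","ec2:DescribeSecurityGroups"],"Effect":"Allow","Resource":"*"}]}')

# Excerpt of the page's full-access policy: trimmed wildcard statement, S3 statement scoped to log buckets, condition-guarded IAM statement.
FULL_ACCESS_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["fms:*", "waf:*", "waf-regional:*",
     "elasticloadbalancing:SetWebACL", "ec2:DescribeRegions"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:PutBucketPolicy", "s3:GetBucketPolicy"],
     "Resource": ["arn:aws:s3:::aws-waf-logs-*"]},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": ["fms.amazonaws.com"]}}}]}

if __name__ == "__main__":
    print("read-only policy, mutating actions:", mutating_actions(READ_ONLY_POLICY))
    print("full access, unconditional wildcards:", unconditional_service_wildcards(FULL_ACCESS_EXCERPT))
```

The read-only policy yields no mutating actions, while the full-access excerpt reports fms:*, waf:* and waf-regional:* as unconditional wildcards; the iam:CreateServiceLinkedRole statement is not reported because its Condition pins the service principal to fms.amazonaws.com.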