Firewall Manager required permissions for API actions - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Firewall Manager required permissions for API actions

When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), use the information in this section as a guide. For each AWS Firewall Manager API operation, you need to know which actions to grant permissions for and which AWS resource to grant them on. You specify the actions in the policy's Action field and the resource value in the policy's Resource field.


To specify an action, use the fms: prefix followed by the API operation name (for example, fms:CreatePolicy).

This topic lists only the actions that require explicit resource permissions.

You can use AWS-wide condition keys in your AWS Firewall Manager policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.

To use the following Firewall Manager API actions, you need permissions on the resource: arn:aws:fms:region:account:policy/ID.

Additionally, to use the Firewall Manager API action PutNotificationChannel, the Amazon SNS topic that you specify must allow the Firewall Manager service-linked role to publish messages to it. The following shows an example SNS topic permission setting:

    {
        "Sid": "AWSFirewallManagerSNSPolicy",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::account ID:role/aws-service-role/"
        },
        "Action": "sns:Publish",
        "Resource": "SNS topic ARN"
    }
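The two permission pieces described above (an identity-based policy that grants fms: actions on a Firewall Manager policy ARN, and an SNS topic policy that lets the service-linked role publish) can be generated and checked before PutNotificationChannel is called. The following is an added example, not code from the AWS documentation or from Firewall Manager itself. The region, account ID, policy ID, topic name and the service-linked role ARN are constructed placeholders; substitute the real values, in particular the actual Firewall Manager service-linked role ARN, before use. The evaluator implements only the core IAM rules (explicit Deny overrides Allow, otherwise implicit deny; `*` and `?` wildcards in Action and Resource; case-insensitive action names) and ignores Condition blocks.

```python
import json
import re

# Constructed sample values (not from the AWS page).
REGION = "us-east-1"
ACCOUNT = "111122223333"
POLICY_ID = "a1b2c3d4-EXAMPLE"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:fms-notifications"
# Placeholder for the Firewall Manager service-linked role ARN; replace with the real role.
FMS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/EXAMPLE-FMS-SERVICE-LINKED-ROLE"


def fms_policy_arn(region, account, policy_id):
    """Resource ARN format from the page: arn:aws:fms:region:account:policy/ID."""
    return f"arn:aws:fms:{region}:{account}:policy/{policy_id}"


def build_fms_identity_policy(region, account, policy_id, actions):
    """Identity-based policy granting the named fms: actions on one Firewall Manager
    policy ARN. Actions without the fms: prefix are rejected so a typo cannot quietly
    produce a statement for the wrong service."""
    for action in actions:
        if not action.startswith("fms:"):
            raise ValueError(f"not a Firewall Manager action: {action}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FmsPolicyAccess",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": fms_policy_arn(region, account, policy_id),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def topic_policy_allows(topic_policy, principal_arn, action, resource):
    """Evaluate an SNS topic (resource-based) policy for one request.
    Explicit Deny wins over any Allow; with no matching Allow the request is
    implicitly denied. Principals match exactly (or '*'); Condition blocks are ignored."""
    allowed = False
    for statement in topic_policy.get("Statement", []):
        principals = _statement_principals(statement)
        if not any(p == "*" or p == principal_arn for p in principals):
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_iam_match(a, action, True) for a in _as_list(statement.get("Action", []))):
            continue
        if not any(_iam_match(r, resource, False) for r in _as_list(statement.get("Resource", []))):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


# The topic policy shown on the page, with the constructed placeholders filled in.
FMS_SNS_TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSFirewallManagerSNSPolicy",
        "Effect": "Allow",
        "Principal": {"AWS": FMS_ROLE_ARN},
        "Action": "sns:Publish",
        "Resource": TOPIC_ARN,
    }],
}


def check_notification_channel(topic_policy, role_arn, topic_arn):
    """Pre-flight check for PutNotificationChannel: may the Firewall Manager
    service-linked role publish to the topic under this policy?"""
    return topic_policy_allows(topic_policy, role_arn, "sns:Publish", topic_arn)


if __name__ == "__main__":
    identity_policy = build_fms_identity_policy(
        REGION, ACCOUNT, POLICY_ID, ["fms:GetPolicy", "fms:PutPolicy"])
    print(json.dumps(identity_policy, indent=2))
    print("service-linked role may publish:",
          check_notification_channel(FMS_SNS_TOPIC_POLICY, FMS_ROLE_ARN, TOPIC_ARN))
```

Running the check against the topic policy before calling PutNotificationChannel catches the most common misconfiguration, a topic policy that names the wrong principal or omits sns:Publish, without waiting for Firewall Manager to fail silently when it tries to publish.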

For more information about Firewall Manager actions and resources, see the AWS Identity and Access Management guide topic Actions Defined by AWS Firewall Manager.

For the full list of the API actions available for Firewall Manager, see AWS Firewall Manager API Reference.