AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

AWS WAF API Permissions: Actions, Resources, and Conditions Reference

When you set up access control and write permissions policies to attach to an IAM identity (identity-based policies), use the following table as a reference. It lists each AWS WAF API operation, the action or actions you must grant for it, and the AWS resource on which you can grant them. You specify the actions in the policy's Action element and the resource ARNs in its Resource element. Scoping the Resource element to a specific entity-ID, or to one region, limits what a compromised or misused identity can change; Resource "*" grants the action on every matching resource in the account.

You can use AWS-wide condition keys in your AWS WAF policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.

Note

To specify an action, use the service prefix followed by the API operation name. The prefix is waf: for the global (Amazon CloudFront) API (for example, waf:CreateIPSet) and waf-regional: for the regional (Application Load Balancer) API (for example, waf-regional:CreateIPSet). The prefix in the action must match the prefix in the resource ARN; a waf: action does not authorize a call against a waf-regional: resource.
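The following is an added example, not code from the AWS guide. It turns the operation/ARN pairs in the table below into a least-privilege identity-based policy: reads and writes land in separate statements, the ARN shape follows the table (global ARNs have an empty region field, regional ARNs use the waf-regional prefix), and writes are gated on the AWS-wide condition key aws:MultiFactorAuthPresent. Because every Create/Update/Delete call in this API must carry a change token, a write statement is paired with GetChangeToken. The account ID and region are placeholders.

```python
import json

# Added example (not from the AWS guide). Builds an identity-based policy from the
# operation/ARN pairs in the permissions table. Assumption: the 'waf-regional'
# service prefix is used in both the ARN and the action name of regional resources.

# ARN resource type per WAF entity, as listed in the table.
RESOURCE_TYPE = {
    "ByteMatchSet": "bytematchset",
    "ChangeToken": "changetoken",
    "IPSet": "ipset",
    "Rule": "rule",
    "RateBasedRule": "rule",
    "SizeConstraintSet": "sizeconstraintset",
    "SqlInjectionMatchSet": "sqlinjectionmatchset",
    "WebACL": "webacl",
    "XssMatchSet": "xssmatchset",
}
VERBS = ("Create", "Update", "Delete", "Get", "List")
WRITE_VERBS = ("Create", "Update", "Delete")


def split_operation(op):
    """'UpdateWebACL' -> ('Update', 'WebACL'); 'ListIPSets' -> ('List', 'IPSet').

    Operations whose ARN does not follow the entity pattern (for example
    GetChangeTokenStatus) are rejected rather than guessed.
    """
    for verb in VERBS:
        if op.startswith(verb):
            entity = op[len(verb):]
            if verb == "List" and entity.endswith("s"):
                entity = entity[:-1]
            if entity not in RESOURCE_TYPE:
                raise ValueError(f"unknown WAF entity in {op!r}")
            return verb, entity
    raise ValueError(f"unsupported operation {op!r}")


def service_prefix(region):
    """Global (CloudFront) resources use 'waf'; regional (ALB) ones use 'waf-regional'."""
    return "waf" if region is None else "waf-regional"


def resource_arn(op, account_id, region=None, entity_id="*"):
    """ARN the policy must name for `op`; the global form has an empty region field."""
    verb, entity = split_operation(op)
    rtype = RESOURCE_TYPE[entity] + ("s" if verb == "List" else "")
    return f"arn:aws:{service_prefix(region)}:{region or ''}:{account_id}:{rtype}/{entity_id}"


def build_policy(operations, account_id, region=None, entity_id="*", mfa_for_writes=True):
    """Least-privilege identity policy: reads and writes in separate statements.

    Every Create/Update/Delete call in this API must carry a change token, so a
    write statement is paired with GetChangeToken. Writes can additionally be
    gated on the AWS-wide condition key aws:MultiFactorAuthPresent.
    """
    prefix = service_prefix(region)
    reads, writes = {}, {}
    for op in sorted(set(operations)):
        verb, _ = split_operation(op)
        bucket = writes if verb in WRITE_VERBS else reads
        bucket[f"{prefix}:{op}"] = resource_arn(op, account_id, region, entity_id)
    if writes:
        reads[f"{prefix}:GetChangeToken"] = resource_arn("GetChangeToken", account_id, region)
    statements = []
    if reads:
        statements.append({"Sid": "WafRead", "Effect": "Allow",
                           "Action": sorted(reads), "Resource": sorted(set(reads.values()))})
    if writes:
        stmt = {"Sid": "WafWrite", "Effect": "Allow",
                "Action": sorted(writes), "Resource": sorted(set(writes.values()))}
        if mfa_for_writes:
            stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed input: an operator who may read and update IP sets in one region.
    policy = build_policy(["GetIPSet", "ListIPSets", "UpdateIPSet"],
                          "123456789012", region="us-east-1")
    print(json.dumps(policy, indent=2))
```

The output is a policy document you can attach to a role or user as-is; pass a concrete entity_id instead of "*" to pin the statement to one IP set or web ACL.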


AWS WAF API and Required Permissions for Actions

Each entry lists the API operation, the IAM action(s) it requires, and the resource ARN(s) to put in the policy's Resource element. Global ARNs (empty region field) cover resources used with Amazon CloudFront; regional ARNs cover resources used with Application Load Balancers.

AssociateWebACL
  Actions: waf:AssociateWebACL and elasticloadbalancing:SetWebACL (both are required; the call fails if either is missing)
  AssociateWebACL: arn:aws:waf-regional:region:account-id:webacl/entity-ID
  SetWebACL: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/entity-ID

CreateByteMatchSet
  Action: waf:CreateByteMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

CreateIPSet
  Action: waf:CreateIPSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:ipset/entity-ID

CreateRule
  Action: waf:CreateRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

CreateRateBasedRule
  Action: waf:CreateRateBasedRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

CreateSizeConstraintSet
  Action: waf:CreateSizeConstraintSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

CreateSqlInjectionMatchSet
  Action: waf:CreateSqlInjectionMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

CreateWebACL
  Action: waf:CreateWebACL
  Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:webacl/entity-ID

CreateXssMatchSet
  Action: waf:CreateXssMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID
DeleteByteMatchSet
  Action: waf:DeleteByteMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

DeleteIPSet
  Action: waf:DeleteIPSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:ipset/entity-ID

DeleteRule
  Action: waf:DeleteRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

DeleteRateBasedRule
  Action: waf:DeleteRateBasedRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

DeleteSizeConstraintSet
  Action: waf:DeleteSizeConstraintSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

DeleteSqlInjectionMatchSet
  Action: waf:DeleteSqlInjectionMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

DeleteWebACL
  Action: waf:DeleteWebACL
  Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:webacl/entity-ID

DeleteXssMatchSet
  Action: waf:DeleteXssMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID

DisassociateWebACL
  Actions: waf:DisassociateWebACL and elasticloadbalancing:SetWebACL (both are required; the call fails if either is missing)
  DisassociateWebACL: arn:aws:waf-regional:region:account-id:webacl/entity-ID
  SetWebACL: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/entity-ID

GetByteMatchSet
  Action: waf:GetByteMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

GetChangeToken
  Action: waf:GetChangeToken
  Global (for Amazon CloudFront): arn:aws:waf::account-id:changetoken/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:changetoken/entity-ID

GetChangeTokenStatus
  Action: waf:GetChangeTokenStatus
  Global (for Amazon CloudFront): arn:aws:waf::account-id:changetoken/token-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:changetoken/token-ID

GetIPSet
  Action: waf:GetIPSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:ipset/entity-ID

GetRule
  Action: waf:GetRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

GetRateBasedRule
  Action: waf:GetRateBasedRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

GetRateBasedRuleManagedKeys
  Action: waf:GetRateBasedRuleManagedKeys
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

GetSampledRequests
  Action: waf:GetSampledRequests
  Resource: depends on the parameters specified in the API call; you must have access to the rule or web ACL that the request for samples refers to. For example:
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/example1 or arn:aws:waf::account-id:webacl/example2
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/example1 or arn:aws:waf-regional:region:account-id:webacl/example2

GetSizeConstraintSet
  Action: waf:GetSizeConstraintSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

GetSqlInjectionMatchSet
  Action: waf:GetSqlInjectionMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

GetWebACL
  Action: waf:GetWebACL
  Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:webacl/entity-ID

GetXssMatchSet
  Action: waf:GetXssMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID
ListByteMatchSets
  Action: waf:ListByteMatchSets
  Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchsets/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:bytematchsets/entity-ID

ListIPSets
  Action: waf:ListIPSets
  Global (for Amazon CloudFront): arn:aws:waf::account-id:ipsets/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:ipsets/entity-ID

ListRules
  Action: waf:ListRules
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rules/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rules/entity-ID

ListRateBasedRules
  Action: waf:ListRateBasedRules
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rules/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rules/entity-ID

ListSizeConstraintSets
  Action: waf:ListSizeConstraintSets
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintsets/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sizeconstraintsets/entity-ID

ListSqlInjectionMatchSets
  Action: waf:ListSqlInjectionMatchSets
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchsets/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sqlinjectionmatchsets/entity-ID

ListWebACLs
  Action: waf:ListWebACLs
  Global (for Amazon CloudFront): arn:aws:waf::account-id:webacls/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:webacls/entity-ID

ListXssMatchSets
  Action: waf:ListXssMatchSets
  Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchsets/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:xssmatchsets/entity-ID
UpdateByteMatchSet
  Action: waf:UpdateByteMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

UpdateIPSet
  Action: waf:UpdateIPSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:ipset/entity-ID

UpdateRule
  Action: waf:UpdateRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

UpdateRateBasedRule
  Action: waf:UpdateRateBasedRule
  Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:rule/entity-ID

UpdateSizeConstraintSet
  Action: waf:UpdateSizeConstraintSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

UpdateSqlInjectionMatchSet
  Action: waf:UpdateSqlInjectionMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

UpdateWebACL
  Action: waf:UpdateWebACL
  Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:webacl/entity-ID

UpdateXssMatchSet
  Action: waf:UpdateXssMatchSet
  Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
  Regional (for Application Load Balancers): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID
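The AssociateWebACL and DisassociateWebACL rows above are the two entries that require permissions from two services at once: the WAF action on the web ACL and elasticloadbalancing:SetWebACL on the load balancer. The following added example (not code from the AWS guide) is a small model of identity-policy evaluation that checks a policy for exactly that pairing, with a policy that forgets the load balancer side beside its corrected form, and an explicit Deny that overrides the Allow. It models only Allow/Deny with IAM's "*" and "?" wildcards, ignoring conditions, SCPs, permission boundaries and resource policies; the regional API is addressed with the waf-regional prefix; account ID, region and resource IDs are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Added example (not from the AWS guide). Minimal model of identity-policy
# evaluation: an explicit Deny wins, any matching Allow grants, otherwise deny.
# Ignores conditions, SCPs, permission boundaries and resource policies.
# Assumption: the regional API is addressed with the 'waf-regional' prefix.

# Permissions each operation needs, per the table: the WAF action on the web ACL
# and the ELB action on the load balancer. Missing either one fails the call.
REQUIRED = {
    "AssociateWebACL": (("waf-regional:AssociateWebACL", "webacl"),
                        ("elasticloadbalancing:SetWebACL", "loadbalancer")),
    "DisassociateWebACL": (("waf-regional:DisassociateWebACL", "webacl"),
                           ("elasticloadbalancing:SetWebACL", "loadbalancer")),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM-style match: '*' matches any run of characters, '?' a single one."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Action names compare case-insensitively; resource ARNs compare exactly."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, operation, webacl_arn, lb_arn):
    """Return the 'action on resource' pairs the policy does not grant for `operation`."""
    arns = {"webacl": webacl_arn, "loadbalancer": lb_arn}
    return [f"{action} on {arns[kind]}"
            for action, kind in REQUIRED[operation]
            if not is_allowed(policy, action, arns[kind])]


# Constructed sample ARNs; the IDs are placeholders, not real resources.
WEBACL_ARN = "arn:aws:waf-regional:us-east-1:123456789012:webacl/11111111-2222-3333-4444-555555555555"
LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/shop-prod/50dc6c495c0c9188"

# Common mistake: only the WAF side is granted, so AssociateWebACL is denied.
POLICY_WAF_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "waf-regional:AssociateWebACL",
     "Resource": "arn:aws:waf-regional:us-east-1:123456789012:webacl/*"},
]}

# Corrected: both actions, each scoped to its own resource ARN.
POLICY_COMPLETE = {"Version": "2012-10-17", "Statement": POLICY_WAF_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": ["waf-regional:DisassociateWebACL"],
     "Resource": "arn:aws:waf-regional:us-east-1:123456789012:webacl/*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:SetWebACL", "Resource": LB_ARN},
]}

# An explicit Deny elsewhere (a guardrail on production load balancers) overrides the Allow.
POLICY_DENIED = {"Version": "2012-10-17", "Statement": POLICY_COMPLETE["Statement"] + [
    {"Effect": "Deny", "Action": "elasticloadbalancing:SetWebACL",
     "Resource": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/*-prod/*"},
]}

if __name__ == "__main__":
    for name, pol in [("waf-only", POLICY_WAF_ONLY), ("complete", POLICY_COMPLETE), ("denied", POLICY_DENIED)]:
        print(name, missing_permissions(pol, "AssociateWebACL", WEBACL_ARN, LB_ARN) or "ok")
```

Run the check before attaching a policy that is meant to let a deployment role swap web ACLs on a load balancer; for the real answer, including conditions and organization policies, use the IAM policy simulator against the same action and ARN pairs.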