AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

AWS WAF API Permissions: Actions, Resources, and Conditions Reference

When you set up access control and write the permissions policies that you attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS WAF API operation, the corresponding action for which you can grant permission to perform that operation, and the AWS resource for which you can grant the permission. You specify the actions in the policy's Action field and the resource value in the policy's Resource field.

You can use AWS-wide condition keys in your AWS WAF policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.

Note

To specify an action, use the waf: prefix followed by the API operation name (for example, waf:CreateIPSet).
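The following Python linter is an added example, not code from the AWS documentation. It encodes the two conventions this page states, the waf: action prefix and the global versus regional resource ARN shapes from the table, and runs them over a constructed identity-based policy. The account ID 123456789012, the entity IDs, and the character classes used for the region and account fields are this example's assumptions; statements that also need elasticloadbalancing:SetWebACL on a load balancer ARN (AssociateWebACL, DisassociateWebACL) are reported as outside the waf: namespace rather than validated.

```python
"""Lint an identity-based IAM policy for AWS WAF against the conventions in the
permissions table: every action carries the waf: prefix, and every resource is
a WAF ARN in either the global shape (empty region field) or the regional shape.

Added example; not code from the AWS documentation. The policy below is
constructed, and the account ID 123456789012 and the entity IDs are placeholders.
"""
import json
import re

# ARN shapes taken from the table:
#   Global (Amazon CloudFront):            arn:aws:waf::account-id:type/entity-ID
#   Regional (Application Load Balancer):  arn:aws:waf-regional:region:account-id:type/entity-ID
# The character classes for region and account are this example's assumption.
WAF_ARN = re.compile(
    r"^arn:aws:(?P<service>waf|waf-regional):(?P<region>[a-z0-9-]*):"
    r"(?P<account>\d{12}|\*):(?P<rtype>[a-z]+)/(?P<entity>[^/]+)$"
)


def parse_waf_arn(arn):
    """Split a WAF ARN into its fields and tag its scope; None if it is not a
    WAF ARN (for example a load balancer ARN)."""
    match = WAF_ARN.match(arn)
    if match is None:
        return None
    fields = match.groupdict()
    fields["scope"] = "regional" if fields["service"] == "waf-regional" else "global"
    return fields


def _as_list(value):
    """IAM allows a single string or a list in Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_statement(stmt):
    """Return the findings for one Allow statement; an empty list means the
    statement names specific waf: actions on well-formed WAF ARNs."""
    findings = []
    for action in _as_list(stmt.get("Action")):
        if action.endswith("*"):
            findings.append(f"wildcard action {action!r}")
        elif not action.startswith("waf:"):
            findings.append(f"action {action!r} is outside the waf: namespace")
    for resource in _as_list(stmt.get("Resource")):
        if resource == "*":
            findings.append("resource '*' grants every WAF entity")
            continue
        parsed = parse_waf_arn(resource)
        if parsed is None:
            findings.append(f"resource {resource!r} is not a WAF ARN")
        elif parsed["scope"] == "global" and parsed["region"]:
            findings.append(f"global ARN {resource!r} must leave the region field empty")
        elif parsed["scope"] == "regional" and not parsed["region"]:
            findings.append(f"regional ARN {resource!r} needs a region")
    return findings


def lint_policy(policy):
    """Map each Allow statement's Sid to its findings."""
    return {stmt.get("Sid", f"statement-{i}"): lint_statement(stmt)
            for i, stmt in enumerate(policy["Statement"])
            if stmt.get("Effect") == "Allow"}


# Constructed sample: one least-privilege statement plus an over-broad and a
# malformed one, so the linter has something to report.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UpdateOneGlobalIPSet",
            "Effect": "Allow",
            "Action": ["waf:GetIPSet", "waf:UpdateIPSet", "waf:GetChangeToken"],
            "Resource": [
                "arn:aws:waf::123456789012:ipset/11111111-2222-3333-4444-555555555555",
                "arn:aws:waf::123456789012:changetoken/*",
            ],
        },
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Action": "waf:*",
            "Resource": "*",
        },
        {
            "Sid": "RegionalMissingRegion",
            "Effect": "Allow",
            "Action": "waf:GetWebACL",
            "Resource": "arn:aws:waf-regional::123456789012:webacl/22222222-3333-4444-5555-666666666666",
        },
    ],
}

if __name__ == "__main__":
    print(json.dumps(lint_policy(SAMPLE_POLICY), indent=2))
```

Run it to see the findings per statement; the first statement passes because it names specific actions on specific entities, while the wildcard and the regional ARN with an empty region field are called out. The wildcard entity in changetoken/* is deliberate: change tokens are short-lived, so a policy cannot name them ahead of time.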


AWS WAF API and Required Permissions for Actions

Each entry gives the AWS WAF API operation, the required permission (API action), and the resource ARN(s) on which the permission is granted.

AssociateWebACL
  Actions: waf:AssociateWebACL, elasticloadbalancing:SetWebACL
  Resources:
    AssociateWebACL: arn:aws:waf-regional:region:account-id:bytematchset/entity-ID
    SetWebACL: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/entity-ID

CreateByteMatchSet
  Action: waf:CreateByteMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

CreateIPSet
  Action: waf:CreateIPSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID

CreateRule
  Action: waf:CreateRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

CreateRateBasedRule
  Action: waf:CreateRateBasedRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

CreateRegexMatchSet
  Action: waf:CreateRegexMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID

CreateRegexPatternSet
  Action: waf:CreateRegexPatternSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID

CreateSizeConstraintSet
  Action: waf:CreateSizeConstraintSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

CreateSqlInjectionMatchSet
  Action: waf:CreateSqlInjectionMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

CreateWebACL
  Action: waf:CreateWebACL
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID

CreateXssMatchSet
  Action: waf:CreateXssMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID

DeleteByteMatchSet
  Action: waf:DeleteByteMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

DeleteIPSet
  Action: waf:DeleteIPSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID

DeleteRule
  Action: waf:DeleteRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

DeleteRateBasedRule
  Action: waf:DeleteRateBasedRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

DeleteRegexMatchSet
  Action: waf:DeleteRegexMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID

DeleteRegexPatternSet
  Action: waf:DeleteRegexPatternSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID

DeleteSizeConstraintSet
  Action: waf:DeleteSizeConstraintSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

DeleteSqlInjectionMatchSet
  Action: waf:DeleteSqlInjectionMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

DeleteWebACL
  Action: waf:DeleteWebACL
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID

DeleteXssMatchSet
  Action: waf:DeleteXssMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID

DisassociateWebACL
  Actions: waf:DisassociateWebACL, elasticloadbalancing:SetWebACL
  Resources:
    DisassociateWebACL: arn:aws:waf-regional:region:account-id:bytematchset/entity-ID
    SetWebACL: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/entity-ID

GetByteMatchSet
  Action: waf:GetByteMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

GetChangeToken
  Action: waf:GetChangeToken
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:changetoken/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:changetoken/entity-ID

GetChangeTokenStatus
  Action: waf:GetChangeTokenStatus
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:changetoken/token-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:changetoken/token-ID

GetIPSet
  Action: waf:GetIPSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID

GetRule
  Action: waf:GetRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

GetRateBasedRule
  Action: waf:GetRateBasedRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

GetRateBasedRuleManagedKeys
  Action: waf:GetRateBasedRuleManagedKeys
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

GetRegexMatchSet
  Action: waf:GetRegexMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID

GetRegexPatternSet
  Action: waf:GetRegexPatternSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID

GetSampledRequests
  Action: waf:GetSampledRequests
  Resources: The resource depends on the parameters that are specified in the API call. You must have access to the rule or web ACL that corresponds to the request for samples. For example:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/example1 or arn:aws:waf::account-id:webacl/example2
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/example1 or arn:aws:waf-regional:region:account-id:webacl/example2

GetSizeConstraintSet
  Action: waf:GetSizeConstraintSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

GetSqlInjectionMatchSet
  Action: waf:GetSqlInjectionMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

GetWebACL
  Action: waf:GetWebACL
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID

GetXssMatchSet
  Action: waf:GetXssMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID

ListByteMatchSets
  Action: waf:ListByteMatchSets
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchsets/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchsets/entity-ID

ListIPSets
  Action: waf:ListIPSets
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:ipsets/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipsets/entity-ID

ListRules
  Action: waf:ListRules
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rules/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rules/entity-ID

ListRateBasedRules
  Action: waf:ListRateBasedRules
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rules/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rules/entity-ID

ListRegexMatchSets
  Action: waf:ListRegexMatchSets
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID

ListRegexPatternSets
  Action: waf:ListRegexPatternSets
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID

ListSizeConstraintSets
  Action: waf:ListSizeConstraintSets
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintsets/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintsets/entity-ID

ListSqlInjectionMatchSets
  Action: waf:ListSqlInjectionMatchSets
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchsets/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchsets/entity-ID

ListWebACLs
  Action: waf:ListWebACLs
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:webacls/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacls/entity-ID

ListXssMatchSets
  Action: waf:ListXssMatchSets
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchsets/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchsets/entity-ID

UpdateByteMatchSet
  Action: waf:UpdateByteMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:bytematchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:bytematchset/entity-ID

UpdateIPSet
  Action: waf:UpdateIPSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:ipset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:ipset/entity-ID

UpdateRule
  Action: waf:UpdateRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

UpdateRateBasedRule
  Action: waf:UpdateRateBasedRule
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:rule/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:rule/entity-ID

UpdateRegexMatchSet
  Action: waf:UpdateRegexMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexmatch/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexmatch/entity-ID

UpdateRegexPatternSet
  Action: waf:UpdateRegexPatternSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:regexpatternset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:regexpatternset/entity-ID

UpdateSizeConstraintSet
  Action: waf:UpdateSizeConstraintSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sizeconstraintset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sizeconstraintset/entity-ID

UpdateSqlInjectionMatchSet
  Action: waf:UpdateSqlInjectionMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:sqlinjectionmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:sqlinjectionmatchset/entity-ID

UpdateWebACL
  Action: waf:UpdateWebACL
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:webacl/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:webacl/entity-ID

UpdateXssMatchSet
  Action: waf:UpdateXssMatchSet
  Resources:
    Global (for Amazon CloudFront): arn:aws:waf::account-id:xssmatchset/entity-ID
    Regional (for an Application Load Balancer): arn:aws:waf-regional:region:account-id:xssmatchset/entity-ID