Resource-based policy examples for Amazon Network Firewall - Amazon Network Firewall

Resource-based policy examples for Amazon Network Firewall

The Network Firewall service supports only one type of resource-based policy called a resource policy, which is attached to a shared firewall policy or rule group. This policy defines which principals can share firewall policies and rule groups between accounts.

To learn how to attach a resource policy to a shared rule group or firewall policy, see Sharing firewall policies and rule groups.

Enable sharing of a firewall policy with an account

The following example grants permissions to the service principal to create or update a resource policy for a firewall policy that's shared across accounts. In the resource policy, you specify the accounts that you want to share the resource with and the operations that you want the accounts to be able to perform.

For information about sharing resources in Network Firewall, see Sharing firewall policies and rule groups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": [
                "network-firewall:AssociateFirewallPolicy",
                "network-firewall:ListFirewallPolicies"
            ],
            "Resource": "arn:aws:network-firewall:aws-region:123456789012:firewall-policy/test-action"
        }
    ]
}
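Before attaching a resource policy like the one above, it helps to check that it shares only with the accounts and operations you intend. The following Python check is an added example, not part of the AWS documentation or any AWS tool. The function name, the approved-account set, and the action allowlist are assumptions supplied by the reviewer, and the second statement in the sample is constructed to show an over-broad share.

```python
import json
import re

# Constructed sample: the page's policy plus a second, over-broad statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "123456789012"},
         "Action": ["network-firewall:AssociateFirewallPolicy",
                    "network-firewall:ListFirewallPolicies"],
         "Resource": "arn:aws:network-firewall:aws-region:123456789012:firewall-policy/test-action"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "network-firewall:*",
         "Resource": "*"},
    ],
})

def as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def audit_resource_policy(policy_json, expected_accounts, allowed_actions):
    """Return (statement_index, message) findings for a resource policy.

    expected_accounts and allowed_actions are supplied by the reviewer; they
    are assumptions of this example, not values defined by Network Firewall.
    """
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in as_list(aws):
            # Accept a bare account ID or an IAM ARN that contains one.
            m = re.fullmatch(r"(?:arn:[\w-]+:iam::)?(\d{12})(?::.+)?", str(p))
            if m is None:
                findings.append((i, f"principal {p!r} is not a specific account"))
            elif m.group(1) not in expected_accounts:
                findings.append((i, f"account {m.group(1)} is not an approved share target"))
        for action in as_list(stmt.get("Action", [])):
            if action not in allowed_actions:
                findings.append((i, f"action {action!r} is outside the allowlist"))
        for res in as_list(stmt.get("Resource", [])):
            if "*" in res or ":firewall-policy/" not in res:
                findings.append((i, f"resource {res!r} is not a single firewall policy ARN"))
    return findings
```

An empty result means every statement names only approved accounts, allowlisted actions, and a specific firewall policy ARN.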