View a markdown version of this page

Actions, resources, and condition keys for Amazon WAF V2 - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon WAF V2

Amazon WAF V2 (service prefix: wafv2) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon WAF V2

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AssociateWebACL

wafv2:AssociateWebACL

Write

apigateway:SetWebACL

Permissions management, Write

appsync:AssociateWebACL

Write

appsync:SetWebACL

Permissions management, Write

elasticloadbalancing:CreateWebACLAssociation

Write

elasticloadbalancing:SetWebAcl

Write

CheckCapacity

wafv2:CheckCapacity

Read

CreateAPIKey

wafv2:CreateAPIKey

Write

CreateIPSet

wafv2:CreateIPSet

Write

wafv2:TagResource

Tagging, Write

CreateRegexPatternSet

wafv2:CreateRegexPatternSet

Write

wafv2:TagResource

Tagging, Write

CreateRuleGroup

wafv2:CreateRuleGroup

Write

wafv2:TagResource

Tagging, Write

CreateWebACL

wafv2:CreateWebACL

Write

wafv2:TagResource

Tagging, Write

DeleteAPIKey

wafv2:DeleteAPIKey

Write

DeleteFirewallManagerRuleGroups

wafv2:DeleteFirewallManagerRuleGroups

Write

DeleteIPSet

wafv2:DeleteIPSet

Write

DeleteLoggingConfiguration

wafv2:DeleteLoggingConfiguration

Write

DeletePermissionPolicy

wafv2:DeletePermissionPolicy

Permissions management, Write

DeleteRegexPatternSet

wafv2:DeleteRegexPatternSet

Write

DeleteRuleGroup

wafv2:DeleteRuleGroup

Write

DeleteWebACL

wafv2:DeleteWebACL

Write

DescribeAllManagedProducts

wafv2:DescribeAllManagedProducts

Read

DescribeManagedProductsByVendor

wafv2:DescribeManagedProductsByVendor

Read

DescribeManagedRuleGroup

wafv2:DescribeManagedRuleGroup

Read

DisassociateWebACL

wafv2:DisassociateWebACL

Write

apigateway:SetWebACL

Permissions management, Write

appsync:DisassociateWebACL

Write

appsync:SetWebACL

Permissions management, Write

elasticloadbalancing:DeleteWebACLAssociation

Write

elasticloadbalancing:SetWebAcl

Write

GenerateMobileSdkReleaseUrl

wafv2:GenerateMobileSdkReleaseUrl

Read

GetDecryptedAPIKey

wafv2:GetDecryptedAPIKey

Read

GetIPSet

wafv2:GetIPSet

Read

GetLoggingConfiguration

wafv2:GetLoggingConfiguration

Read

GetManagedRuleSet

wafv2:GetManagedRuleSet

Read

GetMobileSdkRelease

wafv2:GetMobileSdkRelease

Read

GetPermissionPolicy

wafv2:GetPermissionPolicy

Read

GetRateBasedStatementManagedKeys

wafv2:GetRateBasedStatementManagedKeys

Read

GetRegexPatternSet

wafv2:GetRegexPatternSet

Read

GetRevenueStatistics

wafv2:GetRevenueStatistics

Read

GetRevenueStatisticsSummary

wafv2:GetRevenueStatisticsSummary

Read

GetRevenueStatisticsTimeSeries

wafv2:GetRevenueStatisticsTimeSeries

Read

GetRuleGroup

wafv2:GetRuleGroup

Read

GetSampledRequests

wafv2:GetSampledRequests

Read

GetTopPathStatisticsByTraffic

wafv2:GetTopPathStatisticsByTraffic

Read

GetWebACL

wafv2:GetWebACL

Read

GetWebACLForResource

wafv2:GetWebACLForResource

Read

appsync:GetWebACLForResource

Read

elasticloadbalancing:GetLoadBalancerWebACL

Read

ListAPIKeys

wafv2:ListAPIKeys

List

ListAvailableManagedRuleGroupVersions

wafv2:ListAvailableManagedRuleGroupVersions

List

ListAvailableManagedRuleGroups

wafv2:ListAvailableManagedRuleGroups

List

ListIPSets

wafv2:ListIPSets

List

ListLoggingConfigurations

wafv2:ListLoggingConfigurations

List

ListManagedRuleSets

wafv2:ListManagedRuleSets

List

ListMobileSdkReleases

wafv2:ListMobileSdkReleases

List

ListRegexPatternSets

wafv2:ListRegexPatternSets

List

ListResourcesForWebACL

wafv2:ListResourcesForWebACL

List

appsync:ListResourcesForWebACL

List

elasticloadbalancing:DescribeWebACLAssociation

List

ListRuleGroups

wafv2:ListRuleGroups

List

ListSettlementRecords

wafv2:ListSettlementRecords

List

ListTagsForResource

wafv2:ListTagsForResource

Read

ListWebACLs

wafv2:ListWebACLs

List

PutLoggingConfiguration

wafv2:PutLoggingConfiguration

Write

PutManagedRuleSetVersions

wafv2:PutManagedRuleSetVersions

Write

PutPermissionPolicy

wafv2:PutPermissionPolicy

Permissions management, Write

TagResource

wafv2:TagResource

Tagging, Write

UntagResource

wafv2:UntagResource

Tagging, Write

UpdateIPSet

wafv2:UpdateIPSet

Write

UpdateManagedRuleSetVersionExpiryDate

wafv2:UpdateManagedRuleSetVersionExpiryDate

Write

UpdateRegexPatternSet

wafv2:UpdateRegexPatternSet

Write

UpdateRuleGroup

wafv2:UpdateRuleGroup

Write

UpdateWebACL

wafv2:UpdateWebACL

Write

Actions defined by Amazon WAF V2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssociateWebACL

Grants permission to associate a WebACL with a resource

agentcore-gateway

Write

amplify-app

apigateway

apprunner

appsync

loadbalancer/app/

userpool

verified-access-instance

webacl*

aws:ResourceTag/${TagKey}

CheckCapacity

Grants permission to calculate web ACL capacity unit (WCU) requirements for a specified scope and set of rules

Read

CreateAPIKey

Grants permission to create an API key for use in the integration of the CAPTCHA API in your JavaScript client applications

Write

CreateIPSet

Grants permission to create an IPSet

ipset*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateRegexPatternSet

Grants permission to create a RegexPatternSet

regexpatternset*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateRuleGroup

Grants permission to create a RuleGroup

ipset

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

regexpatternset

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

rulegroup*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

CreateWebACL

Grants permission to create a WebACL

ipset

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

managedruleset

aws:RequestTag/${TagKey}

aws:TagKeys

regexpatternset

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

rulegroup

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

webacl*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DeleteAPIKey

Grants permission to delete an API key

Write

DeleteFirewallManagerRuleGroups

Grants permission to delete FirewallManagedRulesGroups from a WebACL if not managed by Firewall Manager anymore

webacl*

aws:ResourceTag/${TagKey}

Write

DeleteIPSet

Grants permission to delete an IPSet

ipset*

aws:ResourceTag/${TagKey}

Write

DeleteLoggingConfiguration

Grants permission to delete the LoggingConfiguration from a WebACL

webacl*

aws:ResourceTag/${TagKey}

wafv2:LogScope

Write

DeletePermissionPolicy

Grants permission to delete the PermissionPolicy on a RuleGroup

rulegroup*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeleteRegexPatternSet

Grants permission to delete a RegexPatternSet

regexpatternset*

aws:ResourceTag/${TagKey}

Write

DeleteRuleGroup

Grants permission to delete a RuleGroup

rulegroup*

aws:ResourceTag/${TagKey}

Write

DeleteWebACL

Grants permission to delete a WebACL

webacl*

aws:ResourceTag/${TagKey}

Write

DescribeAllManagedProducts

Grants permission to retrieve product information for a managed rule group

Read

DescribeManagedProductsByVendor

Grants permission to retrieve product information for a managed rule group by a given vendor

Read

DescribeManagedRuleGroup

Grants permission to retrieve high-level information for a managed rule group

Read

DisassociateWebACL

Grants permission to disassociate a WebACL from an application resource

agentcore-gateway

Write

amplify-app

apigateway

apprunner

appsync

loadbalancer/app/

userpool

verified-access-instance

GenerateMobileSdkReleaseUrl

Grants permission to generate a presigned download URL for the specified release of the mobile SDK

Read

GetDecryptedAPIKey

Grants permission to return your API key in decrypted form. Use this to check the token domains that you have defined for the key

Read

GetIPSet

Grants permission to retrieve details about an IPSet

ipset*

aws:ResourceTag/${TagKey}

Read

GetLoggingConfiguration

Grants permission to retrieve LoggingConfiguration for a WebACL

webacl*

aws:ResourceTag/${TagKey}

wafv2:LogScope

Read

GetManagedRuleSet

Grants permission to retrieve details about a ManagedRuleSet

managedruleset*

Read

GetMobileSdkRelease

Grants permission to retrieve information for the specified mobile SDK release, including release notes and tags

Read

GetPermissionPolicy

Grants permission to retrieve a PermissionPolicy for a RuleGroup

rulegroup*

aws:ResourceTag/${TagKey}

Read

GetRateBasedStatementManagedKeys

Grants permission to retrieve the keys that are currently blocked by a rate-based rule

webacl*

aws:ResourceTag/${TagKey}

Read

GetRegexPatternSet

Grants permission to retrieve details about a RegexPatternSet

regexpatternset*

aws:ResourceTag/${TagKey}

Read

GetRevenueStatistics

Grants permission to retrieve monetization revenue statistics ranked by source or path within a specified time window

Read

GetRevenueStatisticsSummary

Grants permission to retrieve a summary of monetization revenue statistics within a specified time window

Read

GetRevenueStatisticsTimeSeries

Grants permission to retrieve monetization revenue statistics as a time series within a specified time window

Read

GetRuleGroup

Grants permission to retrieve details about a RuleGroup

rulegroup*

aws:ResourceTag/${TagKey}

Read

GetSampledRequests

Grants permission to retrieve detailed information about a sampling of web requests

webacl*

aws:ResourceTag/${TagKey}

Read

GetTopPathStatisticsByTraffic

Grants permission to retrieve aggregated path statistics with bot traffic analysis for a WebACL within a specified time window

webacl*

aws:ResourceTag/${TagKey}

Read

GetWebACL

Grants permission to retrieve details about a WebACL

webacl*

aws:ResourceTag/${TagKey}

Read

GetWebACLForResource

Grants permission to retrieve the WebACL that's associated with a resource

agentcore-gateway

Read

amplify-app

apigateway

apprunner

appsync

loadbalancer/app/

userpool

verified-access-instance

webacl*

aws:ResourceTag/${TagKey}

ListAPIKeys

Grants permission to retrieve a list of the API keys that you've defined for the specified scope

List

ListAvailableManagedRuleGroupVersions

Grants permission to retrieve an array of managed rule group versions that are available for you to use

List

ListAvailableManagedRuleGroups

Grants permission to retrieve an array of managed rule groups that are available for you to use

List

ListIPSets

Grants permission to retrieve an array of IPSetSummary objects for the IP sets that you manage

List

ListLoggingConfigurations

Grants permission to retrieve an array of your LoggingConfiguration objects

wafv2:LogScope

List

ListManagedRuleSets

Grants permission to retrieve an array of your ManagedRuleSet objects

List

ListMobileSdkReleases

Grants permission to retrieve a list of the available releases for the mobile SDK and the specified device platform

List

ListRegexPatternSets

Grants permission to retrieve an array of RegexPatternSetSummary objects for the regex pattern sets that you manage

List

ListResourcesForWebACL

Grants permission to retrieve an array of the Amazon Resource Names (ARNs) for the resources that are associated with a web ACL

agentcore-gateway

List

amplify-app

apprunner

userpool

verified-access-instance

webacl*

aws:ResourceTag/${TagKey}

ListRuleGroups

Grants permission to retrieve an array of RuleGroupSummary objects for the rule groups that you manage

List

ListSettlementRecords

Grants permission to retrieve a list of monetization settlement records within a specified time window

List

ListTagsForResource

Grants permission to list tags for a resource

ipset

aws:ResourceTag/${TagKey}

Read

regexpatternset

aws:ResourceTag/${TagKey}

rulegroup

aws:ResourceTag/${TagKey}

webacl

aws:ResourceTag/${TagKey}

ListWebACLs

Grants permission to retrieve an array of WebACLSummary objects for the web ACLs that you manage

List

PutLoggingConfiguration

Grants permission to enable a LoggingConfiguration, to start logging for a web ACL

webacl*

aws:ResourceTag/${TagKey}

wafv2:LogDestinationResource

wafv2:LogScope

Write

PutManagedRuleSetVersions

Grants permission to enable create a new or update an existing version of a ManagedRuleSet

managedruleset*

Write

rulegroup*

aws:ResourceTag/${TagKey}

PutPermissionPolicy

Grants permission to attach an IAM policy to a resource, used to share rule groups between accounts

rulegroup*

aws:ResourceTag/${TagKey}

Permissions management, Write

TagResource

Grants permission to associate tags with a Amazon resource

ipset

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

regexpatternset

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

rulegroup

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

webacl

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to disassociate tags from an Amazon resource

ipset

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

regexpatternset

aws:ResourceTag/${TagKey}

aws:TagKeys

rulegroup

aws:ResourceTag/${TagKey}

aws:TagKeys

webacl

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateIPSet

Grants permission to update an IPSet

ipset*

aws:ResourceTag/${TagKey}

Write

UpdateManagedRuleSetVersionExpiryDate

Grants permission to update the expiry date of a version in ManagedRuleSet

managedruleset*

Write

UpdateRegexPatternSet

Grants permission to update a RegexPatternSet

regexpatternset*

aws:ResourceTag/${TagKey}

Write

UpdateRuleGroup

Grants permission to update a RuleGroup

ipset

aws:ResourceTag/${TagKey}

Write

regexpatternset

aws:ResourceTag/${TagKey}

rulegroup*

aws:ResourceTag/${TagKey}

UpdateWebACL

Grants permission to update a WebACL

ipset

aws:ResourceTag/${TagKey}

Write

managedruleset

aws:ResourceTag/${TagKey}

regexpatternset

aws:ResourceTag/${TagKey}

rulegroup

aws:ResourceTag/${TagKey}

webacl*

aws:ResourceTag/${TagKey}

Permission-only actions for Amazon WAF V2

The following actions are defined by Amazon WAF V2 but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

DisassociateFirewallManager

Grants permission to disassociate Firewall Manager from a WebACL

webacl*

aws:ResourceTag/${TagKey}

Write

PutFirewallManagerRuleGroups

Grants permission to create FirewallManagedRulesGroups in a WebACL

webacl*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon WAF V2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

agentcore-gateway

arn:${Partition}:bedrock-agentcore:${Region}:${Account}:gateway/${GatewayId}

amplify-app

arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}

apigateway

arn:${Partition}:apigateway:${Region}::/restapis/${ApiId}/stages/${StageName}

apprunner

arn:${Partition}:apprunner:${Region}:${Account}:service/${ServiceName}/${ServiceId}

appsync

arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}

ipset

arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/ipset/${Name}/${Id}

aws:ResourceTag/${TagKey}

loadbalancer/app/

arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/app/${LoadBalancerName}/${LoadBalancerId}

managedruleset

arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/managedruleset/${Name}/${Id}

regexpatternset

arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/regexpatternset/${Name}/${Id}

aws:ResourceTag/${TagKey}

rulegroup

arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/rulegroup/${Name}/${Id}

aws:ResourceTag/${TagKey}

userpool

arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId}

verified-access-instance

arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}

webacl

arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/webacl/${Name}/${Id}

aws:ResourceTag/${TagKey}

Condition keys for Amazon WAF V2

Amazon WAF V2 defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the allowed set of values for each of the tags

String

aws:ResourceTag/${TagKey}

Filters access by tag-value associated with the resource

String

aws:TagKeys

Filters access by the presence of mandatory tags in the request

ArrayOfString

wafv2:LogDestinationResource

Filters access by log destination ARN for PutLoggingConfiguration API

ARN

wafv2:LogScope

Filters access by log scope for Logging Configuration API

String