Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Introducing a new console experience for Amazon WAF

You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see Working with the updated console experience.

Using service-linked roles for Amazon Shield network security director

This section explains how to use service-linked roles to give Amazon Shield network security director access to resources in your Amazon account.

Amazon Shield network security director uses Amazon Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Shield network security director. Service-linked roles are predefined by Amazon Shield network security director and include all the permissions that the service requires to call other Amazon services on your behalf.

A service-linked role makes setting up Amazon Shield network security director easier because you don’t have to manually add the necessary permissions. Amazon Shield network security director defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Shield network security director can assume its roles. The defined permissions include the trust policy and the permissions policy. That permissions policy can't be attached to any other IAM entity.

See the full service-linked role in the IAM console: NetworkSecurityDirectorServiceLinkedRolePolicy.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.

For information about other services that support service-linked roles, see Amazon Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for Amazon Shield network security director

The NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role trusts the following services to assume the role:

The NetworkSecurityDirectorServiceLinkedRolePolicy grants Amazon Shield network security director permissions to access and analyze various Amazon resources and services on your behalf. This includes:

The following listing is for permissions that don't support downscoping to specific resources. The rest are downscoped for the indicated service resources.

 {
  "Sid": "ResourceLevelPermissionNotSupported",
  "Effect": "Allow",
  "Action": [
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeCustomerGateways",
    "ec2:DescribeInstances",
    "ec2:DescribeInternetGateways",
    "ec2:DescribeManagedPrefixLists",
    "ec2:DescribeNatGateways",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribePrefixLists",
    "ec2:DescribeRegions",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGatewayPeeringAttachments",
    "ec2:DescribeTransitGatewayRouteTables",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcEndpointServiceConfigurations",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeVpcs",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeVpnGateways",
    "ec2:GetTransitGatewayRouteTablePropagations",
    "ec2:GetManagedPrefixListEntries",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroupAttributes",
    "elasticloadbalancing:DescribeRules",
    "elasticloadbalancing:DescribeLoadBalancencerAttributes",
    "wafv2:ListWebACLs",
    "cloudfront:ListDistributions",
    "cloudfront:ListTagsForResource",
    "directconnect:DescribeDirectConnectGateways",
    "directconnect:DescribeVirtualInterfaces"
  ],
  "Resource": "*"
}
     

NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role permissions

The following list covers all permissions enabled by the NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role.

Amazon CloudFront

 {
  "Sid": "cloudfront",
  "Effect": "Allow",
  "Action": [
    "cloudfront:GetDistribution"
  ],
  "Resource": "arn:aws:cloudfront::*:distribution/*"
 }
     

Amazon WAF

 {
  "Sid": "wafv2",
  "Effect": "Allow",
  "Action": [
    "wafv2:ListResourcesForWebACL",
    "wafv2:ListRuleGroups",
    "wafv2:ListAvailableManagedRuleGroups",
    "wafv2:GetRuleGroup",
    "wafv2:DescribeManagedRuleGroup",
    "wafv2:GetWebACL"
  ],
  "Resource": [
    "arn:aws:wafv2:*:*:global/rulegroup/*",
    "arn:aws:wafv2:*:*:regional/rulegroup/*",
    "arn:aws:wafv2:*:*:global/managedruleset/*",
    "arn:aws:wafv2:*:*:regional/managedruleset/*",
    "arn:aws:wafv2:*:*:global/webacl/*/*",
    "arn:aws:wafv2:*:*:regional/webacl/*/*",
    "arn:aws:apprunner:*:*:service/*",
    "arn:aws:cognito-idp:*:*:userpool/*",
    "arn:aws:ec2:*:*:verified-access-instance/*"
  ]
 }
      

Amazon WAF Classic

 {
  "Sid": "classicWaf",
  "Effect": "Allow",
  "Action": [
    "waf:ListWebACLs",
    "waf:GetWebACL"
  ],
  "Resource": [
    "arn:aws:waf::*:webacl/*",
    "arn:aws:waf-regional:*:*:webacl/*"
  ]
}
     

Amazon Direct Connect

 {
  "Sid": "directconnect",
  "Effect": "Allow",
  "Action": [
    "directconnect:DescribeConnections",
    "directconnect:DescribeDirectConnectGatewayAssociations",
    "directconnect:DescribeDirectConnectGatewayAttachments",
    "directconnect:DescribeVirtualGateways"
  ],
  "Resource": [
    "arn:aws:directconnect::*:dx-gateway/*",
    "arn:aws:directconnect:*:*:dxcon/*",
    "arn:aws:directconnect:*:*:dxlag/*",
    "arn:aws:directconnect:*:*:dxvif/*"
  ]
 }
     

Amazon Transit Gateway routes

 {
  "Sid": "ec2Get",
  "Effect": "Allow",
  "Action": [
    "ec2:SearchTransitGatewayRoutes"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:transit-gateway-route-table/*"
  ]
 }
     

Amazon Network Firewall

 {
  "Sid": "networkFirewall",
  "Effect": "Allow",
  "Action": [
    "network-firewall:ListFirewalls",
    "network-firewall:ListFirewallPolicies",
    "network-firewall:ListRuleGroups",
    "network-firewall:DescribeFirewall",
    "network-firewall:DescribeFirewallPolicy",
    "network-firewall:DescribeRuleGroup"
  ],
  "Resource": [
    "arn:aws:network-firewall:*:*:*/*"
  ]
}
     

Amazon API Gateway

 {
   "Sid": "apiGatewayGetAPI",
   "Effect": "Allow",
   "Action": [
     "apigateway:GET"
   ],
  "Resource": [
    "arn:aws:apigateway:*::/restapis",
    "arn:aws:apigateway:*::/restapis/*",
    "arn:aws:apigateway:*::/apis",
    "arn:aws:apigateway:*::/apis/*",
    "arn:aws:apigateway:*::/tags/*",
    "arn:aws:apigateway:*::/vpclinks",
    "arn:aws:apigateway:*::/vpclinks/*"
  ]
 }
     

Creating a service-linked role for Amazon Shield network security director

You don't need to manually create a service-linked role. When you run your first network analysis, Amazon Shield network security director creates the service-linked role for you.

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you enable Amazon Shield network security director logging, Amazon Shield network security director creates the service-linked role for you again.

Editing a service-linked role for Amazon Shield network security director

Amazon Shield network security director doesn't allow you to edit the NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a service-linked role for Amazon Shield network security director

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

This protects your Amazon Shield network security director resources because you can't inadvertently remove permission to access the resources.

To manually delete the service-linked role using IAM

Use the IAM console, the IAM CLI, or the IAM API to delete the NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

Supported Regions for Amazon Shield network security director service-linked roles

Amazon Shield network security director supports using service-linked roles in following regions and can only retrieve data about your resources in these regions.