


# Amazon managed policies for Amazon Shield
<a name="shd-security-iam-awsmanpol"></a>

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use case, because they are written to be usable by all Amazon customers. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use case.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.
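Because Amazon can change a managed policy at any time and the change applies immediately to every role it is attached to, it is worth recording the policy version you reviewed and diffing it against the current default version. `aws iam get-policy --policy-arn <policy ARN>` returns `DefaultVersionId`, `aws iam list-policy-versions` lists the versions that exist, and `aws iam get-policy-version --policy-arn <policy ARN> --version-id <id>` returns the document itself (in the China Regions the policy ARNs use the `arn:aws-cn` partition rather than `arn:aws`). The script below is an added example, not Amazon documentation code: it takes two such policy documents and reports which actions were added, removed, or widened to `Resource: "*"`, and which grants use action wildcards that a customer managed policy would normally narrow. The two policy documents embedded in it are constructed for illustration and do not reproduce the real contents of AWSShieldServiceRolePolicy or AWSShieldDRTAccessPolicy.

```python
"""Summarize and diff versions of an IAM managed policy.

Added example for this page; it is not Amazon documentation code and does not
reproduce the real contents of AWSShieldServiceRolePolicy or
AWSShieldDRTAccessPolicy. OLD_VERSION and NEW_VERSION are CONSTRUCTED stand-ins
in the shape that `aws iam get-policy-version` returns under
PolicyVersion.Document.
"""
import json
from typing import Dict, List, Set

# Constructed sample: an earlier version of some managed policy.
OLD_VERSION = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["wafv2:GetWebACL", "wafv2:ListWebACLs"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "shield:DescribeProtection",
     "Resource": "arn:aws:shield::123456789012:protection/*"}
  ]
}
""")

# Constructed sample: a later version that adds, removes and widens grants.
NEW_VERSION = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["wafv2:GetWebACL", "wafv2:UpdateWebACL"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "shield:DescribeProtection",
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "logs:Describe*",
     "Resource": "*"}
  ]
}
""")


def _as_list(value) -> list:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> Dict[str, Set[str]]:
    """Map each action in an Allow statement to the Resource patterns it covers.

    Condition blocks and NotAction/NotResource are ignored, so the result is an
    over-approximation of what the policy grants; that is the safe direction
    for change review.
    """
    grants: Dict[str, Set[str]] = {}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            grants.setdefault(action, set()).update(_as_list(stmt.get("Resource")))
    return grants


def diff_policies(old: dict, new: dict) -> Dict[str, List[str]]:
    """Report actions added, actions removed, and actions whose resource scope
    grew from specific ARNs to '*' between two versions of a policy."""
    before, after = allowed_actions(old), allowed_actions(new)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    widened = sorted(
        action for action in set(before) & set(after)
        if "*" in after[action] and "*" not in before[action]
    )
    return {"added": added, "removed": removed, "widened_to_any_resource": widened}


def wildcard_actions(policy: dict) -> List[str]:
    """Actions granted with a trailing wildcard (for example 'logs:Describe*').
    These are the grants a customer managed policy would normally narrow."""
    return sorted(action for action in allowed_actions(policy) if action.endswith("*"))


if __name__ == "__main__":
    print(json.dumps(diff_policies(OLD_VERSION, NEW_VERSION), indent=2))
    print("wildcard grants in new version:", wildcard_actions(NEW_VERSION))
```

Run it against the saved document from your last review and the current default version; a non-empty `added` or `widened_to_any_resource` list is the signal to re-read the policy, and the `wildcard_actions` output of the current version is the starting list for the tighter customer managed policy recommended above.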

## Amazon managed policy: AWSShieldDRTAccessPolicy
<a name="shd-security-iam-awsmanpol-AWSShieldDRTAccessPolicy"></a>

This section describes the AWSShieldDRTAccessPolicy managed policy.

Amazon Shield uses this managed policy when you grant the Shield Response Team (SRT) permission to act on your behalf. The policy gives the SRT limited access to your Amazon account so that it can assist with DDoS attack mitigation during high-severity events: it allows the SRT to manage your Amazon WAF rules and Shield Advanced protections and to access your Amazon WAF logs. You attach the policy to an IAM role in your account and then authorize the SRT to use that role; the SRT receives only the permissions that this policy grants.

For information about granting permission to the SRT to operate on your behalf, see [Granting access for the SRT](ddos-srt-access.md).

For details about this policy, see [AWSShieldDRTAccessPolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy) in the IAM console.

## Amazon managed policy: AWSShieldServiceRolePolicy
<a name="shd-security-iam-awsmanpol-AWSShieldServiceRolePolicy"></a>

Shield Advanced uses this managed policy when you enable automatic application layer DDoS mitigation, to set the permissions it needs to manage resources for your account. This policy allows Shield Advanced to create and apply Amazon WAF rules and rule groups in the web ACLs that you've associated with your protected resources, to automatically respond to DDoS attacks. 

You can't attach AWSShieldServiceRolePolicy to your IAM entities. Shield attaches this policy to the service-linked role `AWSServiceRoleForAWSShield` to allow Shield to perform actions on your behalf. 

Shield Advanced enables the use of this policy when you enable automatic application layer DDoS mitigation. For more information about how Shield Advanced uses this policy, see [Automating application layer DDoS mitigation with Shield Advanced](ddos-automatic-app-layer-response.md).

For information about the service-linked role AWSServiceRoleForAWSShield that uses this policy, see [Using service-linked roles for Shield Advanced](shd-using-service-linked-roles.md).

For details about this policy, see [AWSShieldServiceRolePolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSShieldServiceRolePolicy) in the IAM console.

## Shield updates to Amazon managed policies
<a name="shd-security-iam-awsmanpol-updates"></a>

View details about updates to Amazon managed policies for Shield since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Shield document history page at [Document history](doc-history.md).

| Policy | Description of change | Date | 
| --- | --- | --- | 
| `AWSShieldServiceRolePolicy` (details in the IAM console: [AWSShieldServiceRolePolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSShieldServiceRolePolicy)). This policy allows Shield to access and manage Amazon resources in order to automatically respond to application layer DDoS attacks on your behalf. The service-linked role `AWSServiceRoleForAWSShield` uses this policy; see [Using service-linked roles for Shield Advanced](shd-using-service-linked-roles.md). | Added this policy to provide Shield Advanced with the permissions required for the automatic application layer DDoS mitigation functionality. For information about this feature, see [Automating application layer DDoS mitigation with Shield Advanced](ddos-automatic-app-layer-response.md). | December 1, 2021 | 
| Shield started tracking changes | Shield started tracking changes for its Amazon managed policies. | March 3, 2021 | 