AWS WAF v2 New Plan Usage
This article explains the necessary permissions when using WafCharm with the new plan for AWS WAF v2.
In the new plan, you can choose either Legacy or Advanced rule policy, and both require the same permissions.
This permission allows access to AWS WAF. It is required to apply/update rules on web ACLs.
Custom policies are unavailable because permissions could become insufficient due to feature additions and updates.
This is a permission to access S3 buckets to obtain logs.
It is recommended to restrict the accessible S3 buckets in Resources by specifying ARNs.
To restrict the S3 buckets, please specify the S3 buckets' ARNs as shown below in the [Resource].
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::<S3 bucket>",
        "arn:aws:s3:::<S3 bucket>/<path>/*"
      ]
    }
  ]
}
To use the custom policy, please attach the policies below.
If you are using AWS Key Management Service (AWS KMS), please ensure that the permissions are sufficient.
This permission is used to obtain AllowedRequests and BlockedRequests metrics used to aggregate the total number of web requests, which are reported to CloudWatch Metrics from AWS WAF.
To restrict the permission, please use the custom policy available below.
*CloudWatch metrics do not have resources that can be limited using the policy's Resource statement, so please specify a wildcard (*) as the Resource in the IAM policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudwatch:GetMetricData",
      "Resource": "*"
    }
  ]
}
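The following is an added example (not WafCharm's own code or tooling) covering both custom policies above: it builds the S3 log-bucket policy scoped to a single bucket and prefix, and it flags Allow statements that use a bare wildcard Resource where the actions could have been scoped, while accepting "*" for cloudwatch:GetMetricData, which has no resource-level restriction. Bucket and prefix names are assumed sample values.

```python
import json

# Actions from the page's policies that cannot be resource-scoped; "*" is the
# only valid Resource for them, so the checker must not flag it.
RESOURCE_UNSCOPED_ACTIONS = {"cloudwatch:GetMetricData"}


def s3_log_policy(bucket: str, prefix: str) -> dict:
    """Build the read-only log-bucket policy from the page, limited to one
    bucket and one prefix instead of every bucket in the account."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": ["s3:List*", "s3:Get*"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/{prefix}/*",
                ],
            }
        ],
    }


def overly_broad_statements(policy: dict) -> list:
    """Return Sids of Allow statements whose Resource is a bare "*" while at
    least one of their actions could have been scoped to an ARN."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        scopable = [a for a in actions if a not in RESOURCE_UNSCOPED_ACTIONS]
        if "*" in resources and scopable:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    # Sample bucket and prefix (constructed values, not from the page).
    policy = s3_log_policy("example-waf-logs", "/AWSLogs/waf/")
    print(json.dumps(policy, indent=2))
    print("overly broad:", overly_broad_statements(policy))
```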