Loading...
Back

Required permissions for AWS WAF Classic/AWS WAF v2 (old plan)

AWS WAF ClassicAWS WAF v2Old PlanAdvancedLegacyUsage

Overview

This article explains the necessary permissions when using WafCharm with the old plan for AWS WAF Classic and AWS WAF v2.

For the old plan, only the Legacy rule policy is available.

If you are using AWS WAF v2, you can choose the Advanced rule policy by migrating to the new plan. If you are using AWS WAF Classic, you must migrate to AWS WAF v2 and to the new plan in order to use the Advanced rule policy.

Required permissions

  • AWSWAFFullAccess
  • AmazonS3ReadOnlyAccess

AWSWAFFullAccess

This permission allows access to AWS WAF. It is required to apply/update rules on web ACLs.

Custom policies are unavailable because permissions could become insufficient due to feature additions and updates.

AmazonS3ReadOnlyAccess

This is a permissions to access S3 buckets to obtain logs.

It is recommended to restrict the accessible S3 buckets in Resources by specifying ARNs.

To restrict the S3 buckets, please specify the S3 buckets' ARNs as shown below in the [Resource].

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 Bucket>",
                "arn:aws:s3:::<S3 Bucket>/<path>/*"
            ]
        }
    ]
}

To use the custom policy, please attach the policies below.

  • GetObject
  • ListBucket

If you are using AWS Key Management Service (AWS KMS), please ensure that the permissions are sufficient.

Procedures

  • How to configure Credential Store for AWS WAF Classic/AWS WAF v2 (old plan)