AWSWAFConsoleFullAccess details (in AWS console)
Policy Name
AWSWAFConsoleFullAccess
Description
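Provides full access to AWS WAF via the AWS Management Console. Note that this policy also grants permissions to list and update Amazon CloudFront distributions, permissions to view load balancers on AWS Elastic Load Balancing, permissions to view Amazon API Gateway REST APIs and stages, permissions to list and view Amazon CloudWatch metrics, and permissions to view regions enabled within the account. (Not mentioned in this description but present in the policy document below: web ACL associate/disassociate or set actions for AppSync, Cognito user pools, App Runner services and EC2 Verified Access instances, and `logs:CreateLogDelivery`, `logs:DeleteLogDelivery` and `logs:PutResourcePolicy`, all on Resource `*`; plus `s3:ListAllMyBuckets` on `*` and `s3:GetBucketPolicy`/`s3:PutBucketPolicy` scoped to `arn:aws:s3:::aws-waf-logs-*`.)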
ARN
arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess
Path
/
PolicyId
ANPAZKAPJZG4AZOTQ7KAT
AttachmentCount
0
[
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:SetWebACL",
"cloudfront:ListDistributions",
"cloudfront:ListDistributionsByWebACLId",
"cloudfront:UpdateDistribution",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:SetWebACL",
"appsync:ListGraphqlApis",
"appsync:SetWebACL",
"waf-regional:*",
"waf:*",
"wafv2:*",
"s3:ListAllMyBuckets",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups",
"cognito-idp:ListUserPools",
"cognito-idp:AssociateWebACL",
"cognito-idp:DisassociateWebACL",
"cognito-idp:ListResourcesForWebACL",
"cognito-idp:GetWebACLForResource",
"apprunner:AssociateWebAcl",
"apprunner:DisassociateWebAcl",
"apprunner:DescribeWebAclForService",
"apprunner:ListServices",
"apprunner:ListAssociatedServicesForWebAcl",
"ec2:AssociateVerifiedAccessInstanceWebAcl",
"ec2:DisassociateVerifiedAccessInstanceWebAcl",
"ec2:DescribeVerifiedAccessInstanceWebAclAssociations",
"ec2:GetVerifiedAccessInstanceWebAcl",
"ec2:DescribeVerifiedAccessInstances"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutBucketPolicy",
"s3:GetBucketPolicy"
],
"Resource": [
"arn:aws:s3:::aws-waf-logs-*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:PutResourcePolicy"
],
"Resource": [
"*"
]
}
]