AWS waf documentation change
Summary
Updated IAM policy documentation to add Amplify and CloudFront permissions for web ACL management, removed service role reference
Security assessment
The changes document new IAM permissions (AssociateWebACL, DisassociateWebACL, etc.) required for AWS Amplify and CloudFront integration with WAF. While these permissions relate to security controls (web ACL management), there is no evidence of addressing a specific security vulnerability. The updates enhance documentation of security features rather than patching an issue.
Diff
diff --git a/waf/latest/developerguide/security-iam-awsmanpol.md b/waf/latest/developerguide/security-iam-awsmanpol.md index 63985dd2b..d54707405 100644 --- a//waf/latest/developerguide/security-iam-awsmanpol.md +++ b//waf/latest/developerguide/security-iam-awsmanpol.md @@ -33 +33 @@ For details about this policy, see [AWSWAFFullAccess](https://console.aws.amazon -This policy grants read-only permissions to the AWS WAF console, which includes resources for AWS WAF and for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, and AWS Verified Access. You can attach this policy to your IAM identities. AWS WAF also attaches this policy to aiam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess$serviceLevelSummary service role that allows AWS WAF to perform actions on your behalf. +This policy grants read-only permissions to the AWS WAF console, which includes resources for AWS WAF and for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, and AWS Verified Access. You can attach this policy to your IAM identities. @@ -54,0 +55,44 @@ Policy | Description of change | Date +`AWSWAFFullAccess` This policy allows AWS WAF to manage AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFFullAccess$serviceLevelSummary). | Added permissions AssociateWebACL, DisassociateWebACL, GetWebACLForResource, and ListResourcesForWebACL required for AWS Amplify. | 2025-05-05 +`AWSWAFReadOnlyAccess` This policy allows AWS WAF to manage AWS resources on your behalf in AWS WAF and in integrated services. For details about this policy, see [AWSWAFReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess$serviceLevelSummary) in the IAM console. | Added permissions GetWebACLForResource and ListResourcesForWebACL required for AWS Amplify. | 2025-05-05 +`AWSWAFConsoleReadOnlyAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleReadOnlyAccess$serviceLevelSummary). | Added the following permissions: + +###### Amplify + + * `amplify:GetWebACLForResource` – Grants permission to retrieve the AWS WAF web ACL associated with an Amplify resource + * `amplify:ListApps` – Grants permission to retrieve the Amplify apps in your AWS account + * `amplify:ListResourcesForWebACL` – Grants permission to retrieve the Amplify apps associated with an AWS WAF web ACL + + + +###### CloudFront + + * `cloudfront:GetDistributionConfig` – Grants permission to get the configuration information about a CloudFront distribution + * `cloudfront:GetDistributionTenant` – Grants permission to get the information about a CloudFront distribution tenant + * `cloudfront:ListDistributionTenants` – Grants permission to list the CloudFront distribution tenants associated with your AWS account + * `cloudfront:ListDistributionTenantsByCustomization` – Grants permission to list filtered CloudFront distribution tenants associated with your AWS account + +| 2025-05-05 +`AWSWAFConsoleFullAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess$serviceLevelSummary). | Added the following permissions: + +###### Amplify + + * `amplify:AssociateWebACL` – Grants permission to associate an AWS WAF web ACL to an Amplify resource + * `amplify:DisassociateWebACL` – Grants permission to disassociate an AWS WAF web ACL from an Amplify resource + * `amplify:GetWebACLForResource` – Grants permission to retrieve the AWS WAF web ACL associated with an Amplify resource + * `amplify:ListApps` – Grants permission to retrieve the Amplify apps in your AWS account + * `amplify:ListResourcesForWebACL` – Grants permission to retrieve the Amplify apps associated with an AWS WAF web ACL + + + +###### CloudFront + + * `cloudfront:AssociateDistributionTenantWebACL` – Grants permission to associate an AWS WAF web ACL with a CloudFront distribution tenant + * `cloudfront:AssociateDistributionWebACL` – Grants permission to associate an AWS WAF web ACL with a CloudFront distribution + * `cloudfront:DisassociateDistributionTenantWebACL` – Grants permission to disassociate an AWS WAF web ACL with a CloudFront distribution tenant + * `cloudfront:DisassociateDistributionWebACL` – Grants permission to disassociate an AWS WAF web ACL with a CloudFront distribution + * `cloudfront:GetDistributionConfig` – Grants permission to get the configuration information about a CloudFront distribution + * `cloudfront:GetDistributionTenant` – Grants permission to get the information about a CloudFront distribution tenant + * `cloudfront:ListDistributionTenants` – Grants permission to list the CloudFront distribution tenants associated with your AWS account + * `cloudfront:ListDistributionTenantsByCustomization` – Grants permission to list filtered CloudFront distribution tenants associated with your AWS account + +| 2025-05-05