AWS waf documentation change
Summary
Added CloudFront web ACL association/disassociation permissions to Firewall Manager service role policy.
Security assessment
Documents expanded IAM permissions for security feature integration (WAF + CloudFront). Enhances security documentation but does not resolve a specific vulnerability.
Diff
diff --git a/waf/latest/developerguide/fms-security-iam-awsmanpol.md b/waf/latest/developerguide/fms-security-iam-awsmanpol.md index 964478b6e..ba6a73d23 100644 --- a//waf/latest/developerguide/fms-security-iam-awsmanpol.md +++ b//waf/latest/developerguide/fms-security-iam-awsmanpol.md @@ -115,0 +116,6 @@ Change | Description | Date +FMSServiceRolePolicy – Updated policy | Added permissions to the Firewall Manager service policy. Added the following permissions required for Amazon CloudFront: + + * `cloudfront:AssociateDistributionWebACL` – Grants permission to associate an AWS WAF web ACL with a CloudFront distribution + * `cloudfront:DisassociateDistributionWebACL` – Grants permission to disassociate an AWS WAF web ACL with a CloudFront distribution + +| 2025-05-21