AWS waf documentation change
Summary
Updated IAM policy examples to include 'protection pack' references and added console experience note
Security assessment
The changes expand IAM policy documentation to cover protection packs as a resource type, improving access control documentation for security features. However, this is a routine update rather than a response to a security issue.
Diff
diff --git a/waf/latest/developerguide/security_iam_id-based-policy-examples.md b/waf/latest/developerguide/security_iam_id-based-policy-examples.md index 61fcb6eb1..57320afcf 100644 --- a//waf/latest/developerguide/security_iam_id-based-policy-examples.md +++ b//waf/latest/developerguide/security_iam_id-based-policy-examples.md @@ -5 +5,5 @@ -Policy best practicesUsing the consoleAllow users to view their own permissionsGrant read-only access to AWS WAF, CloudFront, and CloudWatchGrant full access to AWS WAF, CloudFront, and CloudWatchGrant access to a single AWS accountGrant access to a single web ACLGrant CLI access to a web ACL and rule group +Policy best practicesUsing the consoleAllow users to view their own permissionsGrant read-only access to AWS WAF, CloudFront, and CloudWatchGrant full access to AWS WAF, CloudFront, and CloudWatchGrant access to a single AWS accountGrant access to a single protection pack or web ACLGrant CLI access to a protection pack or web ACL and rule group + +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). @@ -31 +35 @@ For details about actions and resource types defined by AWS WAF, including the f - * Grant access to a single web ACL + * Grant access to a single protection pack or web ACL @@ -33 +37 @@ For details about actions and resource types defined by AWS WAF, including the f - * Grant CLI access to a web ACL and rule group + * Grant CLI access to a protection pack or web ACL and rule group @@ -105 +109 @@ This example shows how you might create a policy that allows IAM users to view t -The following policy grants users read-only access to AWS WAF resources, to Amazon CloudFront web distributions, and to Amazon CloudWatch metrics. It's useful for users who need permission to view the settings in AWS WAF conditions, rules, and web ACLs to see which distribution is associated with a web ACL, and to monitor metrics and a sample of requests in CloudWatch. These users can't create, update, or delete AWS WAF resources. +The following policy grants users read-only access to AWS WAF resources, to Amazon CloudFront web distributions, and to Amazon CloudWatch metrics. It's useful for users who need permission to view the settings in AWS WAF conditions, rules, and protection pack or web ACLs to see which distribution is associated with a protection pack or web ACL, and to monitor metrics and a sample of requests in CloudWatch. These users can't create, update, or delete AWS WAF resources. @@ -176 +180 @@ This policy grants the following permissions to the account 444455556666: - * Read and update access to all CloudFront distributions, which allows you to associate web ACLs and CloudFront distributions. + * Read and update access to all CloudFront distributions, which allows you to associate protection pack or web ACLs and CloudFront distributions. @@ -216 +220 @@ This policy grants the following permissions to the account 444455556666: -## Grant access to a single web ACL +## Grant access to a single protection pack or web ACL @@ -218 +222 @@ This policy grants the following permissions to the account 444455556666: -The following policy lets users perform any AWS WAF operation through the console on a specific web ACL in the account `444455556666`. +The following policy lets users perform any AWS WAF operation through the console on a specific protection pack or web ACL in the account `444455556666`. @@ -247 +251 @@ The following policy lets users perform any AWS WAF operation through the consol -## Grant CLI access to a web ACL and rule group +## Grant CLI access to a protection pack or web ACL and rule group @@ -249 +253 @@ The following policy lets users perform any AWS WAF operation through the consol -The following policy lets users perform any AWS WAF operation through the CLI on a specific web ACL and a specific rule group in the account `444455556666`. +The following policy lets users perform any AWS WAF operation through the CLI on a specific protection pack or web ACL and a specific rule group in the account `444455556666`. @@ -268 +272 @@ The following policy lets users perform any AWS WAF operation through the CLI on -The following policy lets users perform any AWS WAF operation through the console on a specific web ACL in the account `444455556666`. +The following policy lets users perform any AWS WAF operation through the console on a specific protection pack or web ACL in the account `444455556666`.