AWS waf documentation change
Summary
Updated AWS WAF managed policies to include Amazon CloudWatch in integrated services list and added detailed permissions for AWSWAFConsoleReadOnlyAccess/AWSWAFConsoleFullAccess policies (AppSync, CloudWatch Logs, Firehose, Price List, Marketplace)
Security assessment
The changes refine IAM policy permissions (e.g., restricting apigateway:GET scope) and document new service integrations. While this improves least-privilege practices, there's no evidence of addressing a specific security vulnerability. The updates primarily expand documentation about security-related IAM policies.
Diff
diff --git a/waf/latest/developerguide/security-iam-awsmanpol.md b/waf/latest/developerguide/security-iam-awsmanpol.md index 042741309..f96768120 100644 --- a//waf/latest/developerguide/security-iam-awsmanpol.md +++ b//waf/latest/developerguide/security-iam-awsmanpol.md @@ -25 +25 @@ For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM -This policy grants read-only permissions that allow users to access AWS WAF resources and resources for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, and AWS Verified Access. You can attach this policy to your IAM identities. AWS WAF also attaches this policy to a service role that allows AWS WAF to perform actions on your behalf. +This policy grants read-only permissions that allow users to access AWS WAF resources and resources for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, Amazon CloudWatch, and AWS Verified Access. You can attach this policy to your IAM identities. AWS WAF also attaches this policy to a service role that allows AWS WAF to perform actions on your behalf. @@ -31 +31 @@ For details about this policy, see [AWSWAFReadOnlyAccess](https://console.aws.am -This policy grants full access to AWS WAF resources and resources for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, and AWS Verified Access. You can attach this policy to your IAM identities. AWS WAF also attaches this policy to a service role that allows AWS WAF to perform actions on your behalf. +This policy grants full access to AWS WAF resources and resources for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, Amazon CloudWatch, and AWS Verified Access. You can attach this policy to your IAM identities. AWS WAF also attaches this policy to a service role that allows AWS WAF to perform actions on your behalf. @@ -37 +37 @@ For details about this policy, see [AWSWAFFullAccess](https://console.aws.amazon -This policy grants read-only permissions to the AWS WAF console, which includes resources for AWS WAF and for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, and AWS Verified Access. You can attach this policy to your IAM identities. +This policy grants read-only permissions to the AWS WAF console, which includes resources for AWS WAF and for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, Amazon CloudWatch, and AWS Verified Access. You can attach this policy to your IAM identities. @@ -43 +43 @@ For details about this policy, see [AWSWAFConsoleReadOnlyAccess](https://console -This policy grants full access to the AWS WAF console, which includes resources for AWS WAF and for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, and AWS Verified Access. You can attach this policy to your IAM identities. AWS WAF also attaches this policy to a service role that allows AWS WAF to perform actions on your behalf. +This policy grants full access to the AWS WAF console, which includes resources for AWS WAF and for integrated services, such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, Amazon CloudWatch, and AWS Verified Access. You can attach this policy to your IAM identities. AWS WAF also attaches this policy to a service role that allows AWS WAF to perform actions on your behalf. @@ -58,0 +59,76 @@ Policy | Description of change | Date +`AWSWAFConsoleReadOnlyAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleReadOnlyAccess$serviceLevelSummary). | Updated the following permissions: + + * `apigateway:GET` – Updated the resource scope to restrict retrievable resources to only Amazon API Gateway resources + +Added the following permissions: + +###### AWS AppSync + + * `appsync:ListApis` – Grants permission to retrieve AWS AppSync APIs in your AWS account + + + +###### Amazon CloudWatch + + * `logs:StartQuery` – Grants permission to start a query of one or more Amazon CloudWatch Logs insights log groups + * `logs:DescribeQueryDefinitions` – Grants permission to get a list of Amazon CloudWatch Logs insights query definitions and save them in your AWS or a source AWS account + * `logs:GetQueryResults` – Grants permission to get the results from a specified Amazon CloudWatch Logs insights query + + + +###### Amazon Data Firehose + + * `firehose:ListDeliveryStreams` – Grants permission to retrieve the Firehose streams in your AWS account + + + +###### AWS Price List + + * `pricing:GetPriceListFileUrl` – Grants permission to get the URL used to retrieve a Price List file from AWS Price List + * `pricing:ListPriceLists` – Grants permission to retrieve a list of Price List references from AWS Price List + + + +###### AWS Marketplace + + * `aws-marketplace:ViewSubscriptions` – Grants permission to view AWS Marketplace software subscriptions associated with your AWS account + +| 2025-11-03 +`AWSWAFConsoleFullAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess$serviceLevelSummary). | Updated the following permissions: + + * `apigateway:GET` – Updated the resource scope to restrict retrievable resources to only Amazon API Gateway resources + +Added the following permissions: + +###### AWS AppSync + + * `appsync:ListApis` – Grants permission to retrieve AWS AppSync APIs in your AWS account + + + +###### Amazon CloudWatch + + * `logs:StartQuery` – Grants permission to start a query of one or more Amazon CloudWatch Logs insights log groups + * `logs:DescribeQueryDefinitions` – Grants permission to get a list of Amazon CloudWatch Logs insights query definitions and save them in your AWS or a source AWS account + * `logs:GetQueryResults` – Grants permission to get the results from a specified Amazon CloudWatch Logs insights query + + + +###### Amazon Data Firehose + + * `firehose:ListDeliveryStreams` – Grants permission to retrieve the Firehose streams in your AWS account + + + +###### AWS Price List + + * `pricing:GetPriceListFileUrl` – Grants permission to get the URL used to retrieve a Price List file from AWS Price List + * `pricing:ListPriceLists` – Grants permission to retrieve a list of Price List references from AWS Price List + + + +###### AWS Marketplace + + * `aws-marketplace:ViewSubscriptions` – Grants permission to view AWS Marketplace software subscriptions associated with your AWS account + +| 2025-11-03