AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-11-19 · Documentation low

File: waf/latest/developerguide/security_iam_id-based-policy-examples.md

Summary

Added pricing plan manager, Route 53, and CloudWatch permissions to example IAM policies; removed markdown formatting; updated service name reference

Security assessment

Changes expand example policies with new service permissions (pricingplanmanager, route53) but show no evidence of addressing security flaws. The CloudWatch:GetMetricData addition enables monitoring but isn't a security-specific feature.

Diff

diff --git a/waf/latest/developerguide/security_iam_id-based-policy-examples.md b/waf/latest/developerguide/security_iam_id-based-policy-examples.md
index 53512c76c..fd730d3e0 100644
--- a//waf/latest/developerguide/security_iam_id-based-policy-examples.md
+++ b//waf/latest/developerguide/security_iam_id-based-policy-examples.md
@@ -50 +50 @@ Identity-based policies determine whether someone can create, access, or delete
-  * **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as AWS CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_.
+  * **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_.
@@ -111,6 +110,0 @@ The following policy grants users read-only access to AWS WAF resources, to Amaz
-JSON
-    
-
-****
-    
-    
@@ -131,0 +126 @@ JSON
+                    "cloudwatch:GetMetricData",
@@ -134 +129,5 @@ JSON
-                "ec2:DescribeRegions"
+                    "ec2:DescribeRegions",
+                    "pricingplanmanager:GetSubscription",
+                    "pricingplanmanager:ListSubscriptions",
+                    "route53:ListHostedZones",
+                    "route53:GetHostedZone"
@@ -147,6 +145,0 @@ The following policy lets users perform any AWS WAF operation, perform any opera
-JSON
-    
-
-****
-    
-    
@@ -173,0 +167,2 @@ JSON
+                    "cloudfront:DeleteDistributionTenant",
+                    "cloudwatch:GetMetricData",
@@ -176 +171,10 @@ JSON
-                "ec2:DescribeRegions"
+                    "ec2:DescribeRegions",
+                    "pricingplanmanager:GetSubscription",
+                    "pricingplanmanager:ListSubscriptions",
+                    "pricingplanmanager:UpdateSubscription",
+                    "pricingplanmanager:CancelSubscription",
+                    "pricingplanmanager:CancelSubscriptionChange",
+                    "pricingplanmanager:AssociateResourcesToSubscription",
+                    "pricingplanmanager:DisassociateResourcesFromSubscription",
+                    "route53:ListHostedZones",
+                    "route53:GetHostedZone"