AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2026-07-01 · Documentation low

File: waf/latest/developerguide/security_iam_service-with-iam.md

Summary

Added IAM policy documentation for Amazon Bedrock AgentCore Gateway integration with AWS WAF, including permissions for AssociateWebACL, DisassociateWebACL, GetWebACLForResource, and ListResourcesForWebACL operations. Updated resource scope description to include Bedrock.

Security assessment

The change adds IAM policy examples for a new service integration (Bedrock AgentCore Gateway) but doesn't address any security vulnerability. It enhances security documentation by providing necessary permissions for WAF operations.

Diff

diff --git a/waf/latest/developerguide/security_iam_service-with-iam.md b/waf/latest/developerguide/security_iam_service-with-iam.md
index 4f53ae1c5..3fd99594c 100644
--- a//waf/latest/developerguide/security_iam_service-with-iam.md
+++ b//waf/latest/developerguide/security_iam_service-with-iam.md
@@ -301,0 +302,26 @@ Requires permission to call the App Runner `AssociateWebACL` action on the App R
+###### Amazon Bedrock AgentCore Gateway
+
+Requires permission to call the `bedrock-agentcore:GatewayAssociateWebACL` action on the Bedrock AgentCore Gateway resource type and to call AWS WAF `AssociateWebACL` for a web ACL.
+    
+    
+    {
+      "Sid": "AssociateWebACL1",
+      "Effect": "Allow",
+      "Action": [
+        "wafv2:AssociateWebACL"
+      ],
+      "Resource": [
+        "arn:aws:wafv2:region:account-id:regional/webacl/*/*"
+      ]
+    },
+    {
+      "Sid": "AssociateWebACL2",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:GatewayAssociateWebACL"
+      ],
+      "Resource": [
+        "arn:aws:bedrock-agentcore:*:account-id:gateway/*"
+      ]
+    }
+
@@ -478,0 +505,24 @@ Requires permission to call the App Runner `DisassociateWebACL` action on the Ap
+###### Amazon Bedrock AgentCore Gateway
+
+Requires permission to call the `bedrock-agentcore:GatewayDisassociateWebACL` action on the Bedrock AgentCore Gateway resource type and to call AWS WAF `DisassociateWebACL`.
+    
+    
+    {
+      "Sid": "DisassociateWebACL",
+      "Effect": "Allow",
+      "Action": [
+        "wafv2:DisassociateWebACL"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "DisassociateWebACL2",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:GatewayDisassociateWebACL"
+      ],
+      "Resource": [
+        "arn:aws:bedrock-agentcore:*:account-id:gateway/*"
+      ]
+    }
+
@@ -677,0 +728,27 @@ Requires permission to call the App Runner `DescribeWebAclForService` action on
+###### Amazon Bedrock AgentCore Gateway
+
+Requires permission to call the `bedrock-agentcore:GatewayGetWebACLForResource` action on the Bedrock AgentCore Gateway resource type and to call AWS WAF `GetWebACLForResource` and `GetWebACL` for a web ACL.
+    
+    
+    {
+      "Sid": "GetWebACLForResource1",
+      "Effect": "Allow",
+      "Action": [
+        "wafv2:GetWebACLForResource",
+        "wafv2:GetWebACL"
+      ],
+      "Resource": [
+        "arn:aws:wafv2:region:account-id:regional/webacl/*/*"
+      ]
+    },
+    {
+      "Sid": "GetWebACLForResource2",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:GatewayGetWebACLForResource"
+      ],
+      "Resource": [
+        "arn:aws:bedrock-agentcore:*:account-id:gateway/*"
+      ]
+    }
+
@@ -866,0 +944,24 @@ Requires permission to call the App Runner `ListAssociatedServicesForWebAcl` act
+###### Amazon Bedrock AgentCore Gateway
+
+Requires permission to call the `bedrock-agentcore:GatewayListResourcesForWebACL` action and to call AWS WAF `ListResourcesForWebACL` for a web ACL.
+    
+    
+    {
+      "Sid": "ListResourcesForWebACL",
+      "Effect": "Allow",
+      "Action": [
+        "wafv2:ListResourcesForWebACL"
+      ],
+      "Resource": [
+        "arn:aws:wafv2:region:account-id:regional/webacl/*/*"
+      ]
+    },
+    {
+      "Sid": "ListResourcesForWebACL2",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:GatewayListResourcesForWebACL"
+      ],
+      "Resource": "*"
+    }
+
@@ -917 +1018 @@ The following lists requirements that are specific to the ARNs of `wafv2` resour
-  * `scope`: Set the scope to `global` for use with an Amazon CloudFront distribution or `regional` for use with any of the regional resources that AWS WAF supports. The regional resources are an Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, and an AWS Verified Access instance. 
+  * `scope`: Set the scope to `global` for use with an Amazon CloudFront distribution or `regional` for use with any of the regional resources that AWS WAF supports. The regional resources are an Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, an Amazon Bedrock AgentCore Gateway, and an AWS Verified Access instance.