Permissions for @turbot/aws-waf
Taking a look at permissions and associated grant levels for each permission for WAF:
| Permission | Grant Level | Help |
|---|---|---|
| waf:CreateByteMatchSet | Admin | Admin can create the matchset part of a web request for AWS WAF to inspect |
| waf:CreateGeoMatchSet | Admin | |
| waf:CreateIPSet | Admin | |
| waf:CreateRateBasedRule | Admin | |
| waf:CreateRegexMatchSet | Admin | |
| waf:CreateRegexPatternSet | Admin | |
| waf:CreateRule | Admin | Admin can create a rule which contains the condition objects to block or allow access. |
| waf:CreateRuleGroup | Admin | Admin can create a rule group which is a collection of predefined rules that can be added to a web ACL. |
| waf:CreateSizeConstraintSet | Admin | |
| waf:CreateSqlInjectionMatchSet | Admin | |
| waf:CreateWebACL | Admin | Admin can create a WebACL that contains the Rules that identify the CloudFront web requests that should be allowed or blocked or counted. |
| waf:CreateWebACLMigrationStack | Admin | |
| waf:CreateXssMatchSet | Admin | |
| waf:DeleteByteMatchSet | Admin | |
| waf:DeleteGeoMatchSet | Admin | |
| waf:DeleteIPSet | Admin | |
| waf:DeleteLoggingConfiguration | Admin | |
| waf:DeletePermissionPolicy | Admin | Admin can permanently delete an IAM policy from the specified RuleGroup. |
| waf:DeleteRateBasedRule | Admin | |
| waf:DeleteRegexMatchSet | Admin | |
| waf:DeleteRegexPatternSet | Admin | |
| waf:DeleteRule | Admin | |
| waf:DeleteRuleGroup | Admin | Admin can delete a RuleGroup. |
| waf:DeleteSizeConstraintSet | Admin | |
| waf:DeleteSqlInjectionMatchSet | Admin | |
| waf:DeleteWebACL | Admin | Admin can delete a WebACL. |
| waf:DeleteXssMatchSet | Admin | |
| waf:GetByteMatchSet | Metadata | |
| waf:GetChangeToken | Metadata | |
| waf:GetChangeTokenStatus | Metadata | |
| waf:GetGeoMatchSet | Metadata | |
| waf:GetIPSet | ReadOnly | |
| waf:GetLoggingConfiguration | Metadata | |
| waf:GetPermissionPolicy | ReadOnly | |
| waf:GetRateBasedRule | ReadOnly | |
| waf:GetRateBasedRuleManagedKeys | ReadOnly | |
| waf:GetRegexMatchSet | Metadata | |
| waf:GetRegexPatternSet | Metadata | |
| waf:GetRule | Metadata | |
| waf:GetRuleGroup | Metadata | |
| waf:GetSampledRequests | Metadata | |
| waf:GetSizeConstraintSet | Metadata | |
| waf:GetSqlInjectionMatchSet | Metadata | |
| waf:GetWebACL | ReadOnly | |
| waf:GetXssMatchSet | Metadata | |
| waf:ListActivatedRulesInRuleGroup | Metadata | |
| waf:ListByteMatchSets | Metadata | |
| waf:ListGeoMatchSets | Metadata | |
| waf:ListIPSets | Metadata | |
| waf:ListLoggingConfigurations | Metadata | |
| waf:ListRateBasedRules | Metadata | |
| waf:ListRegexMatchSets | Metadata | |
| waf:ListRegexPatternSets | Metadata | |
| waf:ListRuleGroups | Metadata | |
| waf:ListRules | Metadata | |
| waf:ListSizeConstraintSets | Metadata | |
| waf:ListSqlInjectionMatchSets | Metadata | |
| waf:ListSubscribedRuleGroups | Metadata | |
| waf:ListTagsForResource | Metadata | |
| waf:ListWebACLs | Metadata | |
| waf:ListXssMatchSets | Metadata | |
| waf:PutLoggingConfiguration | Admin | |
| waf:PutPermissionPolicy | Admin | Admin can attache a IAM policy to the specified resource. |
| waf:TagResource | Operator | |
| waf:UntagResource | Operator | |
| waf:UpdateByteMatchSet | Admin | |
| waf:UpdateGeoMatchSet | Admin | |
| waf:UpdateIPSet | Admin | |
| waf:UpdateRateBasedRule | Admin | |
| waf:UpdateRegexMatchSet | Admin | |
| waf:UpdateRegexPatternSet | Admin | |
| waf:UpdateRule | Admin | |
| waf:UpdateRuleGroup | Admin | Admin can insert or delete an ActivatedRule objects in a RuleGroup. |
| waf:UpdateSizeConstraintSet | Admin | |
| waf:UpdateSqlInjectionMatchSet | Admin | |
| waf:UpdateWebACL | Admin | Admin can insert or delete ActivatedRule objects in a WebACL. |
| waf:UpdateXssMatchSet | Admin | |
| wafv2:AssociateWebACL | Admin | |
| wafv2:CheckCapacity | Metadata | |
| wafv2:CreateIPSet | Admin | |
| wafv2:CreateRegexPatternSet | Admin | |
| wafv2:CreateRuleGroup | Admin | |
| wafv2:CreateWebACL | Admin | |
| wafv2:DeleteFirewallManagerRuleGroups | Admin | |
| wafv2:DeleteIPSet | Admin | |
| wafv2:DeleteLoggingConfiguration | Admin | |
| wafv2:DeletePermissionPolicy | Admin | |
| wafv2:DeleteRegexPatternSet | Admin | |
| wafv2:DeleteRuleGroup | Admin | |
| wafv2:DeleteWebACL | Admin | |
| wafv2:DescribeManagedRuleGroup | Metadata | |
| wafv2:DisassociateFirewallManager | Admin | |
| wafv2:DisassociateWebACL | Admin | |
| wafv2:GetIPSet | Metadata | |
| wafv2:GetLoggingConfiguration | Metadata | |
| wafv2:GetManagedRuleSet | Metadata | |
| wafv2:GetPermissionPolicy | Metadata | |
| wafv2:GetRateBasedStatementManagedKeys | Metadata | |
| wafv2:GetRegexPatternSet | Metadata | |
| wafv2:GetRuleGroup | Metadata | |
| wafv2:GetSampledRequests | Metadata | |
| wafv2:GetWebACL | Metadata | |
| wafv2:GetWebACLForResource | Metadata | |
| wafv2:ListAvailableManagedRuleGroups | Metadata | |
| wafv2:ListIPSets | Metadata | |
| wafv2:ListLoggingConfigurations | Metadata | |
| wafv2:ListManagedRuleSets | Metadata | |
| wafv2:ListRegexPatternSets | Metadata | |
| wafv2:ListResourcesForWebACL | Metadata | |
| wafv2:ListRuleGroups | Admin | |
| wafv2:ListTagsForResource | Metadata | |
| wafv2:ListWebACLs | Metadata | |
| wafv2:PutFirewallManagerRuleGroups | Admin | |
| wafv2:PutLoggingConfiguration | Admin | |
| wafv2:PutManagedRuleSetVersions | Admin | |
| wafv2:PutPermissionPolicy | Admin | |
| wafv2:TagResource | Operator | |
| wafv2:UntagResource | Operator | |
| wafv2:UpdateIPSet | Admin | |
| wafv2:UpdateManagedRuleSetVersionExpiryDate | Admin | |
| wafv2:UpdateRegexPatternSet | Admin | |
| wafv2:UpdateRuleGroup | Admin | |
| wafv2:UpdateWebACL | Admin |