Using service-linked roles for AWS Shield network security director
This section explains how to use service-linked roles to give AWS Shield network security director access to resources in your AWS account.
AWS Shield network security director uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS Shield network security director. Service-linked roles are predefined by AWS Shield network security director and include all the permissions that the service requires to call other AWS services on your behalf.
A service-linked role makes setting up AWS Shield network security director easier because you don’t have to manually add the necessary permissions. AWS Shield network security director defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Shield network security director can assume its roles. The defined permissions include the trust policy and the permissions policy. That permissions policy can't be attached to any other IAM entity.
See the full service-linked role in the IAM console: NetworkSecurityDirectorServiceLinkedRolePolicy
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.
For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.
Service-linked role permissions for AWS Shield network security director
The NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role trusts the following services to assume the role:
network-director.amazonaws.com
The NetworkSecurityDirectorServiceLinkedRolePolicy grants AWS Shield network security director permissions to access and analyze various AWS resources and services on your behalf. This includes:
Retrieving network configuration and security settings from Amazon EC2 resources
Accessing CloudWatch metrics to analyze network traffic patterns
Gathering information about load balancers and target groups
Collecting AWS WAF configurations and rules
Accessing AWS Direct Connect gateway information
And more, as detailed in the permissions list below
The following listing is for permissions that don't support downscoping to specific resources. The rest are downscoped for the indicated service resources.
```json
{
  "Sid": "ResourceLevelPermissionNotSupported",
  "Effect": "Allow",
  "Action": [
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeCustomerGateways",
    "ec2:DescribeInstances",
    "ec2:DescribeInternetGateways",
    "ec2:DescribeManagedPrefixLists",
    "ec2:DescribeNatGateways",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribePrefixLists",
    "ec2:DescribeRegions",
    "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGatewayPeeringAttachments",
    "ec2:DescribeTransitGatewayRouteTables",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcEndpointServiceConfigurations",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeVpcs",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeVpnGateways",
    "ec2:GetTransitGatewayRouteTablePropagations",
    "ec2:GetManagedPrefixListEntries",
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroupAttributes",
    "elasticloadbalancing:DescribeRules",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "wafv2:ListWebACLs",
    "cloudfront:ListDistributions",
    "cloudfront:ListTagsForResource",
    "directconnect:DescribeDirectConnectGateways",
    "directconnect:DescribeVirtualInterfaces"
  ],
  "Resource": "*"
}
```
NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role permissions
The following list covers all permissions enabled by the NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role.
Amazon CloudFront
```json
{
  "Sid": "cloudfront",
  "Effect": "Allow",
  "Action": ["cloudfront:GetDistribution"],
  "Resource": "arn:aws:cloudfront::*:distribution/*"
}
```
AWS WAF
```json
{
  "Sid": "wafv2",
  "Effect": "Allow",
  "Action": [
    "wafv2:ListResourcesForWebACL",
    "wafv2:ListRuleGroups",
    "wafv2:ListAvailableManagedRuleGroups",
    "wafv2:GetRuleGroup",
    "wafv2:DescribeManagedRuleGroup",
    "wafv2:GetWebACL"
  ],
  "Resource": [
    "arn:aws:wafv2:*:*:global/rulegroup/*",
    "arn:aws:wafv2:*:*:regional/rulegroup/*",
    "arn:aws:wafv2:*:*:global/managedruleset/*",
    "arn:aws:wafv2:*:*:regional/managedruleset/*",
    "arn:aws:wafv2:*:*:global/webacl/*/*",
    "arn:aws:wafv2:*:*:regional/webacl/*/*",
    "arn:aws:apprunner:*:*:service/*",
    "arn:aws:cognito-idp:*:*:userpool/*",
    "arn:aws:ec2:*:*:verified-access-instance/*"
  ]
}
```
AWS WAF Classic
```json
{
  "Sid": "classicWaf",
  "Effect": "Allow",
  "Action": ["waf:ListWebACLs", "waf:GetWebACL"],
  "Resource": [
    "arn:aws:waf::*:webacl/*",
    "arn:aws:waf-regional:*:*:webacl/*"
  ]
}
```
AWS Direct Connect
```json
{
  "Sid": "directconnect",
  "Effect": "Allow",
  "Action": [
    "directconnect:DescribeConnections",
    "directconnect:DescribeDirectConnectGatewayAssociations",
    "directconnect:DescribeDirectConnectGatewayAttachments",
    "directconnect:DescribeVirtualGateways"
  ],
  "Resource": [
    "arn:aws:directconnect::*:dx-gateway/*",
    "arn:aws:directconnect:*:*:dxcon/*",
    "arn:aws:directconnect:*:*:dxlag/*",
    "arn:aws:directconnect:*:*:dxvif/*"
  ]
}
```
AWS Transit Gateway routes
```json
{
  "Sid": "ec2Get",
  "Effect": "Allow",
  "Action": ["ec2:SearchTransitGatewayRoutes"],
  "Resource": ["arn:aws:ec2:*:*:transit-gateway-route-table/*"]
}
```
AWS Network Firewall
```json
{
  "Sid": "networkFirewall",
  "Effect": "Allow",
  "Action": [
    "network-firewall:ListFirewalls",
    "network-firewall:ListFirewallPolicies",
    "network-firewall:ListRuleGroups",
    "network-firewall:DescribeFirewall",
    "network-firewall:DescribeFirewallPolicy",
    "network-firewall:DescribeRuleGroup"
  ],
  "Resource": ["arn:aws:network-firewall:*:*:*/*"]
}
```
Amazon API Gateway
```json
{
  "Sid": "apiGatewayGetAPI",
  "Effect": "Allow",
  "Action": ["apigateway:GET"],
  "Resource": [
    "arn:aws:apigateway:*::/restapis",
    "arn:aws:apigateway:*::/restapis/*",
    "arn:aws:apigateway:*::/apis",
    "arn:aws:apigateway:*::/apis/*",
    "arn:aws:apigateway:*::/tags/*",
    "arn:aws:apigateway:*::/vpclinks",
    "arn:aws:apigateway:*::/vpclinks/*"
  ]
}
```
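As an added example (not AWS's own code or policy), the following Python check applies the two properties this section describes, that the role is assumable only by network-director.amazonaws.com and that every granted action is a read-only Describe/Get/List/Search call, to constructed policy documents that mirror the page's trust statement and a few of its permission statements. In practice you would pass in the documents returned by IAM's GetRole (AssumeRolePolicyDocument) and GetPolicyVersion; the `unexpected_principals`, `non_read_only_actions` and `wildcard_resource_sids` helpers are mine, not part of any AWS SDK.

```python
# Constructed inputs: a trust policy with the shape the page describes (the role
# trusts only network-director.amazonaws.com) and three statements excerpted from
# the page's permissions listing. Neither is copied from an AWS-published policy.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "network-director.amazonaws.com"}}],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ResourceLevelPermissionNotSupported", "Effect": "Allow",
         "Action": ["cloudwatch:GetMetricData", "ec2:DescribeVpcs", "wafv2:ListWebACLs"],
         "Resource": "*"},
        {"Sid": "wafv2", "Effect": "Allow",
         "Action": ["wafv2:GetWebACL", "wafv2:ListResourcesForWebACL"],
         "Resource": ["arn:aws:wafv2:*:*:regional/webacl/*/*"]},
        {"Sid": "apiGatewayGetAPI", "Effect": "Allow", "Action": ["apigateway:GET"],
         "Resource": ["arn:aws:apigateway:*::/restapis", "arn:aws:apigateway:*::/restapis/*"]},
    ],
}

EXPECTED_SERVICE = "network-director.amazonaws.com"
READ_ONLY_PREFIXES = ("describe", "get", "list", "search")


def _as_list(value):
    """IAM allows either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def unexpected_principals(trust_policy, expected=EXPECTED_SERVICE):
    """Principals allowed to assume the role other than the expected service."""
    found = []
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict):          # "*" or a bare string is never expected
            found.append(str(principal))
        else:
            for kind, values in principal.items():   # e.g. "AWS": an account or role ARN
                found += [v for v in _as_list(values) if kind != "Service" or v != expected]
    return found


def non_read_only_actions(policy):
    """Actions whose API verb is not Describe/Get/List/Search; the check is
    case-insensitive so apigateway:GET (an HTTP-method action) counts as read-only."""
    return [a for st in policy["Statement"] for a in _as_list(st["Action"])
            if not a.split(":", 1)[1].lower().startswith(READ_ONLY_PREFIXES)]


def wildcard_resource_sids(policy):
    """Sids of statements granted on Resource "*" (the page's not-downscopable set)."""
    return [st["Sid"] for st in policy["Statement"] if "*" in _as_list(st["Resource"])]
```

Run the three functions against the live documents before and after an update to the managed policy: any non-empty result from the first two, or a new Sid in the third, is the change worth reviewing.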
Creating a service-linked role for AWS Shield network security director
You don't need to manually create a service-linked role. When you run your first network analysis, AWS Shield network security director creates the service-linked role for you.
If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you enable AWS Shield network security director logging, AWS Shield network security director creates the service-linked role for you again.
Editing a service-linked role for AWS Shield network security director
AWS Shield network security director doesn't allow you to edit the NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.
Deleting a service-linked role for AWS Shield network security director
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.
This protects your AWS Shield network security director resources because you can't inadvertently remove permission to access the resources.
Note
If the AWS Shield network security director service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.
To manually delete the service-linked role using IAM
Use the IAM console, the IAM CLI, or the IAM API to delete the NetworkSecurityDirectorServiceLinkedRolePolicy service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.
Supported Regions for AWS Shield network security director service-linked roles
Note
AWS Shield network security director is in public preview release and is subject to change.
AWS Shield network security director supports using service-linked roles in the following Regions, and it can only retrieve data about your resources in these Regions.
Region Name | Region |
---|---|
US East (N. Virginia) | us-east-1 |
Europe (Stockholm) | eu-north-1 |