Policy: AWSWAFConsoleFullAccess ARN: arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess Allowed Actions Actions Services apigateway:GET apigateway apigateway:SetWebACL apigateway apprunner:AssociateWebAcl apprunner apprunner:DescribeWebAclForService apprunner apprunner:DisassociateWebAcl apprunner apprunner:ListAssociatedServicesForWebAcl apprunner apprunner:ListServices apprunner appsync:ListGraphqlApis appsync appsync:SetWebACL appsync cloudfront:ListDistributions cloudfront cloudfront:ListDistributionsByWebACLId cloudfront cloudfront:UpdateDistribution cloudfront cloudwatch:GetMetricData cloudwatch cloudwatch:GetMetricStatistics cloudwatch cloudwatch:ListMetrics cloudwatch cognito-idp:AssociateWebACL cognito-idp cognito-idp:DisassociateWebACL cognito-idp cognito-idp:GetWebACLForResource cognito-idp cognito-idp:ListResourcesForWebACL cognito-idp cognito-idp:ListUserPools cognito-idp ec2:AssociateVerifiedAccessInstanceWebAcl ec2 ec2:DescribeRegions ec2 ec2:DescribeVerifiedAccessInstanceWebAclAssociations ec2 ec2:DescribeVerifiedAccessInstances ec2 ec2:DisassociateVerifiedAccessInstanceWebAcl ec2 ec2:GetVerifiedAccessInstanceWebAcl ec2 elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing elasticloadbalancing:SetWebACL elasticloadbalancing logs:CreateLogDelivery logs logs:DeleteLogDelivery logs logs:DescribeLogGroups logs logs:DescribeResourcePolicies logs logs:PutResourcePolicy logs s3:GetBucketPolicy s3 s3:ListAllMyBuckets s3 s3:PutBucketPolicy s3 waf:* waf waf-regional:* waf-regional wafv2:* wafv2