wafv2:AssociateWebACL

Write

wafv2:AssociateWebACL is a Write access-level action in the wafv2 service. Grants permission to associate a WebACL with a resource

Resource types

ARNs that wafv2:AssociateWebACL can be scoped to in an IAM policy.

arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/webacl/${Name}/${Id}
webacl
arn:${Partition}:bedrock-agentcore:${Region}:${Account}:gateway/${GatewayId}
agentcore-gateway
arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}
amplify-app
arn:${Partition}:apigateway:${Region}::/restapis/${ApiId}/stages/${StageName}
apigateway
arn:${Partition}:apprunner:${Region}:${Account}:service/${ServiceName}/${ServiceId}
apprunner
arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}
appsync
arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/app/${LoadBalancerName}/${LoadBalancerId}
loadbalancer/app/
arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId}
userpool
arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}
verified-access-instance

Condition keys

Keys you can use in the Condition block of a policy that grants wafv2:AssociateWebACL.

aws:ResourceTag/${TagKey} String

Filters access by tag-value associated with the resource

Dependent actions

To use wafv2:AssociateWebACL you may also need to grant:

Example IAM policy

A minimal policy that allows wafv2:AssociateWebACL. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWafv2AssociateWebACL",
      "Effect": "Allow",
      "Action": "wafv2:AssociateWebACL",
      "Resource": "*"
    }
  ]
}

Related actions in wafv2

View all wafv2 actions →