**Introducing a new console experience for AWS WAF**
You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
# Security in your use of the AWS Shield network security director
**Note**
AWS Shield network security director is in public preview release and is subject to change.
This section describes the key security considerations for using this network security director preview.
**Data sources**
When you run an analysis, network security director retrieves information about your [AWS resources](https://aws.amazon.com/resourceexplorer/) using public AWS API endpoints. The information retrieved includes resource attributes that are available to your account through the public AWS APIs.
AWS Shield network security director also uses internal AWS data sources and threat intelligence to identify findings and recommend remediations.
**Data encryption**
Review the following encryption considerations when using network security director.
+ **Encryption at rest** – All data is protected at rest.
+ **Encryption in transit** – All data is protected in transit using Transport Layer Security (TLS) encryption. All communication is authenticated using Amazon Simple Storage Service AWS Signature Version 4 (SigV4). For information about SigV4, see [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon S3 User Guide*.
+ **Key management** – Customer-managed keys are not currently supported.
**Topics**
+ [Identity and Access Management for AWS Shield network security director](nsd-iam.md)
+ [Identity-based policy examples for AWS Shield network security director](security-nsd-with-iam-id-based-policies.md)
+ [Using service-linked roles for AWS Shield network security director](security_iam_nsd-with-iam-roles-service-linked.md)
# Identity and Access Management for AWS Shield network security director
**Note**
AWS Shield network security director is in public preview release and is subject to change.
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Shield network security director resources. IAM is an AWS service that you can use with no additional charge.
Review the guidance in this section to understand how to use supported policies and roles for AWS Shield network security director.
## How AWS Shield network security director works with IAM
This section explains how to use the features of IAM with AWS Shield network security director.
Before you use IAM to manage access to network security director, learn what IAM features are available to use with network security director.
**IAM features you can use with AWS Shield network security director**
| IAM feature | AWS Shield network security director support |
| --- | --- |
| [Identity-based policies](#iam_nsd-with-iam-id-based-policies) | Yes |
| [Service-linked roles](security_iam_nsd-with-iam-roles-service-linked.md) | Yes |
To get a high-level view of how network security director and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.
### Identity-based policies for network security director
**Supports identity-based policies:** Yes
Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.
With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.
To view examples of AWS Shield network security director identity-based policies, see [Identity-based policy examples for AWS Shield network security director](security-nsd-with-iam-id-based-policies.md).
### Service-linked roles for network security director
**Supports service-linked roles:** Yes
A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.
For details about creating or managing network security director service-linked roles, see [Using service-linked roles for AWS Shield network security director](security_iam_nsd-with-iam-roles-service-linked.md).
# Identity-based policy examples for AWS Shield network security director
**Note**
When you start using AWS Shield network security director, we automatically create a service-linked role that satisfies all the minimum permissions requirements. Creating and managing your own identity-based policies is optional.
To provide appropriate access to network security director, you can create identity-based policies that grant the necessary permissions for administrative and read-only access.
For more information about creating and managing IAM policies, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.
These permissions allow AWS Shield network security director to perform comprehensive security analysis and provide accurate network security recommendations. The example policies provided in this guide are designed for common use cases. You can use these policies as a starting point and modify them as needed to meet your specific requirements.
**Example policies in this guide**
+ [Administrative access identity-based policy](#nsd-security-admin-id-based-policy)
+ [Read-only access identity-based policy](#nsd-security-readonly-id-based-policy)
## Policy best practices
Identity-based policies determine whether someone can create, access, or delete network security director resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.
For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
## Updates to identity-based policies
As updates and features are added to network security director, you may need to update your identity-based policies to include additional permissions. Monitor this guide for information about new permissions that may be required.
Unlike AWS managed policies, customer managed policies are not automatically updated. You are responsible for maintaining and updating these policies as needed.
For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
## Administrative access identity-based policy
Create an identity-based policy with the following example to provide full administrative access to network security director operations and the ability to create the required service-linked role.
**Policy name**: NetworkSecurityDirectorAdminPolicy
**Policy description**: Allows full administrative access to AWS Shield network security director operations and also provides access to create or delete the service linked role for Network Security Director.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"network-security-director:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/network-security-director.amazonaws.com/AWSServiceRoleForNetworkSecurityDirector"
}
]
}
```
------
## Read-only access identity-based policy
Create an identity-based policy with the following policy example to provide read-only access to network security director operations.
**Policy name**: NetworkSecurityDirectorReadOnlyPolicy
**Policy description**: Allows read-only access to AWS Shield network security director.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"network-security-director:Get*",
"network-security-director:List*"
],
"Resource": "*"
}
]
}
```
------
# Using service-linked roles for AWS Shield network security director
This section explains how to use service-linked roles to give AWS Shield network security director access to resources in your AWS account.
AWS Shield network security director uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS Shield network security director. Service-linked roles are predefined by AWS Shield network security director and include all the permissions that the service requires to call other AWS services on your behalf.
A service-linked role makes setting up AWS Shield network security director easier because you don’t have to manually add the necessary permissions. AWS Shield network security director defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Shield network security director can assume its roles. The defined permissions include the trust policy and the permissions policy. That permissions policy can't be attached to any other IAM entity.
See the full service-linked role in the IAM console: [NetworkSecurityDirectorServiceLinkedRolePolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/NetworkSecurityDirectorServiceLinkedRolePolicy).
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.
## Service-linked role permissions for AWS Shield network security director
The `NetworkSecurityDirectorServiceLinkedRolePolicy` service-linked role trusts the following services to assume the role:
+ `network-director.amazonaws.com`
The `NetworkSecurityDirectorServiceLinkedRolePolicy` grants AWS Shield network security director permissions to access and analyze various AWS resources and services on your behalf. This includes:
+ Retrieving network configuration and security settings from Amazon EC2 resources
+ Accessing CloudWatch metrics to analyze network traffic patterns
+ Gathering information about load balancers and target groups
+ Collecting AWS WAF configurations and rules
+ Accessing AWS Direct Connect gateway information
+ And more, as detailed in the permissions list below
The following listing is for permissions that don't support downscoping to specific resources. The rest are downscoped for the indicated service resources.
```
{
"Sid": "ResourceLevelPermissionNotSupported",
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeCustomerGateways",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePrefixLists",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTransitGateways",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:GetManagedPrefixListEntries",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeLoadBalancencerAttributes",
"wafv2:ListWebACLs",
"cloudfront:ListDistributions",
"cloudfront:ListTagsForResource",
"directconnect:DescribeDirectConnectGateways",
"directconnect:DescribeVirtualInterfaces"
],
"Resource": "*"
}
```
**`NetworkSecurityDirectorServiceLinkedRolePolicy` service-linked role permissions**
The following list covers all permissions enabled by the `NetworkSecurityDirectorServiceLinkedRolePolicy` service-linked role.
Amazon CloudFront
```
{
"Sid": "cloudfront",
"Effect": "Allow",
"Action": [
"cloudfront:GetDistribution"
],
"Resource": "arn:aws:cloudfront::*:distribution/*"
}
```
AWS WAF
```
{
"Sid": "wafv2",
"Effect": "Allow",
"Action": [
"wafv2:ListResourcesForWebACL",
"wafv2:ListRuleGroups",
"wafv2:ListAvailableManagedRuleGroups",
"wafv2:GetRuleGroup",
"wafv2:DescribeManagedRuleGroup",
"wafv2:GetWebACL"
],
"Resource": [
"arn:aws:wafv2:*:*:global/rulegroup/*",
"arn:aws:wafv2:*:*:regional/rulegroup/*",
"arn:aws:wafv2:*:*:global/managedruleset/*",
"arn:aws:wafv2:*:*:regional/managedruleset/*",
"arn:aws:wafv2:*:*:global/webacl/*/*",
"arn:aws:wafv2:*:*:regional/webacl/*/*",
"arn:aws:apprunner:*:*:service/*",
"arn:aws:cognito-idp:*:*:userpool/*",
"arn:aws:ec2:*:*:verified-access-instance/*"
]
}
```
AWS WAF Classic
```
{
"Sid": "classicWaf",
"Effect": "Allow",
"Action": [
"waf:ListWebACLs",
"waf:GetWebACL"
],
"Resource": [
"arn:aws:waf::*:webacl/*",
"arn:aws:waf-regional:*:*:webacl/*"
]
}
```
AWS Direct Connect
```
{
"Sid": "directconnect",
"Effect": "Allow",
"Action": [
"directconnect:DescribeConnections",
"directconnect:DescribeDirectConnectGatewayAssociations",
"directconnect:DescribeDirectConnectGatewayAttachments",
"directconnect:DescribeVirtualGateways"
],
"Resource": [
"arn:aws:directconnect::*:dx-gateway/*",
"arn:aws:directconnect:*:*:dxcon/*",
"arn:aws:directconnect:*:*:dxlag/*",
"arn:aws:directconnect:*:*:dxvif/*"
]
}
```
AWS Transit Gateway routes
```
{
"Sid": "ec2Get",
"Effect": "Allow",
"Action": [
"ec2:SearchTransitGatewayRoutes"
],
"Resource": [
"arn:aws:ec2:*:*:transit-gateway-route-table/*"
]
}
```
AWS Network Firewall
```
{
"Sid": "networkFirewall",
"Effect": "Allow",
"Action": [
"network-firewall:ListFirewalls",
"network-firewall:ListFirewallPolicies",
"network-firewall:ListRuleGroups",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeFirewallPolicy",
"network-firewall:DescribeRuleGroup"
],
"Resource": [
"arn:aws:network-firewall:*:*:*/*"
]
}
```
Amazon API Gateway
```
{
"Sid": "apiGatewayGetAPI",
"Effect": "Allow",
"Action": [
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/restapis/*",
"arn:aws:apigateway:*::/apis",
"arn:aws:apigateway:*::/apis/*",
"arn:aws:apigateway:*::/tags/*",
"arn:aws:apigateway:*::/vpclinks",
"arn:aws:apigateway:*::/vpclinks/*"
]
}
```
## Creating a service-linked role for AWS Shield network security director
You don't need to manually create a service-linked role. When you run your first network analysis, AWS Shield network security director creates the service-linked role for you.
If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you enable AWS Shield network security director logging, AWS Shield network security director creates the service-linked role for you again.
## Editing a service-linked role for AWS Shield network security director
AWS Shield network security director doesn't allow you to edit the `NetworkSecurityDirectorServiceLinkedRolePolicy` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.
## Deleting a service-linked role for AWS Shield network security director
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.
This protects your AWS Shield network security director resources because you can't inadvertently remove permission to access the resources.
**Note**
If the AWS Shield network security director service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.
**To manually delete the service-linked role using IAM**
Use the IAM console, the IAM CLI, or the IAM API to delete the `NetworkSecurityDirectorServiceLinkedRolePolicy` service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
## Supported Regions for AWS Shield network security director service-linked roles
**Note**
AWS Shield network security director is in public preview release and is subject to change.
AWS Shield network security director supports using service-linked roles in following regions and can only retrieve data about your resources in these regions.
| Region Name | Region |
| --- | --- |
| US East (N. Virginia) | us-east-1 |
| Europe (Stockholm) | eu-north-1 |
| Asia Pacific (Thailand) | ap-southeast-7 |
| Africa (Cape Town) | ap-south-1 |
| US East (Ohio) | us-east-2 |
| Asia Pacific (Malaysia) | ap-southeast-5 |
| Asia Pacific (Tokyo) | ap-northeast-1 |
| US West (Oregon) | us-west-2 |
| Europe (Spain) | eu-south-2 |
| Europe (Ireland) | eu-west-1 |
| Europe (Frankfurt) | eu-central-1 |
| Asia Pacific (Hong Kong) | ap-east-1 |
| Asia Pacific (Singapore) | ap-southeast-1 |
| Asia Pacific (Sydney) | ap-southeast-2 |