### Example of embedding the honeypot link Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/embed-the-honeypot-link-in-your-web-application-optional.md This HTML snippet demonstrates how to embed the honeypot link in your web application's content, ensuring it is hidden from human users. ```html ``` -------------------------------- ### Glue Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md IAM policy statements for granting necessary Glue permissions. ```json { "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase", "glue:GetDatabases", "glue:UpdateDatabase", "glue:CreateTable", "glue:DeleteTable", "glue:GetTable", "glue:GetTables", "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:table/*/*", "arn:aws:glue:*:*:userDefinedFunction/*" ] } ``` -------------------------------- ### Lambda Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md IAM policy statements for granting necessary Lambda permissions. ```json { "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:AddPermission", "lambda:RemovePermission" ], "Resource": "arn:aws:lambda:*:*:function:*" } ``` -------------------------------- ### S3 Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md IAM policy statements for granting necessary S3 permissions. ```json { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucketPolicy", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetObject", "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketVersioning", "s3:PutEncryptionConfiguration", "s3:PutObject", "s3:PutBucketTagging", "s3:PutLifecycleConfiguration", "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts", "s3:PutBucketLogging", "s3:GetBucketLogging" ], "Resource": "arn:aws:s3:::*" } ``` -------------------------------- ### Service Catalog App Registry Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md Permissions required for Service Catalog App Registry operations. ```json { "Effect": "Allow", "Action": [ "servicecatalog:CreateApplication", "servicecatalog:DeleteApplication", "servicecatalog:GetApplication", "servicecatalog:TagResource", "servicecatalog:CreateAttributeGroup", "servicecatalog:DeleteAttributeGroup", "servicecatalog:GetAttributeGroup", "servicecatalog:AssociateAttributeGroup", "servicecatalog:DisassociateAttributeGroup", "servicecatalog:AssociateResource", "servicecatalog:DisassociateResource" ], "Resource": "arn:aws:servicecatalog:*:*:*" } ``` -------------------------------- ### WAF Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md IAM policy statements for granting necessary WAF permissions. ```json { "Effect": "Allow", "Action": [ "wafv2:CreateWebACL", "wafv2:UpdateWebACL", "wafv2:DeleteWebACL", "wafv2:GetWebACL", "wafv2:ListWebACLs", "wafv2:CreateIPSet", "wafv2:UpdateIPSet", "wafv2:DeleteIPSet", "wafv2:GetIPSet", "wafv2:AssociateWebACL", "wafv2:DisassociateWebACL", "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration", "wafv2:ListWebACLs", "wafv2:ListIPSets", "wafv2:ListTagsForResource" ], "Resource": [ "arn:aws:wafv2:*:*:regional/webacl/*", "arn:aws:wafv2:*:*:regional/ipset/*", "arn:aws:wafv2:*:*:global/webacl/*", "arn:aws:wafv2:*:*:global/ipset/*" ] } ``` -------------------------------- ### Firehose Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md IAM policy statements for granting necessary Firehose permissions. ```json { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:StartDeliveryStreamEncryption", "firehose:StopDeliveryStreamEncryption", "firehose:UpdateDestination" ], "Resource": "arn:aws:firehose:*:*:deliverystream/*" } ``` -------------------------------- ### Athena Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md IAM policy statements for granting necessary Athena permissions. ```json { "Effect": "Allow", "Action": [ "athena:CreateWorkGroup", "athena:DeleteWorkGroup", "athena:GetWorkGroup", "athena:UpdateWorkGroup", "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StopQueryExecution" ], "Resource": "arn:aws:athena:*:*:workgroup/WAF*" } ``` -------------------------------- ### DynamoDB Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md Permissions required for DynamoDB operations. ```json { "Effect": "Allow", "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:DescribeTable", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Resource": "arn:aws:dynamodb:*:*:table/*" } ``` -------------------------------- ### CloudWatch Logs Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md IAM policy statements for granting necessary CloudWatch Logs permissions. ```json { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DeleteLogGroup", "logs:DeleteLogStream", "logs:PutRetentionPolicy", "logs:DescribeLogGroups" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/lambda/*", "arn:aws:logs:*:*:log-group:*", "arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/*" ] } ``` -------------------------------- ### X-Ray Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md Permissions required for X-Ray operations. ```json { "Effect": "Allow", "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords" ], "Resource": "*" } ``` -------------------------------- ### IAM Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md Permissions required for IAM operations. ```json { "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:ListRoles", "iam:PassRole", "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::*:role/*" } ``` -------------------------------- ### CloudFormation Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md Permissions required for CloudFormation operations. ```json { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:UpdateStack", "cloudformation:ListStacks" ], "Resource": "arn:aws:cloudformation:*:*:stack/*/*" } ``` -------------------------------- ### CloudWatch Permissions Source: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/deployment-considerations.md Permissions required for CloudWatch operations. ```json { "Effect": "Allow", "Action": [ "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:PutMetricData" ], "Resource": "*" } ```