Updated on 2024-07-05 GMT+08:00

Web Application Firewall (WAF)

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by Web Application Firewall (WAF), see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys for Web Application Firewall (WAF), see Condition.

The following table lists the actions that you can define in SCP statements for WAF.

Table 1 Actions supported by WAF

| Action | Description | Access Level | Resource Type (*: Required) | Condition Key |
| --- | --- | --- | --- | --- |
| waf:host:list | Grants the permission to query the protected domain name list. | list | host * | - |
| | | | - | g:EnterpriseProjectId |
| waf:host:create | Grants the permission to create a protected domain name. | write | host * | - |
| | | | policy | - |
| | | | certificate | - |
| | | | - | g:EnterpriseProjectId |
| waf:host:get | Grants the permission to query a specific protected domain name. | read | host * | g:EnterpriseProjectId |
| waf:host:put | Grants the permission to update a specific protected domain name. | write | host * | g:EnterpriseProjectId |
| | | | certificate | - |
| waf:host:delete | Grants the permission to delete a specific protected domain name. | write | host * | g:EnterpriseProjectId |
| waf:sourceIp:get | Grants the permission to query back-to-source IP addresses. | read | - | - |
| waf:policy:list | Grants the permission to query the protection policy list. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:policy:create | Grants the permission to create protection policies. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:policy:get | Grants the permission to query a protection policy. | read | policy * | g:EnterpriseProjectId |
| waf:policy:put | Grants the permission to update protection policies. | write | policy * | g:EnterpriseProjectId |
| | | | host | - |
| waf:policy:delete | Grants the permission to delete protection policies. | write | policy * | g:EnterpriseProjectId |
| waf:ccRule:list | Grants the permission to query the CC attack protection rule list. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:ccRule:create | Grants the permission to create a CC attack protection rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:ccRule:get | Grants the permission to query a CC attack protection rule. | read | policy * | g:EnterpriseProjectId |
| waf:ccRule:put | Grants the permission to upgrade a CC attack protection rule. | write | policy * | g:EnterpriseProjectId |
| waf:ccRule:delete | Grants the permission to delete a CC attack protection rule. | write | policy * | g:EnterpriseProjectId |
| waf:preciseProtectionRule:list | Grants the permission to query the list of precise protection rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:preciseProtectionRule:create | Grants the permission to create a precise protection rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:preciseProtectionRule:get | Grants the permission to query a precise protection rule. | read | policy * | g:EnterpriseProjectId |
| waf:preciseProtectionRule:put | Grants the permission to update a precise protection rule. | write | policy * | g:EnterpriseProjectId |
| waf:preciseProtectionRule:delete | Grants the permission to delete a precise protection rule. | write | policy * | g:EnterpriseProjectId |
| waf:whiteBlackIpRule:list | Grants the permission to query the list of blacklist and whitelist rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:whiteBlackIpRule:create | Grants the permission to create an IP address blacklist or whitelist. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:whiteBlackIpRule:get | Grants the permission to query a blacklist or whitelist rule. | read | policy * | g:EnterpriseProjectId |
| waf:whiteBlackIpRule:put | Grants the permission to update a blacklist or whitelist rule. | write | policy * | g:EnterpriseProjectId |
| waf:whiteBlackIpRule:delete | Grants the permission to delete a blacklist or whitelist rule. | write | policy * | g:EnterpriseProjectId |
| waf:privacyRule:list | Grants the permission to query the list of data masking rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:privacyRule:create | Grants the permission to create a data masking rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:privacyRule:get | Grants the permission to query a data masking rule. | read | policy * | g:EnterpriseProjectId |
| waf:privacyRule:put | Grants the permission to update a data masking rule. | write | policy * | g:EnterpriseProjectId |
| waf:privacyRule:delete | Grants the permission to delete a data masking rule. | write | policy * | g:EnterpriseProjectId |
| waf:falseAlarmMaskRule:list | Grants the permission to query the list of false alarm masking rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:falseAlarmMaskRule:create | Grants the permission to create a false alarm masking rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:falseAlarmMaskRule:get | Grants the permission to query a false alarm masking rule. | read | policy * | g:EnterpriseProjectId |
| waf:falseAlarmMaskRule:put | Grants the permission to update a false alarm masking rule. | write | policy * | g:EnterpriseProjectId |
| waf:falseAlarmMaskRule:delete | Grants the permission to delete a false alarm masking rule. | write | policy * | g:EnterpriseProjectId |
| waf:geoIpRule:list | Grants the permission to query the list of geolocation access control rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:geoIpRule:create | Grants the permission to create a geolocation access control rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:geoIpRule:get | Grants the permission to query a geolocation access control rule. | read | policy * | g:EnterpriseProjectId |
| waf:geoIpRule:put | Grants the permission to update a geolocation access control rule. | write | policy * | g:EnterpriseProjectId |
| waf:geoIpRule:delete | Grants the permission to delete a geolocation access control rule. | write | policy * | g:EnterpriseProjectId |
| waf:antiTamperRule:list | Grants the permission to query the list of web tamper protection rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:antiTamperRule:create | Grants the permission to create a web tamper protection rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:antiTamperRule:get | Grants the permission to query a web tamper protection rule. | read | policy * | g:EnterpriseProjectId |
| waf:antiTamperRule:put | Grants the permission to update a web tamper protection rule. | write | policy * | g:EnterpriseProjectId |
| waf:antiTamperRule:delete | Grants the permission to delete a web tamper protection rule. | write | policy * | g:EnterpriseProjectId |
| waf:antiLeakageRule:list | Grants the permission to query the list of information leakage prevention rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:antiLeakageRule:create | Grants the permission to create an information leakage prevention rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:antiLeakageRule:get | Grants the permission to query an information leakage prevention rule. | read | policy * | g:EnterpriseProjectId |
| waf:antiLeakageRule:put | Grants the permission to update an information leakage prevention rule. | write | policy * | g:EnterpriseProjectId |
| waf:antiLeakageRule:delete | Grants the permission to delete an information leakage prevention rule. | write | policy * | g:EnterpriseProjectId |
| waf:anticrawlerRule:list | Grants the permission to query the list of anti-crawler rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:anticrawlerRule:create | Grants the permission to create an anti-crawler rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:anticrawlerRule:get | Grants the permission to query an anti-crawler rule. | read | policy * | g:EnterpriseProjectId |
| waf:anticrawlerRule:put | Grants the permission to update an anti-crawler rule. | write | policy * | g:EnterpriseProjectId |
| waf:anticrawlerRule:delete | Grants the permission to delete an anti-crawler rule. | write | policy * | g:EnterpriseProjectId |
| waf:punishmentRule:list | Grants the permission to query the list of known attack source rules. | list | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:punishmentRule:create | Grants the permission to create a known attack source rule. | write | policy * | - |
| | | | - | g:EnterpriseProjectId |
| waf:punishmentRule:get | Grants the permission to query a known attack source rule. | read | policy * | g:EnterpriseProjectId |
| waf:punishmentRule:put | Grants the permission to update a known attack source rule. | write | policy * | g:EnterpriseProjectId |
| waf:punishmentRule:delete | Grants the permission to delete a known attack source rule. | write | policy * | g:EnterpriseProjectId |
| waf:valueList:list | Grants the permission to query the list of reference tables. | list | - | g:EnterpriseProjectId |
| waf:valueList:create | Grants the permission to create a reference table. | write | - | g:EnterpriseProjectId |
| waf:valueList:get | Grants the permission to query a reference table. | read | - | g:EnterpriseProjectId |
| waf:valueList:put | Grants the permission to update a reference table. | write | - | g:EnterpriseProjectId |
| waf:valueList:delete | Grants the permission to delete a reference table. | write | - | g:EnterpriseProjectId |
| waf:ipgroup:list | Grants permission to query IP address groups. | list | - | g:EnterpriseProjectId |
| waf:ipgroup:create | Grants permission to create an IP address group. | write | - | g:EnterpriseProjectId |
| waf:ipgroup:get | Grants the permission to query an IP address group. | read | - | g:EnterpriseProjectId |
| waf:ipgroup:put | Grants permission to modify an IP address group. | write | - | g:EnterpriseProjectId |
| waf:ipgroup:delete | Grants permission to delete an IP address group. | write | - | g:EnterpriseProjectId |
| waf:certificate:list | Grants the permission to query the certificate list. | list | certificate * | - |
| | | | - | g:EnterpriseProjectId |
| waf:certificate:create | Grants permission to add a certificate. | write | certificate * | - |
| | | | - | g:EnterpriseProjectId |
| waf:certificate:get | Grants the permission to query a certificate. | read | certificate * | g:EnterpriseProjectId |
| waf:certificate:put | Grants the permission to modify a certificate in WAF. | write | certificate * | g:EnterpriseProjectId |
| waf:certificate:delete | Delete a certificate. | write | certificate * | g:EnterpriseProjectId |
| waf:certificate:apply | Grants the permission to apply a certificate to a domain name. | write | certificate * | g:EnterpriseProjectId |
| | | | host * | - |
| waf:premiumInstance:list | Grants the permission to query the dedicated engine instance list. | list | premiumInstance * | - |
| | | | - | g:EnterpriseProjectId |
| waf:premiumInstance:create | Grants the permission to create a dedicated engine instance. | write | premiumInstance * | - |
| | | | - | g:EnterpriseProjectId, g:RequestTag/<tag-key>, g:TagKeys |
| waf:premiumInstance:get | Grants the permission to query a dedicated engine instance. | read | premiumInstance * | g:ResourceTag/<tag-key>, g:EnterpriseProjectId |
| waf:premiumInstance:put | Grants the permission to update a dedicated engine instance. | write | premiumInstance * | g:ResourceTag/<tag-key>, g:EnterpriseProjectId |
| waf:premiumInstance:delete | Grants the permission to delete a dedicated engine instance. | write | premiumInstance * | g:ResourceTag/<tag-key>, g:EnterpriseProjectId |
| waf:event:get | Grants the permission to query protection events. | read | - | g:EnterpriseProjectId |
| waf:ltsConfig:get | Grants the permission to query the configuration of the interconnection with LTS. | list | - | g:EnterpriseProjectId |
| waf:ltsConfig:put | Grants the permission to update the configuration of the interconnection with LTS. | write | - | g:EnterpriseProjectId |
| waf:postpaid:create | Grants the permission to enable the pay-per-use billing mode. | write | - | g:EnterpriseProjectId |
| waf:postpaid:delete | Grants the permission to disable pay-per-use billing. | write | - | g:EnterpriseProjectId |
| waf:prepaid:create | Grants the permission to create a yearly/monthly order. | write | - | g:EnterpriseProjectId, g:RequestTag/<tag-key>, g:TagKeys |
| waf:subscription:get | Grants the permission to query subscriptions to the cloud mode. | read | - | - |
| waf:alert:get | Grants the permission to query alarm notification configurations. | list | - | - |
| waf:alert:put | Grants the permission to update alarm notification configurations. | write | - | - |
| waf:consoleConfig:get | Grants the permission to query the console configurations. | read | - | - |

A WAF API usually has one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by WAF APIs

| API | Action | Dependencies |
| --- | --- | --- |
| POST /v1/{project_id}/waf/instance | waf:host:create | - |
| DELETE /v1/{project_id}/waf/instance/{instance_id} | waf:host:delete | - |
| GET /v1/{project_id}/waf/instance | waf:host:list | - |
| GET /v1/{project_id}/waf/instance/{instance_id}/route | waf:host:get | - |
| GET /v1/{project_id}/waf/instance/{instance_id} | waf:host:get | - |
| PATCH /v1/{project_id}/waf/instance/{instance_id} | waf:host:put | - |
| PUT /v1/{project_id}/waf/instance/{instance_id}/protect-status | waf:host:put | - |
| POST /v1/{project_id}/premium-waf/host | waf:host:create | - |
| DELETE /v1/{project_id}/premium-waf/host/{host_id} | waf:host:delete | - |
| GET /v1/{project_id}/premium-waf/host | waf:host:list | - |
| GET /v1/{project_id}/premium-waf/host/{host_id} | waf:host:get | - |
| PUT /v1/{project_id}/premium-waf/host/{host_id} | waf:host:put | - |
| PUT /v1/{project_id}/premium-waf/host/{host_id}/protect-status | waf:host:put | - |
| POST /v1/{project_id}/waf/policy | waf:policy:create | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id} | waf:policy:delete | - |
| GET /v1/{project_id}/waf/policy | waf:policy:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id} | waf:policy:get | - |
| PATCH /v1/{project_id}/waf/policy/{policy_id} | waf:policy:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id} | waf:policy:put | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/cc | waf:ccRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/custom | waf:preciseProtectionRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/antitamper | waf:antiTamperRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/antitamper/{rule_id}/refresh | waf:antiTamperRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/antileakage | waf:antiLeakageRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/anticrawler | waf:anticrawlerRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/punishment | waf:punishmentRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/geoip | waf:geoIpRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/ignore | waf:falseAlarmMaskRule:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/privacy | waf:privacyRule:create | - |
| POST /v1/{project_id}/waf/valuelist | waf:valueList:create | - |
| POST /v1/{project_id}/waf/policy/{policy_id}/whiteblackip | waf:whiteBlackIpRule:create | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/antitamper/{rule_id} | waf:antiTamperRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/antileakage/{rule_id} | waf:antiLeakageRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/anticrawler/{rule_id} | waf:anticrawlerRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/punishment/{rule_id} | waf:punishmentRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/geoip/{rule_id} | waf:geoIpRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:delete | - |
| DELETE /v1/{project_id}/waf/valuelist/{valuelistid} | waf:valueList:delete | - |
| DELETE /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:delete | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/custom | waf:preciseProtectionRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/cc | waf:ccRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/antitamper | waf:antiTamperRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/antileakage | waf:antiLeakageRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/anticrawler | waf:anticrawlerRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/punishment | waf:punishmentRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/geoip | waf:geoIpRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/ignore | waf:falseAlarmMaskRule:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/privacy | waf:privacyRule:list | - |
| GET /v1/{project_id}/waf/valuelist | waf:valueList:list | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/whiteblackip | waf:whiteBlackIpRule:list | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/geoip/{rule_id} | waf:geoIpRule:put | - |
| - | waf:antiTamperRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/antileakage/{rule_id} | waf:antiLeakageRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/anticrawler/{rule_id} | waf:anticrawlerRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/anticrawler | waf:anticrawlerRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/punishment/{rule_id} | waf:punishmentRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/{ruletype}/{rule_id}/status | waf:whiteBlackIpRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:put | - |
| PUT /v1/{project_id}/waf/valuelist/{valuelistid} | waf:valueList:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:put | - |
| PUT /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:put | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id} | waf:ccRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/custom/{rule_id} | waf:preciseProtectionRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/whiteblackip/{rule_id} | waf:whiteBlackIpRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/privacy/{rule_id} | waf:privacyRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/ignore/{rule_id} | waf:falseAlarmMaskRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/geoip/{rule_id} | waf:geoIpRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/antitamper/{rule_id} | waf:antiTamperRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/antileakage/{rule_id} | waf:antiLeakageRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/anticrawler/{rule_id} | waf:anticrawlerRule:get | - |
| GET /v1/{project_id}/waf/policy/{policy_id}/punishment/{rule_id} | waf:punishmentRule:get | - |
| GET /v1/{project_id}/waf/valuelist/{valuelistid} | waf:valueList:get | - |
| POST /v1/{project_id}/waf/ip-groups | waf:ipgroup:create | - |
| DELETE /v1/{project_id}/waf/ip-group/{id} | waf:ipgroup:delete | - |
| GET /v1/{project_id}/waf/ip-groups | waf:ipgroup:list | - |
| GET /v1/{project_id}/waf/ip-group/{id} | waf:ipgroup:get | - |
| PUT /v1/{project_id}/waf/ip-group/{id} | waf:ipgroup:put | - |
| POST /v1/{project_id}/waf/certificate/{certificate_id}/apply-to-hosts | waf:certificate:apply | - |
| POST /v1/{project_id}/waf/certificate | waf:certificate:create | - |
| DELETE /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:delete | - |
| GET /v1/{project_id}/waf/certificate | waf:certificate:list | - |
| GET /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:get | - |
| PUT /v1/{project_id}/waf/certificate/{certificate_id} | waf:certificate:put | - |
| GET /v1/{project_id}/waf/event | waf:event:get | - |
| GET /v1/{project_id}/waf/event/{eventid} | waf:event:get | - |
| GET /v1/{project_id}/waf/overviews/bandwidth/timeline | waf:event:get | - |
| GET /v1/{project_id}/waf/overviews/classification | waf:event:get | - |
| GET /v1/{project_id}/waf/overviews/qps/timeline | waf:event:get | - |
| GET /v1/{project_id}/waf/overviews/request/timeline | waf:event:get | - |
| GET /v1/{project_id}/waf/overviews/statistics | waf:event:get | - |
| GET /v1/{project_id}/waf/overviews/abnormal | waf:event:get | - |
| GET /v1/{project_id}/waf/config/console | waf:consoleConfig:get | - |
| POST /v1/{project_id}/premium-waf/instance | waf:premiumInstance:create | - |
| DELETE /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:delete | - |
| GET /v1/{project_id}/premium-waf/instance | waf:premiumInstance:list | - |
| PUT /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:put | - |
| GET /v1/{project_id}/premium-waf/instance/{instance_id} | waf:premiumInstance:get | - |
| GET /v1/{project_id}/waf/config/lts | waf:ltsConfig:get | - |
| PUT /v1/{project_id}/waf/config/lts/{ltsconfig_id} | waf:ltsConfig:put | - |
| POST /v1/{project_id}/waf/subscription/batchalter/prepaid-cloud-waf | waf:prepaid:create | - |
| POST /v1/{project_id}/waf/subscription/purchase/prepaid-cloud-waf | waf:prepaid:create | - |
| GET /v1/{project_id}/waf/subscription | waf:subscription:get | - |
| POST /v1/{project_id}/waf/postpaid | waf:postpaid:create | - |
| DELETE /v1/{project_id}/waf/postpaid | waf:postpaid:delete | - |
| GET /v2/{project_id}/waf/alerts | waf:alert:get | - |
| PUT /v2/{project_id}/waf/alert/{alert_id} | waf:alert:put | - |
| GET /v1/{project_id}/waf/config/source-ip | waf:sourceIp:get | - |
| POST /v1/{project_id}/composite-waf/hosts/migration | waf:host:create | - |
| GET /v1/{project_id}/composite-waf/host | waf:host:list | - |
| GET /v1/{project_id}/composite-waf/host/{host_id} | waf:host:get | - |

Resources

A resource type indicates the resources that an SCP policy applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to define resource types.

WAF defines the following resource types that can be used in the Resource element of a custom SCP.

Table 3 Resource types supported by WAF

| Resource Type | URN |
| --- | --- |
| policy | waf:<region>:<account-id>:policy:<policy-id> |
| host | waf:<region>:<account-id>:host:<host-id> |
| premiumInstance | waf:<region>:<account-id>:premiumInstance:<instance-id> |
| certificate | waf:<region>:<account-id>:certificate:<certificate-id> |

Condition

WAF does not support service-level condition keys in an SCP. WAF can use global condition keys applicable to all services. For details, see Global Condition Keys.
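The rules above for actions, resource types, and condition keys can be checked mechanically before an SCP is attached. The following linter is an added example, not code from the WAF or Organizations documentation; it embeds a few rows of Table 1 and the URN layout of Table 3. The statement element names (Statement, Effect, Action), the condition operators, and "*" wildcards inside URN segments are assumptions.

```python
import re

# Subset of Table 1 on this page: action -> (resource types, condition keys).
# An empty resource set means the Resource Type column is "-" for that action.
WAF_ACTIONS = {
    "waf:host:delete": ({"host"}, {"g:EnterpriseProjectId"}),
    "waf:policy:delete": ({"policy"}, {"g:EnterpriseProjectId"}),
    "waf:premiumInstance:delete": (
        {"premiumInstance"}, {"g:ResourceTag/<tag-key>", "g:EnterpriseProjectId"}),
    "waf:ipgroup:delete": (set(), {"g:EnterpriseProjectId"}),
    "waf:alert:put": (set(), set()),
}

# URN layout from Table 3: waf:<region>:<account-id>:<resource-type>:<resource-id>.
# Assumption: a "*" wildcard is accepted in any segment except the type.
URN_RE = re.compile(r"^waf:([^:]+):([^:]+):([A-Za-z]+):([^:]+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _key_allowed(key, allowed):
    # Table entries such as g:ResourceTag/<tag-key> stand for any concrete tag key.
    for entry in allowed:
        prefix, placeholder, _ = entry.partition("<tag-key>")
        if placeholder and key.startswith(prefix) and len(key) > len(prefix):
            return True
        if key == entry:
            return True
    return False


def lint_statement(stmt):
    findings = []
    resources = _as_list(stmt.get("Resource", "*"))
    cond_keys = [k for op in stmt.get("Condition", {}).values() for k in op]
    for action in _as_list(stmt["Action"]):
        if action not in WAF_ACTIONS:
            findings.append(f"{action}: not in the embedded table subset")
            continue
        types, keys = WAF_ACTIONS[action]
        for res in resources:
            if res == "*":
                continue
            match = URN_RE.match(res)
            if not types:
                findings.append(f'{action}: no resource-level permissions, use "*"')
            elif not match:
                findings.append(f"{action}: {res} is not a WAF URN")
            elif match.group(3) not in types:
                findings.append(f"{action}: resource type {match.group(3)} not supported")
        for key in cond_keys:
            if not _key_allowed(key, keys):
                findings.append(f"{action}: condition key {key} not supported")
    return findings


def lint_scp(scp):
    return [f for stmt in scp["Statement"] for f in lint_statement(stmt)]


# Constructed sample SCP; element names and condition operators are assumptions.
SAMPLE_SCP = {"Statement": [
    {"Effect": "Deny", "Action": ["waf:host:delete", "waf:policy:delete"],
     "Resource": ["waf:*:*:host:*"]},
    {"Effect": "Deny", "Action": "waf:ipgroup:delete", "Resource": "waf:*:*:ipgroup:*"},
    {"Effect": "Deny", "Action": "waf:alert:put", "Resource": "*",
     "Condition": {"StringNotEquals": {"g:EnterpriseProjectId": ["example-id"]}}},
    {"Effect": "Deny", "Action": "waf:premiumInstance:delete",
     "Resource": "waf:*:*:premiumInstance:*",
     "Condition": {"StringEquals": {"g:ResourceTag/env": ["prod"]}}},
]}
```

Calling lint_scp(SAMPLE_SCP) returns three findings: a policy action paired with a host URN, a URN given to an action that has no resource type, and a condition key on an action whose Condition Key column is empty.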