Trying to find the ARN pattern for AWS WAF regional

I'm playing around with writing IAM policies for an AWS WAF regional resource. I've created a rule for which I'm trying to see if I can write an IAM policy. That's where I realized that IAM policies require ARNs and not just resource Ids.

I used the GetRule API to see if that returns the ARN of the rule and it doesn't. It only returns the ID. I checked the AWS docs now:

1. https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
2. https://docs.aws.amazon.com/waf/latest/developerguide/waf-api-permissions-ref.html

The ARN pattern is a little confusing, the first document points out the pattern to be arn:aws:waf-regional::account-id:resource-type/resource-id, but the example below has a specific region in there.

Same happens with the second document for writing IAM policies, WAF regional does seem to have a region in the ARN. Now where can I get the ARN for this resource? And which document should I be referring as the source of truth?

Thanks!

You can click on the handy 📑 Copy ARN button next to the Region dropdown filter on the AWS Console Web ACLs page to get the ARN for an existing AWS WAF.

AWS WAFv2 WebACL ARN Scheme is as follow:

Regional WAF WebACL

arn:aws:wafv2:<wafv2_region>:<aws_account_id>:regional/webacl/<web_acl_name>/<web_acl_id>

Global (Cloudfront) WAF WebACL

arn:aws:wafv2:us-east-1:<aws_account_id>:global/webacl/<web_acl_name>/<web_acl_id>

The aws_account_id can be seen by clicking on the top-right of AWS Profile information. You can go to the AWS WAF WebACL console to get the wafv2_region, web_acl_name and web_acl_id,

Example:

The region of the WAF WebACL above is Singapore region (ap-southeast-1), so that the WAF WebACL ARN is

arn:aws:wafv2:ap-southeast-1:123456789981:regional/webacl/managed-rule-example/cffdb73a-0b9b-430a-bf05-763d903106e8