UnauthorizedOperation in WAFv2 WebACL listing panel using a user with AWSWAFFullAccess

0

I was trying to create a user with specific permissions to access and modify their own WAF ACL, and I ran into issues: I started to see UnauthorizedOperation without any kind of information (not even whether some permission was faulty) in the Web ACLs panel, even with full listing and read capabilities, or in any panel other than the initial one.

I changed the user to use AWSWAFFullAccess and tried several times, using another web browser and logging in again to avoid any kind of session cache, but it seems that I still don't have access to the WAF panels.

With another account, with the AdministratorAccess policy, I have full access.

I looked for information in the official AWS documentation but found nothing related to any kind of hard-blocking of these panels.

Asked 2 years ago · 216 views
1 Answer
1
Accepted Answer

You will need to add the AWSWAFConsoleFullAccess policy to the users' permissions.

AWSWAFFullAccess only grants access to resources. Here is documentation on using identity-based policies (IAM policies) for AWS WAF (https://docs.aws.amazon.com/waf/latest/developerguide/access-control-identity-based.html)

AWS
Shahna
Answered 2 years ago
Support Engineer
Reviewed 2 years ago
  • Seems that the specific needed access was related to listing regions, which was a permission grouped inside EC2.

    I had to compare both policies and try/catch to find the specific permission.
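
The policy comparison described in the comment above, as an added example that is not part of the original thread. The two policy documents are constructed stand-ins, not the real contents of the AWS managed policies, and `ec2:DescribeRegions` is assumed to be the region-listing action the comment refers to.

```python
import fnmatch

# Constructed stand-ins for two IAM policy documents (NOT the real managed policies).
WORKING = {  # hypothetical policy under which the console panel loads
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["wafv2:*", "ec2:DescribeRegions"], "Resource": "*"},
        {"Effect": "Allow", "Action": "WAFV2:ListWebACLs", "Resource": "*"},
    ],
}
FAILING = {  # hypothetical policy that produces UnauthorizedOperation
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "wafv2:*", "Resource": "*"},
}


def allowed_patterns(policy):
    """Return the Action patterns of all Allow statements.

    Handles Statement and Action given as a single value or a list.
    Deny statements, NotAction, Resource and Condition are ignored, so the
    result is an upper bound on what the policy grants.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def covered(action, patterns):
    """True if some pattern matches the action (case-insensitive, * and ? wildcards)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(working, failing):
    """Actions allowed by `working` that no Allow pattern in `failing` covers."""
    granted = allowed_patterns(failing)
    return sorted(a for a in allowed_patterns(working) if not covered(a, granted))


if __name__ == "__main__":
    for action in missing_actions(WORKING, FAILING):
        print("only in working policy:", action)
```

The real documents can be exported with `aws iam get-policy-version` and loaded with `json.load` in place of the constructed dictionaries.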
