diff --git a/aws-lb-controller-iam.tf b/aws-lb-controller-iam.tf
index 84cdcf7..8435145 100644
--- a/aws-lb-controller-iam.tf
+++ b/aws-lb-controller-iam.tf
@@ -55,3 +55,55 @@ resource "aws_iam_role_policy_attachment" "aws_lb_controller" {
 role = aws_iam_role.aws_lb_controller[0].name
 policy_arn = each.value
 }
+
+# IAM policy document for AWS Load Balancer Controller WAF, WAF Regional, and Shield permissions
+data "aws_iam_policy_document" "aws_lb_controller_waf" {
+ count = var.enable_aws_load_balancer_controller ? 1 : 0
+
+ statement {
+ sid = "WAFv2Permissions"
+ effect = "Allow"
+ actions = [
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL",
+ "wafv2:ListWebACLs"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "WAFRegionalPermissions"
+ effect = "Allow"
+ actions = [
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:AssociateWebACL",
+ "waf-regional:DisassociateWebACL",
+ "waf-regional:ListWebACLs"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "ShieldPermissions"
+ effect = "Allow"
+ actions = [
+ "shield:GetSubscriptionState",
+ "shield:DescribeProtection",
+ "shield:CreateProtection",
+ "shield:DeleteProtection"
+ ]
+ resources = ["*"]
+ }
+}
+
+# IAM policy for AWS Load Balancer Controller WAF permissions
+resource "aws_iam_role_policy" "aws_lb_controller_waf" {
+ count = var.enable_aws_load_balancer_controller ? 1 : 0
+
+ name = "${var.name}-aws-lb-controller-waf-policy"
+ role = aws_iam_role.aws_lb_controller[0].id
+ policy = data.aws_iam_policy_document.aws_lb_controller_waf[0].json
+}
diff --git a/tests/eks_test.tftest.hcl b/tests/eks_test.tftest.hcl
index 9bef255..0deabf9 100644
--- a/tests/eks_test.tftest.hcl
+++ b/tests/eks_test.tftest.hcl
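Review bot: All three statements in `aws_lb_controller_waf` grant mutating actions (`wafv2:AssociateWebACL`/`DisassociateWebACL`, `waf-regional:AssociateWebACL`/`DisassociateWebACL`, `shield:CreateProtection`/`DeleteProtection`) on `resources = ["*"]`, which lets the controller role attach or detach any web ACL and create or delete Shield protections on any resource in the account, and nothing in the hunk records why the wildcard is needed. As far as I know the upstream controller's reference policy also uses `*` for these actions, so this is probably intentional, but the reason should be on the resource so the next reader does not "fix" it or widen it further: a comment above the data source such as `# resources = ["*"] on the mutating WAF/Shield actions matches the upstream controller policy; these APIs are invoked by the controller against ALBs it manages, so review any change here as an account-wide grant.` would do. A minor style point: the existing attachments above use a managed policy plus `aws_iam_role_policy_attachment`, while this hunk adds an inline `aws_iam_role_policy`; inline policies are harder to list and audit alongside the others, so consider `aws_iam_policy` + `aws_iam_role_policy_attachment` for consistency if the rest of the file follows that pattern.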
@@ -231,6 +231,11 @@ run "eks_aws_lb_controller_iam" {
 condition = length(aws_iam_role_policy_attachment.aws_lb_controller) == 2
 error_message = "Two policy attachments should be created (ELB and EC2)"
 }
+
+ assert {
+ condition = length(aws_iam_role_policy.aws_lb_controller_waf) == 1
+ error_message = "AWS Load Balancer Controller WAF policy should be created when enabled"
+ }
 }
 
 run "eks_external_dns_iam" {
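Review bot: The new assert only checks that one `aws_iam_role_policy.aws_lb_controller_waf` exists, so a regression that points the policy at the wrong role or drops the WAF statements from the document would still pass. Pin the binding too, e.g. `condition = aws_iam_role_policy.aws_lb_controller_waf[0].role == aws_iam_role.aws_lb_controller[0].id` with a matching `error_message`, and, if the module's required Terraform version has `strcontains`, a second assert such as `condition = strcontains(aws_iam_role_policy.aws_lb_controller_waf[0].policy, "wafv2:AssociateWebACL")`. There is no visible assertion that the count is 0 when `enable_aws_load_balancer_controller` is false; if a disabled-case run exists elsewhere in this file it should gain the same check. The `run "eks_aws_lb_controller_iam"` block starts before this hunk.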