Use AWS WAF protections - Amazon CloudFront

Use AWS WAF protections

You can use AWS WAF to protect your CloudFront distributions and origin servers. AWS WAF is a web application firewall that helps secure your web applications and APIs by blocking requests before they reach your servers. For more details, see Accelerate and protect your websites using CloudFront and AWS WAF.

To enable AWS WAF protections, you can:

  • Use one-click protection in the CloudFront console. One-click protection creates an AWS WAF web access control list (web ACL), configures rules to protect your servers from common web threats, and attaches the web ACL to the CloudFront distribution for you. The topics in this section assume the use of one-click protections.

  • Use a preconfigured web ACL (access control list) that you create in the AWS WAF console, or by using the AWS WAF APIs. For more information, see Web access control lists (ACLs) in the AWS WAF Developer Guide and AssociateWebACL in the AWS WAF API Reference.

You can enable AWS WAF when you:

  • Create a distribution

  • Use the Security dashboard to edit the security settings of an existing distribution

When you use one-click protection, CloudFront applies an AWS recommended set of protections that:

  • Block IP addresses from potential threats based on Amazon internal threat intelligence.

  • Protect against the most common vulnerabilities found in web applications as described in the OWASP Top 10.

  • Defend against malicious actors discovering application vulnerabilities.


You must enable AWS WAF if you want to view security metrics in the CloudFront Security dashboard. Without AWS WAF enabled, you can only use the Security dashboard to enable AWS WAF or configure CloudFront geographic restrictions. For more information about the dashboard, see Manage AWS WAF security protections in the CloudFront security dashboard, later in this section.
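
To find distributions that still have no web ACL attached, you can audit the `WebACLId` field of each distribution. The following is an added example, not part of the AWS documentation: it classifies distributions from data in the shape returned by boto3's `list_distributions()["DistributionList"]`. The function names, category labels, and sample values are assumptions constructed for illustration.

```python
"""Added example: classify CloudFront distributions by AWS WAF coverage."""

# Constructed sample in the shape of boto3's
# cloudfront.list_distributions()["DistributionList"]; all values are made up.
SAMPLE = {
    "Items": [
        {"Id": "E1EXAMPLE00001", "DomainName": "d111.cloudfront.net", "Enabled": True,
         "WebACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/example-acl/a1b2c3d4"},
        {"Id": "E1EXAMPLE00002", "DomainName": "d222.cloudfront.net", "Enabled": True,
         "WebACLId": ""},
        {"Id": "E1EXAMPLE00003", "DomainName": "d333.cloudfront.net", "Enabled": True,
         "WebACLId": "473e64fd-f30b-4765-81a0-62ad96dd167a"},
        {"Id": "E1EXAMPLE00004", "DomainName": "d444.cloudfront.net", "Enabled": False,
         "WebACLId": ""},
    ]
}


def classify(dist):
    """Return a coverage label (hypothetical names) for one distribution summary."""
    acl = dist.get("WebACLId") or ""
    if not acl:
        # No web ACL: requests reach the origin without AWS WAF inspection.
        return "unprotected" if dist.get("Enabled") else "unprotected-disabled"
    if acl.startswith("arn:"):
        # Current AWS WAF web ACLs are referenced by ARN; CloudFront uses global scope.
        if ":wafv2:" in acl and ":global/webacl/" in acl:
            return "wafv2"
        return "unexpected-arn"
    # A bare ID (no ARN) refers to an AWS WAF Classic web ACL.
    return "waf-classic"


def audit(distribution_list):
    """Group distribution IDs by coverage label; tolerates a missing 'Items' key."""
    report = {}
    for dist in distribution_list.get("Items") or []:
        report.setdefault(classify(dist), []).append(dist["Id"])
    return report


if __name__ == "__main__":
    for label, ids in sorted(audit(SAMPLE).items()):
        print(f"{label}: {', '.join(ids)}")
```

To run it against a real account, pass the `DistributionList` from each page of `list_distributions()` to `audit()` instead of `SAMPLE`.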