Associating or disassociating a web ACL with an AWS resource

You can use AWS WAF to create the following associations between web ACLS and your resources:

• Associate a regional web ACL with any of the regional resources listed below. For this option, the web ACL must be in the same region as your resource.

  • Amazon API Gateway REST API

  • Application Load Balancer

  • AWS AppSync GraphQL API

  • Amazon Cognito user pool

  • AWS App Runner service

  • AWS Verified Access instance

• Associate a global web ACL with a Amazon CloudFront distribution. The global web ACL will have a hard-coded Region of US East (N. Virginia) Region.

You can also associate a web ACL with a CloudFront distribution when you create or update the distribution itself. For information, see Using AWS WAF to Control Access to Your Content in the Amazon CloudFront Developer Guide.

Restrictions on multiple associations

You can associate a single web ACL with one or more AWS resources, according to the following restrictions:

• You can associate each AWS resource with only one web ACL. The relationship between web ACL and AWS resources is one-to-many.

• You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other AWS resource type.

Additional restrictions

The following additional restrictions apply to web ACL associations:

• You can only associate a web ACL to an Application Load Balancer within AWS Regions. For example, you cannot associate a web ACL to an Application Load Balancer that is on AWS Outposts.

• You can't associate an Amazon Cognito user pool with a web ACL that uses the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet. For information about account creation fraud prevention, see Preventing account creation fraud with AWS WAF Fraud Control account creation fraud prevention (ACFP). For information about account takeover prevention, see Preventing account takeover with AWS WAF Fraud Control account takeover prevention (ATP).

Production traffic risk

Before you deploy your web ACL for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your rules in count mode with your production traffic before enabling them. For guidance, see Testing and tuning your AWS WAF protections.