# Disable Amazon WAF security protections
<a name="disable-waf"></a>

If your distribution doesn't need Amazon WAF security protections, you can disable this feature by using the CloudFront console. 

If you previously enabled Amazon WAF protection and didn't choose an existing WAF configuration (also known as one-click protection), CloudFront automatically created a web ACL for you. For web ACLs created this way, the CloudFront console will disassociate the resource and delete the web ACL. 

Disassociating a web ACL is different from deleting it. Disassociating removes the web ACL from your distribution, but it's not deleted from your Amazon Web Services account. For more information, see [Associating or disassociating a web ACL with an Amazon resource](https://docs.amazonaws.cn/waf/latest/developerguide/web-acl-associating-aws-resource.html) in the *Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide*.



See the following procedure to disable Amazon WAF protections and disassociate the web ACL from your distribution.

**To disable Amazon WAF security protections in CloudFront**

1. Open the CloudFront console at [https://console.amazonaws.cn/cloudfront/v4/home](https://console.amazonaws.cn/cloudfront/v4/home).

1. In the navigation pane, choose **Distributions**, and then choose the distribution that you want to change.

1. Choose the **Security** tab and then choose **Edit**.

1. In the **Web Application Firewall (WAF)** section, choose **Disable Amazon WAF protection**.

1. Choose **Save changes**.

**Notes**  
If you disabled Amazon WAF security protection and you still want to delete the web ACL from your Amazon Web Services account, you can delete it manually. Follow the procedure to [delete a web ACL](https://docs.amazonaws.cn/waf/latest/developerguide/web-acl-deleting.html). In the Amazon WAF & Shield console, for the **Web ACLs** page, you *must* choose the **Global (CloudFront)** list to find the web ACLs.
When you delete a distribution from the CloudFront console, CloudFront will attempt to also delete the web ACL if you chose one-click protection. This is best effort and isn't always guaranteed. For more information, see [Delete a distribution](HowToDeleteDistribution.md).