Using Amazon WAF to control access to your content - Amazon CloudFront

Using Amazon WAF to control access to your content

Amazon WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content. Based on conditions that you specify, such as the values of query strings or the IP addresses that requests originate from, CloudFront responds to requests either with the requested content or with an HTTP status code 403 (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked. For more information about Amazon WAF, see the Amazon WAF Developer Guide.

After you create an Amazon WAF web access control list (web ACL), create or update a web distribution to associate the distribution with the web ACL. You can associate as many CloudFront distributions as you want with the same web ACL or with different web ACLs. For information about creating a distribution and associating it with a web ACL, see Creating a distribution.

To associate or disassociate a web ACL and an existing distribution, or change the web ACL that is associated with a distribution, perform the following procedure.

To associate or disassociate an Amazon WAF web ACL and an existing CloudFront distribution by using the CloudFront console

  1. Sign in to the Amazon Web Services Management Console and open the CloudFront console at

  2. Choose the ID for the distribution that you want to update.

  3. On the General tab, choose Edit.

  4. On the Distribution Settings page, in the Amazon WAF Web ACL list, choose the web ACL that you want to associate with this distribution.

    If you want to disassociate the distribution from all web ACLs, choose None. If you want to associate the distribution with a different web ACL, choose the new web ACL.

  5. Choose Yes, Edit.

  6. Repeat steps 2 through 5 for other distributions, if any, for which you want to add, delete, or change associations with Amazon WAF web ACLs.

  7. After you change settings, the value of the Status column for the distributions that you updated changes to InProgress while CloudFront propagates the changes to edge locations. When Status changes to Deployed for a distribution, the distribution is ready to use Amazon WAF when it processes requests. (The value of the State column for the distribution must also be Enabled.) This should take less than 15 minutes after you save the last change to a distribution.
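The same procedure can be scripted against the CloudFront API. The following is an added example, not part of the original documentation. It assumes boto3 with credentials allowed to call GetDistributionConfig, UpdateDistribution and GetDistribution; the script name and command-line arguments are hypothetical.

```python
"""Added example: the console procedure above through the CloudFront API (boto3)."""
import sys


def set_web_acl(cf, distribution_id, web_acl_id):
    """Point a distribution at web_acl_id; "" disassociates (console choice: None).

    web_acl_id is the web ACL ARN for current Amazon WAF web ACLs, or the ACL ID
    for WAF Classic. Returns False when the association is already as requested.
    """
    current = cf.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    if config.get("WebACLId", "") == web_acl_id:
        return False
    config["WebACLId"] = web_acl_id
    # IfMatch carries the ETag from the read above, so a concurrent edit makes
    # this call fail instead of silently overwriting the other change.
    cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                           DistributionConfig=config)
    return True


def waf_in_effect(cf, distribution_id):
    """True only when Status is Deployed, the distribution is Enabled, and a web ACL is set."""
    dist = cf.get_distribution(Id=distribution_id)["Distribution"]
    config = dist["DistributionConfig"]
    return (dist["Status"] == "Deployed" and bool(config["Enabled"])
            and bool(config.get("WebACLId")))


def main(argv):
    if len(argv) < 3:
        print("usage: set_web_acl.py WEB_ACL_ID_OR_ARN DISTRIBUTION_ID [DISTRIBUTION_ID ...]")
        return 0
    import boto3  # imported here so the functions above can be tested with a stub client
    cf = boto3.client("cloudfront")
    for dist_id in argv[2:]:  # step 6: repeat for every distribution
        changed = set_web_acl(cf, dist_id, argv[1])
        print(dist_id, "update sent" if changed else "already associated")
        if changed:
            # Blocks until Status leaves InProgress and reads Deployed (step 7).
            cf.get_waiter("distribution_deployed").wait(Id=dist_id)
        print(dist_id, "WAF in effect:", waf_in_effect(cf, dist_id))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Checking `waf_in_effect` after the wait catches the case the procedure calls out: a distribution that is Deployed but not Enabled does not yet serve requests through the web ACL.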


Amazon Firewall Manager is a security management service that makes it easier to centrally configure and manage Amazon WAF rules across your accounts and applications. Using Firewall Manager, you can roll out Amazon WAF rules to your CloudFront distributions across accounts in Amazon Organizations. For more information, see the Amazon Firewall Manager Developer Guide.