# Use Amazon WAF protections You can use [Amazon WAF](https://docs.amazonaws.cn/waf/latest/developerguide/what-is-aws-waf) to protect your CloudFront distributions and origin servers. Amazon WAF is a web application firewall that helps secure your web applications and APIs by blocking requests before they reach your servers. For more information, see [Accelerate and protect your websites using CloudFront and Amazon WAF](https://www.amazonaws.cn/blogs/networking-and-content-delivery/accelerate-and-protect-your-websites-using-amazon-cloudfront-and-aws-waf/) and [Guidelines for Implementing Amazon WAF](https://docs.amazonaws.cn/whitepapers/latest/guidelines-for-implementing-aws-waf/guidelines-for-implementing-aws-waf.html). To enable Amazon WAF protections, you can: + Use one-click protection in the CloudFront console. One-click protection creates an Amazon WAF web access control list (web ACL), configures rules to protect your servers from common web threats, and attaches the web ACL to the CloudFront distribution for you. The topics in this section assume the use of one-click protections. + Use a preconfigured web ACL (access control list) that you create in the Amazon WAF console, or by using the Amazon WAF APIs. For more information, see [Web access control lists (ACLs)](https://docs.amazonaws.cn/waf/latest/developerguide/web-acl.html) in the *Amazon WAF Developer Guide* and [AssociateWebACL](https://docs.amazonaws.cn/waf/latest/APIReference/API_AssociateWebACL.html) in the *Amazon WAF API Reference* You can enable Amazon WAF when you: + Create a distribution + Use the **Security** dashboard to edit the security settings of an existing distribution When you use one-click protection, CloudFront applies an Amazon recommended set of protections that: + Block IP addresses from potential threats based on Amazon internal threat intelligence. + Protect against the most common vulnerabilities found in web applications as described in the [OWASP Top 10](https://owasp.org/www-project-top-ten/). + Defend against malicious actors discovering application vulnerabilities. **Important** You must enable Amazon WAF if you want to view security metrics in the CloudFront **Security** dashboard. Without Amazon WAF, enabled, you can only use the **Security** dashboard to enable Amazon WAF or configure CloudFront geographic restrictions. For more information about the dashboard, see [Manage Amazon WAF security protections in the CloudFront security dashboard](security-dashboard.md), later in this section. **Topics** + [Enable Amazon WAF for distributions](WAF-one-click.md) + [Manage Amazon WAF security protections in the CloudFront security dashboard](security-dashboard.md) + [Set up rate limiting](WAF-one-click-rate-limiting.md) + [Disable Amazon WAF security protections](disable-waf.md)