Associating or disassociating protection with an Amazon resource
You can use Amazon WAF to create the following associations between protection packs or web ACLs and your resources:
- Associate a regional protection pack or web ACL with any of the regional resources listed below. For this option, the protection pack or web ACL must be in the same Region as your resource.
  - Amazon API Gateway REST API
  - Application Load Balancer
  - Amazon AppSync GraphQL API
  - Amazon Cognito user pool
  - Amazon App Runner service
  - Amazon Verified Access instance
  - Amazon Amplify
- Associate a global protection pack or web ACL with an Amazon CloudFront distribution. A global protection pack or web ACL has a hard-coded Region of US East (N. Virginia).
You can also associate a protection pack or web ACL with a CloudFront distribution when you create or update the distribution itself. For information, see Using Amazon WAF to Control Access to Your Content in the Amazon CloudFront Developer Guide.
Restrictions on multiple associations
You can associate a single protection pack or web ACL with one or more Amazon resources, according to the following restrictions:
- You can associate each Amazon resource with only one protection pack or web ACL. The relationship between protection pack or web ACL and Amazon resources is one-to-many.
- You can associate a protection pack or web ACL with one or more CloudFront distributions. You cannot associate a protection pack or web ACL that you have associated with a CloudFront distribution with any other Amazon resource type.
Additional restrictions
The following additional restrictions apply to protection pack or web ACL associations:
- You can only associate a protection pack or web ACL to an Application Load Balancer within Amazon Web Services Regions. For example, you cannot associate a protection pack or web ACL to an Application Load Balancer that is on Amazon Outposts.
- You can't associate an Amazon Cognito user pool with a protection pack or web ACL that uses the Amazon WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet or the Amazon WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet. For information about account creation fraud prevention, see Amazon WAF Fraud Control account creation fraud prevention (ACFP). For information about account takeover prevention, see Amazon WAF Fraud Control account takeover prevention (ATP).
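The restrictions above can be checked against a planned set of associations before anything is applied. The following is an added example, not code from the Amazon WAF documentation; the dictionary layout, the resource type labels, and the sample names are assumptions made for illustration.

```python
# Added example: lint a planned set of associations before applying them.
# The dict layout and resource "type" labels are assumptions; CLOUDFRONT and
# REGIONAL are the WAF scope values, and the rule group names are from the page.
FRAUD_GROUPS = {"AWSManagedRulesACFPRuleSet", "AWSManagedRulesATPRuleSet"}

def check_associations(acls, resources, plan):
    """Return violation strings for a plan of (acl_name, resource_name) pairs."""
    problems, seen = [], {}
    for acl_name, res_name in plan:
        acl, res = acls[acl_name], resources[res_name]
        # Each resource may have only one protection pack or web ACL.
        if seen.setdefault(res_name, acl_name) != acl_name:
            problems.append(f"{res_name}: already associated with {seen[res_name]}")
        if res["type"] == "cloudfront":
            # CloudFront distributions take only global (CLOUDFRONT scope) ACLs.
            if acl["scope"] != "CLOUDFRONT":
                problems.append(f"{res_name}: CloudFront needs a global ACL")
            continue
        # A global ACL cannot be associated with any other resource type.
        if acl["scope"] != "REGIONAL":
            problems.append(f"{res_name}: {acl_name} is global, resource is regional")
        elif acl["region"] != res["region"]:
            problems.append(f"{res_name}: {acl_name} is in {acl['region']}, not {res['region']}")
        if res["type"] == "alb" and res.get("on_outposts"):
            problems.append(f"{res_name}: Application Load Balancer on Outposts")
        if res["type"] == "cognito" and FRAUD_GROUPS & set(acl["rule_groups"]):
            problems.append(f"{res_name}: Cognito user pool with ACFP/ATP rule group")
    return problems

# Constructed sample inventory and plan.
ACLS = {
    "edge": {"scope": "CLOUDFRONT", "region": "us-east-1", "rule_groups": []},
    "api": {"scope": "REGIONAL", "region": "eu-west-1", "rule_groups": ["AWSManagedRulesATPRuleSet"]},
    "base": {"scope": "REGIONAL", "region": "eu-west-1", "rule_groups": []},
}
RESOURCES = {
    "cdn": {"type": "cloudfront", "region": "global"},
    "alb-eu": {"type": "alb", "region": "eu-west-1"},
    "alb-us": {"type": "alb", "region": "us-west-2"},
    "pool": {"type": "cognito", "region": "eu-west-1"},
}
PLAN = [("edge", "cdn"), ("base", "alb-eu"), ("api", "alb-eu"),
        ("base", "alb-us"), ("api", "pool"), ("edge", "pool")]

if __name__ == "__main__":
    for problem in check_associations(ACLS, RESOURCES, PLAN):
        print(problem)
```

Run against the constructed plan, the check reports the second ACL on alb-eu, the Region mismatch on alb-us, the ATP rule group on the Cognito user pool, and both the duplicate and the global-scope problem for the last pair.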
Production traffic risk
Before you deploy your protection pack or web ACL for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your rules in count mode with your production traffic before enabling them. For guidance, see Testing and tuning your Amazon WAF protections.