Skip to content

/AWS1/CL_WA2=>DISASSOCIATEWEBACL()

About DisassociateWebACL

Disassociates the specified regional application resource from any existing web ACL association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To disassociate a web ACL, provide an empty web ACL ID in the CloudFront call UpdateDistribution. For information, see UpdateDistribution in the Amazon CloudFront API Reference.

Required permissions for customer-managed IAM policies

This call requires permissions that are specific to the protected resource type. For details, see Permissions for DisassociateWebACL in the WAF Developer Guide.

Method Signature

IMPORTING

Required arguments:

IV_RESOURCEARN TYPE /AWS1/WA2RESOURCEARN /AWS1/WA2RESOURCEARN

The Amazon Resource Name (ARN) of the resource to disassociate from the web ACL.

The ARN must be in one of the following formats:

  • For an Application Load Balancer: arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id

  • For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name

  • For an AppSync GraphQL API: arn:partition:appsync:region:account-id:apis/GraphQLApiId

  • For an Amazon Cognito user pool: arn:partition:cognito-idp:region:account-id:userpool/user-pool-id

  • For an App Runner service: arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id

  • For an Amazon Web Services Verified Access instance: arn:partition:ec2:region:account-id:verified-access-instance/instance-id

RETURNING

OO_OUTPUT TYPE REF TO /AWS1/CL_WA2DISASSOCWEBACLRSP /AWS1/CL_WA2DISASSOCWEBACLRSP