Enabling AWS WAF for distributions - Amazon CloudFront

When you create a distribution, you can enable AWS WAF and use an existing ACL.

To enable AWS WAF for a new distribution
  1. Open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the navigation pane, choose Distributions, and then choose Create distribution.

  3. As needed, follow the steps in Create a distribution.

  4. In the Web Application Firewall section, choose Edit, then choose Enable security protections.

  5. Complete the following fields:

    • Use monitor mode – Enable monitor mode when you want to first collect data to test how protection will work. When monitor mode is enabled, requests aren't blocked. Instead, monitor mode collects data about requests that would be blocked if the protections were active. When you're ready to begin blocking, you can enable blocking on the Security page.

    • Additional protections – Choose any options that you want to enable. If you enable rate limiting, see Setting up rate limiting for more information.

    • Price estimate – You can open the section to display a field where you enter a different number of requests/month and see a new estimate.

  6. Review the remaining distribution settings, then choose Create distribution.

After you create a distribution, CloudFront creates a Security dashboard. You can use this dashboard to disable or enable AWS WAF. If you haven't enabled AWS WAF yet, the charts and graphs in the dashboard remain blank.

Using an existing web ACL

If you have a web ACL, you can use it instead of the protection offered by AWS WAF.

To use an existing AWS WAF configuration
  1. Open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. Do one of the following:

    1. Choose Create distribution and follow the steps in Create a distribution, then return to this topic.

    2. Choose an existing configuration, and then choose the Security tab.

  3. In the Web Application Firewall (WAF) section, choose Edit, then Enable security protections.

  4. Choose Use existing WAF configuration. This option appears only if you have web ACLs configured.

  5. Choose your existing web ACL from the Choose a web ACL table.

  6. Review the remaining distribution settings, and then choose Create distribution.
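
To confirm across an account that the procedures above took effect, the following added example (not part of the AWS documentation) reads JSON shaped like the output of `aws cloudfront list-distributions` and lists the enabled distributions that have no AWS WAF web ACL attached. The sample data, its IDs and account number are constructed, and the function names and classification labels are this example's own.

```python
import json
import re

# For CloudFront, an AWS WAF (WAFv2) web ACL is referenced by a global-scope
# ARN in us-east-1; AWS WAF Classic web ACLs are referenced by a bare ID.
WAFV2_GLOBAL_ARN = re.compile(
    r"^arn:aws:wafv2:us-east-1:\d{12}:global/webacl/[^/]+/[0-9a-fA-F-]+$"
)

def classify_web_acl(web_acl_id):
    """Classify the WebACLId field of a DistributionSummary."""
    if not web_acl_id:
        return "none"        # no web ACL associated
    if WAFV2_GLOBAL_ARN.match(web_acl_id):
        return "wafv2"
    return "other"           # Classic ID, or an ARN that is not global/us-east-1

def audit(list_distributions_json):
    """Return {distribution Id: {"domain", "enabled", "waf"}}."""
    doc = json.loads(list_distributions_json)
    items = doc.get("DistributionList", {}).get("Items") or []
    return {
        d["Id"]: {
            "domain": d.get("DomainName", ""),
            "enabled": bool(d.get("Enabled")),
            "waf": classify_web_acl(d.get("WebACLId", "")),
        }
        for d in items
    }

def needs_attention(report):
    """Enabled distributions that serve traffic without a WAFv2 web ACL."""
    return sorted(i for i, r in report.items() if r["enabled"] and r["waf"] != "wafv2")

# Constructed sample shaped like `aws cloudfront list-distributions` output.
SAMPLE = json.dumps({"DistributionList": {"Items": [
    {"Id": "EXAMPLEAAAAAAA", "DomainName": "d111example.cloudfront.net", "Enabled": True,
     "WebACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/"
                 "ExampleWebACL/a1b2c3d4-5678-90ab-cdef-000000000001"},
    {"Id": "EXAMPLEBBBBBBB", "DomainName": "d222example.cloudfront.net", "Enabled": True,
     "WebACLId": ""},
    {"Id": "EXAMPLECCCCCCC", "DomainName": "d333example.cloudfront.net", "Enabled": False,
     "WebACLId": ""},
    {"Id": "EXAMPLEDDDDDDD", "DomainName": "d444example.cloudfront.net", "Enabled": True,
     "WebACLId": "a1b2c3d4-5678-90ab-cdef-000000000002"},
]}})

if __name__ == "__main__":
    report = audit(SAMPLE)
    for dist_id in needs_attention(report):
        print(dist_id, report[dist_id]["domain"], report[dist_id]["waf"])
```

This checks only that a web ACL is attached to each distribution; it does not show whether the protections are in monitor mode or blocking.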