Hi suvan,
"You can use an AWS WAF web ACL to protect global or regional resource types. You do this by associating the web ACL with the resources that you want to protect. The web ACL and any AWS WAF resources that it uses must be located in the Region where the associated resource is located. For Amazon CloudFront distributions, this is set to US East (N. Virginia)." https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works-resources.html
Did you check the region?
If you or anyone else runs into this issue, I had the same exact problem. It was not due to misaligned environments. I discovered the issue is because we had continuous deployment enabled, which blocks adding/disabling a WAF ACL. So the steps I followed were:
WARNING
These steps will remove your staging distribution attached to the production. This is fine unless you have changes made in the staging distribution that have not yet been promoted. Either discard or promote changes before following the steps, or save the CF configuration for staging before following the steps.
Steps
- Go to your production CF distribution and scroll to the bottom of the general tab and disable continuous deployment
- Delete continuous deployment
- Associate the WAF ACL of your choice
- Enable the continuous deployment
That's my case right now. I had suspected the CD because all other distributions were accepting the association but the one with CD enabled. I can't move forward now because my CD has changes not deployed yet, but as soon as I apply them I will try and edit the post.
Hey Vitor, thanks for your response! I saw that documentation but I also don't have the option to select my CloudFront distribution unless I select the global region. That is, if I try to associate it during or after web ACL creation.
Hi suvan,
For CloudFront, the associated Web ACL should indeed be global.
Did you create your ACL in the "Global (CloudFront)" scope when setting it up in AWS WAF?
Remember, even though CloudFront is global, you'll still choose a region within the Web ACLs section.
Yup, I only have the option to select the CloudFront distribution if I'm on the global region in the ACL menu.
Did you create the ACL globally? You can select it inside the ACL creation page.