I noticed a new rule in my WAF configuration, but I cannot identify the cause of its creation

0

Under what circumstances does CloudFront automatically create a WAF rule named CreatedByCloudFrontForDistributionecccccccccc-Geo-BlockRule regarding geographic restrictions? We can confirm that we have not manually modified the CloudFront geographic restrictions settings. Could you please help investigate the cause of this auto-creation? Thank you all for your assistance.

1 Answer
3

As far as I know, this behavior is expected when using the CloudFront console to manage geographic restrictions while a Web ACL is already associated with your distribution. So, when you enable Geographic Restrictions (Allow or Block list) directly in the CloudFront console, AWS automatically manages this requirement by creating a managed rule in the associated AWS WAF Web ACL.

The rule name CreatedByCloudFrontForDistribution[ID]-Geo-BlockRule is the standard naming convention used by this automation. This happens even if you didn't manually open the WAF dashboard; CloudFront "provisions" this rule on your behalf to ensure the restrictions are enforced at the edge.

How to verify the cause

To identify who or what triggered this, you can check AWS CloudTrail for the following sequence of events:

  • EventSource: cloudfront.amazonaws.com -> Look for the UpdateDistribution event.
  • EventSource: wafv2.amazonaws.com -> Look for a corresponding UpdateWebACL event occurring at the same timestamp.

You need to note

  • Automatic Sync: If you remove the geographic restrictions in the CloudFront settings, the corresponding WAF rule is typically removed automatically.
  • Manual Changes: It is generally recommended not to modify or delete these "CreatedByCloudFront" rules manually within the WAF console, as this can lead to configuration drift between CloudFront and WAF.

For details, you can refer to the official documentation on Restricting the geographic distribution of your content:

Expert

answered 2 months ago
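
The CloudTrail check described in the answer, as an added example that is not part of the original answer: it finds the UpdateWebACL event that first introduced a `CreatedByCloudFrontForDistribution...` rule and pairs it with the nearest UpdateDistribution event. It goes slightly beyond the answer by ignoring later web ACL edits that merely resend the existing rule list. The records are constructed, the rule name is a placeholder, and the `rules` list under `requestParameters` is an assumption about how UpdateWebACL is logged.

```python
from datetime import datetime

RULE_PREFIX = "CreatedByCloudFrontForDistribution"
BOB = "arn:aws:iam::111122223333:user/bob"      # constructed principal
ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed principal
GEO = RULE_PREFIX + "EXAMPLEID-Geo-BlockRule"   # placeholder rule name

def rec(time, source, name, arn, rules=None):
    """Build a constructed record using standard CloudTrail field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn},
            # Assumption: UpdateWebACL logs its rule list under requestParameters.rules
            "requestParameters": {"rules": [{"name": r} for r in rules or []]}}

# Constructed sample trail, not real log data.
SAMPLE_EVENTS = [
    rec("2024-01-10T08:00:00Z", "wafv2.amazonaws.com", "UpdateWebACL", ALICE, ["RateLimit"]),
    rec("2024-01-15T09:30:12Z", "cloudfront.amazonaws.com", "UpdateDistribution", BOB),
    rec("2024-01-15T09:30:13Z", "wafv2.amazonaws.com", "UpdateWebACL", BOB, ["RateLimit", GEO]),
    # Later manual edit: the full rule list is resent, so the geo rule appears again.
    rec("2024-01-20T14:00:00Z", "wafv2.amazonaws.com", "UpdateWebACL", ALICE, ["RateLimit", GEO]),
]

def ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, window_seconds=60):
    """Find the UpdateWebACL that first introduced each CloudFront-created rule
    and pair it with the closest UpdateDistribution inside the time window."""
    events = sorted(events, key=ts)
    dist = [e for e in events if e["eventSource"] == "cloudfront.amazonaws.com"
            and e["eventName"] == "UpdateDistribution"]
    seen, findings = set(), []
    for e in events:
        if (e["eventSource"], e["eventName"]) != ("wafv2.amazonaws.com", "UpdateWebACL"):
            continue
        rules = (e.get("requestParameters") or {}).get("rules") or []
        for name in (r.get("name", "") for r in rules):
            if not name.startswith(RULE_PREFIX) or name in seen:
                continue  # unrelated rule, or already introduced by an earlier update
            seen.add(name)
            near = [d for d in dist if abs((ts(d) - ts(e)).total_seconds()) <= window_seconds]
            trigger = min(near, key=lambda d: abs((ts(d) - ts(e)).total_seconds()), default=None)
            findings.append({"rule": name, "waf_time": e["eventTime"],
                             "triggered_by": trigger and trigger["userIdentity"]["arn"],
                             "distribution_update": trigger and trigger["eventTime"]})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

A finding whose `triggered_by` is empty means no UpdateDistribution event fell inside the window, so the rule's origin needs a wider search or a different explanation.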