By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Unable to add web ACL to CloudFront distribution

0

Hi,

I'm trying to add a web ACL in front of my CloudFront distribution but it keeps failing. I'm able to create new web ACLs. When I do I try to associate the distribution with the ACL from the beginning. Creation is successful but when I check the associated resources the list is always empty. See screenshots:

Adding distribution during creation creation is successful No associated resources after creation

If I try to add the distribution after the ACL has already been created I get the following error: acl error

I have created web ACLs for other resources already and I am the one that created the CloudFront distribution so I don't think permissions are an issue.

Any help is appreciated. Thank you!

Topics
Security, Identity, & ComplianceNetworking & Content Delivery
Tags
AWS WAFAmazon CloudFront
Language
English
suvan
asked 4 days ago57 views
1 Answer
0

Hi suvan,

"You can use an AWS WAF web ACL to protect global or regional resource types. You do this by associating the web ACL with the resources that you want to protect. The web ACL and any AWS WAF resources that it uses must be located in the Region where the associated resource is located. For Amazon CloudFront distributions, this is set to US East (N. Virginia)." https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works-resources.html

Did you check the region?

profile picture
Vitor Castellani
answered 4 days ago
  • suvan
    4 days ago

    Hey Vitor, thanks for your response! I saw that documentation but I also don't have the option to select my cloudfront distribution unless I select the global region. That is if I try to associate it during or after web ACL creation

  • Vitor Castellani
    4 days ago

    Hi suvan,

    For CloudFront, the associated Web ACL should indeed be global.

    Did you create your ACL in the "Global (CloudFront)" scope when setting it up in AWS WAF?

    Remember, even though CloudFront is global, you'll still choose a region within the Web ACLs section.

  • suvan
    3 days ago

    Yup, I only have the option to select the CloudFront distribution if I'm on the global region in the ACL menu

  • Vitor Castellani
    a day ago

    Did you created ACL Globally? You can select it inside ACL creation page.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content