Unable to add web ACL to CloudFront distribution


Hi,

I'm trying to add a web ACL in front of my CloudFront distribution but it keeps failing. I'm able to create new web ACLs. When I do, I try to associate the distribution with the ACL from the beginning. Creation is successful but when I check the associated resources the list is always empty. See screenshots:

[Screenshot: adding the distribution during creation is successful] [Screenshot: no associated resources after creation]

If I try to add the distribution after the ACL has already been created I get the following error: [Screenshot: ACL error]

I have created web ACLs for other resources already and I am the one that created the CloudFront distribution so I don't think permissions are an issue.

Any help is appreciated. Thank you!

suvan
asked 7 months ago, 549 views
2 Answers

Hi suvan,

"You can use an AWS WAF web ACL to protect global or regional resource types. You do this by associating the web ACL with the resources that you want to protect. The web ACL and any AWS WAF resources that it uses must be located in the Region where the associated resource is located. For Amazon CloudFront distributions, this is set to US East (N. Virginia)." https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works-resources.html

Did you check the region?

answered 7 months ago
  • Hey Vitor, thanks for your response! I saw that documentation, but I also don't have the option to select my CloudFront distribution unless I select the global region. That is, if I try to associate it during or after web ACL creation.

  • Hi suvan,

    For CloudFront, the associated Web ACL should indeed be global.

    Did you create your ACL in the "Global (CloudFront)" scope when setting it up in AWS WAF?

    Remember, even though CloudFront is global, you'll still choose a region within the Web ACLs section.

  • Yup, I only have the option to select the CloudFront distribution if I'm on the global region in the ACL menu

  • Did you create the ACL globally? You can select it on the ACL creation page.


If you or anyone else runs into this issue: I had the exact same problem. It was not due to misaligned environments. I discovered the issue is because we had continuous deployment enabled, which blocks adding/disabling a WAF ACL. So the steps I followed were:

WARNING

These steps will remove the staging distribution attached to your production distribution. This is fine unless you have changes made in the staging distribution that have not yet been promoted. Either discard or promote the changes before following these steps, or save the CF configuration for staging before following them.

Steps

  1. Go to your production CF distribution, scroll to the bottom of the General tab and disable continuous deployment.
  2. Delete continuous deployment.
  3. Associate the WAF ACL of your choice.
  4. Enable continuous deployment again.
lroling
answered 6 months ago
  • That's my case right now. I had suspected the CD because all other distributions were accepting the association except the one with CD enabled. I can't go forward now because my CD has changes not deployed yet, but as soon as I apply them I will try and edit the post.
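The two findings in this thread (the web ACL must be in the Global (CloudFront) scope, which lives in us-east-1, and a distribution with continuous deployment attached refuses the association) can be checked before touching the distribution. The following is an added example written for this page, not code from re:Post or from AWS: it runs a preflight over a distribution config shaped like the output of `aws cloudfront get-distribution-config` and, if nothing blocks the association, produces the updated config with `WebACLId` set for `aws cloudfront update-distribution`. The field names `ContinuousDeploymentPolicyId`, `Staging` and `WebACLId` are the ones CloudFront's DistributionConfig uses; the sample config, account ID and ACL names below are constructed for the example.

```python
"""Preflight for associating a WAFv2 web ACL with a CloudFront distribution.

Input mirrors `aws cloudfront get-distribution-config`: an "ETag" plus a
"DistributionConfig" object. Only the fields relevant to the check are
modelled; the sample data at the bottom is constructed for this example.
"""
import json
import re

# WAFv2 web ACL ARN. For the CloudFront scope the region is always us-east-1
# and the scope segment is "global"; regional ACLs use "regional/webacl/...".
_WEBACL_ARN = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):\d{12}:"
    r"(?P<scope>global|regional)/webacl/[^/]+/[^/]+$"
)


def association_blockers(dist_config_response: dict, web_acl_arn: str) -> list:
    """Return the reasons attaching `web_acl_arn` to this distribution would
    fail. An empty list means the association should be accepted."""
    blockers = []
    cfg = dist_config_response["DistributionConfig"]

    m = _WEBACL_ARN.match(web_acl_arn)
    if not m:
        blockers.append("web ACL ARN is not a WAFv2 web ACL ARN")
    else:
        if m.group("scope") != "global":
            blockers.append("web ACL is regional; CloudFront needs a "
                            "Global (CloudFront) scope ACL")
        if m.group("region") != "us-east-1":
            blockers.append("web ACL must live in us-east-1, the region "
                            "backing the CloudFront scope")

    # Finding from the second answer: while a continuous deployment policy is
    # attached, the distribution refuses web ACL changes.
    if cfg.get("ContinuousDeploymentPolicyId"):
        blockers.append("continuous deployment policy %s is attached; "
                        "disable and delete it first"
                        % cfg["ContinuousDeploymentPolicyId"])
    if cfg.get("Staging"):
        blockers.append("this is a staging distribution; attach the ACL "
                        "to the primary distribution instead")
    return blockers


def with_web_acl(dist_config_response: dict, web_acl_arn: str) -> dict:
    """Return a copy of DistributionConfig with WebACLId set, ready for
    `aws cloudfront update-distribution --id <id> --if-match <ETag>
    --distribution-config file://config.json`. Raises ValueError when the
    preflight finds blockers, so a doomed update is never attempted."""
    blockers = association_blockers(dist_config_response, web_acl_arn)
    if blockers:
        raise ValueError("; ".join(blockers))
    cfg = json.loads(json.dumps(dist_config_response["DistributionConfig"]))
    cfg["WebACLId"] = web_acl_arn  # for WAFv2, CloudFront expects the ACL ARN
    return cfg


# Constructed sample: a production distribution with continuous deployment on.
SAMPLE_PROD = {
    "ETag": "E2QWRUHEXAMPLE",
    "DistributionConfig": {
        "CallerReference": "example-prod",
        "Enabled": True,
        "Staging": False,
        "ContinuousDeploymentPolicyId": "K1EXAMPLECDPOLICY",
        "WebACLId": "",
    },
}
GLOBAL_ACL = ("arn:aws:wafv2:us-east-1:123456789012:global/webacl/"
              "prod-acl/11111111-2222-3333-4444-555555555555")
REGIONAL_ACL = ("arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/"
                "prod-acl/11111111-2222-3333-4444-555555555555")


def after_detaching_cd(dist_config_response: dict) -> dict:
    """Model the state after the answer's steps 1-2 (policy detached)."""
    cfg = json.loads(json.dumps(dist_config_response))
    cfg["DistributionConfig"]["ContinuousDeploymentPolicyId"] = ""
    return cfg


if __name__ == "__main__":
    for label, acl in (("global ACL", GLOBAL_ACL), ("regional ACL", REGIONAL_ACL)):
        print(label, "->", association_blockers(SAMPLE_PROD, acl) or "ok")
    ready = with_web_acl(after_detaching_cd(SAMPLE_PROD), GLOBAL_ACL)
    print(json.dumps(ready, indent=2))
```

Run against the constructed sample, the global ACL is blocked only by the attached continuous deployment policy, the regional ACL additionally by its scope and region; once the policy is detached (steps 1 and 2 of the answer), `with_web_acl` returns the config to submit in step 3.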
