# Use AWS WAF protections
<a name="distribution-web-awswaf"></a>

You can use [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf) to protect your CloudFront distributions and origin servers. AWS WAF is a web application firewall that helps secure your web applications and APIs by blocking requests before they reach your servers. For more information, see [Accelerate and protect your websites using CloudFront and AWS WAF](https://aws.amazon.com/blogs/networking-and-content-delivery/accelerate-and-protect-your-websites-using-amazon-cloudfront-and-aws-waf/) and [Guidelines for Implementing AWS WAF](https://docs.aws.amazon.com/whitepapers/latest/guidelines-for-implementing-aws-waf/guidelines-for-implementing-aws-waf.html).

To enable AWS WAF protections, you can:
+ Use one-click protection in the CloudFront console. One-click protection creates an AWS WAF web access control list (web ACL), configures rules to protect your servers from common web threats, and attaches the web ACL to the CloudFront distribution for you. The topics in this section assume the use of one-click protections.
+ Use a preconfigured web ACL (access control list) that you create in the AWS WAF console, or by using the AWS WAF APIs. For more information, see [Web access control lists (ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF Developer Guide* and [AssociateWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociateWebACL.html) in the *AWS WAF API Reference*.

You can enable AWS WAF when you:
+ Create a distribution
+ Use the **Security** dashboard to edit the security settings of an existing distribution

When you use one-click protection, CloudFront applies an AWS recommended set of protections that:
+ Block IP addresses from potential threats based on Amazon internal threat intelligence.
+ Protect against the most common vulnerabilities found in web applications as described in the [OWASP Top 10](https://owasp.org/www-project-top-ten/).
+ Defend against malicious actors discovering application vulnerabilities.

**Important**  
You must enable AWS WAF if you want to view security metrics in the CloudFront **Security** dashboard. Without AWS WAF enabled, you can only use the **Security** dashboard to enable AWS WAF or configure CloudFront geographic restrictions. For more information about the dashboard, see [Manage AWS WAF security protections in the CloudFront security dashboard](security-dashboard.md), later in this section.

**Topics**
+ [Enable AWS WAF for distributions](WAF-one-click.md)
+ [Manage AWS WAF security protections in the CloudFront security dashboard](security-dashboard.md)
+ [Set up rate limiting](WAF-one-click-rate-limiting.md)
+ [Disable AWS WAF security protections](disable-waf.md)

# Enable AWS WAF for distributions
<a name="WAF-one-click"></a>

You can enable AWS WAF when you create a distribution, or you can enable security protections by using an existing web access control list (web ACL).

If you enable AWS WAF for your CloudFront distribution, you can also enable bot control and configure security protection by bot category.

**Topics**
+ [Enable AWS WAF for a new distribution](#enable-waf-new-distribution)
+ [Use an existing web ACL](#acl-new-configuration)
+ [Enable bot control](#bot-traffic)
+ [Configure protection by bot category](#configure-bot-category-protection)

## Enable AWS WAF for a new distribution
<a name="enable-waf-new-distribution"></a>

The following procedure shows you how to enable AWS WAF when you create a new CloudFront distribution.

**To enable AWS WAF for a new distribution**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. In the navigation pane, choose **Distributions**, and then choose **Create distribution**.

1. As needed, follow the steps in [Create a distribution](distribution-web-creating-console.md).

1. In the **Web Application Firewall** section, choose **Edit**, then choose **Enable security protections**. 

1. Complete the following fields:
   + **Use monitor mode** – Enable monitor mode when you want to first collect data to test how protection will work. While monitor mode is enabled, requests aren't blocked. Instead, monitor mode collects data about the requests that would have been blocked if the protections were active. When you're ready to begin blocking, you can enable blocking on the **Security** page.
   + **Additional protections** – Choose any options that you want to enable. If you enable rate limiting, see [Set up rate limiting](WAF-one-click-rate-limiting.md) for more information.
   + **Price estimate** – You can open the section to display a field where you enter a different number of requests/month and see a new estimate.

1. Review the remaining distribution settings, then choose **Create distribution**.

After you create a distribution, CloudFront creates a **Security** dashboard. You can use this dashboard to disable or enable AWS WAF. If you haven't enabled AWS WAF yet, the charts and graphs in the dashboard remain blank.

## Use an existing web ACL
<a name="acl-new-configuration"></a>

If you have an existing web ACL, you can use it instead of the web ACL that one-click protection creates for you.

**To use an existing AWS WAF configuration**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. Do one of the following:

   1. Choose **Create distribution** and follow the steps in [Create a distribution](distribution-web-creating-console.md), then return to this topic.

   1. Choose an existing configuration, and then choose the **Security** tab.

1. In the **Web Application Firewall (WAF)** section, choose **Edit**, then **Enable security protections**.

1. Choose **Use existing WAF configuration**. This option appears only if you have web ACLs configured.

1. Choose your existing web ACL from the **Choose a web ACL** table.

1. Review the remaining distribution settings, and then choose **Create distribution**.

## Enable bot control
<a name="bot-traffic"></a>

If you enable AWS WAF for your CloudFront distribution, you can view bot requests for a given time range under the security dashboard in the CloudFront console. You can also enable or disable bot control here.

You incur charges when you enable bot control. The security dashboard provides a cost estimate.

If you enable bot control, the security dashboard displays bot traffic by each bot type and category. If you disable bot control, bot traffic is displayed based on request sampling.

**To enable bot control**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. In the navigation pane, choose **Distributions**, then choose the distribution that you want to change.

1. Choose the **Security** tab.

1. Scroll down to the **Bot requests for a given time range** section and choose **Enable Bot Control**.

1. In the **Bot Control** dialog box, under **Configuration**, select the **Enable Bot Control for common bots** check box.

1. Choose **Save changes**.

## Configure protection by bot category
<a name="configure-bot-category-protection"></a>

When you enable bot control, you can configure how each unverified bot is handled per bot category. For example, you can set an HTTP library bot to **Monitor mode** and assign a **Challenge** to a link checker.

**Note**  
Bots that are known by AWS to be common and verifiable, such as known search engine crawlers, aren't subject to the actions you set here. Bot control confirms that validated bots come from the source that they claim before marking them as verified.

**To configure protection for a bot category**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. In the navigation pane, choose **Distributions**, then choose the distribution that you want to change.

1. Choose the **Security** tab.

1. In the **Requests by bot category** chart, point to any of the items in the **Unverified bot action** column and choose the pencil icon to edit it.

1. Open the resulting list and choose one of the following:
   + **Block**
   + **Allow**
   + **Monitor mode**
   + **CAPTCHA**
   + **Challenge**

1. Select the check mark next to the list to save your change.

# Manage AWS WAF security protections in the CloudFront security dashboard
<a name="security-dashboard"></a>

CloudFront creates a security dashboard for each of your distributions. You use the dashboards in the CloudFront console. With the dashboards, you can use CloudFront and AWS WAF together in a single location to monitor and manage common security protections for your web applications. The dashboards provide the following tasks and data:
+ **Security configuration** – You can enable and disable AWS WAF protections, and see any app-specific protections such as WordPress protections.
+ **Security trends** – These include allowed and blocked requests, challenge and CAPTCHA requests, and top attack types. You can see traffic ratios and how they change over time. For example, if all requests increase by 3% but allowed requests increase by 14%, that means you allowed a larger portion of your traffic through in the current period.
+ **Bot requests** – You can see how much traffic comes from bots, which types of bots (verified vs non-verified), and how the percentage allocations of bot types (verified vs non-verified) change over time. For more information about enabling bot control, see [Enable bot control](WAF-one-click.md#bot-traffic).
+ **Request logs** – Log data can help answer questions about security trends or bot requests. You can search your logs without writing queries, and view aggregate charts to help determine if a filtered set of logs is primarily being driven by a subset of HTTP methods, IP addresses, URI paths, or countries. You can hover over values in the charts and block IP addresses and countries. For more information, see [Enable AWS WAF logs](#understand-logging).
+ **Geographic restriction management** – CloudFront and AWS WAF provide geographic restriction features. CloudFront provides geographic restrictions for free, but metrics for CloudFront geographic restrictions aren't displayed in the security dashboard. To see request metrics for blocked country requests, you must use AWS WAF geographic restrictions. To do this, hover over a country bar in the security dashboard and block the country. For more information, see [Use CloudFront geographic restrictions](georestrictions.md#georestrictions-cloudfront).
  + The **Block** option might not be available if you previously created a custom AWS WAF rule outside of the CloudFront console to block countries.

**Topics**
+ [Prerequisites](#prerequisites)
+ [Enable AWS WAF logs](#understand-logging)

## Prerequisites
<a name="prerequisites"></a>

You must enable AWS WAF if you want to view security metrics in the CloudFront **Security** dashboard. If you don't enable AWS WAF, you can only use the **Security** dashboard to enable AWS WAF or configure CloudFront geographic restrictions.

For more information about enabling AWS WAF, see [Enable AWS WAF for distributions](WAF-one-click.md).

## Enable AWS WAF logs
<a name="understand-logging"></a>

AWS WAF log data can help you isolate specific traffic patterns. For example, logs can show you where certain traffic comes from or what it does.

If you enable AWS WAF logging to CloudWatch, the CloudFront security dashboard queries, aggregates, and displays insights from the CloudWatch logs. We don’t charge to use the security dashboard, but CloudWatch pricing applies to logs queried through the dashboard. For more information, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/).

**To enable logs**

1. Enter your expected request volume in the **Number of requests/month** box to estimate the costs of enabling logs.

1. Select the **Enable AWS WAF logs** check box.

1. Choose **Enable**.

CloudFront creates a CloudWatch logs group and updates your AWS WAF configuration to begin logging to CloudWatch. On first use, log data can take several minutes to appear. The **Requests** section of the chart lists each request. Below the individual requests, the bar charts aggregate data by HTTP method, top URI paths, top IP addresses, and top countries. The charts can help you find patterns. For example, you may see a disproportionate volume of requests from a single IP address, or data from a country that you haven't previously seen in your logs. You can filter requests based on **Country**, **Host Header**, and other attributes to help find unwanted traffic. Once you identify that traffic, hover over an individual request or chart item and block an IP address or country.
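The aggregation the dashboard performs over AWS WAF logs (filter by action, **Country** or **Host** header, then roll up by HTTP method, URI path, client IP and country) can be reproduced offline. The following is an added example, not code from this guide or from AWS: it parses constructed records laid out like AWS WAF JSON log entries (`action`, `terminatingRuleId`, `httpRequest.clientIp`, `httpRequest.country`, `httpRequest.uri`, `httpRequest.httpMethod`, `httpRequest.headers`) and flags the "disproportionate volume from a single IP" pattern the text describes. All IPs, hosts and timestamps are made up.

```python
import json
from collections import Counter


def _rec(ts, action, rule, ip, country, uri, method, host):
    """Build one constructed log line in the AWS WAF JSON record layout (trimmed to the fields read below)."""
    return json.dumps({
        "timestamp": ts, "formatVersion": 1, "action": action, "terminatingRuleId": rule,
        "httpRequest": {"clientIp": ip, "country": country, "uri": uri, "httpMethod": method,
                        "headers": [{"name": "Host", "value": host}]},
    })


# Constructed sample: one source address trips the managed rules and the rate limit repeatedly.
SAMPLE_LOG_LINES = [
    _rec(1700000000000, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "198.51.100.7", "XX", "/wp-login.php", "POST", "example.com"),
    _rec(1700000001000, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "198.51.100.7", "XX", "/xmlrpc.php", "POST", "example.com"),
    _rec(1700000002000, "ALLOW", "Default_Action", "203.0.113.9", "US", "/index.html", "GET", "example.com"),
    _rec(1700000003000, "BLOCK", "RateLimit", "198.51.100.7", "XX", "/api/login", "POST", "api.example.com"),
    _rec(1700000004000, "ALLOW", "Default_Action", "192.0.2.44", "DE", "/index.html", "GET", "example.com"),
    _rec(1700000005000, "BLOCK", "AWS-AWSManagedRulesAmazonIpReputationList", "198.51.100.23", "XX", "/", "GET", "example.com"),
]


def _host(rec):
    """Return the Host header value; WAF logs headers as a list of name/value objects."""
    for h in rec["httpRequest"].get("headers", []):
        if h["name"].lower() == "host":
            return h["value"]
    return ""


def summarize(lines, action=None, country=None, host=None, top=3):
    """Filter records (by action, Country, Host header) and aggregate the survivors
    by HTTP method, URI path, client IP and country, like the dashboard's bar charts."""
    by = {"method": Counter(), "uri": Counter(), "ip": Counter(), "country": Counter()}
    matched = 0
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        if (action and rec["action"] != action) or (country and req["country"] != country) \
                or (host and _host(rec) != host):
            continue
        matched += 1
        by["method"][req["httpMethod"]] += 1
        by["uri"][req["uri"]] += 1
        by["ip"][req["clientIp"]] += 1
        by["country"][req["country"]] += 1
    return {"matched": matched, **{k: c.most_common(top) for k, c in by.items()}}


def dominant_ip(lines, threshold=0.5):
    """Return the client IP behind at least `threshold` of all BLOCK records, or None."""
    s = summarize(lines, action="BLOCK", top=1)
    if not s["ip"]:
        return None
    ip, n = s["ip"][0]
    return ip if n / s["matched"] >= threshold else None
```

Run against a real export, feed it the raw JSON lines from the CloudWatch log group that CloudFront creates; the same filters then answer "is this traffic driven by one IP, one path or one country" before you block anything from the dashboard.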

**Note**  
Displayed metrics are per web ACL. Therefore, if you associate the same web ACL with multiple distributions, you will see all metrics for that web ACL, not only the AWS WAF requests that are processed for the distribution you are viewing.

# Set up rate limiting
<a name="WAF-one-click-rate-limiting"></a>

Rate limiting is one of the recommendations you may receive when configuring security protections. 

CloudFront always enables rate limiting in monitor mode. When monitor mode is enabled, CloudFront captures metrics that tell you if the rate you configured in the **Rate limiting** field has been exceeded, how often, and by how much.

After you save the distribution, CloudFront starts to collect data based on the number in the **Rate limiting** field. 

You can enable or manage the rate limiting settings in the **Security - Web Application Firewall (WAF)** section on the **Security** tab of any CloudFront distribution.

**Note**  
The **Rate limiting** option only appears in the CloudFront console if you specified a non-S3 custom origin for your distribution. Otherwise, you will only see the **Core protections** enabled for the distribution. For more information about origin types, see [Use various origins with CloudFront distributions](DownloadDistS3AndCustomOrigins.md).

**To set up rate limiting**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. In the navigation pane, choose **Distributions**, and then choose the distribution that you want to change.

1. Choose the **Security** tab.

1. In the **Security – Web Application Firewall (WAF)** section, choose **Edit**.

1. Under **Additional protections**, select **Rate limiting**. You can optionally change the rate limit. When you have fine-tuned the rate, choose **Save changes**.

1. In the **Security – Web Application Firewall (WAF)** section, next to **Rate limiting**, you can choose **Monitor mode** and then choose **Enable blocking** to deactivate monitor mode. CloudFront will start to block requests that exceed the specified rate limit.
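What the console does when you move from monitor mode to **Enable blocking** is a change to the rate-based rule's action in the web ACL: the rule stays the same, only `Count` becomes `Block`. The following is an added example, not code from this guide or from AWS: it builds a rate-based rule in the shape the AWS WAF `wafv2` API takes for a web ACL rule, and flips it from monitor (Count) to blocking. The rule name `RateLimit`, the priority and the limit are placeholders; a web ACL with scope `CLOUDFRONT` is managed in the us-east-1 Region.

```python
import copy


def rate_limit_rule(limit, monitor=True, name="RateLimit", priority=10, window_sec=300):
    """Return a rate-based rule keyed on client IP in the wafv2 web ACL rule layout.
    monitor=True gives a Count action (monitor mode): matches are logged and counted but not blocked.
    monitor=False gives a Block action, which is what the console's "Enable blocking" switches to.
    window_sec is the evaluation window the limit applies to (placeholder default of 300 seconds)."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP",
                                             "EvaluationWindowSec": window_sec}},
        "Action": {"Count": {}} if monitor else {"Block": {}},
        # Metrics must stay on for the dashboard to report how often and by how much the limit is exceeded.
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def enable_blocking(rules, name="RateLimit"):
    """Return a copy of `rules` with the named rate-based rule switched from Count to Block.
    Other rules, and a rule that is already blocking, are left untouched."""
    out = []
    for rule in rules:
        rule = copy.deepcopy(rule)
        if rule["Name"] == name and "RateBasedStatement" in rule["Statement"] and "Count" in rule["Action"]:
            rule["Action"] = {"Block": {}}
        out.append(rule)
    return out


def is_monitor_only(rules, name="RateLimit"):
    """True when the named rate-based rule exists and still only counts (monitor mode)."""
    return any(r["Name"] == name and "Count" in r["Action"] for r in rules)
```

The resulting list is what you would pass as `Rules` to the `wafv2` UpdateWebACL call (along with the web ACL's current lock token); confirm with `is_monitor_only` before and after so you know the change actually took effect.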

For more information about enabling AWS WAF and rate limiting, see the [Introducing CloudFront Security Dashboard, a Unified CDN and Security Experience](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cloudfront-security-dashboard-a-unified-cdn-and-security-experience/) blog post.

# Disable AWS WAF security protections
<a name="disable-waf"></a>

If your distribution doesn't need AWS WAF security protections, you can disable this feature by using the CloudFront console. 

If you previously enabled AWS WAF protection and didn't choose an existing WAF configuration (also known as one-click protection), CloudFront automatically created a web ACL for you. For web ACLs created this way, the CloudFront console will disassociate the resource and delete the web ACL. 

Disassociating a web ACL is different from deleting it. Disassociating removes the web ACL from your distribution, but it's not deleted from your AWS account. For more information, see [Associating or disassociating a web ACL with an AWS resource](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html) in the *AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide*.

See the following procedure to disable AWS WAF protections and disassociate the web ACL from your distribution.

**To disable AWS WAF security protections in CloudFront**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. In the navigation pane, choose **Distributions**, and then choose the distribution that you want to change.

1. Choose the **Security** tab and then choose **Edit**.

1. In the **Web Application Firewall (WAF)** section, choose **Disable AWS WAF protection**.

1. Choose **Save changes**.

**Notes**  
If you disabled AWS WAF security protection and you still want to delete the web ACL from your AWS account, you can delete it manually. Follow the procedure to [delete a web ACL](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-deleting.html). In the AWS WAF & Shield console, for the **Web ACLs** page, you *must* choose the **Global (CloudFront)** list to find the web ACLs.
When you delete a distribution from the CloudFront console, CloudFront will attempt to also delete the web ACL if you chose one-click protection. This is best effort and isn't always guaranteed. For more information, see [Delete a distribution](HowToDeleteDistribution.md).