I am trying to add a CloudFront distribution to AWS WAF by using CloudFormation and have tried this:

    {
      "Type": "AWS::WAFRegional::WebACLAssociation",
      "Properties": {
        "ResourceArn": "arn:aws:cloudfront::AccountID:distribution/CloudFrontID",
        "WebACLId": {
          "Ref": "WebACLName"
        }
      }
    }

But I ended up with this error:

    The referenced item does not exist. (Service: AWSWAFRegional; Status Code: 400; Error Code: WAFNonexistentItemException; Request ID: 149453cd-1606-11e8-86b2-a3efdb49d9d1)
Using AWS WAF with CloudFront for applications running on your own HTTP server. When you use AWS WAF with CloudFront, you can protect your applications running on any HTTP webserver, whether it's a webserver that's running in Amazon Elastic Compute Cloud (Amazon EC2) or a webserver that you manage privately.
You can use AWS WAF to create custom, application-specific rules that block attack patterns to ensure application availability, secure resources, and prevent excessive resource consumption. The WAF Automation on AWS solution supports the latest version of AWS WAF (AWS WAFV2) service API.
Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/ . In the navigation pane, choose Rule groups, and then Create rule group. Enter a name and description for the rule group. You'll use these to identify the rule group when you manage and use it.
AWS WAF Web ACL evaluates each request with configured rules containing conditions. If a request matches a block condition, the request results in returning an HTTP 403 error (forbidden) to the client computer. If a request matches a count rule, the requests are served. The origin configured in CloudFront serves allowed or counted requests.
A zipped version of the CloudFormation templates for the example stack and other AWS WAF example solutions is available in our GitHub repository: aws-waf-sample repository. This blog post has shown you how to use CloudFormation to automate the configuration of a basic set of rules and match conditions to get started with AWS WAF.
In a WebACL, you also specify a default action (ALLOW or BLOCK), and the action for each Rule that you add to a WebACL, for example, block requests from specified IP addresses or block requests from specified referrers. You also associate the WebACL with an Amazon CloudFront distribution to identify the requests that you want AWS WAF to filter.
AWS::CloudFront::Distribution. A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. To declare this entity in your AWS CloudFormation template, use the following syntax:
AWS::WAFRegional::* is actually for association with Application Load Balancers. You'll want to use the AWS::WAF::* types (without the "Regional").
Then for the association you have to do it from the CloudFront distribution itself. Like so:

    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "WebACLId": { "Ref": "MyWebACL" }
        }
      }
    }

That part is explained in the CloudFormation documentation.
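As an added, complete example (not code from the question or the answer above), here is a CloudFormation template that wires a global web ACL to a CloudFront distribution the way the answer describes: there is no WebACLAssociation resource for CloudFront; the distribution's DistributionConfig.WebACLId property does the association. The template uses the current AWS::WAFv2::WebACL type with Scope CLOUDFRONT, which must be deployed in us-east-1 and is referenced by ARN (GetAtt ... Arn); with the older AWS::WAF::WebACL type from the answer, WebACLId takes the Ref (the web ACL ID) instead. The resource names, the origin hostname parameter and the managed rule group choice are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original post): a global AWS WAFv2 web ACL
  attached to a CloudFront distribution via DistributionConfig.WebACLId.
  Deploy this stack in us-east-1; a web ACL with Scope CLOUDFRONT must live there.

Parameters:
  OriginDomainName:
    Type: String
    Description: Hostname of the HTTP origin (placeholder; replace with your own).
    Default: origin.example.com

Resources:
  CloudFrontWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-cloudfront-acl
      # CLOUDFRONT = global scope. REGIONAL is the scope that goes with
      # AWS::WAFv2::WebACLAssociation for ALB, API Gateway and similar resources.
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ExampleCloudFrontACL
      Rules:
        # AWS-managed baseline rule group; rule-group rules use OverrideAction,
        # not Action. "None" keeps the group's own block/count actions.
        - Name: AWSManagedCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedCommonRuleSet

  MyDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        # The association happens here. For WAFv2 the value is the web ACL ARN;
        # for AWS WAF Classic (AWS::WAF::WebACL) it would be !Ref of the web ACL.
        WebACLId: !GetAtt CloudFrontWebACL.Arn
        Origins:
          - Id: primary-origin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: primary-origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none

Outputs:
  WebACLArn:
    Description: ARN of the web ACL associated with the distribution
    Value: !GetAtt CloudFrontWebACL.Arn
  DistributionDomainName:
    Value: !GetAtt MyDistribution.DomainName
```

The WAFNonexistentItemException in the question is what you get when a regional WAF API is handed a CloudFront ARN: the regional service has no record of the distribution, so the "referenced item" does not exist from its point of view. Keeping the web ACL global (Scope CLOUDFRONT, deployed in us-east-1) and pointing the distribution at it avoids that mismatch.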