

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Associating or disassociating protection with an AWS resource
<a name="web-acl-associating-aws-resource"></a>

You can use AWS WAF to create the following associations between protection packs (web ACLs) and your resources: 
+ Associate a regional protection pack (web ACL) with any of the regional resources listed below. For this option, the protection pack (web ACL) must be in the same region as your resource. 
  + Amazon API Gateway REST API
  + Application Load Balancer
  + AWS AppSync GraphQL API
  + Amazon Cognito user pool
  + AWS App Runner service
  + AWS Verified Access instance
  + AWS Amplify
+ Associate a global protection pack (web ACL) with an Amazon CloudFront distribution. The global protection pack (web ACL) has a hard-coded Region of US East (N. Virginia).

You can also associate a protection pack (web ACL) with a CloudFront distribution when you create or update the distribution itself. For information, see [Using AWS WAF to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the *Amazon CloudFront Developer Guide*.

**Restrictions on multiple associations**  
You can associate a single protection pack (web ACL) with one or more AWS resources, according to the following restrictions:
+ You can associate each AWS resource with only one protection pack (web ACL). The relationship between protection pack (web ACL) and AWS resources is one-to-many. 
+ You can associate a protection pack (web ACL) with one or more CloudFront distributions. You cannot associate a protection pack (web ACL) that you have associated with a CloudFront distribution with any other AWS resource type.

**Additional restrictions**  
The following additional restrictions apply to protection pack (web ACL) associations: 
+ You can only associate a protection pack (web ACL) to an Application Load Balancer within AWS Regions. For example, you cannot associate a protection pack (web ACL) to an Application Load Balancer that is on AWS Outposts.
+ You can't associate an Amazon Cognito user pool with a protection pack (web ACL) that uses the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet`. For information about account creation fraud prevention, see [AWS WAF Fraud Control account creation fraud prevention (ACFP)](waf-acfp.md). For information about account takeover prevention, see [AWS WAF Fraud Control account takeover prevention (ATP)](waf-atp.md). 
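
The scope, Region, and Cognito restrictions above can be checked before an association is attempted. The following pre-flight check is an added example, not AWS code: `parse_arn`, `check_association`, the result codes, and the `existing` inventory mapping are hypothetical names, and the ARNs in the demo are constructed samples.

```python
from typing import Dict, Iterable, List, Optional

# Managed rule groups that cannot be used with an Amazon Cognito user pool.
FRAUD_RULE_GROUPS = {"AWSManagedRulesACFPRuleSet", "AWSManagedRulesATPRuleSet"}
GLOBAL_REGION = "us-east-1"  # US East (N. Virginia)

def parse_arn(arn: str) -> Dict[str, str]:
    """Split arn:partition:service:region:account:resource into named fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return {"service": parts[2], "region": parts[3], "resource": parts[5]}

def check_association(web_acl_arn: str, resource_arn: str,
                      rule_groups: Iterable[str] = (),
                      existing: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the restrictions a proposed association would violate ([] = none).

    rule_groups: managed rule group names used by the web ACL.
    existing: hypothetical inventory mapping resource ARN -> associated web ACL ARN.
    """
    acl, res = parse_arn(web_acl_arn), parse_arn(resource_arn)
    if acl["service"] != "wafv2":
        raise ValueError("first argument must be a wafv2 web ACL ARN")
    scope = acl["resource"].split("/", 1)[0]  # "regional" or "global"
    problems = []
    if res["service"] == "cloudfront":
        # CloudFront needs a global web ACL, which lives in US East (N. Virginia).
        if scope != "global" or acl["region"] != GLOBAL_REGION:
            problems.append("SCOPE_MISMATCH")
    elif scope != "regional":
        # A web ACL used for CloudFront cannot protect any other resource type.
        problems.append("SCOPE_MISMATCH")
    elif acl["region"] != res["region"]:
        problems.append("REGION_MISMATCH")
    if res["service"] == "cognito-idp" and FRAUD_RULE_GROUPS & set(rule_groups):
        problems.append("COGNITO_FRAUD_RULE_GROUP")
    current = (existing or {}).get(resource_arn)
    if current is not None and current != web_acl_arn:
        # Each resource can be associated with only one web ACL.
        problems.append("ALREADY_ASSOCIATED")
    return problems

if __name__ == "__main__":
    # Constructed sample ARNs: a us-east-1 regional web ACL and a us-west-2 load balancer.
    acl = "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/demo/0000"
    alb = "arn:aws:elasticloadbalancing:us-west-2:111122223333:loadbalancer/app/demo/0000"
    print(check_association(acl, alb))
```

The check works from ARNs alone, so it does not detect an Application Load Balancer that is on AWS Outposts.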

**Production traffic risk**  
Before you deploy your protection pack (web ACL) for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

# Associating protection with an AWS resource
<a name="web-acl-associating"></a>

------
#### [ Using the new console ]

1. Choose the protection pack (web ACL) that you want to edit. The console makes the main protection pack (web ACL) card editable, and also opens a side panel with details you can edit.

1. In the protection pack (web ACL) card, choose the **Edit** link next to **Resources** to open the **Manage resources** panel.

1. In the **Manage resources** section for the rule group, choose **Add regional resources** or **Add global resources**.

1. Choose resources and then choose **Add**.

------
#### [ Using the standard console ]

To associate a web ACL with an AWS resource, perform the following procedure.

**To associate a web ACL with an AWS resource**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **web ACLs**.

1. Choose the name of the web ACL that you want to associate with a resource. The console takes you to the web ACL's description, where you can edit it.

1. On the **Associated AWS resources** tab, choose **Add AWS resources**.

1. When prompted, choose the resource type, select the radio button next to the resource that you want to associate, and then choose **Add**. 

------

# Disassociating protection from an AWS resource
<a name="web-acl-dissociating-aws-resource"></a>

------
#### [ Using the new console ]

1. Choose the protection pack (web ACL) that you want to edit. The console makes the main protection pack (web ACL) card editable, and also opens a side panel with details you can edit.

1. In the protection pack (web ACL) card, choose the **Edit** link next to **Resources** to open the **Manage resources** panel.

1. In the **Manage resources** section for the rule group, choose the resource you want to disassociate, and then choose **Disassociate**.
   **Note**  
   You must disassociate one resource at a time. Do not choose multiple resources.

1. In the confirmation page, type "disassociate", and then choose **Disassociate**.

------
#### [ Using the standard console ]

To disassociate a web ACL from an AWS resource, perform the following procedure.

**To disassociate a web ACL from an AWS resource**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **web ACLs**.

1. Choose the name of the web ACL that you want to disassociate from your resource. The console takes you to the web ACL's description, where you can edit it.

1. On the **Associated AWS resources** tab, select the resource that you want to disassociate this web ACL from. 
   **Note**  
   You must disassociate one resource at a time. Do not choose multiple resources.

   **Note**  
   When you choose to associate an Application Load Balancer with your web ACL, **Resource-level DDoS protection** is enabled. For more information, see [AWS WAF Distributed Denial of Service (DDoS) prevention](waf-anti-ddos.md).

1. Choose **Disassociate**. The console opens a confirmation dialogue. Confirm your choice to disassociate the web ACL from the AWS resource. 

------