WAFV2 / Client / associate_web_acl



Associates a web ACL with a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

For Amazon CloudFront, don’t use this call. Instead, use your CloudFront distribution configuration. To associate a web ACL, in the CloudFront call UpdateDistribution, set the web ACL ID to the Amazon Resource Name (ARN) of the web ACL. For information, see UpdateDistribution in the Amazon CloudFront Developer Guide.

When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.

See also: AWS API Documentation

Request Syntax

response = client.associate_web_acl(
    WebACLArn='string',
    ResourceArn='string'
)

Parameters:

  • WebACLArn (string) –


    The Amazon Resource Name (ARN) of the web ACL that you want to associate with the resource.

  • ResourceArn (string) –


    The Amazon Resource Name (ARN) of the resource to associate with the web ACL.

    The ARN must be in one of the following formats:

    • For an Application Load Balancer: arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id

    • For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name

    • For an AppSync GraphQL API: arn:partition:appsync:region:account-id:apis/GraphQLApiId

    • For an Amazon Cognito user pool: arn:partition:cognito-idp:region:account-id:userpool/user-pool-id

    • For an App Runner service: arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id

    • For an Amazon Web Services Verified Access instance: arn:partition:ec2:region:account-id:verified-access-instance/instance-id

Return type:

    dict

Response Syntax


Response Structure

  • (dict) –


Exceptions

  • WAFV2.Client.exceptions.WAFInternalErrorException

  • WAFV2.Client.exceptions.WAFInvalidParameterException

  • WAFV2.Client.exceptions.WAFNonexistentItemException

  • WAFV2.Client.exceptions.WAFUnavailableEntityException

  • WAFV2.Client.exceptions.WAFInvalidOperationException
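
Example (added here, not part of the AWS documentation): a pre-flight check of ResourceArn against the formats listed above, followed by the association call and a confirmation poll that allows for the brief propagation delay described earlier. The helper names, the retry counts, the choice to retry on WAFUnavailableEntityException, and the use of get_web_acl_for_resource (a separate WAFV2 client call not documented on this page) are assumptions; client is a boto3 WAFV2 client created in the resource's Region.

```python
import re
import time

# Added example: names and retry values are illustrative, not from boto3.
# Resource ARN shapes accepted by associate_web_acl: (service, resource pattern).
RESOURCE_PATTERNS = {
    "alb": ("elasticloadbalancing", r"loadbalancer/app/[^/]+/[^/]+"),
    "apigateway": ("apigateway", r"/restapis/[^/]+/stages/[^/]+"),
    "appsync": ("appsync", r"apis/[^/]+"),
    "cognito": ("cognito-idp", r"userpool/[^/]+"),
    "apprunner": ("apprunner", r"service/[^/]+/[^/]+"),
    "verified-access": ("ec2", r"verified-access-instance/[^/]+"),
}


def classify_resource_arn(arn):
    """Return the resource kind for a regional ARN, or raise ValueError."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, _, service, region, account, resource = parts
    if service == "cloudfront":
        raise ValueError("CloudFront: set the web ACL in the distribution config")
    for kind, (svc, pattern) in RESOURCE_PATTERNS.items():
        if service == svc and region and re.fullmatch(pattern, resource):
            # API Gateway stage ARNs have an empty account-id; the others do not.
            if (kind == "apigateway") == (account == ""):
                return kind
    raise ValueError(f"unsupported resource ARN for associate_web_acl: {arn!r}")


def associate_and_confirm(client, web_acl_arn, resource_arn, attempts=5, delay=2.0):
    """Associate, then poll until the resource reports the expected web ACL."""
    classify_resource_arn(resource_arn)  # fail before any API call is made
    for attempt in range(attempts):
        try:
            client.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=resource_arn)
            break
        except client.exceptions.WAFUnavailableEntityException:
            if attempt == attempts - 1:
                raise
            time.sleep(delay)
    for _ in range(attempts):
        seen = client.get_web_acl_for_resource(ResourceArn=resource_arn)
        if seen.get("WebACL", {}).get("ARN") == web_acl_arn:
            return True
        time.sleep(delay)
    return False
```

A False return means the resource did not report the expected web ACL within the polling window, so the resource should be treated as unprotected until a later check confirms the association.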