• Go to the AWS WAF service, select the Web ACLs on the left, and then "Create web ACL"

* The first step is creating the name, and select the resource type. We'll create two ACLs, one for CloudFont which global region, one for APIGateway with Canada region. The screenshot shows the example for the APIGateway ACL

• And then we need to set some security rules. For our starting point, we'll select the following rules from the AWS managed rule groups:

• Amazon IP reputation list (AWS-AWSManagedRulesAmazonIpReputationList)
• Core rule set (AWS-AWSManagedRulesCommonRuleSet)
• Known bad inputs (AWS-AWSManagedRulesKnownBadInputsRuleSet)
• Linux operating system (AWS-AWSManagedRulesLinuxRuleSet)
• SQL database (AWS-AWSManagedRulesSQLiRuleSet)

* Default web ACL action is "allow" * And then we just click next until finish create this ACL

• Find our cloudfont distribution click "Edit" for setting

* Choose the AWS WAF we created for cloudfont and then save changes

• Go to "Stages" and "Settings" for our current version, select the AWS WAF we created for api gateway

It's hard to test that for CloudFont because of the cache. We could only test the api gateway. So change the default web ACL action from "allow" to "block", and verify the api web page is no longer accessible, and the api call is not working anymore.