Create an AWS WAF web ACL and attach managed rule groups via the WAFV2 API

domain: docs.aws.amazon.com · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Determine the scope: use REGIONAL for Application Load Balancers, API Gateway, or AppSync; use CLOUDFRONT for CloudFront distributions (the web ACL must be created in us-east-1 regardless of the distribution's region).
  2. Create a web ACL with the create-web-acl CLI command or CreateWebACL API call; provide Name, Scope, DefaultAction (Allow or Block), and VisibilityConfig with CloudWatch metric name and sampling enabled.
  3. Add managed rule groups inside the Rules array using ManagedRuleGroupStatement: set VendorName to AWS for AWS Managed Rules; set Name to the rule group (for example AWSManagedRulesCommonRuleSet or AWSManagedRulesKnownBadInputsRuleSet); set Priority to a unique integer (lower number evaluates first).
  4. Attach the web ACL to your resource with associate-web-acl (for ALB or API Gateway) or by referencing the ACL ARN in your CloudFormation/Terraform template for CloudFront.
  5. Enable AWS WAF logging by creating a Kinesis Data Firehose delivery stream or CloudWatch Log Group and calling PutLoggingConfiguration with the web ACL ARN and the log destination ARN.
  6. Use DescribeManagedRuleGroup to inspect which rules a managed rule group contains and their labels before deploying, so you can add RuleActionOverrides to count (rather than block) specific rules during initial rollout.
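The six steps above, as an added worked example that is not part of the original route or AWS documentation: pure Python that builds the exact JSON the `aws wafv2 create-web-acl --cli-input-json` and `aws wafv2 put-logging-configuration --cli-input-json` commands accept, validates the scope/region and log-destination constraints the steps mention, and prints the CLI commands for steps 4 to 6. Nothing here calls AWS, so it runs offline; the account id, ARNs and the `SizeRestrictions_BODY` rule chosen for counting are constructed illustration values (take real rule names from `describe-managed-rule-group` output).

```python
"""Build WAFV2 request payloads for the create-web-acl / logging procedure.

Added example, not code from the page or from AWS. All ARNs below are
constructed placeholders.
"""
import json
import re

CLOUDFRONT_REGION = "us-east-1"          # CLOUDFRONT-scope ACLs live here only
LOG_DESTINATION_PREFIX = "aws-waf-logs-"  # required prefix for WAF log sinks


def metric_name(name: str) -> str:
    """WAF CloudWatch metric names allow only [A-Za-z0-9_-], max 128 chars."""
    cleaned = re.sub(r"[^A-Za-z0-9_-]", "", name)[:128]
    if not cleaned:
        raise ValueError("metric name would be empty")
    return cleaned


def visibility(name: str) -> dict:
    """VisibilityConfig with sampling and CloudWatch metrics enabled (step 2)."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name(name)}


def managed_rule(priority: int, group: str, count_rules=(), vendor="AWS") -> dict:
    """One Rules[] entry wrapping a ManagedRuleGroupStatement (step 3).

    A rule that references a rule group carries OverrideAction, not Action:
    {"None": {}} keeps each contained rule's own action, and RuleActionOverrides
    downgrades the listed rules to Count for the initial rollout (step 6).
    """
    statement = {"VendorName": vendor, "Name": group}
    if count_rules:
        statement["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in count_rules]
    return {"Name": f"{vendor}-{group}",
            "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": statement},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility(f"{vendor}{group}")}


def build_web_acl(name, scope, region, default_action, groups, count_rules=None):
    """CreateWebACL input (steps 1-3). `groups` is ordered: index = Priority."""
    if scope not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError(f"unknown scope {scope}")
    if scope == "CLOUDFRONT" and region != CLOUDFRONT_REGION:
        raise ValueError("CLOUDFRONT web ACLs must be created in us-east-1")
    if default_action not in ("Allow", "Block"):
        raise ValueError("DefaultAction must be Allow or Block")
    count_rules = count_rules or {}
    rules = [managed_rule(i, g, count_rules.get(g, ())) for i, g in enumerate(groups)]
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities must be unique")
    return {"Name": name, "Scope": scope,
            "DefaultAction": {default_action: {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}


def build_logging(web_acl_arn: str, destination_arn: str) -> dict:
    """PutLoggingConfiguration input (step 5); the sink name must start with
    aws-waf-logs- whether it is a Firehose stream or a CloudWatch log group."""
    sink = destination_arn.rstrip(":*").rsplit(":", 1)[-1].split("/")[-1]
    if not sink.startswith(LOG_DESTINATION_PREFIX):
        raise ValueError(f"log destination name must start with {LOG_DESTINATION_PREFIX}")
    return {"LoggingConfiguration": {"ResourceArn": web_acl_arn,
                                     "LogDestinationConfigs": [destination_arn]}}


def cli_commands(acl: dict, region: str, resource_arn: str) -> list:
    """The aws CLI invocations for steps 2, 4 and 6, in the order to run them."""
    scope = acl["Scope"]
    cmds = []
    for r in acl["Rules"]:  # step 6: inspect groups before deploying
        g = r["Statement"]["ManagedRuleGroupStatement"]
        cmds.append(f"aws wafv2 describe-managed-rule-group --scope {scope} "
                    f"--vendor-name {g['VendorName']} --name {g['Name']} --region {region}")
    cmds.append(f"aws wafv2 create-web-acl --cli-input-json file://web-acl.json --region {region}")
    if scope == "REGIONAL":  # step 4: ALB/API Gateway/AppSync use associate-web-acl
        cmds.append(f"aws wafv2 associate-web-acl --web-acl-arn <ACL_ARN_FROM_CREATE> "
                    f"--resource-arn {resource_arn} --region {region}")
    else:  # CloudFront references the ACL ARN as WebACLId in the distribution config
        cmds.append("# set DistributionConfig.WebACLId to the web ACL ARN (CloudFormation/Terraform)")
    cmds.append(f"aws wafv2 put-logging-configuration --cli-input-json file://logging.json --region {region}")
    return cmds


if __name__ == "__main__":
    region = "eu-west-1"  # constructed
    acl = build_web_acl("demo-acl", "REGIONAL", region, "Allow",
                        ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"],
                        {"AWSManagedRulesCommonRuleSet": ["SizeRestrictions_BODY"]})
    logging_cfg = build_logging(
        "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/demo-acl/PLACEHOLDER-ID",
        "arn:aws:firehose:eu-west-1:123456789012:deliverystream/aws-waf-logs-demo")
    print(json.dumps(acl, indent=2))
    print(json.dumps(logging_cfg, indent=2))
    for c in cli_commands(acl, region,
                          "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/demo/PLACEHOLDER"):
        print(c)
```

Running the script prints `web-acl.json` and `logging.json` contents followed by the commands; the rollout order it encodes is inspect the groups, create the ACL, associate it, then turn on logging, so the Count overrides are in place before any traffic is evaluated.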

Known gotchas
