Confused about how AWS WAF works

So when creating a web ACL I have the option to add AWS resources, BUT it shows as "optional". The definition states that it "lets you monitor web requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer" – see below:



What happens if I don’t pick the resources – is it somehow global, or will it just not work? Very confusing. Please advise.

I’m no expert — but…

Typically in these scenarios, a WAF is an associated resource. i.e. In order for it to work, it needs to be associated with either a CloudFront distribution, an ALB, or an API Gateway. If it is not associated with any of these — it still exists, but doesn’t effectively block any traffic from anything.

You can associate the WAF with these resources either when creating the WAF (as in your picture) or when creating the resources (like a CloudFront distribution).

It’s basically a chicken n’ egg scenario — you can either create the WAF first, or the CloudFront distribution first, and then associate the two once both are created. But in the former, you still need the ability to create the WAF without any associations.
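
A way to check for the situation the answer describes (a web ACL that exists but is attached to nothing), as an added example that is not part of the original thread. It assumes the WAFv2 API reached through boto3-style clients and only checks the resource types named in the question; `StubWafv2` and its ARNs are constructed sample data.

```python
# Report WAFv2 web ACLs that exist but are associated with no resource.
# Clients are boto3-style; StubWafv2 below is constructed sample data.
REGIONAL_TYPES = ("APPLICATION_LOAD_BALANCER", "API_GATEWAY")


def list_web_acls(wafv2, scope):
    """Yield every web ACL summary in a scope, following NextMarker paging."""
    kwargs = {"Scope": scope}
    while True:
        page = wafv2.list_web_acls(**kwargs)
        acls = page.get("WebACLs", [])
        yield from acls
        if not acls or not page.get("NextMarker"):  # also stop on an empty page
            return
        kwargs["NextMarker"] = page["NextMarker"]


def associated_resources(acl_arn, scope, wafv2, cloudfront=None):
    """Return identifiers of the resources a web ACL is attached to."""
    if scope == "CLOUDFRONT":
        # CloudFront associations are listed through the CloudFront API.
        resp = cloudfront.list_distributions_by_web_acl_id(WebACLId=acl_arn)
        return [d["Id"] for d in resp["DistributionList"].get("Items", [])]
    found = []
    for rtype in REGIONAL_TYPES:
        resp = wafv2.list_resources_for_web_acl(WebACLArn=acl_arn, ResourceType=rtype)
        found.extend(resp.get("ResourceArns", []))
    return found


def unassociated_web_acls(scope, wafv2, cloudfront=None):
    """Names of web ACLs in `scope` that are attached to nothing."""
    return [a["Name"] for a in list_web_acls(wafv2, scope)
            if not associated_resources(a["ARN"], scope, wafv2, cloudfront)]


class StubWafv2:
    """Constructed stand-in for the wafv2 client: two ACLs, one attached."""
    def list_web_acls(self, Scope, NextMarker=None):
        names = [] if NextMarker else ["in-use", "orphan"]  # page 2 is empty
        return {"NextMarker": "orphan",
                "WebACLs": [{"Name": n, "ARN": "arn:example:" + n} for n in names]}

    def list_resources_for_web_acl(self, WebACLArn, ResourceType):
        hit = WebACLArn.endswith("in-use") and ResourceType == "APPLICATION_LOAD_BALANCER"
        return {"ResourceArns": ["arn:example:alb/app"] if hit else []}


if __name__ == "__main__":
    print(unassociated_web_acls("REGIONAL", StubWafv2()))
```

Against a real account, pass `boto3.client("wafv2")` and `boto3.client("cloudfront")` in place of the stub; web ACLs with `CLOUDFRONT` scope are managed through the us-east-1 region.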

