Remove Empty AWS WAFv2 Web ACLs

Overview

Clean up unused AWS WAFv2 Web ACLs by identifying and deleting ACLs that contain no rules or rule groups. This plan inventories all in-scope Web ACLs, pinpoints those that are truly empty, guides you through selecting which ones to remove, and then deletes only the approved, still-empty, and safely unassociated ACLs. A final validation step confirms which ACLs were successfully deleted and highlights any that require follow-up.

Execution Details

Assessment

Inventory WAFv2 Web ACLs and basic configuration

First, gather a complete inventory of WAFv2 Web ACLs across the chosen scopes and Regions (for example, CLOUDFRONT and/or specific REGIONAL Regions). For each Web ACL, the plan records:

  • ARN, name, scope, and Region
  • Default action (such as Allow or Block)
  • Any available metrics or logging identifiers
  • Tags to help with ownership and environment context
  • Any indication of associated resources (for example, CloudFront distributions, ALBs, APIs), when available

This information is stored in a structured format for use in later steps.

Identify WAFv2 Web ACLs with no rules

Using the inventory, the plan inspects each Web ACL’s full configuration to determine whether it has any top-level rules or rule groups. Web ACLs whose rules list is completely empty are marked as candidates for deletion. For each candidate, the plan preserves key details (ARN, name, scope, Region, default action, tags, and association information) and compiles them into a structured candidate list.

User: Approve empty Web ACLs for deletion

The plan then guides you through reviewing the candidate list of empty Web ACLs. It:

  • Presents each empty Web ACL with its identifiers, configuration details, and any known resource associations
  • Clearly highlights empty Web ACLs that still appear to be associated with resources, so you can decide whether to retain them (an empty Web ACL still applies its default action to every request, so one that defaults to Block is actively blocking all traffic to its associated resources, while one that defaults to Allow provides no protection)
  • Allows you to select which empty Web ACLs should be deleted and which should be kept as exceptions, optionally capturing a rationale for retaining them

The outcome is a user-approved list of Web ACLs (with ARNs, scopes, and Regions) that are authorized for deletion.

Configuration

Delete approved empty WAFv2 Web ACLs

The plan deletes only the Web ACLs that you have explicitly approved. Before each deletion, it:

  • Re-checks the current configuration to ensure the Web ACL is still empty
  • Verifies that the Web ACL is not associated with resources, or that associations can be safely handled within the scope of the plan

If a Web ACL is no longer empty or remains associated in a way that cannot be safely changed, the plan skips deletion and records it as an exception with the reason. For each attempted deletion, the plan records the outcome and any errors, then reconfirms that successfully deleted Web ACLs are no longer present. A summary of deletions and exceptions is produced for your review.

Validation

Validate empty WAFv2 Web ACLs are deleted

Finally, the plan validates that all user-approved empty Web ACLs reported as successfully deleted are truly gone:

  • Retrieves the current Web ACL list for the relevant scopes and Regions
  • Confirms that each Web ACL ARN marked as deleted no longer exists
  • Identifies any Web ACLs that were intended for deletion but remain, and determines whether they failed deletion or were intentionally skipped (for example, became non-empty or stayed associated)

A validation report summarizes which empty Web ACLs were successfully removed and which require additional remediation or follow-up actions.
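The three phases above (inventory and empty-ACL detection, re-checked deletion, and validation) map directly onto a handful of WAFv2 API calls. The following is an added example, not code from the plan itself: the functions are written against the boto3 wafv2 client methods `list_web_acls`, `get_web_acl`, `list_resources_for_web_acl` and `delete_web_acl`, and a constructed in-memory `FakeWafv2` class with the same method names stands in for the real client so the module runs offline. The ARNs and Web ACL names inside the fake are sample values. CloudFront-scope association lookups (done from the CloudFront side) are out of scope for this example; the "user approval" step is simulated by approving every candidate.

```python
"""Empty WAFv2 Web ACL cleanup (added example; FakeWafv2 is a constructed offline stand-in
for boto3.client("wafv2"), whose methods of the same names and keyword arguments also work)."""
from dataclasses import dataclass, field

# Resource types accepted by list_resources_for_web_acl (REGIONAL scope only; CloudFront
# associations are looked up from the CloudFront side and are not covered here).
REGIONAL_RESOURCE_TYPES = ("APPLICATION_LOAD_BALANCER", "API_GATEWAY", "APPSYNC",
                           "COGNITO_USER_POOL", "APP_RUNNER_SERVICE", "VERIFIED_ACCESS_INSTANCE")

@dataclass
class WebAclRecord:
    name: str
    id: str
    arn: str
    scope: str
    default_action: str  # "Allow" or "Block"
    rule_count: int
    associations: list = field(default_factory=list)

def _associations(wafv2, scope, arn):
    """ARNs of resources currently protected by the Web ACL (REGIONAL lookups only)."""
    if scope != "REGIONAL":
        return []
    return [r for t in REGIONAL_RESOURCE_TYPES
            for r in wafv2.list_resources_for_web_acl(WebACLArn=arn, ResourceType=t)["ResourceArns"]]

def inventory_web_acls(wafv2, scope):
    """Assessment: page through list_web_acls and record each ACL's full configuration."""
    records, kwargs = [], {"Scope": scope, "Limit": 100}
    while True:
        page = wafv2.list_web_acls(**kwargs)
        for s in page["WebACLs"]:
            acl = wafv2.get_web_acl(Name=s["Name"], Scope=scope, Id=s["Id"])["WebACL"]
            records.append(WebAclRecord(
                name=acl["Name"], id=acl["Id"], arn=acl["ARN"], scope=scope,
                default_action=next(iter(acl["DefaultAction"])),
                rule_count=len(acl.get("Rules", [])),
                associations=_associations(wafv2, scope, acl["ARN"])))
        if not page.get("NextMarker"):
            return records
        kwargs["NextMarker"] = page["NextMarker"]

def find_empty_candidates(records):
    """An empty top-level Rules list means no rules and no rule-group references."""
    return [r for r in records if r.rule_count == 0]

def delete_approved(wafv2, approved):
    """Configuration: re-check emptiness and associations right before each delete and pass
    the freshly read LockToken, so a concurrent change makes the delete fail closed."""
    deleted, exceptions = [], {}
    for rec in approved:
        current = wafv2.get_web_acl(Name=rec.name, Scope=rec.scope, Id=rec.id)
        if current["WebACL"].get("Rules"):
            exceptions[rec.arn] = "skipped: no longer empty"
        elif _associations(wafv2, rec.scope, rec.arn):
            exceptions[rec.arn] = "skipped: still associated with resources"
        else:
            try:
                wafv2.delete_web_acl(Name=rec.name, Scope=rec.scope, Id=rec.id,
                                     LockToken=current["LockToken"])
                deleted.append(rec.arn)
            except Exception as exc:  # e.g. WAFOptimisticLockException from boto3
                exceptions[rec.arn] = f"delete failed: {exc}"
    return deleted, exceptions

def validate_deleted(wafv2, scope, deleted_arns):
    """Validation: any ARN reported deleted that is still listed needs follow-up."""
    remaining = {r.arn for r in inventory_web_acls(wafv2, scope)}
    return [arn for arn in deleted_arns if arn in remaining]

class FakeWafv2:
    """Constructed in-memory stand-in for the boto3 client; ARNs are sample values."""
    def __init__(self):
        self.acls = {
            "id-1": {"Name": "empty-unused", "Id": "id-1", "ARN": "arn:example:acl/empty-unused",
                     "DefaultAction": {"Allow": {}}, "Rules": []},
            "id-2": {"Name": "empty-on-alb", "Id": "id-2", "ARN": "arn:example:acl/empty-on-alb",
                     "DefaultAction": {"Block": {}}, "Rules": []},
            "id-3": {"Name": "prod-edge", "Id": "id-3", "ARN": "arn:example:acl/prod-edge",
                     "DefaultAction": {"Allow": {}}, "Rules": [{"Name": "rate-limit"}]}}
        self.assoc = {"arn:example:acl/empty-on-alb": {"APPLICATION_LOAD_BALANCER": ["arn:example:alb/web"]}}
        self.tokens = {i: f"tok-{i}" for i in self.acls}
    def list_web_acls(self, Scope, Limit, NextMarker=None):
        ids = sorted(self.acls)
        start = ids.index(NextMarker) if NextMarker else 0
        out = {"WebACLs": [{"Name": self.acls[i]["Name"], "Id": i} for i in ids[start:start + 2]]}
        if start + 2 < len(ids):  # two per page so pagination is exercised
            out["NextMarker"] = ids[start + 2]
        return out
    def get_web_acl(self, Name, Scope, Id):
        return {"WebACL": dict(self.acls[Id]), "LockToken": self.tokens[Id]}
    def list_resources_for_web_acl(self, WebACLArn, ResourceType):
        return {"ResourceArns": list(self.assoc.get(WebACLArn, {}).get(ResourceType, []))}
    def delete_web_acl(self, Name, Scope, Id, LockToken):
        if LockToken != self.tokens[Id]:
            raise RuntimeError("WAFOptimisticLockException")
        del self.acls[Id]
        return {}

def run_cleanup(wafv2, scope="REGIONAL"):
    """Whole plan on one client; user approval is simulated as approving every candidate."""
    candidates = find_empty_candidates(inventory_web_acls(wafv2, scope))
    deleted, exceptions = delete_approved(wafv2, candidates)
    return deleted, exceptions, validate_deleted(wafv2, scope, deleted)
```

Running `run_cleanup(FakeWafv2())` deletes only the empty, unassociated ACL, records the empty-but-associated one as an exception, and returns an empty leftover list from validation. Against real AWS, the re-read before each delete matters for two reasons: the `Rules` check catches an ACL that someone populated after approval, and the `LockToken` read in the same call makes the service reject the delete if the ACL changed between the read and the delete.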