diff --git a/modules/cloudfront_distribution/aws-waf-1.png b/modules/cloudfront_distribution/aws-waf-1.png new file mode 100644 index 000000000..5465abb01 Binary files /dev/null and b/modules/cloudfront_distribution/aws-waf-1.png differ diff --git a/modules/cloudfront_distribution/aws-waf-2.png b/modules/cloudfront_distribution/aws-waf-2.png new file mode 100644 index 000000000..0fa086b4d Binary files /dev/null and b/modules/cloudfront_distribution/aws-waf-2.png differ diff --git a/modules/cloudfront_distribution/aws-waf-3.png b/modules/cloudfront_distribution/aws-waf-3.png new file mode 100644 index 000000000..198616be2 Binary files /dev/null and b/modules/cloudfront_distribution/aws-waf-3.png differ diff --git a/modules/cloudfront_distribution/cloudfront-distribution.md b/modules/cloudfront_distribution/cloudfront-distribution.md index cbd0b457f..6106e0516 100644 --- a/modules/cloudfront_distribution/cloudfront-distribution.md +++ b/modules/cloudfront_distribution/cloudfront-distribution.md 
@@ -78,10 +78,40 @@ also manually configure DNS / SSL from outside of Opta using the following steps 2. Get an [AWS ACM certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) for your site. Make sure that you get it in region us-east-1. If you already have one at hand in your account (e.g. from another active Opta deployment), then feel free to reuse that. -3. [Validate](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html) the certificate by adding the correct CNAME entries in your domain's DNS settings. +3. [Validate](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html) the certificate by adding the correct CNAME entries in your domain's DNS settings. Specific instructions for popular domain providers are [explained here](https://docs.aws.amazon.com/amplify/latest/userguide/custom-domains.html). 4. Fill in the `acm_cert_arn` field for the cloudfront module with the arn of your cert. 5. In your hosted zone, create either an A record (if it's on the same AWS account) or a CNAME pointing to the cloudfront distribution url (the `cloudfront_domain` output). Alternatively, if it's a hosted zone on the same AWS account you could pass the `zone_id` to the cloudfront module to have Opta automatically take care of this for you. 6. Fill in the `domains` field to include the domains for which you have the certificate for (no need to include wildcard repetition, that's automatic). 7. Opta apply and you're done! + +### AWS WAF with Cloudfront + +[AWS WAF](https://aws.amazon.com/waf/) is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. In this section we explain how to configure AWS WAF with your Cloudfront distribution. 
+ +As a pre-requisite, follow the steps in the previous section (__Using your own domain__) to create a and validate a certificate for the custom domain. After completing those steps, users have the ability to access your services at `https://your-custom-domain`; and because your CNAME record for your custom domain points to the cloudfront distribution URL, traffic will be directed through your cloud-front distribution. + +Next, we need to create an AWS WAF to protect our service and cloudfront CDN cache. We do this via the [AWS WAF GUI](https://console.aws.amazon.com/wafv2/homev2). + +Here are a few screen shots showing how the WAF GUI values can be configured for a "passthrough" WAF to start with. + +We start at the WAF landing page in the AWS Console: + + + + + +We configure the WAF to use the cloudfront distribution we created with Opta; this can be selected by selecting the `Cloudfront distribution` radio button and then clicking on the `Add AWS Resources` button to select the cloudfront distribution; you should then end up with something like so: + + + + + +The initial configuration of the WAF allows all traffic: + + + + + +Finally, please [configure AWS WAF rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) for your specific application protection needs.
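Review bot: the new "AWS WAF with Cloudfront" section walks the reader through a web ACL whose only configuration "allows all traffic" and then defers to the generic WAF docs, so as written the procedure leaves the distribution with a WAF that blocks nothing; the paragraph before the final link should state plainly that the passthrough ACL provides no protection until rules are added, and point at the managed rule groups or rate-based rules the reader is expected to attach (and at enabling web ACL logging so that blocked requests can be reviewed). Two smaller points in the same hunk: the text says "create a and validate a certificate" (drop the stray "a"), and it switches between "cloudfront" and "cloud-front"; pick one spelling. Also worth a sentence: a web ACL that is to be associated with a CloudFront distribution has to be created with the CloudFront (global) scope in us-east-1, the same region constraint the section already states for the ACM certificate, otherwise the distribution will not appear under "Add AWS Resources". Finally, three PNGs (`aws-waf-1.png` to `aws-waf-3.png`) are added in this patch but the visible markdown contains only blank lines where the screenshots are described ("We start at the WAF landing page", "you should then end up with something like so", "The initial configuration of the WAF allows all traffic"); please confirm the image references are actually present in the file and not lost.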