AWS WAF ACL should be associated with AWS API Gateway Stage to protect web applications and API's from attacks.
In AWS Console -
In Terraform -
References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association