diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
index ba8bac6636cd9..35f081faafc6b 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
@@ -336,10 +336,14 @@ export class Distribution extends Resource implements IDistribution {
       });
     }
 
+    if (props.webAclId) {
+      this.validateWebAclId(props.webAclId);
+      this.webAclId = props.webAclId;
+    }
+
     this.certificate = props.certificate;
     this.errorResponses = props.errorResponses ?? [];
     this.publishAdditionalMetrics = props.publishAdditionalMetrics;
-    this.webAclId = props.webAclId;
 
     // Comments have an undocumented limit of 128 characters
     const trimmedComment =
@@ -606,15 +610,27 @@ export class Distribution extends Resource implements IDistribution {
   /**
    * Attach WAF WebACL to this CloudFront distribution
    *
+   * WebACL must be in the us-east-1 region
+   *
    * @param webAclId The WAF WebACL to associate with this distribution
    */
   public attachWebAclId(webAclId: string) {
     if (this.webAclId) {
       throw new Error('A WebACL has already been attached to this distribution');
     }
+    this.validateWebAclId(webAclId);
     this.webAclId = webAclId;
   }
 
+  private validateWebAclId(webAclId: string) {
+    if (webAclId.startsWith('arn:')) {
+      const webAclRegion = Stack.of(this).splitArn(webAclId, ArnFormat.SLASH_RESOURCE_NAME).region;
+      if (!Token.isUnresolved(webAclRegion) && webAclRegion !== 'us-east-1') {
+        throw new Error(`WebACL for CloudFront distributions must be created in the us-east-1 region; received ${webAclRegion}`);
+      }
+    }
+  }
+
   private addOrigin(origin: IOrigin, isFailoverOrigin: boolean = false): string {
     const ORIGIN_ID_MAX_LENGTH = 128;
 
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
index ec8c36adf721b..470af4c0a0c09 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
@@ -1394,4 +1394,30 @@ describe('attachWebAclId', () => {
       distribution.attachWebAclId('473e64fd-f30b-4765-81a0-62ad96dd167b');
     }).toThrow(/A WebACL has already been attached to this distribution/);
   });
+
+  describe('throws if the WebAcl is not in us-east-1 region', () => {
+    test('when try to attach WebACL using `attachWebAclId` method', () => {
+      const origin = defaultOrigin();
+
+      const distribution = new Distribution(stack, 'MyDist', {
+        defaultBehavior: { origin },
+      });
+
+      expect(() => {
+        distribution.attachWebAclId('arn:aws:wafv2:ap-northeast-1:123456789012:global/web-acl/MyWebAcl/473e64fd-f30b-4765-81a0-62ad96dd167a');
+      }).toThrow(/WebACL for CloudFront distributions must be created in the us-east-1 region; received ap-northeast-1/);
+    });
+
+    test('when try to attach WebACL by specifying value for props', () => {
+      const origin = defaultOrigin();
+
+      expect(() => {
+        new Distribution(stack, 'MyDist', {
+          defaultBehavior: { origin },
+          webAclId: 'arn:aws:wafv2:ap-northeast-1:123456789012:global/web-acl/MyWebAcl/473e64fd-f30b-4765-81a0-62ad96dd167a',
+        });
+      }).toThrow(/WebACL for CloudFront distributions must be created in the us-east-1 region; received ap-northeast-1/);
+    });
+  });
+
 });
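Review bot: `if (props.webAclId)` is a truthiness test, so an explicit `webAclId: ''` is now silently dropped where the removed unconditional `this.webAclId = props.webAclId;` forwarded it to the rendered distribution; if an empty string was ever meaningful to callers, guard with `if (props.webAclId !== undefined)` instead so the behaviour change is deliberate. Validating before assignment is otherwise the right order, since a rejected ARN never reaches `this.webAclId`. The constructor body continues outside the hunk.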
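Review bot: `validateWebAclId` compares only the region, so a REGIONAL-scope WebACL that happens to live in us-east-1 (`arn:aws:wafv2:us-east-1:…:regional/webacl/…`) passes the check even though CloudFront accepts only the `global` scope; the `resource` component of the same `splitArn` result should hold that scope segment under `ArnFormat.SLASH_RESOURCE_NAME`, so it can be checked alongside the region, e.g. `const { region: webAclRegion, resource: webAclScope } = Stack.of(this).splitArn(webAclId, ArnFormat.SLASH_RESOURCE_NAME);` followed by `if (!Token.isUnresolved(webAclScope) && webAclScope !== 'global') { throw new Error(...); }` — confirm the segment name against `Arn.split` before relying on it. The new private method also carries no comment explaining why non-`arn:` values and unresolved regions are let through; a note such as `// Plain (non-ARN) ids carry no region, and a token region cannot be checked at synth time` would help the next maintainer. `attachWebAclId`'s TSDoc could gain `@throws Error if a WebACL is already attached, or the ARN names a resolvable region other than us-east-1`.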
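Review bot: Both new tests exercise only the rejection path; nothing proves that a us-east-1 ARN, a plain id without the `arn:` prefix, or an ARN whose region is an unresolved token still attaches, so the `startsWith('arn:')` guard and the `Token.isUnresolved` branch of `validateWebAclId` are untested. A third `test` asserting `expect(() => distribution.attachWebAclId('arn:aws:wafv2:us-east-1:123456789012:global/web-acl/MyWebAcl/473e64fd-f30b-4765-81a0-62ad96dd167a')).not.toThrow();` (constructed from the existing fixture) would cover the positive path, and a fixture built with `Stack.of(distribution).region` or a `Token` would cover the skip. The enclosing `describe('attachWebAclId')` starts outside the hunk.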