diff --git a/docs/roles/_init.md b/docs/roles/_init.md
index 7dd7ab3fb..d8183a4c6 100644
--- a/docs/roles/_init.md
+++ b/docs/roles/_init.md
@@ -22,7 +22,7 @@ _ce_ansible_timer_name: upgrade_ansible
 # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all
 #_aws_profile: example # boto profile name
 #_aws_region: eu-west-1
-_aws_vpc_cidr_base: 10.0
+_aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client
 # AWS tags
 _aws_resource_name: "" # Name
diff --git a/roles/_init/README.md b/roles/_init/README.md
index 7dd7ab3fb..d8183a4c6 100644
--- a/roles/_init/README.md
+++ b/roles/_init/README.md
@@ -22,7 +22,7 @@ _ce_ansible_timer_name: upgrade_ansible
 # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all
 #_aws_profile: example # boto profile name
 #_aws_region: eu-west-1
-_aws_vpc_cidr_base: 10.0
+_aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client
 # AWS tags
 _aws_resource_name: "" # Name
diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml
index cfee2615b..017f953ff 100644
--- a/roles/_init/defaults/main.yml
+++ b/roles/_init/defaults/main.yml
@@ -12,7 +12,7 @@ _ce_ansible_timer_name: upgrade_ansible
 # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all
 #_aws_profile: example # boto profile name
 #_aws_region: eu-west-1
-_aws_vpc_cidr_base: 10.0
+_aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client
 # AWS tags
 _aws_resource_name: "" # Name
diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md
index f802c46a2..3dbfc823e 100644
--- a/roles/aws/aws_acl/README.md
+++ b/roles/aws/aws_acl/README.md
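Review bot: `_aws_vpc_cidr_base: 10.0` in the roles/_init/defaults/main.yml hunk is still an unquoted plain scalar, so YAML loads it as a float, and the new comment now invites every client to override it with its own prefix; an override such as `10.10` or `10.20` loads as the float `10.1`/`10.2`, so a client that picks `10.10` silently collides with one that picked `10.1`, the "unique for every client" property the comment promises is lost, and the resulting overlapping VPC ranges undermine the network separation between clients. Quoting the default fixes the type and documents the expectation, e.g. `_aws_vpc_cidr_base: "10.0" # used to define internal IP range that is unique for every client - keep this quoted so a value like 10.10 is not loaded as the float 10.1`. The same unquoted value is repeated in the docs/roles/_init.md and roles/_init/README.md hunks, which should be updated to match. How this value is interpolated into a CIDR is not visible in this diff, so this assumes it is rendered as a string prefix elsewhere in the role.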
@@ -1,6 +1,31 @@
 # AWS ACL
 Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB).
+## Default variables to create WAF
+If the var is list type, it will go through the process of creating and assignng rules to WAF
+aws_acl.yml needs to be located in global or regional vars
+
+If you don't need one of the rules on the WAF, we can just remove it from the "rules"
+
+Since IP set is a thing under WAF, we have option to create, update and use existing set:
+
+IP set with a list of IPs will be marked as a thing that needs to be created/updated
+
+If its defined only with rule_name, set_name, action and priority (leaving the list empty) it will just search existing set and assign it to WAF
+
+## Default variables to Assign WAF to CF/ALB
+If the var is dict type, it will go through the process assignng WAF to CF/ALB
+aws_acl.yml needs to be located in resource vars
+
+Make sure to use "us-east-1" for CLOUDFRONT scope
+or define region where the ALB is located with REGIONAL scope
+```yaml
+---
+aws_acl:
+  name: "{{ _infra_name }}_main_acl"
+  scope: CLOUDFRONT # Can be REGIONAL for ALBs
+  region: "us-east-1"
+```
@@ -19,28 +44,35 @@ aws_acl:
 rate_limit:
 value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
 priority: 2 # can be float with 1 decimal place
- ip_sets:
- - rule_name: "Allowed-IPs-rule"
- set_name: "Allowed-IPs-set"
- description: "List of IPs to whitelist - Ansible managed"
- action: allow
- priority: 1
- list:
- - 1.1.1.1/32
- - 2.2.2.2/32
- country_codes:
- - name: "allowed-countries"
- action: allow
- priority: 0.2
- list:
- - GB
- - HR
- - name: "blocked-countries"
- action: block
- priority: 8
- list:
- - RU
- - CN
+ ip_sets: []
+# Example IP set to allow a list of safe IPs
+# - rule_name: "Allowed-IPs-rule"
+# set_name: "Allowed-IPs-set"
+# description: "List of IPs to safelist - Ansible managed"
+# action: allow
+# priority: 1
+# list:
+# - 1.1.1.1/32
+# - 2.2.2.2/32
+# - 30.30.30.0/24
+# Example country code ruleset allowing one set of countries and blocking another
+# country_codes:
+# - name: "allowed-countries"
+# action: allow
+# priority: 0.2
+# list:
+# - GB
+# - HR
+# - FR
+# - ES
+# - UY
+# - JP
+# - name: "blocked-countries"
+# action: block
+# priority: 8
+# list:
+# - RU
+# - CN
 regular_rules:
 - name: allow_panels
 action: allow
@@ -100,5 +132,4 @@ aws_acl:
 priority: 13
 ```
-