WAF rules only evaluate requests after they reach the origin, so the absence of matches means the origin is blocking traffic first.

WAF evaluates requests at the edge (before the request is forwarded to the origin). If rules never match, the issue is more likely related to WAF association/scope/rule logic than the origin blocking first.

For CloudFront, you must use a regional WAF endpoint and cannot use a global web ACL.

CloudFront uses a global WAF web ACL scope. The service expects a CloudFront-scoped web ACL, which is created/managed in us-east-1.

WAF web ACL rules never apply to signed URLs or signed cookies, so the web ACL is bypassed by design.

Signed URLs and signed cookies are still requests that WAF evaluates. WAF does not bypass evaluation solely due to the request being signed.

What does this SAA-C03 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: The WAF web ACL intended for CloudFront must be created in the us-east-1 (N. Virginia) region (CloudFront scope), even if the rest of the stack is in another region. — For CloudFront, WAF uses a global (CloudFront) scope that is managed/provisioned in us-east-1. If the web ACL was created with the wrong region/scope and then associated, CloudFront may not evaluate the intended rules, resulting in zero rule matches in logs. The most likely fix is to recreate the web ACL with the correct CloudFront scope in us-east-1 and re-associate it to the CloudFront distribution. Why others are wrong: B is incorrect because WAF inspects requests before they reach the origin. C is incorrect because CloudFront requires a CloudFront-scoped (global) web ACL. D is incorrect because WAF evaluates signed requests as well; the signed nature does not bypass WAF rule evaluation.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.