Status: IN
AWS WAF is evaluated first in the API Gateway access control chain — before resource policies, IAM policies, Lambda authorizers, and Cognito authorizers; if WAF blocks, nothing else is evaluated.
Source: entries/2026/03/11/apigateway-latest-developerguide-apigateway-control-access-aws-wafhtml.md