{"id":"apigw-waf-evaluated-first-before-all-auth","text":"AWS WAF is evaluated first in the API Gateway access control chain — before resource policies, IAM policies, Lambda authorizers, and Cognito authorizers; if WAF blocks, nothing else is evaluated.","truth_value":"IN","source":"entries/2026/03/11/apigateway-latest-developerguide-apigateway-control-access-aws-wafhtml.md","source_url":"","source_hash":"49aaeca05641b725","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"apigw-waf-evaluated-first-before-all-auth","truth_value":"IN","reason":"premise"}]}}