@matthewdfuller @awscloud Yes. I’ve tried to test the protection AWS WAF provided for a client, but I could barely find a way to get it to trigger at all, let alone need a bypass. AWS documentation like https://t.co/YmsfsNWbBR also don’t even use the CRS