EC2 instances in the ‘Public’ zone acting as web servers should still be considered risky despite being behind a load balancer. An attacker could potentially exploit vulnerabilities or misconfigurations to bypass the AWS WAF protection.
For more details, check out the original tweet here: https://twitter.com/rekdt/status/1758958550213107756
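One misconfiguration that fits this warning is an instance security group that accepts web traffic from sources other than the load balancer, so requests can reach the server without passing the WAF. The audit below is an added example, not code from the tweet: it assumes the WAF is attached to the load balancer and that security groups are supplied in the shape returned by EC2 `DescribeSecurityGroups`; the function names, group IDs and sample data are constructed for illustration.

```python
from ipaddress import ip_network

WEB_PORTS = (80, 443)

def covers_web_port(perm, ports=WEB_PORTS):
    """True if an ingress rule applies to TCP on any of the web ports."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ports)

def non_lb_web_sources(security_groups, lb_sg_ids):
    """List (group_id, source, severity) for web ingress not limited to the LB."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_web_port(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # A /0 prefix admits any address, so traffic need not pass the WAF.
                world = ip_network(cidr, strict=False).prefixlen == 0
                findings.append((sg["GroupId"], cidr, "internet" if world else "review"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in lb_sg_ids:
                    findings.append((sg["GroupId"], pair["GroupId"], "review"))
    return findings

# Constructed sample data (placeholder group IDs, not from any real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web-locked", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-web-mixed", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in non_lb_web_sources(SAMPLE_GROUPS, {"sg-alb"}):
        print(finding)
```

Entries marked `internet` are the ones to close first; `review` entries are internal or peer sources that should be confirmed as intended.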