The WAF, Shield, and Network Firewall we've covered so far each defend a single layer. Today we integrate them into one perimeter at the edge. CloudFront is not just a CDN but, from a security perspective, "the first line of defense and the policy enforcement point." Here, TLS termination (ACM), origin protection (OAC), content access control (signed URLs/cookies), and WAF/Shield integration converge. Security exams ask "how do you combine these controls to minimize the attack surface?"