- Enable AWS Security hub
- Create an automation (like this one) to ingest AWS WAF Alert to AWS Security Hub. More info about AWS Security Hub custom providers here
- The sample application you deployed is the OWASP Juice Shop. It intentionally contains common web vulnerabilities. WAF automatically protects against some of these vulnerabilities, such as SQL Injection and Cross Site Scriptting. There is an accompanying book by Ben Kimminitch that explains further. Try exploring the site to test out some other vulnerabilities. Access your EC2 resource directly (bypassing the ALB) to test your attacks without the WAF protection.