How would you apply defense in depth using controls such as WAF, network ACLs, IAM policies, and application-level checks?