The security team at GlobalTech Solutions, which uses AWS Organizations to manage hundreds of AWS accounts, needs to implement a solution to protect all existing and new Amazon CloudFront distributions against the OWASP top 10 web application vulnerabilities using AWS WAF. Which combination of steps should a solutions architect take to provide this baseline protection across the organization? (Choose three.)