Usage Question - Multi S3 Buckets or only 1 for DEV and PROD sites?

[ghost]

I have a question around this solution in terms of separation of endpoints, s3 buckets and WAF rules.

Example:
If I have 2 separate domain names and 2 separate clouldfront instance that share the same WAF Name/ rules and s3 bucket, does that mean if someone is hitting api.dev.abc.com hard and it triggers the lambda function to block the IP, would this also affect all domains sharing the same WAF rules and s3 log bucket? Assuming I didn't want this behaviour would I have to create an s3 access log bucket for each domain and separate WAF rules for each or just a separate WAF rule for each domain and attach the different WAF name/rule to each cloudfront instance?

api.dev.abc.com --> cloudfront (WAF named WAF1) --> s3 (bucket name: cloudfront-access-logs) --> lambda
 
api.qa.abc.com --> cloudfront (WAF named WAF1) --> s3 (bucket name: cloudfront-access-logs) --> lambda

I noticed that if I configure the same bucket name, that inside the bucket it creates separate folders based on the domain name (which is good), but is the lambda function using teh domain name to determine which endpoint to disable? How does it know which WAF name to update?