diff --git a/README.md b/README.md
index acd09e1f..df1c87b8 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ This module provisions an IBM Cloud Internet Services (CIS) instance and configu
* Domain
* DNS records
* Global load balancer (GLB) including load balancers, origin pools and health checks
+* Web Application Firewall (WAF)
For more information see, [Getting started with IBM Cloud Internet Services](https://cloud.ibm.com/docs/cis?topic=cis-getting-started).
@@ -22,6 +23,7 @@ For more information see, [Getting started with IBM Cloud Internet Services](htt
* [dns](./modules/dns)
* [domain](./modules/domain)
* [glb](./modules/glb)
+ * [waf](./modules/waf)
* [Examples](./examples)
* [End-to-end example](./examples/complete)
* [Contributing](#contributing)
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index e3090e10..2b7430fb 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -88,3 +88,14 @@ module "cis_glb" {
}
]
}
+
+##############################################################################
+# Enables web application firewall(WAF) to CIS instance
+##############################################################################
+
+module "cis_domain_settings" {
+ source = "../../modules/waf"
+ cis_instance_id = module.cis_instance.cis_instance_id
+ domain_id = module.cis_instance.cis_domain.domain_id
+ enable_waf = true
+}
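Review bot: The module label `cis_domain_settings` does not match what the block does or the naming of the neighbouring `cis_glb` module; its source is `../../modules/waf` and the only thing the caller controls is `enable_waf`. A label such as `module "cis_waf"` would be clearer, with the matching output in examples/complete/outputs.tf renamed to suit. The header comment would also read better as `# Enable the web application firewall (WAF) for the CIS domain`, since the setting is applied to a domain and not to the instance.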
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index 6b9bb6fe..2be8e784 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -16,3 +16,8 @@ output "cis_glb" {
description = "CIS Global Load Balancer"
value = module.cis_glb
}
+
+output "cis_domain_settings" {
+ description = "CIS domain settings"
+ value = module.cis_domain_settings
+}
diff --git a/modules/waf/README.md b/modules/waf/README.md
new file mode 100644
index 00000000..16a76c6a
--- /dev/null
+++ b/modules/waf/README.md
@@ -0,0 +1,36 @@
+# CIS web application firewall (WAF) module
+
+This module enables/disables the web application firewall (WAF) of the domain.
+
+
+### Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.0, <1.6.0 |
+| [ibm](#requirement\_ibm) | >= 1.49.0 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [ibm_cis_domain_settings.domain_settings](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cis_domain_settings) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [cis\_instance\_id](#input\_cis\_instance\_id) | CRN of the existing CIS instance. | `string` | n/a | yes |
+| [domain\_id](#input\_domain\_id) | ID of the existing domain to add a DNS record to the CIS instance. | `string` | n/a | yes |
+| [enable\_waf](#input\_enable\_waf) | To control whether the web application firewall (WAF) is enabled or disabled for a CIS instance. | `bool` | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| [cis\_domain\_settings\_details](#output\_cis\_domain\_settings\_details) | CIS Domain settings details |
+
diff --git a/modules/waf/main.tf b/modules/waf/main.tf
new file mode 100644
index 00000000..80b06a32
--- /dev/null
+++ b/modules/waf/main.tf
@@ -0,0 +1,10 @@
+##############################################################################
+# To enable/disable Web Application Firewall(WAF) for a domain
+##############################################################################
+
+resource "ibm_cis_domain_settings" "domain_settings" {
+ cis_id = var.cis_instance_id
+ domain_id = var.domain_id
+ waf = var.enable_waf ? "on" : "off"
+ min_tls_version = "1.2" #Temporary fix - The min_tls_version default value (1.2) gets modified to 1.1 while applying domain_settings. This will be reverted back once the provider issue(IBM-Cloud/terraform-provider-ibm#4937) is fixed.
+}
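Review bot: The hard-coded `min_tls_version = "1.2"` means that applying this module to a domain already configured with a stricter minimum (for example 1.3) would set it back to 1.2 as a side effect of toggling the WAF. Consider exposing it as a module input with a default of "1.2" and a validation on the accepted values, then using `min_tls_version = var.min_tls_version`, so callers can keep a stricter floor while the workaround is in place. The explanation is also hard to read as a trailing comment; a short comment block above the attribute that keeps the reference to IBM-Cloud/terraform-provider-ibm#4937 would be easier to find when the workaround is removed.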
diff --git a/modules/waf/outputs.tf b/modules/waf/outputs.tf
new file mode 100644
index 00000000..f93e25dc
--- /dev/null
+++ b/modules/waf/outputs.tf
@@ -0,0 +1,5 @@
+
+output "cis_domain_settings_details" {
+ description = "CIS Domain settings details"
+ value = ibm_cis_domain_settings.domain_settings
+}
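Review bot: The output `cis_domain_settings_details` exports the whole `ibm_cis_domain_settings.domain_settings` object, which ties consumers to every attribute in the provider schema. If any attribute of that resource is, or later becomes, sensitive, Terraform will reject the output unless it is declared `sensitive = true`. Exporting only the attributes callers need, for example the `waf` and `min_tls_version` values, would avoid that. The same applies to the `cis_domain_settings` output in examples/complete/outputs.tf, which passes the whole module through.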
diff --git a/modules/waf/variables.tf b/modules/waf/variables.tf
new file mode 100644
index 00000000..da1f7504
--- /dev/null
+++ b/modules/waf/variables.tf
@@ -0,0 +1,15 @@
+
+variable "cis_instance_id" {
+ type = string
+ description = "CRN of the existing CIS instance."
+}
+
+variable "domain_id" {
+ type = string
+ description = "ID of the existing domain to add a DNS record to the CIS instance."
+}
+
+variable "enable_waf" {
+ type = bool
+ description = "To control whether the web application firewall (WAF) is enabled or disabled for a CIS instance."
+}
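Review bot: The `domain_id` description appears to have been carried over from a DNS module and does not describe this one, which never adds a DNS record. Suggest `description = "ID of the existing CIS domain whose WAF setting is managed."`; the same text is repeated in the Inputs table of modules/waf/README.md. The `enable_waf` description likewise says "for a CIS instance", while the resource applies the setting per domain via `domain_id`.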
diff --git a/modules/waf/version.tf b/modules/waf/version.tf
new file mode 100644
index 00000000..ddfa2c8e
--- /dev/null
+++ b/modules/waf/version.tf
@@ -0,0 +1,10 @@
+
+terraform {
+ required_version = ">= 1.3.0, <1.6.0"
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ version = ">= 1.49.0"
+ }
+ }
+}
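Review bot: The provider constraint `version = ">= 1.49.0"` has no upper bound, while `required_version` just above is bounded with `<1.6.0`. A future major release of the IBM provider would therefore be accepted by this module without review. Consider `version = ">= 1.49.0, < 2.0.0"`, and tighten the lower bound once the provider release that fixes the `min_tls_version` issue referenced in modules/waf/main.tf is known.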