Table of Contents
- 1. Introduction
- 2. Increased inspectable body size
- 3. Changing the body size limit
- 4. Effects of WafCharm
- 5. Conclusion
1. Introduction
On March 8th, 2024, AWS WAF released an update that lets it inspect larger request bodies for some of the regional resources.
AWS WAF now supports larger request body inspections for regional resources
CloudFront distributions received a similar update on April 11th, 2023, so the regional resources appear to be catching up with the features CloudFront distributions already have.
AWS WAF updates: Increase in WCU limitations and body size limits in CloudFront protection
In this blog post, we will take a look at the update for the regional resources.
2. Increased inspectable body size
With this update, AWS WAF inspects up to the first 16KB of the request body for regional resources by default, just like CloudFront distributions. The limit can be raised in 16KB steps, up to the first 64KB, for an additional cost.
Keep in mind that this update is only available for the four resources below.
- Amazon API Gateway
- Cognito user pools
- App Runner
- AWS Verified Access
Regional resources also include Application Load Balancers (ALB) and AppSync, but for these two AWS WAF still inspects only the first 8KB of the request body.
Refer to the document below for more details.
Managing body inspection size limits
As a sidenote, each rule that inspects the body has an oversize handling option, which determines what AWS WAF does when the request body exceeds the inspection limit.
For example, the body size limit for requests to API Gateway is now 16KB by default. If a request body exceeds 16KB, the rule behaves according to the option you chose:
- Continue: inspect only the first 16KB with the rule's criteria. If that prefix does not match, evaluation moves on to the subsequent rules or the Default Action. Anything beyond the limit is never seen by the rule.
- Match: treat the request as matching the rule simply because it exceeds the limit, and apply the rule's action. This catches payloads hidden past the limit, but it also applies to every legitimate request with a large body.
- No match: treat the request as not matching the rule, skip it, and move on to the subsequent rules or the Default Action.
Depending on the option you choose, you may get unexpected results, such as an attack payload that sits beyond the limit passing a Continue rule, or legitimate large uploads being blocked by a Match rule. Make sure to consider the option carefully for each body-inspecting rule.
Refer to the blog post below for more information on the oversize handling options.
Inspect all headers option and oversize handling for request components option are released in AWS WAF (3. What is oversize handling for request components option?)
3. Changing the body size limit
To change the body size limit, open the [Associated AWS resources] tab of the web ACL in the AWS WAF console, as you would for CloudFront distributions.
If you have resources like API Gateway associated with the web ACL, you will be able to see the [Web request body inspection] section, as shown in the screenshot below.
Click the [Edit] button under the [Web request body inspection] section to change the body size limit.
CloudFront distributions use a radio button to select the body size limit, but the regional resources use a drop-down menu instead.
As mentioned above, ALB and AppSync are not part of the update. The console shows a message stating that these two resources are out of scope:
For Application Load Balancer and AppSync, the limit is currently fixed at 8 KB.
You can attach both API Gateway and ALB to the same web ACL, but the body size limit options are unavailable for ALB, as shown in the screenshot. Even if you change the body size limit for API Gateway, the change will not be applied to requests that are sent to ALB.
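The console walkthrough above is the manual route. As an added example (not code from the blog post, from WafCharm, or from AWS), the block below does the same through the wafv2 API shapes that the console drives, and also models the oversize handling options from section 2 so the two settings can be seen working together. It assumes the real wafv2 field names (`AssociationConfig.RequestBody.<ResourceType>.DefaultSizeInspectionLimit` with values `KB_16` to `KB_64`, and `FieldToMatch.Body.OversizeHandling` with `CONTINUE`, `MATCH`, `NO_MATCH`); `CONSTRUCTED_GET_WEB_ACL` is a made-up `get_web_acl()` response, the request bodies are constructed, and `evaluate_body_rule` is a simplified model of the documented behaviour, not AWS code.

```python
"""Added example: set the body inspection limit via the wafv2 API and model
what the limit plus oversize handling do to one request. Field names follow
the real wafv2 API; the ACL, bodies and the evaluator are constructed here."""
from copy import deepcopy

# Resource types that accept a limit in AssociationConfig, and the accepted
# values. ALB and AppSync have no entry: their limit is fixed at 8 KB.
RESOURCE_TYPES = {"CLOUDFRONT", "API_GATEWAY", "COGNITO_USER_POOL",
                  "APP_RUNNER_SERVICE", "VERIFIED_ACCESS_INSTANCE"}
SIZE_LIMITS = {16: "KB_16", 32: "KB_32", 48: "KB_48", 64: "KB_64"}
NEEDLE = b"' OR 1=1--"   # pattern the demo rule looks for in the body

CONSTRUCTED_GET_WEB_ACL = {   # constructed, shaped like get_web_acl() output
    "WebACL": {
        "Name": "example-regional-acl",
        "Id": "00000000-0000-0000-0000-000000000000",
        "DefaultAction": {"Allow": {}},
        "Rules": [],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "example-regional-acl"},
    },
    "LockToken": "constructed-lock-token",
}


def body_byte_match_rule(name, needle, oversize_handling, priority=0):
    """Rule that blocks when `needle` appears in the body. OversizeHandling
    is what AWS WAF does when the body exceeds the inspection limit."""
    if oversize_handling not in {"CONTINUE", "MATCH", "NO_MATCH"}:
        raise ValueError(f"unknown oversize handling {oversize_handling!r}")
    return {
        "Name": name, "Priority": priority, "Action": {"Block": {}},
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": oversize_handling}},
            "PositionalConstraint": "CONTAINS",
            "SearchString": needle,   # bytes when calling boto3
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def build_update_params(get_web_acl_response, scope, limits_kb, extra_rules=()):
    """Turn a get_web_acl() response into kwargs for update_web_acl().
    update_web_acl replaces the whole ACL and needs the LockToken, so the
    existing fields are copied and only AssociationConfig (plus any added
    rules) changes. Unsupported resource types and sizes are rejected."""
    acl = get_web_acl_response["WebACL"]
    request_body = {}
    for resource_type, kb in limits_kb.items():
        if resource_type not in RESOURCE_TYPES:
            raise ValueError(f"{resource_type} has no configurable body size limit")
        if kb not in SIZE_LIMITS:
            raise ValueError(f"limit must be one of {sorted(SIZE_LIMITS)} KB, not {kb}")
        request_body[resource_type] = {"DefaultSizeInspectionLimit": SIZE_LIMITS[kb]}
    return {
        "Name": acl["Name"], "Scope": scope, "Id": acl["Id"],
        "DefaultAction": deepcopy(acl["DefaultAction"]),
        "Rules": deepcopy(acl.get("Rules", [])) + list(extra_rules),
        "VisibilityConfig": deepcopy(acl["VisibilityConfig"]),
        "LockToken": get_web_acl_response["LockToken"],
        "AssociationConfig": {"RequestBody": request_body},
    }


def evaluate_body_rule(body, limit_kb, oversize_handling, needle):
    """Simplified model of one body rule: only the first limit_kb are ever
    inspected. Above the limit, MATCH matches outright, NO_MATCH skips the
    rule, CONTINUE inspects just the prefix. Returns "MATCH" or "NO_MATCH"."""
    limit = limit_kb * 1024
    if len(body) > limit:
        if oversize_handling == "MATCH":
            return "MATCH"
        if oversize_handling == "NO_MATCH":
            return "NO_MATCH"
    return "MATCH" if needle in body[:limit] else "NO_MATCH"


def constructed_request(total_bytes, payload_offset):
    """Constructed body: filler with NEEDLE placed at payload_offset."""
    body = bytearray(b"x" * total_bytes)
    body[payload_offset:payload_offset + len(NEEDLE)] = NEEDLE
    return bytes(body)


def demo():
    """12 KB bodies evaluated under the fixed ALB limit and the new default."""
    attack = constructed_request(12 * 1024, 10 * 1024)         # payload 10 KB in
    straddle = constructed_request(12 * 1024, 8 * 1024 - 3)    # cut by the 8 KB edge
    benign = b"x" * 12 * 1024                                  # large, harmless upload
    return {
        "alb_8kb_continue": evaluate_body_rule(attack, 8, "CONTINUE", NEEDLE),
        "alb_8kb_straddle": evaluate_body_rule(straddle, 8, "CONTINUE", NEEDLE),
        "alb_8kb_match": evaluate_body_rule(attack, 8, "MATCH", NEEDLE),
        "benign_8kb_match": evaluate_body_rule(benign, 8, "MATCH", NEEDLE),
        "apigw_16kb_continue": evaluate_body_rule(attack, 16, "CONTINUE", NEEDLE),
    }


if __name__ == "__main__":
    rule = body_byte_match_rule("block-sqli-in-body", NEEDLE, "CONTINUE")
    params = build_update_params(CONSTRUCTED_GET_WEB_ACL, "REGIONAL",
                                 {"API_GATEWAY": 64}, [rule])
    print(params["AssociationConfig"])   # pass params to client("wafv2").update_web_acl(**params)
    print(demo())
```

The `demo()` results make the caveat concrete: with the ALB limit fixed at 8KB, a Continue rule never sees a payload placed 10KB into the body, and a payload that straddles the 8KB edge is missed too; switching that rule to Match catches the attack but also matches the benign 12KB upload; the same Continue rule behind API Gateway's 16KB default matches. Because `update_web_acl` replaces the whole ACL, always start from a fresh `get_web_acl` response and its `LockToken`, as `build_update_params` does.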
4. Effects of WafCharm
You can change the body size limit in the web ACLs using WafCharm.
Please keep in mind that WafCharm only works with CloudFront, ALB or API Gateway at the moment.
5. Conclusion
Because AWS WAF could only inspect the first 8KB of the request body, requests that contained data matching a rule could go undetected when that data sat beyond the first 8KB.
This update can enhance the protection of regional resources in addition to CloudFront distributions.
However, the body size is still limited to 8KB for resources like ALB. We look forward to seeing the same update for ALB in the future.