By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS WAF Rule Configuration to differentiate related requests to "body size" in the logs

0

There's an endpoint blocked by AWS WAF. Let's say /api/services. In the logs, it's evident that it's being blocked due to the "size body" in the AWS Managed RuleSet. I've edited SizeRestrictions_BODY to "Override to Count" in AWSManagedRulesCommonRuleSet. Then, I've created a separate rule and set up an Allow for the /api/services. However, by doing so, I've completely allowed all requests contains /api/services. I want to distinguish which ones are getting caught by the "size restriction" when reviewing the logs. How can I achieve this using tags so that I can easily differentiate those related to "body size" in the logs?

Topics
Security, Identity, & ComplianceManagement & GovernanceDeveloper ToolsAWS Well-Architected Framework
Tags
AWS WAFLog AnalysisMonitoring & LoggingSecurity
Language
English
Sena S
asked 13 days ago162 views
1 Answer
0

When you create the rule to allow the /api/services path, you can add a label to the rule. The label will then appear in the WAF logs for any requests matched by that rule.

You can then configure the rule's action to also insert a label in the logs. This will help you identify which blocked requests were due to body size or you could create a separate rule that only blocks requests to /api/services if the body size exceeds the limit. Give this higher priority than the general size restriction rule.

Look at this document where the same procedure is enlisted. https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html

profile picture
EXPERT
Giovanni Lauria
answered 13 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content