AWS WAF Rule Configuration to differentiate related requests to "body size" in the logs


There's an endpoint blocked by AWS WAF. Let's say /api/services. In the logs, it's evident that it's being blocked due to the "size body" in the AWS Managed RuleSet. I've edited SizeRestrictions_BODY to "Override to Count" in AWSManagedRulesCommonRuleSet. Then, I've created a separate rule and set up an Allow for the /api/services. However, by doing so, I've completely allowed all requests containing /api/services. I want to distinguish which ones are getting caught by the "size restriction" when reviewing the logs. How can I achieve this using tags so that I can easily differentiate those related to "body size" in the logs?

1 Answer

When you create the rule to allow the /api/services path, you can add a label to the rule. The label will then appear in the WAF logs for any requests matched by that rule.

You can then configure the rule's action to also insert a label in the logs. This will help you identify which blocked requests were due to body size, or you could create a separate rule that only blocks requests to /api/services if the body size exceeds the limit. Give this higher priority than the general size restriction rule.

Look at this document where the same procedure is listed: https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html

EXPERT
answered a month ago
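An added example, not part of the question or the answer above: a log filter that separates /api/services requests the Count-mode SizeRestrictions_BODY rule matched from those it did not. The label name in `SIZE_LABEL` and the sample records are assumptions; confirm the label string against your own WAF logs.

```python
import json

# Assumed label emitted by the managed rule when it matches in Count mode.
SIZE_LABEL = "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
SIZE_RULE_ID = "SizeRestrictions_BODY"

# Constructed sample records, one JSON object per line as in WAF log delivery.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"action": "ALLOW", "labels": [{"name": SIZE_LABEL}],
     "httpRequest": {"uri": "/api/services/upload", "requestId": "req-1"}},
    {"action": "ALLOW", "labels": [],
     "httpRequest": {"uri": "/api/services/list", "requestId": "req-2"}},
    {"action": "BLOCK",
     "httpRequest": {"uri": "/login", "requestId": "req-3"}},
    {"action": "ALLOW",  # no labels field; match recorded in the rule group list
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                        "nonTerminatingMatchingRules": [
                            {"ruleId": SIZE_RULE_ID, "action": "COUNT"}]}],
     "httpRequest": {"uri": "/api/services/import", "requestId": "req-4"}},
])


def size_rule_counted(record, size_label=SIZE_LABEL):
    """True if the record shows the body-size rule matched without terminating."""
    labels = {entry.get("name") for entry in record.get("labels") or []}
    if size_label in labels:
        return True
    for group in record.get("ruleGroupList") or []:
        for rule in group.get("nonTerminatingMatchingRules") or []:
            if rule.get("ruleId") == SIZE_RULE_ID and rule.get("action") == "COUNT":
                return True
    return False


def classify(log_text, path_prefix="/api/services"):
    """Group (requestId, action) pairs for the path by body-size match."""
    result = {"oversize": [], "normal": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        request = record.get("httpRequest") or {}
        if not request.get("uri", "").startswith(path_prefix):
            continue
        key = "oversize" if size_rule_counted(record) else "normal"
        result[key].append((request.get("requestId"), record.get("action")))
    return result


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_LOG), indent=2))
```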
