
filesize Control WAF

0

Hi team,

I have a workflow that enables file uploads through CloudFront:

  • Client browser -> API Gateway -> Lambda function (generates a CloudFront signed URL for file upload)
  • The client then uses this signed URL to upload a file to an S3 bucket via CloudFront.

I want to attach an AWS WAF to my CloudFront distribution. Is there a way to enforce a maximum file size of 20MB at the WAF level? Or should this file size restriction be handled separately from the WAF?

2 Answers
2

The bot advised some alternatives, but I think you could try a WAF rule that inspects the size of the "Body" element of the request and blocks large request bodies. It's explained in this documentation article for a somewhat different purpose that the bot also mentioned, which is to have WAF reject requests where the request body exceeds the size that WAF can inspect: https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html#waf-oversize-request-components-blocking

For your purpose, you don't need WAF to analyse the contents of the uploaded file but only the size of the file that is declared in the Content-Length header of the request. You can follow the instructions in the documentation article with the exception of setting the limit to 20 MB. I'm not quite 100% sure if there might be situations with chunked transfer encoding in HTTP/1.1 or unusual encoding of the request body where the limit might not be interpreted accurately, but I think it should work for typical situations. It won't work for S3's multipart upload feature, however, because it allows uploading a large file in many small requests, so you'd have to make sure that the presigned URLs you provide don't allow multipart uploads.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • Thank you for your answer, very useful! How can I make sure that the CloudFront-generated signed URL does not allow multipart? Or should I make this restriction at the bucket level via a bucket policy?

    Also, I see that in AWSManagedRulesCommonRuleSet there is a rule SizeRestrictions_BODY. Does this impact what I'm trying to do here on file upload size? Thank you!

0

While AWS WAF can be used to protect your CloudFront distribution, it doesn't have a direct feature to enforce a maximum file size of 20MB for uploads. However, you can use AWS WAF in combination with other AWS services to achieve your goal.

AWS WAF allows you to customize the maximum size of the request body that CloudFront forwards to WAF for inspection. By default, this is set to 16 KB, but you can increase it up to 64 KB. However, this limit is primarily for inspection purposes and not for enforcing upload size limits.

For your specific use case of limiting file uploads to 20MB, you have a few options:

  1. Use CloudFront Functions or Lambda@Edge: You can create a function that checks the Content-Length header of the request and rejects it if it exceeds 20MB. This would happen before the file is uploaded to S3.

  2. Implement the size check in your Lambda function: When generating the signed URL, you could include conditions that limit the file size.

  3. Use API Gateway: If you change your workflow to upload the file through API Gateway, you can set a maximum payload size there.

While AWS WAF is excellent for protecting against web exploits and controlling access to your CloudFront distribution, it's not the ideal tool for enforcing file size limits. It's best to handle this restriction separately from WAF, using one or a combination of the methods mentioned above.

Remember to enable AWS WAF on your CloudFront distribution for other security benefits, such as protecting against common web exploits and controlling access based on conditions you specify.

Sources
RequestBodyAssociatedResourceTypeConfig - AWS WAFV2
Using AWS WAF with Amazon CloudFront - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Enable AWS WAF for distributions - Amazon CloudFront

answered a month ago
EXPERT
revised a month ago
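
Option 1 from the answer above, written as a CloudFront Function for the viewer-request event. This is an added example, not code from either answer or from AWS. It also refuses uploads with no usable Content-Length and requests carrying S3 multipart-upload query parameters, the two gaps the first answer raises. The 20 MB cap comes from the question; the status codes and the choice to reject multipart outright are assumptions.

```javascript
// Added example: CloudFront Function (viewer-request) enforcing an upload cap.
// Assumptions: 20 MB limit from the question; response codes and the
// decision to block multipart uploads are choices made for this example.
var MAX_BYTES = 20 * 1024 * 1024; // 20971520 bytes

function reject(code, description) {
    // Returning a response object stops the request at the edge.
    return { statusCode: code, statusDescription: description };
}

function handler(event) {
    var request = event.request;

    // Only PUT/POST carry an upload body; pass everything else through.
    if (request.method !== 'PUT' && request.method !== 'POST') {
        return request;
    }

    // S3 multipart upload sends one large object as many small requests,
    // each of which would pass a per-request size check on its own.
    var qs = request.querystring || {};
    if ('uploads' in qs || 'uploadId' in qs || 'partNumber' in qs) {
        return reject(403, 'Forbidden');
    }

    // Header names are lowercase in the CloudFront Functions event.
    var header = (request.headers || {})['content-length'];

    // Missing or non-numeric Content-Length (for example chunked transfer
    // encoding): the size is unknown, so refuse instead of guessing.
    if (!header || !/^\d+$/.test(header.value)) {
        return reject(411, 'Length Required');
    }

    if (parseInt(header.value, 10) > MAX_BYTES) {
        return reject(413, 'Payload Too Large');
    }

    return request; // within the cap: forward to the origin
}
```

The function only sees the request headers and query string, so the check is on the size the client declares, as in the first answer's Content-Length approach.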
