
WAF restriction and authenticated requests

0

Hello,

I'm running into the limitation of 8kb of the WAF and I need to send POST requests that are bigger than 8kb.

I was researching workarounds, but since the requests that are bigger than 8kb are only going to be authenticated (via Cognito), isn't it still safe to "ignore" the 8kb restriction and let just those requests pass through?

The requests are routed to an API Gateway and picked up by a Lambda.

Thank you.

1 Answer
0

While it's understandable that you want to allow authenticated requests larger than 8KB to pass through, it's important to note that the 8KB limit you're encountering is not a universal restriction for all AWS WAF implementations.

First, let's clarify the limits:

  • For Application Load Balancer and AWS AppSync, there is indeed a fixed 8KB (8,192 bytes) limit for body inspection.
  • However, for services like CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is actually 16KB (16,384 bytes), and this can be increased.

Since you mentioned you're using API Gateway and Cognito, you have more flexibility. You can increase the body inspection limit up to 64KB in 16KB increments (16KB, 32KB, 48KB, 64KB). This can be done in your web ACL configuration, though be aware that increasing the limit beyond 16KB may incur additional processing fees.

Regarding your suggestion to "ignore" the restriction for authenticated requests: While authentication does add a layer of security, it's generally not recommended to completely bypass WAF inspection for authenticated users. Authenticated users could still potentially send malicious payloads, either intentionally or if their credentials are compromised.

Instead, consider the following approaches:

  1. Increase the body inspection limit in your web ACL configuration to accommodate your larger requests.
  2. If you absolutely need to allow larger payloads for authenticated users, you could create a separate rule in your WAF configuration that applies different inspection criteria or limits for authenticated requests. However, this should be done cautiously and with additional security measures in place.
  3. If your payloads are consistently larger than the maximum WAF inspection size, you might need to explore alternative architectures, such as using pre-signed URLs for larger data transfers or breaking larger requests into smaller chunks.

Remember, WAF is just one layer of your security strategy. Ensure you have other security measures in place within your API Gateway and Lambda functions to validate and sanitize incoming data, regardless of its size or the authentication status of the user.

Sources
JsonBody - AWS WAFV2
Body - AWS WAFV2
Managing body inspection size limits for AWS WAF - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

answered 10 months ago
EXPERT
reviewed 10 months ago
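As an added illustration of approaches 1 and 2 in the answer above (this is example code written for this page, not code from the answerer or from AWS), the following builds the two AWS WAFv2 web ACL fragments that matter here: an AssociationConfig that raises the API Gateway body inspection limit, and a rule that blocks any body WAF still cannot inspect in full, so size alone never becomes a bypass. It also includes a Lambda handler behind API Gateway that enforces its own size and schema limits on every request regardless of Cognito claims, which is the "other security measures" point in the last paragraph. The 48KB application ceiling, the required fields and the rule name are assumptions chosen for the example; the `update_web_acl` call is shown only as a comment so the module runs offline.

```python
"""Added example for the AWS WAF body-size question above (not from the thread
or from AWS). Builds WAFv2 web ACL fragments as plain dicts and shows a Lambda
handler that validates every body, authenticated or not."""
import base64
import json

# Body inspection limits WAF accepts for API Gateway associations, in KB.
ALLOWED_LIMITS_KB = (16, 32, 48, 64)

# Application-side ceiling, assumed for this example: kept below the WAF limit
# so WAF always sees the whole body it is configured to inspect.
MAX_BODY_BYTES = 48 * 1024
# Hypothetical schema for the request body.
REQUIRED_FIELDS = {"record_id": str, "payload": list}


def body_inspection_config(limit_kb: int) -> dict:
    """AssociationConfig for CreateWebACL/UpdateWebACL (Scope=REGIONAL)."""
    if limit_kb not in ALLOWED_LIMITS_KB:
        raise ValueError(f"limit must be one of {ALLOWED_LIMITS_KB}, got {limit_kb}")
    return {
        "RequestBody": {
            "API_GATEWAY": {"DefaultSizeInspectionLimit": f"KB_{limit_kb}"}
        }
    }


def oversize_body_rule(limit_kb: int, priority: int = 0) -> dict:
    """Rule that blocks any body larger than what WAF inspects.

    OversizeHandling=MATCH makes the size statement match whenever the body
    exceeds the inspection limit, so an oversized request is blocked instead
    of passing through uninspected. Authenticated callers hit it like anyone.
    """
    return {
        "Name": "block-oversized-body",  # assumed name
        "Priority": priority,
        "Statement": {
            "SizeConstraintStatement": {
                "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
                "ComparisonOperator": "GT",
                "Size": limit_kb * 1024,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "block-oversized-body",
        },
    }
    # To apply, after fetching the current ACL and its LockToken:
    # boto3.client("wafv2").update_web_acl(Scope="REGIONAL", ...,
    #     AssociationConfig=body_inspection_config(64),
    #     Rules=[oversize_body_rule(64), ...])


def _response(status: int, message: str) -> dict:
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"message": message}),
    }


def lambda_handler(event: dict, context=None) -> dict:
    """API Gateway proxy handler: size and schema checks run for every caller."""
    raw = event.get("body") or ""
    data = base64.b64decode(raw) if event.get("isBase64Encoded") else raw.encode()
    if len(data) > MAX_BODY_BYTES:
        return _response(413, "payload too large")
    try:
        doc = json.loads(data)
    except ValueError:
        return _response(400, "body is not valid JSON")
    if not isinstance(doc, dict):
        return _response(400, "body must be a JSON object")
    for field, typ in REQUIRED_FIELDS.items():
        if not isinstance(doc.get(field), typ):
            return _response(400, f"missing or invalid field: {field}")
    # Cognito claims are used for attribution only, never to skip validation.
    ctx = event.get("requestContext") or {}
    claims = (ctx.get("authorizer") or {}).get("claims") or {}
    subject = claims.get("sub", "anonymous")
    return _response(200, f"accepted {len(doc['payload'])} items from {subject}")
```

The ordering matters: WAF's rule handles the bodies it cannot see in full, while the Lambda's `MAX_BODY_BYTES` sits below the WAF limit so anything that reaches the function was fully inspected. Both checks run before the Cognito claims are read, which is what keeps a compromised but valid credential from turning large payloads into uninspected ones.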
