If you haven't got CloudFront v2 logs enabled, I suggest you enable them. If CloudFront rejects a request, it'll log a reason code in the logs. The size limit for POST request bodies is 50 gigabytes, so your 33-kilobyte requests aren't a reason for CloudFront to reject them, and if WAFv2 logs show the request as allowed, they aren't being rejected by WAF either.
However, CloudFront will drop requests for various other reasons, such as the size of the entire HTTP request without the body exceeding 20,480 bytes, or a Lambda@Edge function being configured to process the request body in the context of a viewer request. One typical reason for those limits to be hit is storing entire authentication tokens, user profile information, and refresh tokens in HTTP cookies. The log will show which limit, if any, is exceeded, or if there's another reason for the request to be dropped, such as configured geoblocking rules.
CloudFront logs also contain a unique ID assigned to the request by CloudFront. You can correlate the events from WAF with those shown in CloudFront logs based on the request ID.
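An added example of the correlation this answer recommends, and of the ALLOW-in-WAF but 403-at-the-edge symptom the question describes. It is not code from the page or from AWS: it parses a constructed WAF log (JSON Lines) and a constructed CloudFront standard log (tab-separated with a `#Fields:` header), joins them on the request ID (`httpRequest.requestId` in WAF, `x-edge-request-id` in CloudFront), and states which layer made the decision. The column and field names are the real log field names; every row value, including the detailed result type `InvalidRequest`, is a made-up sample, so check the actual values against the CloudFront log field reference.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample AWS WAF log records (JSON Lines). The field names are the
# ones WAF writes (action, terminatingRuleId, httpRequest.requestId,
# oversizeFields); every value below is made up for this example.
WAF_LOG_LINES: List[str] = [
    json.dumps({"timestamp": 1700000000000, "action": "ALLOW",
                "terminatingRuleId": "Default_Action",
                "httpRequest": {"requestId": "req-aaa", "httpMethod": "POST",
                                "uri": "/api/upload"},
                "oversizeFields": ["REQUEST_BODY"]}),
    json.dumps({"timestamp": 1700000001000, "action": "ALLOW",
                "terminatingRuleId": "Default_Action",
                "httpRequest": {"requestId": "req-bbb", "httpMethod": "POST",
                                "uri": "/api/upload"},
                "oversizeFields": []}),
    json.dumps({"timestamp": 1700000002000, "action": "BLOCK",
                "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
                "httpRequest": {"requestId": "req-ccc", "httpMethod": "POST",
                                "uri": "/api/upload"},
                "oversizeFields": []}),
]

# Constructed sample CloudFront standard log (tab-separated, with the usual
# "#Fields:" header). The column names are CloudFront's own; the rows and the
# detailed result type "InvalidRequest" are illustrative values only.
CF_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-status cs-method cs-uri-stem "
    "x-edge-result-type x-edge-request-id cs-bytes x-edge-detailed-result-type",
    "\t".join(["2024-01-01", "12:00:00", "IAD89-C1", "403", "POST", "/api/upload",
               "Error", "req-aaa", "33812", "InvalidRequest"]),
    "\t".join(["2024-01-01", "12:00:01", "IAD89-C1", "200", "POST", "/api/upload",
               "Miss", "req-bbb", "1024", "Miss"]),
])


def parse_cloudfront_log(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a CloudFront standard log into rows keyed by x-edge-request-id."""
    fields: List[str] = []
    rows: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            rows[row["x-edge-request-id"]] = row
    return rows


def parse_waf_log(lines: Iterable[str]) -> Dict[str, dict]:
    """Parse WAF JSON Lines records into a dict keyed by the host service's request ID."""
    return {rec["httpRequest"]["requestId"]: rec for rec in map(json.loads, lines)}


def correlate(waf_lines: Iterable[str], cf_text: str) -> Dict[str, dict]:
    """Join WAF and CloudFront records on request ID and say which layer decided."""
    waf = parse_waf_log(waf_lines)
    edge_rows = parse_cloudfront_log(cf_text)
    result: Dict[str, dict] = {}
    for rid, rec in waf.items():
        edge = edge_rows.get(rid)
        finding = {
            "waf_action": rec["action"],
            # True means WAF only saw the first part of the body (oversizeFields)
            "body_partially_inspected": "REQUEST_BODY" in rec.get("oversizeFields", []),
            "edge_status": edge["sc-status"] if edge else None,
            "edge_reason": edge["x-edge-detailed-result-type"] if edge else None,
        }
        if rec["action"] == "BLOCK":
            finding["verdict"] = "blocked by WAF rule " + rec["terminatingRuleId"]
        elif edge is None:
            finding["verdict"] = "no CloudFront entry for this ID yet (logs lag)"
        elif edge["sc-status"] == "403":
            finding["verdict"] = "rejected by CloudFront, not by WAF"
        else:
            finding["verdict"] = "allowed end to end"
        result[rid] = finding
    return result


if __name__ == "__main__":
    for rid, f in correlate(WAF_LOG_LINES, CF_LOG).items():
        print(rid, f)
```

For `req-aaa` the output shows WAF allowing a request it only partially inspected, and CloudFront then returning 403 with its own reason in `x-edge-detailed-result-type`; that is the pattern to look for before touching any WAF rule. CloudFront standard logs can arrive later than WAF logs, so a missing CloudFront row for a recent ID is not yet evidence of anything.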
You can add override WAF rules for specific URLs, or set the rule to Count for the whole site.
This behavior is expected and aligns with how CloudFront and AWS WAF work together, based on documented service limits.
AWS WAF body inspection limits
AWS WAF does not inspect the entire request body. It inspects only up to a configured limit. For CloudFront, the default inspection limit is 16 KB, and it can be increased in 16 KB increments up to 64 KB. When a request body exceeds this limit, only the portion within the limit is forwarded to AWS WAF for inspection, and WAF logs oversizeFields: REQUEST_BODY. If the inspected portion does not violate any rules, WAF records the request as ALLOW.
Official documentation:
Considerations for managing body inspection in AWS WAF https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-setting-body-inspection-limit.html
Oversize web request components in AWS WAF https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html
CloudFront request handling behavior
Even when AWS WAF allows a request, CloudFront still applies its own edge-level request handling limits. These limits are independent of WAF and determine whether CloudFront can safely parse and forward a request to the origin. While CloudFront does not publish a hard limit for POST body size, it does enforce limits on request structure (such as combined header and URL size), and requests that exceed what CloudFront can process may be rejected with a 403 at the edge before reaching the origin.
Official documentation:
Quotas – Amazon CloudFront https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.html
Why WAF shows ALLOW but CloudFront returns 403
This happens because AWS WAF evaluates only the portion of the request body within its inspection limit. As explained in the AWS Knowledge Center, the host service (CloudFront) forwards only the inspectable portion to WAF, and CloudFront may still block the request afterward based on its own constraints. This results in WAF logs showing ALLOW while CloudFront returns a 403 and the request never reaches the origin.
Official reference:
How do I handle oversize HTTP requests in AWS WAF? https://repost.aws/knowledge-center/waf-http-request-body-inspection
Recommended approach
There is no supported way to force CloudFront to forward large POST bodies or to override this behavior using AWS WAF. The recommended and supported solutions are to bypass CloudFront for large POST requests or redesign the flow, such as uploading large payloads directly to the origin or using S3 presigned URLs and sending only metadata through CloudFront.
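The body inspection limits described in this answer (16 KB by default for CloudFront, adjustable in 16 KB steps up to 64 KB) and the per-rule oversize handling are both web ACL settings, so a defender can audit them rather than discover them from an ALLOW in the logs. The following is an added example, not the page's or AWS's own code: it walks a constructed web ACL that follows the field names of the WAFv2 API (`AssociationConfig.RequestBody.CLOUDFRONT.DefaultSizeInspectionLimit`, `FieldToMatch.Body.OversizeHandling`, `FieldToMatch.JsonBody.OversizeHandling`, with `CONTINUE` as the default), reports whether a body of a given size would be inspected in full, and lists body-inspecting rules that let oversize bodies continue. The ACL contents and rule names are placeholders.

```python
import copy
from typing import Dict, Iterator, List, Tuple

# Byte value of each DefaultSizeInspectionLimit setting (16 KB default, up to 64 KB).
LIMIT_BYTES: Dict[str, int] = {"KB_16": 16 * 1024, "KB_32": 32 * 1024,
                               "KB_48": 48 * 1024, "KB_64": 64 * 1024}

# Constructed sample in the shape of a WAFv2 web ACL (CLOUDFRONT scope).
# Rule contents are minimal and the names are placeholders.
WEB_ACL = {
    "Name": "example-acl",
    "Scope": "CLOUDFRONT",
    "AssociationConfig": {
        "RequestBody": {"CLOUDFRONT": {"DefaultSizeInspectionLimit": "KB_16"}}
    },
    "Rules": [
        {   # Inspects the body but leaves OversizeHandling at its default (CONTINUE):
            # a body over the limit is checked only up to the limit and then passed on.
            "Name": "sqli-in-body",
            "Statement": {"SqliMatchStatement": {
                "FieldToMatch": {"Body": {}},
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
        },
        {   # Nested inside an AndStatement to show that the walker handles nesting.
            "Name": "xss-in-json-uploads",
            "Statement": {"AndStatement": {"Statements": [
                {"ByteMatchStatement": {
                    "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
                    "SearchString": "/api/upload",
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
                {"XssMatchStatement": {
                    "FieldToMatch": {"JsonBody": {"MatchPattern": {"All": {}},
                                                  "MatchScope": "ALL",
                                                  "OversizeHandling": "MATCH"}},
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
            ]}},
        },
    ],
}


def iter_field_matches(statement: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (statement type, FieldToMatch) for every leaf statement, descending
    through And/Or/Not statements and scope-down statements."""
    for kind, body in statement.items():
        if kind in ("AndStatement", "OrStatement"):
            for sub in body["Statements"]:
                yield from iter_field_matches(sub)
        elif kind == "NotStatement":
            yield from iter_field_matches(body["Statement"])
        elif "ScopeDownStatement" in body:   # RateBased / ManagedRuleGroup statements
            yield from iter_field_matches(body["ScopeDownStatement"])
        elif "FieldToMatch" in body:
            yield kind, body["FieldToMatch"]


def inspection_limit_bytes(web_acl: dict) -> int:
    """Body inspection limit in bytes; KB_16 when the ACL sets nothing."""
    scope = web_acl.get("Scope", "CLOUDFRONT")
    key = (web_acl.get("AssociationConfig", {}).get("RequestBody", {})
           .get(scope, {}).get("DefaultSizeInspectionLimit", "KB_16"))
    return LIMIT_BYTES[key]


def body_fully_inspected(web_acl: dict, body_bytes: int) -> bool:
    """Would a body of this size be inspected in full, or truncated at the limit?"""
    return body_bytes <= inspection_limit_bytes(web_acl)


def audit_body_rules(web_acl: dict) -> List[str]:
    """List body-inspecting rules whose oversize handling is CONTINUE, i.e. rules
    that can let a request through after looking at only part of the body."""
    findings: List[str] = []
    for rule in web_acl["Rules"]:
        for kind, ftm in iter_field_matches(rule["Statement"]):
            spec = ftm.get("Body", ftm.get("JsonBody"))
            if spec is None:
                continue   # not a body match (UriPath, headers, ...)
            if spec.get("OversizeHandling", "CONTINUE") == "CONTINUE":
                findings.append(f"{rule['Name']}: {kind} on body uses OversizeHandling CONTINUE")
    return findings


def with_inspection_limit(web_acl: dict, limit: str) -> dict:
    """Return a copy of the ACL with the CloudFront body inspection limit changed."""
    if limit not in LIMIT_BYTES:
        raise ValueError(f"unsupported limit {limit!r}")
    acl = copy.deepcopy(web_acl)
    (acl.setdefault("AssociationConfig", {}).setdefault("RequestBody", {})
        .setdefault("CLOUDFRONT", {}))["DefaultSizeInspectionLimit"] = limit
    return acl


if __name__ == "__main__":
    print("limit:", inspection_limit_bytes(WEB_ACL), "bytes")
    print("33 KB body fully inspected?", body_fully_inspected(WEB_ACL, 33 * 1024))
    for line in audit_body_rules(WEB_ACL):
        print("finding:", line)
    hardened = with_inspection_limit(WEB_ACL, "KB_64")
    print("after raising to KB_64:", body_fully_inspected(hardened, 33 * 1024))
```

With the 16 KB default, the 33 KB requests from the question are never inspected in full, so an ALLOW for them says less than it appears to; raising the limit to KB_64 closes that gap for the WAF layer, and setting `OversizeHandling` to `MATCH` (or `NO_MATCH`, depending on the rule's intent) makes the rule's behaviour on truncated bodies explicit instead of defaulting to CONTINUE. Neither change affects the CloudFront-side rejection discussed above, which has to be read from the CloudFront logs, and inspection beyond the default limit is priced separately, so check the WAF pricing page before raising it.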
Thanks man, your answer also helps me.
You're encountering a CloudFront limitation where it blocks large POST requests at the edge based on its own validation, independent of WAF's allowance. The 403 error occurs because CloudFront has internal constraints on POST request sizes and handling, even when WAF passes the request. To resolve this, first update your CloudFront distribution's behavior to use a modern origin request policy that's configured to forward all headers and the request body—legacy cache settings often restrict POST body forwarding. Alternatively, create a separate CloudFront behavior specifically for your large POST endpoints with caching disabled and full request forwarding enabled. If these adjustments don't work, consider bypassing CloudFront for large POST operations entirely, as AWS generally advises against routing large mutable POST bodies through CloudFront; instead, implement pre-signed S3 URLs for direct client-to-S3 uploads, or route these requests directly to your ALB using a different subdomain. Finally, if you must use CloudFront, contact AWS Support to verify if your distribution's POST body size limit can be increased, as some thresholds require backend adjustments.
That will do nothing about the reported issue, if WAF's logs are showing an "ALLOW" action applied. Enabling the CloudFront logs and correlating between them and WAF logs should help to pinpoint the issue.
Sorry Leo. I misread the question. You are correct. If WAF says allow, then it's not WAF.
I am very used to seeing WAF blocking especially on this rule.