Clicking Add rule with the rule builder for a Web ACL in AWS WAF does nothing (no errors), the browser console shows WAFLimitsExceededException, we have no other WAFs

0

I've created my first WAF/Web ACL for a CloudFront distribution, and I'm trying to block some links by query string matches. When I click Add rule, no errors are thrown and nothing happens. Checking the browser console shows:

WAFLimitsExceededException: AWS WAF couldn’t perform the operation because you exceeded your resource limit.

We have no other WAFs, and only one Web ACL, which I've just created and want to add a single rule to.

asked 2 years ago · 643 views
2 Answers
0

There are multiple things that can cause this; the error you are facing is not limited to having only one WAF WebACL. For more details on the quotas specifically for WAFv2, see https://docs.aws.amazon.com/waf/latest/developerguide/limits.html

AWS
answered 2 years ago
  • I went through that list already; we have only 1 WAF WebACL, 0 rule groups, 0 IP sets, our requests per second are well below the limit, no custom request headers, no custom response headers, no custom response bodies, and no log streams set up for the WebACL. Other errors do show, e.g. if I fail to fill in a field or configure it incorrectly, but just setting up a query string match rule shows no error at all, and nothing happens when I click Add rule. When I open the browser console, I see the error I've mentioned about WAFLimitsExceeded. The UI displays nothing.

0

Can you confirm that you are using WAFv2 and not Classic WAF? Classic WAF has lower limits compared to WAFv2.

Classic WAF quotas - https://docs.aws.amazon.com/waf/latest/developerguide/limits.html

Will you be able to share the raw request body from the browser console when you see the error (e.g. an HTTP Archive (HAR) file)? Please remove any sensitive information from it. Next, this can be correlated with CloudTrail as well; I assume you are using WAFv2, so it should appear in the "UpdateWebACL" API call.

Finally, I do recommend creating a support case for this. Looking forward to your response.

AWS
answered 2 years ago
  • It is v2, not the classic WAF. After experimenting a little, I found the issue was the length of the string I was using in the filter; when I increased the size, I still did not see an error in the UI, but I saw in the network response that I had exceeded the character limit. There seems to be a gap between the lengths where it shows the correct error or the generic limits exceeded error.
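The cause found in the comment above (a ByteMatchStatement search string over the per-statement quota, surfaced only as a generic WAFLimitsExceededException) can be caught before the UpdateWebACL call ever leaves the client. The following is an added example, not code from the thread or from AWS: it walks a WAFv2 rule list, measures every SearchString in bytes, and wraps the update so the quota error carries a pointer to CloudTrail. MAX_SEARCH_STRING_BYTES is an assumed value to be confirmed against the WAFv2 quotas page, `client` is a boto3 wafv2 client supplied by the caller, and SAMPLE_RULES is constructed input.

```python
MAX_SEARCH_STRING_BYTES = 200  # assumed quota; verify on the WAFv2 quotas page


def iter_byte_match_statements(node, path="Rules"):
    """Yield (path, stmt) for every ByteMatchStatement, however deeply nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "ByteMatchStatement":
                yield child, value
            else:
                yield from iter_byte_match_statements(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_byte_match_statements(item, f"{path}[{i}]")


def oversized_search_strings(rules, max_bytes=MAX_SEARCH_STRING_BYTES):
    """Return [(path, byte_length)] for SearchStrings over the quota (UTF-8 bytes)."""
    found = []
    for path, stmt in iter_byte_match_statements(rules):
        value = stmt.get("SearchString", b"")
        length = len(value.encode("utf-8")) if isinstance(value, str) else len(value)
        if length > max_bytes:
            found.append((path, length))
    return found


def update_web_acl_checked(client, **params):
    """Reject oversized search strings locally, then call UpdateWebACL.
    `client` is a boto3 wafv2 client passed in by the caller (boto3 not imported)."""
    problems = oversized_search_strings(params.get("Rules", []))
    if problems:
        raise ValueError(f"SearchString over {MAX_SEARCH_STRING_BYTES} bytes: {problems}")
    try:
        return client.update_web_acl(**params)
    except client.exceptions.WAFLimitsExceededException as exc:
        # The service error is generic; the CloudTrail UpdateWebACL event carries the request.
        raise RuntimeError("WAF quota exceeded; correlate with CloudTrail") from exc


# Constructed sample: one query-string rule whose search string is far too long.
SAMPLE_RULES = [{
    "Name": "block-long-query", "Priority": 0, "Action": {"Block": {}},
    "Statement": {"ByteMatchStatement": {
        "FieldToMatch": {"QueryString": {}}, "PositionalConstraint": "CONTAINS",
        "SearchString": "a" * 300, "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
    "VisibilityConfig": {"SampledRequestsEnabled": False, "CloudWatchMetricsEnabled": False,
                         "MetricName": "block-long-query"},
}]
```

Running the check against SAMPLE_RULES reports the offending statement path and its 300-byte length instead of the silent console failure described in the question.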
