Size constraint rule statement - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Size constraint rule statement

A size constraint statement compares the number of bytes in a web request component to a number that you provide, and matches according to your comparison criteria. The comparison criteria is an operator such as greater than (>) or less than (<). For example, you can match on requests that have a query string with a size that's greater than 100 bytes.


This statement only inspects the size of the web request component. It doesn't inspect the contents of the component.

If you inspect the URI path, any / in the path counts as one character. For example, the URI path /logo.jpg is nine characters long.

Nestable – You can nest this statement type.

WCUs – 1 WCU, as a base cost. If you use the request component All query parameters, add 10 WCUs. If you use the request component JSON body, double the base cost WCUs. For each Text transformation that you apply, add 10 WCUs.

This statement type operates on a web request component, and requires the following request component settings:

  • Request component – The part of the web request to inspect, for example, a query string or the body. For information about web request components, see Web request component specification and handling.

    A size constraint statement inspects only the size of the component after any transformations have been applied. It does not inspect the contents of the component.

  • Optional text transformations – Transformations that you want Amazon WAF to perform on the request component before inspecting its size. For example, you could compress white space or decode HTML entities. If you specify more than one transformation, Amazon WAF processes them in the order listed. For information, see Text transformation options.

Additionally, this statement requires the following settings:

  • Size match condition – This indicates the numerical comparison operator to use to compare the size that you provide with the request component that you've chosen. Choose the operator from the list.

  • Size – The size setting, in bytes, to use in the comparison.

Where to find this rule statement
  • Rule builder on the console – For Match type, under Size match condition, choose the condition that you want to use.

  • APISizeConstraintStatement