Managing body inspection size limits - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing body inspection size limits

The body inspection size limit is the maximum request body size that Amazon WAF can inspect. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to Amazon WAF for inspection.

  • For Application Load Balancer and Amazon AppSync, the limit is fixed at 8 KB (8,192 bytes).

  • For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for any of the resource types by increments of 16 KB, up to 64 KB. The setting options are 16 KB, 32 KB, 48 KB, and 64 KB.

Oversize body handling

If your web traffic includes bodies that are larger than the limit, your configured oversize handling will apply. For information about the options for oversize handling, see Handling of oversize request components in Amazon WAF.

Pricing considerations for increasing the limit setting

Amazon WAF charges a base rate for inspecting traffic that's within the default limit for the resource type.

For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources, if you increase the limit setting, the traffic that Amazon WAF can inspect includes body sizes up to your new limit. You're charged extra only for the inspection of requests that have body sizes larger than the default 16 KB. For more information about pricing, see Amazon WAF Pricing.

Options for modifying the body inspection size limit

You can configure the body inspection size limit for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources.

When you create or edit a web ACL, you can modify the body inspection size limits in the resource association configuration. For the API, see the web ACL's association configuration at AssociationConfig. For the console, see the configuration on the page where you specify the web ACL's associated resources. For guidance on the console configuration, see Working with web ACLs.