AWS WAF updates: Increase in WCU limitations and body size limits in CloudFront protection

Table of Contents

  1. Introduction
  2. WCUs limitation increase
  3. Inspected request body size on web ACLs attached to CloudFront
  4. Effects on WafCharm
  5. Conclusion

1. Introduction

This article will address two updates released by AWS WAF on April 11th, 2023.

The first update is that the Web ACL capacity units (WCUs) limitation has been increased to 5,000 WCUs by default.

The WCU limitation used to be 1,500 WCUs, and if you wanted to use more than that, you had to request an increase.

With this update, you can now use more than 1,500 WCUs without requesting an increase.

Reference: AWS WAF increases web ACL capacity units limits

The second update is that AWS WAF can inspect the first 16KB of the request body for CloudFront web ACLs by default, and the inspection size of the request body can be increased up to 64KB.

Before the release, AWS WAF could only inspect the first 8KB of the request body, regardless of which resources (e.g., ALB, CloudFront) the web ACLs were associated with.

With this update, the first 16KB of the request body can be inspected with web ACLs associated with CloudFront.

Reference: AWS WAF supports larger request body inspections for Amazon CloudFront distributions

2. WCUs limitation increase

The limitations of WCUs have been automatically updated to 5,000 with the release.

You can check the current WCUs by opening the AWS WAF page on the AWS management console, clicking on the Rules tab on the Web ACLs page, and looking at [Web ACL capacity units (WCUs) used by your rules].

In the screenshot below, you can see that the WCUs have increased to 5,000 WCUs by looking at the number [1328/5000 WCUs].

However, there are additional costs if you are using more than 1,500 WCUs, as noted on the page.

As per the official pricing information, you will be charged an additional $0.20 per million requests for every 500 WCUs if you exceed 1,500 WCUs.
Reference: AWS WAF Pricing

You can use up to 1,500 WCUs without additional costs.

3. Inspected request body size on web ACLs attached to CloudFront

Previously, AWS WAF could inspect the request body up to the first 8KB regardless of the resources attached to web ACLs.

With this update, AWS WAF can now inspect the first 16KB by default for web ACLs protecting CloudFront distributions.

In addition, AWS WAF can inspect up to the first 64KB of the request body if you change the setting in the web ACL.

Here's how to change the configuration.

1. Log in to the AWS management console and open the AWS WAF page.

2. Click [Web ACLs] on the left menu.

3. Change the region to [CloudFront (Global)].
*This update only targets web ACLs for CloudFront, so other regions will not provide the options.

4. Click the web ACL name.

5. Click [Associated AWS resources].

6. Click the [Edit] button next to the [Web request body inspection] section.

7. Choose the body size limit and click the [Save] button.

As stated on the page, there will be additional costs when you change the body size from the default 16KB.

According to the AWS pricing page, $0.30 per million requests for each additional 16KB analyzed beyond the default body inspection limit will be added to the cost.
Reference: AWS WAF Pricing

4. Effects on WafCharm

WafCharm used to apply rules based on the maximum of 1,500 WCUs limitation provided by AWS WAF, but we will start operating based on the new maximum of 5,000 WCUs limitation.

With this change, WafCharm will apply its rules as long as the total number of WCUs fits within 5,000 WCUs after the WafCharm rule application is completed, even if other rules are already applied to the web ACL.

If you already have several rules applied to your web ACL, please keep in mind that applying WafCharm rules may result in exceeding 1,500 WCUs.

If you do not want to exceed the 1,500 WCUs, adjust the rules that are applied to your web ACL before applying WafCharm.

*As of April 2023, WafCharm rules use 1,100 WCUs during rule application. However, AWS WAF may reduce the number of used WCUs for resources shared between rules. WafCharm needs 1,100 WCUs for the application process, but the number of used WCUs may decrease slightly once the rules are fully applied.

WafCharm is planning an update to support the body size limit feature provided for CloudFront web ACLs, so that you can use it with WafCharm rules.
If you change the body size limit to a value other than the default 16KB before that update, the option will automatically revert to the default 16KB when the WafCharm rules are updated. Please wait for the WafCharm update before adjusting the body size limit option if you want to use this feature.
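To make the capacity and cost checks from sections 2 to 4 concrete, here is an added Python example (not WafCharm's own code or an AWS tool): it projects the WCU total before a rule set such as WafCharm's 1,100 WCUs is applied, estimates the surcharges from the pricing figures quoted above, and builds the AssociationConfig that the wafv2 UpdateWebACL API takes for the CloudFront body size limit (the same setting as the console steps in section 3). Billing a partial 500-WCU step as a full step is an assumption, and the 1328-WCU starting point is taken from the screenshot figure above.

```python
import math

# Figures quoted in the article (AWS WAF pricing as of April 2023).
WCU_DEFAULT_LIMIT = 5000   # new default web ACL capacity limit
WCU_FREE_TIER = 1500       # WCUs included without additional charge
WCU_STEP = 500             # surcharge step above the free tier
WCU_STEP_PRICE = 0.20      # USD per million requests per 500 WCUs
BODY_DEFAULT_KB = 16       # default CloudFront body inspection size
BODY_STEP_PRICE = 0.30     # USD per million requests per extra 16 KB
BODY_LIMITS = {16: "KB_16", 32: "KB_32", 48: "KB_48", 64: "KB_64"}  # wafv2 enum values

def wcu_surcharge_per_million(total_wcus):
    """Extra charge per million requests for WCUs beyond the free tier.
    Assumption: a partial 500-WCU step is billed as a full step."""
    if total_wcus <= WCU_FREE_TIER:
        return 0.0
    steps = math.ceil((total_wcus - WCU_FREE_TIER) / WCU_STEP)
    return round(steps * WCU_STEP_PRICE, 2)

def body_surcharge_per_million(limit_kb):
    """Extra charge per million requests for a body limit above 16 KB."""
    if limit_kb not in BODY_LIMITS:
        raise ValueError(f"limit must be one of {sorted(BODY_LIMITS)} KB")
    return round((limit_kb - BODY_DEFAULT_KB) // 16 * BODY_STEP_PRICE, 2)

def plan_rule_application(current_wcus, added_wcus, limit=WCU_DEFAULT_LIMIT):
    """Project the WCU total after adding a rule set (1,100 for WafCharm):
    does it fit the web ACL limit, does it cross the free tier, and what
    WCU surcharge per million requests results."""
    total = current_wcus + added_wcus
    return {
        "total_wcus": total,
        "fits_limit": total <= limit,
        "exceeds_free_tier": total > WCU_FREE_TIER,
        "wcu_surcharge_per_million": wcu_surcharge_per_million(total),
    }

def cloudfront_body_limit_config(limit_kb):
    """AssociationConfig for wafv2 update_web_acl (mirrors the console steps).
    update_web_acl replaces the whole ACL: read it with get_web_acl first and
    pass back Name, Id, Scope="CLOUDFRONT", DefaultAction, Rules,
    VisibilityConfig and LockToken together with this config."""
    limit = BODY_LIMITS[limit_kb]
    return {"RequestBody": {"CLOUDFRONT": {"DefaultSizeInspectionLimit": limit}}}

if __name__ == "__main__":
    # Constructed case from the article: 1328 WCUs in use, then WafCharm's 1,100.
    print(plan_rule_application(1328, 1100))
    print(body_surcharge_per_million(64), cloudfront_body_limit_config(64))
```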

5. Conclusion

With the higher default WCU limit, more rules can be applied without requesting an increase from AWS. Additionally, with the larger inspected body size for CloudFront protection, AWS WAF can provide stronger security.

On the other hand, you could see unexpected cost increases if you apply rules without watching the number of WCUs, or if you receive many requests with large bodies without realizing it.

Make sure to keep an eye on the WCU status and request body size when adding rules or changing the configuration.