Size constraint rule statement - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Size constraint rule statement

A size constraint statement compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint condition to look for query strings that are longer than 100 bytes.


If you choose URI for the value of Part of the request to filter on, the / in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.

Nestable – You can nest this statement type.

WCUs – 1 WCU, as a base cost. If you use the request component All query parameters, add 10 WCUs. If you use the request component JSON body, double the base cost WCUs. For each Text transformation that you apply, add 10 WCUs.

This statement type operates on a web request component, and requires the following request component settings:

  • Request components – The part of the web request to inspect, for example, a query string or the body.


    If you use the request component Body or JSON body, AWS WAF only inspects the first 8 KB. For information, see Web request body inspection.

    For information about web request components, see Request component.

  • Optional text transformations – Transformations that you want AWS WAF to perform on the request component before inspecting it. For example, you could transform to lowercase or normalize white space. If you specify more than one transformation, AWS WAF processes them in the order listed. For information, see Text transformations.

Additionally, this statement requires the following settings:

  • Size match condition – This indicates the numerical comparison operator to use to compare the size that you provide with the request component that you've chosen. Choose the operator from the list.

  • Size – The size setting, in bytes, to use in the comparison.

Where to find this

  • Rule builder on the console – For Match type, under Size match condition, choose the condition that you want to use.

  • API statementSizeConstraintStatement