AWS solutions medium security documentation change
Summary
Added documentation about disabling WAF SizeRestrictions_QUERYSTRING rule to accommodate large pagination tokens
Security assessment
Disabling a security rule (SizeRestrictions_QUERYSTRING) weakens default WAF protections against query string attacks. The change explicitly modifies security controls to accommodate specific API usage patterns, potentially introducing a security risk if not properly mitigated with custom rules
Diff
diff --git a/solutions/latest/innovation-sandbox-on-aws/security-1.md b/solutions/latest/innovation-sandbox-on-aws/security-1.md index 5ead982cf..bb20fafc9 100644 --- a//solutions/latest/innovation-sandbox-on-aws/security-1.md +++ b//solutions/latest/innovation-sandbox-on-aws/security-1.md @@ -32,0 +33,8 @@ The default action of the web ACL is set to **allow** and the rule actions are s +###### Note + +WAF SizeRestrictions_QUERYSTRING Rule Modification* + +The solution disables the `SizeRestrictions_QUERYSTRING` rule from the `AWSManagedRulesCommonRuleSet` to accommodate legitimate large pagination tokens from the AWS Organizations API. The GET `/accounts/unregistered` endpoint retrieves accounts from AWS Organizations, which can return pagination tokens that exceed the default WAF query string size limit when handling large numbers of accounts (>20). + +This modification is necessary for the solution to function properly with large account pools. If you require additional query string size protection for other endpoints, you can manually implement a custom rule that excludes the `/accounts/unregistered` endpoint while applying size restrictions to other API endpoints. +