AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2026-07-10 · Documentation low

File: waf/latest/developerguide/waf-oversize-request-components.md

Summary

Included Amazon Bedrock AgentCore Gateway in body inspection configuration instructions

Security assessment

Updates operational guidance to include a new service in existing security controls (oversize request handling). This documents security feature usage but does not resolve a security issue.

Diff

diff --git a/waf/latest/developerguide/waf-oversize-request-components.md b/waf/latest/developerguide/waf-oversize-request-components.md
index e00357027..50fea1810 100644
--- a//waf/latest/developerguide/waf-oversize-request-components.md
+++ b//waf/latest/developerguide/waf-oversize-request-components.md
@@ -25 +25 @@ The component inspection size limits are as follows:
-  * **`Body` and `JSON Body`** – For Application Load Balancer and AWS AppSync, AWS WAF can inspect the first 8 KB of the body of a request. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, by default, AWS WAF can inspect the first 16 KB, and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. For more information, see [Considerations for managing body inspection in AWS WAF](./web-acl-setting-body-inspection-limit.html). 
+  * **`Body` and `JSON Body`** – For Application Load Balancer and AWS AppSync, AWS WAF can inspect the first 8 KB of the body of a request. For CloudFront, API Gateway, Amazon Cognito, App Runner, Verified Access, and Amazon Bedrock AgentCore Gateway, by default, AWS WAF can inspect the first 16 KB, and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. For more information, see [Considerations for managing body inspection in AWS WAF](./web-acl-setting-body-inspection-limit.html). 
@@ -94 +94 @@ You can add a rule in your protection pack (web ACL) that blocks requests with o
-    3. For **Size** , type a number that's at least the minimum size for the component type. For headers and cookies, type `8192`. In Application Load Balancer or AWS AppSync protection packs (web ACLs), for bodies, type `8192`. For bodies in CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access protection packs (web ACLs), if you're using the default body size limit, type `16384`. Otherwise, type the body size limit that you've defined for your protection pack (web ACL). 
+    3. For **Size** , type a number that's at least the minimum size for the component type. For headers and cookies, type `8192`. In Application Load Balancer or AWS AppSync protection packs (web ACLs), for bodies, type `8192`. For bodies in CloudFront, API Gateway, Amazon Cognito, App Runner, Verified Access, or Amazon Bedrock AgentCore Gateway protection packs (web ACLs), if you're using the default body size limit, type `16384`. Otherwise, type the body size limit that you've defined for your protection pack (web ACL).