AWS WAF adds two new features to help customers write more specific rules to protect their web applications and APIs: (a) enhanced pattern matching against Query String arguments and (b) support for non-octet CIDR boundaries.

With enhanced pattern matching against Query String arguments, customers can now configure AWS WAF to parse the query string in the URI and run pattern matches on the value of a specific query argument or values of all query arguments. Previously, customers could match a string (or use a regex) against the full query string without differentiating individual name-value pairs. With this enhancement, customers can write WAF rules for application vulnerabilities embedded in the query string and benefit from more targeted look-ups and more granular detections thus reducing false positives on query argument names. For example, in the URL https://, customers can now write a string match condition to match the value “value1” for the query argument “name1” as well as a size constraint condition(s) on one or more of the name-value pairs in the query string.

Support for non-octet CIDR boundaries allows customers to use more granular subnet boundaries by configuring any subnet mask between /16 and /32 for IPv4 addresses. Previously, AWS WAF’s IP match condition supported only /8, /16, /24 and /32 subnets for IPv4. Now, customers can write AWS WAF rules to match on CIDRs such as,,, and so on. This allows for better aggregation of IPs into fewer entries in the IP lists which currently support 10,000 CIDR entries per list. We will also continue to support the existing IPv6 CIDR boundaries, which are: /128 /64 /56 /48 /32 and /24.

There is no additional charge for either of these new features. For more details visit the AWS WAF page on the AWS Website.