Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

AWS::WAFv2::WebACL ManagedRuleGroupConfig

RSS
Focus mode
AWS::WAFv2::WebACL ManagedRuleGroupConfig - AWS CloudFormation
SyntaxProperties
Filter View

Additional information that's used by a managed rule group. Many managed rule groups don't require this.

The rule groups used for intelligent threat mitigation require additional configuration:

  • Use the AWSManagedRulesACFPRuleSet configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.

  • Use the AWSManagedRulesATPRuleSet configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.

  • Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

AWSManagedRulesACFPRuleSet

Additional configuration for using the account creation fraud prevention (ACFP) managed rule group, AWSManagedRulesACFPRuleSet. Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests.

For information about using the ACFP managed rule group, see AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group and AWS WAF Fraud Control account creation fraud prevention (ACFP) in the AWS WAF Developer Guide.

Required: No

Type: AWSManagedRulesACFPRuleSet

Update requires: No interruption

AWSManagedRulesATPRuleSet

Additional configuration for using the account takeover prevention (ATP) managed rule group, AWSManagedRulesATPRuleSet. Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to login requests.

This configuration replaces the individual configuration fields in ManagedRuleGroupConfig and provides additional feature configuration.

For information about using the ATP managed rule group, see AWS WAF Fraud Control account takeover prevention (ATP) rule group and AWS WAF Fraud Control account takeover prevention (ATP) in the AWS WAF Developer Guide.

Required: No

Type: AWSManagedRulesATPRuleSet

Update requires: No interruption

AWSManagedRulesBotControlRuleSet

Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. For information about using the Bot Control managed rule group, see AWS WAF Bot Control rule group and AWS WAF Bot Control in the AWS WAF Developer Guide.

Required: No

Type: AWSManagedRulesBotControlRuleSet

Update requires: No interruption

LoginPath
Note

Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet.

Required: No

Type: String

Pattern: .*\S.*

Minimum: 1

Maximum: 256

Update requires: No interruption

PasswordField
Note

Instead of this setting, provide your configuration under the request inspection configuration for AWSManagedRulesATPRuleSet or AWSManagedRulesACFPRuleSet.

Required: No

Type: FieldIdentifier

Update requires: No interruption

PayloadType
Note

Instead of this setting, provide your configuration under the request inspection configuration for AWSManagedRulesATPRuleSet or AWSManagedRulesACFPRuleSet.

Required: No

Type: String

Allowed values: JSON | FORM_ENCODED

Update requires: No interruption

UsernameField
Note

Instead of this setting, provide your configuration under the request inspection configuration for AWSManagedRulesATPRuleSet or AWSManagedRulesACFPRuleSet.

Required: No

Type: FieldIdentifier

Update requires: No interruption

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.