AWS WAF ATP components
The primary components of AWS WAF Fraud Control account takeover prevention (ATP) are the following:

- AWSManagedRulesATPRuleSet – The rules in this AWS Managed Rules rule group detect, label, and handle various types of account takeover activity. The rule group inspects HTTP POST web requests that clients send to the specified login endpoint. For protected CloudFront distributions, the rule group also inspects the responses that the distribution sends back to these requests. For a list of the rule group's rules, see AWS WAF Fraud Control account takeover prevention (ATP) rule group. You include this rule group in your web ACL using a managed rule group reference statement. For information about using this rule group, see Adding the ATP managed rule group to your web ACL.

  Note: You are charged additional fees when you use this managed rule group. For more information, see AWS WAF Pricing.

- Details about your application's login page – You must provide information about your login page when you add the AWSManagedRulesATPRuleSet rule group to your web ACL. This lets the rule group narrow the scope of the requests it inspects and properly validate credential usage in web requests. The ATP rule group works with usernames that are in email format. For more information, see Adding the ATP managed rule group to your web ACL.

- For protected CloudFront distributions, details about how your application responds to login attempts – You provide details about your application's responses to login attempts, and the rule group tracks and manages clients that send too many failed login attempts. For information about configuring this option, see Adding the ATP managed rule group to your web ACL.

- JavaScript and mobile application integration SDKs – Implement the AWS WAF JavaScript and mobile SDKs with your ATP implementation to enable the full set of capabilities that the rule group offers. Many of the ATP rules use the information provided by the SDKs for session-level client verification and behavior aggregation, which is required to separate legitimate client traffic from bot traffic. For more information about the SDKs, see Client application integrations in AWS WAF.
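The following Python is an added example, not code from the AWS documentation: it assembles the managed rule group reference statement that adds AWSManagedRulesATPRuleSet to a web ACL, carrying the login page details described above (login path, where the username and password sit in the POST body, and, for CloudFront distributions only, which response status codes mean success and failure), and prints JSON of the shape accepted by `aws wafv2 update-web-acl --rules file://rules.json`. The field names follow the AWS WAF V2 API; the login path `/api/login`, the JSON pointers `/email` and `/password`, the host `login.example.com`, the rule name `ATP-login`, and the `VolumetricIpHigh` override are assumptions for illustration, and the validation in `config_errors` is the author's own pre-flight check, not something the API performs for you.

```python
"""Build the rule that adds AWSManagedRulesATPRuleSet to a web ACL (added example)."""
import json

ATP_RULE_GROUP = "AWSManagedRulesATPRuleSet"


def config_errors(login_path, payload_type, username_field, password_field,
                  success_codes=None, failure_codes=None):
    """Return a list of problems with the ATP login page details (empty when valid).

    These checks mirror how the rule group consumes the values: LoginPath is matched
    against the request URI path, JSON field identifiers are JSON pointers, form
    identifiers are field names, and response inspection (CloudFront only) needs
    both lists of status codes and they must not overlap.
    """
    errors = []
    if not login_path.startswith("/"):
        errors.append("LoginPath must start with '/'")
    if payload_type not in ("JSON", "FORM_ENCODED"):
        errors.append("PayloadType must be JSON or FORM_ENCODED")
    for name, ident in (("UsernameField", username_field), ("PasswordField", password_field)):
        if payload_type == "JSON" and not ident.startswith("/"):
            errors.append(f"{name} must be a JSON pointer such as /email for JSON payloads")
        if payload_type == "FORM_ENCODED" and ident.startswith("/"):
            errors.append(f"{name} must be a form field name for FORM_ENCODED payloads")
    if (success_codes is None) != (failure_codes is None):
        errors.append("ResponseInspection needs both SuccessCodes and FailureCodes")
    elif success_codes is not None and set(success_codes) & set(failure_codes):
        errors.append("SuccessCodes and FailureCodes must not overlap")
    return errors


def atp_rule_group_config(login_path, payload_type, username_field, password_field,
                          success_codes=None, failure_codes=None):
    """Return the ManagedRuleGroupConfigs entry that describes the login page.

    ResponseInspection is only honoured for CloudFront distributions, so it is
    emitted only when status codes are supplied.
    """
    errors = config_errors(login_path, payload_type, username_field, password_field,
                           success_codes, failure_codes)
    if errors:
        raise ValueError("; ".join(errors))
    atp = {
        "LoginPath": login_path,
        "RequestInspection": {
            "PayloadType": payload_type,
            # The ATP rule group expects the username to be an email address.
            "UsernameField": {"Identifier": username_field},
            "PasswordField": {"Identifier": password_field},
        },
    }
    if success_codes is not None:
        atp["ResponseInspection"] = {
            "StatusCode": {"SuccessCodes": list(success_codes),
                           "FailureCodes": list(failure_codes)}
        }
    return {"AWSManagedRulesATPRuleSet": atp}


def atp_rule(priority, rule_group_config, host=None, count_rules=()):
    """Return the web ACL rule: a managed rule group reference statement for ATP.

    host        -- optional scope-down so only requests for this Host header are evaluated
    count_rules -- names of ATP rules whose action is overridden to Count while tuning
    """
    statement = {
        "VendorName": "AWS",
        "Name": ATP_RULE_GROUP,
        "ManagedRuleGroupConfigs": [rule_group_config],
    }
    if host:
        statement["ScopeDownStatement"] = {
            "ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": "host"}},
                "PositionalConstraint": "EXACTLY",
                "SearchString": host,  # a byte blob in the API; see the usage note
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            }
        }
    if count_rules:
        statement["RuleActionOverrides"] = [
            {"Name": name, "ActionToUse": {"Count": {}}} for name in count_rules
        ]
    return {
        "Name": "ATP-login",  # assumed rule name
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"None": {}},  # keep the rule group's own rule actions
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "ATPLogin",
        },
    }


if __name__ == "__main__":
    cfg = atp_rule_group_config("/api/login", "JSON", "/email", "/password",
                                success_codes=[200], failure_codes=[401, 403])
    print(json.dumps([atp_rule(1, cfg, host="login.example.com",
                               count_rules=["VolumetricIpHigh"])], indent=2))
```

Because `SearchString` is a binary field in the API, pass the generated file to AWS CLI v2 with `--cli-binary-format raw-in-base64-out` so the plain host string is encoded for you. Drop the `success_codes`/`failure_codes` arguments for a regional web ACL (Application Load Balancer, API Gateway and similar), where response inspection is not available.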
You can combine your ATP implementation with the following to help you monitor, tune, and customize your protections.

- Logging and metrics – You can monitor your traffic, and understand how the ATP managed rule group affects it, by configuring and enabling logs, Amazon Security Lake data collection, and Amazon CloudWatch metrics for your web ACL. The labels that AWSManagedRulesATPRuleSet adds to your web requests are included in the data. For information about the options, see Logging AWS WAF web ACL traffic, Monitoring with Amazon CloudWatch, and What is Amazon Security Lake?.

  Depending on your needs and the traffic that you see, you might want to customize your AWSManagedRulesATPRuleSet implementation. For example, you might want to exclude some traffic from ATP evaluation, or you might want to alter how it handles some of the account takeover attempts that it identifies, using AWS WAF features like scope-down statements or label matching rules.

- Labels and label matching rules – For any of the rules in AWSManagedRulesATPRuleSet, you can switch the blocking behavior to count, and then match against the labels that the rules add. Use this approach to customize how you handle web requests that the ATP managed rule group identifies. For more information about labeling and using label match statements, see Label match rule statement and Web request labeling in AWS WAF.

- Custom requests and responses – You can add custom headers to the requests that you allow, and you can send custom responses for requests that you block. To do this, you pair your label matching with the AWS WAF custom request and response features. For more information about customizing requests and responses, see Customized web requests and responses in AWS WAF.
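The following Python is an added example, not code from the AWS documentation, covering the three items above together: it builds a label match rule that blocks requests carrying an ATP label with a custom 429 response, a second label match rule that allows requests but inserts a custom request header for the origin to act on, the web ACL-level custom response body the block rule refers to, and a small triage routine that reads WAF JSON log records and reports, per client IP, which ATP labels appeared and how many requests the block rule would have stopped. The rule names, header name, body key and the three log records are constructed for illustration; the two label names are taken from the ATP rule group reference and should be checked against the current list before use. The log records assume only the count override is in place (the tuning phase the text describes), so their recorded action is ALLOW even though the label is present.

```python
"""Count-then-label handling for ATP, plus triage of WAF log records (added example)."""
import json
from collections import defaultdict

# All labels the ATP rule group adds share this namespace; the two specific labels
# below are taken from the ATP rule group reference (verify against the current list).
ATP_LABEL_PREFIX = "awswaf:managed:aws:atp:"
VOLUMETRIC_IP_LABEL = ATP_LABEL_PREFIX + "aggregate:volumetric:ip:high"
COMPROMISED_CREDS_LABEL = ATP_LABEL_PREFIX + "signal:credential_compromised"


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def label_block_rule(name, priority, label, body_key, status=429):
    """Web ACL rule that blocks requests carrying `label` and sends a custom response.

    The ATP rule that adds the label is switched to Count via RuleActionOverrides, so
    the request reaches this rule with the label attached; this rule, at a higher
    priority number than the managed rule group, then decides the outcome.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
        "Action": {"Block": {"CustomResponse": {
            "ResponseCode": status,
            "CustomResponseBodyKey": body_key,
            "ResponseHeaders": [{"Name": "Retry-After", "Value": "60"}],
        }}},
        "VisibilityConfig": _visibility(name),
    }


def label_allow_rule(name, priority, label, header_name, header_value):
    """Web ACL rule that lets labelled requests through but inserts a request header,
    so the origin can require step-up authentication instead of a hard block."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
        "Action": {"Allow": {"CustomRequestHandling": {
            "InsertHeaders": [{"Name": header_name, "Value": header_value}]}}},
        "VisibilityConfig": _visibility(name),
    }


def custom_response_bodies(body_key):
    """Web ACL-level CustomResponseBodies entry referenced by the block rule."""
    return {body_key: {"ContentType": "APPLICATION_JSON",
                       "Content": json.dumps({"error": "too many login attempts"})}}


def atp_labels(record):
    """ATP labels on one WAF log record (the log's labels field is a list of {"name"})."""
    return {lab["name"] for lab in record.get("labels", [])
            if lab["name"].startswith(ATP_LABEL_PREFIX)}


def triage(log_lines, block_label):
    """Per-client-IP summary of ATP activity from JSON-lines WAF logs.

    would_block counts requests carrying block_label, i.e. the requests that the
    label_block_rule above would stop once the matching ATP rule is set to Count."""
    summary = defaultdict(lambda: {"requests": 0, "labels": set(), "would_block": 0})
    for line in log_lines:
        rec = json.loads(line)
        entry = summary[rec["httpRequest"]["clientIp"]]
        entry["requests"] += 1
        labels = atp_labels(rec)
        entry["labels"] |= labels
        if block_label in labels:
            entry["would_block"] += 1
    return dict(summary)


def _rec(ip, action, labels):
    """Constructed sample record carrying only the fields this script reads."""
    return json.dumps({
        "timestamp": 1700000000000, "action": action,
        "httpRequest": {"clientIp": ip, "uri": "/api/login", "httpMethod": "POST"},
        "labels": [{"name": n} for n in labels],
    })


SAMPLE_LOG_LINES = [  # constructed; actions are ALLOW because ATP is in Count mode
    _rec("198.51.100.7", "ALLOW", [VOLUMETRIC_IP_LABEL]),
    _rec("198.51.100.7", "ALLOW", [VOLUMETRIC_IP_LABEL, COMPROMISED_CREDS_LABEL]),
    _rec("203.0.113.5", "ALLOW", []),
]

if __name__ == "__main__":
    rules = [
        label_block_rule("block-atp-volumetric-ip", 2, VOLUMETRIC_IP_LABEL, "atp-throttled"),
        label_allow_rule("tag-atp-compromised", 3, COMPROMISED_CREDS_LABEL,
                         "x-atp-signal", "compromised"),
    ]
    print(json.dumps({"Rules": rules,
                      "CustomResponseBodies": custom_response_bodies("atp-throttled")},
                     indent=2))
    for ip, s in triage(SAMPLE_LOG_LINES, VOLUMETRIC_IP_LABEL).items():
        print(ip, s["requests"], s["would_block"], sorted(s["labels"]))
```

Run the triage over a day of real log output before switching the label rule from Count to Block: the per-IP view shows whether the volumetric label lands on a few abusive sources or is spread across legitimate clients behind a shared NAT, which is the usual reason to prefer the allow-and-tag rule for a given label.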