Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group
VendorName: AWS, Name: AWSManagedRulesACFPRuleSet
The Amazon WAF Fraud Control account creation fraud prevention (ACFP) managed rule group labels and manages requests that might be part of fraudulent account creation attempts. The rule group does this by inspecting account creation requests that clients send to your application's registration and account creation endpoints.
The ACFP rule group inspects account creation attempts in various ways, to give you visibility and control over potentially malicious interactions. The rule group uses request tokens to gather information about the client browser and about the level of human interactivity in the creation of the account creation request. The rule group detects and manages bulk account creation attempts by aggregating requests by IP address and client session, and aggregating by the provided account information such as the physical address and phone number. Additionally, the rule group detects and blocks the creation of new accounts using credentials that have been compromised, which helps protect the security posture of your application and of your new users.
Considerations for using this rule group
This rule group requires custom configuration, which includes the specification of your application's account registration and account creation paths. Except where noted, the rules in this rule group inspect all requests that your clients send to these two endpoints. To configure and implement this rule group, see the guidance at Amazon WAF Fraud Control account creation fraud prevention (ACFP).
Note
You are charged additional fees when you use this managed rule group. For more information, see Amazon WAF Pricing
This rule group is part of the intelligent threat mitigation protections in Amazon WAF. For information, see Amazon WAF intelligent threat mitigation.
To keep your costs down and to be sure you're managing your web traffic as you want, use this rule group in accordance with the guidance at Best practices for intelligent threat mitigation.
This rule group isn't available for use with Amazon Cognito user pools. You can't associate a web ACL that uses this rule group with a user pool, and you can't add this rule group to a web ACL that's already associated with a user pool.
This rule group doesn't provide versioning or SNS update notifications.
Labels added by this rule group
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. Amazon WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Labels on web requests and Label metrics and dimensions.
Token labels
This rule group uses Amazon WAF token management to inspect and label web requests according to the status of their Amazon WAF tokens. Amazon WAF uses tokens for client session tracking and verification.
For information about tokens and token management, see Amazon WAF web request tokens.
For information about the label components described here, see Amazon WAF label syntax and naming requirements.
Client session label
The label awswaf:managed:token:id: contains a unique identifier that Amazon WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using. identifier
Note
Amazon WAF doesn't report Amazon CloudWatch metrics for this label.
Token status labels: Label namespace prefixes
Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.
Each token status label begins with one of the following namespace prefixes:
awswaf:managed:token:– Used to report the general status of the token and to report on the status of the token's challenge information.awswaf:managed:captcha:– Used to report on the status of the token's CAPTCHA information.
Token status labels: Label names
Following the prefix, the rest of the label provides detailed token status information:
accepted– The request token is present and contains the following:A valid challenge or CAPTCHA solution.
An unexpired challenge or CAPTCHA timestamp.
A domain specification that's valid for the web ACL.
Example: The label
awswaf:managed:token:acceptedindicates that the web requests's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.-
rejected– The request token is present but doesn't meet the acceptance criteria.Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.
rejected:not_solved– The token is missing the challenge or CAPTCHA solution.rejected:expired– The token's challenge or CAPTCHA timestamp has expired, according to your web ACL's configured token immunity times.rejected:domain_mismatch– The token's domain isn't a match for your web ACL's token domain configuration.rejected:invalid– Amazon WAF couldn't read the indicated token.
Example: The labels
awswaf:managed:captcha:rejectedandawswaf:managed:captcha:rejected:expiredindicate that the request was rejected because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the web ACL. -
absent– The request doesn't have the token or the token manager couldn't read it.Example: The label
awswaf:managed:captcha:absentindicates that the request doesn't have the token.
ACFP labels
This rule group generates labels with the namespace prefix
awswaf:managed:aws:acfp: followed by the custom namespace and
label name. The rule group might add more than one label to a request.
You can retrieve all labels for a rule group through the API by calling
DescribeManagedRuleGroup. The labels are listed in the
AvailableLabels property in the response.
Account creation fraud prevention rules listing
This section lists the ACFP rules in AWSManagedRulesACFPRuleSet and the labels that the rule group's
rules add to web requests.
Note
The information that we publish for the rules in the Amazon Managed Rules rule groups is intended to provide you
with enough information to use the rules while not providing information that
bad actors could use to circumvent the rules. If you need more information than
you find in this documentation, contact the Amazon Web Services Support Center
All of the rules in this rule group require a web request token, except for the first
two UnsupportedCognitoIDP and AllRequests. For
a description of the information that the token provides, see Amazon WAF token characteristics.
Except where noted, the rules in this rule group inspect all requests that your clients send to the account registration and account creation page paths that you provide in the rule group configuration. For information about configuring this rule group, see Amazon WAF Fraud Control account creation fraud prevention (ACFP).
| Rule name | Description and label |
|---|---|
UnsupportedCognitoIDP |
Inspects for web traffic going to an Amazon Cognito user pool. ACFP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ACFP rule group rules are not used to evaluate user pool traffic. Rule action: Block Label:
|
AllRequests |
Applies the rule action to requests that access the registration page path. You configure the registration page path when you configure the rule group. By default, this rule applies the Challenge to requests. By applying this action, the rule ensures that the client acquires a challenge token before any requests are evaluated by the rest of the rules in the rule group. Ensure that your end users load the registration page path before they submit an account creation request. Tokens are added to requests by the client application integration SDKs and by the rule actions CAPTCHA and Challenge. For the most efficient token acquisition, we highly recommend that you use the application integration SDKs. For more information, see Amazon WAF client application integration. Rule action: Challenge Label: None |
RiskScoreHigh |
Inspects for account creation requests with IP addresses or other factors
that are considered to be highly suspicious. This evaluation
is usually based on multiple contributing factors,
which you can see in Rule action: Block Label:
The rule might also apply If Amazon WAF doesn't succeed at evaluating the risk
score for the web request, the rule adds the label
Additionally,
the rule adds labels with the namespace
|
SignalCredentialCompromised |
Searches the stolen credential database for the credentials that were submitted in the account creation request. This rule ensures that new clients initialize their accounts with positive security posture. NoteYou can add a custom blocking response, to describe the problem to your end user and tell them how to proceed. For information, see ACFP example: Custom response for compromised credentials. Rule action: Block Label: The rule group applies the following related label,
but takes no action on it, because not all requests
in account creation will have credentials:
|
SignalClientHumanInteractivityAbsentLow |
Inspects the account creation request's token for data that indicates abnormal human interactivity with the application. Human interactivity is detected through interactions such as mouse movements and key presses. If the page has an HTML form, human interactivity includes interactions with the form. NoteThis rule only inspects requests to the account creation path and is only evaluated if you've implemented the application integration SDKs. The SDK implementations passively capture human interactivity and stores the information in the request token. For more information, see Amazon WAF token characteristics and Amazon WAF client application integration. Rule action: CAPTCHA Label: None. The rule determines a match based on varying factors, so there is no individual label that applies for every possible match scenario. The rule group can apply one or more of the following labels to requests:
|
SignalAutomatedBrowser |
Inspects the request for indicators that the client browser might be automated. Rule action: Block Label:
|
SignalBrowserInconsistency |
Inspects the request's token for inconsistent browser interrogation data. For more information, see Amazon WAF token characteristics. Rule action: CAPTCHA Label:
|
VolumetricIpHigh |
Inspects for high volumes of account creation requests sent from individual IP addresses. A high volume is more than 20 requests in a 10 minute window. NoteThe thresholds that this rule applies can vary slightly due to latency. For the high volume, a few requests might make it through beyond the limit before the rule action is applied. Rule action: CAPTCHA Label:
The rule applies the following labels to requests with medium volumes (16-20
requests per 10 minute window) and low volumes
(11-15 requests per 10 minute window), but takes no
action on them:
|
VolumetricSessionHigh |
Inspects for high volumes of account creation requests sent from individual client sessions. A high volume is more than 10 requests in a 30 minute window. NoteThe thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Label:
The rule group applies the following labels to
requests with medium volumes (6-10 requests per 30
minute window) and low volumes (2-5 requests per 30
minute window), but takes no action on them:
|
AttributeUsernameTraversalHigh |
Inspects for a high rate of account creation requests from a single client session that use different usernames. The threshold for a high evaluation is more than 10 requests in 30 minutes. NoteThe thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Label:
The rule group applies the following labels to
requests with medium volumes (6-10 requests per 30
minute window) and low volumes (2-5 requests per 30
minute window) of username traversal requests, but
takes no action on them:
|
VolumetricPhoneNumberHigh |
Inspects for high volumes of account creation requests that use the same phone number. The threshold for a high evaluation is more than 10 requests in 30 minutes. NoteThe thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Label:
The rule group applies the following labels to requests with medium volumes (6-10
requests per 30 minute window) and low volumes (2-5
requests per 30 minute window), but takes no action
on them:
|
VolumetricAddressHigh |
Inspects for high volumes of account creation requests that use the same physical address. The threshold for a high evaluation is more than 100 requests per 30 minute window. NoteThe thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Label:
|
VolumetricAddressLow |
Inspects for low and medium volumes of account creation requests that use the same physical address. The threshold for a medium evaluation is more than 51-100 requests per 30 minute window, and for a low evaluation is 11-50 requests per 30 minute window. The rule applies the action for either medium or low volumes. NoteThe thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: CAPTCHA Label:
|
VolumetricIPSuccessfulResponse |
Inspects for a high volume of successful account creation requests for a single IP address. This rule aggregates success responses from the protected resource to account creation requests. The threshold for a high evaluation is more than 10 requests per 10 minute window. This rule helps protect against bulk account creation attempts. It has a lower
threshold than the rule
If you've configured the rule group to inspect the response body or JSON components, Amazon WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators. This rule applies the rule action and labeling to new web requests from an IP address, based on the success and failure responses from the protected resource to recent login attempts from the same IP address. You define how to count successes and failures when you configure the rule group. NoteAmazon WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions. NoteThe thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more successful account creation attempts than are allowed before the rule starts matching on subsequent attempts. Rule action: Block Label:
The rule group also applies the following related labels to
requests, without any associated action. All counts are for a 10-minute window.
|
VolumetricSessionSuccessfulResponse |
Inspects for a low volume of success responses from the protected resource to account creation requests that are being sent from a single client session. This helps to protect against bulk account creation attempts. The threshold for a low evaluation is more than 1 request per 30 minute window. This helps protect against bulk account creation
attempts. This rule uses a lower threshold than the rule
If you've configured the rule group to inspect the response body or JSON components, Amazon WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators. This rule applies the rule action and labeling to new web requests from a client session, based on the success and failure responses from the protected resource to recent login attempts from the same client session. You define how to count successes and failures when you configure the rule group. NoteAmazon WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions. NoteThe thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more failed account creation attempts than are allowed before the rule starts matching on subsequent attempts. Rule action: Block Label:
The rule group also applies the following related labels to requests. All counts are for a 30-minute window.
|
VolumetricSessionTokenReuseIp |
Inspects account creation requests for the use of a single token among more than 5 distinct IP addresses. NoteThe thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Label:
|