Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group

VendorName: AWS, Name: AWSManagedRulesACFPRuleSet, WCU: 50

The Amazon WAF Fraud Control account creation fraud prevention (ACFP) managed rule group labels and manages requests that might be part of fraudulent account creation attempts. The rule group does this by inspecting account creation requests that clients send to your application's registration and account creation endpoints.

The ACFP rule group inspects account creation attempts in various ways, to give you visibility and control over potentially malicious interactions. The rule group uses request tokens to gather information about the client browser and about the level of human interactivity in the creation of the account creation request. The rule group detects and manages bulk account creation attempts by aggregating requests by IP address and client session, and aggregating by the provided account information such as the physical address and phone number. Additionally, the rule group detects and blocks the creation of new accounts using credentials that have been compromised, which helps protect the security posture of your application and of your new users.

Considerations for using this rule group

This rule group requires custom configuration, which includes the specification of your application's account registration and account creation paths. Except where noted, the rules in this rule group inspect all requests that your clients send to these two endpoints. To configure and implement this rule group, see the guidance at Amazon WAF Fraud Control account creation fraud prevention (ACFP).

Note

You are charged additional fees when you use this managed rule group. For more information, see Amazon WAF Pricing.

This rule group is part of the intelligent threat mitigation protections in Amazon WAF. For information, see Amazon WAF intelligent threat mitigation.

To keep your costs down and to be sure you're managing your web traffic as you want, use this rule group in accordance with the guidance at Best practices for intelligent threat mitigation.

This rule group isn't available for use with Amazon Cognito user pools. You can't associate a web ACL that uses this rule group with a user pool, and you can't add this rule group to a web ACL that's already associated with a user pool.

Labels added by this rule group

This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. Amazon WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Labels on web requests and Label metrics and dimensions.

Token labels

This rule group uses Amazon WAF token management to inspect and label web requests according to the status of their Amazon WAF tokens. Amazon WAF uses tokens for client session tracking and verification.

For information about tokens and token management, see Amazon WAF web request tokens.

For information about the label components described here, see Amazon WAF label syntax and naming requirements.

Client session label

The label awswaf:managed:token:id:identifier contains a unique identifier that Amazon WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.

Note

Amazon WAF doesn't report Amazon CloudWatch metrics for this label.

Token status labels: Label namespace prefixes

Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.

Each token status label begins with one of the following namespace prefixes:

  • awswaf:managed:token: – Used to report the general status of the token and to report on the status of the token's challenge information.

  • awswaf:managed:captcha: – Used to report on the status of the token's CAPTCHA information.

Token status labels: Label names

Following the prefix, the rest of the label provides detailed token status information:

  • accepted – The request token is present and contains the following:

    • A valid challenge or CAPTCHA solution.

    • An unexpired challenge or CAPTCHA timestamp.

    • A domain specification that's valid for the web ACL.

    Example: The label awswaf:managed:token:accepted indicates that the web requests's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.

  • rejected – The request token is present but doesn't meet the acceptance criteria.

    Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.

    • rejected:not_solved – The token is missing the challenge or CAPTCHA solution.

    • rejected:expired – The token's challenge or CAPTCHA timestamp has expired, according to your web ACL's configured token immunity times.

    • rejected:domain_mismatch – The token's domain isn't a match for your web ACL's token domain configuration.

    • rejected:invalid – Amazon WAF couldn't read the indicated token.

    Example: The labels awswaf:managed:captcha:rejected and awswaf:managed:captcha:rejected:expired indicate that the request was rejected because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the web ACL.

  • absent – The request doesn't have the token or the token manager couldn't read it.

    Example: The label awswaf:managed:captcha:absent indicates that the request doesn't have the token.

ACFP labels

This rule group generates labels with the namespace prefix awswaf:managed:aws:acfp: followed by the custom namespace and label name. The rule group might add more than one label to a request.

You can retrieve all labels for a rule group through the API by calling DescribeManagedRuleGroup. The labels are listed in the AvailableLabels property in the response.

Account creation fraud prevention rules listing

This section lists the ACFP rules in AWSManagedRulesACFPRuleSet and the labels that the rule group's rules add to web requests.

Note

The information that we publish for the rules in the Amazon Managed Rules rule groups is intended to provide you with enough information to use the rules while not providing information that bad actors could use to circumvent the rules. If you need more information than you find in this documentation, contact the Amazon Web Services Support Center.

All of the rules in this rule group require a web request token, except for the first two UnsupportedCognitoIDP and AllRequests. For a description of the information that the token provides, see Amazon WAF token characteristics.

Except where noted, the rules in this rule group inspect all requests that your clients send to the account registration and account creation page paths that you provide in the rule group configuration. For information about configuring this rule group, see Amazon WAF Fraud Control account creation fraud prevention (ACFP).

Rule name Description and label
UnsupportedCognitoIDP

Inspects for web traffic going to an Amazon Cognito user pool. ACFP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ACFP rule group rules are not used to evaluate user pool traffic.

Rule action: Block

Label: awswaf:managed:aws:acfp:unsupported:cognito_idp

AllRequests

Applies the rule action to requests that access the registration page path. You configure the registration page path when you configure the rule group.

By default, this rule applies the Challenge to requests. By applying this action, the rule ensures that the client acquires a challenge token before any requests are evaluated by the rest of the rules in the rule group.

Ensure that your end users load the registration page path before they submit an account creation request.

Tokens are added to requests by the client application integration SDKs and by the rule actions CAPTCHA and Challenge. For the most efficient token acquisition, we highly recommend that you use the application integration SDKs. For more information, see Amazon WAF client application integration.

Rule action: Challenge

Label: None

RiskScoreHigh

Inspects for account creation requests with IP addresses or other factors that are considered to be highly suspicious. This evaluation is usually based on multiple contributing factors, which you can see in risk_score labels that the rule group adds to the request.

Rule action: Block

Label: awswaf:managed:aws:acfp:risk_score:high

The rule might also apply medium or low risk score labels to the request.

If Amazon WAF doesn't succeed at evaluating the risk score for the web request, the rule adds the label awswaf:managed:aws:acfp:risk_score:evaluation_failed

Additionally, the rule adds labels with the namespace awswaf:managed:aws:acfp:risk_score:contributor: that include risk score evaluation status and results for specific risk score contributors, such as IP reputation and stolen credentials evaluations.

SignalCredentialCompromised

Searches the stolen credential database for the credentials that were submitted in the account creation request.

This rule ensures that new clients initialize their accounts with positive security posture.

Note

You can add a custom blocking response, to describe the problem to your end user and tell them how to proceed. For information, see ACFP example: Custom response for compromised credentials.

Rule action: Block

Label: awswaf:managed:aws:acfp:signal:credential_compromised

The rule group applies the following related label, but takes no action on it, because not all requests in account creation will have credentials: awswaf:managed:aws:acfp:signal:missing_credential

SignalClientHumanInteractivityAbsentLow

Inspects the account creation request's token for data that indicates abnormal human interactivity with the application. Human interactivity is detected through interactions such as mouse movements and key presses. If the page has an HTML form, human interactivity includes interactions with the form.

Note

This rule only inspects requests to the account creation path and is only evaluated if you've implemented the application integration SDKs. The SDK implementations passively capture human interactivity and stores the information in the request token. For more information, see Amazon WAF token characteristics and Amazon WAF client application integration.

Rule action: CAPTCHA

Label: None. The rule determines a match based on varying factors, so there is no individual label that applies for every possible match scenario.

The rule group can apply one or more of the following labels to requests:

awswaf:managed:aws:acfp:signal:client:human_interactivity:low/medium/high

awswaf:managed:aws:acfp:signal:client:human_interactivity:insufficient_data

awswaf:managed:aws:acfp:signal:form_detected.

SignalAutomatedBrowser

Inspects the request for indicators that the client browser might be automated.

Rule action: Block

Label: awswaf:managed:aws:acfp:signal:automated_browser

SignalBrowserInconsistency

Inspects the request's token for inconsistent browser interrogation data. For more information, see Amazon WAF token characteristics.

Rule action: CAPTCHA

Label: awswaf:managed:aws:acfp:signal:browser_inconsistency

VolumetricIpHigh

Inspects for high volumes of account creation requests sent from individual IP addresses. A high volume is more than 20 requests in a 10 minute window.

Note

The thresholds that this rule applies can vary slightly due to latency. For the high volume, a few requests might make it through beyond the limit before the rule action is applied.

Rule action: CAPTCHA

Label: awswaf:managed:aws:acfp:aggregate:volumetric:ip:creation:high

The rule applies the following labels to requests with medium volumes (16-20 requests per 10 minute window) and low volumes (11-15 requests per 10 minute window), but takes no action on them: awswaf:managed:aws:acfp:aggregate:volumetric:ip:creation:medium and awswaf:managed:aws:acfp:aggregate:volumetric:ip:creation:low.

VolumetricSessionHigh

Inspects for high volumes of account creation requests sent from individual client sessions. A high volume is more than 10 requests in a 30 minute window.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Label: awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:high

The rule group applies the following labels to requests with medium volumes (6-10 requests per 30 minute window) and low volumes (2-5 requests per 30 minute window), but takes no action on them: awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:medium and awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:low.

AttributeUsernameTraversalHigh

Inspects for a high rate of account creation requests from a single client session that use different usernames. The threshold for a high evaluation is more than 10 requests in 30 minutes.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Label: awswaf:managed:aws:acfp:aggregate:attribute:username_traversal:creation:high

The rule group applies the following labels to requests with medium volumes (6-10 requests per 30 minute window) and low volumes (2-5 requests per 30 minute window) of username traversal requests, but takes no action on them: awswaf:managed:aws:acfp:aggregate:attribute:username_traversal:creation:medium and awswaf:managed:aws:acfp:aggregate:attribute:username_traversal:creation:low.

VolumetricPhoneNumberHigh

Inspects for high volumes of account creation requests that use the same phone number. The threshold for a high evaluation is more than 10 requests in 30 minutes.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Label: awswaf:managed:aws:acfp:aggregate:volumetric:phone_number:high

The rule group applies the following labels to requests with medium volumes (6-10 requests per 30 minute window) and low volumes (2-5 requests per 30 minute window), but takes no action on them: awswaf:managed:aws:acfp:aggregate:volumetric:phone_number:medium and awswaf:managed:aws:acfp:aggregate:volumetric:phone_number:low.

VolumetricAddressHigh

Inspects for high volumes of account creation requests that use the same physical address. The threshold for a high evaluation is more than 100 requests per 30 minute window.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Label: awswaf:managed:aws:acfp:aggregate:volumetric:address:high

VolumetricAddressLow

Inspects for low and medium volumes of account creation requests that use the same physical address. The threshold for a medium evaluation is more than 51-100 requests per 30 minute window, and for a low evaluation is 11-50 requests per 30 minute window.

The rule applies the action for either medium or low volumes.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: CAPTCHA

Label: awswaf:managed:aws:acfp:aggregate:volumetric:address:low or awswaf:managed:aws:acfp:aggregate:volumetric:address:medium

VolumetricIPSuccessfulResponse

Inspects for a high volume of successful account creation requests for a single IP address. This rule aggregates success responses from the protected resource to account creation requests. The threshold for a high evaluation is more than 10 requests per 10 minute window.

This rule helps protect against bulk account creation attempts. It has a lower threshold than the rule VolumetricIpHigh, which counts just the requests.

If you've configured the rule group to inspect the response body or JSON components, Amazon WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators.

This rule applies the rule action and labeling to new web requests from an IP address, based on the success and failure responses from the protected resource to recent login attempts from the same IP address. You define how to count successes and failures when you configure the rule group.

Note

Amazon WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions.

Note

The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more successful account creation attempts than are allowed before the rule starts matching on subsequent attempts.

Rule action: Block

Label: awswaf:managed:aws:acfp:aggregate:volumetric:ip:successful_creation_response:high

The rule group also applies the following related labels to requests, without any associated action. All counts are for a 10-minute window. awswaf:managed:aws:acfp:aggregate:volumetric:ip:successful_creation_response:medium for more than 5 successful requests, awswaf:managed:aws:acfp:aggregate:volumetric:ip:successful_creation_response:low for more than 1 successful request, awswaf:managed:aws:acfp:aggregate:volumetric:ip:failed_creation_response:high for more than 10 failed requests, awswaf:managed:aws:acfp:aggregate:volumetric:ip:failed_creation_response:medium for more than 5 failed requests, and awswaf:managed:aws:acfp:aggregate:volumetric:ip:failed_creation_response:low for more than 1 failed request.

VolumetricSessionSuccessfulResponse

Inspects for a low volume of success responses from the protected resource to account creation requests that are being sent from a single client session. This helps to protect against bulk account creation attempts. The threshold for a low evaluation is more than 1 request per 30 minute window.

This helps protect against bulk account creation attempts. This rule uses a lower threshold than the rule VolumetricSessionHigh, which tracks only the requests.

If you've configured the rule group to inspect the response body or JSON components, Amazon WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators.

This rule applies the rule action and labeling to new web requests from a client session, based on the success and failure responses from the protected resource to recent login attempts from the same client session. You define how to count successes and failures when you configure the rule group.

Note

Amazon WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions.

Note

The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more failed account creation attempts than are allowed before the rule starts matching on subsequent attempts.

Rule action: Block

Label: awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:low

The rule group also applies the following related labels to requests. All counts are for a 30-minute window. awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:high for more than 10 successful requests, awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:medium for more than 5 successful requests, awswaf:managed:aws:acfp:aggregate:volumetric:session:failed_creation_response:high for more than 10 failed requests, awswaf:managed:aws:acfp:aggregate:volumetric:session:failed_creation_response:medium for more than 5 failed requests, and awswaf:managed:aws:acfp:aggregate:volumetric:session:failed_creation_response:low for more than 1 failed request.

VolumetricSessionTokenReuseIp

Inspects account creation requests for the use of a single token among more than 5 distinct IP addresses.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Label: awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:token_reuse:ip