Amazon WAF Fraud Control account takeover prevention (ATP) rule group

This section explains what the Amazon WAF Fraud Control account takeover prevention (ATP) managed rule group does.

VendorName: AWS, Name: AWSManagedRulesATPRuleSet, WCU: 50

Note

This documentation covers the most recent static version release of this managed rule group. We report version changes in the Amazon Managed Rules changelog. For information about other versions, use the API command DescribeManagedRuleGroup.

The information that we publish for the rules in the Amazon Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.

If you need more information than you find here, contact the Amazon Web Services Support Center.

The Amazon WAF Fraud Control account takeover prevention (ATP) managed rule group labels and manages requests that might be part of malicious account takeover attempts. The rule group does this by inspecting login attempts that clients send to your application's login endpoint.

  • Request inspection – ATP gives you visibility and control over anomalous login attempts and login attempts that use stolen credentials, to prevent account takeovers that might lead to fraudulent activity. ATP checks email and password combinations against its stolen credential database, which is updated regularly as new leaked credentials are found on the dark web. ATP aggregates data by IP address and client session, to detect and block clients that send too many requests of a suspicious nature.

  • Response inspection – For CloudFront distributions, in addition to inspecting incoming login requests, the ATP rule group inspects your application's responses to login attempts, to track success and failure rates. Using this information, ATP can temporarily block client sessions or IP addresses that have too many login failures. Amazon WAF performs response inspection asynchronously, so this doesn't increase latency in your web traffic.

Considerations for using this rule group

This rule group requires specific configuration. To configure and implement this rule group, see the guidance at Amazon WAF Fraud Control account takeover prevention (ATP).

This rule group is part of the intelligent threat mitigation protections in Amazon WAF. For information, see Intelligent threat mitigation in Amazon WAF.

Note

You are charged additional fees when you use this managed rule group. For more information, see Amazon WAF Pricing.

To keep your costs down and to be sure you're managing your web traffic as you want, use this rule group in accordance with the guidance at Best practices for intelligent threat mitigation in Amazon WAF.

This rule group isn't available for use with Amazon Cognito user pools. You can't associate a web ACL that uses this rule group with a user pool, and you can't add this rule group to a web ACL that's already associated with a user pool.

Labels added by this rule group

This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. Amazon WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.

Token labels

This rule group uses Amazon WAF token management to inspect and label web requests according to the status of their Amazon WAF tokens. Amazon WAF uses tokens for client session tracking and verification.

For information about tokens and token management, see Token use in Amazon WAF intelligent threat mitigation.

For information about the label components described here, see Label syntax and naming requirements in Amazon WAF.

Client session label

The label awswaf:managed:token:id:identifier contains a unique identifier that Amazon WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.

Note

Amazon WAF doesn't report Amazon CloudWatch metrics for this label.

Browser fingerprint label

The label awswaf:managed:token:fingerprint:fingerprint-identifier contains a robust browser fingerprint identifier that Amazon WAF token management computes from various client browser signals. This identifier stays the same across multiple token acquisition attempts. The fingerprint identifier is not unique to a single client.

Note

Amazon WAF doesn't report Amazon CloudWatch metrics for this label.

Token status labels: Label namespace prefixes

Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.

Each token status label begins with one of the following namespace prefixes:

  • awswaf:managed:token: – Used to report the general status of the token and to report on the status of the token's challenge information.

  • awswaf:managed:captcha: – Used to report on the status of the token's CAPTCHA information.

Token status labels: Label names

Following the prefix, the rest of the label provides detailed token status information:

  • accepted – The request token is present and contains the following:

    • A valid challenge or CAPTCHA solution.

    • An unexpired challenge or CAPTCHA timestamp.

    • A domain specification that's valid for the web ACL.

    Example: The label awswaf:managed:token:accepted indicates that the web request's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.

  • rejected – The request token is present but doesn't meet the acceptance criteria.

    Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.

    • rejected:not_solved – The token is missing the challenge or CAPTCHA solution.

    • rejected:expired – The token's challenge or CAPTCHA timestamp has expired, according to your web ACL's configured token immunity times.

    • rejected:domain_mismatch – The token's domain isn't a match for your web ACL's token domain configuration.

    • rejected:invalid – Amazon WAF couldn't read the indicated token.

    Example: The labels awswaf:managed:captcha:rejected and awswaf:managed:captcha:rejected:expired indicate that the request was rejected because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the web ACL.

  • absent – The request doesn't have the token or the token manager couldn't read it.

    Example: The label awswaf:managed:captcha:absent indicates that the request doesn't have the token.

ATP labels

The ATP managed rule group generates labels with the namespace prefix awswaf:managed:aws:atp: followed by the custom namespace and label name.

The rule group might add any of the following labels in addition to the labels that are noted in the rules listing:

  • awswaf:managed:aws:atp:signal:credential_compromised – Indicates that the credentials that were submitted in the request are in the stolen credential database.

  • awswaf:managed:aws:atp:aggregate:attribute:suspicious_tls_fingerprint – Available only for protected Amazon CloudFront distributions. Indicates that a client session has sent multiple requests that used a suspicious TLS fingerprint.

  • awswaf:managed:aws:atp:aggregate:volumetric:session:token_reuse:ip – Indicates the use of a single token among more than 5 distinct IP addresses. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the label is applied.

You can retrieve all labels for a rule group through the API by calling DescribeManagedRuleGroup. The labels are listed in the AvailableLabels property in the response.
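The labels described above are only useful to rules that Amazon WAF evaluates after the ATP rule group. The following added example (not AWS documentation code) shows a web ACL rule list that runs the rule group with request and response inspection and then CAPTCHAs requests carrying the medium-volume IP label, which the rule group adds without acting on, together with a check that such follow-on rules are ordered after the rule group. The login path, the JSON field pointers and the status-code split are assumed values.

```python
from typing import Dict, List

ATP_PREFIX = "awswaf:managed:aws:atp:"
ATP_NAME = "AWSManagedRulesATPRuleSet"

def visibility(name: str) -> Dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}

# Rule 1: the ATP rule group with request and response inspection configured.
# LoginPath, the JSON pointers and the success/failure status codes are assumed.
ATP_RULE = {
    "Name": "ATP", "Priority": 10, "OverrideAction": {"None": {}},
    "VisibilityConfig": visibility("ATP"),
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": ATP_NAME,
        "ManagedRuleGroupConfigs": [{ATP_NAME: {
            "LoginPath": "/api/login",
            "RequestInspection": {"PayloadType": "JSON",
                                  "UsernameField": {"Identifier": "/email"},
                                  "PasswordField": {"Identifier": "/password"}},
            "ResponseInspection": {"StatusCode": {"SuccessCodes": [200],
                                                  "FailureCodes": [401]}}}}]}}}

# Rule 2: act on a label the rule group adds without taking action itself.
# Priority 20 > 10, so Amazon WAF evaluates it after ATP has labelled the request.
CAPTCHA_MEDIUM_VOLUME = {
    "Name": "CaptchaMediumVolumeIp", "Priority": 20, "Action": {"Captcha": {}},
    "VisibilityConfig": visibility("CaptchaMediumVolumeIp"),
    "Statement": {"LabelMatchStatement": {
        "Scope": "LABEL", "Key": ATP_PREFIX + "aggregate:volumetric:ip:medium"}}}

WEB_ACL_RULES: List[Dict] = [ATP_RULE, CAPTCHA_MEDIUM_VOLUME]

def misordered_atp_label_rules(rules: List[Dict]) -> List[str]:
    """Names of label-match rules on ATP labels that would be evaluated before
    (or without) the ATP rule group, so their label could never match.
    Lower priority numbers are evaluated first."""
    atp_priorities = [r["Priority"] for r in rules
                      if r["Statement"].get("ManagedRuleGroupStatement", {})
                      .get("Name") == ATP_NAME]
    first_atp = min(atp_priorities) if atp_priorities else float("inf")
    bad = []
    for r in rules:
        lm = r["Statement"].get("LabelMatchStatement")
        if lm and lm["Key"].startswith(ATP_PREFIX) and r["Priority"] <= first_atp:
            bad.append(r["Name"])
    return bad
```

The same check applies to a rule matching awswaf:managed:token:rejected, if you extend the prefix test to the token namespace.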

Account takeover prevention rules listing

This section lists the ATP rules in AWSManagedRulesATPRuleSet and the labels that the rule group's rules add to web requests.

Each entry below gives the rule name, followed by the rule's description, action, and labels.

UnsupportedCognitoIDP

Inspects for web traffic going to an Amazon Cognito user pool. ATP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ATP rule group rules are not used to evaluate user pool traffic.

Rule action: Block

Labels: awswaf:managed:aws:atp:unsupported:cognito_idp and awswaf:managed:aws:atp:UnsupportedCognitoIDP

VolumetricIpHigh

Inspects for high volumes of requests sent from individual IP addresses. A high volume is more than 20 requests in a 10 minute window.

Note

The thresholds that this rule applies can vary slightly due to latency. For the high volume, a few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:volumetric:ip:high and awswaf:managed:aws:atp:VolumetricIpHigh

The rule group applies the following labels to requests with medium volumes (more than 15 requests per 10 minute window) and low volumes (more than 10 requests per 10 minute window), but takes no action on them: awswaf:managed:aws:atp:aggregate:volumetric:ip:medium and awswaf:managed:aws:atp:aggregate:volumetric:ip:low.

VolumetricSession

Inspects for high volumes of requests sent from individual client sessions. The threshold is more than 20 requests per 30 minute window.

This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see Token use in Amazon WAF intelligent threat mitigation.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:volumetric:session and awswaf:managed:aws:atp:VolumetricSession

AttributeCompromisedCredentials

Inspects for multiple requests from the same client session that use stolen credentials.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials and awswaf:managed:aws:atp:AttributeCompromisedCredentials

AttributeUsernameTraversal

Inspects for multiple requests from the same client session that use username traversal.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:attribute:username_traversal and awswaf:managed:aws:atp:AttributeUsernameTraversal

AttributePasswordTraversal

Inspects for multiple requests with the same username that use password traversal.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:attribute:password_traversal and awswaf:managed:aws:atp:AttributePasswordTraversal

AttributeLongSession

Inspects for multiple requests from the same client session that use long lasting sessions. The threshold is more than 6 hours of traffic that has at least one login request every 30 minutes.

This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see Token use in Amazon WAF intelligent threat mitigation.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:attribute:long_session and awswaf:managed:aws:atp:AttributeLongSession

TokenRejected

Inspects for requests with tokens that are rejected by Amazon WAF token management.

This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see Token use in Amazon WAF intelligent threat mitigation.

Rule action: Block

Labels: None. To check for a rejected token, use a label match rule that matches on the label awswaf:managed:token:rejected.

SignalMissingCredential

Inspects for requests with credentials that are missing the username or password.

Rule action: Block

Labels: awswaf:managed:aws:atp:signal:missing_credential and awswaf:managed:aws:atp:SignalMissingCredential

VolumetricIpFailedLoginResponseHigh

Inspects for IP addresses that have recently been the source of too high a rate of failed login attempts. A high volume is more than 10 failed login requests from an IP address in a 10 minute window.

If you've configured the rule group to inspect the response body or JSON components, Amazon WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators.

This rule applies the rule action and labeling to new web requests from an IP address, based on the success and failure responses from the protected resource to recent login attempts from the same IP address. You define how to count successes and failures when you configure the rule group.

Note

Amazon WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions.

Note

The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more failed login attempts than are allowed before the rule starts matching on subsequent attempts.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:volumetric:ip:failed_login_response:high and awswaf:managed:aws:atp:VolumetricIpFailedLoginResponseHigh

The rule group also applies the following related labels to requests, without any associated action. All counts are for a 10-minute window.

  • awswaf:managed:aws:atp:aggregate:volumetric:ip:failed_login_response:medium – More than 5 failed requests.

  • awswaf:managed:aws:atp:aggregate:volumetric:ip:failed_login_response:low – More than 1 failed request.

  • awswaf:managed:aws:atp:aggregate:volumetric:ip:successful_login_response:high – More than 10 successful requests.

  • awswaf:managed:aws:atp:aggregate:volumetric:ip:successful_login_response:medium – More than 5 successful requests.

  • awswaf:managed:aws:atp:aggregate:volumetric:ip:successful_login_response:low – More than 1 successful request.

VolumetricSessionFailedLoginResponseHigh

Inspects for client sessions that have recently been the source of too high a rate of failed login attempts. A high volume is more than 10 failed login requests from a client session in a 30 minute window.

If you've configured the rule group to inspect the response body or JSON components, Amazon WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators.

This rule applies the rule action and labeling to new web requests from a client session, based on the success and failure responses from the protected resource to recent login attempts from the same client session. You define how to count successes and failures when you configure the rule group.

Note

Amazon WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions.

Note

The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more failed login attempts than are allowed before the rule starts matching on subsequent attempts.

This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see Token use in Amazon WAF intelligent threat mitigation.

Rule action: Block

Labels: awswaf:managed:aws:atp:aggregate:volumetric:session:failed_login_response:high and awswaf:managed:aws:atp:VolumetricSessionFailedLoginResponseHigh

The rule group also applies the following related labels to requests, without any associated action. All counts are for a 30-minute window.

  • awswaf:managed:aws:atp:aggregate:volumetric:session:failed_login_response:medium – More than 5 failed requests.

  • awswaf:managed:aws:atp:aggregate:volumetric:session:failed_login_response:low – More than 1 failed request.

  • awswaf:managed:aws:atp:aggregate:volumetric:session:successful_login_response:high – More than 10 successful requests.

  • awswaf:managed:aws:atp:aggregate:volumetric:session:successful_login_response:medium – More than 5 successful requests.

  • awswaf:managed:aws:atp:aggregate:volumetric:session:successful_login_response:low – More than 1 successful request.
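Several of the labels in this listing are added without a blocking action, so they surface only in Amazon WAF logs and label metrics. The following added example (not AWS documentation code) parses constructed Amazon WAF log records, whose labels field is a list of objects with a name key, and summarises per client IP how many requests were blocked while carrying an ATP label and which no-action ATP labels appeared on requests that were allowed through. The log records and IP addresses are constructed sample data.

```python
import json
from collections import Counter, defaultdict
from typing import Dict

ATP_PREFIX = "awswaf:managed:aws:atp:"
# Labels the rule group adds without blocking on its own, per the listing above.
NO_ACTION_LABELS = {
    ATP_PREFIX + "signal:credential_compromised",
    ATP_PREFIX + "aggregate:volumetric:ip:medium",
    ATP_PREFIX + "aggregate:volumetric:ip:low",
    ATP_PREFIX + "aggregate:volumetric:session:token_reuse:ip",
}

# Constructed Amazon WAF log records (one JSON object per line, fields trimmed).
SAMPLE_LOG = "\n".join([
    '{"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","uri":"/api/login"},'
    '"labels":[{"name":"awswaf:managed:token:accepted"},'
    '{"name":"awswaf:managed:aws:atp:signal:credential_compromised"}]}',
    '{"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.10","uri":"/api/login"},'
    '"labels":[{"name":"awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials"},'
    '{"name":"awswaf:managed:aws:atp:AttributeCompromisedCredentials"}]}',
    '{"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","uri":"/api/login"},'
    '"labels":[{"name":"awswaf:managed:aws:atp:aggregate:volumetric:ip:low"}]}',
    '{"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.5","uri":"/"},"labels":[]}',
])

def atp_label_summary(log_text: str) -> Dict[str, Dict]:
    """Per client IP: number of blocked requests that carried an ATP label, and
    a count of each no-action ATP label seen on allowed requests (candidates
    for a follow-on label-match rule or for investigation)."""
    summary = defaultdict(lambda: {"blocked": 0, "allowed_flagged": Counter()})
    for line in log_text.splitlines():
        rec = json.loads(line)
        ip = rec["httpRequest"]["clientIp"]
        names = {lab["name"] for lab in rec.get("labels", [])}
        atp_names = {n for n in names if n.startswith(ATP_PREFIX)}
        if not atp_names:
            continue  # request was not labelled by ATP at all
        entry = summary[ip]
        if rec["action"] == "BLOCK":
            entry["blocked"] += 1
        else:
            entry["allowed_flagged"].update(atp_names & NO_ACTION_LABELS)
    return {ip: {"blocked": e["blocked"], "allowed_flagged": dict(e["allowed_flagged"])}
            for ip, e in summary.items()}
```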