ACFP example: Custom response for compromised credentials
By default, the credentials check that's performed by the rule group AWSManagedRulesACFPRuleSet
handles compromised credentials by labeling the request and blocking it. For details about the rule group and rule behavior, see Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group.
To inform the user that the account credentials they've provided have been compromised, you can do the following:
-
Override the
SignalCredentialCompromised
rule to Count – This causes the rule to only count and label matching requests. -
Add a label match rule with custom handling – Configure this rule to match against the ACFP label and to perform your custom handling.
The following web ACL listings shows the ACFP managed rule group from the prior example, with the
SignalCredentialCompromised
rule action overridden to count. With this configuration, when this rule group evaluates any web request that uses
compromised credentials, it will label the request, but not block it.
In addition, the web ACL now has a custom response named aws-waf-credential-compromised
and a new rule named AccountSignupCompromisedCredentialsHandling
. The rule priority is a higher numeric
setting than the rule group, so it runs after the rule group in the web ACL evaluation. The new rule matches any request with
the rule group's compromised credentials label. When the rule finds a match, it applies the
Block action to the request with the custom response body. The custom response body provides information to the end user that their credentials have been compromised and proposes an action to take.
{ "Name": "compromisedCreds", "Id": "... ", "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/compromisedCreds/...", "DefaultAction": { "Allow": {} }, "Description": "", "Rules": [ { "Name": "AWS-AWSManagedRulesACFPRuleSet", "Priority": 0, "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesACFPRuleSet", "ManagedRuleGroupConfigs": [ { "AWSManagedRulesACFPRuleSet": { "CreationPath": "/web/signup/submit-registration", "RegistrationPagePath": "/web/signup/registration", "RequestInspection": { "PayloadType": "JSON", "UsernameField": { "Identifier": "/form/username" }, "PasswordField": { "Identifier": "/form/password" }, "EmailField": { "Identifier": "/form/email" }, "PhoneNumberFields": [ { "Identifier": "/form/country-code" }, { "Identifier": "/form/region-code" }, { "Identifier": "/form/phonenumber" } ], "AddressFields": [ { "Identifier": "/form/name" }, { "Identifier": "/form/street-address" }, { "Identifier": "/form/city" }, { "Identifier": "/form/state" }, { "Identifier": "/form/zipcode" } ] }, "EnableRegexInPath": false } } ], "RuleActionOverrides": [ { "Name": "SignalCredentialCompromised", "ActionToUse": { "Count": {} } } ] } }, "OverrideAction": { "None": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AWS-AWSManagedRulesACFPRuleSet" } }, { "Name": "AccountSignupCompromisedCredentialsHandling", "Priority": 1, "Statement": { "LabelMatchStatement": { "Scope": "LABEL", "Key": "awswaf:managed:aws:acfp:signal:credential_compromised" } }, "Action": { "Block": { "CustomResponse": { "ResponseCode": 406, "CustomResponseBodyKey": "aws-waf-credential-compromised", "ResponseHeaders": [ { "Name": "aws-waf-credential-compromised", "Value": "true" } ] } } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AccountSignupCompromisedCredentialsHandling" } } ], "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "compromisedCreds" }, "Capacity": 51, "ManagedByFirewallManager": false, "RetrofittedByFirewallManager": false, "LabelNamespace": "awswaf:111122223333:webacl:compromisedCreds:", "CustomResponseBodies": { "aws-waf-credential-compromised": { "ContentType": "APPLICATION_JSON", "Content": "{\n \"credentials-compromised\": \"The credentials you provided have been found in a compromised credentials database.\\n\\nTry again with a different username, password pair.\"\n}" } } }