Testing and deploying ACFP
This section provides general guidance for configuring and testing an Amazon WAF Fraud Control account creation fraud prevention (ACFP) implementation for your site. The specific steps that you choose to follow will depend on your needs, resources, and web requests that you receive.
This information is in addition to the general information about testing and tuning provided at Testing and tuning your Amazon WAF protections.
Note
Amazon Managed Rules are designed to protect you from common web threats. When used in accordance with the documentation, Amazon Managed Rules rule groups add another layer of security for your applications. However, Amazon Managed Rules rule groups aren't intended as a replacement for your security responsibilities, which are determined by the Amazon resources that you select. Refer to the Shared Responsibility Model.
Production traffic risk
Before you deploy your ACFP implementation for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune the rules in count mode with your production traffic before enabling them.
Amazon WAF provides test credentials that you can use to verify your ACFP configuration. In the following procedure, you'll configure a test web ACL to use the ACFP managed rule group, configure a rule to capture the label added by the rule group, and then run an account creation attempt using these test credentials. You'll verify that your web ACL has properly managed the attempt by checking the Amazon CloudWatch metrics for the account creation attempt.
This guidance is intended for users who know generally how to create and manage Amazon WAF web ACLs, rules, and rule groups. Those topics are covered in prior sections of this guide.
To configure and test an Amazon WAF Fraud Control account creation fraud prevention (ACFP) implementation
Perform these steps first in a test environment, then in production.
- Add the Amazon WAF Fraud Control account creation fraud prevention (ACFP) managed rule group in count mode
  Note
  You are charged additional fees when you use this managed rule group. For more information, see Amazon WAF Pricing.
  Add the Amazon Managed Rules rule group AWSManagedRulesACFPRuleSet to a new or existing web ACL and configure it so that it doesn't alter the current web ACL behavior. For details about the rules and labels for this rule group, see Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group.
  When you add the managed rule group, edit it and do the following:
  - In the Rule group configuration pane, provide the details of your application's account registration and creation pages. The ACFP rule group uses this information to monitor sign-in activities. For more information, see Adding the ACFP managed rule group to your web ACL.
  - In the Rules pane, open the Override all rule actions dropdown and choose Count. With this configuration, Amazon WAF evaluates requests against all of the rules in the rule group and only counts the matches that result, while still adding labels to requests. For more information, see Overriding rule actions in a rule group.
    With this override, you can monitor the potential impact of the ACFP managed rules to determine whether you want to add exceptions, such as exceptions for internal use cases.
  - Position the rule group so that it's evaluated after your existing rules in the web ACL, with a priority setting that's numerically higher than any rules or rule groups that you're already using. For more information, see Setting rule priority in a web ACL.
    This way, your current handling of traffic isn't disrupted. For example, if you have rules that detect malicious traffic such as SQL injection or cross-site scripting, they'll continue to detect and log that. Alternately, if you have rules that allow known non-malicious traffic, they can continue to allow that traffic, without having it blocked by the ACFP managed rule group. You might decide to adjust the processing order during your testing and tuning activities.
- Implement the application integration SDKs
  Integrate the Amazon WAF JavaScript SDK into your browser's account registration and account creation paths. Amazon WAF also provides mobile SDKs to integrate iOS and Android devices. For more information about the integration SDKs, see Client application integrations in Amazon WAF. For information about this recommendation, see Using application integration SDKs with ACFP.
  Note
  If you are unable to use the application integration SDKs, it's possible to test the ACFP rule group by editing it in your web ACL and removing the override that you placed on the AllRequests rule. This enables the rule's Challenge action setting, to ensure that requests include a valid challenge token. Do this first in a test environment and then with great care in your production environment. This approach has the potential to block users. For example, if your registration page path doesn't accept GET text/html requests, then this rule configuration can effectively block all requests at the registration page.
- Enable logging and metrics for the web ACL
  As needed, configure logging, Amazon Security Lake data collection, request sampling, and Amazon CloudWatch metrics for the web ACL. You can use these visibility tools to monitor the interaction of the ACFP managed rule group with your traffic.
  - For information about logging, see Logging Amazon WAF web ACL traffic.
  - For information about Amazon Security Lake, see What is Amazon Security Lake? and Collecting data from Amazon services in the Amazon Security Lake user guide.
  - For information about Amazon CloudWatch metrics, see Monitoring with Amazon CloudWatch.
  - For information about web request sampling, see Viewing a sample of web requests.
- Associate the web ACL with a resource
  If the web ACL isn't already associated with a test resource, associate it. For information, see Associating or disassociating a web ACL with an Amazon resource.
- Monitor traffic and ACFP rule matches
  Make sure that your normal traffic is flowing and that the ACFP managed rule group rules are adding labels to matching web requests. You can see the labels in the logs and see the ACFP and label metrics in the Amazon CloudWatch metrics. In the logs, the rules that you've overridden to count in the rule group show up in the ruleGroupList with action set to count, and with overriddenAction indicating the configured rule action that you overrode.
- Test the rule group's credential checking capabilities
  Perform an account creation attempt with test compromised credentials and check that the rule group matches against them as expected.
  - Access your protected resource's account registration page and try to add a new account. Use the following Amazon WAF test credential pair and enter any test
    - User: WAF_TEST_CREDENTIAL@wafexample.com
    - Password: WAF_TEST_CREDENTIAL_PASSWORD
    These test credentials are categorized as compromised credentials, and the ACFP managed rule group will add the awswaf:managed:aws:acfp:signal:credential_compromised label to the account creation request, which you can see in the logs.
  - In your web ACL logs, look for the awswaf:managed:aws:acfp:signal:credential_compromised label in the labels field on the log entries for your test account creation request. For information about logging, see Logging Amazon WAF web ACL traffic.
    After you've verified that the rule group captures compromised credentials as expected, you can take steps to configure its implementation as you need for your protected resource.
- For CloudFront distributions, test the rule group's management of bulk account creation attempts
  Run this test for each success response criteria that you configured for the ACFP rule group. Wait at least 30 minutes between tests.
  - For each of your success criteria, identify an account creation attempt that will succeed with that success criteria in the response. Then, from a single client session, perform at least 5 successful account creation attempts in under 30 minutes. A user would normally only create a single account on your site.
    After the first successful account creation, the VolumetricSessionSuccessfulResponse rule should start matching against the rest of your account creation responses, labeling them and counting them, based on your rule action override. The rule might miss the first one or two due to latency.
  - In your web ACL logs, look for the awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:high label in the labels field on the log entries for your test account creation web requests. For information about logging, see Logging Amazon WAF web ACL traffic.
    These tests verify that your success criteria match your responses by checking that the successful counts aggregated by the rule surpass the rule's threshold. After you've reached the threshold, if you continue to send account creation requests from the same session, the rule will continue to match until the success rate drops below the threshold. While the threshold is exceeded, the rule matches both successful and failed account creation attempts from the session address.
- Customize ACFP web request handling
  As needed, add your own rules that explicitly allow or block requests, to change how ACFP rules would otherwise handle them.
  For example, you can use ACFP labels to allow or block requests or to customize request handling. You can add a label match rule after the ACFP managed rule group to filter labeled requests for the handling that you want to apply. After testing, keep the related ACFP rules in count mode, and maintain the request handling decisions in your custom rule. For an example, see ACFP example: Custom response for compromised credentials.
- Remove your test rules and enable the ACFP managed rule group settings
  Depending on your situation, you might have decided that you want to leave some ACFP rules in count mode. For the rules that you want to run as configured inside the rule group, disable count mode in the web ACL rule group configuration. When you're finished testing, you can also remove your test label match rules.
- Monitor and tune
  To be sure that web requests are being handled as you want, closely monitor your traffic after you enable the ACFP functionality that you intend to use. Adjust the behavior as needed with the rules count override on the rule group and with your own rules.
After you finish testing your ACFP rule group implementation, if you haven't already integrated the Amazon WAF JavaScript SDK into your browser's account registration and account creation pages, we strongly recommend that you do so. Amazon WAF also provides mobile SDKs to integrate iOS and Android devices. For more information about the integration SDKs, see Client application integrations in Amazon WAF. For information about this recommendation, see Using application integration SDKs with ACFP.
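The monitoring and test steps above all come down to reading the web ACL logs for count-overridden ACFP rules and for the two labels named on this page. The following is an added example, not code from the Amazon WAF documentation, that scans log lines for exactly those signals; the log records are constructed, the field layout follows the WAF log format as we understand it, and the rule name SignalCredentialCompromised is an assumption.

```python
import json
from collections import Counter

# ACFP label names quoted on this page.
COMPROMISED = "awswaf:managed:aws:acfp:signal:credential_compromised"
VOLUMETRIC_HIGH = ("awswaf:managed:aws:acfp:aggregate:volumetric:session:"
                   "successful_creation_response:high")

# Constructed web ACL log records (not real traffic). The field layout (ruleGroupList,
# nonTerminatingMatchingRules, labels[].name) follows the WAF log format as we
# understand it; the rule name SignalCredentialCompromised is assumed.
def _rec(ip, rule, overridden, names):
    return json.dumps({
        "timestamp": 1700000000000, "action": "ALLOW",
        "httpRequest": {"clientIp": ip, "uri": "/signup", "httpMethod": "POST"},
        "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesACFPRuleSet",
                           "nonTerminatingMatchingRules": [
                               {"ruleId": rule, "action": "COUNT",
                                "overriddenAction": overridden}] if rule else []}],
        "labels": [{"name": n} for n in names]})

SAMPLE_LOG = "\n".join([
    _rec("203.0.113.10", "SignalCredentialCompromised", "BLOCK", [COMPROMISED]),
    _rec("203.0.113.20", None, None, []),  # ordinary signup, no ACFP match
    _rec("203.0.113.30", "VolumetricSessionSuccessfulResponse", "BLOCK", [VOLUMETRIC_HIGH]),
    _rec("203.0.113.30", "VolumetricSessionSuccessfulResponse", "BLOCK", [VOLUMETRIC_HIGH]),
])

def summarize_acfp_logs(log_text):
    """Report which ACFP rules fired in COUNT (with the action the override replaced),
    how often each label appeared, and which client IPs sent the test credentials."""
    labels = Counter()
    overridden = {}            # ruleId -> action that the count override replaced
    compromised_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        names = {lab["name"] for lab in rec.get("labels", [])}
        labels.update(names)
        for group in rec.get("ruleGroupList", []):
            for rule in group.get("nonTerminatingMatchingRules", []):
                if rule.get("action") == "COUNT" and rule.get("overriddenAction"):
                    overridden[rule["ruleId"]] = rule["overriddenAction"]
        if COMPROMISED in names:
            compromised_ips.add(rec["httpRequest"]["clientIp"])
    return {"labels": dict(labels), "count_overridden": overridden,
            "compromised_credential_ips": sorted(compromised_ips),
            "volumetric_high_requests": labels[VOLUMETRIC_HIGH]}
```

Point summarize_acfp_logs at a file of real log lines to confirm that the rule group is labeling requests before you remove any count override.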