Amazon WAF ATP components - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Amazon WAF ATP components

The primary components of Amazon WAF Fraud Control account takeover prevention (ATP) are the following:

  • AWSManagedRulesATPRuleSet – The rules in this Amazon Managed Rules rule group detect, label, and handle various types of account takeover activity. The rule group inspects HTTP POST web requests that clients send to the specified login endpoint. For protected CloudFront distributions, the rule group also inspects the responses that the distribution sends back to these requests. For a list of the rule group's rules, see Amazon WAF Fraud Control account takeover prevention (ATP) rule group. You include this rule group in your web ACL using a managed rule group reference statement. For information about using this rule group, see Adding the ATP managed rule group to your web ACL.


    You are charged additional fees when you use this managed rule group. For more information, see Amazon WAF Pricing.

  • Details about your application's login page – You must provide information about your login page when you add the AWSManagedRulesATPRuleSet rule group to your web ACL. This lets the rule group narrow the scope of the requests it inspects and properly validate credential usage in web requests. The ATP rule group works with usernames that are in email format. For more information, see Adding the ATP managed rule group to your web ACL.

  • For protected CloudFront distributions, details about how your application responds to login attempts – You provide details about your application's responses to login attempts, and the rule group tracks and manages clients that are sending too many failed login attempts. For information about configuring this option, see Adding the ATP managed rule group to your web ACL.

  • JavaScript and mobile application integration SDKs – Implement the Amazon WAF JavaScript and mobile SDKs with your ATP implementation to enable the full set of capabilities that the rule group offers. Many of the ATP rules use the information provided by the SDKs for session-level client verification and behavior aggregation, which are required to separate legitimate client traffic from bot traffic. For more information about the SDKs, see Amazon WAF client application integration.

You can combine your ATP implementation with the following to help you monitor, tune, and customize your protections:

  • Logging and metrics – You can monitor your traffic, and understand how the ATP managed rule group affects it, by configuring and enabling logs, Amazon Security Lake data collection, and Amazon CloudWatch metrics for your web ACL. The labels that AWSManagedRulesATPRuleSet adds to your web requests are included in the data. For information about the options, see Logging Amazon WAF web ACL traffic, Monitoring with Amazon CloudWatch, and What is Amazon Security Lake?

    Depending on your needs and the traffic that you see, you might want to customize your AWSManagedRulesATPRuleSet implementation. For example, you might want to exclude some traffic from ATP evaluation, or you might want to alter how it handles some of the account takeover attempts that it identifies, using Amazon WAF features like scope-down statements or label matching rules.

  • Labels and label matching rules – For any of the rules in AWSManagedRulesATPRuleSet, you can switch the blocking behavior to count, and then match against the labels that are added by the rules. Use this approach to customize how you handle web requests that are identified by the ATP managed rule group. For more information about labeling and using label match statements, see Label match rule statement and Amazon WAF labels on web requests.

  • Custom requests and responses – You can add custom headers to the requests that you allow and you can send custom responses for requests that you block. To do this, you pair your label matching with the Amazon WAF custom request and response features. For more information about customizing requests and responses, see Customized web requests and responses in Amazon WAF.
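The following added example (not part of the AWS documentation) shows how the labels recorded in web ACL logs can be reviewed while ATP rules run in count mode, before you write a label match rule. The log records are constructed, and the label names and log field names (`httpRequest.clientIp`, `labels[].name`) are assumptions not stated on this page; confirm them against the rule group's documented label list and your own logs.

```python
import json
from collections import Counter, defaultdict

ATP_NAMESPACE = "awswaf:managed:aws:atp:"  # assumed label prefix for AWSManagedRulesATPRuleSet

# Constructed sample records, one JSON object per line, shaped like web ACL log entries.
SAMPLE_LOG = """\
{"timestamp":1700000000000,"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"},"labels":[{"name":"awswaf:managed:aws:atp:signal:credential_compromised"}]}
{"timestamp":1700000001000,"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"},"labels":[{"name":"awswaf:managed:aws:atp:signal:credential_compromised"},{"name":"awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials"}]}
{"timestamp":1700000002000,"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.20","uri":"/login","httpMethod":"POST"},"labels":[{"name":"awswaf:managed:aws:atp:aggregate:volumetric:ip:high"},{"name":"myapp:constructed:label"}]}
{"timestamp":1700000003000,"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.55","uri":"/login","httpMethod":"POST"}}

{"timestamp":1700000005000,"action":"ALLOW","httpRequ
"""

def atp_labels_by_client(log_lines):
    """Return {client_ip: Counter({atp_label_suffix: hits})} for requests that carry ATP labels."""
    per_client = defaultdict(Counter)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the review
        if not isinstance(record, dict):
            continue
        client_ip = record.get("httpRequest", {}).get("clientIp", "unknown")
        for label in record.get("labels", []):  # key is absent when no rule added a label
            name = label.get("name", "")
            if name.startswith(ATP_NAMESPACE):
                per_client[client_ip][name[len(ATP_NAMESPACE):]] += 1
    return dict(per_client)

def clients_matching(per_client, label_suffix, min_hits=1):
    """Clients whose requests carried the given ATP label at least min_hits times."""
    return sorted(ip for ip, counts in per_client.items() if counts[label_suffix] >= min_hits)

if __name__ == "__main__":
    summary = atp_labels_by_client(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(summary.items()):
        print(ip, dict(counts))
```

Running this over a day of count-mode logs shows which clients a label match rule would act on, which helps you decide whether a scope-down statement is needed first.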