
Adding the Amazon WAF Bot Control managed rule group to your web ACL

The Bot Control managed rule group AWSManagedRulesBotControlRuleSet requires additional configuration to identify the protection level that you want to implement.

For the rule group description and rules listing, see Amazon WAF Bot Control rule group.

This guidance is intended for users who know generally how to create and manage Amazon WAF web ACLs, rules, and rule groups. Those topics are covered in prior sections of this guide. For basic information about how to add a managed rule group to your web ACL, see Adding a managed rule group to a web ACL through the console.

Follow best practices

Use the Bot Control rule group in accordance with the best practices at Best practices for intelligent threat mitigation.

To use the AWSManagedRulesBotControlRuleSet rule group in your web ACL
  1. Add the Amazon managed rule group AWSManagedRulesBotControlRuleSet to your web ACL. For the full rule group description, see Amazon WAF Bot Control rule group.

    Note

    You are charged additional fees when you use this managed rule group. For more information, see Amazon WAF Pricing.

    When you add the rule group, edit it to open the configuration page for the rule group.

  2. On the rule group's configuration page, in the Inspection level pane, select the inspection level that you want to use.

    • Common – Detects a variety of self-identifying bots, such as web scraping frameworks, search engines, and automated browsers. Bot Control protections at this level identify common bots using traditional bot detection techniques, such as static request data analysis. The rules label traffic from these bots and block the ones that they cannot verify.

    • Targeted – Includes the common-level protections and adds targeted detection for sophisticated bots that do not self-identify. Targeted protections mitigate bot activity using a combination of rate limiting, CAPTCHA, and background browser challenges.

      • TGT_ – Rules that provide targeted protection have names that begin with TGT_. All targeted protections use detection techniques such as browser interrogation, fingerprinting, and behavior heuristics to identify bad bot traffic.

      • TGT_ML_ – Targeted protection rules that use machine learning have names that begin with TGT_ML_. These rules use automated, machine-learning analysis of website traffic statistics to detect anomalous behavior indicative of distributed, coordinated bot activity. Amazon WAF analyzes statistics about your website traffic such as timestamps, browser characteristics, and previous URL visited, to improve the Bot Control machine learning model. Machine learning capabilities are enabled by default, but you can disable them in your rule group configuration. When machine learning is disabled, Amazon WAF does not evaluate these rules.

  3. If you're using the targeted protection level and you don't want Amazon WAF to use machine learning (ML) to analyze web traffic for distributed, coordinated bot activity, disable the machine learning option. Machine learning is required for the Bot Control rules whose names start with TGT_ML_. For details about these rules, see Bot Control rules listing.

  4. Add a scope-down statement for the rule group, to contain the costs of using it. A scope-down statement narrows the set of requests that the rule group inspects. For example use cases, start with Bot Control example: Use Bot Control only for the login page and Bot Control example: Use Bot Control only for dynamic content.

  5. Provide any additional configuration that you need for the rule group.

  6. Save your changes to the web ACL.

Before you deploy your Bot Control implementation for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune the rules in count mode with your production traffic before enabling them. See the sections that follow for guidance.
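
The choices from the procedure above (inspection level, the machine learning option, a scope-down statement) and the count-mode rollout, expressed as a rule in the WAFV2 API's `Rule` shape together with a check of that rule. This is an added example, not code from the Amazon documentation; the rule name, metric name, priority and the `/login` path are assumptions, and the returned dict is meant to go in a web ACL's `Rules` list.

```python
RULE_GROUP = "AWSManagedRulesBotControlRuleSet"


def bot_control_rule(level="COMMON", enable_ml=True, login_path=None,
                     count_only=True, priority=0):
    """Return a Rule dict in the WAFV2 API shape for the Bot Control rule group."""
    if level not in ("COMMON", "TARGETED"):
        raise ValueError("level must be COMMON or TARGETED")
    config = {"InspectionLevel": level}
    if level == "TARGETED":
        # Machine learning backs the TGT_ML_ rules; it applies only at this level.
        config["EnableMachineLearning"] = enable_ml
    statement = {
        "VendorName": "AWS",
        "Name": RULE_GROUP,
        "ManagedRuleGroupConfigs": [{RULE_GROUP: config}],
    }
    if login_path:
        # Scope-down statement: inspect only requests under this URI path.
        statement["ScopeDownStatement"] = {"ByteMatchStatement": {
            "SearchString": login_path,
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "STARTS_WITH",
        }}
    return {
        "Name": "bot-control",  # hypothetical rule name
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        # Count overrides the group's actions while testing; None applies them.
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "bot-control"},  # hypothetical metric
    }


def review(rule):
    """List where a rule departs from the procedure's cost and rollout guidance."""
    stmt = rule["Statement"]["ManagedRuleGroupStatement"]
    cfg = stmt["ManagedRuleGroupConfigs"][0][RULE_GROUP]
    notes = []
    if "ScopeDownStatement" not in stmt:
        notes.append("no scope-down statement: every request is inspected")
    if cfg["InspectionLevel"] == "TARGETED" and not cfg.get("EnableMachineLearning", True):
        notes.append("machine learning disabled: TGT_ML_ rules are not evaluated")
    if "Count" not in rule["OverrideAction"]:
        notes.append("rule actions are enforced, not counted")
    return notes
```

Calling `review(bot_control_rule("TARGETED", enable_ml=False, login_path="/login"))` reports only the disabled machine learning option, since that rule is scoped down and still in count mode.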