Best practices for intelligent threat mitigation - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Best practices for intelligent threat mitigation

Follow the best practices in this section for the most efficient, cost-effective implementation of the intelligent threat mitigation features.

  • Implement the JavaScript and mobile application integration SDKs – Implement application integration to enable the full set of ACFP, ATP, or Bot Control functionality in the most effective way possible. The managed rule groups use the tokens provided by the SDKs to separate legitimate client traffic from unwanted traffic at the session level. The application integration SDKs ensure that these tokens are always available. For details, see the following:

    Use the integrations to implement challenges in your client and, for JavaScript, to customize how CAPTCHA puzzles are presented to your end users. For details, see Amazon WAF client application integration.

    If you customize CAPTCHA puzzles using the JavaScript API and you use the CAPTCHA rule action anywhere in your web ACL, follow the guidance for handling the Amazon WAF CAPTCHA response in your client at Handling a CAPTCHA response from Amazon WAF. This guidance applies to any rules that use the CAPTCHA action, including those in the ACFP managed rule group and the targeted protection level of the Bot Control managed rule group.

  • Limit the requests that you send to the ACFP, ATP, and Bot Control rule groups – You incur additional fees for using the intelligent threat mitigation Amazon Managed Rules rule groups. The ACFP rule group inspects requests to the account registration and creation endpoints that you specify. The ATP rule group inspects requests to the login endpoint that you specify. The Bot Control rule group inspects every request that reaches it in the web ACL evaluation.

    Consider the following approaches to reduce your use of these rule groups:

    • Exclude requests from inspection with a scope-down statement in the managed rule group statement. You can do this with any nestable statement. For information, see Scope-down statements.

    • Exclude requests from inspection by adding rules before the rule group. For rules that you can't use in a scope-down statement and for more complex situations, such as labeling followed by label matching, you might want to add rules that run before the rule groups. For information, see Scope-down statements and Rule statement basics.

    • Run the rule groups after less expensive rules. If you have other standard Amazon WAF rules that block requests for any reason, run them before these paid rule groups. For more information about rules and rule management, see Rule statement basics.

    • If you're using more than one of the intelligent threat mitigation managed rule groups, run them in the following order to keep costs down: Bot Control, ATP, ACFP.

    For detailed pricing information, see Amazon WAF Pricing.

  • Enable the targeted protection level of the Bot Control rule group during normal web traffic – Some rules of the targeted protection level need time to establish baselines for normal traffic patterns before they can recognize and respond to irregular or malicious traffic patterns. For example, the TGT_ML_* rules need up to 24 hours to warm up.

    Add these protections when you are not experiencing an attack and give them time to establish their baselines before expecting them to respond appropriately to attacks. If you add these rules during an attack, after the attack subsides, the time to establish a baseline is usually from double to triple the normal required time, because of the skewing added by the attack traffic. For additional information about the rules and any warm-up times that they require, see Rules listing.

  • For distributed denial of service (DDoS) protection, use Shield Advanced automatic application layer DDoS mitigation – The intelligent threat mitigation rule groups don't provide DDoS protection. ACFP protects against fraudulent account creation attempts to your application's sign-up page. ATP protects against account takeover attempts to your login page. Bot Control focuses on enforcing human-like access patterns using tokens and dynamic rate limiting on client sessions.

    When you use Shield Advanced with automatic application layer DDoS mitigation enabled, Shield Advanced automatically responds to detected DDoS attacks by creating, evaluating, and deploying custom Amazon WAF mitigations on your behalf. For more information about Shield Advanced, see Amazon Shield Advanced overview, and Amazon Shield Advanced application layer (layer 7) protections.

  • Tune and configure token handling – Adjust the web ACL's token handling for the best user experience.

    • To reduce operating costs and improve your end user's experience, tune your token management immunity times to the longest that your security requirements permit. This keeps the use of CAPTCHA puzzles and silent challenges to a minimum. For information, see Timestamp expiration: Amazon WAF token immunity times.

    • To enable token sharing between protected applications, configure a token domain list for your web ACL. For information, see Amazon WAF token domains and domain lists.

  • Reject requests with arbitrary host specifications – Configure your protected resources to require that the Host headers in web requests match the targeted resource. You can accept one value or a specific set of values, for example and, but don’t accept arbitrary values for the host.

  • For Application Load Balancers that are origins for CloudFront distributions, configure CloudFront and Amazon WAF for proper token handling – If you associate your web ACL to an Application Load Balancer and you deploy the Application Load Balancer as the origin for a CloudFront distribution, see Required configuration for Application Load Balancers that are CloudFront origins.

  • Test and tune before deploying – Before you implement any changes to your web ACL, follow the testing and tuning procedures in this guide to be sure that you're getting the behavior you expect. This is especially important for these paid features. For general guidance, see Testing and tuning your Amazon WAF protections. For information specific to the paid managed rule groups, see Testing and deploying ACFP, Testing and deploying ATP, and Testing and deploying Amazon WAF Bot Control.