Options for intelligent threat mitigation managed rule groups - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Options for intelligent threat mitigation managed rule groups

The intelligent threat mitigation Amazon Managed Rules rule groups provide management of basic bots, detection and mitigation of sophisticated, malicious bots, detection and mitigation of account takeover attempts, and detection and mitigation of fraudulent account creation attempts. These rule groups, combined with the application integration SDKs described in the prior section, provide the most advanced protections and secure coupling with your client applications.

Comparison of the managed rules group options
| | ACFP | ATP | Bot Control common level | Bot Control targeted level |
|---|---|---|---|---|
| What it is | Manages requests that might be part of fraudulent account creation attempts on an application's registration and sign-up pages. Does not manage bots. See Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group. | Manages requests that might be part of malicious takeover attempts on an application's login page. Does not manage bots. See Amazon WAF Fraud Control account takeover prevention (ATP) rule group. | Manages common bots that self-identify, with signatures that are unique across applications. See Amazon WAF Bot Control rule group. | Manages targeted bots that don't self-identify, with signatures that are specific to an application. See Amazon WAF Bot Control rule group. |
| Good choice for... | Inspection of account creation traffic for fraudulent account creation attacks such as creation attempts with username traversal and many new accounts created from a single IP address. | Inspection of login traffic for account takeover attacks such as login attempts with password traversal and many login attempts from the same IP address. When used with tokens, also provides aggregate protections such as rate limiting of IPs and client sessions for high volumes of failed login attempts. | Basic bot protection and labeling of common, automated bot traffic. | Targeted protection against sophisticated bots, including rate limiting at the client session level and detection and mitigation of browser automation tools such as Selenium and Puppeteer. |
| Adds labels that indicate evaluation results | Yes | Yes | Yes | Yes |
| Adds token labels | Yes | Yes | Yes | Yes |
| Blocking for requests that don't have a valid token | Not included. See Blocking requests that don't have a valid Amazon WAF token. | Not included. See Blocking requests that don't have a valid Amazon WAF token. | Not included. See Blocking requests that don't have a valid Amazon WAF token. | Blocks client sessions that send 5 requests without a token. |
| Requires the Amazon WAF token aws-waf-token | Required for all rules. See Why you should use the application integration SDKs with ACFP. | Required for many rules. See Why you should use the application integration SDKs with ATP. | No | Yes |
| Acquires the Amazon WAF token aws-waf-token | Yes, enforced by the rule AllRequests | No | No | Some rules use Challenge or CAPTCHA rule actions, which acquire tokens. |

For details about costs associated with these options, see the intelligent threat mitigation information at Amazon WAF Pricing.
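The token rows of the comparison can be turned into a configuration check. The following is an added example, not AWS code: it assumes a web ACL dictionary in the shape returned by the WAFv2 GetWebACL API, the managed rule group names and the `awswaf:managed:token:absent` / `awswaf:managed:token:rejected` labels, and it reports which options depend on the token while nothing in the web ACL blocks requests that lack one. The names `audit`, `_walk` and `SAMPLE_ACL` are this example's own.

```python
# Added example, not AWS code. Input: a web ACL dict in WAFv2 GetWebACL shape.
# Table rows encoded: does the option need aws-waf-token, and does it block without one?
NEEDS_TOKEN = {"ACFP": True, "ATP": True, "Bot Control common": False, "Bot Control targeted": True}
BUILT_IN_BLOCK = {"Bot Control targeted"}  # blocks sessions after 5 tokenless requests
GROUPS = {"AWSManagedRulesACFPRuleSet": "ACFP", "AWSManagedRulesATPRuleSet": "ATP",
          "AWSManagedRulesBotControlRuleSet": "Bot Control"}
TOKEN_LABELS = {"awswaf:managed:token:absent", "awswaf:managed:token:rejected"}

def _walk(node):  # yield every dict nested in a statement (And/Or/Not children too)
    if isinstance(node, dict):
        yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from _walk(child)

def audit(web_acl):
    """Return {option: finding} for each intelligent threat mitigation rule group."""
    found, block_priorities = {}, []
    for rule in web_acl.get("Rules", []):
        for node in _walk(rule.get("Statement", {})):
            group = node.get("ManagedRuleGroupStatement") or {}
            if group.get("VendorName") == "AWS" and group.get("Name") in GROUPS:
                option = GROUPS[group["Name"]]
                if option == "Bot Control":
                    level = "COMMON"  # assumption: common level when none is configured
                    for cfg in group.get("ManagedRuleGroupConfigs", []):
                        level = cfg.get("AWSManagedRulesBotControlRuleSet", {}).get("InspectionLevel", level)
                    option += " " + level.lower()
                found[option] = rule["Priority"]
            label = node.get("LabelMatchStatement") or {}
            if label.get("Key") in TOKEN_LABELS and "Block" in rule.get("Action", {}):
                block_priorities.append(rule["Priority"])
    report = {}
    for option, priority in found.items():
        # A label match only sees labels from rules evaluated earlier (lower Priority).
        covered = option in BUILT_IN_BLOCK or any(p > priority for p in block_priorities)
        report[option] = ("ok: no token required" if not NEEDS_TOKEN[option]
                          else "ok: tokenless requests blocked" if covered
                          else "gap: token required, tokenless requests not blocked")
    return report

# Constructed sample: ATP at priority 1, Bot Control targeted at 2, no label-match rule.
SAMPLE_ACL = {"Rules": [
    {"Priority": 1, "OverrideAction": {"None": {}}, "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesATPRuleSet"}}},
    {"Priority": 2, "OverrideAction": {"None": {}}, "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet", "ManagedRuleGroupConfigs": [
            {"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": "TARGETED"}}]}}},
]}
```

A blocking rule counts only when its priority number is higher than the rule group's, because the token labels do not exist until the group has evaluated the request.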