Options for intelligent threat mitigation managed rule groups
This section compares managed rule group options.
The intelligent threat mitigation Amazon Managed Rules rule groups provide management of basic bots, detection and mitigation of sophisticated, malicious bots, detection and mitigation of account takeover attempts, and detection and mitigation of fraudulent account creation attempts. These rule groups, combined with the application integration SDKs described in the prior section, provide the most advanced protections and secure coupling with your client applications.
| | ACFP | ATP | Bot Control common level | Bot Control targeted level |
|---|---|---|---|---|
| What it is | Manages requests that might be part of fraudulent account creation attempts on an application's registration and sign-up pages. Does not manage bots. See Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group. | Manages requests that might be part of malicious takeover attempts on an application's login page. Does not manage bots. See Amazon WAF Fraud Control account takeover prevention (ATP) rule group. | Manages common bots that self-identify, with signatures that are unique across applications. | Manages targeted bots that don't self-identify, with signatures that are specific to an application. |
| Good choice for... | Inspection of account creation traffic for fraudulent account creation attacks such as creation attempts with username traversal and many new accounts created from a single IP address. | Inspection of login traffic for account takeover attacks such as login attempts with password traversal and many login attempts from the same IP address. When used with tokens, also provides aggregate protections such as rate limiting of IPs and client sessions for high volumes of failed login attempts. | Basic bot protection and labeling of common, automated bot traffic. | Targeted protection against sophisticated bots, including rate limiting at the client session level and detection and mitigation of browser automation tools such as Selenium and Puppeteer. |
| Adds labels that indicate evaluation results | Yes | Yes | Yes | Yes |
| Adds token labels | Yes | Yes | Yes | Yes |
| Blocking for requests that don't have a valid token | Not included. See Blocking requests that don't have a valid Amazon WAF token. | Not included. See Blocking requests that don't have a valid Amazon WAF token. | Not included. See Blocking requests that don't have a valid Amazon WAF token. | Blocks client sessions that send 5 requests without a token. |
| Requires the Amazon WAF token aws-waf-token | Required for all rules. | Required for many rules. | No | Yes |
| Acquires the Amazon WAF token aws-waf-token | Yes, enforced by the rule AllRequests | No | No | Some rules use Challenge or CAPTCHA rule actions, which acquire tokens. |
For details about costs associated with these options, see the intelligent threat mitigation information at Amazon WAF Pricing.