Options for challenges and token acquisition - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Options for challenges and token acquisition

This section compares challenge and token management options.

You can provide challenges and acquire tokens using the Amazon WAF application integration SDKs or the rule actions Challenge and CAPTCHA. Broadly speaking, the rule actions are easier to implement, but they incur added costs, intrude more on your customer experience, and require JavaScript. The SDKs require programming in your client applications, but they can provide a better customer experience, they're free to use, and they can be used with JavaScript or in Android or iOS applications. You can only use the application integration SDKs with web ACLs that use one of the paid intelligent threat mitigation managed rule groups, described in the following section.

Comparison of options for challenges and token acquisition
Challenge rule action CAPTCHA rule action JavaScript SDK challenge Mobile SDK challenge
What it is Rule action that enforces acquisition of the Amazon WAF token by presenting the browser client with a silent challenge interstitial Rule action that enforces acquisition of the Amazon WAF token by presenting the client end user with a visual or audio challenge interstitial

Application integration layer, for client browsers and other devices that execute JavaScript. Renders the silent challenge and acquires a token

Application integration layer, for Android and iOS applications. Natively renders the silent challenge and acquires a token

Good choice for... Silent validation against bot sessions and enforcement of token acquisition for clients that support JavaScript End user and silent validation against bot sessions and enforcement of token acquisition, for clients that support JavaScript Silent validation against bot sessions and enforcement of token acquisition for clients that support JavaScript.

The SDKs provide the lowest latency and best control over where the challenge script runs in the application.

Silent validation against bot sessions and enforcement of token acquisition for native mobile applications on Android and iOS.

The SDKs provide the lowest latency and best control over where the challenge script runs in the application.

Implementation considerations Implemented as a rule action setting Implemented as a rule action setting Requires one of the ACFP, ATP, or Bot Control paid rule groups in the web ACL.

Requires coding in the client application.

Requires one of the ACFP, ATP, or Bot Control paid rule groups in the web ACL.

Requires coding in the client application.

Runtime considerations Intrusive flow for requests without valid tokens. Client is redirected to an Amazon WAF challenge interstitial. Adds network round trips and requires a second evaluation of the web request. Intrusive flow for requests without valid tokens. Client is redirected to an Amazon WAF CAPTCHA interstitial. Adds network round trips and requires a second evaluation of the web request. Can be run behind the scenes. Gives you more control over the challenge experience. Can be run behind the scenes. Gives you more control over the challenge experience.
Requires JavaScript Yes Yes Yes No
Supported clients Browser and devices that execute Javascript Browser and devices that execute Javascript Browser and devices that execute Javascript Android and iOS devices
Supports single-page applications (SPA) Enforcement only.

You can use the Challenge action in conjunction with the SDKs, to ensure that requests have a valid challenge token. You can't use the rule action to deliver the challenge script to the page.

Enforcement only.

You can use the CAPTCHA action in conjunction with the SDKs, to ensure that requests have a valid CAPTCHA token. You can't use the rule action to deliver the CAPTCHA script to the page.

Yes N/A
Additional cost Yes, for action settings that you explicitly specify, either in the rules that you define or as rule action overrides in rule groups that you use. No in all other cases. Yes, for action settings that you explicitly specify, either in the rules that you define or as rule action overrides in rule groups that you use. No in all other cases. No, but requires one of the paid rule groups ACFP, ATP, or Bot Control. No, but requires one of the paid rule groups ACFP, ATP, or Bot Control .

For details about costs associated with these options, see the intelligent threat mitigation information at Amazon WAF Pricing.

It can be simpler to run challenges and provide basic token enforcement by just adding a rule with a Challenge or CAPTCHA action. You might be required to use the rule actions, for example if you don't have access to the application code.

If you can implement the SDKs however, you can save costs and reduce latency in your web ACL evaluation of client web requests, compared to using the Challenge action:

  • You can write your SDK implementation to run the challenge at any point in your application. You can acquire the token in the background, prior to any customer action that would send a web request to your protected resource. This way, the token is available to send with your client's first request.

  • If instead you acquire tokens by implementing a rule with the Challenge action, the rule and action require additional web request evaluation and processing when the client first sends a request and anytime the token expires. The Challenge action blocks the request that doesn't have a valid, unexpired token, and sends the challenge interstitial back to the client. After the client successfully responds to the challenge, the interstitial resends the original web request with the valid token, which is then evaluated a second time by the web ACL.