Options for intelligent threat mitigation in Amazon WAF - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Options for intelligent threat mitigation in Amazon WAF

This section provides a detailed comparison of the options for implementing intelligent threat mitigation.

Amazon WAF offers the following types of protections for intelligent threat mitigation.

  • Amazon WAF Fraud Control account creation fraud prevention (ACFP) – Detects and manages malicious account creation attempts on your application's sign-up page. The core functionality is provided by the ACFP managed rule group. For more information, see Amazon WAF Fraud Control account creation fraud prevention (ACFP) and Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group.

  • Amazon WAF Fraud Control account takeover prevention (ATP) – Detects and manages malicious takeover attempts on your application's login page. The core functionality is provided by the ATP managed rule group. For more information, see Amazon WAF Fraud Control account takeover prevention (ATP) and Amazon WAF Fraud Control account takeover prevention (ATP) rule group.

  • Amazon WAF Bot Control – Identifies, labels, and manages both friendly and malicious bots. This feature provides management for common bots with signatures that are unique across applications, and also for targeted bots that have signatures specific to an application. The core functionality is provided by the Bot Control managed rule group. For more information, see Amazon WAF Bot Control and Amazon WAF Bot Control rule group.

  • Client application integration SDKs – Validate client sessions and end users on your web pages and acquire Amazon WAF tokens for clients to use in their web requests. If you use ACFP, ATP, or Bot Control, implement the application integration SDKs in your client application if you can, to take full advantage of all of the rule group features. We only recommend using these rule groups without an SDK integration as a temporary measure, when a critical resource needs to be quickly secured and there isn’t enough time for the SDK integration. For information about implementing the SDKs, see Client application integrations in Amazon WAF.

  • Challenge and CAPTCHA rule actions – Validate client sessions and end users and acquire Amazon WAF tokens for clients to use in their web requests. You can implement these anywhere that you specify a rule action, in your rules and as overrides in rule groups that you use. These actions use Amazon WAF JavaScript interstitials to interrogate the client or end user, and they require client applications that support JavaScript. For more information, see CAPTCHA and Challenge in Amazon WAF.

The intelligent threat mitigation Amazon Managed Rules rule groups ACFP, ATP, and Bot Control use tokens for advanced detection. For information about the features that tokens enable in the rule groups, see Using application integration SDKs with ACFP, Using application integration SDKs with ATP, and Using application integration SDKs with Bot Control.

Your options for implementing intelligent threat mitigation run from the basic use of rule actions to run challenges and enforce token acquisition, to the advanced features offered by the intelligent threat mitigation Amazon Managed Rules rule groups.

The following tables provide detailed comparisons of the options for the basic and advanced features.