Amazon WAF token labeling by the bot and fraud managed rule groups - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon WAF token labeling by the bot and fraud managed rule groups

This section describes the labels that Amazon WAF token management adds to web requests. For general information about labels, see Amazon WAF labels on web requests.

When you use any of the Amazon WAF bot or fraud control managed rule groups, the rule groups use Amazon WAF token management to inspect the web request tokens and apply token labeling to the requests. For information about the managed rule groups, see Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group, Amazon WAF Fraud Control account takeover prevention (ATP) rule group, and Amazon WAF Bot Control rule group .


Amazon WAF applies token labels only when you use one of these intelligent threat mitigation managed rule groups.

Token management can add the following labels to web requests.

Client session label

The label awswaf:managed:token:id:identifier contains a unique identifier that Amazon WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.


Amazon WAF doesn't report Amazon CloudWatch metrics for this label.

Token status labels: Label namespace prefixes

Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.

Each token status label begins with one of the following namespace prefixes:

  • awswaf:managed:token: – Used to report the general status of the token and to report on the status of the token's challenge information.

  • awswaf:managed:captcha: – Used to report on the status of the token's CAPTCHA information.

Token status labels: Label names

Following the prefix, the rest of the label provides detailed token status information:

  • accepted – The request token is present and contains the following:

    • A valid challenge or CAPTCHA solution.

    • An unexpired challenge or CAPTCHA timestamp.

    • A domain specification that's valid for the web ACL.

    Example: The label awswaf:managed:token:accepted indicates that the web requests's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.

  • rejected – The request token is present but doesn't meet the acceptance criteria.

    Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.

    • rejected:not_solved – The token is missing the challenge or CAPTCHA solution.

    • rejected:expired – The token's challenge or CAPTCHA timestamp has expired, according to your web ACL's configured token immunity times.

    • rejected:domain_mismatch – The token's domain isn't a match for your web ACL's token domain configuration.

    • rejected:invalid – Amazon WAF couldn't read the indicated token.

    Example: The labels awswaf:managed:captcha:rejected and awswaf:managed:captcha:rejected:expired indicate that the request was rejected because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the web ACL.

  • absent – The request doesn't have the token or the token manager couldn't read it.

    Example: The label awswaf:managed:captcha:absent indicates that the request doesn't have the token.