AWS WAF Fraud Control account takeover prevention (ATP) rule group - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced


The AWS WAF Fraud Control account takeover prevention (ATP) managed rule group available from AWS Managed Rules.

AWS WAF Fraud Control account takeover prevention (ATP)

VendorName: AWS, Name: AWSManagedRulesATPRuleSet, WCU: 50

The ATP managed rule group contains rules to block, label, and manage requests that might be part of malicious account takeover attempts. You are charged additional fees when you use this rule group. For more information, see AWS WAF Pricing.

The ATP rule group doesn't provide versioning or SNS update notifications.

This rule group requires additional configuration compared to other managed rule groups. To configure and implement this rule group, see the guidance at AWS WAF Fraud Control account takeover prevention (ATP).

This rule group provides the best detection capabilities when you combine it with the AWS WAF client application integration SDKs. For information about the SDKs, see AWS WAF client application integration.

Web requests that are evaluated using this rule group can have labels with the following prefixes added to the request:

  • awswaf:managed:aws:atp: – The ATP rule group and rules evaluation generates labels with this namespace prefix.

  • awswaf:managed:token: – These labels are generated by the token validation service. The rule group uses that service to validate the token a client presents when you combine the rule group with the AWS WAF client application integration SDKs.

The label for each rule is listed in the table that follows. The rule group and token service evaluation can add labels that aren't associated with individual rules. The labels in this category are listed at the end of the following table.

The rule action for most matching requests is Block. You can change web request handling for any rule by setting its action to Count in your web ACL configuration of the rule group, and then adding your own rule that matches against the label that the ATP rule adds to requests. In your new rule, you provide the additional matching and handling behavior that you want. For more information, see ATP example: Custom handling for missing and compromised credentials and Testing and tuning your AWS WAF protections.
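The following web ACL rule fragments show the configuration that paragraph describes: the ATP managed rule group with MissingCredential overridden to Count, followed by a rule of your own that matches the awswaf:managed:aws:atp:signal:missing_credential label and blocks with a custom response. This is an added example, not configuration from the page or from AWS; the field names are those of the AWS WAFv2 rule JSON, but the login path (/api/login), the JSON field identifiers (/username, /password), the scope-down statement, the metric names and the 401 response are assumed values for illustration, and the optional ResponseInspection block is left out.

```json
[
  {
    "Name": "ATP-login-protection",
    "Priority": 10,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesATPRuleSet",
        "ManagedRuleGroupConfigs": [
          {
            "AWSManagedRulesATPRuleSet": {
              "LoginPath": "/api/login",
              "RequestInspection": {
                "PayloadType": "JSON",
                "UsernameField": { "Identifier": "/username" },
                "PasswordField": { "Identifier": "/password" }
              }
            }
          }
        ],
        "RuleActionOverrides": [
          {
            "Name": "MissingCredential",
            "ActionToUse": { "Count": {} }
          }
        ],
        "ScopeDownStatement": {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/api/login",
            "TextTransformations": [
              { "Priority": 0, "Type": "NONE" }
            ]
          }
        }
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "ATP-login-protection"
    }
  },
  {
    "Name": "ATP-missing-credential-custom-block",
    "Priority": 11,
    "Statement": {
      "LabelMatchStatement": {
        "Scope": "LABEL",
        "Key": "awswaf:managed:aws:atp:signal:missing_credential"
      }
    },
    "Action": {
      "Block": {
        "CustomResponse": {
          "ResponseCode": 401,
          "ResponseHeaders": [
            { "Name": "x-login-error", "Value": "missing-credential" }
          ]
        }
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "ATP-missing-credential-custom-block"
    }
  }
]
```

Two points to check when adapting this: the label-matching rule must have a higher priority number (later evaluation) than the rule group, because the label only exists on the request after the ATP rules have run; and the scope-down statement keeps the rule group (and its per-request charge) away from traffic that is not the login endpoint. To verify the override before enforcing, watch the `Count` metric for MissingCredential and the sampled requests carrying the label, then tighten the custom rule's action once the matches look right.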

The following table lists the ATP rules in AWSManagedRulesATPRuleSet and the labels that the rule group adds to web requests.

Rule name | Description and label
VolumetricIpHigh

Inspects for high volumes of requests sent from individual IP addresses. The rule applies the following rule actions and labels to requests.

Rule action: Block for label: awswaf:managed:aws:atp:aggregate:volumetric:ip:high

Rule action: Count for labels: awswaf:managed:aws:atp:aggregate:volumetric:ip:medium and awswaf:managed:aws:atp:aggregate:volumetric:ip:low

AttributePasswordTraversal

Inspects for attempts that use password traversal (many different passwords tried against a single username).

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:password_traversal

AttributeLongSession

Inspects for attempts that use long-lasting sessions.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:long_session

AttributeUsernameTraversal

Inspects for attempts that use username traversal (a single password tried against many different usernames).

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:username_traversal

AttributeCompromisedCredentials

Inspects for attempts that use stolen credentials, that is, credentials found in the stolen credential database.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials

VolumetricSession

Inspects for high volumes of requests sent from individual sessions.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:volumetric:session

MissingCredential

Inspects for login requests in which the username or password is missing.

Rule action: Block

Label: awswaf:managed:aws:atp:signal:missing_credential

No rule. For each matching request, the rule group adds the label and takes no action on the request.

Searches the stolen credential database for the credentials that were submitted in the request.

Rule action: no action

Label: awswaf:managed:aws:atp:signal:credential_compromised

TokenRejected

Used only for clients that are onboarded to the optional application integration SDKs. For information, see AWS WAF client application integration.

Inspects for tokens that are rejected by the token validation service.

Rule action: Block

Label: awswaf:managed:token:rejected

No rule. For each matching request, the token service adds the label and takes no action on the request.

Used only for clients that are onboarded to the optional application integration SDKs. For information, see AWS WAF client application integration.

Inspects to see whether the token in the request was accepted by the token validation service.

Rule action: no action

Label: awswaf:managed:token:accepted