AWS WAF Fraud Control account takeover prevention (ATP) rule group

VendorName: AWS, Name: AWSManagedRulesATPRuleSet, WCU: 50

The AWS WAF Fraud Control account takeover prevention (ATP) managed rule group provides rules to block, label, and manage requests that might be part of malicious account takeover attempts.

Note

You are charged additional fees when you use this managed rule group. For more information, see AWS WAF Pricing.

Using this rule group

This rule group requires specific configuration. To configure and implement this rule group, see the guidance at AWS WAF Fraud Control account takeover prevention (ATP).

To make full use of the capabilities of this rule group, implement the AWS WAF client application integration SDKs. The SDKs enable client session tracking through the use of AWS WAF tokens. When you use the SDKs, you enable this rule group to use client tokens for client session tracking and management. A number of the rules only run if the tokens are available. For information about tokens and the SDKs, see AWS WAF client application integration and AWS WAF tokens.

You can't use this rule group with Amazon Cognito user pools. You can't associate a web ACL that uses this rule group with a user pool, and you can't add this rule group to a web ACL that's already associated with a user pool.

This rule group doesn't provide versioning or SNS update notifications.

Token labels

This rule group uses AWS WAF token management to inspect and label web requests according to the status of their AWS WAF tokens. AWS WAF uses tokens for client session tracking and verification.

AWS WAF applies one of the following labels when it inspects a web request's token and challenge timestamp. AWS WAF doesn't add labeling about the status of the CAPTCHA timestamp.

• awswaf:managed:token:accepted– The request token is present and has an unexpired challenge timestamp.

• awswaf:managed:token:rejected– The request token is present but is either corrupt or has an expired challenge timestamp.

• awswaf:managed:token:absent – The request doesn't have a token.

For more information, see AWS WAF tokens.

ATP labels

The ATP managed rule group generates labels with the namespace prefix awswaf:managed:aws:atp: followed by the custom namespace.

The following table lists the ATP rules in AWSManagedRulesATPRuleSet and the labels that the rule group adds to web requests.

Rule name	Description and label
UnsupportedCognitoIDP	Inspects for web traffic going to an Amazon Cognito user pool. ATP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ATP rule group rules are not used to evaluate user pool traffic. Rule action: Block Label: awswaf:managed:aws:atp:unsupported:cognito_idp
VolumetricIpHigh	Inspects for high volumes of requests sent from individual IP addresses. A high volume is more than 20 requests in a 10 minute window. Note The thresholds that this rule applies can vary slightly due to latency. For the high volume, a few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Label: awswaf:managed:aws:atp:aggregate:volumetric:ip:high The rule group applies the following labels to requests with medium volumes (16-20 requests per 10 minute window) and low volumes (11-15 requests per 10 minute window), but takes no action on them: awswaf:managed:aws:atp:aggregate:volumetric:ip:medium and awswaf:managed:aws:atp:aggregate:volumetric:ip:low.
VolumetricSession	Inspects for high volumes of requests sent from individual client sessions. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF tokens. Note The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Label: awswaf:managed:aws:atp:aggregate:volumetric:session
AttributeCompromisedCredentials	Inspects for multiple requests from the same client session that use stolen credentials. Rule action: Block Label: awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials
AttributeUsernameTraversal	Inspects for multiple requests from the same client session that use username traversal. Rule action: Block Label: awswaf:managed:aws:atp:aggregate:attribute:username_traversal
AttributePasswordTraversal	Inspects for multiple requests from the same client session that use password traversal. Rule action: Block Label: awswaf:managed:aws:atp:aggregate:attribute:password_traversal
AttributeLongSession	Inspects for multiple requests from the same client session that use long lasting sessions. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF tokens. Rule action: Block Label: awswaf:managed:aws:atp:aggregate:attribute:long_session
TokenRejected	Inspects for requests with tokens that are rejected by AWS WAF token management. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF tokens. Rule action: Block Label: None. To check for token rejected, use a label match rule to match on the label: awswaf:managed:token:rejected
SignalMissingCredential	Inspects for requests with credentials that are missing the username or password. Rule action: Block Label: awswaf:managed:aws:atp:signal:missing_credential
No rule. For each matching request, the rule group adds the label and takes no action on the request.	Searches the stolen credential database for the credentials that were submitted in the request. Rule action: no action Label: awswaf:managed:aws:atp:signal:credential_compromised