AWS WAF Fraud Control account takeover prevention (ATP) rule group - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

VendorName: AWS, Name: AWSManagedRulesATPRuleSet, WCU: 50

The AWS WAF Fraud Control account takeover prevention (ATP) managed rule group provides rules to block, label, and manage requests that might be part of malicious account takeover attempts.

Note

You are charged additional fees when you use this managed rule group. For more information, see AWS WAF Pricing.

Using this rule group

This rule group requires specific configuration. To configure and implement this rule group, see the guidance at AWS WAF Fraud Control account takeover prevention (ATP).

To make full use of the capabilities of this rule group, implement the AWS WAF client application integration SDKs. The SDKs enable client session tracking through the use of AWS WAF tokens. When you use the SDKs, you enable this rule group to use client tokens for client session tracking and management. A number of the rules only run if the tokens are available. For information about tokens and the SDKs, see AWS WAF client application integration and AWS WAF tokens.

You can't use this rule group with Amazon Cognito user pools. You can't associate a web ACL that uses this rule group with a user pool, and you can't add this rule group to a web ACL that's already associated with a user pool.

This rule group doesn't provide versioning or SNS update notifications.
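An added example, not code from the AWS documentation, of the two rules a practitioner typically pairs in a WAFv2 web ACL rule list: the ATP managed rule group with its required configuration (login path and credential field identifiers, which the page says it needs), and a label match rule that acts on one of the labels the rule group adds without blocking. The login path /api/login and the JSON field identifiers /username and /password are assumed values for an example application.

```python
# Added example (assumed values for LoginPath and field identifiers); the
# dicts match the WAFv2 Rule shape passed to create_web_acl / update_web_acl.

def atp_rule_group_rule(login_path, username_field, password_field,
                        payload_type="JSON", priority=0):
    """Rule running AWSManagedRulesATPRuleSet with its required config.

    payload_type "JSON": identifiers are JSON pointers such as "/username";
    "FORM_ENCODED": identifiers are form field names.
    """
    if not login_path.startswith("/"):
        raise ValueError("LoginPath must be an absolute path, e.g. /api/login")
    if payload_type not in ("JSON", "FORM_ENCODED"):
        raise ValueError("PayloadType must be JSON or FORM_ENCODED")
    return {
        "Name": "ATP-managed-rule-group",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesATPRuleSet",
            "ManagedRuleGroupConfigs": [{"AWSManagedRulesATPRuleSet": {
                "LoginPath": login_path,
                "RequestInspection": {
                    "PayloadType": payload_type,
                    "UsernameField": {"Identifier": username_field},
                    "PasswordField": {"Identifier": password_field},
                },
            }}],
        }},
        # OverrideAction None keeps the rule group's own Block actions.
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "ATPRuleGroup"},
    }


def label_followup_rule(label, action="Captcha", priority=1):
    """Acts on a label the rule group adds without blocking, e.g.
    awswaf:managed:aws:atp:signal:credential_compromised. Needs a higher
    Priority number than the ATP rule so it is evaluated after the labels exist."""
    return {
        "Name": "ATP-" + label.rsplit(":", 1)[-1],
        "Priority": priority,
        "Statement": {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
        "Action": {action: {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "ATPFollowup"},
    }
```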

Token labels

This rule group uses AWS WAF token management to inspect and label web requests according to the status of their AWS WAF tokens. AWS WAF uses tokens for client session tracking and verification.

AWS WAF applies one of the following labels when it inspects a web request's token and challenge timestamp. AWS WAF doesn't add labeling about the status of the CAPTCHA timestamp.

  • awswaf:managed:token:accepted – The request token is present and has an unexpired challenge timestamp.

  • awswaf:managed:token:rejected – The request token is present but is either corrupt or has an expired challenge timestamp.

  • awswaf:managed:token:absent – The request doesn't have a token.

For more information, see AWS WAF tokens.

ATP labels

The ATP managed rule group generates labels with the namespace prefix awswaf:managed:aws:atp: followed by the custom namespace.

The following table lists the ATP rules in AWSManagedRulesATPRuleSet and the labels that the rule group adds to web requests.

Each entry gives the rule name, followed by its description, rule action, and label.
UnsupportedCognitoIDP

Inspects for web traffic going to an Amazon Cognito user pool. ATP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ATP rule group rules are not used to evaluate user pool traffic.

Rule action: Block

Label: awswaf:managed:aws:atp:unsupported:cognito_idp

VolumetricIpHigh

Inspects for high volumes of requests sent from individual IP addresses. A high volume is more than 20 requests in a 10-minute window.

Note

The thresholds that this rule applies can vary slightly due to latency. At the high-volume threshold, a few requests beyond the limit might make it through before the rule action is applied.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:volumetric:ip:high

The rule group applies the following labels to requests with medium volumes (16-20 requests per 10-minute window) and low volumes (11-15 requests per 10-minute window), but takes no action on them: awswaf:managed:aws:atp:aggregate:volumetric:ip:medium and awswaf:managed:aws:atp:aggregate:volumetric:ip:low.

VolumetricSession

Inspects for high volumes of requests sent from individual client sessions.

This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF tokens.

Note

The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:volumetric:session

AttributeCompromisedCredentials

Inspects for multiple requests from the same client session that use stolen credentials.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials

AttributeUsernameTraversal

Inspects for multiple requests from the same client session that use username traversal.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:username_traversal

AttributePasswordTraversal

Inspects for multiple requests from the same client session that use password traversal.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:password_traversal

AttributeLongSession

Inspects for multiple requests from the same client session that use long-lasting sessions.

This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF tokens.

Rule action: Block

Label: awswaf:managed:aws:atp:aggregate:attribute:long_session

TokenRejected

Inspects for requests with tokens that are rejected by AWS WAF token management.

This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF tokens.

Rule action: Block

Label: None. To check for a rejected token, use a label match rule that matches on the label awswaf:managed:token:rejected.

SignalMissingCredential

Inspects for requests with credentials that are missing the username or password.

Rule action: Block

Label: awswaf:managed:aws:atp:signal:missing_credential

No rule (label only). For each matching request, the rule group adds the label and takes no action on the request.

Searches the stolen credential database for the credentials that were submitted in the request.

Rule action: no action

Label: awswaf:managed:aws:atp:signal:credential_compromised
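Several labels on this page are added without any blocking action: the medium and low volumetric IP labels and the credential_compromised signal label. They only become useful if something reads them, so the following added example (not from the AWS documentation) runs over a constructed sample of AWS WAF log records and surfaces client IPs whose allowed login requests repeatedly carried those signal-only labels. The log records, IPs and URI are constructed for the example; only the log fields the code reads are included.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of WAF log records, one JSON object per line as WAF
# delivers them; only the fields used below are present. Not real traffic.
SAMPLE_LOG = """
{"httpRequest": {"clientIp": "203.0.113.10", "uri": "/api/login"}, "action": "ALLOW", "labels": [{"name": "awswaf:managed:token:accepted"}, {"name": "awswaf:managed:aws:atp:signal:credential_compromised"}]}
{"httpRequest": {"clientIp": "203.0.113.10", "uri": "/api/login"}, "action": "ALLOW", "labels": [{"name": "awswaf:managed:aws:atp:aggregate:volumetric:ip:low"}, {"name": "awswaf:managed:aws:atp:signal:credential_compromised"}]}
{"httpRequest": {"clientIp": "198.51.100.7", "uri": "/api/login"}, "action": "BLOCK", "labels": [{"name": "awswaf:managed:aws:atp:aggregate:volumetric:ip:high"}]}
{"httpRequest": {"clientIp": "192.0.2.44", "uri": "/api/login"}, "action": "ALLOW", "labels": [{"name": "awswaf:managed:token:absent"}]}
"""

# Labels the ATP rule group adds without taking action (per the table above);
# they appear only in logs unless a label match rule acts on them.
SIGNAL_ONLY_LABELS = {
    "awswaf:managed:aws:atp:signal:credential_compromised",
    "awswaf:managed:aws:atp:aggregate:volumetric:ip:medium",
    "awswaf:managed:aws:atp:aggregate:volumetric:ip:low",
}

CRED_LABEL = "awswaf:managed:aws:atp:signal:credential_compromised"


def parse_log(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def label_names(record):
    return {lbl["name"] for lbl in record.get("labels", [])}


def allowed_with_signals(records):
    """Per client IP, count allowed requests carrying each signal-only label."""
    hits = defaultdict(Counter)
    for rec in records:
        if rec.get("action") != "ALLOW":
            continue  # blocked requests were already handled by the rule group
        for name in label_names(rec) & SIGNAL_ONLY_LABELS:
            hits[rec["httpRequest"]["clientIp"]][name] += 1
    return dict(hits)


def compromised_credential_sources(records, min_hits=2):
    """IPs whose allowed login requests used leaked credentials min_hits+ times."""
    return sorted(ip for ip, counts in allowed_with_signals(records).items()
                  if counts[CRED_LABEL] >= min_hits)
```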