AWS WAF Fraud Control account takeover prevention (ATP) rule group
The AWS WAF Fraud Control account takeover prevention (ATP) managed rule group is available from AWS Managed Rules.
AWS WAF Fraud Control account takeover prevention (ATP)
VendorName: AWS, Name: AWSManagedRulesATPRuleSet, WCU: 50
The ATP managed rule group contains rules to block, label, and manage requests that might be part of malicious account takeover attempts. You are charged additional fees when you use this rule group. For more information, see AWS WAF Pricing.
The ATP rule group doesn't provide versioning or SNS update notifications.
This rule group requires additional configuration compared to other managed rule groups. To configure and implement this rule group, see the guidance at AWS WAF Fraud Control account takeover prevention (ATP).
This rule group provides the best detection capabilities when you combine it with the AWS WAF client application integration SDKs. For information about the SDKs, see AWS WAF client application integration.
Web requests that are evaluated using this rule group can have labels with the following prefixes added to the request:
- awswaf:managed:aws:atp: – The ATP rule group and rules evaluation generates labels with this namespace prefix.
- awswaf:managed:token: – These labels are generated by the token validation service. This rule group uses the token validation service to validate users when you combine it with the AWS WAF client application integration SDKs.
The label for each rule is listed in the table that follows. The rule group and token service evaluation can add labels that aren't associated with individual rules. The labels in this category are listed at the end of the following table.
The rule action for most matching requests is Block. You can change web request handling for any rule by setting its action to Count in your web ACL configuration of the rule group, and then adding your own rule that matches against the label that the ATP rule adds to requests. In your new rule, you provide the additional matching and handling behavior that you want. For more information, see ATP example: Custom handling for missing and compromised credentials and Testing and tuning your AWS WAF protections.
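While a rule is set to Count, its label is still attached to the request, so the web ACL logs show what a label-matching rule would act on. The following is an added example, not part of the AWS documentation: it tallies labels in the two namespaces above per client IP. The log records are constructed, the field names (`labels[].name`, `httpRequest.clientIp`, `action`) are assumed to follow the AWS WAF log format, and the label suffixes and function names are illustrative assumptions.

```python
import json
from collections import Counter, defaultdict

# Label namespace prefixes listed on this page.
PREFIXES = ("awswaf:managed:aws:atp:", "awswaf:managed:token:")

# Constructed sample records (not real traffic), one JSON object per line.
# The label suffixes used here are assumptions chosen for illustration.
SAMPLE_LOG = """\
{"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7"},"labels":[{"name":"awswaf:managed:aws:atp:signal:missing_credential"}]}
{"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7"},"labels":[{"name":"awswaf:managed:aws:atp:signal:missing_credential"}]}
{"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.9"},"labels":[{"name":"awswaf:managed:token:rejected"}]}
{"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.9"},"labels":[{"name":"awswaf:managed:aws:atp:signal:missing_credential"}]}
{"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.4"},"labels":[{"name":"myapp:constructed:label"}]}
{"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.4"}
"""

def atp_labels(record):
    """Return the ATP and token-service labels attached to one log record."""
    names = [item.get("name", "") for item in record.get("labels") or []]
    return [n for n in names if n.startswith(PREFIXES)]

def summarize(lines):
    """Map client IP -> Counter of (label, final action); count bad lines."""
    summary, skipped = defaultdict(Counter), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt record
            continue
        ip = record.get("httpRequest", {}).get("clientIp", "unknown")
        for label in atp_labels(record):
            summary[ip][(label, record.get("action", "UNKNOWN"))] += 1
    return dict(summary), skipped

def labeled_but_allowed(summary):
    """Rank client IPs by label hits on requests whose final action was ALLOW."""
    totals = {ip: sum(n for (_, action), n in hits.items() if action == "ALLOW")
              for ip, hits in summary.items()}
    return sorted(((ip, n) for ip, n in totals.items() if n),
                  key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG.splitlines())
    print(labeled_but_allowed(summary), f"skipped={skipped}")
```

The ranked list shows which clients would be affected once a custom rule acts on the counted label, which is the figure to review before moving from Count to a blocking action.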
The following table lists the ATP rules in AWSManagedRulesATPRuleSet and the labels that the rule group adds to web requests.
Rule name | Description and label |
---|---|
VolumetricIpHigh | Inspects for high volumes of requests sent from individual IP addresses. The rule applies the following rule actions and labels to requests. Rule action: Rule action: |
AttributePasswordTraversal | Inspects for attempts that use password traversal. Rule action: Label: |
AttributeLongSession | Inspects for attempts that use long lasting sessions. Rule action: Label: |
AttributeUsernameTraversal | Inspects for attempts that use username traversal. Rule action: Label: |
AttributeCompromisedCredentials | Inspects for attempts that use stolen credentials. Rule action: Label: |
VolumetricSession | Inspects for high volumes of requests sent from individual sessions. Rule action: Label: |
MissingCredential | Inspects for missing credentials. Rule action: Label: |
No rule. For each matching request, the rule group adds the label and takes no action on the request. | Searches the stolen credential database for the credentials that were submitted in the request. Rule action: no action Label: |
TokenRejected | Used only for clients that are onboarded to the optional application integration SDKs. For information, see AWS WAF client application integration. Inspects for tokens that are rejected by the token validation service. Rule action: Label: |
No rule. For each matching request, the token service adds the label and takes no action on the request. | Used only for clients that are onboarded to the optional application integration SDKs. For information, see AWS WAF client application integration. Inspects to see whether the token in the request was accepted by the token validation service. Rule action: no action Label: |