Best practices for intelligent threat mitigation - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Best practices for intelligent threat mitigation

Follow the best practices in this section for the most efficient, cost-effective implementation of the intelligent threat mitigation features.

  • Implement the JavaScript and mobile application integration SDKs – Implement application integration to enable the full set of ATP or Bot Control functionality in the most effective way possible. The managed rule groups use the tokens provided by the SDKs to separate legitimate client traffic from unwanted traffic at the session level. The application integration SDKs ensure that these tokens are always available. For details, see Why you should use the application integration SDKs with Bot Control and Why you should use the application integration SDKs with ATP.

    To implement the SDKs, see AWS WAF client application integration.

  • Limit the requests that you send to the ATP and Bot Control rule groups – You incur additional fees for using the intelligent threat mitigation AWS Managed Rules rule groups. The Bot Control rule group inspects every request that reaches it in the web ACL evaluation. The ATP rule group only inspects login requests, but if you plan to reject login requests for reasons such as geographic origin, run those rules before the ATP rule group.

    Consider the following approaches to reduce your use of these rule groups:

    • Exclude requests from inspection with a scope-down statement in the managed rule group statement. You can do this with any nestable statement. For information, see Scope-down statements.

    • Exclude requests from inspection by adding rules before the rule group. For rules that you can't use in a scope-down statement and for more complex situations, such as labeling followed by label matching, you might need to add rules that run before the rule groups. For information, see Scope-down statements and AWS WAF rule statements.

    • Run the rule groups after less expensive rules. If you have other standard AWS WAF rules that block requests for any reason, run them before these paid rule groups. For more information about rules and rule management, see AWS WAF rule statements.

    • If you're using both the ATP and Bot Control rule groups, run the Bot Control rule group first. It's the less expensive rule group.

    For detailed pricing information, see AWS WAF Pricing.
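    The ordering and scope-down guidance above, as an added CloudFormation example that is not part of this guide or of any AWS-published template. It assumes a regional web ACL, a static-asset prefix of /static/, a JSON login endpoint at /api/login with username and password fields, and a placeholder country code; replace those with your own values. The point it demonstrates is the priority order (cheap block rule, then Bot Control, then ATP) and the scope-down statements that keep requests from reaching the paid rule groups at all.

```yaml
# Added example (not from the AWS guide): an AWS::WAFv2::WebACL whose rule
# priorities put an unpaid rule before the paid rule groups, and whose scope-down
# statements keep static assets and non-login traffic out of them.
# The resource name, paths (/static/, /api/login), field identifiers and the
# country code are assumptions for illustration.
Resources:
  IntelligentThreatWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: itm-best-practice-example
      Scope: REGIONAL            # use CLOUDFRONT for a CloudFront distribution
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: itm-best-practice-example
      Rules:
        # Priority 0: a standard (unpaid) rule that blocks by geographic origin.
        # Requests it blocks never reach the paid rule groups, so they incur no
        # Bot Control or ATP fees.
        - Name: block-by-country
          Priority: 0
          Action:
            Block: {}
          Statement:
            GeoMatchStatement:
              CountryCodes:
                - XX   # placeholder; replace with the ISO 3166-1 alpha-2 codes you block
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-by-country
        # Priority 1: Bot Control runs before ATP because it is the less expensive
        # of the two. The scope-down statement excludes static assets (assumed to
        # live under /static/), which are not worth paying to inspect.
        - Name: bot-control
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesBotControlRuleSet
              ManagedRuleGroupConfigs:
                - AWSManagedRulesBotControlRuleSet:
                    InspectionLevel: COMMON
              ScopeDownStatement:
                NotStatement:
                  Statement:
                    ByteMatchStatement:
                      FieldToMatch:
                        UriPath: {}
                      PositionalConstraint: STARTS_WITH
                      SearchString: /static/
                      TextTransformations:
                        - Priority: 0
                          Type: NONE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: bot-control
        # Priority 2: ATP last. It only acts on the login path, and the scope-down
        # statement keeps every other request from being evaluated (and billed) by it.
        - Name: account-takeover-prevention
          Priority: 2
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesATPRuleSet
              ManagedRuleGroupConfigs:
                - AWSManagedRulesATPRuleSet:
                    LoginPath: /api/login          # assumed login endpoint
                    RequestInspection:
                      PayloadType: JSON
                      UsernameField:
                        Identifier: /username      # assumed JSON pointer
                      PasswordField:
                        Identifier: /password      # assumed JSON pointer
              ScopeDownStatement:
                ByteMatchStatement:
                  FieldToMatch:
                    UriPath: {}
                  PositionalConstraint: EXACTLY
                  SearchString: /api/login
                  TextTransformations:
                    - Priority: 0
                      Type: NONE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: account-takeover-prevention
```

    Two things to check before deploying a web ACL like this: the scope-down statements are evaluated as part of the managed rule group statement, so any request they exclude is neither inspected nor charged, whereas a request that a later rule blocks has already been billed by the rule group that saw it first; and the ATP scope-down must still admit the login path you configured in LoginPath, or the rule group never sees a login request at all.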

  • For distributed denial of service (DDoS) protection, use Shield Advanced automatic application layer DDoS mitigation – The intelligent threat mitigation rule groups don't provide DDoS protection. ATP protects against account takeover attempts to your login page. Bot Control focuses on enforcing human-like access patterns using tokens and dynamic rate limiting on client sessions.

    When you use Shield Advanced with automatic application layer DDoS mitigation enabled, Shield Advanced automatically responds to detected DDoS attacks by creating, evaluating, and deploying custom AWS WAF mitigations on your behalf. For more information about Shield Advanced, see AWS Shield Advanced overview, and AWS Shield Advanced application layer (layer 7) protections.

  • Tune and configure token handling – Adjust the web ACL's token handling for the best user experience.

    • To reduce operating costs and improve your end user's experience, tune your token management immunity times to the longest that your security requirements permit. This keeps the use of CAPTCHA puzzles and silent challenges to a minimum. For information, see Timestamp expiration: token immunity times.

    • To enable token sharing between protected applications, configure a token domain list for your web ACL. For information, see Token domains and domain lists.

  • Reject requests with arbitrary host specifications – Configure your protected resources to require that the Host headers in web requests match the targeted resource. You can accept one value or a specific set of values, for example myExampleHost.com and www.myExampleHost.com, but don’t accept arbitrary values for the host.
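  The token handling settings from the previous item and the Host header allow-list from this one, as one added CloudFormation example that is not part of this guide or of any AWS-published template. The immunity times, the second token domain, and the decision to accept exactly the two host values the guide uses as examples are assumptions; adjust them to your own applications and security requirements.

```yaml
# Added example (not from the AWS guide): web ACL-level token settings plus an
# unpaid Host-header allow-list rule on an AWS::WAFv2::WebACL. Immunity times,
# the additional token domain and the accepted host values are assumptions.
Resources:
  TokenAndHostWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: token-and-host-example
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: token-and-host-example
      # Longer immunity times mean fewer CAPTCHA puzzles and silent challenges,
      # which is better for users and cheaper to run. Set them as long as your
      # security requirements permit; the values here are assumed, in seconds.
      CaptchaConfig:
        ImmunityTimeProperty:
          ImmunityTime: 3600
      ChallengeConfig:
        ImmunityTimeProperty:
          ImmunityTime: 86400
      # Token domain list: a token issued for one of these domains is accepted on
      # the others, so a user moving between protected applications is not
      # challenged again. The second domain is an assumed sibling application.
      TokenDomains:
        - myExampleHost.com
        - api.myExampleHost.com
      Rules:
        # Priority 0 so that requests carrying an arbitrary Host header are
        # rejected before any paid rule group sees them. Only the two listed
        # values are accepted; everything else is blocked. Host values are
        # lowercased before the comparison.
        - Name: reject-unexpected-host
          Priority: 0
          Action:
            Block: {}
          Statement:
            NotStatement:
              Statement:
                OrStatement:
                  Statements:
                    - ByteMatchStatement:
                        FieldToMatch:
                          SingleHeader:
                            Name: host
                        PositionalConstraint: EXACTLY
                        SearchString: myexamplehost.com
                        TextTransformations:
                          - Priority: 0
                            Type: LOWERCASE
                    - ByteMatchStatement:
                        FieldToMatch:
                          SingleHeader:
                            Name: host
                        PositionalConstraint: EXACTLY
                        SearchString: www.myexamplehost.com
                        TextTransformations:
                          - Priority: 0
                            Type: LOWERCASE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: reject-unexpected-host
```

  One caveat on the Host rule: if clients reach the resource on a non-default port, the Host header carries the port as well (for example `myexamplehost.com:8443`), so an EXACTLY match on the bare name would block them; either list the host-with-port values you expect or match the name with STARTS_WITH and a trailing colon check. Also, because the rule sits at priority 0, any request it blocks is never inspected by (or billed to) Bot Control or ATP, which is the ordering the cost guidance earlier on this page asks for.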

  • For Application Load Balancers that are origins for CloudFront distributions, configure CloudFront and AWS WAF for proper token handling – If you associate your web ACL to an Application Load Balancer and you deploy the Application Load Balancer as the origin for a CloudFront distribution, see Configuration required for Application Load Balancers that are CloudFront origins.

  • Test and tune before deploying – Before you implement any changes to your web ACL, follow the testing and tuning procedures in this guide to be sure that you're getting the behavior you expect. This is especially important for these paid features. For general guidance, see Testing and tuning your AWS WAF protections. For information specific to the paid managed rule groups, see Testing and deploying AWS WAF Bot Control and Testing and deploying ATP.