Security

AWS WAF Bot Control and Fraud Prevention - Implementing Bot Mitigation and Account Takeover Protection

Detect scrapers and automation tools with Bot Control, and prevent credential stuffing with ATP. Includes user experience design for challenges and CAPTCHA.

約 3 分で読めます

Bot Control Overview

AWS WAF Bot Control is a managed rule group that detects and manages bot traffic to your web applications. The Common level detects general bots (HTTP libraries, scrapers, security scanners), while the Targeted level detects sophisticated bots (browser-impersonating bots, distributed bots). Detected requests are labeled (e.g., awswaf:managed:aws:bot-control:bot:category:scraping_framework), and you can configure custom actions based on these labels. Search engine crawlers (such as Googlebot) are automatically included in the allow list, so there is no impact on SEO.

Account Takeover Prevention and Fraud Control

Account Takeover Prevention (ATP) monitors login pages and detects credential stuffing - brute-force attacks using lists of leaked credentials. ATP cross-references requests against a database of stolen credentials and blocks or presents a CAPTCHA when a match is found. It also analyzes login success/failure patterns and automatically rate-limits IP addresses with abnormal failure rates. Account Creation Fraud Prevention (ACFP) monitors account creation pages and detects mass creation of fake accounts. It combines disposable email address detection, anomaly detection in creation patterns, and JavaScript challenges for browser verification to prevent fraudulent account creation.

Challenge and CAPTCHA Design

JavaScript challenges execute JavaScript in the client's browser to verify browser legitimacy. Automation tools (some Selenium and Puppeteer configurations) fail the challenge and their requests are blocked. CAPTCHA presents visual puzzles to users to confirm they are human. Since challenges and CAPTCHA affect user experience, carefully select which pages to apply them to. The recommended approach is to limit them to pages with high fraud risk - login pages, account creation pages, and checkout pages - and not apply them to general content pages. Configure challenge immunity time (the exemption period after a successful verification) to reduce the burden on legitimate users. For more detailed coverage of bot mitigation, related books on Amazon are also available.

WAF Bot Control Pricing

WAF base pricing is approximately $5.00 per month per Web ACL, approximately $1.00 per month per rule, and approximately $0.60 per million requests. Bot Control Common level adds approximately $1.00 per million requests, and the Targeted level adds approximately $10.00. ATP (Account Takeover Prevention) costs approximately $1.00 per 1,000 login attempts, and ACFP costs approximately $2.00 per 1,000 account creation attempts. Since the Bot Control Targeted level is expensive, apply it only to high-risk pages like login and checkout pages, and use the Common level for general content pages to manage costs.

Summary

AWS WAF Bot Control, ATP, and ACFP are managed rules that protect web applications from bots and fraud. Label-based flexible rule evaluation lets you fine-tune detection accuracy, while challenges and CAPTCHA balance user experience with security. Integrate with CloudFront or API Gateway to block threats at the edge, before they reach your application.

Related Services

AWS WAFA firewall service that protects web applications from malicious trafficAmazon CloudFrontA CDN service that delivers content at high speed from edge locations around the worldAmazon API GatewayA fully managed service for creating, publishing, managing, and monitoring APIs

Related Articles

VPC Traffic Control with AWS Network Firewall - Stateful Rules and Domain FilteringControl VPC traffic with stateful/stateless rules and domain filtering. Learn how to leverage Suricata-compatible rules and managed rule groups.Centralized Security Rules with AWS Firewall Manager - Deploying WAF and Security Groups Across Your OrganizationLearn how to centrally manage WAF rules, Security Groups, and Network Firewall policies across your entire organization, with automatic enforcement on new accounts to maintain a consistent security baseline.DDoS Protection with AWS Shield - Choosing Between Standard and AdvancedUnderstand the differences between Standard's free L3/L4 protection and Advanced's L7 support with SRT assistance. Learn about cost protection and proactive engagement.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

AWS WAFA managed web application firewall that protects applications from common web attacks such as SQL injection and cross-site scriptingAutomatic Data Extraction from Documents with Amazon Textract - OCR, Table Analysis, and Form RecognitionLearn how to extract text from documents, analyze table structures, and extract key-value pairs from forms using Textract.Building Conversational Bots - Natural Conversation Interfaces with Amazon Lex and PollyLearn how to build conversational bots using Amazon Lex and Amazon Polly.Amazon CloudWatch RUMA real user monitoring service that collects client-side performance and error data from web applications