Fraud Prevention

AWS WAF Fraud Control provides two managed rule groups that protect authentication and account creation endpoints from credential-based attacks. Both rule groups have per-request charges beyond the base WAF fee and require configuration so they only trigger (and cost) for login/signup attempts they protect. Fraud Control is not available for Amazon Cognito user pools.

Both rule groups work best with the AWS WAF application integration for token-based client verification. The application integration SDK generates tokens that provide additional signals to the Fraud Control rules. Without the SDK, Fraud Control still functions but with reduced detection capability. See CAPTCHA and Challenge for details on application integration. Login and sign-up requests are POSTs, which must already carry a WAF token for session and client fingerprint based rules to provide full detection capability.

Account Takeover Prevention (ATP)

The Account Takeover Prevention (ATP) rule group (AWSManagedRulesATPRuleSet) inspects login attempts to detect and block credential-based attacks against your application's login endpoint.

What it does

Checks username and password combinations against a stolen credential database that is updated regularly as new leaked credentials are found on the dark web.
Aggregates login attempt data by IP address and client session to detect and block clients sending too many suspicious login requests.
For CloudFront distributions, inspects your application's responses to login attempts, tracking success and failure rates. This enables ATP to temporarily block client sessions or IP addresses with too many login failures.

What it protects you from

Credential stuffing — Automated replay of stolen username/password pairs from breach databases.
Password spraying — Trying a small set of common passwords across many accounts to avoid lockout thresholds.
Brute-force attacks — High-volume login attempts against a single account or small set of accounts.
Credential testing — Validating whether stolen credentials are still active before selling or using them elsewhere.
Username/email enumeration — Systematically probing login endpoints to discover valid accounts by observing differences in error responses or timing.

Configuration

ATP requires you to specify your login endpoint path and the request fields that contain the username and password. ATP only evaluates requests that match this endpoint — it does not inspect all traffic. This built-in scoping means you do not need a separate scope-down statement, though you can add one for further refinement.

Considerations

Response inspection (tracking login success/failure rates) is only available when ATP is associated with a CloudFront distribution.
ATP needs to know the exact request format for your login endpoint — the HTTP method, the path, and where the username and password appear in the request body. If your login endpoint accepts multiple formats (e.g., JSON and form-encoded), you may need to configure both.

Account Creation Fraud Prevention (ACFP)

The Account Creation Fraud Prevention (ACFP) rule group (AWSManagedRulesACFPRuleSet) inspects account creation attempts to detect and block fraudulent sign-ups.