Waf Charm

Blog

AWS WAF

Account Creation Fraud Prevention (ACFP) rule group has been added to AWS WAF Managed Rules

Table of Contents

  1. 1. Introduction
  2. 2. What is Account Creation Fraud Prevention (ACFP)?
  3. 3. How to add ACFP rules
  4. 4. Overview of the rules in ACFP
  5. 5. Usage with WafCharm
  6. 6. Conclusion

1. Introduction

AWS WAF announced the release of rules to prevent the creation of fake or fraudulent accounts in AWS WAF Managed Rules on June 13th, 2023.
The name of the rule group "Account Creation Fraud Prevention" can be shortened to ACFP.

AWS WAF Fraud Control launches account creation fraud prevention and reduced pricing

We will take a look at the new rule group in this post.

2. What is Account Creation Fraud Prevention (ACFP)?

ACFP includes rules to protect against attackers attempting to create fake accounts or fraudulent accounts. The rules can block suspicious requests that include abnormal activity when attempting to create an account.

In addition, they can also inspect responses to block client sessions or IP addresses with a high volume of unsuccessful account creation requests when protecting CloudFront distributions.

Please keep in mind that AWS WAF will charge an added fee when using this rule. Refer to the AWS WAF Pricing for more details.

3. How to add ACFP rules

You can add the ACFP rule group with the procedure below.

1. Click the [Add rules] button placed on the right side of the web ACL page and click [Add managed rule groups].

2. Open [AWS managed rule groups]

3. Click the [Add to web ACL] toggle button on the right side of [Account creation fraud prevention].

4. Click the [Edit] button.

5. Input necessary information under [Scope of inspection] and [Rule group configuration] and click the [Save] button.

Since ACFP inspects account creation, you must specify details such as paths to the registration form page and account creation page. For web ACLs associated with CloudFront, there is a section for response inspection as well.

In addition, you will have to add SDK into your application after applying the rule group to your web ACL in order to fully use the ACFP rules because ACFP has rules that use tokens.

Please refer to the AWS Security Blog for more details on how to configure the rule group and add SDK.
Prevent account creation fraud with AWS WAF Fraud Control – Account Creation Fraud Prevention

4. Overview of the rules in ACFP

There are multiple rules in ACFP, such as a rule to inspect all requests and apply challenge action, a rule to inspect highly suspicious IP addresses, and a rule to inspect credentials using a stolen credential database. These rules utilize tokens added by SDK and labels, and some rules require SDK implementation for the rules to be functional.

Below is the list of rules and a brief description.

Rule name Description
UnsupportedCognitoIDP Inspects for web traffic going to an Amazon Cognito user pool. ACFP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ACFP rule group rules are not used to evaluate user pool traffic.
AllRequests Applies the Challenge action to requests that access the registration page path.
RiskScoreHigh Inspects for requests whose IP addresses are considered to be highly suspicious.
SignalCredentialCompromised Searches the stolen credential database for the credentials that were submitted in the request.
SignalClientInteractivityAbsentLow Inspects the request's token for data that indicates abnormal human interactivity with the application. This rule requires SDK implementation.
SignalAutomatedBrowser Inspects the request's token for indicators that the client browser might be automated.
SignalBrowserInconsistency Inspects the request's token for inconsistent browser interrogation data.
VolumetricIpHigh Inspects for high volumes of requests sent from individual IP addresses.
VolumetricSessionHigh Inspects for high volumes of requests sent from individual client sessions.
AttributeUsernameTraversalHigh Inspects for a high rate of requests from a single client session that use different usernames.
VolumetricPhoneNumberHigh Inspects for high volumes of account creation requests that use the same phone number.
VolumetricAddressHigh Inspects for high volumes of account creation requests that use the same physical address.
VolumetricAddressLow Inspects for low and medium volumes of account creation requests that use the same physical address.
VolumetricIPSuccessfulResponse Inspects for a high volume of successful account creation requests for a single IP address. AWS WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions.
VolumetricSessionSuccessfulResponse Inspects for a high volume of success responses from the protected resource to account creation requests that are being sent from a single client session. AWS WAF only evaluates this rule in web ACLs that protect Amazon CloudFront distributions.
VolumetricSessionTokenReuseIp Inspects for the use of a single token among more than 5 distinct IP addresses.

Please refer to the document below for a more detailed overview of the ACFP rules.
AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group

5. Usage with WafCharm

AWS Managed Rule Account Creation Fraud Prevention can be used with WafCharm rules.

6. Conclusion

With the addition of ACFP, you can now protect against account creation.

Although complex configuration is required in advance, you will be able to protect the account creation and sign-in flow by using the ACFP rule with the account takeover prevention (ATP) rule. These rules would be beneficial to those who manage websites with account creations and sign-ins.