Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News AWS WAF Introduces Fraud Control - Account Takeover Prevention

AWS WAF Introduces Fraud Control - Account Takeover Prevention

This item in japanese

Amazon recently introduced Fraud Control - Account Takeover Prevention, a new feature of AWS Web Application Firewall to protect login pages at network edge.

Checking in real time whether the usernames and passwords have been compromised elsewhere on the web, Account Takeover Prevention (ATP) is designed to mitigate brute force attempts, credential stuffing attacks, and other anomalous login activities.

The new feature is a managed rule group of AWS WAF that monitors the traffic to an application’s login page and detects unauthorised access using compromised credentials. ATP gives visibility over anomalous login attempts, helping prevent unauthorised access and fraudulent activity. Corey Quinn, cloud economist at The Duckbill Group, writes in his newsletter:

This is a neat feature for those of you who have login pages. There was a time I'd have paid handsomely for this feature.

A managed service for data and infrastructure security, AWS WAF can be used to protect applications on CloudFront, Application Load Balancer, API Gateway, AWS Lambda and AWS AppSync for GraphQL APIs.


When AWS WAF determines that credentials have been compromised, it highlights a match with a label and automatically blocks failed login attempts, repeat offenders, and requests from bots. Without ATP, system administrators have to configure rate-based rules to mitigate web layer DDoS attacks, brute force login attempts and bots. Jonathan Rau, CISO at Lightspin, writes:

As time passes, the AWS WAF team definitely gets a lot more crafty, this new release is no exception. From the launch post (and looking at the AMR config), it seems they're using some OSINT & CTI (likely HIPB and existing IOC feeds), basic login pattern telemetry, and probably rate-based rules underneath to detect & prevent techniques such as credential stuffing, brute-forcing, and impossible travel to stop Account Takeovers.

Optional JavaScript and Mobile SDKs increase protection against automated login attempts by bots, relying on additional telemetry on user devices. Currently AWS WAF only inspects the first 8 KB of the web request body, a limitation that Riyaz Walikar, co-founder at Kloudle, claims could result in attackers bypassing the feature:

Now the WAF functions as advertised for any web traffic that is less than 8KB in size, but as soon as the attack traffic exceeds 8KB, a malicious payload will go right through the AWS WAF, the load balancer and will be processed by the application.

The new ATP feature is available in a subset of AWS regions, including Northern Virginia and Ireland, and is charged 10 USD per month and 1 USD per thousand login attempts analysed. Rau adds:

It's expensive (...) for a very popular app I can see this easily being way too expensive. 10M logins is $10K, imagine that in front of Coinbase after their Super Bowl ad? Oof.

AWS released a video to show how to configure the new feature.

About the Author

Rate this Article