**Introducing a new console experience for AWS WAF**
You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
# AWS WAF Fraud Control account creation fraud prevention (ACFP) examples
This section shows example configurations that satisfy common use cases for the AWS WAF Fraud Control account creation fraud prevention (ACFP) implementations.
Each example provides a description of the use case and then shows the solution in JSON listings for the custom configured rules.
**Note**
You can retrieve JSON listings like the ones shown in these examples through the console protection pack (web ACL) JSON download or rule JSON editor, or through the `getWebACL` operation in the APIs and the command line interface.
**Topics**
+ [ACFP example: Simple configuration](waf-acfp-control-example-basic.md)
+ [ACFP example: Custom response for compromised credentials](waf-acfp-control-example-compromised-credentials.md)
+ [ACFP example: Response inspection configuration](waf-acfp-control-example-response-inspection.md)
# ACFP example: Simple configuration
The following JSON listing shows an example protection pack (web ACL) with an AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group. Note the additional `CreationPath` and `RegistrationPagePath` configurations, along with the payload type and the information needed to locate new account information in the payload, in order to verify it. The rule group uses this information to monitor and manage your account creation requests. This JSON includes the protection pack (web ACL)'s automatically generated settings, like the label namespace and the protection pack (web ACL)'s application integration URL.
```
{
"Name": "simpleACFP",
"Id": "... ",
"ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/simpleACFP/... ",
"DefaultAction": {
"Allow": {}
},
"Description": "",
"Rules": [
{
"Name": "AWS-AWSManagedRulesACFPRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesACFPRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesACFPRuleSet": {
"CreationPath": "/web/signup/submit-registration",
"RegistrationPagePath": "/web/signup/registration",
"RequestInspection": {
"PayloadType": "JSON",
"UsernameField": {
"Identifier": "/form/username"
},
"PasswordField": {
"Identifier": "/form/password"
},
"EmailField": {
"Identifier": "/form/email"
},
"PhoneNumberFields": [
{
"Identifier": "/form/country-code"
},
{
"Identifier": "/form/region-code"
},
{
"Identifier": "/form/phonenumber"
}
],
"AddressFields": [
{
"Identifier": "/form/name"
},
{
"Identifier": "/form/street-address"
},
{
"Identifier": "/form/city"
},
{
"Identifier": "/form/state"
},
{
"Identifier": "/form/zipcode"
}
]
},
"EnableRegexInPath": false
}
}
]
}
},
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesACFPRuleSet"
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "simpleACFP"
},
"Capacity": 50,
"ManagedByFirewallManager": false,
"RetrofittedByFirewallManager": false,
"LabelNamespace": "awswaf:111122223333:webacl:simpleACFP:"
}
```
# ACFP example: Custom response for compromised credentials
By default, the credentials check that's performed by the rule group `AWSManagedRulesACFPRuleSet` handles compromised credentials by labeling the request and blocking it. For details about the rule group and rule behavior, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](aws-managed-rule-groups-acfp.md).
To inform the user that the account credentials they've provided have been compromised, you can do the following:
+ **Override the `SignalCredentialCompromised` rule to Count** – This causes the rule to only count and label matching requests.
+ **Add a label match rule with custom handling** – Configure this rule to match against the ACFP label and to perform your custom handling.
The following protection pack (web ACL) listings shows the ACFP managed rule group from the prior example, with the `SignalCredentialCompromised` rule action overridden to count. With this configuration, when this rule group evaluates any web request that uses compromised credentials, it will label the request, but not block it.
In addition, the protection pack (web ACL) now has a custom response named `aws-waf-credential-compromised` and a new rule named `AccountSignupCompromisedCredentialsHandling`. The rule priority is a higher numeric setting than the rule group, so it runs after the rule group in the protection pack (web ACL) evaluation. The new rule matches any request with the rule group's compromised credentials label. When the rule finds a match, it applies the Block action to the request with the custom response body. The custom response body provides information to the end user that their credentials have been compromised and proposes an action to take.
```
{
"Name": "compromisedCreds",
"Id": "... ",
"ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/compromisedCreds/...",
"DefaultAction": {
"Allow": {}
},
"Description": "",
"Rules": [
{
"Name": "AWS-AWSManagedRulesACFPRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesACFPRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesACFPRuleSet": {
"CreationPath": "/web/signup/submit-registration",
"RegistrationPagePath": "/web/signup/registration",
"RequestInspection": {
"PayloadType": "JSON",
"UsernameField": {
"Identifier": "/form/username"
},
"PasswordField": {
"Identifier": "/form/password"
},
"EmailField": {
"Identifier": "/form/email"
},
"PhoneNumberFields": [
{
"Identifier": "/form/country-code"
},
{
"Identifier": "/form/region-code"
},
{
"Identifier": "/form/phonenumber"
}
],
"AddressFields": [
{
"Identifier": "/form/name"
},
{
"Identifier": "/form/street-address"
},
{
"Identifier": "/form/city"
},
{
"Identifier": "/form/state"
},
{
"Identifier": "/form/zipcode"
}
]
},
"EnableRegexInPath": false
}
}
],
"RuleActionOverrides": [
{
"Name": "SignalCredentialCompromised",
"ActionToUse": {
"Count": {}
}
}
]
}
},
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesACFPRuleSet"
}
},
{
"Name": "AccountSignupCompromisedCredentialsHandling",
"Priority": 1,
"Statement": {
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:acfp:signal:credential_compromised"
}
},
"Action": {
"Block": {
"CustomResponse": {
"ResponseCode": 406,
"CustomResponseBodyKey": "aws-waf-credential-compromised",
"ResponseHeaders": [
{
"Name": "aws-waf-credential-compromised",
"Value": "true"
}
]
}
}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AccountSignupCompromisedCredentialsHandling"
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "compromisedCreds"
},
"Capacity": 51,
"ManagedByFirewallManager": false,
"RetrofittedByFirewallManager": false,
"LabelNamespace": "awswaf:111122223333:webacl:compromisedCreds:",
"CustomResponseBodies": {
"aws-waf-credential-compromised": {
"ContentType": "APPLICATION_JSON",
"Content": "{\n \"credentials-compromised\": \"The credentials you provided have been found in a compromised credentials database.\\n\\nTry again with a different username, password pair.\"\n}"
}
}
}
```
# ACFP example: Response inspection configuration
The following JSON listing shows an example protection pack (web ACL) with an AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group that is configured to inspect origin responses. Note the response inspection configuration, which specifies success and response status codes. You can also configure success and response settings based on header, body, and body JSON matches. This JSON includes the protection pack (web ACL)'s automatically generated settings, like the label namespace and the protection pack (web ACL)'s application integration URL.
**Note**
ATP response inspection is available only in protection packs (web ACLs) that protect CloudFront distributions.
```
{
"Name": "simpleACFP",
"Id": "... ",
"ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/simpleACFP/... ",
"DefaultAction": {
"Allow": {}
},
"Description": "",
"Rules": [
{
"Name": "AWS-AWSManagedRulesACFPRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesACFPRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesACFPRuleSet": {
"CreationPath": "/web/signup/submit-registration",
"RegistrationPagePath": "/web/signup/registration",
"RequestInspection": {
"PayloadType": "JSON",
"UsernameField": {
"Identifier": "/form/username"
},
"PasswordField": {
"Identifier": "/form/password"
},
"EmailField": {
"Identifier": "/form/email"
},
"PhoneNumberFields": [
{
"Identifier": "/form/country-code"
},
{
"Identifier": "/form/region-code"
},
{
"Identifier": "/form/phonenumber"
}
],
"AddressFields": [
{
"Identifier": "/form/name"
},
{
"Identifier": "/form/street-address"
},
{
"Identifier": "/form/city"
},
{
"Identifier": "/form/state"
},
{
"Identifier": "/form/zipcode"
}
]
},
"ResponseInspection": {
"StatusCode": {
"SuccessCodes": [
200
],
"FailureCodes": [
401
]
}
},
"EnableRegexInPath": false
}
}
]
}
},
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesACFPRuleSet"
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "simpleACFP"
},
"Capacity": 50,
"ManagedByFirewallManager": false,
"RetrofittedByFirewallManager": false,
"LabelNamespace": "awswaf:111122223333:webacl:simpleACFP:"
}
```