**Introducing a new console experience for AWS WAF**
You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
# AWS WAF Fraud Control account takeover prevention (ATP) examples
This section shows example configurations that satisfy common use cases for the AWS WAF Fraud Control account takeover prevention (ATP) implementations.
Each example provides a description of the use case and then shows the solution in JSON listings for the custom configured rules.
**Note**
You can retrieve JSON listings like the ones shown in these examples through the console protection pack (web ACL) JSON download or rule JSON editor, or through the `getWebACL` operation in the APIs and the command line interface.
**Topics**
+ [ATP example: Simple configuration](waf-atp-control-example-basic.md)
+ [ATP example: Custom handling for missing and compromised credentials](waf-atp-control-example-user-agent-exception.md)
+ [ATP example: Response inspection configuration](waf-atp-control-example-response-inspection.md)
# ATP example: Simple configuration
The following JSON listing shows an example protection pack (web ACL) with an AWS WAF Fraud Control account takeover prevention (ATP) managed rule group. Note the additional sign-in page configuration, which gives the rule group the information it needs to monitor and manage your login requests. This JSON includes the protection pack (web ACL)'s automatically generated settings, like the label namespace and the protection pack (web ACL)'s application integration URL.
```
{
"WebACL": {
"LabelNamespace": "awswaf:111122223333:webacl:ATPModuleACL:",
"Capacity": 50,
"Description": "This is a test protection pack (web ACL) for ATP.",
"Rules": [
{
"Priority": 1,
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AccountTakeOverValidationRule"
},
"Name": "DetectCompromisedUserCredentials",
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesATPRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesATPRuleSet": {
"LoginPath": "/web/login",
"RequestInspection": {
"PayloadType": "JSON",
"UsernameField": {
"Identifier": "/form/username"
},
"PasswordField": {
"Identifier": "/form/password"
}
},
"EnableRegexInPath": false
}
}
]
}
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "ATPValidationAcl"
},
"DefaultAction": {
"Allow": {}
},
"ManagedByFirewallManager": false,
"RetrofittedByFirewallManager": false,
"Id": "32q10987-65rs-4tuv-3210-98765wxyz432",
"ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/ATPModuleACL/32q10987-65rs-4tuv-3210-98765wxyz432",
"Name": "ATPModuleACL"
},
"ApplicationIntegrationURL": "https://9z87abce34ea.us-east-1.sdk.awswaf.com/9z87abce34ea/1234567a1b10/",
"LockToken": "6d0e6966-95c9-48b6-b51d-8e82e523b847"
}
```
# ATP example: Custom handling for missing and compromised credentials
By default, the credentials checks that are performed by the rule group `AWSManagedRulesATPRuleSet` handle web requests as follows:
+ **Missing credentials** – Label and block request.
+ **Compromised credentials** – Label request but don't block or count it.
For details about the rule group and rule behavior, see [AWS WAF Fraud Control account takeover prevention (ATP) rule group](aws-managed-rule-groups-atp.md).
You can add custom handling for web requests that have missing or compromised credentials by doing the following:
+ **Override the `MissingCredential` rule to Count** – This rule action override causes the rule to only count and label matching requests.
+ **Add a label match rule with custom handling** – Configure this rule to match against both of the ATP labels and to perform your custom handling. For example, you might redirect the customer to your sign-up page.
The following rule shows the ATP managed rule group from the prior example, with the `MissingCredential` rule action overridden to count. This causes the rule to apply its label to matching requests, and then only count the requests, instead of blocking them.
```
"Rules": [
{
"Priority": 1,
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AccountTakeOverValidationRule"
},
"Name": "DetectCompromisedUserCredentials",
"Statement": {
"ManagedRuleGroupStatement": {
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesATPRuleSet": {
"LoginPath": "/web/login",
"RequestInspection": {
"PayloadType": "JSON",
"UsernameField": {
"Identifier": "/form/username"
},
"PasswordField": {
"Identifier": "/form/password"
}
},
"EnableRegexInPath": false
}
}
]
"VendorName": "AWS",
"Name": "AWSManagedRulesATPRuleSet",
"RuleActionOverrides": [
{
"ActionToUse": {
"Count": {}
},
"Name": "MissingCredential"
}
],
"ExcludedRules": []
}
}
}
],
```
With this configuration, when this rule group evaluates any web request that has missing or compromised credentials, it will label the request, but not block it.
The following rule has a priority setting that is higher numerically than the preceding rule group. AWS WAF evaluates rules in numeric order, starting from the lowest, so this rule will be evaluated after the rule group evaluation. The rule is configured to match either of the credentials labels and to send a custom response for matching requests.
```
"Name": "redirectToSignup",
"Priority": 10,
"Statement": {
"OrStatement": {
"Statements": [
{
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:atp:signal:missing_credential"
}
},
{
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:atp:signal:credential_compromised"
}
}
]
}
},
"Action": {
"Block": {
"CustomResponse": {
your custom response settings
}
}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "redirectToSignup"
}
```
# ATP example: Response inspection configuration
The following JSON listing shows an example protection pack (web ACL) with an AWS WAF Fraud Control account takeover prevention (ATP) managed rule group that is configured to inspect origin responses. Note the response inspection configuration, which specifies success and response status codes. You can also configure success and response settings based on header, body, and body JSON matches. This JSON includes the protection pack (web ACL)'s automatically generated settings, like the label namespace and the protection pack (web ACL)'s application integration URL.
**Note**
ATP response inspection is available only in protection packs (web ACLs) that protect CloudFront distributions.
```
{
"WebACL": {
"LabelNamespace": "awswaf:111122223333:webacl:ATPModuleACL:",
"Capacity": 50,
"Description": "This is a test protection pack (web ACL) for ATP.",
"Rules": [
{
"Priority": 1,
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AccountTakeOverValidationRule"
},
"Name": "DetectCompromisedUserCredentials",
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesATPRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesATPRuleSet": {
"LoginPath": "/web/login",
"RequestInspection": {
"PayloadType": "JSON",
"UsernameField": {
"Identifier": "/form/username"
},
"PasswordField": {
"Identifier": "/form/password"
}
},
"ResponseInspection": {
"StatusCode": {
"SuccessCodes": [
200
],
"FailureCodes": [
401
]
}
},
"EnableRegexInPath": false
}
}
]
}
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "ATPValidationAcl"
},
"DefaultAction": {
"Allow": {}
},
"ManagedByFirewallManager": false,
"RetrofittedByFirewallManager": false,
"Id": "32q10987-65rs-4tuv-3210-98765wxyz432",
"ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/ATPModuleACL/32q10987-65rs-4tuv-3210-98765wxyz432",
"Name": "ATPModuleACL"
},
"ApplicationIntegrationURL": "https://9z87abce34ea.us-east-1.sdk.awswaf.com/9z87abce34ea/1234567a1b10/",
"LockToken": "6d0e6966-95c9-48b6-b51d-8e82e523b847"
}
```