Home > Networking > Cyber Security Skill > Overview AWS WAF Bot Control with A Step-by-Step Guide

Overview AWS WAF Bot Control with A Step-by-Step Guide

By /

Protecting Your Website with AWS WAF Bot Control: A Step-by-Step Guide

AWS WAF Bot Control is a powerful managed rule group that helps detect and mitigate bot activity, from basic crawlers to sophisticated automated scripts. After discussions with my vendor, I learned that enabling Bot Control requires strategic integration, especially embedding the AWS WAF JavaScript SDK on key pages to generate tokens and handle responses like CAPTCHAs or redirects. In this guide, I’ll walk you through implementing AWS WAF Bot Control, ensuring your site stays protected while minimizing disruptions for legitimate users.

What is AWS WAF Bot Control?

AWS WAF Bot Control is a managed rule set within AWS Web Application Firewall (WAF) designed to identify and manage bot traffic. It offers two protection levels:

  • Common: Detects self-identifying bots (e.g., search engines, scrapers) using basic techniques like User-Agent analysis.
  • Targeted: Adds advanced detection, including browser fingerprinting, machine learning, and behavioral analysis to catch sophisticated bots.

Bot Control uses tokens (generated via client-side challenges or CAPTCHAs) to validate requests. These tokens, stored as cookies (aws-waf-token), help distinguish legitimate users from bots. If tokens are missing, reused, or show high-volume patterns, WAF may block requests or issue challenges (silent or CAPTCHA-based). For suspected bot activity, WAF might return HTTP responses like 202 (Challenge) or 405 (CAPTCHA), requiring client-side handling, such as redirecting to a CAPTCHA page and returning to the original page upon completion.

Note: Bot Control incurs additional AWS WAF fees, and Challenge/CAPTCHA actions add costs per execution. Check AWS WAF Pricing for details.

Let’s dive into the implementation.

Step 1: Create a Web ACL in AWS WAF

A Web ACL is the container for your WAF rules.

  1. Log in to the AWS Management Console and navigate to AWS WAF.
  2. In the left pane, select Web ACLs > Create web ACL.
  3. Enter a name (e.g., MyBotControlACL) and an optional description.
  4. Choose the resource type:
    • Amazon CloudFront for global apps.
    • Application Load Balancer (ALB) or API Gateway for regional apps.
  5. Set the default action to Allow (permits traffic unless blocked by rules).
  6. Proceed to add rules.

This sets up the foundation for Bot Control.

Step 2: Add the Bot Control Rule Group

Bot Control is a managed rule group you add to your Web ACL.

  1. In the Web ACL creation wizard, go to Rules > Add rules > Add managed rule groups.
  2. Under AWS managed rule groups, locate AWSManagedRulesBotControlRuleSet (vendor: AWS).
  3. Select the protection level:
    • Common: For basic bot detection (e.g., blocks unverifiable bots).
    • Targeted: Includes Common plus advanced detection (e.g., volumetric session analysis, token reuse checks). Optionally enable Machine Learning for anomaly detection.
  4. Configure rule actions (default actions include Block, Count, Challenge, or CAPTCHA). Override as needed:
    • Example: Change TGT_VolumetricSession (high-volume sessions) to CAPTCHA for user verification instead of blocking.
    • Example: Set TGT_TokenReuseIpHigh (high token reuse) to Block for strict enforcement.
    • Common rules add labels like awswaf:managed:aws:bot-control:bot:category:search_engine for custom handling.
  5. Set rule priority: Place Bot Control early (e.g., after rate-limiting rules).
  6. Save the Web ACL.

Pro Tip: Targeted rules rely on tokens for optimal performance. Without tokens, detection accuracy drops, so integrate the JavaScript SDK (Step 4).

Step 3: Associate the Web ACL with Your Resource

  1. In the Web ACL details, go to Associated AWS resources > Add AWS resources.
  2. Select your resource (e.g., CloudFront distribution, ALB, API Gateway).
  3. Save. Traffic to this resource now flows through the Web ACL.

Test in a staging environment to avoid impacting production users.

Step 4: Integrate the JavaScript SDK for Token Generation

As per my vendor’s advice, embedding the AWS WAF JavaScript SDK on “starting point” pages (e.g., homepage, login, checkout) ensures browsers generate tokens early. These tokens, included as cookies, reduce false positives and help WAF validate requests.

  1. In the AWS WAF console, go to Application integration (left pane).
  2. Select your Web ACL and navigate to the JavaScript SDK tab.
  3. Copy the script tag, e.g.: 
    <script src="https://<integration-id>.execute-api.us-east-1.amazonaws.com/prod/challenge.js" defer></script>
  4. Add it to the <head> of your HTML pages: 
    <head>
    <script type="text/javascript" src="https://<your-integration税-id>.execute-api.us-east-1.amazonaws.com/prod/challenge.js" defer></script>
</head>
    This runs a silent challenge on page load, setting the aws-waf-token cookie.
  5. Modify API requests to include tokens:
    • Use AwsWafIntegration.fetch for automatic token inclusion: 
      <script>
async function login() {
    const response = await AwsWafIntegration.fetch('/login', {
        method: 'POST',
        body: JSON.stringify({ username: 'user', password: 'pass' })
    });
    console.log(await response.json());
}
</script>
    • Or manually retrieve the token: 
      <script>
async function getToken() {
    const token = await AwsWafIntegration.getToken();
    // Use in headers: { 'x-aws-waf-token': token }
}
</script>

For single-page apps (e.g., React), add the script in index.html and wrap API calls. Tokens expire (default 5 minutes, configurable), and high-volume or reused tokens may trigger rules like TGT_TokenReuseIpHigh, leading to blocks or challenges.

Step 5: Handle Challenges and CAPTCHAs on the Client Side

If WAF suspects bot activity (e.g., missing/expired tokens, high request volume), it triggers a Challenge (silent proof-of-work) or CAPTCHA (visible puzzle). For non-HTML requests (e.g., APIs), WAF returns HTTP 202 (Challenge) or 405 (CAPTCHA). Your client must handle these, often redirecting to a CAPTCHA page and returning to the original page after completion.

  1. Set Up CAPTCHA API:
    • In Application integration > CAPTCHA tab, copy the JS tag and generate an API key.
    • Add to <head>: 
      <script src="https://<integration-url>/jsapi.js" defer></script>
    • Render CAPTCHA when needed: 
      <script>
function showCaptcha() {
    const container = document.getElementById('captcha-container');
    AwsWafCaptcha.renderCaptcha(container, {
        apiKey: '<your-api-key>',
        onSuccess: (token) => {
            // Retry original request
            fetch('/protected', { headers: { 'x-aws-waf-token': token } });
        },
        onError: (error) => { console.error(error); }
    });
}
</script>
<div id="captcha-container"></div>
  2. Handle WAF Responses:
    • Wrap API calls to detect 202/405 status codes: 
      <script>
async function protectedFetch(url) {
    const response = await AwsWafIntegration.fetch(url);
    if (response.status === 405) { // CAPTCHA required
        showCaptcha(); // Render CAPTCHA, retry on success
        return;
    } else if (response.status === 202) { // Silent Challenge
        await AwsWafIntegration.getToken(); // Wait for token
        return protectedFetch(url); // Retry
    }
    return response.json();
}
</script>
  3. Manage Redirects:
    • WAF’s interstitial page (for HTML requests) auto-redirects to the original URL after challenge completion.
    • For SPAs, store the original URL (e.g., in sessionStorage) and navigate post-CAPTCHA: 
      <script>
sessionStorage.setItem('originalUrl', window.location.href);
// After CAPTCHA success:
window.location.href = sessionStorage.getItem('originalUrl');
</script>

Implement retry logic with exponential backoff to handle repeated challenges gracefully.

Step 6: Monitor and Optimize

  1. Enable Logging:
    • In Web ACL > Logging, send logs to CloudWatch Logs or S3.
    • Analyze for blocked/challenged requests.
  2. Use the Bot Control Dashboard:
    • In Web ACL > Bot Control tab, view bot categories (e.g., search engines, scrapers) and traffic patterns.
  3. Test and Tune:
    • Simulate bot traffic (e.g., modify User-Agent) to verify token generation and challenge handling.
    • Add custom rules based on labels (e.g., allow verified search bots).
    • Adjust token immunity time or scope rules to specific URIs for efficiency.

Key Takeaways

  • Place SDK on Key Pages: Embed the JavaScript SDK on high-traffic or entry pages to generate tokens early, reducing false positives.
  • Handle Responses: Detect 202/405 status codes and manage CAPTCHAs or redirects to maintain user experience.
  • Monitor and Refine: Use logs and the Bot Control dashboard to optimize rules and minimize disruptions.

By following these steps, you can protect your website from bots while ensuring legitimate users face minimal friction. If you encounter issues, AWS Support is a great resource.

Have you implemented AWS WAF Bot Control? Share your tips or challenges in the comments below!

Related posts:

  1. Best Public DNS Providers in 2025: IPs, Features, and Security Compared
  2. Learning material for drive in cyber security (Useful link)
  3. AA(Active/Active) vs AP(Active/Passive) Palo Alto Firewalls
  4. Cisco ISE vs Aruba ClearPass
  5. Understanding HTTP GET vs POST: Differences, Examples, and Security Concerns
  6. Demo of cyber security risk of XSS

Powered by YARPP.

Leave a Comment