Posted On: Nov 24, 2021

AWS today announced AWS WAF Captcha to help block unwanted bot traffic by requiring users to successfully complete challenges before their web request are allowed to reach AWS WAF protected resources. Captcha is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart and is commonly used to distinguish between robotic and human visitors to prevent activity like web scraping, credential stuffing, and spam. You can configure AWS WAF rules to require WAF Captcha challenges to be solved for specific resources that are frequently targeted by bots such as login, search, and form submissions. You can also require WAF Captcha challenges for suspicious requests based on the rate, attributes, or labels generated from AWS Managed Rules, such as AWS WAF Bot Control or the Amazon IP Reputation list. WAF Captcha challenges are simple for humans while remaining effective against bots. WAF Captcha includes an audio version and is designed to meet WCAG accessibility requirements.

You can start using Captcha in AWS WAF by creating or navigating to a rule statement and selecting challenge as the action type. When a request matches a rule statement and has WAF Captcha as the action type, users will be presented with a page delivered by AWS WAF, instructing them to complete a Captcha challenge before they can proceed. Once a user successfully completes a Captcha challenge, the originally requested resource will be requested again automatically. Users that complete challenges will not be required to complete additional challenges for a period of time that you can customize. For detailed information, see the AWS WAF developer guide.

AWS WAF Captcha is now available in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), South America (Sao Paulo), and Asia Pacific (Singapore) AWS Regions and supports Application Load Balancer, Amazon API Gateway, and AWS AppSync resources. We expect to launch AWS WAF Captcha in other commercial AWS Regions and AWS GovCloud (US) Regions and to add support for Amazon CloudFront resources over the next few days. WAF Captcha usage is billed based on the number of WAF Captcha challenges attempted, in addition to standard AWS WAF service charges. See the AWS WAF Pricing page for more details.