Fraud Control helps protect your login and sign-up pages against attacks such as credential stuffing, credential cracking and fake account creation. With Fraud Control, you get 10k requests free per month.


Easy to deploy within minutes, without any architectural or application changes

Fraud Control is enabled by adding an AWS managed rule group to a Web Access Control List, making it easy to add bot protection for your applications that use Amazon CloudFront, Application Load Balancer, Amazon API Gateway, AWS AppSync, AWS App Runner or AWS Verified Access. No additional infrastructure, DNS changes, or TLS certificate management is needed.

Maintain customer trust and brand reputation by preventing account takeover attacks

Fraud Control continuously monitors requests to your login pages for malicious attacks such as credential stuffing or credential cracking. Credential stuffing is when a bad actor uses stolen credentials to gain unauthorized access. Credential cracking involves trying multiple username/password combinations to gain access to someone else's account.

Minimize revenue loss by preventing abuse of loyalty and referral bonuses

Fraud Control continuously monitors requests to your sign-up or registration pages for anomalous digital activity such as automated account creation by bots. It then automatically blocks suspicious requests based on request identifiers and behavioral analysis.

How it works

Bot Control Diagram

Use cases

Block fraud at the network edge

Fraud Control can block unwanted fraudulent traffic at the network edge when you use AWS WAF with Amazon CloudFront or other integrations. Fraud Control helps you minimize the impact of fraud on your application's performance and can reduce operational and infrastructure costs. Bot Control also increases the accuracy of your web analytics by removing bot traffic that can skew website and conversion metrics.

Easy-to-use fraud mitigation for multiple use cases

Fraud Control is available for two use cases: Account Takeover and Account creation fraud prevention. The Account Takeover managed rule consists of rules that prevent unauthorized login attempts. The Account creation fraud prevention managed rule consists of rules that look at various elements of your sign-up request, such as headers, reputation lists and behavioral analysis, to prevent creation of fraudulent or fake accounts.
