Skip to content

AWS WAF CAPTCHA: Protect your application from bots

What is AWS WAF Captcha?

AWS WAF Captcha is a feature within AWS WAF (Web Application Firewall) that lets you easily block bot traffic by presenting users with a task they need to complete before allowing them to access the page.

AWS Captcha is extremely easy to setup. Unlike the Google ReCaptcha and most other similar services which require you to modify your application to implement a Captcha, AWS WAF Captcha requires no code modification because it acts as a layer above your application.

AWS WAF Captcha can be used to protect resources behind application load balancers, as well as Amazon API Gateway, and AWS AppSync.

You can configure AWS WAF captcha to appear based on:

  • Specific page uri, for e.g to block highly targeted areas such as login pages, forms, etc.
  • Suspicious requests as determined by rate, or other attributes
  • Labels set by other AWS Managed rules, for e.g requests that got marked as a bot based on the AWS WAF Bot Control list would see the Captcha

Setting up AWS WAF Captcha

This tutorial will cover how to setup AWS WAF Captcha for the login page of a web application that sits behind an application load balancer.

  1. From the AWS console, go to AWS WAF then lick on Web ACL. Click on Create Web ACL. (If you are already using AWS WAF for your application you can skip this step and go straight to step 4, the rule creation step.)
  2. Fill out the necessary fields for your ACL:

3. Next associate the resources that you are planning to protect with this WAF.

Click on Add AWS resources, then set the resource type and search for yours. In this example, we’re using an application load balancer.

4. Next, let’s add a rule. Select Add my own rules and rule groups.

5. Select Rule Builder and enter a name for your rule. In this example, we will be setting up a captcha for a login page and will be using the regular rule type. If you want to make the captcha only appear based on the frequency of requests, you can use the Rate-based rule instead.

6. Next we need to specify the condition for showing the AWS Captcha. For our example, we want to show it for the login page so we create a rule where any url on our website beginning with /login will trigger the Captcha. If you wanted to protect a WordPress website’s login page, you would set this path to /wp-login.

7. Next we need to tell the WAF how to respond when a request matches the condition we set in step 6. Select CAPTCHA and set how long the validated captcha token will last. Once a user solves a captcha, a cookie containing the validated token will be saved in their browser. By default the immunity time is set to 5 mins (300 seconds). Once the immunity period expires, the user will be have to solve a new Captcha to access the protected page again.

8. Click Add rule, and follow the prompts to finish creating your ACL. Once created, go to rules and you should see the Captcha rule we created.

Testing the Captcha

At this point your Captcha setup should be complete! To test this out I simply go to the URI we defined in step 6, for example, You should see something like this:

Once you solve the captcha, you will be directed to your application’s actual login page.

If you are not already using the other features within AWS WAF, you’re missing out! AWS WAF provides several managed rules that can help you protect your application against common attacks such as SQL injection, XSS, etc. This is not a comprehensive security solution but it’s a fantastic first line of defense that filters out malicious requests so that these requests don’t put a strain on your application’s resources.


Found this interesting? Share it!

Leave a Reply

Your email address will not be published.