AWS Web application firewall (WAF v2) Captcha enhancements and how to set it up

AWS WAF now supports an additional action apart from allowing, block and counting. CAPTCHA is now available which will provide a captcha for the block and . Captcha. 

  • Allowing  – Allow all requests except the ones that you specify
  • Blocking – Block all requests except the ones that you specify
  • Counting – Count requests that match the criteria specified.  This option is primarily used for monitoring and testing new rules
  • Captcha – Run Captcha against requests that match the criteria specified. This option is used primarily reduce non-humans or bot traffic

Note: that the Web ACL capacity limit is limited to 1500 web acl capacity units (WCUs) but can be increased by opening a support case

From the AWS Management Console, in the search bar search for WAF and choose WAF & Shield

2. Click web Acl from the side menu and then click Create web ACL


3. Enter a name for the Web ACL and description. The cloud watch metric name is populated with the web ACL name. The next step is to define

4. The next step is to choose the AWS resources to be associated with the Web ACL. In this case, an Application load balancer will be used. Once selected click Add

5. Once added click next

6. Click add rules to start adding the appropriate rules. We will use both AWS Managed rules groups and Add my own rules and rule groups

In this case, the add managed rule groups will be used

7. Click on the AWS managed rule groups and in this case choose SQL Database from the free rule groups and click to Add to web ACL and click Add rules

8. The next step is to create a custom rule


9. Choose the request criteria which will be used in our case matches the statement will be used

10. The setup is to choose the Inspect statement needed

11. For example to allow or block a particular country choose the option Originate from a country in

12. if this option is chosen you need to choose how the country origin is determined whether it is the source IP or the IP address in the header

If the IP address in the header is used, you need to define the Header and the fallback in the case there is no X-forwarded-for header


13. The next step is to choose the action required whether allowed, blocked, count or CAPTCHA. In this case CAPTCHA is selected

14. If needed, the default CAPTCHA token timer of 300 seconds can be modified

15. Click add rule to add the custom rule to the web acl

16. The next setup is to to Choose the default web ACL action that will be used if no rules are matched and click next

17. If needed change the rule priority by selecting the rule needed to be moved and choose Move up or down and then click next

18. The Enabled Sampled requests are needed and should be left enabled to view the request matching the web acl rules and click then next to continue

19. The last step is to review the settings and click create web acl. If needed click on the edit button to modify the settings again



In the case of failed requests, the CAPTCHA check is presented in the browser.  In our case, we need to solve the puzzle


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.