Anti-Bot

What Is AWS WAF Bot Control?

By the Scrappey Research Team

What Is AWS WAF Bot Control? — conceptual illustration
On this page

AWS WAF Bot Control is a ready-made set of rules inside AWS WAF (Amazon's web application firewall — the security layer that filters traffic before it reaches a site) that detects and blocks bot traffic. It comes in two tiers — Common (signature-based: it blocks known crawlers and bots that identify themselves) and Targeted (which adds a JavaScript / CAPTCHA challenge, groups requests by IP to spot abuse, and applies TGT_* labels). Lots of sites use it because it's a one-click enable on any AWS-fronted site, but its detection is well below DataDome or Akamai.

Quick facts

TiersCommon (signature) and Targeted (challenge + behaviour)
Detection cookieaws-waf-token (only on Targeted with challenge action)
Response headerx-amzn-waf-action when challenge fires; x-amz-cf-id on CloudFront
Labels emittedawswaf:managed:aws:bot-control:* on classified requests
Detection strengthLight (Common) to moderate (Targeted with challenge)

Common vs Targeted — the two tiers

Common checks each request against a fixed list of tell-tale signs: known crawler User-Agents (the string a client uses to identify itself), a missing Accept-Language header, scripting-engine UAs, and datacenter ASNs (the network blocks that cloud servers live in, as opposed to home internet). It blocks roughly the same traffic as Cloudflare's Bot Fight Mode. curl_cffi with Chrome impersonation presents a consistent client to the Common tier, because its UA, TLS (the encryption layer behind https), and headers all look like a real browser.

Targeted adds a Silent Challenge (a small piece of JavaScript that hands out an aws-waf-token) and a CAPTCHA Challenge action. When it's set to challenge rather than block, a request with no token gets a 405 response carrying an x-amzn-waf-action: challenge header plus an HTML page that runs the WAF challenge script. Targeted also counts requests per session token to catch ones coming in too fast.

How AWS labels classified requests

Unlike Cloudflare, AWS WAF doesn't give each request a 0–99 score. Instead it attaches labels — short tags describing what it thinks the request is — such as awswaf:managed:aws:bot-control:bot:category:scraping_framework or awswaf:managed:aws:bot-control:signal:automated_browser. The site owner then writes rules that act on those labels (block, challenge, or just count). This makes Bot Control more lenient by default than other vendors: a labelled request is only blocked if the owner actually added a rule for it, so many AWS-protected sites let through traffic that Cloudflare or Akamai would reject.

How different clients are handled (on sites you are permitted to access)

Common tier: any modern impersonation library (curl_cffi, tls-client, hrequests) plus a non-datacenter IP presents a consistent client. The signature list is short and well-known.

Targeted tier: if the owner chose challenge, a real-browser session (Playwright, Camoufox) completes the challenge once and then reuses the aws-waf-token cookie for later requests — the token stays valid for a while (~5 min by default, configurable). If the owner chose block, there's no challenge to complete, so a coherent, consistent browser configuration matters — broadly the same considerations as Akamai, but against a much weaker scoring model.

Code example

python
# AWS WAF Common: curl_cffi alone usually passes
from curl_cffi import requests

s = requests.Session(impersonate="chrome131")
r = s.get("https://target.com/api/items")

# Check for AWS WAF challenge
if r.headers.get("x-amzn-waf-action") == "challenge":
    print("Targeted tier with challenge — switch to a real browser")
elif r.status_code == 403:
    print("Common tier blocked — check IP and User-Agent")
else:
    print(f"OK: {r.status_code}")

Related terms

Concept map

How AWS WAF Bot Control connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Frequently asked questions

Is AWS WAF Bot Control as strong as Cloudflare Bot Management?

No. The signature-based Common tier is about as strong as Cloudflare's free Bot Fight Mode. The Targeted tier adds JS challenges but lacks the continuous machine-learning scoring and the global cross-site data that Cloudflare's enterprise product draws on. Most AWS-WAF-protected sites are not the hardest targets.

How do I tell Common from Targeted from a single response?

Common blocks with a plain 403 and no extra headers. Targeted set to challenge returns a 405 plus an x-amzn-waf-action: challenge header. Targeted set to block returns a 403, but its Set-Cookie header usually contains an aws-waf-token left over from a previous interaction.

Do the awswaf:* labels appear in HTTP responses?

No — the labels live inside AWS WAF and are only visible in CloudWatch logs to the site owner, so scrapers never see them. What you can observe is the action the owner's rule took based on those labels (block, challenge, or allow).

Last updated: 2026-05-31