Let’s confirm you are human

Anders Bjørnestad
Jan 27, 2022


AWS WAF now has support for Captcha

Captcha support for AWS WAF (Web Application Firewall) was announced recently. Most of us see captchas when we register new accounts, place orders online or simply want to check the flight times to Paris.

AWS WAF Captcha

A CAPTCHA (/kæp.tʃə/, a contrived acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a type of challenge–response test used in computing to determine whether the user is human.

(source: Wikipedia)

There are different providers of Captcha solutions out there, and many require you to alter your application to implement their solution. AWS WAF has this integrated, and if you are already using WAF you can configure it in minutes without changing your solution. The captchas presented are (from what I have seen) either a slider where you match a figure or a “car path” where you have to point to the end. The user can also select a voice message where they have to recognise one of two words spoken (in English).

If you are not using AWS WAF you could, without much change, set up a CloudFront distribution (AWS service for content delivery) and add WAF to the distribution.

Let us skip the part about setting up CloudFront (or another supported AWS service) and see how Captcha is configured.

Set up AWS Web ACL

Go to WAF in the AWS-console and select “Web ACLs” in the menu. Make sure to select the correct region, or “Global” if you are using a global service like CloudFront.

WAF ACL page

You press “Create web ACL” and give your ACL a good name, and add an AWS resource (for example CloudFront).

Step 1

Then you need to define a rule for your ACL. This can be a custom rule or a managed rule. Managed rules can be AWS-provided, or you can purchase rules from security vendors. In my case I make a custom rule that checks that the query string in the request does not match “mysecretdoor”. This will then trigger an action unless you are accessing via the “secret door”.

Step 2 — Rule

The next step is to define the action to perform when the rule is “true”. We select Captcha, and for this demo I use 60 seconds as the immunity time (the time before the captcha is triggered for the user again). 300 seconds is the default value.

Step 2 — Action

You can leave the other values as they are if you are just experimenting. Then all that is left is to hit your webpage(s) to see if it works.

WAF also gives you metrics and a list of requests being served.
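The rule from the steps above, written in the shape the rule JSON editor in the WAF console uses, together with a small local model of which requests it challenges. This is an added example and not code from the original post: the rule name, metric name, the `CONTAINS` match type and the `decide` helper are assumptions, and the model assumes the web ACL's default action lets unmatched requests through.

```python
from urllib.parse import urlsplit

def captcha_rule(secret="mysecretdoor", immunity_seconds=60):
    """Rule JSON: CAPTCHA every request whose query string lacks `secret`."""
    return {
        "Name": "captcha-unless-secret-door",  # hypothetical rule name
        "Priority": 0,
        "Statement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "SearchString": secret,
            "FieldToMatch": {"QueryString": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "CONTAINS",  # assumed match type
        }}}},
        "Action": {"Captcha": {}},
        # Immunity time in seconds; the post uses 60 instead of the default 300.
        "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": immunity_seconds}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "captcha-unless-secret-door",  # hypothetical
        },
    }

def decide(rule, url, now, solved_at=None):
    """Simplified local model of the rule (not AWS code).

    now / solved_at are epoch seconds; solved_at is when this client last
    solved a captcha, or None. Returns "pass" or "captcha".
    """
    match = rule["Statement"]["NotStatement"]["Statement"]["ByteMatchStatement"]
    # No text transformation: the raw query string is compared case-sensitively.
    if match["SearchString"] in urlsplit(url).query:
        return "pass"  # NOT(contains secret) is false, so the rule is skipped
    immunity = rule["CaptchaConfig"]["ImmunityTimeProperty"]["ImmunityTime"]
    if solved_at is not None and now - solved_at < immunity:
        return "pass"  # still inside the immunity time
    return "captcha"

if __name__ == "__main__":
    import json
    print(json.dumps(captcha_rule(), indent=2))
    # Constructed sample requests: (url, now, solved_at)
    for url, t, solved in [("https://example.com/?mysecretdoor", 0, None),
                           ("https://example.com/prices", 0, None),
                           ("https://example.com/prices", 100, 70),
                           ("https://example.com/prices", 200, 70)]:
        print(url, decide(captcha_rule(), url, t, solved))
```

Because the condition sits in the query string, the value also ends up in access logs and browser history, so it works as a demo switch rather than as a secret.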


AWS WAF is priced per web ACL, per rule and per request (see pricing). On top of that you pay $0.40 per thousand challenge attempts.

To save money it is possible to send only some requests to WAF (path-based) and add Captcha to only some URLs, but that routing is up to the service WAF is hooked into.


There are a lot of captcha solutions out there, with widely varying pricing and technical requirements. If you are already using AWS, their solution is really quick to get going and does not require any major changes to your application. The cost depends on the traffic, and of course you need to weigh the price against the value of stopping spammers and bots. The captchas presented are not too annoying.



Anders Bjørnestad

Consultant, AWS Community Hero, APN Ambassador and AWS Trainer based in Norway. Have worked with AWS technology since 2010.