AWS – AWS WAF adds JA4 fingerprinting and aggregation on JA3 and JA4 fingerprints for rate-based rules
AWS WAF now supports JA4 fingerprinting of incoming requests, enabling customers to allow known clients or block requests from malicious clients. Additionally, you can now use both JA4 and JA3 fingerprints as aggregation keys within WAF’s rate-based rules, allowing you to monitor and control request rates based on client fingerprints.
A JA4 TLS client fingerprint is a 36-character fingerprint of the TLS Client Hello, the message a client sends to initiate a secure connection. The fingerprint can be used to build a database of known good and bad actors to apply when inspecting HTTP requests. These new features enhance your ability to identify and mitigate sophisticated attacks by creating more precise rules based on client behavior patterns. By leveraging both JA4 and JA3 fingerprinting capabilities, you can implement robust protection against automated threats while maintaining legitimate traffic flow to your applications.
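The following is an added example, not AWS code and not the AWS WAF implementation: it checks the 36-character JA4 layout and compares per-IP with per-fingerprint aggregation over one counting window. The record fields (`ip`, `ja4`), the fingerprint values, the limit of 10 and the choice to skip requests without a usable fingerprint are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# JA4 layout: 10-character prefix, then two 12-hex-digit truncated hashes,
# joined by "_" (10 + 1 + 12 + 1 + 12 = 36 characters).
JA4_RE = re.compile(
    r"^(?P<proto>[tqd])(?P<tls>[0-9a-z]{2})(?P<sni>[di])"
    r"(?P<ciphers>\d{2})(?P<exts>\d{2})(?P<alpn>[0-9a-z]{2})"
    r"_(?P<cipher_hash>[0-9a-f]{12})_(?P<ext_hash>[0-9a-f]{12})$"
)

def parse_ja4(fp):
    """Return the fields of a JA4 string, or None if it is not well-formed."""
    m = JA4_RE.match(fp or "")
    return m.groupdict() if m else None

def over_limit(requests, key, limit):
    """Return {aggregation key: count} for keys exceeding limit in one window."""
    counts = Counter()
    for req in requests:
        value = req.get(key)
        if key == "ja4" and parse_ja4(value) is None:
            continue  # assumption of this sketch: no fingerprint, not aggregated
        counts[value] += 1
    return {k: n for k, n in counts.items() if n > limit}

# Constructed sample window (hypothetical values, documentation IP ranges):
# one automated client spreads 12 requests over 6 source IPs with a single
# TLS stack; three browsers send one request each; one request arrives with
# no fingerprint.
BOT = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"
BROWSER = "t13d1715h2_cccccccccccc_dddddddddddd"
WINDOW = (
    [{"ip": f"198.51.100.{i}", "ja4": BOT} for i in range(1, 7) for _ in range(2)]
    + [{"ip": f"203.0.113.{i}", "ja4": BROWSER} for i in range(1, 4)]
    + [{"ip": "203.0.113.9", "ja4": None}]
)

if __name__ == "__main__":
    print("fields:", parse_ja4(BOT))
    print("over limit by IP: ", over_limit(WINDOW, "ip", 10))
    print("over limit by JA4:", over_limit(WINDOW, "ja4", 10))
```

Aggregating on source IP flags nothing because each address stays under the limit, while aggregating on the fingerprint attributes all 12 requests to one client.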
JA4 as a match statement is available in all regions where AWS WAF is available for Amazon CloudFront and Amazon Application Load Balancer (ALB). JA3 and JA4 aggregation keys are available in all regions, except the AWS GovCloud (US) Regions, the China Regions, Asia Pacific (Melbourne), Israel (Tel Aviv) and Asia Pacific (Malaysia). There is no additional cost for using this feature; however, standard AWS WAF charges still apply. For more information about pricing, visit the AWS WAF Pricing page.