The AWS-AWSManagedRulesBotControlRuleSet is an AWS Managed WAF rule group that detects and mitigates unwanted bot traffic — including headless browsers, automated scripts, and non-browser clients like curl/Postman. It’s very effective for your goal of allowing only browser-based traffic to your Application Load Balancer (ALB).