AWS WAF Reviews

If I have hosted your web applications or web services on AWS, and if you need a segregation in terms of different aspects, like at a country level or area level, especially when your website is not reachable for a particular country or a particular area, then you need to implement WAF on top of the public network. If WAF actually works on top of the network to manage each request at a global level, WAF is the first layer that handles the internet's every request, and depending on your choice, you can either accept or deny such requests.

Currently, most organizations face security challenges, and with the rise in hacking in every sector, like healthcare, IT, manufacturing, or infrastructure sector that we're talking about. You have to at least implement WAF on top of your network as well as the local network so that it filters every network traffic that comes in from any country. In our company, Fortinet WAF is what we use on top of the network as an anonymous network, and within the network, we use F5.

Due to security concerns or reasons, I recommend others to use AWS WAF and control the requests from multiple countries from a hacking point of view.

The area of reporting in the product needs to have a proper format. If you want to find the event log for an event and IP address from another country, there is a need to do some rework after the reporting part is taken care of so that the management can easily read the reports. A technical person in the organization can always understand where a particular network traffic comes in or where traffic is blocked with the help of WAF, but those in the management department would never understand the concepts that a technical person can understand. The reporting part of AWS WAF needs to be improved.

I have been using AWS WAF for five years.

It is a stable solution. Stability-wise, I rate the solution a ten out of ten.

It is an easily scalable solution. Scalability-wise, I rate the solution a ten out of ten.

More than 2,000 to 2,500 employees in my company use the solution.

The solution's technical support's response time and quality are very good. I rate the technical support a ten out of ten.

The product's initial setup phase was very simple.

The solution is deployed on the hybrid cloud model.

The product is deployed in a virtual environment and not in a physical one.

I rate the product price a five on a scale of one to ten, where one is high price, and ten is low price. I recommend people check for the services that run in the AWS WAF account. Each service that uses AWS will need the user to pay for some costs. Most of the people who use the solution are not able to understand the number of services that are running in the product. Even though there is a feature to help understand top-level management, people fail to figure out the number of services that are running in the product.

Compared to AWS WAF, Fortinet is easy to use and deploy. From a technical point of view, Fortinet is easy to implement and handle. I recommend Fortinet over AWS WAF to others.

I recommend Fortinet, as it is one of the best products, be it the virtual firewalls or the on-premises setup. If one wants to look for the on-premises setup, one must buy the hardware box.

I rate the overall tool a ten out of ten.

AWS WAF is primarily used to prevent intrusion into web applications. You can also use it to protect virtual machines within the AWS cloud. The main process involves creating rules to block common threats like SQL injection and cross-site scripting. These rules can be selected from built-in options. After configuring the firewall settings, you create a target group and attach your web application to it. The firewall filters incoming traffic based on the selected rules, blocking any suspicious activity.

The most valuable feature of AWS WAF is its highly configurable rules system. You can set up rules based on specific criteria like SQL injection, general web threats, and even advanced features like DDoS protection and region-based blocking. The richness of available rules, including options for custom rule configurations from third-party partners, enhances its effectiveness.

One area for improvement in AWS WAF could be the limitation on the number of rules, particularly those from third-party sources, within the free tier. Users may face budget constraints when trying to implement additional rules beyond the free tier limit.

AWS WAF is stable, but I haven't tested it extensively with high request volumes.

In our IT organization, the usage of AWS varies by project, with approximately 50-60% of projects using AWS or Cloudflare. For our internal websites like BroadWorks.com, we use Cloudflare, while for client projects, about 60-70% make use of AWS WAF.

Setting up AWS WAF for initial installation was relatively straightforward, even for someone without extensive DevOps experience like myself. While it wasn't overly complex, it also wasn't overly simple. With the help of AWS documentation and resources, I was able to complete the setup within two to three days.

Whether AWS WAF is worth the monthly investment of $50 to $60 depends on your budget and preferences. While AWS WAF offers robust features, there are also free tools available like ModSecurity that require more configuration but can still provide adequate protection.

While AWS is a top choice, Cloudflare is also considered for smaller projects due to pricing. Overall, AWS WAF offers reasonable features compared to competitors like Cloudflare, GCP, and Azure.

Before using AWS WAF for the first time, it is important to consider where your infrastructure is hosted and where you want to implement the firewall. If you are already on AWS, AWS WAF would naturally be a suitable choice. Determine the level of security required based on your application's domain, such as financial applications needing more stringent security measures. Select appropriate rules for your use case, considering both conventional web rules and AWS Shield for critical applications. Additionally, after setting up AWS WAF, conduct thorough testing using vulnerability scanners like ThoughtSpot, Acunetix, or Nessus to ensure the effectiveness of your setup.

For beginners with around six months to a year of AWS experience, learning to use AWS WAF shouldn't be too difficult. However, integrating it with web applications across different cloud platforms might pose some challenges. Overall, experienced AWS users should find it manageable, while beginners may need some time to get used to it.

Overall, I would rate AWS WAF as a seven out of ten.

We use AWS WAF to protect our application from different kinds of attacks. We use AWS WAF for retail customers.

Our retail application is vulnerable to a lot of bot attacks. AWS WAF helps mitigate different kinds of bot attacks and SQL injection that happen within the retail industry.

The solution's pricing could be improved. You cannot add multiple rules within AWS WAF's CPU.

I have been using AWS WAF for more than three years.

Since AWS manages the solution, it is fairly stable.

I rate AWS WAF a nine out of ten for stability.

AWS WAF is a scalable solution.

I rate AWS WAF an eight out of ten for scalability.

I am satisfied with the solution’s technical support.

Positive

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

The solution's deployment takes a few minutes.

There is no licensing at all. We have to pay for it as we use it.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven or eight out of ten.

Integrating AWS WAF with other AWS services in our infrastructure is fairly easy. There are different tools through which we can do it.

AWS WAF is a fairly easy solution. Users need to build a few rules by themselves based on the vulnerability attack within the application.

Overall, I rate the solution a nine out of ten.

We use the product to protect the environment from DDoS and SQL injection attacks. We implement WAF in the public site.

WAF filters based on IPs. If hackers try to insert bugs, the tool blocks it.

Google uses an AI tool to provide insights about rules. It will be helpful if the product recommends rules that we can implement.

I have been using the solution for six years.

The tool is stable.

AWS takes care of the product's scalability, security, and performance. We do not have to maintain it.

Google’s console is minimalistic. It provides AI tools that help us create rules.

The deployment is very easy. It takes around five minutes. WAF plays an important role in the network. We need to implement WAF in the first level of security. We can implement it with the help of a console. We need one person to deploy the tool.

We pay $0.8 per hour. The product’s pricing is reasonable.

When we faced a DDoS attack before, we were not able to find the logs to identify the source of the attack. People who want to use the solution must have a basic knowledge about different attacks. Using the solution is easier if we know how the attacks happen. Overall, I rate the product a ten out of ten.

The solution protects my customers’ web applications hosted in AWS.

The ease of deployment of the product is valuable to me. AWS WAF might be one of the easiest WAFs that can be deployed. The only constraint is that our application must be running in AWS.

The default content policy available in the tool is not very strong compared to the competitors. Most of the WAFs will have a default set of policies and rules that we need to enable, which will satisfy our requirements. However, for AWS, we must put some time and effort into creating our content policy to get optimal protection.

I have been providing the solution for a year or more.

The product is stable. I have no complaints. I rate the stability a nine out of ten.

The product is scalable. I rate the scalability a nine out of ten.

The technical support is good. I have no complaints. The support team is fast, knowledgeable, and customer-friendly.

Positive

The initial setup is straightforward. It takes merely half an hour or less to deploy the solution. The solution is deployed on the cloud.

Whether we need a consultant to help with the deployment depends on our knowledge of the cloud platform and our applications. It is a complex solution. We can do it ourselves if we know about WAFs, rule sets, and deployments. It is not a solution for a novice or someone unfamiliar with the security and application firewall. Such people might need the help of an administrator or consultant. We deployed the solution ourselves.

Depending on how our AWS billing is configured, we are billed on a monthly or yearly billing cycle. The product is moderately priced. It is not too cheap but not too high either. There are no additional costs associated with the product.

I would recommend the solution to others. If a web application is completely hosted in AWS, then AWS WAF is a good choice. We can easily adopt it. Overall, I rate the solution a seven out of ten.

We use Managed Rules mostly.

ALB is integrated with WAF. When ALB spikes up, we know there’s something wrong. Usually, bots attack the applications.

Rule groups are valuable. We use it for DDoS. We do customizations with the help of Managed Rules in AWS. We use AWS WAF’s API to automate security tasks. The rule creation is similar to automation. We have enough understanding of how things work. It’s been one year since we have automated the tasks.

There are some limitations. We can add a maximum of four rate-based rules to the rule group. We must monitor and clean up the WAF manually. We cannot create rules if it goes above four. It requires manual intervention. We have to check, clean, and maintain it regularly. We do not want to do it. We are willing to pay extra if it can be improved. We need additional features so we do not have to do manual interventions.

I have been using the solution for three years.

We do not have any problems with the tool’s functionalities.

We are very happy about the product’s scalability. We did not face any issues. My organization is an enterprise.

We have a partnership. We can contact the consultants whenever we need anything. We don't have any problem with the support team.

Positive

The installation was not difficult. We have a separate team to deploy the solution in our organization. We do not face any issues with maintenance.

All our infrastructure is on AWS. My organization has been using AWS for the last eight years. Mid-size companies use ALB. We also use AWS Shield. Sometimes, we get alerts from AWS Shield. Our internal tools also send us alerts. We're completely on AWS. We do not integrate it with any other tool. Overall, I rate the product an eight out of ten.

When customers onboard a web application and want a WAF to protect it, they ask us to configure AWS WAF for them.

AWS WAF is very easy to use and configure on AWS. It is easy to make rules and very fast to set it up on AWS.

AWS WAF provides only basic protection, and they should provide more features like other third-party competitors. The world is now moving towards managed services. It would be good if the solution provided managed WAF services. If AWS WAF could detect that some attack is about to happen and alert the user, we can write some rules and stop that from happening.

I have been using AWS WAF for five years.

We have never faced any stability issues with AWS WAF.

I rate AWS WAF ten out of ten for stability.

AWS WAF is more suited for small and medium businesses.

I rate AWS WAF a nine out of ten for scalability.

The solution’s initial setup is simple.

AWS WAF has reasonable pricing.

Third-party competitors like F5 and Imperva have more features than AWS WAF.

Overall, I rate AWS WAF a nine out of ten.

For AWS WAF, currently, we use this new application. This is another service provided by AWS for the sales business, and it's used for education. So, AWS WAF works in conjunction with AWS Cognito.  We observe this when there's some kind of bot attempting to access our application or when you're trying to use a bot as a control mechanism to transcribe or manage a high volume of traffic through our endpoints. 

AWS WAF manages both human traffic and bot-controlled traffic, and it can redirect you to a catch-up mechanism or sometimes simply for use. So, we've implemented different kinds of mechanisms within AWS WAF.

We use it in the production environment. From time to time, we can see the metrics for the generated traffic on both the WAF and the infrastructure

These metrics are presented on the dashboard. We review this information and conclude that regular monitoring, along with dashboard evaluations, reaffirms the effectiveness of the system. This allows us to ensure that the investment we're making is justified and worthwhile.

The most valuable feature is that it is very easy to configure. It just takes a couple of minutes. 

There is room for improvement in pricing. 

The pricing for each rule group is a bit too high. It's a monthly subscription, and it can get quite expensive for rules that I won't use for my application. For example, I might create a rule group that costs $10, and I only use one of the rules in the group. That's $10 for a rule that I'm not even using! So, the pricing could be more flexible, or there could be a way to get discounts for unused rules.

So, AWS WAF should have a pay-as-you-go pricing model, where I can only pay for the rules that I use. 

I have been using this solution for three years. 

It is a stable solution to some extent.

For my use cases, it is a scalable solution. There are less than 2,000 end users using this solution in our organization.

I reached out to support when I was setting it up initially, I had some questions. And we have some kind of first-line support with AWS. So I reached out to them whenever I had questions.

However, the support depends on the support we are paying for. The support we are paying for is cheap support. I'm on the standard support plan, so my SLA is four hours. There's a phone queue, so I can't always get through right away. But the support engineers are knowledgeable and can usually point me in the right direction. 

Neutral

The initial setup is fairly easy. AWS does everything for us—just some clicks. 

There is no maintenance required. AWS also upgrades new offerings. AWS does all these things. Like, it does why it's very expensive.  And they give us the metrics.

Just evaluate these simple things you need. And don't try to put too many features at the beginning because you might not need them. Every application is designed differently. 

Every business and customer is also very different, so if your application is more susceptible to some kind of engineering traffic then it's going to be very expensive.

Overall, I would rate the solution an eight out of ten. 

We are using it to monitor the requests on our site, to block sudden surges of users on our website, and also to prevent DDoS attacks.

The addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules.

One area that could be improved is the DDoS protection. We had a DDoS attack recently, and even though we had set a limit of 1,000 requests per five minutes, AWS WAF was not able to block all of the requests.  

AWS wasn't able to clarify all the DDoS attacks. It may have been due to a wrong configuration in the rules, but AWS didn't block all the requests.

It's been deployed in a project for one year.

I would rate the stability a ten out of ten. It is a very stable solution. There are over 16 end users using the solution. 

I would rate the scalability a nine out of ten. There is room for improvement. 

The initial setup is easy. You don't need to do too many things. 

The deployment was done manually on the console, there is no need of propriety.  It took around an hour and half. 

The pricing totally depends on the number of requests entering the WAF. For example, in case we have a DDoS type of attack, at that time, the price will surge quickly. For example, it will go up to two hundred dollars within three to four days. So it totally depends on the number of requests it is processing.

There are additional costs to the standard license because it totally depends on the number of incoming requests.

Overall, I would rate the solution an eight out of ten. 

I would recommend that understanding how the rules work exactly and finding patterns based on those rules is the most important thing in AWS WAF. It's quite easy to deploy at first, but afterward, it's essential to know how to handle it properly. Enabling the managed tools of AWS can sometimes block legitimate requests too. So, it's important to understand the type of requests you want to allow and how to configure the rules accordingly. It's quite an interesting aspect of AWS WAF.

We partner with many banks in India, and many partners use our portals to access their credit card or debit card information. So we use AWS WAF to protect our web application servers, app servers, and API servers from any malicious attacks which arise from the public internet. We also use AWS WAF for virtual patching of our servers to prevent any malicious requests from reaching the gateway to our internal systems.

I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through. 

It would be better if AWS WAF were more flexible. For example, if you take a third-party WAF like Imperva, they maintain the rule set, and these rule sets are constantly updated. They push security insights or new rules into the firewall. However, when it comes to AWS, it has a standard set of rules, and only those sets of rules in the application firewalls trigger alerts, block, and manage traffic.

Alternative WAFs have something like bot mitigation or bot control within the WAF, but you don't have such things in AWS WAF. I will say there could have been better bot mitigation plans, there could have been better dealer mitigation plans, and there could be better-updated rule sets for every security issue which arises in web applications.

In the next release, I would like to see if AWS WAF could take on DDoS protection within itself rather than being in a stand-alone solution like AWS Shield. I would also like a solution like a bot mitigation.

I have been using AWS WAF for a couple of years.

We haven't faced any issues over the past couple of years, so I believe AWS WAF is a stable product.

Since we are AWS-native, it's very scalable. It can handle almost any infrastructure running within the AWS public cloud. We have around 20 portals, and about 20 products usually use AWS WAF. I'll say that about 15 people use AWS WAF to manage the traffic and filter out security issues. Those people are security analysts, SOC analysts, and layer 1 network analysts.

In our business use case, sometimes it has triggered a false positive where it blocks some of our legitimate traffic. So we contact support to ask if this is legitimate and if we have to implement a new rule or if we have to allow such traffic and not mark it as a false positive. We have contacted them only for such occasions, and their support was really good.

On a scale from one to five, I would give technical support a four.

Positive

The initial setup was very simple. It's just a click of a button.

We already have web applications running on an AWS account, so it probably took about two minutes to implement this solution.

For our infrastructure, we probably pay around $16,000 per month for AWS WAF. Because alternative WAF solutions provide even more features, I think the AWS WAF is a bit pricey

I would say that I think it's easy to use, easy to deploy, and has all the basic WAF features. It has no advanced features like bot mitigation or DDoS protection built-in. If it had bot mitigation or advanced security filter patching features, I would probably give it a higher rating, like a nine.

On a scale from one to ten, I would give AWS WAF a seven.