AWS WAF Reviews

My usual use case involves monitoring incoming calls and services deployed in AWS cloud. Security and privacy are primary concerns, so we use AWS WAF to monitor and ensure that only appropriate calls are allowed. AWS Shield is also used to protect against DDoS attacks, but I'm using the basic free version due to budget constraints.

AWS WAF has helped to improve the security of our products by filtering web app traffic and specifying conditions such as IP addresses and HTTP headers. These features, along with others, have enhanced the overall security and effectiveness of our applications. The integration with IAM restricts access to the server, providing additional security.

One of the most valuable features of AWS WAF is its ability to filter web app traffic, allowing us to specify conditions such as IP addresses and HTTP headers. We can create rules accordingly to prevent attacks, like SQL injection and cross-site scripting. AWS WAF, combined with firewall manager, enhances security by allowing us to specify security rules. Custom rules are useful for allowing access to specific traffic, and AWS WAF handles false positives by limiting requests from certain IPs or setting geographic match conditions.

I find the documentation somewhat complex to implement during the initial stages. If it were made simpler and more user-friendly, with the right examples provided, it would be more helpful.

I have been working with AWS WAF for almost six years.

AWS WAF provides a stable environment by preventing unknown attacks, allowing us to deploy services securely. I rate the stability as nine out of ten. It ensures that our applications run without security concerns.

I rate the scalability of AWS WAF as a seven out of ten. It adapts well to our needs and serves its purpose effectively.

The customer service and support from AWS are excellent. I rate them ten out of ten. My interactions have been positive, with prompt responses to issues like quota requests and additional resource allocations.

Positive

Before AWS WAF, we used Azure but did not deploy these specific solutions on it. We migrated to AWS to fully utilize their security features.

The initial setup was complex, with a steep learning curve related to rules and implementation. I would rate the initial setup experience as a six out of ten, as it took substantial time to get everything functioning smoothly.

We managed the deployment process internally without needing external assistance. Our team uses automated deployment strategies via GitLab, which automates deployment across various environments.

Using solutions deployed in AWS cloud enhances customer satisfaction since AWS is a well-known and widely accessible cloud service provider.

The pricing is reasonable when using free credits; otherwise, it would be rated a six in terms of cost.

I did not evaluate other options extensively as AWS WAF with Firewall Manager seemed to offer the best security strategy.

Properly go through the documentation and reference examples. Understand your use cases and apply the correct rules for the solution. AWS support can assist with setup and implementation. 

I rate the overall solution as nine out of ten.

We use Managed Rules mostly.

ALB is integrated with WAF. When ALB spikes up, we know there’s something wrong. Usually, bots attack the applications.

Rule groups are valuable. We use it for DDoS. We do customizations with the help of Managed Rules in AWS. We use AWS WAF’s API to automate security tasks. The rule creation is similar to automation. We have enough understanding of how things work. It’s been one year since we have automated the tasks.

There are some limitations. We can add a maximum of four rate-based rules to the rule group. We must monitor and clean up the WAF manually. We cannot create rules if it goes above four. It requires manual intervention. We have to check, clean, and maintain it regularly. We do not want to do it. We are willing to pay extra if it can be improved. We need additional features so we do not have to do manual interventions.

I have been using the solution for three years.

We do not have any problems with the tool’s functionalities.

We are very happy about the product’s scalability. We did not face any issues. My organization is an enterprise.

We have a partnership. We can contact the consultants whenever we need anything. We don't have any problem with the support team.

Positive

The installation was not difficult. We have a separate team to deploy the solution in our organization. We do not face any issues with maintenance.

All our infrastructure is on AWS. My organization has been using AWS for the last eight years. Mid-size companies use ALB. We also use AWS Shield. Sometimes, we get alerts from AWS Shield. Our internal tools also send us alerts. We're completely on AWS. We do not integrate it with any other tool. Overall, I rate the product an eight out of ten.

We use AWS WAF to protect our application from different kinds of attacks. We use AWS WAF for retail customers.

Our retail application is vulnerable to a lot of bot attacks. AWS WAF helps mitigate different kinds of bot attacks and SQL injection that happen within the retail industry.

The solution's pricing could be improved. You cannot add multiple rules within AWS WAF's CPU.

I have been using AWS WAF for more than three years.

Since AWS manages the solution, it is fairly stable.

I rate AWS WAF a nine out of ten for stability.

AWS WAF is a scalable solution.

I rate AWS WAF an eight out of ten for scalability.

I am satisfied with the solution’s technical support.

Positive

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

The solution's deployment takes a few minutes.

There is no licensing at all. We have to pay for it as we use it.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven or eight out of ten.

Integrating AWS WAF with other AWS services in our infrastructure is fairly easy. There are different tools through which we can do it.

AWS WAF is a fairly easy solution. Users need to build a few rules by themselves based on the vulnerability attack within the application.

Overall, I rate the solution a nine out of ten.

If I have hosted your web applications or web services on AWS, and if you need a segregation in terms of different aspects, like at a country level or area level, especially when your website is not reachable for a particular country or a particular area, then you need to implement WAF on top of the public network. If WAF actually works on top of the network to manage each request at a global level, WAF is the first layer that handles the internet's every request, and depending on your choice, you can either accept or deny such requests.

Currently, most organizations face security challenges, and with the rise in hacking in every sector, like healthcare, IT, manufacturing, or infrastructure sector that we're talking about. You have to at least implement WAF on top of your network as well as the local network so that it filters every network traffic that comes in from any country. In our company, Fortinet WAF is what we use on top of the network as an anonymous network, and within the network, we use F5.

Due to security concerns or reasons, I recommend others to use AWS WAF and control the requests from multiple countries from a hacking point of view.

The area of reporting in the product needs to have a proper format. If you want to find the event log for an event and IP address from another country, there is a need to do some rework after the reporting part is taken care of so that the management can easily read the reports. A technical person in the organization can always understand where a particular network traffic comes in or where traffic is blocked with the help of WAF, but those in the management department would never understand the concepts that a technical person can understand. The reporting part of AWS WAF needs to be improved.

I have been using AWS WAF for five years.

It is a stable solution. Stability-wise, I rate the solution a ten out of ten.

It is an easily scalable solution. Scalability-wise, I rate the solution a ten out of ten.

More than 2,000 to 2,500 employees in my company use the solution.

The solution's technical support's response time and quality are very good. I rate the technical support a ten out of ten.

Positive

The product's initial setup phase was very simple.

The solution is deployed on the hybrid cloud model.

The product is deployed in a virtual environment and not in a physical one.

I rate the product price a five on a scale of one to ten, where one is high price, and ten is low price. I recommend people check for the services that run in the AWS WAF account. Each service that uses AWS will need the user to pay for some costs. Most of the people who use the solution are not able to understand the number of services that are running in the product. Even though there is a feature to help understand top-level management, people fail to figure out the number of services that are running in the product.

Compared to AWS WAF, Fortinet is easy to use and deploy. From a technical point of view, Fortinet is easy to implement and handle. I recommend Fortinet over AWS WAF to others.

I recommend Fortinet, as it is one of the best products, be it the virtual firewalls or the on-premises setup. If one wants to look for the on-premises setup, one must buy the hardware box.

I rate the overall tool a ten out of ten.

We use the product to protect the environment from DDoS and SQL injection attacks. We implement WAF in the public site.

WAF filters based on IPs. If hackers try to insert bugs, the tool blocks it.

Google uses an AI tool to provide insights about rules. It will be helpful if the product recommends rules that we can implement.

I have been using the solution for six years.

The tool is stable.

AWS takes care of the product's scalability, security, and performance. We do not have to maintain it.

Google’s console is minimalistic. It provides AI tools that help us create rules.

The deployment is very easy. It takes around five minutes. WAF plays an important role in the network. We need to implement WAF in the first level of security. We can implement it with the help of a console. We need one person to deploy the tool.

We pay $0.8 per hour. The product’s pricing is reasonable.

When we faced a DDoS attack before, we were not able to find the logs to identify the source of the attack. People who want to use the solution must have a basic knowledge about different attacks. Using the solution is easier if we know how the attacks happen. Overall, I rate the product a ten out of ten.

The solution protects my customers’ web applications hosted in AWS.

The ease of deployment of the product is valuable to me. AWS WAF might be one of the easiest WAFs that can be deployed. The only constraint is that our application must be running in AWS.

The default content policy available in the tool is not very strong compared to the competitors. Most of the WAFs will have a default set of policies and rules that we need to enable, which will satisfy our requirements. However, for AWS, we must put some time and effort into creating our content policy to get optimal protection.

I have been providing the solution for a year or more.

The product is stable. I have no complaints. I rate the stability a nine out of ten.

The product is scalable. I rate the scalability a nine out of ten.

The technical support is good. I have no complaints. The support team is fast, knowledgeable, and customer-friendly.

Positive

The initial setup is straightforward. It takes merely half an hour or less to deploy the solution. The solution is deployed on the cloud.

Whether we need a consultant to help with the deployment depends on our knowledge of the cloud platform and our applications. It is a complex solution. We can do it ourselves if we know about WAFs, rule sets, and deployments. It is not a solution for a novice or someone unfamiliar with the security and application firewall. Such people might need the help of an administrator or consultant. We deployed the solution ourselves.

Depending on how our AWS billing is configured, we are billed on a monthly or yearly billing cycle. The product is moderately priced. It is not too cheap but not too high either. There are no additional costs associated with the product.

I would recommend the solution to others. If a web application is completely hosted in AWS, then AWS WAF is a good choice. We can easily adopt it. Overall, I rate the solution a seven out of ten.

When customers onboard a web application and want a WAF to protect it, they ask us to configure AWS WAF for them.

AWS WAF is very easy to use and configure on AWS. It is easy to make rules and very fast to set it up on AWS.

AWS WAF provides only basic protection, and they should provide more features like other third-party competitors. The world is now moving towards managed services. It would be good if the solution provided managed WAF services. If AWS WAF could detect that some attack is about to happen and alert the user, we can write some rules and stop that from happening.

I have been using AWS WAF for five years.

We have never faced any stability issues with AWS WAF.

I rate AWS WAF ten out of ten for stability.

AWS WAF is more suited for small and medium businesses.

I rate AWS WAF a nine out of ten for scalability.

The solution’s initial setup is simple.

AWS WAF has reasonable pricing.

Third-party competitors like F5 and Imperva have more features than AWS WAF.

Overall, I rate AWS WAF a nine out of ten.

For AWS WAF, currently, we use this new application. This is another service provided by AWS for the sales business, and it's used for education. So, AWS WAF works in conjunction with AWS Cognito.  We observe this when there's some kind of bot attempting to access our application or when you're trying to use a bot as a control mechanism to transcribe or manage a high volume of traffic through our endpoints. 

AWS WAF manages both human traffic and bot-controlled traffic, and it can redirect you to a catch-up mechanism or sometimes simply for use. So, we've implemented different kinds of mechanisms within AWS WAF.

We use it in the production environment. From time to time, we can see the metrics for the generated traffic on both the WAF and the infrastructure

These metrics are presented on the dashboard. We review this information and conclude that regular monitoring, along with dashboard evaluations, reaffirms the effectiveness of the system. This allows us to ensure that the investment we're making is justified and worthwhile.

The most valuable feature is that it is very easy to configure. It just takes a couple of minutes. 

There is room for improvement in pricing. 

The pricing for each rule group is a bit too high. It's a monthly subscription, and it can get quite expensive for rules that I won't use for my application. For example, I might create a rule group that costs $10, and I only use one of the rules in the group. That's $10 for a rule that I'm not even using! So, the pricing could be more flexible, or there could be a way to get discounts for unused rules.

So, AWS WAF should have a pay-as-you-go pricing model, where I can only pay for the rules that I use. 

I have been using this solution for three years. 

It is a stable solution to some extent.

For my use cases, it is a scalable solution. There are less than 2,000 end users using this solution in our organization.

I reached out to support when I was setting it up initially, I had some questions. And we have some kind of first-line support with AWS. So I reached out to them whenever I had questions.

However, the support depends on the support we are paying for. The support we are paying for is cheap support. I'm on the standard support plan, so my SLA is four hours. There's a phone queue, so I can't always get through right away. But the support engineers are knowledgeable and can usually point me in the right direction. 

Neutral

The initial setup is fairly easy. AWS does everything for us—just some clicks. 

There is no maintenance required. AWS also upgrades new offerings. AWS does all these things. Like, it does why it's very expensive.  And they give us the metrics.

Just evaluate these simple things you need. And don't try to put too many features at the beginning because you might not need them. Every application is designed differently. 

Every business and customer is also very different, so if your application is more susceptible to some kind of engineering traffic then it's going to be very expensive.

Overall, I would rate the solution an eight out of ten.