AWS WAF Reviews

AWS WAF is primarily used to prevent intrusion into web applications. You can also use it to protect virtual machines within the AWS cloud. The main process involves creating rules to block common threats like SQL injection and cross-site scripting. These rules can be selected from built-in options. After configuring the firewall settings, you create a target group and attach your web application to it. The firewall filters incoming traffic based on the selected rules, blocking any suspicious activity.

The most valuable feature of AWS WAF is its highly configurable rules system. You can set up rules based on specific criteria like SQL injection, general web threats, and even advanced features like DDoS protection and region-based blocking. The richness of available rules, including options for custom rule configurations from third-party partners, enhances its effectiveness.

One area for improvement in AWS WAF could be the limitation on the number of rules, particularly those from third-party sources, within the free tier. Users may face budget constraints when trying to implement additional rules beyond the free tier limit.

AWS WAF is stable, but I haven't tested it extensively with high request volumes.

In our IT organization, the usage of AWS varies by project, with approximately 50-60% of projects using AWS or Cloudflare. For our internal websites like BroadWorks.com, we use Cloudflare, while for client projects, about 60-70% make use of AWS WAF.

Setting up AWS WAF for initial installation was relatively straightforward, even for someone without extensive DevOps experience like myself. While it wasn't overly complex, it also wasn't overly simple. With the help of AWS documentation and resources, I was able to complete the setup within two to three days.

Whether AWS WAF is worth the monthly investment of $50 to $60 depends on your budget and preferences. While AWS WAF offers robust features, there are also free tools available like ModSecurity that require more configuration but can still provide adequate protection.

While AWS is a top choice, Cloudflare is also considered for smaller projects due to pricing. Overall, AWS WAF offers reasonable features compared to competitors like Cloudflare, GCP, and Azure.

Before using AWS WAF for the first time, it is important to consider where your infrastructure is hosted and where you want to implement the firewall. If you are already on AWS, AWS WAF would naturally be a suitable choice. Determine the level of security required based on your application's domain, such as financial applications needing more stringent security measures. Select appropriate rules for your use case, considering both conventional web rules and AWS Shield for critical applications. Additionally, after setting up AWS WAF, conduct thorough testing using vulnerability scanners like ThoughtSpot, Acunetix, or Nessus to ensure the effectiveness of your setup.

For beginners with around six months to a year of AWS experience, learning to use AWS WAF shouldn't be too difficult. However, integrating it with web applications across different cloud platforms might pose some challenges. Overall, experienced AWS users should find it manageable, while beginners may need some time to get used to it.

Overall, I would rate AWS WAF as a seven out of ten.

My usual use case involves monitoring incoming calls and services deployed in AWS cloud. Security and privacy are primary concerns, so we use AWS WAF to monitor and ensure that only appropriate calls are allowed. AWS Shield is also used to protect against DDoS attacks, but I'm using the basic free version due to budget constraints.

AWS WAF has helped to improve the security of our products by filtering web app traffic and specifying conditions such as IP addresses and HTTP headers. These features, along with others, have enhanced the overall security and effectiveness of our applications. The integration with IAM restricts access to the server, providing additional security.

One of the most valuable features of AWS WAF is its ability to filter web app traffic, allowing us to specify conditions such as IP addresses and HTTP headers. We can create rules accordingly to prevent attacks, like SQL injection and cross-site scripting. AWS WAF, combined with firewall manager, enhances security by allowing us to specify security rules. Custom rules are useful for allowing access to specific traffic, and AWS WAF handles false positives by limiting requests from certain IPs or setting geographic match conditions.

I find the documentation somewhat complex to implement during the initial stages. If it were made simpler and more user-friendly, with the right examples provided, it would be more helpful.

I have been working with AWS WAF for almost six years.

AWS WAF provides a stable environment by preventing unknown attacks, allowing us to deploy services securely. I rate the stability as nine out of ten. It ensures that our applications run without security concerns.

I rate the scalability of AWS WAF as a seven out of ten. It adapts well to our needs and serves its purpose effectively.

The customer service and support from AWS are excellent. I rate them ten out of ten. My interactions have been positive, with prompt responses to issues like quota requests and additional resource allocations.

Positive

Before AWS WAF, we used Azure but did not deploy these specific solutions on it. We migrated to AWS to fully utilize their security features.

The initial setup was complex, with a steep learning curve related to rules and implementation. I would rate the initial setup experience as a six out of ten, as it took substantial time to get everything functioning smoothly.

We managed the deployment process internally without needing external assistance. Our team uses automated deployment strategies via GitLab, which automates deployment across various environments.

Using solutions deployed in AWS cloud enhances customer satisfaction since AWS is a well-known and widely accessible cloud service provider.

The pricing is reasonable when using free credits; otherwise, it would be rated a six in terms of cost.

I did not evaluate other options extensively as AWS WAF with Firewall Manager seemed to offer the best security strategy.

Properly go through the documentation and reference examples. Understand your use cases and apply the correct rules for the solution. AWS support can assist with setup and implementation. 

I rate the overall solution as nine out of ten.

We use Managed Rules mostly.

ALB is integrated with WAF. When ALB spikes up, we know there’s something wrong. Usually, bots attack the applications.

Rule groups are valuable. We use it for DDoS. We do customizations with the help of Managed Rules in AWS. We use AWS WAF’s API to automate security tasks. The rule creation is similar to automation. We have enough understanding of how things work. It’s been one year since we have automated the tasks.

There are some limitations. We can add a maximum of four rate-based rules to the rule group. We must monitor and clean up the WAF manually. We cannot create rules if it goes above four. It requires manual intervention. We have to check, clean, and maintain it regularly. We do not want to do it. We are willing to pay extra if it can be improved. We need additional features so we do not have to do manual interventions.

I have been using the solution for three years.

We do not have any problems with the tool’s functionalities.

We are very happy about the product’s scalability. We did not face any issues. My organization is an enterprise.

We have a partnership. We can contact the consultants whenever we need anything. We don't have any problem with the support team.

Positive

The installation was not difficult. We have a separate team to deploy the solution in our organization. We do not face any issues with maintenance.

All our infrastructure is on AWS. My organization has been using AWS for the last eight years. Mid-size companies use ALB. We also use AWS Shield. Sometimes, we get alerts from AWS Shield. Our internal tools also send us alerts. We're completely on AWS. We do not integrate it with any other tool. Overall, I rate the product an eight out of ten.

If I have hosted your web applications or web services on AWS, and if you need a segregation in terms of different aspects, like at a country level or area level, especially when your website is not reachable for a particular country or a particular area, then you need to implement WAF on top of the public network. If WAF actually works on top of the network to manage each request at a global level, WAF is the first layer that handles the internet's every request, and depending on your choice, you can either accept or deny such requests.

Currently, most organizations face security challenges, and with the rise in hacking in every sector, like healthcare, IT, manufacturing, or infrastructure sector that we're talking about. You have to at least implement WAF on top of your network as well as the local network so that it filters every network traffic that comes in from any country. In our company, Fortinet WAF is what we use on top of the network as an anonymous network, and within the network, we use F5.

Due to security concerns or reasons, I recommend others to use AWS WAF and control the requests from multiple countries from a hacking point of view.

The area of reporting in the product needs to have a proper format. If you want to find the event log for an event and IP address from another country, there is a need to do some rework after the reporting part is taken care of so that the management can easily read the reports. A technical person in the organization can always understand where a particular network traffic comes in or where traffic is blocked with the help of WAF, but those in the management department would never understand the concepts that a technical person can understand. The reporting part of AWS WAF needs to be improved.

I have been using AWS WAF for five years.

It is a stable solution. Stability-wise, I rate the solution a ten out of ten.

It is an easily scalable solution. Scalability-wise, I rate the solution a ten out of ten.

More than 2,000 to 2,500 employees in my company use the solution.

The solution's technical support's response time and quality are very good. I rate the technical support a ten out of ten.

Positive

The product's initial setup phase was very simple.

The solution is deployed on the hybrid cloud model.

The product is deployed in a virtual environment and not in a physical one.

I rate the product price a five on a scale of one to ten, where one is high price, and ten is low price. I recommend people check for the services that run in the AWS WAF account. Each service that uses AWS will need the user to pay for some costs. Most of the people who use the solution are not able to understand the number of services that are running in the product. Even though there is a feature to help understand top-level management, people fail to figure out the number of services that are running in the product.

Compared to AWS WAF, Fortinet is easy to use and deploy. From a technical point of view, Fortinet is easy to implement and handle. I recommend Fortinet over AWS WAF to others.

I recommend Fortinet, as it is one of the best products, be it the virtual firewalls or the on-premises setup. If one wants to look for the on-premises setup, one must buy the hardware box.

I rate the overall tool a ten out of ten.

We use the solution to secure our public web server and run our document management process. We have service-oriented web servers and interactive web servers.

Custom rules are valuable to us. We have country-specific rules that we apply. The solution meets all our requirements. We never had a problem with the tool. The interface is good. We never had downtime. The solution does its job.

The price could be improved.

I have been using the solution for more than two years.

The tool is highly stable.

The tool is highly scalable. Almost all AWS products are highly scalable. I am the only user in my organization. The solution is running regularly. We check the logs whenever we have some issues. We do not include it in our security management system. It's a very small application. We use it to manage some documents.

The initial setup is easy. The deployment took an hour. The setup and maintenance is easy. We do not face any issues with configuration.

We deployed the solution in-house.

The solution is reasonably priced.

We never had DDoS attacks. We do not check logs deeply. The service is a very small portion of our application server. It is not a business-critical service. We check logs only when we have any performance or connectivity issues. Overall, I rate the product a nine out of ten.

We use the product to protect the environment from DDoS and SQL injection attacks. We implement WAF in the public site.

WAF filters based on IPs. If hackers try to insert bugs, the tool blocks it.

Google uses an AI tool to provide insights about rules. It will be helpful if the product recommends rules that we can implement.

I have been using the solution for six years.

The tool is stable.

AWS takes care of the product's scalability, security, and performance. We do not have to maintain it.

Google’s console is minimalistic. It provides AI tools that help us create rules.

The deployment is very easy. It takes around five minutes. WAF plays an important role in the network. We need to implement WAF in the first level of security. We can implement it with the help of a console. We need one person to deploy the tool.

We pay $0.8 per hour. The product’s pricing is reasonable.

When we faced a DDoS attack before, we were not able to find the logs to identify the source of the attack. People who want to use the solution must have a basic knowledge about different attacks. Using the solution is easier if we know how the attacks happen. Overall, I rate the product a ten out of ten.

The solution protects my customers’ web applications hosted in AWS.

The ease of deployment of the product is valuable to me. AWS WAF might be one of the easiest WAFs that can be deployed. The only constraint is that our application must be running in AWS.

The default content policy available in the tool is not very strong compared to the competitors. Most of the WAFs will have a default set of policies and rules that we need to enable, which will satisfy our requirements. However, for AWS, we must put some time and effort into creating our content policy to get optimal protection.

I have been providing the solution for a year or more.

The product is stable. I have no complaints. I rate the stability a nine out of ten.

The product is scalable. I rate the scalability a nine out of ten.

The technical support is good. I have no complaints. The support team is fast, knowledgeable, and customer-friendly.

Positive

The initial setup is straightforward. It takes merely half an hour or less to deploy the solution. The solution is deployed on the cloud.

Whether we need a consultant to help with the deployment depends on our knowledge of the cloud platform and our applications. It is a complex solution. We can do it ourselves if we know about WAFs, rule sets, and deployments. It is not a solution for a novice or someone unfamiliar with the security and application firewall. Such people might need the help of an administrator or consultant. We deployed the solution ourselves.

Depending on how our AWS billing is configured, we are billed on a monthly or yearly billing cycle. The product is moderately priced. It is not too cheap but not too high either. There are no additional costs associated with the product.

I would recommend the solution to others. If a web application is completely hosted in AWS, then AWS WAF is a good choice. We can easily adopt it. Overall, I rate the solution a seven out of ten.

When customers onboard a web application and want a WAF to protect it, they ask us to configure AWS WAF for them.

AWS WAF is very easy to use and configure on AWS. It is easy to make rules and very fast to set it up on AWS.

AWS WAF provides only basic protection, and they should provide more features like other third-party competitors. The world is now moving towards managed services. It would be good if the solution provided managed WAF services. If AWS WAF could detect that some attack is about to happen and alert the user, we can write some rules and stop that from happening.

I have been using AWS WAF for five years.

We have never faced any stability issues with AWS WAF.

I rate AWS WAF ten out of ten for stability.

AWS WAF is more suited for small and medium businesses.

I rate AWS WAF a nine out of ten for scalability.

The solution’s initial setup is simple.

AWS WAF has reasonable pricing.

Third-party competitors like F5 and Imperva have more features than AWS WAF.

Overall, I rate AWS WAF a nine out of ten.