AWS WAF Reviews

We are using it to monitor the requests on our site, to block sudden surges of users on our website, and also to prevent DDoS attacks.

The addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules.

One area that could be improved is the DDoS protection. We had a DDoS attack recently, and even though we had set a limit of 1,000 requests per five minutes, AWS WAF was not able to block all of the requests.  

AWS wasn't able to clarify all the DDoS attacks. It may have been due to a wrong configuration in the rules, but AWS didn't block all the requests.

It's been deployed in a project for one year.

I would rate the stability a ten out of ten. It is a very stable solution. There are over 16 end users using the solution. 

I would rate the scalability a nine out of ten. There is room for improvement. 

The initial setup is easy. You don't need to do too many things. 

The deployment was done manually on the console, there is no need of propriety.  It took around an hour and half. 

The pricing totally depends on the number of requests entering the WAF. For example, in case we have a DDoS type of attack, at that time, the price will surge quickly. For example, it will go up to two hundred dollars within three to four days. So it totally depends on the number of requests it is processing.

There are additional costs to the standard license because it totally depends on the number of incoming requests.

Overall, I would rate the solution an eight out of ten. 

I would recommend that understanding how the rules work exactly and finding patterns based on those rules is the most important thing in AWS WAF. It's quite easy to deploy at first, but afterward, it's essential to know how to handle it properly. Enabling the managed tools of AWS can sometimes block legitimate requests too. So, it's important to understand the type of requests you want to allow and how to configure the rules accordingly. It's quite an interesting aspect of AWS WAF.

We faced many potential threats, such as hackers flooding in the requests, so we started using AWS WAF to block those IPs and stop those attacks. If multiple IPs are trying to attack our product, we'll also use AWS WAF by selecting the endpoints the hackers were attacking and then blocking those endpoints. Our cybersecurity team primarily uses AWS WAF.

What I like best about AWS WAF is that it's a simple tool, so I could understand the basics of AWS WAF in two to three hours. From the start, I know its purpose and its use case.

AWS WAF also has documentation. It's a user-friendly tool, and it's easy to know how to block the IPs and endpoints.

AWS WAF would be better if it uses AI or machine learning to detect a potential attack or a potential IP that creates an attack even before it happens. I want AWS WAF to capture the IP and automatically write the rule to automate the entire process. I want an AI feature in AWS WAF in the future.

I only saw how AWS WAF works for seven months when the cybersecurity team used it, so my knowledge of the tool is basic. I'm not an expert on AWS WAF.

AWS WAF is a stable product.

I have yet to contact the AWS WAF technical support.

As the company is an Amazon customer, the company looked into what other Amazon services could prevent the attack and came across AWS WAF when the attack happened. The tool was also easy to use and could prevent attacks and safeguard the company's product, so the company decided to use AWS WAF.

The initial setup for AWS WAF was simple. It was a basic setup process, though I have no idea about deployment time.

AWS WAF costs $5 monthly plus $1 for the rule. It's cheap, cost-wise. It's worth the money.

AWS WAF has three users within the company.

If I were to advise you on using AWS WAF, I'd tell you first to understand how the attack is happening. For example, is it a single server attack or multiple servers or regions? It would be best to find out which target is being attacked. You need to know the basics before using AWS WAF. You also need to know the rules. You need to understand how to secure your endpoints. Users should have a basic understanding of AWS WAF and its purposes before using it. You need basic cybersecurity knowledge.

I'm new to cybersecurity, so AWS WAF is the first cybersecurity product I used and based on my experience and usage, it's a ten out of ten. AWS WAF is a user-friendly, on-point tool, and I could understand it easily.

My company is an Amazon customer.

It's more of an application security tool that we use to secure applications. 

AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice.

It's pretty much an AWS native service, so it's something that they improve year after year. They do continuous improvements on a year-by-year basis, so the product is really good. An improvement area would be that it's more of a manual effort when you have to enable rules. That's one of the downsides. If that can be done in an automated way, it would be great. That's a lagging feature currently.

It could also support multi-cloud integration where you can integrate with applications other than AWS applications. It would be a good feature or use case for this solution.

I've been using this solution for almost three to four years.

It's stable. I'd rate it an eight out of ten in terms of stability.

It's scalable. We probably have more than a hundred users. It's pretty much being used by everyone, such as engineers, managers, etc. Everyone is into it.

We get good support. I'd rate them a nine out of ten.

Positive

We didn't use any similar solution previously. In the future, we might use another solution, but for now, we are more into AWS WAF.

It's neither complex nor simple. It's somewhere in the middle. I'd rate it a six out of ten in terms of the ease of the setup.

It's a cloud solution, and we have a multi-cloud scenario. We are pretty much using all four clouds: Amazon, Azure, AWS, and Oracle. It's a mix-and-match or hybrid.

In terms of maintenance, there would be a team of engineers to maintain it.

Its price is fair. There is a very fair amount that they charge.

It has a pay-as-you-go model, so it pretty much depends on how much a user uses it. As per the cloud norms, the more you use, the more you pay. I would rate it a five out of ten in terms of pricing.

Overall, I'd rate it a seven out of ten because it's not automated and it's a bit complicated to implement or deploy the solution.

We partner with many banks in India, and many partners use our portals to access their credit card or debit card information. So we use AWS WAF to protect our web application servers, app servers, and API servers from any malicious attacks which arise from the public internet. We also use AWS WAF for virtual patching of our servers to prevent any malicious requests from reaching the gateway to our internal systems.

I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through. 

It would be better if AWS WAF were more flexible. For example, if you take a third-party WAF like Imperva, they maintain the rule set, and these rule sets are constantly updated. They push security insights or new rules into the firewall. However, when it comes to AWS, it has a standard set of rules, and only those sets of rules in the application firewalls trigger alerts, block, and manage traffic.

Alternative WAFs have something like bot mitigation or bot control within the WAF, but you don't have such things in AWS WAF. I will say there could have been better bot mitigation plans, there could have been better dealer mitigation plans, and there could be better-updated rule sets for every security issue which arises in web applications.

In the next release, I would like to see if AWS WAF could take on DDoS protection within itself rather than being in a stand-alone solution like AWS Shield. I would also like a solution like a bot mitigation.

I have been using AWS WAF for a couple of years.

We haven't faced any issues over the past couple of years, so I believe AWS WAF is a stable product.

Since we are AWS-native, it's very scalable. It can handle almost any infrastructure running within the AWS public cloud. We have around 20 portals, and about 20 products usually use AWS WAF. I'll say that about 15 people use AWS WAF to manage the traffic and filter out security issues. Those people are security analysts, SOC analysts, and layer 1 network analysts.

In our business use case, sometimes it has triggered a false positive where it blocks some of our legitimate traffic. So we contact support to ask if this is legitimate and if we have to implement a new rule or if we have to allow such traffic and not mark it as a false positive. We have contacted them only for such occasions, and their support was really good.

On a scale from one to five, I would give technical support a four.

Positive

The initial setup was very simple. It's just a click of a button.

We already have web applications running on an AWS account, so it probably took about two minutes to implement this solution.

For our infrastructure, we probably pay around $16,000 per month for AWS WAF. Because alternative WAF solutions provide even more features, I think the AWS WAF is a bit pricey

I would say that I think it's easy to use, easy to deploy, and has all the basic WAF features. It has no advanced features like bot mitigation or DDoS protection built-in. If it had bot mitigation or advanced security filter patching features, I would probably give it a higher rating, like a nine.

On a scale from one to ten, I would give AWS WAF a seven.

We primarily use the solution for load balancing. 

We have some microsites exposed through the AWS cloud. These are some sort of pilot and we are using WAF to learn how this new product fits with us, and are mostly in the testing phase with a limited impact application. We are obviously not migrating core applications or those which have a significant impact on availability or on integrity and confidentiality. Mostly we have it on microsites where we don't see a significant risk, and it is more of a learning exercise for us.

The most important aspect for us is that AWS WAF is easy to deploy. The ease of implementation, ease of management, and flexibility are great. We like the potential for pay as you grow as you have instant deployment, infrastructure as a code, or any other automation tools that can leverage these deployments. The most important thing for us is that it stays flexible and scalable. That is true not only with WAF but with all the cloud services where you can provision any product in minutes. 

With the cloud, you have these integrated tools that provide a single glass pane. 

You have automation, ease of export, or ease of seeing the logs and exporting to a SIEM; these aspects are also great. The agility is great for us in terms of cloud services in general.

Usually, if we're talking about standard WAF, this is easy to deploy and is good at protecting low to medium applications.

As of now, regarding WAF, I'm not sure what the minuses or pluses are. You have the native WAF, which you can deploy directly on the load balancer. However, you also have that store where you can actually deploy some other vendors' specifics. At this point, feature-wise, I don't see anything lacking, more or less. Obviously, if we want to migrate, which is not yet the case, there might be a significant impact.

For uniformity, AWS has a well-accepted framework. However, it'll be better for us if we could have some more documented guidelines on how the specific business should be structured and the roles that the cloud recommends. If every company is building its own framework based on their experience or their past experience, this might be subjective, and it'll end up with each company having its own framework, which can be good. However, it'll be better to have a standardized baseline that every company could build on. 

We've been using the solution for more than a year at this point. 

You have multiple availability zones and regions. The availability or durability is not something that we need to concern ourselves with very much here. Regarding the availability, I don't think this is something that the average company could match. They have a lot of availability zones, redundancy, and all the other things like that.

It's scalable. Mostly, what I would look into is having cloud resiliency in the sense that we want multiple vendors, so if something happens with AWS, you'll need some sort of strategy and you'll need some other vendor to provide you with similar services. 

We have a number of users per application. It's hard to quantify how many users are on the solution in general. 

For us, it's a bit of a different model where we have services provided by one central team or central entity. The others will have some sort of hub and spoke with the central entity providing or re-providing services to the other network units. The relationship with AWS is maintained by our central unit, and we somehow take services from the central unit and customize them per our needs. However, if we have some issues, this will be raised by the group. Issues may be resolved by AWS or an SME that works with us. 

In terms of the initial setup, from what I heard, it initially being a new technology, you want to deploy it in a correct manner. Therefore, it will need more diligence in the first deployment as security is not something you can learn and adjust. You need to make it right from day one in order to avoid breaches. However, after that, with infrastructure as a code and the automatic deployment, it's easier. You just create your setup, and you use the rules and go. You have network access to a security group, which provides you with very general filtering for problematic traffic. 

From my experience, the cloud provides everything we need; however, we still lack the knowledge and framework in terms of who is doing what, et cetera.

It's quite different between on-premise and cloud. In the cloud, DevOps is doing a lot of things. On-premise, you have someone from infrastructure, someone installing the OS, and someone doing the vulnerability and patch management.

Depending on how you deploy, the activities need to be revised. You need to have this framework to work in the cloud, and it's more of a challenge in company philosophy rather than technical capabilities. Companies can find it challenging to migrate to new tools. Sometimes existing teams need to be re-educated. 

We have multiple applications, so usually, it takes a while to refine the framework with the responsibility inside the company. It's to be optimized. However, in terms of actual deployment, security-wise, it takes some time to do the security checks, including the scanning and vulnerability asset inventory. It might take two or three months per application.

I definitely recommend not only AWS. I also recommend Azure as an option. We have the integration with Office and the entire portfolio. The cloud, in general, it's a new thing to consider. For example, you have this GDPR with data in Europe. However, in the case of most of the clouds, you can select your regions and you have some control. 

I'd rate the solution nine out of ten. 

There are a huge amount of products. I'm not saying it's a bad or a good thing. However, it can be quite confusing. There are VPC, EC2, and other instances, and there are a lot of other services that you can use like Macie, where you can filter sensitive information. There are a lot of tools that require hands-on and new capabilities. For me, being at the beginning of this journey for cloud migration, I've been mostly quite happy with the results.

The primary use case for AWS WAF involves securing applications for our customers, who are mainly software developers. Their application is positioned behind the firewall.

DDoS attacks are being blocked by AWS WAF, which is something some of my customers really need as they are targeted quite often.

The most valuable feature of AWS WAF is the OWASP filtering rules. They filter a lot of attacks out. Moreover, the service includes DDoS protection.

Rule exclusion could be a bit more transparent. However, it works great overall.

I have been working with AWS WAF for two years now.

AWS WAF is stable. I have no complaints regarding its stability.

It is easy to scale up AWS WAF. I would rate it an eight out of ten on the scale of scalability.

I have never needed customer support for AWS WAF.

Positive

The old team I worked at is still using Enable Insight remote monitoring, but personally, I am now using Datadog.

AWS WAF is easy to connect, and I would rate the overall setup process as a seven since it's still a lot of work.

I manage the AWS WAF for my clients and am responsible for the implementation.

The return on investment is difficult to determine. When a successful hack attempt is stopped, the investment is already returned.

The customers think AWS WAF is expensive. Compared to hardware solutions, it is slightly more expensive, but it includes extra services. Personally, I find it fairly priced.

I did not explicitly evaluate any alternate solutions for AWS WAF.

If security is an issue and you want to be secure, you should use AWS WAF.

I'd rate the solution eight out of ten.

We use the solution to secure our public web server and run our document management process. We have service-oriented web servers and interactive web servers.

Custom rules are valuable to us. We have country-specific rules that we apply. The solution meets all our requirements. We never had a problem with the tool. The interface is good. We never had downtime. The solution does its job.

The price could be improved.

I have been using the solution for more than two years.

The tool is highly stable.

The tool is highly scalable. Almost all AWS products are highly scalable. I am the only user in my organization. The solution is running regularly. We check the logs whenever we have some issues. We do not include it in our security management system. It's a very small application. We use it to manage some documents.

The initial setup is easy. The deployment took an hour. The setup and maintenance is easy. We do not face any issues with configuration.

We deployed the solution in-house.

The solution is reasonably priced.

We never had DDoS attacks. We do not check logs deeply. The service is a very small portion of our application server. It is not a business-critical service. We check logs only when we have any performance or connectivity issues. Overall, I rate the product a nine out of ten.

We use the solution for publishing important applications. These sites are accessed by hundred to one million users every day.

We do not have to maintain the solution. Amazon maintains the product.

We have a lot of issues related to attacks on our cloud. There is a limitation on how to mitigate the issues in the solution. The product should improve the DDoS-related features.

The solution should provide an advanced tool for DDoS migration and a better reporting method. Compared to other solutions, we do not get all the information we need for reporting.

I am dealing with the solution right now.

The solution is stable. It does not depend on the data centre or browser consumption.

The product has high scalability. I can increase the resources without any effort.

The support team is very helpful.

Positive

The initial setup is too simple on the AWS. It is not complex at all. If we take certain courses and view a lot of videos on how to implement the solution, it is very easy. Support helps us with the deployment.

Our teams do not manage the product. The deployment process includes adding a new customer, reserving their information on the cloud, creating the nodes, publishing the service and testing it on the old security aspects. Then, the solution is deployed on the cloud. 

The time taken for deployment depends on the customer's requirements. Usually, there is a delay due to missing information from the customers. One or two engineers can handle the deployment. We do not need a big team for it.

We have decided to use Cloudflare to integrate with AWS, and most of our issues have been resolved. I would recommend the solution. However, it depends on the customer’s data confidentiality. If there are confidential data on the servers, they should not be on the cloud. They can use the cloud solution if the data is normal and not critical. Overall, I rate the product a seven out of ten.