AWS WAF Reviews

We are using it to monitor the requests on our site, to block sudden surges of users on our website, and also to prevent DDoS attacks.

The addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules.

One area that could be improved is the DDoS protection. We had a DDoS attack recently, and even though we had set a limit of 1,000 requests per five minutes, AWS WAF was not able to block all of the requests.  

AWS wasn't able to clarify all the DDoS attacks. It may have been due to a wrong configuration in the rules, but AWS didn't block all the requests.

It's been deployed in a project for one year.

I would rate the stability a ten out of ten. It is a very stable solution. There are over 16 end users using the solution. 

I would rate the scalability a nine out of ten. There is room for improvement. 

The initial setup is easy. You don't need to do too many things. 

The deployment was done manually on the console, there is no need of propriety.  It took around an hour and half. 

The pricing totally depends on the number of requests entering the WAF. For example, in case we have a DDoS type of attack, at that time, the price will surge quickly. For example, it will go up to two hundred dollars within three to four days. So it totally depends on the number of requests it is processing.

There are additional costs to the standard license because it totally depends on the number of incoming requests.

Overall, I would rate the solution an eight out of ten. 

I would recommend that understanding how the rules work exactly and finding patterns based on those rules is the most important thing in AWS WAF. It's quite easy to deploy at first, but afterward, it's essential to know how to handle it properly. Enabling the managed tools of AWS can sometimes block legitimate requests too. So, it's important to understand the type of requests you want to allow and how to configure the rules accordingly. It's quite an interesting aspect of AWS WAF.

Our company uses the solution with F5 to secure applications from the injection, the track, and vulnerabilities. 

We use the built-in solution provided by SGO for the web. 

The web solution effectively protects from vulnerabilities and cyber attacks. 

The solution is menu driven and operates with no coding.

It is easy to manage and use the solution. 

The solution should identify why it blocks particular websites. The solution performs high-level blocks but doesn't provide very much detail. For example, a particular IT is blocked due to a vulnerability but we are not able to identify the reason for the block. Our developers or IT staff need to be able to identify vulnerabilities to fix applications. 

We would like output that tracks how many concurrent requests come through a particular application gateway, the response times for requests, and the latency parameters. 

I have been using the solution for two years. 

The solution is very stable so I rate stability a ten out of ten. 

The setup is easy so I rate it a nine out of ten. 

We implemented through a third party and it only took a few minutes. 

The pricing is good and manageable. I rate pricing a ten out of ten. 

I recommend the solution for protecting web applications. 

I rate the solution a ten out of ten. 

We partner with many banks in India, and many partners use our portals to access their credit card or debit card information. So we use AWS WAF to protect our web application servers, app servers, and API servers from any malicious attacks which arise from the public internet. We also use AWS WAF for virtual patching of our servers to prevent any malicious requests from reaching the gateway to our internal systems.

I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through. 

It would be better if AWS WAF were more flexible. For example, if you take a third-party WAF like Imperva, they maintain the rule set, and these rule sets are constantly updated. They push security insights or new rules into the firewall. However, when it comes to AWS, it has a standard set of rules, and only those sets of rules in the application firewalls trigger alerts, block, and manage traffic.

Alternative WAFs have something like bot mitigation or bot control within the WAF, but you don't have such things in AWS WAF. I will say there could have been better bot mitigation plans, there could have been better dealer mitigation plans, and there could be better-updated rule sets for every security issue which arises in web applications.

In the next release, I would like to see if AWS WAF could take on DDoS protection within itself rather than being in a stand-alone solution like AWS Shield. I would also like a solution like a bot mitigation.

I have been using AWS WAF for a couple of years.

We haven't faced any issues over the past couple of years, so I believe AWS WAF is a stable product.

Since we are AWS-native, it's very scalable. It can handle almost any infrastructure running within the AWS public cloud. We have around 20 portals, and about 20 products usually use AWS WAF. I'll say that about 15 people use AWS WAF to manage the traffic and filter out security issues. Those people are security analysts, SOC analysts, and layer 1 network analysts.

In our business use case, sometimes it has triggered a false positive where it blocks some of our legitimate traffic. So we contact support to ask if this is legitimate and if we have to implement a new rule or if we have to allow such traffic and not mark it as a false positive. We have contacted them only for such occasions, and their support was really good.

On a scale from one to five, I would give technical support a four.

Positive

The initial setup was very simple. It's just a click of a button.

We already have web applications running on an AWS account, so it probably took about two minutes to implement this solution.

For our infrastructure, we probably pay around $16,000 per month for AWS WAF. Because alternative WAF solutions provide even more features, I think the AWS WAF is a bit pricey

I would say that I think it's easy to use, easy to deploy, and has all the basic WAF features. It has no advanced features like bot mitigation or DDoS protection built-in. If it had bot mitigation or advanced security filter patching features, I would probably give it a higher rating, like a nine.

On a scale from one to ten, I would give AWS WAF a seven.

We primarily use the solution for load balancing. 

We have some microsites exposed through the AWS cloud. These are some sort of pilot and we are using WAF to learn how this new product fits with us, and are mostly in the testing phase with a limited impact application. We are obviously not migrating core applications or those which have a significant impact on availability or on integrity and confidentiality. Mostly we have it on microsites where we don't see a significant risk, and it is more of a learning exercise for us.

The most important aspect for us is that AWS WAF is easy to deploy. The ease of implementation, ease of management, and flexibility are great. We like the potential for pay as you grow as you have instant deployment, infrastructure as a code, or any other automation tools that can leverage these deployments. The most important thing for us is that it stays flexible and scalable. That is true not only with WAF but with all the cloud services where you can provision any product in minutes. 

With the cloud, you have these integrated tools that provide a single glass pane. 

You have automation, ease of export, or ease of seeing the logs and exporting to a SIEM; these aspects are also great. The agility is great for us in terms of cloud services in general.

Usually, if we're talking about standard WAF, this is easy to deploy and is good at protecting low to medium applications.

As of now, regarding WAF, I'm not sure what the minuses or pluses are. You have the native WAF, which you can deploy directly on the load balancer. However, you also have that store where you can actually deploy some other vendors' specifics. At this point, feature-wise, I don't see anything lacking, more or less. Obviously, if we want to migrate, which is not yet the case, there might be a significant impact.

For uniformity, AWS has a well-accepted framework. However, it'll be better for us if we could have some more documented guidelines on how the specific business should be structured and the roles that the cloud recommends. If every company is building its own framework based on their experience or their past experience, this might be subjective, and it'll end up with each company having its own framework, which can be good. However, it'll be better to have a standardized baseline that every company could build on. 

We've been using the solution for more than a year at this point. 

You have multiple availability zones and regions. The availability or durability is not something that we need to concern ourselves with very much here. Regarding the availability, I don't think this is something that the average company could match. They have a lot of availability zones, redundancy, and all the other things like that.

It's scalable. Mostly, what I would look into is having cloud resiliency in the sense that we want multiple vendors, so if something happens with AWS, you'll need some sort of strategy and you'll need some other vendor to provide you with similar services. 

We have a number of users per application. It's hard to quantify how many users are on the solution in general. 

For us, it's a bit of a different model where we have services provided by one central team or central entity. The others will have some sort of hub and spoke with the central entity providing or re-providing services to the other network units. The relationship with AWS is maintained by our central unit, and we somehow take services from the central unit and customize them per our needs. However, if we have some issues, this will be raised by the group. Issues may be resolved by AWS or an SME that works with us. 

In terms of the initial setup, from what I heard, it initially being a new technology, you want to deploy it in a correct manner. Therefore, it will need more diligence in the first deployment as security is not something you can learn and adjust. You need to make it right from day one in order to avoid breaches. However, after that, with infrastructure as a code and the automatic deployment, it's easier. You just create your setup, and you use the rules and go. You have network access to a security group, which provides you with very general filtering for problematic traffic. 

From my experience, the cloud provides everything we need; however, we still lack the knowledge and framework in terms of who is doing what, et cetera.

It's quite different between on-premise and cloud. In the cloud, DevOps is doing a lot of things. On-premise, you have someone from infrastructure, someone installing the OS, and someone doing the vulnerability and patch management.

Depending on how you deploy, the activities need to be revised. You need to have this framework to work in the cloud, and it's more of a challenge in company philosophy rather than technical capabilities. Companies can find it challenging to migrate to new tools. Sometimes existing teams need to be re-educated. 

We have multiple applications, so usually, it takes a while to refine the framework with the responsibility inside the company. It's to be optimized. However, in terms of actual deployment, security-wise, it takes some time to do the security checks, including the scanning and vulnerability asset inventory. It might take two or three months per application.

I definitely recommend not only AWS. I also recommend Azure as an option. We have the integration with Office and the entire portfolio. The cloud, in general, it's a new thing to consider. For example, you have this GDPR with data in Europe. However, in the case of most of the clouds, you can select your regions and you have some control. 

I'd rate the solution nine out of ten. 

There are a huge amount of products. I'm not saying it's a bad or a good thing. However, it can be quite confusing. There are VPC, EC2, and other instances, and there are a lot of other services that you can use like Macie, where you can filter sensitive information. There are a lot of tools that require hands-on and new capabilities. For me, being at the beginning of this journey for cloud migration, I've been mostly quite happy with the results.

We use the AWS platform to implement custom security rules based on our company's SOP. We apply custom rules to protect specific APIs and specific endpoint URLs. This allows us to tailor our security measures to our specific needs and requirements.

AWS WAF has improved our organization by allowing us to restrict access to our services based on location, which means that only customers from specific locations can access our services. It helps protect against unauthorized access and data breaches.

The most valuable feature is the capability to limit access based on geographical location by restricting specific IP addresses.

In terms of improvement, AWS WAF works perfectly fine right now. I would like to see the addition of more advanced rate-limiting features in the next release. It would be beneficial to extend rate limiting beyond just web servers to the main node level.

I have been using AWS WAF for three years.

I would rate the stability of the solution an eight out of ten.

I would rate the scalability of AWS WAF an eight out of ten. All requests, about 100,000 per month, go through the AWS App, ensuring the entire infrastructure is compliant with it. We use it 24/7.

The technical support is slow to respond, and it's a paid service. I wouldn't recommend relying on it.

Negative

The initial setup was simple and I did it myself. I would rate it an eight out of ten in terms of easiness. The deployment was in-house and it took five to ten minutes. It is mostly automated so it did not require much manual assistance. If errors or failures occur, reports are generated and shared with the relevant team for resolution. The deployment process involved specifying endpoint URLs in the web test code to enable automatic integration and we had to wait a little due to cooling time on the web test board. 

The solution is really expensive. I would give it a ten out of ten in terms of costliness. You have to pay additionally for data transfer. 

I would advise someone considering AWS WAF to start with testing on AWS but be cautious of data transfer costs, especially if the project is longer than four months because that is when the additional cost appears. You should assess if it's suitable for your specific use case and make sure to test it before committing to avoid unexpected expenses when moving to the cloud. Overall, I would rate the solution a six out of ten.

AWS WAF is a tool we use in my company since we don't currently have a firewall. We can be safer if we have a firewall, and the receive protection side can avoid any vulnerability attacks.

AWS WAF is a firewall we use from time to time in my company.

I don't think any improvement is needed in AWS WAF.

As technology develops and grows, AWS WAF will have to improve as a product.

AWS WAF should provide better protection to its users, and the security features need to improve.

I have been using AWS WAF for six years. There is no specific version of the product since the vendor provides the services for the solution, and my company just uses it.

AWS WAF is a stable solution. The performance of the solution is very good.

Stability-wise, I rate the solution a ten out of ten.

My company doesn't rely on AWS WAF's scalability since it's a tool that is totally on the cloud. If the tool goes down by any chance, AWS provides the solution on the steps that need to be taken.

Around 30 employees in my company use AWS WAF.

The product is not extensively used in my company.

My company has no plans to increase the number of users of AWS WAF. If our client wants to increase the number of users, we need to act on the server.

The solution's technical support is good.

The product's setup phase was pretty easy.

Sharing the code files and database configurations are the two steps we follow for deploying the product.

The product's setup phase was carried out in-house.

There are no separate licensing costs we pay for since it is included in the plan we purchase.

AWS WAF has been releasing the product on a test-case basis.

It's always good to take precautionary methods for the production website. If everything goes fine, do work in your staging and UAT, not in the production part. The aforementioned details are the precautionary methods we have to follow.

Overall, I rate the solution a ten out of ten.

We faced many potential threats, such as hackers flooding in the requests, so we started using AWS WAF to block those IPs and stop those attacks. If multiple IPs are trying to attack our product, we'll also use AWS WAF by selecting the endpoints the hackers were attacking and then blocking those endpoints. Our cybersecurity team primarily uses AWS WAF.

What I like best about AWS WAF is that it's a simple tool, so I could understand the basics of AWS WAF in two to three hours. From the start, I know its purpose and its use case.

AWS WAF also has documentation. It's a user-friendly tool, and it's easy to know how to block the IPs and endpoints.

AWS WAF would be better if it uses AI or machine learning to detect a potential attack or a potential IP that creates an attack even before it happens. I want AWS WAF to capture the IP and automatically write the rule to automate the entire process. I want an AI feature in AWS WAF in the future.

I only saw how AWS WAF works for seven months when the cybersecurity team used it, so my knowledge of the tool is basic. I'm not an expert on AWS WAF.

AWS WAF is a stable product.

I have yet to contact the AWS WAF technical support.

As the company is an Amazon customer, the company looked into what other Amazon services could prevent the attack and came across AWS WAF when the attack happened. The tool was also easy to use and could prevent attacks and safeguard the company's product, so the company decided to use AWS WAF.

The initial setup for AWS WAF was simple. It was a basic setup process, though I have no idea about deployment time.

AWS WAF costs $5 monthly plus $1 for the rule. It's cheap, cost-wise. It's worth the money.

AWS WAF has three users within the company.

If I were to advise you on using AWS WAF, I'd tell you first to understand how the attack is happening. For example, is it a single server attack or multiple servers or regions? It would be best to find out which target is being attacked. You need to know the basics before using AWS WAF. You also need to know the rules. You need to understand how to secure your endpoints. Users should have a basic understanding of AWS WAF and its purposes before using it. You need basic cybersecurity knowledge.

I'm new to cybersecurity, so AWS WAF is the first cybersecurity product I used and based on my experience and usage, it's a ten out of ten. AWS WAF is a user-friendly, on-point tool, and I could understand it easily.

My company is an Amazon customer.

It's more of an application security tool that we use to secure applications. 

AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice.

It's pretty much an AWS native service, so it's something that they improve year after year. They do continuous improvements on a year-by-year basis, so the product is really good. An improvement area would be that it's more of a manual effort when you have to enable rules. That's one of the downsides. If that can be done in an automated way, it would be great. That's a lagging feature currently.

It could also support multi-cloud integration where you can integrate with applications other than AWS applications. It would be a good feature or use case for this solution.

I've been using this solution for almost three to four years.

It's stable. I'd rate it an eight out of ten in terms of stability.

It's scalable. We probably have more than a hundred users. It's pretty much being used by everyone, such as engineers, managers, etc. Everyone is into it.

We get good support. I'd rate them a nine out of ten.

Positive

We didn't use any similar solution previously. In the future, we might use another solution, but for now, we are more into AWS WAF.

It's neither complex nor simple. It's somewhere in the middle. I'd rate it a six out of ten in terms of the ease of the setup.

It's a cloud solution, and we have a multi-cloud scenario. We are pretty much using all four clouds: Amazon, Azure, AWS, and Oracle. It's a mix-and-match or hybrid.

In terms of maintenance, there would be a team of engineers to maintain it.

Its price is fair. There is a very fair amount that they charge.

It has a pay-as-you-go model, so it pretty much depends on how much a user uses it. As per the cloud norms, the more you use, the more you pay. I would rate it a five out of ten in terms of pricing.

Overall, I'd rate it a seven out of ten because it's not automated and it's a bit complicated to implement or deploy the solution.