AWS WAF Reviews

We use this solution to protect our web applications against common vulnerabilities. The CDN component is also quite powerful. We use this solution alongside Azure WAF.

The simple configuration and the scalability have been most valuable. We are able to scale across all of our different AWS instances.

This solution could be improved if the configuration steps were more specific to WAF, compared to other cloud services. 

I have been using this solution for two years. 

This is a stable solution. We rely on AWS's other cloud services and we've never experienced any stability issues. 

This is a scalable solution. 

Our support experience has been quite good. 

Neutral

The main reason we switched from using CloudFlare to AWS is to have a native offering because all of our cloud solutions are on AWS. This made it simpler compared to using a third party and easier to reroute traffic.

It depends on your AWS configuration, but what we've experienced is that the rule policy configuration is really straightforward. It took a couple of weeks. 

We had in-house expertise.

We have a medium amount of traffic per month and the cost is in the hundreds rather than in the thousands. I don't know the exact number.

I would advise others to ensure they understand what can be done internally and then what you need expertise for externally. If you have the expertise internally, it can be easily configured. Keep the SIEM configuration as simple as possible, rather than trying to modify and configure too many things.

I would rate this solution an eight out of ten. 

We are using AWS WAF for business purposes for clients. We host our client's platforms on AWS WAF.

AWS WAF has a lot of integrated features and services. For example, there are security services that can be integrated very well for our customers.

The serverless product from AWS WAF could be improved. For example, they have only one serverless series, Lambda, but they should extend and improve it. Additionally, the firewall rules are not very easy to configure.

I have used AWS WAF for approximately five years.

I have found AWS WAF to be stable.

The scalability of AWS WAF is very good.

The solution can be used in small to large-sized businesses.

The customer service has been fine, we had no issues with them. We have been satisfied.

The setup of AWS WAF is very easy.

The price of AWS WAF is reasonable, it is not expensive and it is not cheap.

I would recommend this solution to others.

I rate AWS WAF a seven out of ten.

We use this product for our web application firewall. It is used for production services.

I am not a direct customer but I have installed it for one of my clients.

The most valuable feature is that it is integrated with other AWS services.

I would like to see it more tightly integrated with other AWS services.

I have been working intermittently with AWS WAF over the past two years.

AWS WAF is extremely scalable.

At this point, we don't have any plans to increase our usage of it.

Prior to AWS WAF, I was using a Cisco web application firewall. However, when I started using AWS, I switched.

This is not a product that you need to install. You just use it.

The only people that need to work with it are those who configure it.

You need an additional AWS subscription for this product if you are buying a managed tool.

Overall, this is a good product and I recommend it. My advice for anybody who is just getting started with it is to follow the instructions.

I would rate this solution an eight out of ten.

We use AWS WAF to prevent cyberattacks, such as SQL Injection attacks and cross-site scripting attacks. The end users' traffic has more threats and the web application gives good support.

The most valuable features of AWS WAF are its cloud-native and on-demand.

Any customer can leverage AWS WAF immediately, it has a basic set of rules that are available.

The solution could improve by having better rules, they are very basic at the moment. There are more attacks coming and we have to use third-party solutions, such as FIA. The features are not sufficient to prevent all the attacks, such as DDoS. Overall the solution should be more secure.

I have been using AWS WAF for approximately four years.

This is a very stable solution.

AWS WAF is scalable.

We have approximately five customers using this solution.

The technical support is very good. They are responsive and knowledgeable, they have always come back with a resolution or a workaround to help us.

The initial setup took approximately 15 mins, it is easy.

We have a team that does the support for the solution.

AWS WAF is pay-as-you-go, I only pay for what I'm using. There is no subscription or any payment upfront, I can terminate use at any time. Which is an advantage.

The first version of AWS WAF was not mature but the second version is very mature.

I would recommend this solution to others because instead of choosing a third-party solution which will take time, and you will have to be in negotiations. It is good to start with AWS WAF for their minimal primary security firewall to save their workload. AWS WAF is available on-demand from day one.

I rate AWS WAF a seven out of ten.

At the moment, it's just myself working with AWS WAF in my company, and our use case for it is normal, or what you would expect from a Web Application Firewall. That includes basic DoS blocking and malicious IP address blocking. It's not a big thing for us, and just takes care of our baseline security.

As a basic WAF, it's better than having nothing. So if you need something simple out of the box with default features, AWS WAF is good.

I think there's a lot wrong with AWS WAF. Here are the two main areas where I think it could be improved:

Blocking: We don't have much control over blocking, because the WAF is managed by AWS. What happens is that they will put down the rules on their side and we don't have proper visibility on that. So we'll have to track down the issues and see what is wrong or not. For example, with IP address blocking, it's difficult to find out which IPs are getting blocked. If we managed our own WAF completely, we wouldn't have this kind of problem. Right now, this aspect is half managed by us, and half managed by AWS. Because of this, I think it would be far more helpful to us if we went for our own tool instead.

Automation: As in, a lot of separate blocks if something goes wrong. For example, every company will have their own rules for automation, in terms of their goals for the product. Like, "I want my WAF to do this. I want my WAF to do that." But that's the kind of thing that I think we will only see when we do some POCs with our clients. 

I have been working with AWS WAF for around one year now. 

The performance has been good, even though it could be better. At any rate, the WAF has not caused any lag on our side.

It is scalable in my experience, but the lack of features doesn't take it very far in terms of actual usage. Eventually, customers will move away from it. If there's no one interested in managing the WAF, that's fine, then customers may keep using it. But for us, we are not planning to scale it out further.

AWS technical support is good.

Neutral

The setup is easy and nothing serious. You don't have to do a lot to get set up with it. Compared to other WAFs out there, I think AWS WAF is very simple, especially since most of it is managed by AWS.

We haven't needed anyone from AWS to help us with the deployment or implementation. It's all me at this point.

It's less cost and easy to setup

There are multiple other options which we could have gone for, but it depends on the budget, typically. I am especially interested in a WAF which has serious support for automation and more complex configuration options.

For people who don't have any WAF currently, and who just need something basic, it's not a bad idea to go with AWS WAF for starters. But if you are someone who is looking for a fully-fledged and self-managed WAF, you should look elsewhere for a better tool. You should certainly not stick with AWS WAF if you are serious about managing your security and mitigating your risks.

Overall, I would recommend AWS WAF to others, but only under the conditions I have mentioned. If you have the budget and the resources, however, go for something else.

I would rate AWS WAF a five out of ten.

I primarily use the solution as a gateway service and a transaction portal. 

We haven't had any issues with the solution so far.

The pricing of the product is very good. They make it very reasonable and it's very easy to afford.

Their technical support has been quite good.

The performance is excellent. It's reliable.

We've found the solution to be quite stable.

We haven't faced any problems with the solution. I can't speak to any missing features. Every aspect of it has been quite good.

I've been using the solution for a while.

The stability has been very good. We've enjoyed a very reliable performance. There are no bugs or glitches. It doesn't crash or freeze. It's been good.

Technical support has been quite good. We've found them helpful and responsive. We are quite satisfied with the level of support that is provided to us.

The solution is very reasonably priced. 

I'm just a customer and an end-user. I don't have a business relationship or partnership with AWS.

I have pretty good experience in AWS. I have a certificate in AWS.

I'd rate the solution at a ten out of ten. We've been extremely satisfied with the solution.

We use this solution for online web applications.

The most valuable features are the geo-restriction denials and the web ACL.

I enjoy using it because it is very easy.

Also, it's quite efficient.

The service itself is fine. On the UI side, I would like it if they could bring back the conditions view which had geo match, IP sets and etc. When using WAF classic you could see this option on the left side of the console. Currently IP sets and regex strings is there but geo match does not seem to be included, not sure if geo matching is still supported.

I have been using AWS WAF for almost three years.

We are using the newest version of AWS WAF, which is Version 2.

It's a stable solution. I have not experienced any issues.

There are approximately 1,000 people who are using this solution on a daily basis.

It is easy to scale. Just ensure that you cover the relevant resources within it. You can cover multiple resources such as CDN or use them in your AOD.

It's quite scalable.

I have not contacted technical support.

I have always used AWS. It's been the focus for the last three years.

The initial setup was simple.

It took less than an hour to deploy.

The implementation was completed internally.

It's quite affordable. It's in the middle.

Everything is included with the usage that you take up when you implement the service.

The product does not require any maintenance. You need to ensure how you consider your rules. You have to make sure that all of your considerations for your protection are done really well. Do regular updates to improve on the different threats and intrusion.

I would recommend the product because it is very flexible and you are able to use it with multiple services within AWS.

I would rate AWS WAF a solid ten out of ten.

The regular use case is basically for blocking or giving access to different vendors to different domains. We also use it for managing and identifying the attacks and new rules that we should implement for our public domains to tune up the application firewall or tool, whatever makes more sense for us.

We're using it through the web console and API. We're just using the managed service.

Our organization is launching a lot of betas. We are creating a lot of new different systems for different customers. AWS WAF helps us a lot to make sure that the right customer gets the right access to the system.

The access instruction feature is the most valuable. This is what we use the most.

It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful.

It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one.

Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right.

I have been using AWS WAF for about six months.

Stability-wise, it works as expected.

I definitely see places where it can be more designed to scale. In addition to amazon resources, there is some stuff from other vendors that we wanted to protect. WAF was not a solution for us because we don't have a way to integrate with those things. That was the biggest challenge that we faced. In terms of the number of users, our end users could be in the thousands.

It is okay.

It was okay. We went for the cloud formation, and our deployments happen probably every week.

Everything is managed through cloud formation. After implementation, three or four hours a week are required for maintenance.

We are kind of doing a POC comparison to see what works best. Pricing-wise, AWS is one of the most attractive ones. It is fairly cheap, and we like the pricing part. We're trying to see what makes more sense operation-wise, license-wise, and pricing-wise.

I won't recommend it at the moment because I don't have a full picture to recommend it or say that it is bad or good. I'll probably just keep testing and go with it for probably another six months or a year, and then I can probably recommend it or not. 

Other vendors are also providing solutions for D-DOS protection and WAF. It would be nice to see something outside the box for AWS WAF to make it compete with other vendors.

I would rate AWS WAF a seven out of ten. It does what it is supposed to do, probably not in the best way and not in the best UI, but it works. We like the pricing part, but management is the thing that we don't love the most. If things keep improving, we're definitely going to scale with AWS WAF.