AWS WAF Reviews

We use this solution to protect our web applications against common vulnerabilities. The CDN component is also quite powerful. We use this solution alongside Azure WAF.

The simple configuration and the scalability have been most valuable. We are able to scale across all of our different AWS instances.

This solution could be improved if the configuration steps were more specific to WAF, compared to other cloud services. 

I have been using this solution for two years. 

This is a stable solution. We rely on AWS's other cloud services and we've never experienced any stability issues. 

This is a scalable solution. 

Our support experience has been quite good. 

Neutral

The main reason we switched from using CloudFlare to AWS is to have a native offering because all of our cloud solutions are on AWS. This made it simpler compared to using a third party and easier to reroute traffic.

It depends on your AWS configuration, but what we've experienced is that the rule policy configuration is really straightforward. It took a couple of weeks. 

We had in-house expertise.

We have a medium amount of traffic per month and the cost is in the hundreds rather than in the thousands. I don't know the exact number.

I would advise others to ensure they understand what can be done internally and then what you need expertise for externally. If you have the expertise internally, it can be easily configured. Keep the SIEM configuration as simple as possible, rather than trying to modify and configure too many things.

I would rate this solution an eight out of ten. 

I primarily use the solution as a gateway service and a transaction portal. 

We haven't had any issues with the solution so far.

The pricing of the product is very good. They make it very reasonable and it's very easy to afford.

Their technical support has been quite good.

The performance is excellent. It's reliable.

We've found the solution to be quite stable.

We haven't faced any problems with the solution. I can't speak to any missing features. Every aspect of it has been quite good.

I've been using the solution for a while.

The stability has been very good. We've enjoyed a very reliable performance. There are no bugs or glitches. It doesn't crash or freeze. It's been good.

Technical support has been quite good. We've found them helpful and responsive. We are quite satisfied with the level of support that is provided to us.

The solution is very reasonably priced. 

I'm just a customer and an end-user. I don't have a business relationship or partnership with AWS.

I have pretty good experience in AWS. I have a certificate in AWS.

I'd rate the solution at a ten out of ten. We've been extremely satisfied with the solution.

We use this solution for online web applications.

The most valuable features are the geo-restriction denials and the web ACL.

I enjoy using it because it is very easy.

Also, it's quite efficient.

The service itself is fine. On the UI side, I would like it if they could bring back the conditions view which had geo match, IP sets and etc. When using WAF classic you could see this option on the left side of the console. Currently IP sets and regex strings is there but geo match does not seem to be included, not sure if geo matching is still supported.

I have been using AWS WAF for almost three years.

We are using the newest version of AWS WAF, which is Version 2.

It's a stable solution. I have not experienced any issues.

There are approximately 1,000 people who are using this solution on a daily basis.

It is easy to scale. Just ensure that you cover the relevant resources within it. You can cover multiple resources such as CDN or use them in your AOD.

It's quite scalable.

I have not contacted technical support.

I have always used AWS. It's been the focus for the last three years.

The initial setup was simple.

It took less than an hour to deploy.

The implementation was completed internally.

It's quite affordable. It's in the middle.

Everything is included with the usage that you take up when you implement the service.

The product does not require any maintenance. You need to ensure how you consider your rules. You have to make sure that all of your considerations for your protection are done really well. Do regular updates to improve on the different threats and intrusion.

I would recommend the product because it is very flexible and you are able to use it with multiple services within AWS.

I would rate AWS WAF a solid ten out of ten.

My whole business is cloud cost management. What I do is help people manage expenses. That encompasses everything from cleaning up software as a service subscriptions to optimizing AWS. My use cases for AWS WAF have to do with cloud research only.  

The best part about it is that it is a cloud solution.  

The complexity of deploying turnkey solutions could be simplified.  

They actually have too many different things that you can tinker with and too many different ways to do the same thing. It may be helpful if the product were to be more directed and if it used best practices with technical and non-technical users in mind.  

We have been using WAF (Web Application Firewall) for six months.  

WAF is very stable.  

I believe WAF is very scalable.  

We have only two staff in our organization who are using AWS WAF.  

Technical support is more-or-less fair. That is where most technical support falls these days.  

The initial setup is really sorta complex. That is something which could probably be made easier.  

The licensing costs are variable. For me, it is under a hundred dollars a month.  

The range of your costs with Amazon Web Services is going to be different depending on a lot of factors. It can go as low as actually being free all the way up to millions of dollars. It depends on the organization and how the service is used.  

On a scale of one to ten where one is the worst and ten is the best, I would rate this product as a seven-out-of-ten. A change in the pricing structure that favors the client and simplification is something they would have to do to improve to make that score closer to a ten.  

There are two things that we primarily use AWS WAF (Amazon Web Services Web Application Firewall) for. One use is within the company. Within the company, the intended use is to deploy our applications. It is like working with the cloud. We can start an application in S3 (Simple Storage Service), and use profiles for access to data.  

The other use is that most of our clients use a similar infrastructure. They are either using AWS, Azure or maybe Google Cloud Platform (GCP). We deploy this solution for them.  

Both uses are different. One is for the cloud solutions like AWS, Azure and GCP, and one is for the local server access. That is how you want to secure a server. You are securing a server, database, app servers, and ATA gateways. The other one is for implementing security for the AWS. You want to have both running side-by-side.  

Let me give you an example. Suppose, most of the people working for your company are connected from external locations with company-provided laptops or systems. I want to check all devices to make sure that they are being used in a secure way and not creating any breach of security. Those checks cannot be taken care of reliably from the AWS perspective. This is why you need two solutions.  

The most valuable feature is the ability to use the product to enhance security in deploying web applications.  

We have not implemented WAF completely. We are working around that issue right now in the AWS. We are creating log files and then we are using Kibana for analysis. Out WAF deployment is not perfected yet so it is not implemented as our long-term solution. It will take another month to complete the setup. I do not have the big picture on it yet in a live environment, so my view of what will need to be improved under load is limited.  

I think one thing that should be available is that if there are technical problems in the AWS, then there should be automated alerts to AWS. Calling support is not that easy. It would be better to automatically send emails to them to report that there is a bug in their programming.  

I have an idea for a new feature to consider. I think the security area and other things that they provide are good, and I know there are third-party integrations. It provides a lot of value. The problem is that the 'value' of the solution makes it very costly. That is a big thing. $20,000 for this solution seems like a lot.  

Right now we are limited to only MySQL and PostgreSQL databases. There should be other options and also a way to check the security of it. I think AWS should develop and make available some kind of a management screen so we can see the logs, which servers are using the service, and how the security is performing. All we can see right now is if there are any security breaches. This is not enough information to evaluate the performance of the system.  

For example, there are a lot of people using MongoDB databases. Over the last two years, a lot of them got hacked. Mongo should have had a way to alert end users if its facilities get hacked. A manager or some administrator should receive an email saying that this or that account got hacked and there was a security breach. This would be enough notification to prompt taking other appropriate actions.  

There should also be a report or alerts which tell us that the configuration is having security issues. I think there is something called PVE security rules which might be implemented. Of course, Cisco's security rules could also be implemented. Once the rules are implemented, we know for certain if they are providing a secure connection or not. We need some type of check on the configuration that can create alerts for potential security issues and to have proper notifications.  

We have been in the implementation process with the product for some time but it is not yet live because we are not totally satisfied with the setup.  

I am not satisfied with AWS technical support. It is a long story. Two years back I contacted support because their code was not working. The solution itself was not perfect and there was a bug in the system. It was creating a lot of issues and there is no way to contact support. 

I tried to contact them to tell them that they had a problem with AWS, they wanted me to pay them $200 to tell them there was a problem with their product — which is very strange. What I did instead was to send an email to their sales department at AWS to explain to them that there was a coding issue and that the software was not working as it was supposed to. After many months, they replied that this was not a problem for the sales department. They said they would forward the issue to the technical support team. When the technical support team received the information, they asked for money again to solve the problem in the coding of their own product.  

I just wanted to tell them that they had a problem. They gave me a run-around and would not even look at the issue that was on their end which must have affected more clients than just me. So I think in that way, the technical support is not good. If there is a problem or a bug within the AWS services, there is no way to contact anyone for a resolution. That is a problem and not a good way to run technical support.  

We were using ManageEngine. A problem with using ManageEngine was that ManageEngine can help in securing the servers and API gateways and app servers, but it cannot help to tell if there is any breach in security from a company-provided laptop. We needed a better solution that covered this vulnerability.  

This product is not straightforward to set up and deploy. In the area of database security, it is especially complex. This is especially true when you want to do security for the cloud. There may be applications that will allow software on the cloud to access your in-house servers. If your in-house servers are available and there is a database, you want to secure it. You can do that more easily in-house than you can on the cloud but you have to be sure it is configured and secured properly.  

As far as pricing considerations, there are other competitors to consider. All the solutions are not easy and all will not do exactly the same thing or even what you need. SecureSphere is expensive, I think $20,000 per year. If you go for ManageEngine or any other solution, they also go for close to $10,000. It depends on how many applications you are running and how many servers you have. They can easily run into close to $10,000 a year. Database security and application security are generally costly solutions.  

AWS is not that costly by comparison. They are maybe close to $40 per month. I think it was between $29 or $39.  

On a scale from one to ten where one is the worst and ten is the best, I would rate this product as a seven or an eight. I do not like to give it a solid rating as of now because we are still in the process of implementing it. Once we have completed the implementation, we will be able to give you a proper answer. As recent as two weeks we were still considering ManageEngine, but we did finally decide in our comparisons that it cannot provide all of the features that we are looking for.  

A primary use case example is when a customer from the cloud wants to expose his applications to the internet. We make sure that the clients, the applications, whatever they're trying to export, are public but that it's not going directly public. We make a backup, for instance, to protect the sellers and applications from security checks, etc. 

There are two models. One is, you can use the free services which you can download from the AWS website. There is also a paid version, where you can go for individual vendors, like Impala, Fortinet, and different vendors, which helps you to attain the top end web application security. It helps them to update the security patches, etc.

AWS has flexibility in terms of WAF rules. Users can choose from using a free service, which you can do from your own end, or a third-party vendor if you want to as well by choosing a paid version. WAF rules can be managed either by your own self or you can go for a third party.

The best thing with the solution is there is no hard and fast route and when I go for AWS. It's not a monopoly environment.

There isn't room for improvement per se. the cloud is constantly evolving and changing however, so we'll see what the future brings.

When users choose the free service, there isn't great support available to them. This is because, when it comes to any issues, due to the fact that it says that when the rules are defined by the users, it becomes their responsibility. When there are any problems or threats, which don't get mitigated or the threat is not being properly managed, since the rules are owned by the user, they take responsibility for everything. It would be helpful if AWS could take a bit of responsibility here and help users understand where things went wrong.

Support wise, I don't think they are that good compared to individual vendors. When it comes to vendors, it becomes their product, and being a product owner, they take more responsibility and ownership of issues. AWS doesn't do that at all.

I've been using the solution for two and a half years.

The solution is quite stable. We haven't run into bugs or glitches. It's reliable. You don't see any downtime.

Since we're talking more about the cloud version of the web application firewall, it's highly scalable. When I say scaling, there is a concept called auto-scaling wherein which you can scale up and scale down according to your amount of traffic load. It's automated, so it's highly scalable, actually.

While any company can use AWS, we see a lot of medium-sized firms using this particular solution, as opposed to larger companies, as those have already their own vendors which are already in the on-premises data centers environment.

I would say from the support point of view, there should be more flexibility when it comes to when users have issues to be able to ask for their help. They need to try to go the extra mile and right now they just aren't doing that.

We've only used AWS for a few customers. Usually, we recommend a different solution. However, it depends on the client and the type of budget that they have. As one version of AWS is free, sometimes that is the only option.

The initial setup is not difficult. It's very straightforward.

Deployment is pretty quick and might take up to one and a half hours at most.

You don't need too many people for maintenance. If they are knowledgable enough, a single person can handle it with no problems. They're even able to do some scripting language to handle the deployment and can set up some automation protocols as well.

When it comes to maintenance, the real challenge comes into play for mitigation. You might need maybe we need four to five people, at a large organization.

There are two versions of the solution available, one of which is free, which is the version we use, so we don't pay for anything.

We're using the latest version of the solution.

When customers tend to use multi-cloud vendors and multi-cloud environments, they want solid security protection. That's where the third party comes into the purchase. If any customer is specific to some cloud like AWS or Azure, we won't recommend third party. We'll try to use AWS's own specific services so that it's smarter cost-wise and flexibility wise, so it adds value to the customer.

However, when things go to a multi-cloud environment or a hybrid cloud architecture, that's when the third party comes into the picture. 

I would recommend this solution to companies who are looking for cloud solutions with firewall flexibility. AWS is very user-friendly and largely inexpensive, however, if an organization has the budget, there are lots of great products out there that do largely the same thing.

I'd rate the solution eight out of ten.

Our primary use case is to protect our internal web solution. We use it to have an internal application for our customers. We are an SME worldwide company, so we have some internal website solutions architects that use this as an internal portal to the internet. We apply a WAF front to our web application.

The most valuable aspect is that it protects our code. It's a bit difficult to overwrite code in our application. It also protects against threats. It's important to protect the code against the threats on the internet. It redirects any threat, any attack, to a Fail2ban mechanism.

Sometimes it's a bit difficult to check the rules because when you apply a rule, sometimes it's too much and we need to rewrite the rules and make compromises on the rules because it will block too many things. It's a bit difficult to apply the right rules for the right security.

We have used AWS WAF for around a year. 

Their support is very good. We have an enterprise agreement with Amazon.

I don't remember there being any problems with the setup.

I think AWS WAF is a great solution. You can define big and a bit smaller architectures and scale out architecture as you need, due to the edge location. Its features are very amazing. 

I would definitely recommend AWS WAF. I asked my security director to move from our internal WAF to the AWS WAF because we can make global unique WAF services for our on-premise web servers and also our AWS web servers with one common rule and one common authority to manage these rules

I would rate AWS WAF an eight out of ten.

We are a technical services company and this is one of the solutions that we have helped implement for our clients. We stopped using AWS about six months ago and as such, we are not currently using the AWS Web Application Firewall.

The most valuable feature is the scalability because it automatically scales up or scales down as per our requirements.

I would like to be able to view a graphical deployment map in the user interface that will give me an overview of the configuration and help to determine whether I have missed any steps.

The stability is good. From our experience, I've felt very happy with all of the AWS components in terms of stability. They work fine and have met our requirements.

The scalability of this solution is very good.

I am really happy with the AWS customer support, although I have not needed to contact them for this solution.

We have changed solutions because the choice of product depends on the customer's preferences and requirements. When I am working on a contract, I am required to use whatever they ask me to. If I already have the experience then I apply it. Otherwise, I learn what I need to, which sometimes involves taking training courses.

My advice for anybody who is implementing this solution is not to simply look it up on Google before starting to use it. I would suggest taking some training courses, start to understand how it works internally, and then begin using it.

Overall, it is a good product and it generally fits well for my purposes.

I would rate this solution a seven out of ten.