AWS WAF Reviews

Name: AWS WAF
Brand: Amazon Web Services (AWS)
Rating: 4.0 (59 reviews)

Vendor: Amazon Web Services (AWS)

4.0 out of 5

59 reviews
80% willing to recommend

562 followers

Start review

What is AWS WAF?

AWS Web Application Firewall (WAF) is a firewall security system that monitors incoming and outgoing traffic for applications and websites based on your pre-defined web security rules. AWS WAF defends applications and websites from common Web attacks that could otherwise damage application performance and availability and compromise security.

Get the AWS WAF Buyer's Guide and find out what your peers are saying about AWS WAF, Prisma Cloud by Palo Alto Networks, Microsoft Azure Application Gateway and more!

AWS WAF is the #1 ranked solution in top Web Application Firewalls. PeerSpot users give AWS WAF an average rating of 8.0 out of 10. AWS WAF is most commonly compared to Prisma Cloud by Palo Alto Networks: AWS WAF vs Prisma Cloud by Palo Alto Networks. AWS WAF is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 15% of all views.

Helped 849,686 peers since 2012

Featured AWS WAF reviews

Kavin Kalaiarasu

Security Analyst at M2P Fintech

The dashboarding could be improved, and the default metrics provided by AWS WAF could be upgraded. The rate at which AWS updates their managed rule sets could be better. Features like bot protection or DDoS mitigation, available with other WAF vendors, do not come natively with AWS WAF. Instead, they are part of AWS Shield. Providing DDoS protection as part of their WAF solution would be beneficial.

Read full review

AshishGautam

IT Project Manager at Rajiv Gandhi Cancer Institute In India

The area of reporting in the product needs to have a proper format. If you want to find the event log for an event and IP address from another country, there is a need to do some rework after the reporting part is taken care of so that the management can easily read the reports. A technical person in the organization can always understand where a particular network traffic comes in or where traffic is blocked with the help of WAF, but those in the management department would never understand the concepts that a technical person can understand. The reporting part of AWS WAF needs to be improved.

Read full review

Abdul Qayyum

Software Architect at Vodworks

Before using AWS WAF for the first time, it is important to consider where your infrastructure is hosted and where you want to implement the firewall. If you are already on AWS, AWS WAF would naturally be a suitable choice. Determine the level of security required based on your application's domain, such as financial applications needing more stringent security measures. Select appropriate rules for your use case, considering both conventional web rules and AWS Shield for critical applications. Additionally, after setting up AWS WAF, conduct thorough testing using vulnerability scanners like ThoughtSpot, Acunetix, or Nessus to ensure the effectiveness of your setup. For beginners with around six months to a year of AWS experience, learning to use AWS WAF shouldn't be too difficult. However, integrating it with web applications across different cloud platforms might pose some challenges. Overall, experienced AWS users should find it manageable, while beginners may need some time to get used to it. Overall, I would rate AWS WAF as a seven out of ten.

Read full review

AWS WAF mindshare

As of May 2025, the mindshare of AWS WAF in the Web Application Firewall (WAF) category stands at 10.6%, down from 13.5% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Web Application Firewall (WAF)

PeerResearch reports based on AWS WAF reviews

Type	Title	Date
Category	Web Application Firewall (WAF)	May 1, 2025	Download
Product	Reviews, tips, and advice from real users	May 1, 2025	Download
Comparison	AWS WAF vs F5 Advanced WAF	May 1, 2025	Download
Comparison	AWS WAF vs Microsoft Azure Application Gateway	May 1, 2025	Download
Comparison	AWS WAF vs Fortinet FortiWeb	May 1, 2025	Download

Title	Rating	Mindshare	Recommending
Prisma Cloud by Palo Alto Networks	4.2	2.1%	98%	110 interviews Add to research
Microsoft Azure Application Gateway	3.6	8.6%	78%	47 interviews Add to research

Valuable Features

AWS WAF users highlight aspects like efficient threat blocking, seamless AWS integration, and robust rule-based security features. Its flexibility allows customization for enhanced protection against web threats like SQL injections and DDoS attacks. The scalable architecture and ease of deployment are praised, making it an appealing choice for cloud-native applications. Users appreciate the cost-effectiveness and automation features, which enhance the protection of web applications and simplify security management.

"Some valuable features of AWS WAF include its seamless integration and ease of orchestration within the AWS platform."
"The cloud-native nature of AWS is crucial since most of our workload is in AWS, making AWS WAF native to Amazon Web Services."
"The cloud-native nature of AWS is crucial since most of our workload is in AWS, making AWS WAF native to Amazon Web Services."

Room for Improvement

AWS WAF users seek automation and improved UI for simpler management and global support. Security enhancements, advanced threat detection, and proactive measures are desired. Integration with third-party solutions, simplified billing, and enhanced bot protection are necessary. Users want real-time alerts and reduced pricing. The documentation needs clarity and updates to match new features, with better DDoS protection and explanation of block reasons. Users require more advanced rate limiting and standardized configuration guidelines.

"AWS WAF's signature sets have room for improvement due to false positives."
"The rate at which AWS updates their managed rule sets could be better. Features like bot protection or DDoS mitigation, available with other WAF vendors, do not come natively with AWS WAF."
"The dashboarding could be improved, and the default metrics provided by AWS WAF could be upgraded."

ROI

AWS WAF delivers a significant return on investment through enhanced security and cost savings for organizations. Users find it essential for security, despite it being potentially costly. Successful prevention of hacks signifies an immediate return on investment. As AWS WAF is part of the AWS ecosystem, it saves time and resources, boosting customer satisfaction, particularly for organizations focused on AWS services. Managers have not expressed concerns regarding its expenses.

Pricing

Enterprise buyers evaluating AWS WAF find its pricing as pay-as-you-go, with costs depending on usage. Many appreciate its affordability and flexibility, with monthly expenses ranging from $5 for basic use to potentially higher amounts with increased traffic. Some users rate pricing as moderate, while others find it expensive compared to alternative solutions. AWS WAF's pricing varies based on factors like the number of requests, server count, and organizational needs, often offering value within AWS ecosystems.

"For Kubernetes microservices, AWS is more expensive compared to OCI. AWS costs approximately 70 cents per hour, while OCI is 50% cheaper."
"On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven or eight out of ten."
"The solution is affordable."

Popular Use Cases

AWS WAF is primarily used for web application security, protecting backend services and preventing common cyberattacks like SQL Injection and DDoS. It offers perimeter protection, secures infrastructure, provides threat insights, and allows deployment across cloud platforms like AWS, Azure, and GCP. Organizations use it for traffic filtering, application-specific protection, virtual machine security, and creating custom security rules. It's often integrated with tools like CloudFront, S3, EBS, F5, and Azure WAF for comprehensive security.

Service and Support

AWS WAF customers express mixed experiences with support. Many find the team knowledgeable and responsive, particularly with enterprise agreements. However, some report slow response times and challenges in contacting support without additional fees. While some appreciate the technical expertise and resolution capabilities, others feel improvements in flexibility and speed are necessary. Users mention both prompt issue identification and delays due to a lack of product understanding among support personnel.

Deployment

AWS WAF's initial setup varies in complexity. Some find it straightforward and quick, requiring minimal effort and time, with deployment often completed in under an hour. Others experience a more complex setup due to unique environments or additional integrations, sometimes taking weeks or months. Experience levels vary, with some utilizing extensive AWS resources and automation tools. While many report ease on maintenance, complexities arise in large or multi-tenant environments, often involving additional teams for cloud, security, and deployment tasks.

Scalability

AWS WAF receives high marks for scalability, being described as highly scalable and easily managed within the cloud environment. It accommodates various business sizes, with automatic scaling handling traffic efficiently. Many users praise its performance, though some prefer additional feature integration. Generally rated eight to nine out of ten, AWS WAF handles significant user numbers, highlighting its efficiency for different infrastructures without common scaling challenges.

Stability

AWS WAF is considered to have strong stability by users, with many rating it highly. The platform is regarded as reliable, handling operations without bugs or glitches. It provides robust performance, even though some believe improvements can be made. Users appreciate its reliability, with multiple availability zones ensuring dependability. While a few mention minor issues with request handling, the majority experience a stable and secure environment, contributing to seamless functionality and minimal security concerns.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our AWS WAF Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

15%

Financial Services Firm

14%

Manufacturing Company

Government

Insurance Company

Comms Service Provider

Healthcare Company

Real Estate/Law Firm

Retailer

Media Company

Educational Organization

University

Energy/Utilities Company

Hospitality Company

Construction Company

Non Profit

Wholesaler/Distributor

Legal Firm

Recreational Facilities/Services Company

Outsourcing Company

Pharma/Biotech Company

Transportation Company

Performing Arts

Consumer Goods Company

Engineering Company

Logistics Company

Compare AWS WAF with alternative products

Learn more about AWS WAF

You can create rules in AWS WAF that can include blocking specific HTTP headers, IP addresses, and URI strings. These rules prevent common web exploits, such as SQL injection or cross-site scripting. Once defined, new rules are deployed within seconds, and can easily be tracked so you can monitor their effectiveness via real-time insights. These saved metrics include URIs, IP addresses, and geo locations for each request.

AWS WAF Features

Some of the solution's top features include:

Web traffic filtering: Get an extra layer of security by creating a centralized set of rules, easily deployable across multiple websites. These rules filter out web traffic based on conditions like HTTP headers, URIs, and IP addresses. This is very helpful for protection against exploits such as SQL injection and cross-site scripting as well as attacks from third-party applications.

Bot control: Malicious bot traffic can consume excessive resources and cause downtime. Gain visibility and control over bot traffic with a managed rule group. You can easily block harmful bots, such as scrapers and crawlers, and you can allow common bots, like search engines and status monitors.

Fraud prevention: Effectively defend your application against bot attacks by monitoring your application’s login page with a managed rule group that prevents hackers from accessing user accounts using compromised credentials. The managed rule group helps protect against credential stuffing attacks, brute-force login attempts, and other harmful login activities.

API for AWS WAF Management: Automatically create and maintain rules and integrate them into your development process.

Metrics for real-time visibility: Receive real-time metrics and captures of raw requests with details about geo-locations, IP addresses, URIs, user agents, and referrers. Integrate seamlessly with Amazon CloudWatch to set up custom alarms when events or attacks occur. These metrics provide valuable data intelligence that can be used to create new rules that significantly improve your application protections.

Firewall management: AWS Firewall Manager automatically scans and notifies the security team when there is a policy violation, so they can swiftly take action. When new resources are created, your security team can guarantee that they comply with your organization’s security rules.

Reviews from Real Users

AWS WAF stands out among its competitors for a number of reasons. Two major ones are its user-friendly interface and its integration capabilities.

Kavin K., a security analyst at M2P Fintech, writes, “I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through.”

AWS WAF was previously known as AWS Web Application Firewall.