IT Central Station is now PeerSpot: Here's why

AWS WAF OverviewUNIXBusinessApplication

AWS WAF is #6 ranked solution in top Web Application Firewalls. PeerSpot users give AWS WAF an average rating of 7.6 out of 10. AWS WAF is most commonly compared to Microsoft Azure Application Gateway: AWS WAF vs Microsoft Azure Application Gateway. AWS WAF is popular among the large enterprise segment, accounting for 66% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 24% of all views.
AWS WAF Buyer's Guide

Download the AWS WAF Buyer's Guide including reviews and more. Updated: August 2022

What is AWS WAF?

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

AWS WAF was previously known as AWS Web Application Firewall.

AWS WAF Customers

eVitamins, 9Splay, Senao International

AWS WAF Video

AWS WAF Pricing Advice

What users are saying about AWS WAF pricing:
  • "We are kind of doing a POC comparison to see what works best. Pricing-wise, AWS is one of the most attractive ones. It is fairly cheap, and we like the pricing part. We're trying to see what makes more sense operation-wise, license-wise, and pricing-wise."
  • "It's cheap."
  • "It's quite affordable. It's in the middle."
  • "The pricing should be more affordable, especially as it pertains to small clients."
  • "AWS WAF is pay-as-you-go, I only pay for what I'm using. There is no subscription or any payment upfront, I can terminate use at any time. Which is an advantage."
  • "It has a variable pricing scheme."
  • "The price of AWS WAF is expensive if you do not know how to manage your software up or down. I price of the solution is average amongst the other competitors but it would be better if it was less expensive."
  • AWS WAF Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Rodrigo Garcia - PeerSpot reviewer
    Physical Designer at Semtech Corporation
    Real User
    Top 5
    Does what it is supposed to do, probably not in the best way and not in the best UI
    Pros and Cons
    • "The access instruction feature is the most valuable. This is what we use the most."
    • "It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful. It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one. Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right."

    What is our primary use case?

    The regular use case is basically for blocking or giving access to different vendors to different domains. We also use it for managing and identifying the attacks and new rules that we should implement for our public domains to tune up the application firewall or tool, whatever makes more sense for us.

    We're using it through the web console and API. We're just using the managed service.

    How has it helped my organization?

    Our organization is launching a lot of betas. We are creating a lot of new different systems for different customers. AWS WAF helps us a lot to make sure that the right customer gets the right access to the system.

    What is most valuable?

    The access instruction feature is the most valuable. This is what we use the most.

    What needs improvement?

    It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful.

    It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one.

    Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right.

    Buyer's Guide
    AWS WAF
    August 2022
    Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: August 2022.
    620,600 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using AWS WAF for about six months.

    What do I think about the stability of the solution?

    Stability-wise, it works as expected.

    What do I think about the scalability of the solution?

    I definitely see places where it can be more designed to scale. In addition to amazon resources, there is some stuff from other vendors that we wanted to protect. WAF was not a solution for us because we don't have a way to integrate with those things. That was the biggest challenge that we faced. In terms of the number of users, our end users could be in the thousands.

    How are customer service and support?

    It is okay.

    How was the initial setup?

    It was okay. We went for the cloud formation, and our deployments happen probably every week.

    What about the implementation team?

    Everything is managed through cloud formation. After implementation, three or four hours a week are required for maintenance.

    What's my experience with pricing, setup cost, and licensing?

    We are kind of doing a POC comparison to see what works best. Pricing-wise, AWS is one of the most attractive ones. It is fairly cheap, and we like the pricing part. We're trying to see what makes more sense operation-wise, license-wise, and pricing-wise.

    What other advice do I have?

    I won't recommend it at the moment because I don't have a full picture to recommend it or say that it is bad or good. I'll probably just keep testing and go with it for probably another six months or a year, and then I can probably recommend it or not. 

    Other vendors are also providing solutions for D-DOS protection and WAF. It would be nice to see something outside the box for AWS WAF to make it compete with other vendors.

    I would rate AWS WAF a seven out of ten. It does what it is supposed to do, probably not in the best way and not in the best UI, but it works. We like the pricing part, but management is the thing that we don't love the most. If things keep improving, we're definitely going to scale with AWS WAF.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Engineer at a renewables & environment company with 1,001-5,000 employees
    Real User
    Top 20
    A basic WAF with limited controls, but cheap and better than having no WAF in place.
    Pros and Cons
    • "As a basic WAF, it's better than nothing. So if you need something simple out of the box with default features, AWS WAF is good."
    • "We don't have much control over blocking, because the WAF is managed by AWS."

    What is our primary use case?

    At the moment, it's just myself working with AWS WAF in my company, and our use case for it is normal, or what you would expect from a Web Application Firewall. That includes basic DoS blocking and malicious IP address blocking. It's not a big thing for us, and just takes care of our baseline security.

    What is most valuable?

    As a basic WAF, it's better than having nothing. So if you need something simple out of the box with default features, AWS WAF is good.

    What needs improvement?

    I think there's a lot wrong with AWS WAF. Here are the two main areas where I think it could be improved:

    Blocking: We don't have much control over blocking, because the WAF is managed by AWS. What happens is that they will put down the rules on their side and we don't have proper visibility on that. So we'll have to track down the issues and see what is wrong or not. For example, with IP address blocking, it's difficult to find out which IPs are getting blocked. If we managed our own WAF completely, we wouldn't have this kind of problem. Right now, this aspect is half managed by us, and half managed by AWS. Because of this, I think it would be far more helpful to us if we went for our own tool instead.

    Automation: As in, a lot of separate blocks if something goes wrong. For example, every company will have their own rules for automation, in terms of their goals for the product. Like, "I want my WAF to do this. I want my WAF to do that." But that's the kind of thing that I think we will only see when we do some POCs with our clients. 

    For how long have I used the solution?

    I have been working with AWS WAF for around one year now. 

    What do I think about the stability of the solution?

    The performance has been good, even though it could be better. At any rate, the WAF has not caused any lag on our side.

    What do I think about the scalability of the solution?

    It is scalable in my experience, but the lack of features doesn't take it very far in terms of actual usage. Eventually, customers will move away from it. If there's no one interested in managing the WAF, that's fine, then customers may keep using it. But for us, we are not planning to scale it out further.

    How are customer service and support?

    AWS technical support is good.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The setup is easy and nothing serious. You don't have to do a lot to get set up with it. Compared to other WAFs out there, I think AWS WAF is very simple, especially since most of it is managed by AWS.

    What about the implementation team?

    We haven't needed anyone from AWS to help us with the deployment or implementation. It's all me at this point.

    What's my experience with pricing, setup cost, and licensing?

    It's less cost and easy to setup

    Which other solutions did I evaluate?

    There are multiple other options which we could have gone for, but it depends on the budget, typically. I am especially interested in a WAF which has serious support for automation and more complex configuration options.

    What other advice do I have?

    For people who don't have any WAF currently, and who just need something basic, it's not a bad idea to go with AWS WAF for starters. But if you are someone who is looking for a fully-fledged and self-managed WAF, you should look elsewhere for a better tool. You should certainly not stick with AWS WAF if you are serious about managing your security and mitigating your risks.

    Overall, I would recommend AWS WAF to others, but only under the conditions I have mentioned. If you have the budget and the resources, however, go for something else.

    I would rate AWS WAF a five out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    AWS WAF
    August 2022
    Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: August 2022.
    620,600 professionals have used our research since 2012.
    AWS Security Specialist at a tech services company with 501-1,000 employees
    Real User
    Top 20
    Easy to scale, flexible, quite efficient, and the geo-restriction capabilities are helpful
    Pros and Cons
    • "The most valuable features are the geo-restriction denials and the web ACL."
    • "On the UI side, I would like it if they could bring back the geolocation view on the corner."

    What is our primary use case?

    We use this solution for online web applications.

    What is most valuable?

    The most valuable features are the geo-restriction denials and the web ACL.

    I enjoy using it because it is very easy.

    Also, it's quite efficient.

    What needs improvement?

    The service itself is fine. On the UI side, I would like it if they could bring back the conditions view which had geo match, IP sets and etc. When using WAF classic you could see this option on the left side of the console. Currently IP sets and regex strings is there but geo match does not seem to be included, not sure if geo matching is still supported.

    For how long have I used the solution?

    I have been using AWS WAF for almost three years.

    We are using the newest version of AWS WAF, which is Version 2.

    What do I think about the stability of the solution?

    It's a stable solution. I have not experienced any issues.

    What do I think about the scalability of the solution?

    There are approximately 1,000 people who are using this solution on a daily basis.

    It is easy to scale. Just ensure that you cover the relevant resources within it. You can cover multiple resources such as CDN or use them in your AOD.

    It's quite scalable.

    How are customer service and technical support?

    I have not contacted technical support.

    Which solution did I use previously and why did I switch?

    I have always used AWS. It's been the focus for the last three years.

    How was the initial setup?

    The initial setup was simple.

    It took less than an hour to deploy.

    What about the implementation team?

    The implementation was completed internally.

    What's my experience with pricing, setup cost, and licensing?

    It's quite affordable. It's in the middle.

    Everything is included with the usage that you take up when you implement the service.

    What other advice do I have?

    The product does not require any maintenance. You need to ensure how you consider your rules. You have to make sure that all of your considerations for your protection are done really well. Do regular updates to improve on the different threats and intrusion.

    I would recommend the product because it is very flexible and you are able to use it with multiple services within AWS.

    I would rate AWS WAF a solid ten out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Solution Architect at a non-profit with 10,001+ employees
    Real User
    Top 20
    A stable solution, but installation, navigation and configuration are overly complex and the price is not efficient for small customers
    Pros and Cons
    • "The solution is stable."
    • "While the complexity of the installation can vary from one service to another, overall, I would say that it and the configuration and navigation are somewhat complex."

    What is our primary use case?

    While I cannot say for certain, I believe that we are using the latest version. 

    What is most valuable?

    I like the scalability, as it provides platform, infrastructure and software as a service. These are the best features. When it comes to the API Gateway, such as Amazon Web Application Framework, the web application will be protected by all industry standard security aspects. We are talking about encryption, firewalls, SSL and TLS. Basically, all web exploit policies and rules will be applied, so that one's web or mobile app can be highly secured.

    In terms of hosting the instances, the solution takes care of all necessary scaling to ensure that the application load is balanced. The horizontal or vertical scaling can be automatically removed. As such, AWS provides many services and features. 

    What needs improvement?

    The pricing should be more affordable, especially as it pertains to small clients. 

    While the complexity of the installation can vary from one service to another, overall, I would say that it and the configuration and navigation are somewhat complex. These could stand improvement and bring down my rating of the product. 

    Customer support should also be improved. 

    For how long have I used the solution?

    I have been using AWS WAF for around two years. 

    What do I think about the stability of the solution?

    The solution is stable. 

    What do I think about the scalability of the solution?

    The solution is scalable. 

    How was the initial setup?

    While it can vary according to the service involved, installation, configuration and navigation are, broadly speaking, complex. 

    What's my experience with pricing, setup cost, and licensing?

    The solution could be more cost-efficient for small customers. 

    What other advice do I have?

    The solution may be expensive for smaller customers and vendors, although it would be recommended for large ones who can afford it. 

    Our organization has only a few years, consisting of the internal team, who are making use of the solution. 

    I rate AWS WAF as a six out of ten. 

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Principal Cloud Architect at a tech services company with 51-200 employees
    Real User
    Top 20
    Beneficial cloud service, flexible on-demand features, but requires better security
    Pros and Cons
    • "The most valuable features of AWS WAF are its cloud-native and on-demand."
    • "The solution could improve by having better rules, they are very basic at the moment. There are more attacks coming and we have to use third-party solutions, such as FIA. The features are not sufficient to prevent all the attacks, such as DDoS. Overall the solution should be more secure."

    What is our primary use case?

    We use AWS WAF to prevent cyberattacks, such as SQL Injection attacks and cross-site scripting attacks. The end users' traffic has more threats and the web application gives good support.

    What is most valuable?

    The most valuable features of AWS WAF are its cloud-native and on-demand.

    Any customer can leverage AWS WAF immediately, it has a basic set of rules that are available.

    What needs improvement?

    The solution could improve by having better rules, they are very basic at the moment. There are more attacks coming and we have to use third-party solutions, such as FIA. The features are not sufficient to prevent all the attacks, such as DDoS. Overall the solution should be more secure.

    For how long have I used the solution?

    I have been using AWS WAF for approximately four years.

    What do I think about the stability of the solution?

    This is a very stable solution.

    What do I think about the scalability of the solution?

    AWS WAF is scalable.

    We have approximately five customers using this solution.

    How are customer service and support?

    The technical support is very good. They are responsive and knowledgeable, they have always come back with a resolution or a workaround to help us.

    How was the initial setup?

    The initial setup took approximately 15 mins, it is easy.

    What about the implementation team?

    We have a team that does the support for the solution.

    What's my experience with pricing, setup cost, and licensing?

    AWS WAF is pay-as-you-go, I only pay for what I'm using. There is no subscription or any payment upfront, I can terminate use at any time. Which is an advantage.

    What other advice do I have?

    The first version of AWS WAF was not mature but the second version is very mature.

    I would recommend this solution to others because instead of choosing a third-party solution which will take time, and you will have to be in negotiations. It is good to start with AWS WAF for their minimal primary security firewall to save their workload. AWS WAF is available on-demand from day one.

    I rate AWS WAF a seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    President at a tech services company with 1-10 employees
    Real User
    Top 10
    It is a scalable, stable solution but needs simpler setup and pricing schemes.
    Pros and Cons
    • "Its best feature is that it is on the cloud and does not require local hardware resources."
    • "The pricing model is complicated."
    • "The setup is complicated."

    What is our primary use case?

    My whole business is cloud cost management. What I do is help people manage expenses. That encompasses everything from cleaning up software as a service subscriptions to optimizing AWS. My use cases for AWS WAF have to do with cloud research only.  

    What is most valuable?

    The best part about it is that it is a cloud solution.  

    What needs improvement?

    The complexity of deploying turnkey solutions could be simplified.  

    They actually have too many different things that you can tinker with and too many different ways to do the same thing. It may be helpful if the product were to be more directed and if it used best practices with technical and non-technical users in mind.  

    For how long have I used the solution?

    We have been using WAF (Web Application Firewall) for six months.  

    What do I think about the stability of the solution?

    WAF is very stable.  

    What do I think about the scalability of the solution?

    I believe WAF is very scalable.  

    We have only two staff in our organization who are using AWS WAF.  

    How are customer service and technical support?

    Technical support is more-or-less fair. That is where most technical support falls these days.  

    How was the initial setup?

    The initial setup is really sorta complex. That is something which could probably be made easier.  

    What's my experience with pricing, setup cost, and licensing?

    The licensing costs are variable. For me, it is under a hundred dollars a month.  

    The range of your costs with Amazon Web Services is going to be different depending on a lot of factors. It can go as low as actually being free all the way up to millions of dollars. It depends on the organization and how the service is used.  

    What other advice do I have?

    On a scale of one to ten where one is the worst and ten is the best, I would rate this product as a seven-out-of-ten. A change in the pricing structure that favors the client and simplification is something they would have to do to improve to make that score closer to a ten.  

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    AdviseIT67 - PeerSpot reviewer
    Cloud Architect at Tata Consultancy Services
    Real User
    Helps secure applications, highly stable, and good support
    Pros and Cons
    • "The most valuable feature of AWS WAF is the extra layer of security that I have when connecting to my web applications."
    • "AWS WAF could improve by making the overall management easier. Many people that have started working with AWS WAF do not have an easy time. They should make it easy to use."

    What is most valuable?

    The most valuable feature of AWS WAF is the extra layer of security that I have when connecting to my web applications.

    What needs improvement?

    AWS WAF could improve by making the overall management easier. Many people that have started working with AWS WAF do not have an easy time. They should make it easy to use. 

    The AWS WAF documentation sometimes is not clear and could improve for all levels of people using the solution, such as developers. The interface could be easier to use.

    For how long have I used the solution?

    I have been using AWS WAF for approximately three years.

    What do I think about the stability of the solution?

    AWS WAF is a highly stable solution.

    What do I think about the scalability of the solution?

    We have approximately 35 applications that are using the AWS WAF.

    How are customer service and support?

    The support from AWS WAF is good, I have used them often. 

    Which solution did I use previously and why did I switch?

    I was previously using Cisco and I switched to AWS WAF because I was working mostly with cloud environments and needed more services. Additionally, I have used Microsoft Azure.

    How was the initial setup?

    The initial setup is AWS WAF complex. The steps to complete the implementation could be easier, such as making the web traffic go through the WAF and then through the web service. The information for connectivity could be documented or done easier. The whole process can take approximately 20 minutes.

    What's my experience with pricing, setup cost, and licensing?

    The price of AWS WAF is expensive if you do not know how to manage your software up or down. I price of the solution is average amongst the other competitors but it would be better if it was less expensive.

    What other advice do I have?

    My advice to others is they should give AWS WAF a try. It works well, secures the applications, and it improves them against attacks.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Harkamal-Singh - PeerSpot reviewer
    Solution architect at NTT
    Real User
    Top 5
    Protects web applications against attacks; stable and scalable firewall with a straightforward setup
    Pros and Cons
    • "Stable and scalable web application firewall. Setting it up is straightforward."
    • "Technical support for AWS WAF needs improvement."

    What needs improvement?

    Support for AWS WAF needs improvement.

    For how long have I used the solution?

    I've been using AWS WAF for a very short period, e.g. just a few weeks.

    What do I think about the stability of the solution?

    I find AWS WAF to be a stable product.

    What do I think about the scalability of the solution?

    AWS WAF is a scalable product.

    How are customer service and support?

    Technical support for AWS WAF could still be improved, e.g. support could be faster, more knowledgeable, and friendlier.

    How was the initial setup?

    The initial setup for AWS WAF was straightforward. It could take between two days to two weeks.

    What about the implementation team?

    We implemented AWS WAF through our in-house team and a consultant.

    What other advice do I have?

    I've been using a mix of AWS products, including AWS WAF.

    I'm satisfied with AWS WAF, and I've had no issues with it. I can't really find fault in the product. It's a good product.

    We have hundreds of AWS WAF users within our company. We also have plans of increasing the number of users of the product.

    The advice I would give to people who want to start using AWS WAF is that it's a good option if they're migrating to the cloud. It can take up a lot of legacy systems, e.g. it's scalable. Most of my customers are on the cloud, and for anyone who's struggling, it would be good to start anytime. Start small and scale, rather than just going fully onto the cloud.

    Users need to pay for the product license.

    My rating for AWS WAF is eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free AWS WAF Report and get advice and tips from experienced pros sharing their opinions.
    Updated: August 2022
    Buyer's Guide
    Download our free AWS WAF Report and get advice and tips from experienced pros sharing their opinions.