OCI/AWS Consultant at a government with 11-50 employees
Real User
Top 5 Leaderboard
Nov 17, 2024
Straightforward to set up but expensive and could be more efficient
Pros and Cons
  • "AWS WAF acts as a barrier, analyzing HTTP communications between external users and web applications."
  • "There is a lot of innovation talk, however, implementation might be lacking."

What is our primary use case?

AWS WAF is a firewall that protects web applications by filtering and monitoring HTTP traffic between web applications and the network. I use it for protecting infrastructure that has sensitive data, including personal identification information like Social Security numbers. AWS WAF promotes the security of this data by preventing leakage.

How has it helped my organization?

AWS WAF helps to protect sensitive data and customer records.

What is most valuable?

AWS WAF acts as a barrier, analyzing HTTP communications between external users and web applications. It gives flexibility in HTTP communication, which is a feature I like.

What needs improvement?

AWS doesn't need improvement with AWS WAF. However, there may be room for improvement in RDS services and EKS services. The purpose of AWS WAF is clear: whether it allows or blocks connections, its goal is to ensure the safety and security of private subnets.

Buyer's Guide
AWS WAF
December 2025
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,422 professionals have used our research since 2012.

For how long have I used the solution?

AWS WAF has been used for almost five years, starting with a proof of concept in 2019.

What do I think about the stability of the solution?

AWS WAF is stable. There have not been significant issues, and it functions like a firewall.

What do I think about the scalability of the solution?

AWS is questioned for how much scalability can be achieved in terms of vCPUs and handling capacity, yet AWS WAF itself handles the configurations well.

How are customer service and support?

Amazon's support is mixed. Technically knowledgeable people are part of the support team. That said, there are promises made, especially during sales pitches, that often don't match reality. There is a lot of innovation talk, yet implementation might be lacking.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

A proof of concept was done with AWS and Oracle Cloud Infrastructure (OCI), even though OCI offered better efficiency and cost benefits.

How was the initial setup?

Setting up AWS WAF is straightforward; you create a subnet VPC and attach it, which is simple.

What's my experience with pricing, setup cost, and licensing?

For Kubernetes microservices, AWS is more expensive compared to OCI. AWS costs approximately 70 cents per hour, while OCI is 50% cheaper. AWS pricing perspective is considered expensive, especially for Kubernetes and RDS. OCI offers lower costs with better efficiency.

Which other solutions did I evaluate?

Oracle Cloud Infrastructure (OCI) was evaluated alongside AWS, and while OCI was preferred for efficiency and cost benefits, AWS was selected due to governmental requirements.

What other advice do I have?

Technological understanding is crucial for AWS products like AWS WAF. This understanding separates out the simple setup process from understanding the underlying complex mechanisms.

I'd rate the solution four out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer.
reviewer2143125 - PeerSpot reviewer
Director of Security Architecture at a healthcare company with 10,001+ employees
Real User
Top 20
Jul 27, 2024
Helps to protect web applications and web traffic but needs improvements in usability and functionality
Pros and Cons
  • "We integrate AWS WAF with several platforms within cloud hosting and other security solutions and provisions in our business. Regarding AI, it's been around for about 20 years, so it's not new. It's just a new buzzword. I've been in security for 30 years and remember using AI when I started 25-30 years ago. We have multiple forms of AI within our business."
  • "I'd like to see improvements in its usability and functionality. I'm also concerned about being too dependent on the cloud provider's WAF version. For security, using multiple vendors and not putting all our eggs in one basket is better."

What is our primary use case?

I use AWS WAF to protect web applications and web traffic. It handles application input and throughput - typical web application firewall tasks.

What is most valuable?

We integrate AWS WAF with several platforms within cloud hosting and other security solutions and provisions in our business. Regarding AI, it's been around for about 20 years, so it's not new. It's just a new buzzword. I've been in security for 30 years and remember using AI when I started 25-30 years ago. We have multiple forms of AI within our business.

What needs improvement?

We're considering replacing it shortly, so I've looked at alternatives like Aqua and others.

I'd like to see improvements in its usability and functionality. I'm also concerned about being too dependent on the cloud provider's WAF version. For security, using multiple vendors and not putting all our eggs in one basket is better.

The functionality I'd like to see improved is mainly around the applications and cloud integration elements.

For how long have I used the solution?

I have been working with the product for three years. 

What do I think about the stability of the solution?

We haven't encountered any stability issues. 

What do I think about the scalability of the solution?

The solution is scalable and my company has 30,000 users. 

How are customer service and support?

The solution's support is quite good and fair.

Which solution did I use previously and why did I switch?

I see several pros and cons when I compare AWS WAF to other WAF products. The main advantages are that the AWS Firewall functionality integrates well, it's easy to deploy and select, and the implementation is straightforward. The integration with AWS is also very good. However, the main drawback is that while it works well in the AWS environment, it doesn't necessarily work as well for other cloud or on-premise setups.

How was the initial setup?

The initial setup of the AWS WAF solution always has complexities, regardless of which solution you choose. Our organization is multi-tenant, multi-hosted, multi-cloud, multi-located, and international, so we always face challenges during implementation. No matter how good the product is, there will always be challenges.

For implementation, we usually follow a TOGAF model for project planning. Sometimes, we use a waterfall approach, but we stick to TOGAF mostly. Some parts of the business use Agile, but I don't typically use Agile for WAFs.

From a maintenance perspective, AWS WAF isn't any more difficult to maintain than other solutions. I've had experience with nearly all the WAFs out there, and they're all pretty much the same in terms of maintenance, regardless of the service provider.

What other advice do I have?

I rate the overall solution a six out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Abdul Qayyum - PeerSpot reviewer
Software Architect at a tech services company with 51-200 employees
Real User
Top 5
Apr 22, 2024
Offers a highly configurable rules system and solid stability
Pros and Cons
  • "The most valuable feature of AWS WAF is its highly configurable rules system."
  • "One area for improvement in AWS WAF could be the limitation on the number of rules, particularly those from third-party sources, within the free tier."

What is our primary use case?

AWS WAF is primarily used to prevent intrusion into web applications. You can also use it to protect virtual machines within the AWS cloud. The main process involves creating rules to block common threats like SQL injection and cross-site scripting. These rules can be selected from built-in options. After configuring the firewall settings, you create a target group and attach your web application to it. The firewall filters incoming traffic based on the selected rules, blocking any suspicious activity.

What is most valuable?

The most valuable feature of AWS WAF is its highly configurable rules system. You can set up rules based on specific criteria like SQL injection, general web threats, and even advanced features like DDoS protection and region-based blocking. The richness of available rules, including options for custom rule configurations from third-party partners, enhances its effectiveness.

What needs improvement?

One area for improvement in AWS WAF could be the limitation on the number of rules, particularly those from third-party sources, within the free tier. Users may face budget constraints when trying to implement additional rules beyond the free tier limit.

What do I think about the stability of the solution?

AWS WAF is stable, but I haven't tested it extensively with high request volumes.

What do I think about the scalability of the solution?

In our IT organization, the usage of AWS varies by project, with approximately 50-60% of projects using AWS or Cloudflare. For our internal websites like BroadWorks.com, we use Cloudflare, while for client projects, about 60-70% make use of AWS WAF.

How was the initial setup?

Setting up AWS WAF for initial installation was relatively straightforward, even for someone without extensive DevOps experience like myself. While it wasn't overly complex, it also wasn't overly simple. With the help of AWS documentation and resources, I was able to complete the setup within two to three days.

What's my experience with pricing, setup cost, and licensing?

Whether AWS WAF is worth the monthly investment of $50 to $60 depends on your budget and preferences. While AWS WAF offers robust features, there are also free tools available like ModSecurity that require more configuration but can still provide adequate protection.

Which other solutions did I evaluate?

While AWS is a top choice, Cloudflare is also considered for smaller projects due to pricing. Overall, AWS WAF offers reasonable features compared to competitors like Cloudflare, GCP, and Azure.

What other advice do I have?

Before using AWS WAF for the first time, it is important to consider where your infrastructure is hosted and where you want to implement the firewall. If you are already on AWS, AWS WAF would naturally be a suitable choice. Determine the level of security required based on your application's domain, such as financial applications needing more stringent security measures. Select appropriate rules for your use case, considering both conventional web rules and AWS Shield for critical applications. Additionally, after setting up AWS WAF, conduct thorough testing using vulnerability scanners like ThoughtSpot, Acunetix, or Nessus to ensure the effectiveness of your setup.

For beginners with around six months to a year of AWS experience, learning to use AWS WAF shouldn't be too difficult. However, integrating it with web applications across different cloud platforms might pose some challenges. Overall, experienced AWS users should find it manageable, while beginners may need some time to get used to it.

Overall, I would rate AWS WAF as a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Manikandan-R - PeerSpot reviewer
Senior Project Manager at a tech vendor with 10,001+ employees
Real User
Top 5
Mar 18, 2024
Sends useful alerts and enables automating tasks by creating rules
Pros and Cons
  • "Rule groups are valuable."
  • "We must monitor and clean up the WAF manually."

What is our primary use case?

We use Managed Rules mostly.

How has it helped my organization?

ALB is integrated with WAF. When ALB spikes up, we know there’s something wrong. Usually, bots attack the applications.

What is most valuable?

Rule groups are valuable. We use it for DDoS. We do customizations with the help of Managed Rules in AWS. We use AWS WAF’s API to automate security tasks. The rule creation is similar to automation. We have enough understanding of how things work. It’s been one year since we have automated the tasks.

What needs improvement?

There are some limitations. We can add a maximum of four rate-based rules to the rule group. We must monitor and clean up the WAF manually. We cannot create rules if it goes above four. It requires manual intervention. We have to check, clean, and maintain it regularly. We do not want to do it. We are willing to pay extra if it can be improved. We need additional features so we do not have to do manual interventions.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

We do not have any problems with the tool’s functionalities.

What do I think about the scalability of the solution?

We are very happy about the product’s scalability. We did not face any issues. My organization is an enterprise.

How are customer service and support?

We have a partnership. We can contact the consultants whenever we need anything. We don't have any problem with the support team.

How would you rate customer service and support?

Positive

How was the initial setup?

The installation was not difficult. We have a separate team to deploy the solution in our organization. We do not face any issues with maintenance.

What other advice do I have?

All our infrastructure is on AWS. My organization has been using AWS for the last eight years. Mid-size companies use ALB. We also use AWS Shield. Sometimes, we get alerts from AWS Shield. Our internal tools also send us alerts. We're completely on AWS. We do not integrate it with any other tool. Overall, I rate the product an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Aditya Mehta - PeerSpot reviewer
Director at a consultancy with 51-200 employees
Real User
Top 10
Nov 28, 2023
An easy-to-use and easy-to-configure solution that provides high stability
Pros and Cons
  • "AWS WAF is very easy to use and configure on AWS."
  • "It would be good if the solution provided managed WAF services."

What is our primary use case?

When customers onboard a web application and want a WAF to protect it, they ask us to configure AWS WAF for them.

What is most valuable?

AWS WAF is very easy to use and configure on AWS. It is easy to make rules and very fast to set it up on AWS.

What needs improvement?

AWS WAF provides only basic protection, and they should provide more features like other third-party competitors. The world is now moving towards managed services. It would be good if the solution provided managed WAF services. If AWS WAF could detect that some attack is about to happen and alert the user, we can write some rules and stop that from happening.

For how long have I used the solution?

I have been using AWS WAF for five years.

What do I think about the stability of the solution?

We have never faced any stability issues with AWS WAF.

I rate AWS WAF ten out of ten for stability.

What do I think about the scalability of the solution?

AWS WAF is more suited for small and medium businesses.

I rate AWS WAF a nine out of ten for scalability.

How was the initial setup?

The solution’s initial setup is simple.

What's my experience with pricing, setup cost, and licensing?

AWS WAF has reasonable pricing.

Which other solutions did I evaluate?

Third-party competitors like F5 and Imperva have more features than AWS WAF.

What other advice do I have?

Overall, I rate AWS WAF a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Group IT Manager
Real User
Top 10
Feb 7, 2024
A highly stable product that provides a good interface and is easy to configure
Pros and Cons
  • "The interface is good."
  • "The price could be improved."

What is our primary use case?

We use the solution to secure our public web server and run our document management process. We have service-oriented web servers and interactive web servers.

What is most valuable?

Custom rules are valuable to us. We have country-specific rules that we apply. The solution meets all our requirements. We never had a problem with the tool. The interface is good. We never had downtime. The solution does its job.

What needs improvement?

The price could be improved.

For how long have I used the solution?

I have been using the solution for more than two years.

What do I think about the stability of the solution?

The tool is highly stable.

What do I think about the scalability of the solution?

The tool is highly scalable. Almost all AWS products are highly scalable. I am the only user in my organization. The solution is running regularly. We check the logs whenever we have some issues. We do not include it in our security management system. It's a very small application. We use it to manage some documents.

How was the initial setup?

The initial setup is easy. The deployment took an hour. The setup and maintenance are easy. We do not face any issues with configuration.

What about the implementation team?

We deployed the solution in-house.

What's my experience with pricing, setup cost, and licensing?

The solution is reasonably priced.

What other advice do I have?

We never had DDoS attacks. We do not check logs deeply. The service is a very small portion of our application server. It is not a business-critical service. We check logs only when we have any performance or connectivity issues. Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Aravind D - PeerSpot reviewer
Senior Cloud Engineer at a wholesaler/distributor with 10,001+ employees
Real User
Oct 12, 2023
A stable and reasonably priced solution that protects organizations from hackers and other security threats
Pros and Cons
  • "If hackers try to insert bugs, the tool blocks it."
  • "It will be helpful if the product recommends rules that we can implement."

What is our primary use case?

We use the product to protect the environment from DDoS and SQL injection attacks. We implement WAF in the public site.

What is most valuable?

WAF filters based on IPs. If hackers try to insert bugs, the tool blocks it.

What needs improvement?

Google uses an AI tool to provide insights about rules. It will be helpful if the product recommends rules that we can implement.

For how long have I used the solution?

I have been using the solution for six years.

What do I think about the stability of the solution?

The tool is stable.

What do I think about the scalability of the solution?

AWS takes care of the product's scalability, security, and performance. We do not have to maintain it.

Which solution did I use previously and why did I switch?

Google’s console is minimalistic. It provides AI tools that help us create rules.

How was the initial setup?

The deployment is very easy. It takes around five minutes. WAF plays an important role in the network. We need to implement WAF in the first level of security. We can implement it with the help of a console. We need one person to deploy the tool.

What's my experience with pricing, setup cost, and licensing?

We pay $0.8 per hour. The product’s pricing is reasonable.

What other advice do I have?

When we faced a DDoS attack before, we were not able to find the logs to identify the source of the attack. People who want to use the solution must have a basic knowledge about different attacks. Using the solution is easier if we know how the attacks happen. Overall, I rate the product a ten out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Technology Officer at a tech services company with 51-200 employees
Real User
Jan 1, 2023
An easy-to-manage, menu-driven solution with no coding
Pros and Cons
  • "The web solution effectively protects from vulnerabilities and cyber attacks."
  • "The solution should identify why it blocks particular websites."

What is our primary use case?

Our company uses the solution with F5 to secure applications from the injection, the track, and vulnerabilities. 

We use the built-in solution provided by SGO for the web. 

What is most valuable?

The web solution effectively protects from vulnerabilities and cyber attacks. 

The solution is menu driven and operates with no coding.

It is easy to manage and use the solution. 

What needs improvement?

The solution should identify why it blocks particular websites. The solution performs high-level blocks but doesn't provide very much detail. For example, a particular IT is blocked due to a vulnerability but we are not able to identify the reason for the block. Our developers or IT staff need to be able to identify vulnerabilities to fix applications. 

We would like output that tracks how many concurrent requests come through a particular application gateway, the response times for requests, and the latency parameters. 

For how long have I used the solution?

I have been using the solution for two years. 

What do I think about the stability of the solution?

The solution is very stable so I rate stability a ten out of ten. 

How was the initial setup?

The setup is easy so I rate it a nine out of ten. 

What about the implementation team?

We implemented through a third party and it only took a few minutes. 

What's my experience with pricing, setup cost, and licensing?

The pricing is good and manageable. I rate pricing a ten out of ten. 

What other advice do I have?

I recommend the solution for protecting web applications. 

I rate the solution a ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.