AWS WAF Reviews

We use the solution to secure our public web server and run our document management process. We have service-oriented web servers and interactive web servers.

Custom rules are valuable to us. We have country-specific rules that we apply. The solution meets all our requirements. We never had a problem with the tool. The interface is good. We never had downtime. The solution does its job.

The price could be improved.

I have been using the solution for more than two years.

The tool is highly stable.

The tool is highly scalable. Almost all AWS products are highly scalable. I am the only user in my organization. The solution is running regularly. We check the logs whenever we have some issues. We do not include it in our security management system. It's a very small application. We use it to manage some documents.

The initial setup is easy. The deployment took an hour. The setup and maintenance is easy. We do not face any issues with configuration.

We deployed the solution in-house.

The solution is reasonably priced.

We never had DDoS attacks. We do not check logs deeply. The service is a very small portion of our application server. It is not a business-critical service. We check logs only when we have any performance or connectivity issues. Overall, I rate the product a nine out of ten.

We use the solution for our applications. We have deployed multiple applications on the AWS platform. We use the tool to provide additional security to our applications.

The product’s availability, ease of configuration, and documentation are valuable.

The product has fewer features. It didn’t fulfill all our requirements when we installed it. It is getting better now, though. The product must provide more features.

I have been using the solution for a few years.

I rate the product’s stability a nine out of ten.

The product is highly scalable and highly available. I rate the scalability a nine out of ten. We have deployed three applications. We have two administrators for our infrastructure. The number of users varies according to our customers. We provide the user interface to our customers.

The technical support team is good. The support persons provide prompt responses. They are always available and provide solutions to our queries.

Positive

The setup is very easy. We have proper documentation, so we have no issues. We have deployed the tool for additional security. It is a cloud solution. We need two members from the cloud infrastructure team and eight from the application support team for the deployment and maintenance of the tool.

We deploy the tool ourselves.

The solution provides an additional layer of security.

The solution is affordable.

If a company needs an additional layer of security, it can use AWS WAF. I recommend the product to others. Overall, I rate the product a ten out of ten.

We partner with many banks in India, and many partners use our portals to access their credit card or debit card information. So we use AWS WAF to protect our web application servers, app servers, and API servers from any malicious attacks which arise from the public internet. We also use AWS WAF for virtual patching of our servers to prevent any malicious requests from reaching the gateway to our internal systems.

I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through. 

It would be better if AWS WAF were more flexible. For example, if you take a third-party WAF like Imperva, they maintain the rule set, and these rule sets are constantly updated. They push security insights or new rules into the firewall. However, when it comes to AWS, it has a standard set of rules, and only those sets of rules in the application firewalls trigger alerts, block, and manage traffic.

Alternative WAFs have something like bot mitigation or bot control within the WAF, but you don't have such things in AWS WAF. I will say there could have been better bot mitigation plans, there could have been better dealer mitigation plans, and there could be better-updated rule sets for every security issue which arises in web applications.

In the next release, I would like to see if AWS WAF could take on DDoS protection within itself rather than being in a stand-alone solution like AWS Shield. I would also like a solution like a bot mitigation.

I have been using AWS WAF for a couple of years.

We haven't faced any issues over the past couple of years, so I believe AWS WAF is a stable product.

Since we are AWS-native, it's very scalable. It can handle almost any infrastructure running within the AWS public cloud. We have around 20 portals, and about 20 products usually use AWS WAF. I'll say that about 15 people use AWS WAF to manage the traffic and filter out security issues. Those people are security analysts, SOC analysts, and layer 1 network analysts.

In our business use case, sometimes it has triggered a false positive where it blocks some of our legitimate traffic. So we contact support to ask if this is legitimate and if we have to implement a new rule or if we have to allow such traffic and not mark it as a false positive. We have contacted them only for such occasions, and their support was really good.

On a scale from one to five, I would give technical support a four.

Positive

The initial setup was very simple. It's just a click of a button.

We already have web applications running on an AWS account, so it probably took about two minutes to implement this solution.

For our infrastructure, we probably pay around $16,000 per month for AWS WAF. Because alternative WAF solutions provide even more features, I think the AWS WAF is a bit pricey

I would say that I think it's easy to use, easy to deploy, and has all the basic WAF features. It has no advanced features like bot mitigation or DDoS protection built-in. If it had bot mitigation or advanced security filter patching features, I would probably give it a higher rating, like a nine.

On a scale from one to ten, I would give AWS WAF a seven.

We are using it to monitor the requests on our site, to block sudden surges of users on our website, and also to prevent DDoS attacks.

The addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules.

One area that could be improved is the DDoS protection. We had a DDoS attack recently, and even though we had set a limit of 1,000 requests per five minutes, AWS WAF was not able to block all of the requests.  

AWS wasn't able to clarify all the DDoS attacks. It may have been due to a wrong configuration in the rules, but AWS didn't block all the requests.

It's been deployed in a project for one year.

I would rate the stability a ten out of ten. It is a very stable solution. There are over 16 end users using the solution. 

I would rate the scalability a nine out of ten. There is room for improvement. 

The initial setup is easy. You don't need to do too many things. 

The deployment was done manually on the console, there is no need of propriety.  It took around an hour and half. 

The pricing totally depends on the number of requests entering the WAF. For example, in case we have a DDoS type of attack, at that time, the price will surge quickly. For example, it will go up to two hundred dollars within three to four days. So it totally depends on the number of requests it is processing.

There are additional costs to the standard license because it totally depends on the number of incoming requests.

Overall, I would rate the solution an eight out of ten. 

I would recommend that understanding how the rules work exactly and finding patterns based on those rules is the most important thing in AWS WAF. It's quite easy to deploy at first, but afterward, it's essential to know how to handle it properly. Enabling the managed tools of AWS can sometimes block legitimate requests too. So, it's important to understand the type of requests you want to allow and how to configure the rules accordingly. It's quite an interesting aspect of AWS WAF.

When customers onboard a web application and want a WAF to protect it, they ask us to configure AWS WAF for them.

AWS WAF is very easy to use and configure on AWS. It is easy to make rules and very fast to set it up on AWS.

AWS WAF provides only basic protection, and they should provide more features like other third-party competitors. The world is now moving towards managed services. It would be good if the solution provided managed WAF services. If AWS WAF could detect that some attack is about to happen and alert the user, we can write some rules and stop that from happening.

I have been using AWS WAF for five years.

We have never faced any stability issues with AWS WAF.

I rate AWS WAF ten out of ten for stability.

AWS WAF is more suited for small and medium businesses.

I rate AWS WAF a nine out of ten for scalability.

The solution’s initial setup is simple.

AWS WAF has reasonable pricing.

Third-party competitors like F5 and Imperva have more features than AWS WAF.

Overall, I rate AWS WAF a nine out of ten.

For AWS WAF, currently, we use this new application. This is another service provided by AWS for the sales business, and it's used for education. So, AWS WAF works in conjunction with AWS Cognito.  We observe this when there's some kind of bot attempting to access our application or when you're trying to use a bot as a control mechanism to transcribe or manage a high volume of traffic through our endpoints. 

AWS WAF manages both human traffic and bot-controlled traffic, and it can redirect you to a catch-up mechanism or sometimes simply for use. So, we've implemented different kinds of mechanisms within AWS WAF.

We use it in the production environment. From time to time, we can see the metrics for the generated traffic on both the WAF and the infrastructure

These metrics are presented on the dashboard. We review this information and conclude that regular monitoring, along with dashboard evaluations, reaffirms the effectiveness of the system. This allows us to ensure that the investment we're making is justified and worthwhile.

The most valuable feature is that it is very easy to configure. It just takes a couple of minutes. 

There is room for improvement in pricing. 

The pricing for each rule group is a bit too high. It's a monthly subscription, and it can get quite expensive for rules that I won't use for my application. For example, I might create a rule group that costs $10, and I only use one of the rules in the group. That's $10 for a rule that I'm not even using! So, the pricing could be more flexible, or there could be a way to get discounts for unused rules.

So, AWS WAF should have a pay-as-you-go pricing model, where I can only pay for the rules that I use. 

I have been using this solution for three years. 

It is a stable solution to some extent.

For my use cases, it is a scalable solution. There are less than 2,000 end users using this solution in our organization.

I reached out to support when I was setting it up initially, I had some questions. And we have some kind of first-line support with AWS. So I reached out to them whenever I had questions.

However, the support depends on the support we are paying for. The support we are paying for is cheap support. I'm on the standard support plan, so my SLA is four hours. There's a phone queue, so I can't always get through right away. But the support engineers are knowledgeable and can usually point me in the right direction. 

Neutral

The initial setup is fairly easy. AWS does everything for us—just some clicks. 

There is no maintenance required. AWS also upgrades new offerings. AWS does all these things. Like, it does why it's very expensive.  And they give us the metrics.

Just evaluate these simple things you need. And don't try to put too many features at the beginning because you might not need them. Every application is designed differently. 

Every business and customer is also very different, so if your application is more susceptible to some kind of engineering traffic then it's going to be very expensive.

Overall, I would rate the solution an eight out of ten. 

AWS WAF is a tool we use in my company since we don't currently have a firewall. We can be safer if we have a firewall, and the receive protection side can avoid any vulnerability attacks.

AWS WAF is a firewall we use from time to time in my company.

I don't think any improvement is needed in AWS WAF.

As technology develops and grows, AWS WAF will have to improve as a product.

AWS WAF should provide better protection to its users, and the security features need to improve.

I have been using AWS WAF for six years. There is no specific version of the product since the vendor provides the services for the solution, and my company just uses it.

AWS WAF is a stable solution. The performance of the solution is very good.

Stability-wise, I rate the solution a ten out of ten.

My company doesn't rely on AWS WAF's scalability since it's a tool that is totally on the cloud. If the tool goes down by any chance, AWS provides the solution on the steps that need to be taken.

Around 30 employees in my company use AWS WAF.

The product is not extensively used in my company.

My company has no plans to increase the number of users of AWS WAF. If our client wants to increase the number of users, we need to act on the server.

The solution's technical support is good.

The product's setup phase was pretty easy.

Sharing the code files and database configurations are the two steps we follow for deploying the product.

The product's setup phase was carried out in-house.

There are no separate licensing costs we pay for since it is included in the plan we purchase.

AWS WAF has been releasing the product on a test-case basis.

It's always good to take precautionary methods for the production website. If everything goes fine, do work in your staging and UAT, not in the production part. The aforementioned details are the precautionary methods we have to follow.

Overall, I rate the solution a ten out of ten.

We primarily use the solution for its rich insights to improve customer experience.

The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match.

The AI functionality and the machine learning are very good.

The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively.

The solution is very stable.

The solution is extremely scalable.

We have Amazon managed services, and, as part of our agreement, we have the lower end of that managed service. The solution is not a business-critical system for us, so we have a four hour SLA for resolution. That's pretty good. We're very satisfied with technical support.

Previous to this solution, we used Microsoft Azure.

Amazon allows you to provision more services once you have the initial platform in place. Using Amazon Marketplace, it's so simple to provide additional services and functionality so it allows you to grow the capability of the platform with very little integration into other systems because it's all built into the marketplace. With Azure, it's only capable of some products and they don't have APIs available to integrate as well as Amazon does. 

The initial setup was straightforward. Deployment took about three months. For the setup of the platform, we had six people. For the maintenance of the platform, we now have three people maintaining it.

We brought Amazon on to set everything up for us. They made implementation very easy. 

We use the public cloud deployment model. We use the Amazon cloud.

From a technology perspective, Amazon is very simple. It requires, in order for it to run effectively, quite a mature cloud-based culture within your organization, however. My advice to others would be to get their operating model internally right before going ahead with the implementation.

I would rate the solution nine out of ten.