AWS WAF Reviews

Our company uses the solution with F5 to secure applications from the injection, the track, and vulnerabilities. 

We use the built-in solution provided by SGO for the web. 

The web solution effectively protects from vulnerabilities and cyber attacks. 

The solution is menu driven and operates with no coding.

It is easy to manage and use the solution. 

The solution should identify why it blocks particular websites. The solution performs high-level blocks but doesn't provide very much detail. For example, a particular IT is blocked due to a vulnerability but we are not able to identify the reason for the block. Our developers or IT staff need to be able to identify vulnerabilities to fix applications. 

We would like output that tracks how many concurrent requests come through a particular application gateway, the response times for requests, and the latency parameters. 

I have been using the solution for two years. 

The solution is very stable so I rate stability a ten out of ten. 

The setup is easy so I rate it a nine out of ten. 

We implemented through a third party and it only took a few minutes. 

The pricing is good and manageable. I rate pricing a ten out of ten. 

I recommend the solution for protecting web applications. 

I rate the solution a ten out of ten. 

We partner with many banks in India, and many partners use our portals to access their credit card or debit card information. So we use AWS WAF to protect our web application servers, app servers, and API servers from any malicious attacks which arise from the public internet. We also use AWS WAF for virtual patching of our servers to prevent any malicious requests from reaching the gateway to our internal systems.

I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through. 

It would be better if AWS WAF were more flexible. For example, if you take a third-party WAF like Imperva, they maintain the rule set, and these rule sets are constantly updated. They push security insights or new rules into the firewall. However, when it comes to AWS, it has a standard set of rules, and only those sets of rules in the application firewalls trigger alerts, block, and manage traffic.

Alternative WAFs have something like bot mitigation or bot control within the WAF, but you don't have such things in AWS WAF. I will say there could have been better bot mitigation plans, there could have been better dealer mitigation plans, and there could be better-updated rule sets for every security issue which arises in web applications.

In the next release, I would like to see if AWS WAF could take on DDoS protection within itself rather than being in a stand-alone solution like AWS Shield. I would also like a solution like a bot mitigation.

I have been using AWS WAF for a couple of years.

We haven't faced any issues over the past couple of years, so I believe AWS WAF is a stable product.

Since we are AWS-native, it's very scalable. It can handle almost any infrastructure running within the AWS public cloud. We have around 20 portals, and about 20 products usually use AWS WAF. I'll say that about 15 people use AWS WAF to manage the traffic and filter out security issues. Those people are security analysts, SOC analysts, and layer 1 network analysts.

In our business use case, sometimes it has triggered a false positive where it blocks some of our legitimate traffic. So we contact support to ask if this is legitimate and if we have to implement a new rule or if we have to allow such traffic and not mark it as a false positive. We have contacted them only for such occasions, and their support was really good.

On a scale from one to five, I would give technical support a four.

Positive

The initial setup was very simple. It's just a click of a button.

We already have web applications running on an AWS account, so it probably took about two minutes to implement this solution.

For our infrastructure, we probably pay around $16,000 per month for AWS WAF. Because alternative WAF solutions provide even more features, I think the AWS WAF is a bit pricey

I would say that I think it's easy to use, easy to deploy, and has all the basic WAF features. It has no advanced features like bot mitigation or DDoS protection built-in. If it had bot mitigation or advanced security filter patching features, I would probably give it a higher rating, like a nine.

On a scale from one to ten, I would give AWS WAF a seven.

We primarily use the solution for load balancing. 

We have some microsites exposed through the AWS cloud. These are some sort of pilot and we are using WAF to learn how this new product fits with us, and are mostly in the testing phase with a limited impact application. We are obviously not migrating core applications or those which have a significant impact on availability or on integrity and confidentiality. Mostly we have it on microsites where we don't see a significant risk, and it is more of a learning exercise for us.

The most important aspect for us is that AWS WAF is easy to deploy. The ease of implementation, ease of management, and flexibility are great. We like the potential for pay as you grow as you have instant deployment, infrastructure as a code, or any other automation tools that can leverage these deployments. The most important thing for us is that it stays flexible and scalable. That is true not only with WAF but with all the cloud services where you can provision any product in minutes. 

With the cloud, you have these integrated tools that provide a single glass pane. 

You have automation, ease of export, or ease of seeing the logs and exporting to a SIEM; these aspects are also great. The agility is great for us in terms of cloud services in general.

Usually, if we're talking about standard WAF, this is easy to deploy and is good at protecting low to medium applications.

As of now, regarding WAF, I'm not sure what the minuses or pluses are. You have the native WAF, which you can deploy directly on the load balancer. However, you also have that store where you can actually deploy some other vendors' specifics. At this point, feature-wise, I don't see anything lacking, more or less. Obviously, if we want to migrate, which is not yet the case, there might be a significant impact.

For uniformity, AWS has a well-accepted framework. However, it'll be better for us if we could have some more documented guidelines on how the specific business should be structured and the roles that the cloud recommends. If every company is building its own framework based on their experience or their past experience, this might be subjective, and it'll end up with each company having its own framework, which can be good. However, it'll be better to have a standardized baseline that every company could build on. 

We've been using the solution for more than a year at this point. 

You have multiple availability zones and regions. The availability or durability is not something that we need to concern ourselves with very much here. Regarding the availability, I don't think this is something that the average company could match. They have a lot of availability zones, redundancy, and all the other things like that.

It's scalable. Mostly, what I would look into is having cloud resiliency in the sense that we want multiple vendors, so if something happens with AWS, you'll need some sort of strategy and you'll need some other vendor to provide you with similar services. 

We have a number of users per application. It's hard to quantify how many users are on the solution in general. 

For us, it's a bit of a different model where we have services provided by one central team or central entity. The others will have some sort of hub and spoke with the central entity providing or re-providing services to the other network units. The relationship with AWS is maintained by our central unit, and we somehow take services from the central unit and customize them per our needs. However, if we have some issues, this will be raised by the group. Issues may be resolved by AWS or an SME that works with us. 

In terms of the initial setup, from what I heard, it initially being a new technology, you want to deploy it in a correct manner. Therefore, it will need more diligence in the first deployment as security is not something you can learn and adjust. You need to make it right from day one in order to avoid breaches. However, after that, with infrastructure as a code and the automatic deployment, it's easier. You just create your setup, and you use the rules and go. You have network access to a security group, which provides you with very general filtering for problematic traffic. 

From my experience, the cloud provides everything we need; however, we still lack the knowledge and framework in terms of who is doing what, et cetera.

It's quite different between on-premise and cloud. In the cloud, DevOps is doing a lot of things. On-premise, you have someone from infrastructure, someone installing the OS, and someone doing the vulnerability and patch management.

Depending on how you deploy, the activities need to be revised. You need to have this framework to work in the cloud, and it's more of a challenge in company philosophy rather than technical capabilities. Companies can find it challenging to migrate to new tools. Sometimes existing teams need to be re-educated. 

We have multiple applications, so usually, it takes a while to refine the framework with the responsibility inside the company. It's to be optimized. However, in terms of actual deployment, security-wise, it takes some time to do the security checks, including the scanning and vulnerability asset inventory. It might take two or three months per application.

I definitely recommend not only AWS. I also recommend Azure as an option. We have the integration with Office and the entire portfolio. The cloud, in general, it's a new thing to consider. For example, you have this GDPR with data in Europe. However, in the case of most of the clouds, you can select your regions and you have some control. 

I'd rate the solution nine out of ten. 

There are a huge amount of products. I'm not saying it's a bad or a good thing. However, it can be quite confusing. There are VPC, EC2, and other instances, and there are a lot of other services that you can use like Macie, where you can filter sensitive information. There are a lot of tools that require hands-on and new capabilities. For me, being at the beginning of this journey for cloud migration, I've been mostly quite happy with the results.

The solution protects my customers’ web applications hosted in AWS.

The ease of deployment of the product is valuable to me. AWS WAF might be one of the easiest WAFs that can be deployed. The only constraint is that our application must be running in AWS.

The default content policy available in the tool is not very strong compared to the competitors. Most of the WAFs will have a default set of policies and rules that we need to enable, which will satisfy our requirements. However, for AWS, we must put some time and effort into creating our content policy to get optimal protection.

I have been providing the solution for a year or more.

The product is stable. I have no complaints. I rate the stability a nine out of ten.

The product is scalable. I rate the scalability a nine out of ten.

The technical support is good. I have no complaints. The support team is fast, knowledgeable, and customer-friendly.

Positive

The initial setup is straightforward. It takes merely half an hour or less to deploy the solution. The solution is deployed on the cloud.

Whether we need a consultant to help with the deployment depends on our knowledge of the cloud platform and our applications. It is a complex solution. We can do it ourselves if we know about WAFs, rule sets, and deployments. It is not a solution for a novice or someone unfamiliar with the security and application firewall. Such people might need the help of an administrator or consultant. We deployed the solution ourselves.

Depending on how our AWS billing is configured, we are billed on a monthly or yearly billing cycle. The product is moderately priced. It is not too cheap but not too high either. There are no additional costs associated with the product.

I would recommend the solution to others. If a web application is completely hosted in AWS, then AWS WAF is a good choice. We can easily adopt it. Overall, I rate the solution a seven out of ten.

We are using it to monitor the requests on our site, to block sudden surges of users on our website, and also to prevent DDoS attacks.

The addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules.

One area that could be improved is the DDoS protection. We had a DDoS attack recently, and even though we had set a limit of 1,000 requests per five minutes, AWS WAF was not able to block all of the requests.  

AWS wasn't able to clarify all the DDoS attacks. It may have been due to a wrong configuration in the rules, but AWS didn't block all the requests.

It's been deployed in a project for one year.

I would rate the stability a ten out of ten. It is a very stable solution. There are over 16 end users using the solution. 

I would rate the scalability a nine out of ten. There is room for improvement. 

The initial setup is easy. You don't need to do too many things. 

The deployment was done manually on the console, there is no need of propriety.  It took around an hour and half. 

The pricing totally depends on the number of requests entering the WAF. For example, in case we have a DDoS type of attack, at that time, the price will surge quickly. For example, it will go up to two hundred dollars within three to four days. So it totally depends on the number of requests it is processing.

There are additional costs to the standard license because it totally depends on the number of incoming requests.

Overall, I would rate the solution an eight out of ten. 

I would recommend that understanding how the rules work exactly and finding patterns based on those rules is the most important thing in AWS WAF. It's quite easy to deploy at first, but afterward, it's essential to know how to handle it properly. Enabling the managed tools of AWS can sometimes block legitimate requests too. So, it's important to understand the type of requests you want to allow and how to configure the rules accordingly. It's quite an interesting aspect of AWS WAF.

We faced many potential threats, such as hackers flooding in the requests, so we started using AWS WAF to block those IPs and stop those attacks. If multiple IPs are trying to attack our product, we'll also use AWS WAF by selecting the endpoints the hackers were attacking and then blocking those endpoints. Our cybersecurity team primarily uses AWS WAF.

What I like best about AWS WAF is that it's a simple tool, so I could understand the basics of AWS WAF in two to three hours. From the start, I know its purpose and its use case.

AWS WAF also has documentation. It's a user-friendly tool, and it's easy to know how to block the IPs and endpoints.

AWS WAF would be better if it uses AI or machine learning to detect a potential attack or a potential IP that creates an attack even before it happens. I want AWS WAF to capture the IP and automatically write the rule to automate the entire process. I want an AI feature in AWS WAF in the future.

I only saw how AWS WAF works for seven months when the cybersecurity team used it, so my knowledge of the tool is basic. I'm not an expert on AWS WAF.

AWS WAF is a stable product.

I have yet to contact the AWS WAF technical support.

As the company is an Amazon customer, the company looked into what other Amazon services could prevent the attack and came across AWS WAF when the attack happened. The tool was also easy to use and could prevent attacks and safeguard the company's product, so the company decided to use AWS WAF.

The initial setup for AWS WAF was simple. It was a basic setup process, though I have no idea about deployment time.

AWS WAF costs $5 monthly plus $1 for the rule. It's cheap, cost-wise. It's worth the money.

AWS WAF has three users within the company.

If I were to advise you on using AWS WAF, I'd tell you first to understand how the attack is happening. For example, is it a single server attack or multiple servers or regions? It would be best to find out which target is being attacked. You need to know the basics before using AWS WAF. You also need to know the rules. You need to understand how to secure your endpoints. Users should have a basic understanding of AWS WAF and its purposes before using it. You need basic cybersecurity knowledge.

I'm new to cybersecurity, so AWS WAF is the first cybersecurity product I used and based on my experience and usage, it's a ten out of ten. AWS WAF is a user-friendly, on-point tool, and I could understand it easily.

My company is an Amazon customer.

It's more of an application security tool that we use to secure applications. 

AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice.

It's pretty much an AWS native service, so it's something that they improve year after year. They do continuous improvements on a year-by-year basis, so the product is really good. An improvement area would be that it's more of a manual effort when you have to enable rules. That's one of the downsides. If that can be done in an automated way, it would be great. That's a lagging feature currently.

It could also support multi-cloud integration where you can integrate with applications other than AWS applications. It would be a good feature or use case for this solution.

I've been using this solution for almost three to four years.

It's stable. I'd rate it an eight out of ten in terms of stability.

It's scalable. We probably have more than a hundred users. It's pretty much being used by everyone, such as engineers, managers, etc. Everyone is into it.

We get good support. I'd rate them a nine out of ten.

Positive

We didn't use any similar solution previously. In the future, we might use another solution, but for now, we are more into AWS WAF.

It's neither complex nor simple. It's somewhere in the middle. I'd rate it a six out of ten in terms of the ease of the setup.

It's a cloud solution, and we have a multi-cloud scenario. We are pretty much using all four clouds: Amazon, Azure, AWS, and Oracle. It's a mix-and-match or hybrid.

In terms of maintenance, there would be a team of engineers to maintain it.

Its price is fair. There is a very fair amount that they charge.

It has a pay-as-you-go model, so it pretty much depends on how much a user uses it. As per the cloud norms, the more you use, the more you pay. I would rate it a five out of ten in terms of pricing.

Overall, I'd rate it a seven out of ten because it's not automated and it's a bit complicated to implement or deploy the solution.

We primarily use this solution for monitoring and blocking to ensure protection against application layer attacks. These include application-related core rules, database-specific attacks, Linux-based attacks and some custom rules deployed. These rules assist us in blocking specific attacks that come from the internet into our cloud infrastructure.

The customizable features are good. For example, we can write our own rules and match character and size limits.

The product could be improved by expanding the weightage units of rules we have when writing policy. Currently, our company uses WAF policy and Web ACL but is limited to only 1500 units of rules.

We have been using this solution for three years and are currently using version two. We deploy this solution on Amazon public cloud.

This solution is stable. 

This solution is scalable because it provides many features.

We have received good support from the customer service and support team. They identify our problems and assist in resolving any issues we have.

Our initial setup was straightforward, and deployment by automation only took a few minutes.

I cannot comment on licensing costs and pricing as I am unsure of the exact costs.

I rate AWS WAF an eight out of ten. I would advise new customers to choose custom policies because they provide more flexibility in guarding against attacks on cloud infrastructures. Additionally, it protects both regional and global servers.