Manager, IT Infrastructure & Information Security at flyadeal
Real User
Provides good OWASP top 10 protection but needs improvement in security efficiency related to bad bots
Pros and Cons
  • "The security firewall plus the features that protect against database injections or scripting,"
  • "For now, there is no feature to protect against attack of the bad bots"

What is our primary use case?

I'm a manager and in charge of IT infrastructure and information security for an airline company. We're a customer of AWS WAF. We use the product to protect the websites that our customers access to book flights. It provides the sites with DDoS protection and OWASP top 10 application security.

What is most valuable?

The best features are the security firewall and the features that protect against database injections or scripting, and against overall OWASP top 10, but I have concerns about CloudFront, which doesn't handle bot attacks properly, so it's not as effective as I would like it to be.

What needs improvement?

A significant improvement would be built-in bot protection enhancement, or seamless integration with other products. For now, there are limited features to protect against an attack from the bad bots, so users go to third-party solutions, which just complicates integration and operation.

A helpful additional feature would be to have a fully unified unique product, including the DDoS, with sophisticated attack capabilities including anti-bot management. They should also take a look at reviewing the complexity of the integration with other third-party vendor solutions.

For how long have I used the solution?

I've been using the product for the last two years. We upgraded recently and I'm using the latest version. 

Buyer's Guide
AWS WAF
April 2024
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,479 professionals have used our research since 2012.

How are customer service and support?

Technical support is good. 

How was the initial setup?

Deployment is easy, it's not complex. The complexity is when you need it for integration with other third-party products. We also use CDN, part of the web solution from Amazon.

What's my experience with pricing, setup cost, and licensing?

The price of the product is fair enough and one of the product's advantages. Their price is good compared to other vendors. 

What other advice do I have?

The main difference with other similar products is the security efficiency against the type of attacks because normally Amazon works with certain types of attacks and is unable to deal with most of the more sophisticated new attacks that are now on the market. So if you compare AWS WAF to the leaders in the field like Imperva, Akamai or Radware, they are still beyond these products.

I would recommend that if you don't have a critical heavy use website, and you have a simple business that doesn't require high protection or high-security efficiency, go with this product, but if you have something where security is critical you should go with the leaders in the market, companies like Akamai, Radware, PerimeterX or Imperva.

I would rate this product a seven out of 10. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Superintendent of Cloud Platforms at a manufacturing company with 1,001-5,000 employees
Real User
Protects public-facing web applications but pricing is expensive
Pros and Cons
  • "We preferred the product based on its cost. AWS WAF is an out-of-the-box solution and integrates with the AWS services that we use. It's natively integrated with AWS."
  • "We have issues with reporting, troubleshooting, and analytics. AWS WAF needs to bring costs down."

What is our primary use case?

We use the product for the protection of our public-facing web applications. 

What is most valuable?

We preferred the product based on its cost. AWS WAF is an out-of-the-box solution and integrates with the AWS services that we use. It's natively integrated with AWS.

What needs improvement?

We have issues with reporting, troubleshooting, and analytics. AWS WAF needs to bring costs down. 

For how long have I used the solution?

I have been working with the solution for 18 months. 

What do I think about the stability of the solution?

AWS WAF is stable. 

What do I think about the scalability of the solution?

The solution is scalable. 

How are customer service and support?

We use Amazon enterprise support. It is good but expensive. 

Which solution did I use previously and why did I switch?

We used Cloudflare and Palo Alto before. We chose AWS WAF since it integrates with native services. 

How was the initial setup?

The tool's setup is complex but it is easy after installation. 

What's my experience with pricing, setup cost, and licensing?

I would rate AWS WAF's pricing a seven out of ten. 

What other advice do I have?

I would rate AWS WAF a seven out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jefe subdepartamento Operaciones at a government with 10,001+ employees
Real User
Reasonably priced, stable, and offers excellent performance
Pros and Cons
  • "Their technical support has been quite good."
  • "We haven't faced any problems with the solution."

What is our primary use case?

I primarily use the solution as a gateway service and a transaction portal. 

What is most valuable?

We haven't had any issues with the solution so far.

The pricing of the product is very good. They make it very reasonable and it's very easy to afford.

Their technical support has been quite good.

The performance is excellent. It's reliable.

We've found the solution to be quite stable.

What needs improvement?

We haven't faced any problems with the solution. I can't speak to any missing features. Every aspect of it has been quite good.

For how long have I used the solution?

I've been using the solution for a while.

What do I think about the stability of the solution?

The stability has been very good. We've enjoyed a very reliable performance. There are no bugs or glitches. It doesn't crash or freeze. It's been good.

How are customer service and technical support?

Technical support has been quite good. We've found them helpful and responsive. We are quite satisfied with the level of support that is provided to us.

What's my experience with pricing, setup cost, and licensing?

The solution is very reasonably priced. 

What other advice do I have?

I'm just a customer and an end-user. I don't have a business relationship or partnership with AWS.

I have pretty good experience in AWS. I have a certificate in AWS.

I'd rate the solution at a ten out of ten. We've been extremely satisfied with the solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Regional Security Team Lead at a computer software company with 1,001-5,000 employees
Real User
Stable web application firewall used to protect against common vulnerabilities with a powerful CDN component
Pros and Cons
  • "The simple configuration and the scalability have been most valuable. We are able to scale across all of our different AWS instances."
  • "This solution could be improved if the configuration steps were more specific to WAF, compared to other cloud services."

What is our primary use case?

We use this solution to protect our web applications against common vulnerabilities. The CDN component is also quite powerful. We use this solution alongside Azure WAF.

What is most valuable?

The simple configuration and the scalability have been most valuable. We are able to scale across all of our different AWS instances.

What needs improvement?

This solution could be improved if the configuration steps were more specific to WAF, compared to other cloud services. 

For how long have I used the solution?

I have been using this solution for two years. 

What do I think about the stability of the solution?

This is a stable solution. We rely on AWS's other cloud services and we've never experienced any stability issues. 

What do I think about the scalability of the solution?

This is a scalable solution. 

How are customer service and support?

Our support experience has been quite good. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

The main reason we switched from using Cloudflare to AWS is to have a native offering because all of our cloud solutions are on AWS. This made it simpler compared to using a third party and easier to reroute traffic.

How was the initial setup?

It depends on your AWS configuration, but what we've experienced is that the rule policy configuration is really straightforward. It took a couple of weeks. 

What about the implementation team?

We had in-house expertise.

What's my experience with pricing, setup cost, and licensing?

We have a medium amount of traffic per month and the cost is in the hundreds rather than in the thousands. I don't know the exact number.

What other advice do I have?

I would advise others to ensure they understand what can be done internally and then what you need expertise for externally. If you have the expertise internally, it can be easily configured. Keep the SIEM configuration as simple as possible, rather than trying to modify and configure too many things.

I would rate this solution an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AWS Security Specialist at a tech services company with 501-1,000 employees
Real User
Easy to scale, flexible, quite efficient, and the geo-restriction capabilities are helpful
Pros and Cons
  • "The most valuable features are the geo-restriction denials and the web ACL."
  • "On the UI side, I would like it if they could bring back the geolocation view on the corner."

What is our primary use case?

We use this solution for online web applications.

What is most valuable?

The most valuable features are the geo-restriction denials and the web ACL.

I enjoy using it because it is very easy.

Also, it's quite efficient.

What needs improvement?

The service itself is fine. On the UI side, I would like it if they could bring back the conditions view, which had geo match, IP sets, etc. When using WAF classic you could see this option on the left side of the console. Currently, IP sets and regex strings are there, but geo match does not seem to be included; I'm not sure if geo matching is still supported.

For how long have I used the solution?

I have been using AWS WAF for almost three years.

We are using the newest version of AWS WAF, which is Version 2.

What do I think about the stability of the solution?

It's a stable solution. I have not experienced any issues.

What do I think about the scalability of the solution?

There are approximately 1,000 people who are using this solution on a daily basis.

It is easy to scale. Just ensure that you cover the relevant resources within it. You can cover multiple resources such as CDN or use them in your AOD.

It's quite scalable.

How are customer service and technical support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

I have always used AWS. It's been the focus for the last three years.

How was the initial setup?

The initial setup was simple.

It took less than an hour to deploy.

What about the implementation team?

The implementation was completed internally.

What's my experience with pricing, setup cost, and licensing?

It's quite affordable. It's in the middle.

Everything is included with the usage that you take up when you implement the service.

What other advice do I have?

The product does not require any maintenance. You need to ensure how you consider your rules. You have to make sure that all of your considerations for your protection are done really well. Do regular updates to improve on the different threats and intrusion.

I would recommend the product because it is very flexible and you are able to use it with multiple services within AWS.

I would rate AWS WAF a solid ten out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Uddeshya Kumar - PeerSpot reviewer
Cloud Product Engineer at SecLogic Limited
Real User
Top 5 Leaderboard
A stable solution that is easy to deploy and provides a helpful support team
Pros and Cons
  • "The tool’s stability is very good."
  • "The cost must be reduced."

What is our primary use case?

We use the solution for filtering traffic. We do not want our developers to use unnecessary websites. So, we filter the websites using the tool.

What is most valuable?

All the features are good. AWS Lambda and S3 are valuable tools. We have to use these tools when we build applications.

What needs improvement?

The cost must be reduced.

For how long have I used the solution?

I have been using the solution for a year. I use the latest version.

What do I think about the stability of the solution?

The tool’s stability is very good. It is better than GCP.

What do I think about the scalability of the solution?

The tool’s scalability is good. We have almost 20 users.

How are customer service and support?

The support is helpful.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We also use GCP.

How was the initial setup?

The initial setup is very easy. Everything is on the cloud. The deployment takes one full day.

What about the implementation team?

We deploy the product in-house. We need one senior solution architect and one junior solution architect to deploy the tool. We have a team of analysts for experiments. We need only one person to maintain the solution.

What's my experience with pricing, setup cost, and licensing?

The product is expensive.

What other advice do I have?

We use almost 40 services. Overall, I rate the product an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Analyst
Real User
Makes sure files are protected, but the solution should be more proactive in detecting threats
Pros and Cons
  • "The most valuable feature is the security, making sure that files are protected, preventing unauthorized users from accessing the system."
  • "They have to do more to improve, to innovate more features. They need to increase the security. It has to be more active in detecting threats."

What is our primary use case?

It's all about the security of the cloud system.

How has it helped my organization?

It has improved our organization a lot because before we were having problems with access management. Things have gotten better using this product. It's protecting the files. It has been the best step for us.

We are no longer having problems with unauthorized access, where somebody breaches the system or compromises documents. Nothing like that has happened over the past year that we have been using this product. We're doing well and I believe we will continue to do well with this product.

Staff productivity has been high since we started using it. It has saved 80 to 90 percent of their time in some cases.

What is most valuable?

The most valuable feature is the security, making sure that files are protected, preventing unauthorized users from accessing the system. These are the best.

What needs improvement?

I would like them to fortify the system more. In every software platform there are issues or bugs, even though presently, there aren't many known and it is running without problems.

They have to do more to improve, to innovate more features. They need to increase the security. It has to be more active in detecting threats. It's better for the system if the platform is more proactive in detecting threats immediately, so that technicians or people on the security team will know that a threat is coming in.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's stable, it's a strong system. The stability is going to be even better because they're still trying to improve on it, and they're bringing out more features.

What do I think about the scalability of the solution?

Scalability is one of the features. It has to be scalable to be able to effectively secure the system.

How are customer service and technical support?

Amazon Web Services has very good technical support. Whenever you encounter a problem you just call the support team. You'll be able to walk them through the problem and then they'll solve it.

Which solution did I use previously and why did I switch?

Our company didn't have structured security controls before this. We were encountering a lot of problems when it came to security, protection of the documents and system. They restructured the whole system. This is the platform that was recommended to us. Since we started using it, it has been great.

How was the initial setup?

The initial setup was rather complex.

What about the implementation team?

Most of the time we try to use a consultant for deployment. Our experience with them has been good. They know their jobs. They try to incorporate more features, teach us how to do things. It's a learning process and they're always there to make sure that we understand the stuff. They get things going.

What's my experience with pricing, setup cost, and licensing?

It's an annual subscription. There are no additional fees beyond the standard licensing.

What other advice do I have?

Everybody handles their own platform differently. Some people love what they have but haven't necessarily experienced anything else. This platform is a good one. If you have your own platform and you think it's better, that's fine. But get a taste of this one, try it and see how it feels in terms of security.

Security has always been a problem and it will always be a problem. There's no security platform or software that is 100 percent. We don't know when a zero-day will happen. Hackers are everywhere, they are creating things and innovating every day. As far as I am concerned right now, the platform is good. It's doing its job.

I rate the solution at six out of ten. I don't want to give them 100 percent because sometimes things happen.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Engineer at a renewables & environment company with 501-1,000 employees
Real User
Top 5
A basic WAF with limited controls, but cheap and better than having no WAF in place.
Pros and Cons
  • "As a basic WAF, it's better than nothing. So if you need something simple out of the box with default features, AWS WAF is good."
  • "We don't have much control over blocking, because the WAF is managed by AWS."

What is our primary use case?

At the moment, it's just myself working with AWS WAF in my company, and our use case for it is normal, or what you would expect from a Web Application Firewall. That includes basic DoS blocking and malicious IP address blocking. It's not a big thing for us, and just takes care of our baseline security.

What is most valuable?

As a basic WAF, it's better than having nothing. So if you need something simple out of the box with default features, AWS WAF is good.

What needs improvement?

I think there's a lot wrong with AWS WAF. Here are the two main areas where I think it could be improved:

Blocking: We don't have much control over blocking, because the WAF is managed by AWS. What happens is that they will put down the rules on their side and we don't have proper visibility on that. So we'll have to track down the issues and see what is wrong or not. For example, with IP address blocking, it's difficult to find out which IPs are getting blocked. If we managed our own WAF completely, we wouldn't have this kind of problem. Right now, this aspect is half managed by us, and half managed by AWS. Because of this, I think it would be far more helpful to us if we went for our own tool instead.

Automation: As in, a lot of separate blocks if something goes wrong. For example, every company will have their own rules for automation, in terms of their goals for the product. Like, "I want my WAF to do this. I want my WAF to do that." But that's the kind of thing that I think we will only see when we do some POCs with our clients. 

For how long have I used the solution?

I have been working with AWS WAF for around one year now. 

What do I think about the stability of the solution?

The performance has been good, even though it could be better. At any rate, the WAF has not caused any lag on our side.

What do I think about the scalability of the solution?

It is scalable in my experience, but the lack of features doesn't take it very far in terms of actual usage. Eventually, customers will move away from it. If there's no one interested in managing the WAF, that's fine, then customers may keep using it. But for us, we are not planning to scale it out further.

How are customer service and support?

AWS technical support is good.

How would you rate customer service and support?

Neutral

How was the initial setup?

The setup is easy and nothing serious. You don't have to do a lot to get set up with it. Compared to other WAFs out there, I think AWS WAF is very simple, especially since most of it is managed by AWS.

What about the implementation team?

We haven't needed anyone from AWS to help us with the deployment or implementation. It's all me at this point.

What's my experience with pricing, setup cost, and licensing?

It's lower cost and easy to set up.

Which other solutions did I evaluate?

There are multiple other options which we could have gone for, but it depends on the budget, typically. I am especially interested in a WAF which has serious support for automation and more complex configuration options.

What other advice do I have?

For people who don't have any WAF currently, and who just need something basic, it's not a bad idea to go with AWS WAF for starters. But if you are someone who is looking for a fully-fledged and self-managed WAF, you should look elsewhere for a better tool. You should certainly not stick with AWS WAF if you are serious about managing your security and mitigating your risks.

Overall, I would recommend AWS WAF to others, but only under the conditions I have mentioned. If you have the budget and the resources, however, go for something else.

I would rate AWS WAF a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.