Senior Information Security Specialist at a tech services company with 1,001-5,000 employees
Real User
Blocks threats to our external applications and has caught everything so far
Pros and Cons
  • "The most valuable feature is the way it blocks threats to external applications."
  • "In a future release I would like to see automation. There's no interaction between the applications and that makes it tedious. We have to do the preparation all over again for each of our other applications."

What is our primary use case?

It is our web application firewall.

How has it helped my organization?

We do have a lot of external applications which are exposed to the internet and WAF provides protection for them. We haven't seen a decrease in the mean time to respond to threats because it has caught everything.

The solution has also increased staff productivity by as much as 50 percent.

What is most valuable?

The most valuable feature is the way it blocks threats to external applications.

What needs improvement?

In a future release I would like to see automation. There's no interaction between the applications and that makes it tedious. We have to do the preparation all over again for each of our other applications.

Buyer's Guide
AWS WAF
April 2024
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,479 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We haven't had any problems with the stability at all.

What do I think about the scalability of the solution?

Up to now, the scalability has been good.

How are customer service and support?

I haven't had to use technical support yet.

Which solution did I use previously and why did I switch?

Our previous solution was also a WAF but it was not a scalable environment like the cloud is. Everybody is moving to the cloud. We were stuck on an appliance in our data center and we decided to move. We went with this solution because of the stability and quick response.

How was the initial setup?

The setup was a bit complex because our environment is a bit different. It was tough but it was good in the end.

What about the implementation team?

We used a consultant for the deployment and it was a great experience with them.

What's my experience with pricing, setup cost, and licensing?

There are no costs in addition to the standard licensing fees.

What other advice do I have?

My advice is "go for it, use it."

In terms of our security program's maturity, we're just beginning so we are still like a baby. But we are trying to get all the new stuff and improve altogether.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1376373 - PeerSpot reviewer
Cloud security Consultant at 8KMiles
MSP
Stable and scalable with a free-to-use version
Pros and Cons
  • "AWS has flexibility in terms of WAF rules."
  • "When users choose the free service, there isn't great support available to them."

What is our primary use case?

A primary use case example is when a customer from the cloud wants to expose his applications to the internet. We make sure that the clients, the applications, whatever they're trying to export, are public but that it's not going directly public. We make a backup, for instance, to protect the sellers and applications from security checks, etc. 

What is most valuable?

There are two models. One is, you can use the free services which you can download from the AWS website. There is also a paid version, where you can go for individual vendors, like Impala, Fortinet, and different vendors, which helps you to attain the top end web application security. It helps them to update the security patches, etc.

AWS has flexibility in terms of WAF rules. Users can choose from using a free service, which you can do from your own end, or a third-party vendor if you want to as well by choosing a paid version. WAF rules can be managed either by your own self or you can go for a third party.

The best thing with the solution is there is no hard and fast route and when I go for AWS. It's not a monopoly environment.

What needs improvement?

There isn't room for improvement per se. The cloud is constantly evolving and changing, however, so we'll see what the future brings.

When users choose the free service, there isn't great support available to them. This is because, when it comes to any issues, due to the fact that it says that when the rules are defined by the users, it becomes their responsibility. When there are any problems or threats, which don't get mitigated or the threat is not being properly managed, since the rules are owned by the user, they take responsibility for everything. It would be helpful if AWS could take a bit of responsibility here and help users understand where things went wrong.

Support wise, I don't think they are that good compared to individual vendors. When it comes to vendors, it becomes their product, and being a product owner, they take more responsibility and ownership of issues. AWS doesn't do that at all.

For how long have I used the solution?

I've been using the solution for two and a half years.

What do I think about the stability of the solution?

The solution is quite stable. We haven't run into bugs or glitches. It's reliable. You don't see any downtime.

What do I think about the scalability of the solution?

Since we're talking more about the cloud version of the web application firewall, it's highly scalable. When I say scaling, there is a concept called auto-scaling wherein you can scale up and scale down according to your amount of traffic load. It's automated, so it's highly scalable, actually.

While any company can use AWS, we see a lot of medium-sized firms using this particular solution, as opposed to larger companies, as those already have their own vendors, which are already in the on-premises data centers environment.

How are customer service and technical support?

I would say from the support point of view, there should be more flexibility when it comes to when users have issues to be able to ask for their help. They need to try to go the extra mile and right now they just aren't doing that.

Which solution did I use previously and why did I switch?

We've only used AWS for a few customers. Usually, we recommend a different solution. However, it depends on the client and the type of budget that they have. As one version of AWS is free, sometimes that is the only option.

How was the initial setup?

The initial setup is not difficult. It's very straightforward.

Deployment is pretty quick and might take up to one and a half hours at most.

You don't need too many people for maintenance. If they are knowledgeable enough, a single person can handle it with no problems. They're even able to do some scripting language to handle the deployment and can set up some automation protocols as well.

When it comes to maintenance, the real challenge comes into play for mitigation. You might need maybe four to five people at a large organization.

What's my experience with pricing, setup cost, and licensing?

There are two versions of the solution available, one of which is free, which is the version we use, so we don't pay for anything.

What other advice do I have?

We're using the latest version of the solution.

When customers tend to use multi-cloud vendors and multi-cloud environments, they want solid security protection. That's where the third party comes into the purchase. If any customer is specific to some cloud like AWS or Azure, we won't recommend a third party. We'll try to use AWS's own specific services so that it's smarter cost-wise and flexibility-wise, so it adds value to the customer.

However, when things go to a multi-cloud environment or a hybrid cloud architecture, that's when the third party comes into the picture. 

I would recommend this solution to companies who are looking for cloud solutions with firewall flexibility. AWS is very user-friendly and largely inexpensive; however, if an organization has the budget, there are lots of great products out there that do largely the same thing.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Engineer at a tech vendor with 501-1,000 employees
Real User
Integrates well with our existing AWS solution, but the UI is lacking
Pros and Cons
  • "It's simple, easy to use."
  • "The user experience, the interface, is lacking. Sometimes it's hard to find certain areas that it has alerted on."

What is our primary use case?

We use it to protect our backend services.

How has it helped my organization?

Because it integrates with the existing AWS solution, we get a lot of support without having to do much extra work. It has helped increase staff productivity and has probably saved at least one engineer, not having to have an engineer on staff for it.

What is most valuable?

  • It's simple, easy to use.
  • Integration.

What needs improvement?

The user experience, the interface, is lacking. Sometimes it's hard to find certain areas that it has alerted on. Also, more fine-tuning would be convenient.

What do I think about the stability of the solution?

We haven't had any problems with it.

What do I think about the scalability of the solution?

We haven't run into any scale issues at the moment.

How are customer service and technical support?

AWS, in general, has good support.

Which solution did I use previously and why did I switch?

We were using just the built-in Amazon intrusion detection stuff. Then we decided to go for an actual full-blown WAF. We weren't using any actual WAF before. WAF is a general solution that we knew that we needed. It's a standard security measure.

How was the initial setup?

It was relatively simple, for the integration.

What's my experience with pricing, setup cost, and licensing?

There are different scale options available for WAF.

What other advice do I have?

The integration with AWS is simple and can get you off the ground and going quickly. But you could, over time, outgrow it.

We're working on having a more mature security portfolio. This allows us to have a different tool in the belt, to measure different issues that might pop up.

I would rate the solution as a six out of ten because of its relative ease of use. However, it's not as configurable as a third-party option.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Advisory and IT Transformation Consultant at a tech services company with 10,001+ employees
Real User
Top 5
A straightforward setup with a quick deployment with good auto-management features
Pros and Cons
  • "The initial setup was very straightforward. Deployment took about ten minutes or less."
  • "They should work to define more threats, add more security, and make it more compliant with more security companies."

What is our primary use case?

The primary use of the solution is for perimeter security. I use it to secure my application and infrastructure.

What is most valuable?

Fast deployment and auto-manage are the most valuable aspects of the solution. The auto-manage primarily reacts and has to do all the little things like putting in the ACL, etc. 

What needs improvement?

The solution could be faster in detecting threats.

They should work to define more threats, add more security, and make it more compliant with more security companies.

The solution could always be more automated.

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is easily scalable.

How are customer service and technical support?

I have a number for WAF, but I've never used technical support.

Which solution did I use previously and why did I switch?

I previously used a different solution. The complex setup and installation were the main differences between that and WAF. I've worked with system compliance for many years, and it usually involves complex solutions. You have to know the CLF, etc. Cisco, for example, is so complex that you need to know many things. Whereas with WAF, you have to put up your host, your network, and you have the solution up and running.

How was the initial setup?

The initial setup was very straightforward. Deployment took about ten minutes or less. You only need one person to handle deployment and maintenance.

What about the implementation team?

I implemented the solution myself.

What other advice do I have?

We use the public cloud deployment model.

I use everything AWS. I need it to work for me, and it does. I hope that the solution continues to improve, but for me, it's perfect right now.

For those considering implementing the solution, I would advise that they understand how networks work because sometimes they can be quite complex. Many architects do not understand the basic concepts of networking.

I would recommend the solution. I would rate it nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Consultant at a tech services company with 10,001+ employees
Consultant
Scales according to our requirements, but the interface needs some additional functionality
Pros and Cons
  • "The most valuable feature is the scalability because it automatically scales up or scales down as per our requirements."
  • "I would like to be able to view a graphical deployment map in the user interface that will give me an overview of the configuration and help to determine whether I have missed any steps."

What is our primary use case?

We are a technical services company and this is one of the solutions that we have helped implement for our clients. We stopped using AWS about six months ago and as such, we are not currently using the AWS Web Application Firewall.

What is most valuable?

The most valuable feature is the scalability because it automatically scales up or scales down as per our requirements.

What needs improvement?

I would like to be able to view a graphical deployment map in the user interface that will give me an overview of the configuration and help to determine whether I have missed any steps.

What do I think about the stability of the solution?

The stability is good. From our experience, I've felt very happy with all of the AWS components in terms of stability. They work fine and have met our requirements.

What do I think about the scalability of the solution?

The scalability of this solution is very good.

How are customer service and technical support?

I am really happy with the AWS customer support, although I have not needed to contact them for this solution.

Which solution did I use previously and why did I switch?

We have changed solutions because the choice of product depends on the customer's preferences and requirements. When I am working on a contract, I am required to use whatever they ask me to. If I already have the experience then I apply it. Otherwise, I learn what I need to, which sometimes involves taking training courses.

What other advice do I have?

My advice for anybody who is implementing this solution is not to simply look it up on Google before starting to use it. I would suggest taking some training courses, starting to understand how it works internally, and then beginning to use it.

Overall, it is a good product and it generally fits well for my purposes.

I would rate this solution a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
President at a tech services company with 1-10 employees
Real User
It is a scalable, stable solution but needs simpler setup and pricing schemes.
Pros and Cons
  • "Its best feature is that it is on the cloud and does not require local hardware resources."
  • "The pricing model is complicated."
  • "The setup is complicated."

What is our primary use case?

My whole business is cloud cost management. What I do is help people manage expenses. That encompasses everything from cleaning up software as a service subscriptions to optimizing AWS. My use cases for AWS WAF have to do with cloud research only.  

What is most valuable?

The best part about it is that it is a cloud solution.  

What needs improvement?

The complexity of deploying turnkey solutions could be simplified.  

They actually have too many different things that you can tinker with and too many different ways to do the same thing. It may be helpful if the product were to be more directed and if it used best practices with technical and non-technical users in mind.  

For how long have I used the solution?

We have been using WAF (Web Application Firewall) for six months.  

What do I think about the stability of the solution?

WAF is very stable.  

What do I think about the scalability of the solution?

I believe WAF is very scalable.  

We have only two staff in our organization who are using AWS WAF.  

How are customer service and technical support?

Technical support is more-or-less fair. That is where most technical support falls these days.  

How was the initial setup?

The initial setup is really sorta complex. That is something which could probably be made easier.  

What's my experience with pricing, setup cost, and licensing?

The licensing costs are variable. For me, it is under a hundred dollars a month.  

The range of your costs with Amazon Web Services is going to be different depending on a lot of factors. It can go as low as actually being free all the way up to millions of dollars. It depends on the organization and how the service is used.  

What other advice do I have?

On a scale of one to ten where one is the worst and ten is the best, I would rate this product as a seven-out-of-ten. A change in the pricing structure that favors the client and simplification is something they would have to do to improve to make that score closer to a ten.  

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user753234 - PeerSpot reviewer
IT Governance at PeerSpot
Real User
Redirects any threats and attacks and protects our code
Pros and Cons
  • "The most valuable aspect is that it protects our code. It's a bit difficult to overwrite code in our application. It also protects against threats."
  • "It's a bit difficult to apply the right rules for the right security."

What is our primary use case?

Our primary use case is to protect our internal web solution. We use it to have an internal application for our customers. We are an SME worldwide company, so we have some internal website solutions architects that use this as an internal portal to the internet. We apply a WAF front to our web application.

What is most valuable?

The most valuable aspect is that it protects our code. It's a bit difficult to overwrite code in our application. It also protects against threats. It's important to protect the code against the threats on the internet. It redirects any threat, any attack, to a Fail2ban mechanism.

What needs improvement?

Sometimes it's a bit difficult to check the rules because when you apply a rule, sometimes it's too much and we need to rewrite the rules and make compromises on the rules because it will block too many things. It's a bit difficult to apply the right rules for the right security.

For how long have I used the solution?

We have used AWS WAF for around a year. 

How are customer service and technical support?

Their support is very good. We have an enterprise agreement with Amazon.

How was the initial setup?

I don't remember there being any problems with the setup.

What other advice do I have?

I think AWS WAF is a great solution. You can define big and a bit smaller architectures and scale out architecture as you need, due to the edge location. Its features are very amazing. 

I would definitely recommend AWS WAF. I asked my security director to move from our internal WAF to the AWS WAF because we can make global unique WAF services for our on-premise web servers and also our AWS web servers with one common rule and one common authority to manage these rules.

I would rate AWS WAF an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Cloud Architect at a tech services company with 51-200 employees
Real User
Beneficial cloud service, flexible on-demand features, but requires better security
Pros and Cons
  • "The most valuable features of AWS WAF are its cloud-native and on-demand."
  • "The solution could improve by having better rules, they are very basic at the moment. There are more attacks coming and we have to use third-party solutions, such as FIA. The features are not sufficient to prevent all the attacks, such as DDoS. Overall the solution should be more secure."

What is our primary use case?

We use AWS WAF to prevent cyberattacks, such as SQL Injection attacks and cross-site scripting attacks. The end users' traffic has more threats and the web application gives good support.

What is most valuable?

The most valuable features of AWS WAF are its cloud-native and on-demand.

Any customer can leverage AWS WAF immediately; it has a basic set of rules that are available.

What needs improvement?

The solution could improve by having better rules, they are very basic at the moment. There are more attacks coming and we have to use third-party solutions, such as FIA. The features are not sufficient to prevent all the attacks, such as DDoS. Overall the solution should be more secure.

For how long have I used the solution?

I have been using AWS WAF for approximately four years.

What do I think about the stability of the solution?

This is a very stable solution.

What do I think about the scalability of the solution?

AWS WAF is scalable.

We have approximately five customers using this solution.

How are customer service and support?

The technical support is very good. They are responsive and knowledgeable, they have always come back with a resolution or a workaround to help us.

How was the initial setup?

The initial setup took approximately 15 minutes; it is easy.

What about the implementation team?

We have a team that does the support for the solution.

What's my experience with pricing, setup cost, and licensing?

AWS WAF is pay-as-you-go; I only pay for what I'm using. There is no subscription or any payment upfront, and I can terminate use at any time, which is an advantage.

What other advice do I have?

The first version of AWS WAF was not mature but the second version is very mature.

I would recommend this solution to others because, instead of choosing a third-party solution, which will take time and for which you will have to be in negotiations, it is good to start with AWS WAF for their minimal primary security firewall to save their workload. AWS WAF is available on-demand from day one.

I rate AWS WAF a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free AWS WAF Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024