AWS WAF provides configurable rules, integration with other AWS services, and scalable protection against web threats such as SQL injection and cross-site scripting; rate-based rules throttle request floods, while full DDoS mitigation comes from AWS Shield rather than the WAF itself. Reviewers value its automation and reliable performance.


| Product | Mindshare (%) |
|---|---|
| AWS WAF | 4.6% |
| Imperva Application Security Platform | 7.4% |
| Fortinet FortiWeb | 5.4% |
| Other | 82.6% |
AWS WAF is a web application firewall offering significant security features like geo-restriction, custom rules, and IP filtering. Designed for seamless orchestration within AWS environments, it facilitates easy configuration and threat automation. Users benefit from its security policies, enhancing application performance by protecting against threats such as cross-site scripting. Despite its strengths, there is a call for enhanced user interfaces, better documentation, flexible pricing, and improved support. Expanding features like real-time analysis, bot protection, and AI integration can further elevate its utility.
What are the key features of AWS WAF?
AWS WAF is widely used by organizations hosting applications on AWS to protect sensitive data and monitor for unauthorized access. Custom and managed rules let it be fitted to the infrastructure it fronts, and it plays a central role in maintaining application security across sectors.
AWS WAF was previously known as AWS Web Application Firewall.
eVitamins, 9Splay, Senao International
| Author info | Rating | Review Summary |
|---|---|---|
| Infrastructure Lead at Danat Fz LLC | 4.0 | I've used AWS WAF for four years to block unauthorized access, finding custom regex rules valuable, though monitoring and bot detection need improvement; setup is manageable, but DDoS protection requires an additional solution. |
| DevSecOps Engineer at a tech vendor with 1,001-5,000 employees | 4.5 | I’ve used AWS WAF for over five years to block malicious traffic and IPs, finding it scalable, stable, and cost-effective, though the dashboard needs improvement. Its automation and managed rules significantly enhance my application’s security and performance. |
| Senior Cloud Security at a healthcare company with 5,001-10,000 employees | 4.5 | I use AWS WAF for web application firewalling, valuing its OWASP defense and attack surface reduction. However, I find its sensitivity inconsistent, logs lack specific payloads, and the new dashboard confusing. While the free version helps, tuning and reviewing logs are essential. |
| Security Engineer Dev Sec Ops at an outsourcing company with 1,001-5,000 employees | 2.5 | I've used AWS WAF for two years. Setup is easy and stability good, but I wouldn't recommend it. Its complex rules, poor granularity, limited customizability, and escalating costs are significant drawbacks. |
| Security Engineer at a computer software company with 1,001-5,000 employees | 4.0 | We use AWS WAF on our websites as part of our data protection strategy due to its seamless integration and ease within the AWS platform. Despite improvements needed in signature sets and limited stateful capabilities, it effectively enhances security and saves resources. |
| AWS DevOps SRE/Infrastructure Engineer at Capgemini | 4.0 | I manage infrastructure on AWS using services like KMS, EBS, and WAF version two. AWS WAF's automation in blocking security threats is valuable, though integrating with services like Kafka could be improved. While it can be costly, its security benefits are worth it. |
| Security Analyst at M2P Fintech | 3.5 | I use AWS WAF for its cloud-native functionality, ease of rule management, and better control within AWS infrastructure, though its dashboarding and metric functionalities need improvement. Previously, we switched from Imperva to AWS for cost optimization. |
| OCI/AWS Consultant at a government with 11-50 employees | 2.0 | I use AWS WAF to safeguard sensitive data by filtering HTTP traffic for web applications. While Oracle Cloud Infrastructure offered cost benefits, AWS was chosen for compliance. I appreciate its flexibility but see room for improvement in other AWS services. |
| Director of Security Architecture at a healthcare company with 10,001+ employees | 3.0 | I use AWS WAF to protect web applications, appreciating its integration and ease of deployment within AWS. However, I'm seeking alternatives due to concerns about dependency on AWS and the need for improved usability and functionality in multi-cloud environments. |
| Associate Vice President - Engineering at Fedo.ai | 4.5 | I use AWS WAF for monitoring incoming calls and enhancing security by filtering web app traffic. Its ability to prevent attacks like SQL injection is valuable, though documentation could be simpler. AWS enhances customer satisfaction and security. |

Our main use cases for AWS WAF involve restricting users who are not supposed to use our application, such as potential hackers. We use it for blocking certain countries as well.
The features I find most useful in AWS WAF are that we can integrate and write custom regex rules where we can specify URLs or links that cannot be accessed by certain countries or specific IPs. For example, if we have a back-end that is supposed to be accessed only by UAE users, we can say that this specific URL can be accessed only from UAE. If a user is sitting outside UAE, they cannot access the back-end.
AWS WAF helps to address potential threats through monitoring. AWS WAF is used to protect us from users who are not supposed to access our system, so we can configure monitoring here. We can additionally configure CloudWatch to know if some IPs are coming to our application that are not supposed to access it.
The biggest benefit of AWS WAF for us is to filter malicious requests, so we can protect our environment and application from malicious actors.
For improvement in AWS WAF, we can have better monitoring. One of the things that should be improved in AWS WAF is the monitoring; we need to identify the requests and where they are coming from.
If it's a bot, we should differentiate the requests, whether they are automated or not. The way we see it now is just mentioned as a percentage from bots and actual users, which should include proper graphs and detailed information. We also need a feature where we can filter specific requests. If there are scripts in the requests, we should be able to filter those requests to see if there are any scripts running from them.
We have been working with AWS WAF for almost four years.
We faced issues with AWS WAF when writing the custom rules. Sometimes the rules didn't work, so we need to go back and ensure we have a proper rule set to make sure our AWS WAF rule does what it's supposed to do.
Negative
Regarding the setup of AWS WAF, if you go with the managed rules, it is pretty straightforward. However, if you're writing your own custom rules, it will be a little complex, and it needs tuning as well. For example, if you apply a rule, you need to monitor it to ensure it works properly and does not block genuine users; it should only block malicious requests. So, in that scenario, it is a little complex—you need to monitor and be aware of what you're applying there, and tuning is needed. There's always room for progress and improvement.
The setup for custom rules takes hardly 30 to 40 minutes, not more than that.
We did it ourselves without using any integrator, reseller, or consultant for the deployment.
AWS WAF is affordable; it depends on the number of rules you apply.
The licensing cost for AWS WAF is just pay-as-you-go; it is a service-based model.
I recommend that those considering AWS WAF should be aware that one drawback is that AWS WAF does not directly support DDoS protection. It is a web application firewall, but it will not support DDoS protection. It will give you some protection against attacks such as man-in-the-middle, but if there's request flooding, it will not help, so you need to consider something else for DDoS protection.
On a scale of one to ten, I would give AWS WAF a rating of eight.
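The reviewer above wants to see which requests a rule hit, where they came from, whether they were bots, and whether a request carried a script. The log records AWS WAF delivers to S3, Kinesis Data Firehose or CloudWatch Logs carry most of that already: client IP and country, the terminating rule, Count-mode hits under nonTerminatingMatchingRules, Bot Control labels when that managed group is in the web ACL, and, for SQLi and XSS matches, the matched fragment in the rule match details. The script below is an added example of reading those records offline; it is not the reviewer's or AWS's code. The six log lines are constructed for the example and only populate the fields the script reads, and the SCRIPT_MARKERS list is an assumed set of crude patterns, not an AWS feature.

```python
"""Added example (not from the page's reviewers or from AWS): offline triage
of AWS WAF log records. SAMPLE_LOG is constructed; SCRIPT_MARKERS is an
assumption used only to flag URIs/args worth a closer look."""
import json
from collections import Counter
from urllib.parse import unquote_plus

BOT_PREFIX = "awswaf:managed:aws:bot-control:"   # label namespace of AWS Bot Control
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "' or ", "union select")  # assumption

# Constructed JSON-lines records in the WAF logging schema (RFC 5737 test addresses).
SAMPLE_LOG = r'''
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"CrossSiteScripting_QUERYARGUMENTS","action":"BLOCK","ruleMatchDetails":[{"conditionType":"XSS","location":"QUERY_STRING","matchedData":["<script>"]}]}}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","country":"RU","httpMethod":"GET","uri":"/search","args":"q=%3Cscript%3Ealert(1)%3C%2Fscript%3E","headers":[{"name":"User-Agent","value":"python-requests/2.31"}]},"labels":[{"name":"awswaf:managed:aws:bot-control:signal:non_browser_user_agent"}]}
{"timestamp":1700000001000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":{"ruleId":"SQLi_QUERYARGUMENTS","action":"BLOCK","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"QUERY_STRING","matchedData":["'","or","1=1"]}]}}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.23","country":"CN","httpMethod":"GET","uri":"/login","args":"user=admin%27+or+1%3D1--","headers":[]},"labels":[]}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","ruleGroupList":[],"nonTerminatingMatchingRules":[{"ruleId":"admin-ae-only","action":"COUNT"}],"httpRequest":{"clientIp":"192.0.2.44","country":"DE","httpMethod":"GET","uri":"/admin/users","args":"","headers":[]},"labels":[]}
{"timestamp":1700000003000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"192.0.2.10","country":"US","httpMethod":"GET","uri":"/","args":"","headers":[]},"labels":[{"name":"awswaf:managed:aws:bot-control:bot:category:search_engine"},{"name":"awswaf:managed:aws:bot-control:bot:verified"}]}
{"timestamp":1700000004000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.5","country":"AE","httpMethod":"GET","uri":"/admin/users","args":"","headers":[]},"labels":[]}
{"timestamp":1700000005000,"action":"BLOCK","terminatingRuleId":"blocklist","terminatingRuleType":"REGULAR","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","country":"RU","httpMethod":"POST","uri":"/api/login","args":"","headers":[]},"labels":[]}
'''

def parse(text):
    """One JSON object per line, as WAF delivers them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def matched_data(rec):
    """matchedData from every place WAF puts it: top level for plain SQLi/XSS
    statements, inside ruleGroupList for rules that live in a rule group."""
    out = []
    for d in rec.get("terminatingRuleMatchDetails") or []:
        out += d.get("matchedData", [])
    for group in rec.get("ruleGroupList") or []:
        for d in (group.get("terminatingRule") or {}).get("ruleMatchDetails") or []:
            out += d.get("matchedData", [])
    return out

def has_script(rec):
    """Crude marker scan over the decoded path and query string (no body in WAF logs)."""
    req = rec["httpRequest"]
    decoded = unquote_plus(req["uri"] + "?" + req.get("args", "")).lower()
    return any(m in decoded for m in SCRIPT_MARKERS)

def triage(records):
    """Who is being blocked by what, which Count rules fired, bot share, payloads."""
    rep = {"actions": Counter(), "blocked_by_rule": Counter(), "blocked_ips": Counter(),
           "blocked_countries": Counter(), "counted_rules": Counter(),
           "bot_requests": 0, "verified_bots": 0, "script_payloads": []}
    for r in records:
        req = r["httpRequest"]
        rep["actions"][r["action"]] += 1
        if r["action"] == "BLOCK":
            rep["blocked_by_rule"][r["terminatingRuleId"]] += 1
            rep["blocked_ips"][req["clientIp"]] += 1
            rep["blocked_countries"][req["country"]] += 1
        for hit in r.get("nonTerminatingMatchingRules") or []:
            if hit["action"] == "COUNT":       # what a Count-mode rule would have done
                rep["counted_rules"][hit["ruleId"]] += 1
        labels = {lab["name"] for lab in r.get("labels") or []}
        if any(lab.startswith(BOT_PREFIX) for lab in labels):
            rep["bot_requests"] += 1
        if BOT_PREFIX + "bot:verified" in labels:
            rep["verified_bots"] += 1
        md = matched_data(r)
        if md or has_script(r):
            rep["script_payloads"].append((req["clientIp"], req["uri"], md or ["(marker in uri/args)"]))
    return rep

if __name__ == "__main__":
    report = triage(parse(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over the real log export and the "counted_rules" entry is the number to watch while a new rule sits in Count: once it stops hitting legitimate paths, the rule is ready for Block. The bot counters depend on the Bot Control managed group being in the web ACL; without it no bot labels are written.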

I use AWS WAF to block public-facing web applications that receive suspicious traffic and to block any IP addresses.
I had an issue in my current role where we were receiving suspicious unwanted traffic and unwanted threats from other IPs.
I was seeing suspicious attacks such as SQL injection attempting to get into our network and our web application. AWS WAF helped me handle it by allowing me to develop a web-based rule. I used it to blacklist all those IPs, and I also used it at the level of CloudFront and the load balancer to protect all of the different traffic coming from that particular IP.
The good thing about it is that I also chose to blacklist a particular IP that I knew was where those threats were coming into our environment and posed an attack into our environment. At the end of the day, this malicious traffic was reduced significantly, and we also maintained our application availability.
AWS WAF has also helped me protect our load balancer. I configured web applications at the level of the load balancer, which also helped to block any suspicious and malicious activity coming from outside into our web application. It has really helped me to make sure that unwanted threats and unwanted suspicious traffic did not get into our application.
AWS WAF offers a great feature that allows you to blacklist different IP addresses. It is not just one IP address; you can use it to blacklist as many as possible that you are suspecting of malicious activities. It is not just about blocking one particular IP; you use it to block as many as you can. This is one of the best features, and you can also use it to block SQL injections and any abusive IPs.
AWS WAF uses managed and custom rules, so you can easily enable those managed rules and customize the ones you need to customize.
It is pretty much simple, and with a few clicks, you will be able to enable those rules and set them up.
AWS WAF has helped to strengthen the security of my environment. It has also helped to improve the posture of our application, prevent all DDoS attacks, and unnecessary traffic and SQL injection that is reducing the performance of our application.
AWS WAF has helped to speed up our processes because it is all about automation. It helps to speed up our application, and our application works better because all this other traffic was already blocked. When you block that traffic, especially traffic coming from DDoS attacks that are slowing down performance, it makes a significant difference.
AWS WAF can be improved if the dashboard is enhanced in such a way that everything will be displayed automatically without you going in there to see what is going on. Once you log into your dashboard, you will be able to see everything.
I think that is something that needs to be improved, but overall, it is a very good tool.
I have been using AWS WAF for over five years.
AWS WAF is stable because it blocks malicious and bot traffic before it reaches the application. Since it protects web applications from common attacks such as SQL injection and XSS, it is very stable. It also uses custom rules, so it is very stable.
AWS WAF does scale in the sense that it is fully managed and has automatic scaling. There is no infrastructure to provision or manage, making it scalable.
I have a very positive experience with the support team for AWS WAF. They reach out when you send them a ticket, and within 24 hours or less, someone is able to get back to you to solve your problem.
Negative
When it comes to money saved, AWS WAF has helped us to save money.
It reduced cost because we did not hire more security personnel. With AWS WAF, it is easier for us to block unwanted malicious DDoS attacks and threats from coming into our web application. It helps to reduce cost because we do not have to employ more engineers. Two or three security engineers were able to work in my environment instead of employing more security engineers. It helps to prevent cost by reducing the number of engineers needed.
We are using AWS WAF in the public cloud.
The advice I am going to give to others looking into using AWS WAF is that they need to start with using the managed rules provided by AWS. They also need to use their rate-based rules to protect other traffic and monitor AWS logs in CloudWatch to find out what is going on because CloudWatch is more of a watchdog.
Additionally, they need to regularly review their rules to reduce any false positives that might be coming into their environment, and they also need to automate alerts and responses where possible to have great visibility into their environment. They should treat AWS WAF as a living security control, monitoring, tuning, and improving it continuously, and they should deploy in count mode first to avoid blocking any legitimate users.
AWS WAF is scalable and fully managed because it automatically adjusts to traffic demand without requiring any infrastructure change. This is one of the strongest features of AWS WAF that makes it more recommendable and user-friendly. I would rate this product 9 out of 10.
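The two reviews above describe the same rule set from opposite ends: the first reviewer's path that only UAE users may reach, and this reviewer's advice to block listed IPs, add a rate-based rule, and deploy every new rule in Count mode before switching it to Block. The block below is an added example, not code from either reviewer or from AWS: it builds those rules in the WAFv2 rule schema that create_web_acl accepts and then runs a small offline simulation of how the web ACL evaluates them, so a rule can be tried in Count and promoted once its metric looks clean. The IP set ARN, the addresses and the requests are placeholders, and the evaluate function is an approximation of the service's ordering (lowest Priority first, Allow and Block terminate, Count does not; only the statement types used here are modelled).

```python
"""Added example, not code from the page's reviewers or from AWS: WAFv2 rule
statements for a country-restricted path, an IP blocklist and a rate limit,
plus an offline approximation of web ACL evaluation for tuning Count rules.
All ARNs, addresses and requests are constructed placeholders."""
import ipaddress
import posixpath
from collections import Counter

def visibility(name):
    # Required on every rule; MetricName is what you graph in CloudWatch.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}

def path_country_rule(name, prefix, countries, priority, action="Count"):
    """Requests whose path starts with `prefix` but do not come from `countries`.
    The UAE-only back-end is prefix="/admin", countries=["AE"].
    Starts in Count so the metric can be checked before switching to Block."""
    return {"Name": name, "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"ByteMatchStatement": {
                    "SearchString": prefix,          # boto3 wants bytes: prefix.encode()
                    "FieldToMatch": {"UriPath": {}},
                    # normalise first so /x/../admin cannot dodge the prefix check
                    "TextTransformations": [{"Priority": 0, "Type": "NORMALIZE_PATH"}],
                    "PositionalConstraint": "STARTS_WITH"}},
                {"NotStatement": {"Statement": {
                    "GeoMatchStatement": {"CountryCodes": countries}}}}]}},
            "Action": {action: {}}, "VisibilityConfig": visibility(name)}

def ip_block_rule(name, ipset_arn, priority):
    return {"Name": name, "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": ipset_arn}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}

def rate_rule(name, limit, priority):
    # Requests per source IP over the trailing window (300 s unless EvaluationWindowSec is set).
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}

def set_action(rules, name, action):
    """Promote a tuned Count rule to Block (or demote a noisy one)."""
    for rule in rules:
        if rule["Name"] == name:
            rule["Action"] = {action: {}}
    return rules

# ---- offline approximation of the service's evaluation ----
def _matches(stmt, req, ctx):
    if "AndStatement" in stmt:
        return all(_matches(s, req, ctx) for s in stmt["AndStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not _matches(stmt["NotStatement"]["Statement"], req, ctx)
    if "ByteMatchStatement" in stmt:   # only STARTS_WITH on a normalised path is modelled
        return posixpath.normpath(req["uri"]).startswith(stmt["ByteMatchStatement"]["SearchString"])
    if "GeoMatchStatement" in stmt:
        return req["country"] in stmt["GeoMatchStatement"]["CountryCodes"]
    if "IPSetReferenceStatement" in stmt:
        nets = ctx["ip_sets"][stmt["IPSetReferenceStatement"]["ARN"]]
        return any(ipaddress.ip_address(req["ip"]) in n for n in nets)
    if "RateBasedStatement" in stmt:
        return ctx["ip_counts"][req["ip"]] > stmt["RateBasedStatement"]["Limit"]
    raise ValueError(f"statement not modelled: {list(stmt)}")

def evaluate(rules, req, ctx, default_action="Allow"):
    """Returns (final action, terminating rule name, names of Count rules that hit)."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], req, ctx):
            action = next(iter(rule["Action"]))
            if action == "Count":
                counted.append(rule["Name"])
                continue
            return action, rule["Name"], counted
    return default_action, "Default_Action", counted

def run(rules, batch, ip_sets):
    """Evaluate a batch that stands in for one rate window."""
    ctx = {"ip_sets": ip_sets, "ip_counts": Counter(r["ip"] for r in batch)}
    return [evaluate(rules, r, ctx) for r in batch]

# Placeholder ARN and RFC 5737 test addresses, constructed for the example.
IPSET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocklist/PLACEHOLDER"
IP_SETS = {IPSET_ARN: [ipaddress.ip_network("203.0.113.0/24")]}

def build_rules():
    return [ip_block_rule("blocklist", IPSET_ARN, 0),
            rate_rule("rate-limit", 1000, 1),
            path_country_rule("admin-ae-only", "/admin", ["AE"], 2)]

SAMPLE = [{"ip": "198.51.100.7", "country": "AE", "uri": "/admin/users"},
          {"ip": "198.51.100.8", "country": "DE", "uri": "/static/../admin/users"},
          {"ip": "203.0.113.9", "country": "AE", "uri": "/admin/users"}]

if __name__ == "__main__":
    rules = build_rules()
    for req, res in zip(SAMPLE, run(rules, SAMPLE, IP_SETS)):
        print(req["country"], req["uri"], "->", res)
    set_action(rules, "admin-ae-only", "Block")          # promote after review
    print(run(rules, SAMPLE[1:2], IP_SETS))
```

The second sample request shows why the path normalisation matters: without it, "/static/../admin/users" would not start with "/admin" and the rule would never see it. The simulation counts a whole batch as one window; the real service keeps a trailing window and takes a little time to start blocking a source that crosses the limit, so a short burst may get through before the rate-based rule engages.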
My main use case for AWS WAF is for firewalling the web application in our company. We use it not only in AWS but also in other public clouds and reference from other public clouds into AWS WAF. In our environment, we use AWS WAF to defend our web application firewall, ensuring that this application will be protecting our web application itself.
The best features AWS WAF offers include defending against OWASP, which is the most valuable; however, sometimes it is too sensitive and sometimes it is not sensitive enough in making sure that the data itself is secure or already filtered.
In our day-to-day use, defending, allowing, and blocking with OWASP is better with the filtering, and our findings in the logs can be from an anonymous IP from a VPN or from any malicious attack that uses VPN-related IPs.
AWS WAF has positively impacted our organization by improving our defense from our WAF firewalling the web application, including production and non-production environments. We have a single source of truth for all of our web application firewalls in another public cloud, which we use not only in AWS but also in other public clouds. The specific outcomes showing how AWS WAF has helped our organization include improving our security posture by reducing the attack surface and reducing malicious attacks.
AWS WAF can be improved by not being too sensitive for some data because with some XML, it is sometimes very sensitive. When we upload videos or photos, it is flagged as a malicious pattern, and sometimes it is not sensitive enough because some query patterns that have the capability to perform malicious actions still result in false positives from AWS.
It would be better for AWS WAF if it not only had logs but also specific payloads or something that directly included the specific logs so we can have more detail in our analysis. I think it should be better if they improve their capabilities in reducing the attack surface and also have better visibility for OWASP top 10 web applications and the API.
Regarding AWS WAF's AI capabilities, its governance and security are very good because our attack surface is mostly reduced. The new dashboard is a bit complicated; it is easier for non-technical users, but for technical professionals, it is sometimes confusing. While the security itself is good and the governance is good, I think it needs to improve the UI or the flow itself.
The accuracy and reliability of AWS WAF's output is better than others. With the free version, it has a good filter with the attack surface and the reliability is good, but sometimes we need to adjust. With the free version, we also have to pay some amount of money if the number exceeds the default provided by AWS.
I have been using AWS WAF for more than two years.
My advice for others looking into using AWS WAF is that if you are confident, the free version could cover most of the attack surfaces, but you still need to review the logs because you cannot be confident with the free version alone. Sometimes you need to tune it up, but it is easier to tune up the regex and the rules inside the JSON in AWS WAF. It is best practice to utilize at least most of the free version as it can help significantly with attack surface reduction. I would rate this solution a 9 out of 10.
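The reviewer above hits the usual managed-rule problem: body-inspecting sub-rules flag legitimate photo, video and XML uploads. The fix that keeps the rest of the group intact is a count-mode run, then a RuleActionOverrides entry that demotes only the noisy sub-rules to Count, then a custom rule that re-arms each demoted sub-rule everywhere except the upload path by matching the label the managed group still adds. The block below is an added example of that loop and is not the reviewer's or AWS's code. Assumptions not on the page: the three log lines are constructed; the sub-rule and label names follow AWS's published naming for AWSManagedRulesCommonRuleSet and must be checked against the documentation for the group version you deploy; "/upload" is a placeholder path.

```python
"""Added example, not code from the page's reviewers or from AWS: read a
count-mode log, demote the sub-rules that fired on known-legitimate upload
paths, and re-arm them off those paths with a label-match rule.
Log records are constructed; rule and label names need checking against the
AWS managed rule group docs for the version in use."""
import json
import posixpath
from collections import Counter

GROUP = "AWSManagedRulesCommonRuleSet"
LABEL_NS = "awswaf:managed:aws:core-rule-set:"      # label namespace of that group
# Labels the group adds even when the sub-rule is overridden to Count
# (documented names; verify for your group version).
LABELS = {"SizeRestrictions_BODY": LABEL_NS + "SizeRestrictions_Body",
          "CrossSiteScripting_BODY": LABEL_NS + "CrossSiteScripting_Body"}

# Constructed count-mode log excerpts; only the fields read below are filled in.
COUNT_MODE_LOG = r'''
{"action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}],"httpRequest":{"uri":"/upload/photo"}}
{"action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","nonTerminatingMatchingRules":[{"ruleId":"CrossSiteScripting_BODY","action":"COUNT"}]}],"httpRequest":{"uri":"/upload/metadata.xml"}}
{"action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","nonTerminatingMatchingRules":[{"ruleId":"CrossSiteScripting_QUERYARGUMENTS","action":"COUNT"}]}],"httpRequest":{"uri":"/search"}}
'''

def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}

def noisy_subrules(log_text, legit_prefixes):
    """Sub-rules that fired on paths you know are legitimate: override candidates.
    Hits on any other path are left alone; they may be real attacks."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        uri = posixpath.normpath(rec["httpRequest"]["uri"])
        if not any(uri.startswith(p) for p in legit_prefixes):
            continue
        for group in rec.get("ruleGroupList") or []:
            for sub in group.get("nonTerminatingMatchingRules") or []:
                if sub["action"] == "COUNT":
                    hits[sub["ruleId"]] += 1
    return dict(hits)

def managed_group_rule(priority, overrides):
    """The managed group with the noisy sub-rules demoted to Count.
    A rule group reference takes OverrideAction, never Action; None keeps the
    group's own Block for every sub-rule that is not overridden."""
    return {"Name": "common-rule-set", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": GROUP,
                "RuleActionOverrides": [{"Name": n, "ActionToUse": {"Count": {}}}
                                        for n in overrides]}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility("common-rule-set")}

def rearm_rule(priority, subrule, exempt_prefix):
    """Block on the demoted sub-rule's label everywhere except under exempt_prefix.
    Must carry a higher Priority number than the group, or the label is not set yet."""
    label = LABELS.get(subrule, LABEL_NS + subrule)   # fallback needs checking
    return {"Name": f"rearm-{subrule.lower()}", "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
                {"NotStatement": {"Statement": {"ByteMatchStatement": {
                    "SearchString": exempt_prefix,    # boto3 wants bytes: .encode()
                    "FieldToMatch": {"UriPath": {}},
                    "TextTransformations": [{"Priority": 0, "Type": "NORMALIZE_PATH"}],
                    "PositionalConstraint": "STARTS_WITH"}}}}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility(f"rearm-{subrule.lower()}")}

def build_rules(log_text, exempt_prefix):
    overrides = sorted(noisy_subrules(log_text, [exempt_prefix]))
    rules = [managed_group_rule(0, overrides)]
    rules += [rearm_rule(i + 1, sub, exempt_prefix) for i, sub in enumerate(overrides)]
    return rules

if __name__ == "__main__":
    print(json.dumps(build_rules(COUNT_MODE_LOG, "/upload"), indent=2))
```

An override to Count switches the sub-rule off for every request, not just uploads, which is why the re-arm rules exist; without them the XML and body checks would be gone site-wide. The search-page hit in the sample is deliberately not overridden, since a body or query-argument match on a path that does not take uploads is exactly what the group is there to catch.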

I used AWS WAF for the Web Application Firewall, which has the same use cases that AWS makes possible.
I have been using AWS WAF for two years. The initial setup is easy. The stability of AWS WAF is generally good; I think that is usually managed by AWS, so I do not need to take care of it.
I do not prefer AWS WAF that much; it is nothing great. If you are looking for something that has low latency, you can use it; otherwise, I would not recommend it.
The issue with AWS WAF is that the rule structure is very complicated and it is very hard to maintain. The level of granularity is not great, and as you cross a certain threshold, the cost goes up by twenty or thirty percent every time. It is not something that is exceptional.
When I say that the rule structure is complicated, I can explain that the default rules AWS provides that you can plug and play are acceptable, but if I want to use extra rules, I will have to end up paying for it, which is very expensive. Also, if I want to write my own custom rule, it requires a lot of effort, and there is not that much customizability available, so that is a limitation.
I have been using AWS WAF for about two years.
I have contacted AWS for support and they are very good.
I would not recommend AWS WAF; I would recommend something else. I gave this review a rating of 5.
Neutral

I am working on AWS Web Services to manage infrastructure as a platform. I use services like KMS, EBS, CloudFront, S3, and EC2. I also work on WAF version two.
AWS WAF has provided great insights about requests, helping secure our infrastructure. It contributes by continuing to get the latest security updates without administrative overhead.
The automation of blocking for security attacks is valuable, with AWS applying rate limiting. The custom rules depend on rate limiting and origin address to secure infrastructure. OWASP integration with reverse proxy APIs like Kong API supports security against potential attacks.
In future improvements, I plan to add security testing inside my pipeline and create new dashboards for observability. Compatibility and integration functionalities, especially with services like Kafka for event-driven messaging, could be better.
The overall stability of AWS WAF has been good without any issues.
AWS WAF scales well and does not have scalability issues.
I have not escalated any questions to AWS tech support regarding the WAF solution.
Positive
Previously, I worked as a data center engineer with firewall systems including WatchGuard and Sophos.
The initial setup can be straightforward through the GUI but may require following AWS documentation and preparation. Deployment through Terraform is preferred as it allows the description of all infrastructure through code.
From a cost perspective, AWS WAF is essential for security but can be costly. However, I have not heard any negative feedback from my manager regarding its cost.
Pricing is reasonable depending on the organization’s needs. Some organizations might find it costly, leading them to other solutions like OWASP.
Some organizations try to avoid AWS WAF due to cost and use OWASP with reverse proxies instead.
I recommend AWS WAF version two to any organization because it's a great tool for managing security and reducing administrative overhead.
I would rate it an eight out of ten.

I use AWS WAF instead of our load balancers. I have custom rule sets that are customized, as well as managed rule sets provided by AWS. I do some customization and also use the out-of-the-box configuration in certain places.
The cloud-native nature of AWS is crucial since most of our workload is in AWS, making AWS WAF native to Amazon Web Services. This aspect is the most important reason for switching to AWS WAF.
Additionally, the ease of creating and enforcing new rules and studying them is a valuable feature for me. I switched from other vendors to prioritize AWS WAF for better control within our infrastructure.
The dashboarding could be improved, and the default metrics provided by AWS WAF could be upgraded. The rate at which AWS updates their managed rule sets could be better. Features like bot protection or DDoS mitigation, available with other WAF vendors, do not come natively with AWS WAF. Instead, they are part of AWS Shield. Providing DDoS protection as part of their WAF solution would be beneficial.
I have been working with AWS for about five years now.
Technical support from AWS is quite good. While not specific to WAF, their customer support is really good.
Neutral
Previously, when working with customers who were using AWS WAF, my organization also used AWS WAF and other web security products. We worked with Cloudflare and Imperva for a long time. After Imperva, we switched to AWS mainly for cost optimization.
Anyone with workloads on AWS seeking protection for their web applications should consider AWS WAF if they can handle the overhead of custom rule sets.
I would rate it as seven out of ten.
AWS WAF is a firewall that protects web applications by filtering and monitoring HTTP traffic between web applications and the network. I use it for protecting infrastructure that has sensitive data, including personal identification information like Social Security numbers. AWS WAF promotes the security of this data by preventing leakage.
AWS WAF acts as a barrier, analyzing HTTP communications between external users and web applications. It gives flexibility in HTTP communication, which is a feature I like.
AWS doesn't need improvement with AWS WAF. However, there may be room for improvement in RDS services and EKS services. The purpose of AWS WAF is clear: whether it allows or blocks connections, its goal is to ensure the safety and security of private subnets.
AWS WAF has been used for almost five years, starting with a proof of concept in 2019.
AWS WAF is stable. There have not been significant issues, and it functions like a firewall.
AWS is questioned for how much scalability can be achieved in terms of vCPUs and handling capacity, yet AWS WAF itself handles the configurations well.
Amazon's support is mixed. Technically knowledgeable people are part of the support team. That said, there are promises made, especially during sales pitches, that often don't match reality. There is a lot of innovation talk, yet implementation might be lacking.
Neutral
A proof of concept was done with AWS and Oracle Cloud Infrastructure (OCI), even though OCI offered better efficiency and cost benefits.
Setting up AWS WAF is straightforward; you create a subnet VPC and attach it, which is simple.
For Kubernetes microservices, AWS is more expensive compared to OCI. AWS costs approximately 70 cents per hour, while OCI is 50% cheaper. AWS pricing perspective is considered expensive, especially for Kubernetes and RDS. OCI offers lower costs with better efficiency.
Oracle Cloud Infrastructure (OCI) was evaluated alongside AWS, and while OCI was preferred for efficiency and cost benefits, AWS was selected due to governmental requirements.
Technological understanding is crucial for AWS products like AWS WAF. This understanding separates out the simple setup process from understanding the underlying complex mechanisms.
I'd rate the solution four out of ten.
I use AWS WAF to protect web applications and web traffic. It handles application input and throughput - typical web application firewall tasks.
We integrate AWS WAF with several platforms within cloud hosting and other security solutions and provisions in our business. Regarding AI, it's been around for about 20 years, so it's not new. It's just a new buzzword. I've been in security for 30 years and remember using AI when I started 25-30 years ago. We have multiple forms of AI within our business.
We're considering replacing it shortly, so I've looked at alternatives like Aqua and others.
I'd like to see improvements in its usability and functionality. I'm also concerned about being too dependent on the cloud provider's WAF version. For security, using multiple vendors and not putting all our eggs in one basket is better.
The functionality I'd like to see improved is mainly around the applications and cloud integration elements.
I have been working with the product for three years.
We haven't encountered any stability issues.
The solution is scalable and my company has 30,000 users.
The solution's support is quite good and fair.
I see several pros and cons when I compare AWS WAF to other WAF products. The main advantages are that the AWS Firewall functionality integrates well, it's easy to deploy and select, and the implementation is straightforward. The integration with AWS is also very good. However, the main drawback is that while it works well in the AWS environment, it doesn't necessarily work as well for other cloud or on-premise setups.
The initial setup of the AWS WAF solution always has complexities, regardless of which solution you choose. Our organization is multi-tenant, multi-hosted, multi-cloud, multi-located, and international, so we always face challenges during implementation. No matter how good the product is, there will always be challenges.
For implementation, we usually follow a TOGAF model for project planning. Sometimes, we use a waterfall approach, but we stick to TOGAF mostly. Some parts of the business use Agile, but I don't typically use Agile for WAFs.
From a maintenance perspective, AWS WAF isn't any more difficult to maintain than other solutions. I've had experience with nearly all the WAFs out there, and they're all pretty much the same in terms of maintenance, regardless of the service provider.
I rate the overall solution a six out of ten.

My usual use case involves monitoring incoming calls and services deployed in AWS cloud. Security and privacy are primary concerns, so we use AWS WAF to monitor and ensure that only appropriate calls are allowed. AWS Shield is also used to protect against DDoS attacks, but I'm using the basic free version due to budget constraints.
AWS WAF has helped to improve the security of our products by filtering web app traffic and specifying conditions such as IP addresses and HTTP headers. These features, along with others, have enhanced the overall security and effectiveness of our applications. The integration with IAM restricts access to the server, providing additional security.
One of the most valuable features of AWS WAF is its ability to filter web app traffic, allowing us to specify conditions such as IP addresses and HTTP headers. We can create rules accordingly to prevent attacks, like SQL injection and cross-site scripting. AWS WAF, combined with firewall manager, enhances security by allowing us to specify security rules. Custom rules are useful for allowing access to specific traffic, and AWS WAF handles false positives by limiting requests from certain IPs or setting geographic match conditions.
I find the documentation somewhat complex to implement during the initial stages. If it were made simpler and more user-friendly, with the right examples provided, it would be more helpful.
I have been working with AWS WAF for almost six years.
AWS WAF provides a stable environment by preventing unknown attacks, allowing us to deploy services securely. I rate the stability as nine out of ten. It ensures that our applications run without security concerns.
I rate the scalability of AWS WAF as a seven out of ten. It adapts well to our needs and serves its purpose effectively.
The customer service and support from AWS are excellent. I rate them ten out of ten. My interactions have been positive, with prompt responses to issues like quota requests and additional resource allocations.
Positive
Before AWS WAF, we used Azure but did not deploy these specific solutions on it. We migrated to AWS to fully utilize their security features.
The initial setup was complex, with a steep learning curve related to rules and implementation. I would rate the initial setup experience as a six out of ten, as it took substantial time to get everything functioning smoothly.
We managed the deployment process internally without needing external assistance. Our team uses automated deployment strategies via GitLab, which automates deployment across various environments.
Using solutions deployed in AWS cloud enhances customer satisfaction since AWS is a well-known and widely accessible cloud service provider.
The pricing is reasonable when using free credits; otherwise, it would be rated a six in terms of cost.
I did not evaluate other options extensively as AWS WAF with Firewall Manager seemed to offer the best security strategy.
Properly go through the documentation and reference examples. Understand your use cases and apply the correct rules for the solution. AWS support can assist with setup and implementation.
I rate the overall solution as nine out of ten.