AWS WAF Overview

AWS WAF is the #4 ranked solution in top Web Application Firewalls. PeerSpot users give AWS WAF an average rating of 7.8 out of 10. AWS WAF is most commonly compared to Microsoft Azure Application Gateway. AWS WAF is popular among the large enterprise segment, accounting for 65% of users researching this solution on PeerSpot. The professionals researching this solution most often come from computer software companies, accounting for 21% of all views.
AWS WAF Buyer's Guide

Download the AWS WAF Buyer's Guide including reviews and more. Updated: December 2022

What is AWS WAF?

AWS Web Application Firewall (WAF) is a firewall security system that monitors incoming and outgoing traffic for applications and websites based on your pre-defined web security rules. AWS WAF defends applications and websites from common web attacks that could otherwise damage application performance and availability and compromise security.

You can create rules in AWS WAF that can include blocking specific HTTP headers, IP addresses, and URI strings. These rules prevent common web exploits, such as SQL injection or cross-site scripting. Once defined, new rules are deployed within seconds, and can easily be tracked so you can monitor their effectiveness via real-time insights. These saved metrics include URIs, IP addresses, and geo locations for each request.

AWS WAF Features

Some of the solution's top features include:

  • Web traffic filtering: Get an extra layer of security by creating a centralized set of rules, easily deployable across multiple websites. These rules filter out web traffic based on conditions like HTTP headers, URIs, and IP addresses. This is very helpful for protection against exploits such as SQL injection and cross-site scripting as well as attacks from third-party applications.
  • Bot control: Malicious bot traffic can consume excessive resources and cause downtime. Gain visibility and control over bot traffic with a managed rule group. You can easily block harmful bots, such as scrapers and crawlers, and you can allow common bots, like search engines and status monitors.
  • Fraud prevention: Effectively defend your application against bot attacks by monitoring your application’s login page with a managed rule group that prevents hackers from accessing user accounts using compromised credentials. The managed rule group helps protect against credential stuffing attacks, brute-force login attempts, and other harmful login activities.
  • API for AWS WAF Management: Automatically create and maintain rules and integrate them into your development process.
  • Metrics for real-time visibility: Receive real-time metrics and captures of raw requests with details about geo-locations, IP addresses, URIs, user agents, and referrers. Integrate seamlessly with Amazon CloudWatch to set up custom alarms when events or attacks occur. These metrics provide valuable data intelligence that can be used to create new rules that significantly improve your application protections.
  • Firewall management: AWS Firewall Manager automatically scans and notifies the security team when there is a policy violation, so they can swiftly take action. When new resources are created, your security team can guarantee that they comply with your organization’s security rules.

Reviews from Real Users

AWS WAF stands out among its competitors for a number of reasons. Two major ones are its user-friendly interface and its integration capabilities.

Kavin K., a security analyst at M2P Fintech, writes, “I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through.”

AWS WAF was previously known as AWS Web Application Firewall.

AWS WAF Customers

eVitamins, 9Splay, Senao International

Archived AWS WAF Reviews (more than two years old)

Rodrigo Garcia - PeerSpot reviewer
Physical Designer at Semtech Corporation
Real User
Does what it is supposed to do, probably not in the best way and not in the best UI
Pros and Cons
  • "The access instruction feature is the most valuable. This is what we use the most."
  • "It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful. It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one. Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right."

What is our primary use case?

The regular use case is basically for blocking or giving access to different vendors to different domains. We also use it for managing and identifying the attacks and new rules that we should implement for our public domains to tune up the application firewall or tool, whatever makes more sense for us.

We're using it through the web console and API. We're just using the managed service.

How has it helped my organization?

Our organization is launching a lot of betas. We are creating a lot of new different systems for different customers. AWS WAF helps us a lot to make sure that the right customer gets the right access to the system.

What is most valuable?

The access instruction feature is the most valuable. This is what we use the most.

What needs improvement?

It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful.

It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one.

Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right.

Buyer's Guide
AWS WAF
December 2022
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: December 2022.
656,862 professionals have used our research since 2012.

For how long have I used the solution?

I have been using AWS WAF for about six months.

What do I think about the stability of the solution?

Stability-wise, it works as expected.

What do I think about the scalability of the solution?

I definitely see places where it can be more designed to scale. In addition to Amazon resources, there is some stuff from other vendors that we wanted to protect. WAF was not a solution for us because we don't have a way to integrate with those things. That was the biggest challenge that we faced. In terms of the number of users, our end users could be in the thousands.

How are customer service and support?

It is okay.

How was the initial setup?

It was okay. We went for CloudFormation, and our deployments happen probably every week.

What about the implementation team?

Everything is managed through CloudFormation. After implementation, three or four hours a week are required for maintenance.

What's my experience with pricing, setup cost, and licensing?

We are kind of doing a POC comparison to see what works best. Pricing-wise, AWS is one of the most attractive ones. It is fairly cheap, and we like the pricing part. We're trying to see what makes more sense operation-wise, license-wise, and pricing-wise.

What other advice do I have?

I won't recommend it at the moment because I don't have a full picture to recommend it or say that it is bad or good. I'll probably just keep testing and go with it for probably another six months or a year, and then I can probably recommend it or not. 

Other vendors are also providing solutions for DDoS protection and WAF. It would be nice to see something outside the box for AWS WAF to make it compete with other vendors.

I would rate AWS WAF a seven out of ten. It does what it is supposed to do, probably not in the best way and not in the best UI, but it works. We like the pricing part, but management is the thing that we don't love the most. If things keep improving, we're definitely going to scale with AWS WAF.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
President at a tech services company with 1-10 employees
Real User
It is a scalable, stable solution but needs simpler setup and pricing schemes.
Pros and Cons
  • "Its best feature is that it is on the cloud and does not require local hardware resources."
  • "The pricing model is complicated."
  • "The setup is complicated."

What is our primary use case?

My whole business is cloud cost management. What I do is help people manage expenses. That encompasses everything from cleaning up software as a service subscriptions to optimizing AWS. My use cases for AWS WAF have to do with cloud research only.  

What is most valuable?

The best part about it is that it is a cloud solution.  

What needs improvement?

The complexity of deploying turnkey solutions could be simplified.  

They actually have too many different things that you can tinker with and too many different ways to do the same thing. It may be helpful if the product were to be more directed and if it used best practices with technical and non-technical users in mind.  

For how long have I used the solution?

We have been using WAF (Web Application Firewall) for six months.  

What do I think about the stability of the solution?

WAF is very stable.  

What do I think about the scalability of the solution?

I believe WAF is very scalable.  

We have only two staff in our organization who are using AWS WAF.  

How are customer service and technical support?

Technical support is more-or-less fair. That is where most technical support falls these days.  

How was the initial setup?

The initial setup is really sorta complex. That is something which could probably be made easier.  

What's my experience with pricing, setup cost, and licensing?

The licensing costs are variable. For me, it is under a hundred dollars a month.  

The range of your costs with Amazon Web Services is going to be different depending on a lot of factors. It can go as low as actually being free all the way up to millions of dollars. It depends on the organization and how the service is used.  

What other advice do I have?

On a scale of one to ten where one is the worst and ten is the best, I would rate this product as a seven-out-of-ten. A change in the pricing structure that favors the client and simplification is something they would have to do to improve to make that score closer to a ten.  

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Vinamra Singhai - PeerSpot reviewer
Principal Engineer at Nineleaps Technology
Real User
Use this product to make it possible to deploy web applications securely
Pros and Cons
  • "This product supplies options for web security for applications accessing sensitive information."
  • "The technical support does not respond to bugs in the coding of the product."

What is our primary use case?

There are two things that we primarily use AWS WAF (Amazon Web Services Web Application Firewall) for. One use is within the company. Within the company, the intended use is to deploy our applications. It is like working with the cloud. We can start an application in S3 (Simple Storage Service), and use profiles for access to data.  

The other use is that most of our clients use a similar infrastructure. They are either using AWS, Azure or maybe Google Cloud Platform (GCP). We deploy this solution for them.  

Both uses are different. One is for the cloud solutions like AWS, Azure and GCP, and one is for the local server access. That is how you want to secure a server. You are securing a server, database, app servers, and ATA gateways. The other one is for implementing security for the AWS. You want to have both running side-by-side.  

Let me give you an example. Suppose, most of the people working for your company are connected from external locations with company-provided laptops or systems. I want to check all devices to make sure that they are being used in a secure way and not creating any breach of security. Those checks cannot be taken care of reliably from the AWS perspective. This is why you need two solutions.  

What is most valuable?

The most valuable feature is the ability to use the product to enhance security in deploying web applications.  

What needs improvement?

We have not implemented WAF completely. We are working around that issue right now in the AWS. We are creating log files and then we are using Kibana for analysis. Our WAF deployment is not perfected yet so it is not implemented as our long-term solution. It will take another month to complete the setup. I do not have the big picture on it yet in a live environment, so my view of what will need to be improved under load is limited.

I think one thing that should be available is that if there are technical problems in the AWS, then there should be automated alerts to AWS. Calling support is not that easy. It would be better to automatically send emails to them to report that there is a bug in their programming.  

I have an idea for a new feature to consider. I think the security area and other things that they provide are good, and I know there are third-party integrations. It provides a lot of value. The problem is that the 'value' of the solution makes it very costly. That is a big thing. $20,000 for this solution seems like a lot.  

Right now we are limited to only MySQL and PostgreSQL databases. There should be other options and also a way to check the security of it. I think AWS should develop and make available some kind of a management screen so we can see the logs, which servers are using the service, and how the security is performing. All we can see right now is if there are any security breaches. This is not enough information to evaluate the performance of the system.  

For example, there are a lot of people using MongoDB databases. Over the last two years, a lot of them got hacked. Mongo should have had a way to alert end users if its facilities get hacked. A manager or some administrator should receive an email saying that this or that account got hacked and there was a security breach. This would be enough notification to prompt taking other appropriate actions.  

There should also be a report or alerts which tell us that the configuration is having security issues. I think there is something called PVE security rules which might be implemented. Of course, Cisco's security rules could also be implemented. Once the rules are implemented, we know for certain if they are providing a secure connection or not. We need some type of check on the configuration that can create alerts for potential security issues and to have proper notifications.  

For how long have I used the solution?

We have been in the implementation process with the product for some time but it is not yet live because we are not totally satisfied with the setup.  

How are customer service and technical support?

I am not satisfied with AWS technical support. It is a long story. Two years back I contacted support because their code was not working. The solution itself was not perfect and there was a bug in the system. It was creating a lot of issues and there is no way to contact support. 

I tried to contact them to tell them that they had a problem with AWS, and they wanted me to pay them $200 to tell them there was a problem with their product — which is very strange. What I did instead was to send an email to their sales department at AWS to explain to them that there was a coding issue and that the software was not working as it was supposed to. After many months, they replied that this was not a problem for the sales department. They said they would forward the issue to the technical support team. When the technical support team received the information, they asked for money again to solve the problem in the coding of their own product.

I just wanted to tell them that they had a problem. They gave me a run-around and would not even look at the issue that was on their end which must have affected more clients than just me. So I think in that way, the technical support is not good. If there is a problem or a bug within the AWS services, there is no way to contact anyone for a resolution. That is a problem and not a good way to run technical support.  

Which solution did I use previously and why did I switch?

We were using ManageEngine. A problem with using ManageEngine was that ManageEngine can help in securing the servers and API gateways and app servers, but it cannot help to tell if there is any breach in security from a company-provided laptop. We needed a better solution that covered this vulnerability.  

How was the initial setup?

This product is not straightforward to set up and deploy. In the area of database security, it is especially complex. This is especially true when you want to do security for the cloud. There may be applications that will allow software on the cloud to access your in-house servers. If your in-house servers are available and there is a database, you want to secure it. You can do that more easily in-house than you can on the cloud but you have to be sure it is configured and secured properly.  

What's my experience with pricing, setup cost, and licensing?

As far as pricing considerations, there are other competitors to consider. All the solutions are not easy and all will not do exactly the same thing or even what you need. SecureSphere is expensive, I think $20,000 per year. If you go for ManageEngine or any other solution, they also go for close to $10,000. It depends on how many applications you are running and how many servers you have. They can easily run into close to $10,000 a year. Database security and application security are generally costly solutions.  

AWS is not that costly by comparison. They are maybe close to $40 per month. I think it was between $29 or $39.  

What other advice do I have?

On a scale from one to ten where one is the worst and ten is the best, I would rate this product as a seven or an eight. I do not like to give it a solid rating as of now because we are still in the process of implementing it. Once we have completed the implementation, we will be able to give you a proper answer. As recently as two weeks ago we were still considering ManageEngine, but we did finally decide in our comparisons that it cannot provide all of the features that we are looking for.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1376373 - PeerSpot reviewer
Cloud security Consultant at 8KMiles
MSP
Stable and scalable with a free-to-use version
Pros and Cons
  • "AWS has flexibility in terms of WAF rules."
  • "When users choose the free service, there isn't great support available to them."

What is our primary use case?

A primary use case example is when a customer from the cloud wants to expose his applications to the internet. We make sure that the clients, the applications, whatever they're trying to export, are public but that it's not going directly public. We make a backup, for instance, to protect the sellers and applications from security checks, etc. 

What is most valuable?

There are two models. One is, you can use the free services which you can download from the AWS website. There is also a paid version, where you can go for individual vendors, like Impala, Fortinet, and different vendors, which helps you to attain the top end web application security. It helps them to update the security patches, etc.

AWS has flexibility in terms of WAF rules. Users can choose from using a free service, which you can do from your own end, or a third-party vendor if you want to as well by choosing a paid version. WAF rules can be managed either by your own self or you can go for a third party.

The best thing with the solution is there is no hard and fast route and when I go for AWS. It's not a monopoly environment.

What needs improvement?

There isn't room for improvement per se. The cloud is constantly evolving and changing, however, so we'll see what the future brings.

When users choose the free service, there isn't great support available to them. This is because, when it comes to any issues, due to the fact that it says that when the rules are defined by the users, it becomes their responsibility. When there are any problems or threats, which don't get mitigated or the threat is not being properly managed, since the rules are owned by the user, they take responsibility for everything. It would be helpful if AWS could take a bit of responsibility here and help users understand where things went wrong.

Support wise, I don't think they are that good compared to individual vendors. When it comes to vendors, it becomes their product, and being a product owner, they take more responsibility and ownership of issues. AWS doesn't do that at all.

For how long have I used the solution?

I've been using the solution for two and a half years.

What do I think about the stability of the solution?

The solution is quite stable. We haven't run into bugs or glitches. It's reliable. You don't see any downtime.

What do I think about the scalability of the solution?

Since we're talking more about the cloud version of the web application firewall, it's highly scalable. When I say scaling, there is a concept called auto-scaling wherein you can scale up and scale down according to your amount of traffic load. It's automated, so it's highly scalable, actually.

While any company can use AWS, we see a lot of medium-sized firms using this particular solution, as opposed to larger companies, as those have already their own vendors which are already in the on-premises data centers environment.

How are customer service and technical support?

I would say from the support point of view, there should be more flexibility when it comes to when users have issues to be able to ask for their help. They need to try to go the extra mile and right now they just aren't doing that.

Which solution did I use previously and why did I switch?

We've only used AWS for a few customers. Usually, we recommend a different solution. However, it depends on the client and the type of budget that they have. As one version of AWS is free, sometimes that is the only option.

How was the initial setup?

The initial setup is not difficult. It's very straightforward.

Deployment is pretty quick and might take up to one and a half hours at most.

You don't need too many people for maintenance. If they are knowledgeable enough, a single person can handle it with no problems. They're even able to do some scripting language to handle the deployment and can set up some automation protocols as well.

When it comes to maintenance, the real challenge comes into play for mitigation. You might need maybe we need four to five people, at a large organization.

What's my experience with pricing, setup cost, and licensing?

There are two versions of the solution available, one of which is free, which is the version we use, so we don't pay for anything.

What other advice do I have?

We're using the latest version of the solution.

When customers tend to use multi-cloud vendors and multi-cloud environments, they want solid security protection. That's where the third party comes into the purchase. If any customer is specific to some cloud like AWS or Azure, we won't recommend third party. We'll try to use AWS's own specific services so that it's smarter cost-wise and flexibility-wise, so it adds value to the customer.

However, when things go to a multi-cloud environment or a hybrid cloud architecture, that's when the third party comes into the picture. 

I would recommend this solution to companies who are looking for cloud solutions with firewall flexibility. AWS is very user-friendly and largely inexpensive, however, if an organization has the budget, there are lots of great products out there that do largely the same thing.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
it_user753234 - PeerSpot reviewer
IT Governance at Globecast
Real User
Redirects any threats and attacks and protects our code
Pros and Cons
  • "The most valuable aspect is that it protects our code. It's a bit difficult to overwrite code in our application. It also protects against threats."
  • "It's a bit difficult to apply the right rules for the right security."

What is our primary use case?

Our primary use case is to protect our internal web solution. We use it to have an internal application for our customers. We are an SME worldwide company, so we have some internal website solutions architects that use this as an internal portal to the internet. We apply a WAF front to our web application.

What is most valuable?

The most valuable aspect is that it protects our code. It's a bit difficult to overwrite code in our application. It also protects against threats. It's important to protect the code against the threats on the internet. It redirects any threat, any attack, to a Fail2ban mechanism.

What needs improvement?

Sometimes it's a bit difficult to check the rules because when you apply a rule, sometimes it's too much and we need to rewrite the rules and make compromises on the rules because it will block too many things. It's a bit difficult to apply the right rules for the right security.

For how long have I used the solution?

We have used AWS WAF for around a year. 

How are customer service and technical support?

Their support is very good. We have an enterprise agreement with Amazon.

How was the initial setup?

I don't remember there being any problems with the setup.

What other advice do I have?

I think AWS WAF is a great solution. You can define big and a bit smaller architectures and scale out architecture as you need, due to the edge location. Its features are very amazing. 

I would definitely recommend AWS WAF. I asked my security director to move from our internal WAF to the AWS WAF because we can make global unique WAF services for our on-premise web servers and also our AWS web servers with one common rule and one common authority to manage these rules.

I would rate AWS WAF an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Consultant at a tech services company with 10,001+ employees
Consultant
Scales according to our requirements, but the interface needs some additional functionality
Pros and Cons
  • "The most valuable feature is the scalability because it automatically scales up or scales down as per our requirements."
  • "I would like to be able to view a graphical deployment map in the user interface that will give me an overview of the configuration and help to determine whether I have missed any steps."

What is our primary use case?

We are a technical services company and this is one of the solutions that we have helped implement for our clients. We stopped using AWS about six months ago and as such, we are not currently using the AWS Web Application Firewall.

What is most valuable?

The most valuable feature is the scalability because it automatically scales up or scales down as per our requirements.

What needs improvement?

I would like to be able to view a graphical deployment map in the user interface that will give me an overview of the configuration and help to determine whether I have missed any steps.

What do I think about the stability of the solution?

The stability is good. From our experience, I've felt very happy with all of the AWS components in terms of stability. They work fine and have met our requirements.

What do I think about the scalability of the solution?

The scalability of this solution is very good.

How are customer service and technical support?

I am really happy with the AWS customer support, although I have not needed to contact them for this solution.

Which solution did I use previously and why did I switch?

We have changed solutions because the choice of product depends on the customer's preferences and requirements. When I am working on a contract, I am required to use whatever they ask me to. If I already have the experience then I apply it. Otherwise, I learn what I need to, which sometimes involves taking training courses.

What other advice do I have?

My advice for anybody who is implementing this solution is not to simply look it up on Google before starting to use it. I would suggest taking some training courses, start to understand how it works internally, and then begin using it.

Overall, it is a good product and it generally fits well for my purposes.

I would rate this solution a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
MohammedAbourafia - PeerSpot reviewer
Manager, IT Infrastructure & Information Security at flyadeal
Real User
Provides good OWASP top 10 protection but needs improvement in security efficiency related to bad bots
Pros and Cons
  • "The security firewall plus the features that protect against database injections or scripting."
  • "For now, there is no feature to protect against attack of the bad bots."

What is our primary use case?

I'm a manager and in charge of IT infrastructure and information security for an airline company. We're a customer of AWS WAF. We use the product to protect the websites that our customers access to book flights. It provides the sites with DDoS protection and OWASP top 10 application security.

What is most valuable?

The best features are the security firewall and the features that protect against database injections or scripting, and against overall OWASP top 10, but I have concerns about the cloud front which doesn't handle bot attacks properly, so it's not as effective as I would like it to be.

What needs improvement?

A significant improvement would be built-in bot protection enhancement, or seamless integration with other products. For now, there are limited features to protect against an attack from the bad bots, so users go to third-party solutions, which just complicates integration and operation.

A helpful additional feature would be to have a fully unified unique product, including the DDoS, with sophisticated attack capabilities including anti-bot management. They should also take a look at reviewing the complexity of the integration with other third-party vendor solutions.

For how long have I used the solution?

I've been using the product for the last two years. We upgraded recently and I'm using the latest version. 

How are customer service and technical support?

Technical support is good. 

How was the initial setup?

Deployment is easy, it's not complex. The complexity is when you need it for integration with other third-party products. We also use CDN, part of the web solution from Amazon.

What's my experience with pricing, setup cost, and licensing?

The price of the product is fair enough and one of the product's advantages. Their price is good compared to other vendors. 

What other advice do I have?

The main difference with other similar products is the security efficiency against the type of attacks because normally Amazon works with certain types of attacks and is unable to deal with most of the more sophisticated new attacks that are now in the market. So if you compare AWS WAF to the leaders in the field like Imperva, Akamai or Radware, they are still beyond these products.

I would recommend that if you don't have a critical heavy use website, and you have a simple business that doesn't require high protection or high-security efficiency, go with this product, but if you have something where security is critical you should go with the leaders in the market, companies like Akamai, Radware, PerimeterX or Imperva.

I would rate this product a seven out of 10. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Head of Digital Product Office at an energy/utilities company with 10,001+ employees
Real User
An excellent solution that's extremely scalable, very stable, and has great AI functionality
Pros and Cons
  • "The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match."
  • "The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively."

What is our primary use case?

We primarily use the solution for its rich insights to improve customer experience.

What is most valuable?

The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match.

The AI functionality and the machine learning are very good.

What needs improvement?

The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively.

For how long have I used the solution?

I've been using the solution for almost a year.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

The solution is extremely scalable.

How are customer service and technical support?

We have Amazon managed services, and, as part of our agreement, we have the lower end of that managed service. The solution is not a business-critical system for us, so we have a four hour SLA for resolution. That's pretty good. We're very satisfied with technical support.

Which solution did I use previously and why did I switch?

Previous to this solution, we used Microsoft Azure.

Amazon allows you to provision more services once you have the initial platform in place. Using Amazon Marketplace, it's so simple to provide additional services and functionality so it allows you to grow the capability of the platform with very little integration into other systems because it's all built into the marketplace. With Azure, it's only capable of some products and they don't have APIs available to integrate as well as Amazon does. 

How was the initial setup?

The initial setup was straightforward. Deployment took about three months. For the setup of the platform, we had six people. For the maintenance of the platform, we now have three people maintaining it.

What about the implementation team?

We brought Amazon on to set everything up for us. They made implementation very easy. 

What other advice do I have?

We use the public cloud deployment model. We use the Amazon cloud.

From a technology perspective, Amazon is very simple. It requires, in order for it to run effectively, quite a mature cloud-based culture within your organization, however. My advice to others would be to get their operating model internally right before going ahead with the implementation.

I would rate the solution nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
AdviseIT67 - PeerSpot reviewer
Cloud Architect at Tata Consultancy Services
Real User
Top 20
A straightforward setup with a quick deployment with good auto-management features
Pros and Cons
  • "The initial setup was very straightforward. Deployment took about ten minutes or less."
  • "They should work to define more threats, add more security, and make it more compliant with more security companies."

What is our primary use case?

The primary use of the solution is for perimeter security. I use it to secure my application and infrastructure.

What is most valuable?

Fast deployment and auto-manage are the most valuable aspects of the solution. The auto-manage primarily reacts and has to do all the little things like putting in the ACL, etc. 

What needs improvement?

The solution could be faster in detecting threats.

They should work to define more threats, add more security, and make it more compliant with more security companies.

The solution could always be more automated.

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is easily scalable.

How are customer service and technical support?

I have a number for WAF, but I've never used technical support.

Which solution did I use previously and why did I switch?

I previously used a different solution. The complex setup and installation were the main differences between that and WAF. I've worked with system compliance for many years, and it usually involves complex solutions. You have to know the CLF, etc. Cisco, for example, is so complex that you need to know many things. Whereas with WAF, you have to put up your host, your network, and you have the solution up and running.

How was the initial setup?

The initial setup was very straightforward. Deployment took about ten minutes or less. You only need one person to handle deployment and maintenance.

What about the implementation team?

I implemented the solution myself.

What other advice do I have?

We use the public cloud deployment model.

I use everything AWS. I need it to work for me, and it does. I hope that the solution continues to improve, but for me, it's perfect right now.

For those considering implementing the solution, I would advise that they understand how networks work because sometimes they can be quite complex. Many architects do not understand the basic concepts of networking.

I would recommend the solution. I would rate it nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Developer at a tech services company with 1-10 employees
Real User
The customized billing is key for us

What is our primary use case?

Application security is our primary use case.

What is most valuable?

The customized billing is the most valuable feature.

What needs improvement?

In a future release of this solution, I would like to see additional management features to make things simpler.

What other advice do I have?

It's pretty good, as long as the pricing matches your budget.

I would rate AWS WAF at eight out of ten. It does everything pretty well. I would just like additional management tools.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Founder at a consultancy with 1-10 employees
Consultant
It is a one-click WAF with no effort needed, but we need more support as we go global

What is our primary use case?

The primary use case is application security.

We are using the latest version.

How has it helped my organization?

It is a one-click WAF with no effort needed.

What is most valuable?

Protection and WAF.

What needs improvement?

We need more support as we go global.

The UI could use improvement.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is Amazon. Everything is scalable. It is beyond what we need.

How are customer service and technical support?

We hardly received technical support on this product.

How was the initial setup?

It was super easy to set up. We did it with one click.

Which other solutions did I evaluate?

We chose this solution because it is cloud native Amazon.

What other advice do I have?

We have an above average security posture.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Engineer at a tech vendor with 501-1,000 employees
Real User
Integrates well with our existing AWS solution, but the UI is lacking
Pros and Cons
  • "It's simple, easy to use."
  • "The user experience, the interface, is lacking. Sometimes it's hard to find certain areas that it has alerted on."

What is our primary use case?

We use it to protect our backend services.

How has it helped my organization?

Because it integrates with the existing AWS solution, we get a lot of support without having to do much extra work. It has helped increase staff productivity and has probably saved at least one engineer, not having to have an engineer on staff for it.

What is most valuable?

  • It's simple, easy to use.
  • Integration.

What needs improvement?

The user experience, the interface, is lacking. Sometimes it's hard to find certain areas that it has alerted on. Also, more fine-tuning would be convenient.

What do I think about the stability of the solution?

We haven't had any problems with it.

What do I think about the scalability of the solution?

We haven't run into any scale issues at the moment.

How are customer service and technical support?

AWS, in general, has good support.

Which solution did I use previously and why did I switch?

We were using just the built-in Amazon intrusion detection stuff. Then we decided to go for an actual full-blown WAF. We weren't using any actual WAF before. WAF is a general solution that we knew that we needed. It's a standard security measure.

How was the initial setup?

It was relatively simple, for the integration.

What's my experience with pricing, setup cost, and licensing?

There are different scale options available for WAF.

What other advice do I have?

The integration with AWS is simple and can get you off the ground and going quickly. But you could, over time, outgrow it.

We're working on having a more mature security portfolio. This allows us to have a different tool in the belt, to measure different issues that might pop up.

I would rate the solution as a six out of ten because of its relative ease of use. However, it's not as configurable as a third-party option.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Information Security Specialist at a tech services company with 1,001-5,000 employees
Real User
Blocks threats to our external applications and has caught everything so far
Pros and Cons
  • "The most valuable feature is the way it blocks threats to external applications."
  • "In a future release I would like to see automation. There's no interaction between the applications and that makes it tedious. We have to do the preparation all over again for each of our other applications."

What is our primary use case?

It is our web application firewall.

How has it helped my organization?

We do have a lot of external applications which are exposed to the internet and WAF provides protection for them. We haven't seen a decrease in the mean time to respond to threats because it has caught everything.

The solution has also increased staff productivity by as much as 50 percent.

What is most valuable?

The most valuable feature is the way it blocks threats to external applications.

What needs improvement?

In a future release I would like to see automation. There's no interaction between the applications and that makes it tedious. We have to do the preparation all over again for each of our other applications.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We haven't had any problems with the stability at all.

What do I think about the scalability of the solution?

Up to now, the scalability has been good.

How are customer service and technical support?

I haven't had to use technical support yet.

Which solution did I use previously and why did I switch?

Our previous solution was also a WAF but it was not a scalable environment like the cloud is. Everybody is moving to the cloud. We were stuck on an appliance in our data center and we decided to move. We went with this solution because of the stability and quick response.

How was the initial setup?

The setup was a bit complex because our environment is a bit different. It was tough but it was good in the end.

What about the implementation team?

We used a consultant for the deployment and it was a great experience with them.

What's my experience with pricing, setup cost, and licensing?

There are no costs in addition to the standard licensing fees.

What other advice do I have?

My advice is "go for it, use it."

In terms of our security program's maturity, we're just beginning so we are still like a baby. But we are trying to get all the new stuff and improve altogether.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Network Analyst
Real User
Makes sure files are protected, but the solution should be more proactive in detecting threats
Pros and Cons
  • "The most valuable feature is the security, making sure that files are protected, preventing unauthorized users from accessing the system."
  • "They have to do more to improve, to innovate more features. They need to increase the security. It has to be more active in detecting threats."

What is our primary use case?

It's all about the security of the cloud system.

How has it helped my organization?

It has improved our organization a lot because before we were having problems with access management. Things have gotten better using this product. It's protecting the files. It has been the best step for us.

We are no longer having problems with unauthorized access, where somebody breaches the system or compromises documents. Nothing like that has happened over the past year that we have been using this product. We're doing well and I believe we will continue to do well with this product.

Staff productivity has been high since we started using it. It has saved 80 to 90 percent of their time in some cases.

What is most valuable?

The most valuable feature is the security, making sure that files are protected, preventing unauthorized users from accessing the system. These are the best.

What needs improvement?

I would like them to fortify the system more. In every software platform there are issues or bugs, even though presently, there aren't many known and it is running without problems.

They have to do more to improve, to innovate more features. They need to increase the security. It has to be more active in detecting threats. It's better for the system if the platform is more proactive in detecting threats immediately, so that technicians or people on the security team will know that a threat is coming in.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's stable, it's a strong system. The stability is going to be even better because they're still trying to improve on it, and they're bringing out more features.

What do I think about the scalability of the solution?

Scalability is one of the features. It has to be scalable to be able to effectively secure the system.

How are customer service and technical support?

Amazon Web Services has very good technical support. Whenever you encounter a problem you just call the support team. You'll be able to walk them through the problem and then they'll solve it.

Which solution did I use previously and why did I switch?

Our company didn't have structured security controls before this. We were encountering a lot of problems when it came to security, protection of the documents and system. They restructured the whole system. This is the platform that was recommended to us. Since we started using it, it has been great.

How was the initial setup?

The initial setup was rather complex.

What about the implementation team?

Most of the time we try to use a consultant for deployment. Our experience with them has been good. They know their jobs. They try to incorporate more features, teach us how to do things. It's a learning process and they're always there to make sure that we understand the stuff. They get things going.

What's my experience with pricing, setup cost, and licensing?

It's an annual subscription. There are no additional fees beyond the standard licensing.

What other advice do I have?

Everybody handles their own platform differently. Some people love what they have but haven't necessarily experienced anything else. This platform is a good one. If you have your own platform and you think it's better, that's fine. But get a taste of this one, try it and see how it feels in terms of security.

Security has always been a problem and it will always be a problem. There's no security platform or software that is 100 percent. We don't know when a Zero-day will happen. Hackers are everywhere, they are creating things and innovating every day. As far as I am concerned right now, the platform is good. It's doing its job.

I rate the solution at six out of ten. I don't want to give them 100 percent because sometimes things happen.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user