I have not compared AWS WAF with any other WAF solution yet, but whatever WAF you choose, there will always be challenges, and it cannot block all malicious traffic. For AWS WAF, we have seen cases where it allowed suspicious HTTPS headers even if they carried malicious payloads. However, the malicious payloads are not straightforward, and there are assembly scripts that come with the HTTP headers that sometimes AWS WAF misses. In the last four or five years, we have seen a case where WAF was unable to capture a threat. On the other hand, we also see alerts from WAF indicating that it has figured out many DDoS protection alerts and was able to block them, even with rate limiting. Rule-based WAF works perfectly fine, but I don't think any threat intelligence-based WAF solutions can be 100% accurate. The integration with AWS Organizations and enforcement of security policies, particularly SCP, is difficult to deploy in most of my companies due to client environments. When I say difficult, it depends on the client's organization processes, not AWS itself. The SCP feature is excellent in my view and is the best way to reduce the attack surface for organizations structured in a specific manner. While we have used it internally, limited features of SCPs can be utilized by customers. Regarding automating security policy deployment, we have utilized automated security policy features, but it is difficult in some instances. We have identified what has been identified, but enabling automated SCP policies can be restrictive, which is actually good but makes it hard to implement for all organizations. Automating security policy features could understand the customer's environment better. An AI- or ML-enabled automated SCP could be a better option since it can understand the actions of administrators or developers in the customer's organization within the AWS platform, providing more in-depth automated assessments and SCP features. I rate this solution 8 out of 10.
