Aravind D - PeerSpot reviewer
Senior Cloud Engineer at ASSA ABLOY Group
Real User
Top 5
A stable and reasonably priced solution that protects organizations from hackers and other security threats
Pros and Cons
  • "If hackers try to insert bugs, the tool blocks it."
  • "It will be helpful if the product recommends rules that we can implement."

What is our primary use case?

We use the product to protect the environment from DDoS and SQL injection attacks. We implement WAF in the public site.

What is most valuable?

WAF filters based on IPs. If hackers try to insert bugs, the tool blocks it.

What needs improvement?

Google uses an AI tool to provide insights about rules. It will be helpful if the product recommends rules that we can implement.

For how long have I used the solution?

I have been using the solution for six years.

Buyer's Guide
AWS WAF
December 2024
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

The tool is stable.

What do I think about the scalability of the solution?

AWS takes care of the product's scalability, security, and performance. We do not have to maintain it.

Which solution did I use previously and why did I switch?

Google’s console is minimalistic. It provides AI tools that help us create rules.

How was the initial setup?

The deployment is very easy. It takes around five minutes. WAF plays an important role in the network. We need to implement WAF in the first level of security. We can implement it with the help of a console. We need one person to deploy the tool.

What's my experience with pricing, setup cost, and licensing?

We pay $0.8 per hour. The product’s pricing is reasonable.

What other advice do I have?

When we faced a DDoS attack before, we were not able to find the logs to identify the source of the attack. People who want to use the solution must have a basic knowledge about different attacks. Using the solution is easier if we know how the attacks happen. Overall, I rate the product a ten out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager - Cyber Security and SOC at Continental Tire
Real User
Top 20
The product is stable, scalable, and easy to deploy, but the default content policy of the tool is not very strong
Pros and Cons
  • "The ease of deployment of the product is valuable to me."
  • "The default content policy available in the tool is not very strong compared to the competitors."

What is our primary use case?

The solution protects my customers’ web applications hosted in AWS.

What is most valuable?

The ease of deployment of the product is valuable to me. AWS WAF might be one of the easiest WAFs that can be deployed. The only constraint is that our application must be running in AWS.

What needs improvement?

The default content policy available in the tool is not very strong compared to the competitors. Most of the WAFs will have a default set of policies and rules that we need to enable, which will satisfy our requirements. However, for AWS, we must put some time and effort into creating our content policy to get optimal protection.

For how long have I used the solution?

I have been providing the solution for a year or more.

What do I think about the stability of the solution?

The product is stable. I have no complaints. I rate the stability a nine out of ten.

What do I think about the scalability of the solution?

The product is scalable. I rate the scalability a nine out of ten.

How are customer service and support?

The technical support is good. I have no complaints. The support team is fast, knowledgeable, and customer-friendly.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. It takes merely half an hour or less to deploy the solution. The solution is deployed on the cloud.

What about the implementation team?

Whether we need a consultant to help with the deployment depends on our knowledge of the cloud platform and our applications. It is a complex solution. We can do it ourselves if we know about WAFs, rule sets, and deployments. It is not a solution for a novice or someone unfamiliar with the security and application firewall. Such people might need the help of an administrator or consultant. We deployed the solution ourselves.

What's my experience with pricing, setup cost, and licensing?

Depending on how our AWS billing is configured, we are billed on a monthly or yearly billing cycle. The product is moderately priced. It is not too cheap but not too high either. There are no additional costs associated with the product.

What other advice do I have?

I would recommend the solution to others. If a web application is completely hosted in AWS, then AWS WAF is a good choice. We can easily adopt it. Overall, I rate the solution a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Aravindhan Suresh - PeerSpot reviewer
DevOps Engineer at Hippo Video
Real User
Top 5
It is user-friendly and has documentation on how to use it; it is stable and has a simple setup
Pros and Cons
  • "What I like best about AWS WAF is that it's a simple tool, so I could understand the basics of AWS WAF in two to three hours."
  • "AWS WAF would be better if it uses AI or machine learning to detect a potential attack or a potential IP that creates an attack even before it happens. I want AWS WAF to capture the IP and automatically write the rule to automate the entire process."

What is our primary use case?

We faced many potential threats, such as hackers flooding in the requests, so we started using AWS WAF to block those IPs and stop those attacks. If multiple IPs are trying to attack our product, we'll also use AWS WAF by selecting the endpoints the hackers were attacking and then blocking those endpoints. Our cybersecurity team primarily uses AWS WAF.

What is most valuable?

What I like best about AWS WAF is that it's a simple tool, so I could understand the basics of AWS WAF in two to three hours. From the start, I know its purpose and its use case.

AWS WAF also has documentation. It's a user-friendly tool, and it's easy to know how to block the IPs and endpoints.

What needs improvement?

AWS WAF would be better if it uses AI or machine learning to detect a potential attack or a potential IP that creates an attack even before it happens. I want AWS WAF to capture the IP and automatically write the rule to automate the entire process. I want an AI feature in AWS WAF in the future.

For how long have I used the solution?

I only saw how AWS WAF works for seven months when the cybersecurity team used it, so my knowledge of the tool is basic. I'm not an expert on AWS WAF.

What do I think about the stability of the solution?

AWS WAF is a stable product.

How are customer service and support?

I have yet to contact the AWS WAF technical support.

Which solution did I use previously and why did I switch?

As the company is an Amazon customer, the company looked into what other Amazon services could prevent the attack and came across AWS WAF when the attack happened. The tool was also easy to use and could prevent attacks and safeguard the company's product, so the company decided to use AWS WAF.

How was the initial setup?

The initial setup for AWS WAF was simple. It was a basic setup process, though I have no idea about deployment time.

What's my experience with pricing, setup cost, and licensing?

AWS WAF costs $5 monthly plus $1 for the rule. It's cheap, cost-wise. It's worth the money.

What other advice do I have?

AWS WAF has three users within the company.

If I were to advise you on using AWS WAF, I'd tell you first to understand how the attack is happening. For example, is it a single server attack or multiple servers or regions? It would be best to find out which target is being attacked. You need to know the basics before using AWS WAF. You also need to know the rules. You need to understand how to secure your endpoints. Users should have a basic understanding of AWS WAF and its purposes before using it. You need basic cybersecurity knowledge.

I'm new to cybersecurity, so AWS WAF is the first cybersecurity product I used and based on my experience and usage, it's a ten out of ten. AWS WAF is a user-friendly, on-point tool, and I could understand it easily.

My company is an Amazon customer.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
OCI/AWS Consultant at a government with 11-50 employees
Real User
Top 5
Leaderboard
Straightforward to set up but expensive and could be more efficient
Pros and Cons
  • "AWS WAF acts as a barrier, analyzing HTTP communications between external users and web applications."
  • "There is a lot of innovation talk, however, implementation might be lacking."

What is our primary use case?

AWS WAF is a firewall that protects web applications by filtering and monitoring HTTP traffic between web applications and the network. I use it for protecting infrastructure that has sensitive data, including personal identification information like Social Security numbers. AWS WAF promotes the security of this data by preventing leakage.

How has it helped my organization?

AWS WAF helps to protect sensitive data and customer records.

What is most valuable?

AWS WAF acts as a barrier, analyzing HTTP communications between external users and web applications. It gives flexibility in HTTP communication, which is a feature I like.

What needs improvement?

AWS doesn't need improvement with AWS WAF. However, there may be room for improvement in RDS services and EKS services. The purpose of AWS WAF is clear: whether it allows or blocks connections, its goal is to ensure the safety and security of private subnets.

For how long have I used the solution?

AWS WAF has been used for almost five years, starting with a proof of concept in 2019.

What do I think about the stability of the solution?

AWS WAF is stable. There have not been significant issues, and it functions like a firewall.

What do I think about the scalability of the solution?

AWS is questioned for how much scalability can be achieved in terms of vCPUs and handling capacity, yet AWS WAF itself handles the configurations well.

How are customer service and support?

Amazon's support is mixed. Technically knowledgeable people are part of the support team. That said, there are promises made, especially during sales pitches, that often don't match reality. There is a lot of innovation talk, yet implementation might be lacking.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

A proof of concept was done with AWS and Oracle Cloud Infrastructure (OCI), even though OCI offered better efficiency and cost benefits.

How was the initial setup?

Setting up AWS WAF is straightforward; you create a subnet VPC and attach it, which is simple.

What's my experience with pricing, setup cost, and licensing?

For Kubernetes microservices, AWS is more expensive compared to OCI. AWS costs approximately 70 cents per hour, while OCI is 50% cheaper. AWS pricing perspective is considered expensive, especially for Kubernetes and RDS. OCI offers lower costs with better efficiency.

Which other solutions did I evaluate?

Oracle Cloud Infrastructure (OCI) was evaluated alongside AWS, and while OCI was preferred for efficiency and cost benefits, AWS was selected due to governmental requirements.

What other advice do I have?

Technological understanding is crucial for AWS products like AWS WAF. This understanding separates out the simple setup process from understanding the underlying complex mechanisms.

I'd rate the solution four out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Group IT Manager at Civcns
Real User
Top 5
A highly stable product that provides a good interface and is easy to configure
Pros and Cons
  • "The interface is good."
  • "The price could be improved."

What is our primary use case?

We use the solution to secure our public web server and run our document management process. We have service-oriented web servers and interactive web servers.

What is most valuable?

Custom rules are valuable to us. We have country-specific rules that we apply. The solution meets all our requirements. We never had a problem with the tool. The interface is good. We never had downtime. The solution does its job.

What needs improvement?

The price could be improved.

For how long have I used the solution?

I have been using the solution for more than two years.

What do I think about the stability of the solution?

The tool is highly stable.

What do I think about the scalability of the solution?

The tool is highly scalable. Almost all AWS products are highly scalable. I am the only user in my organization. The solution is running regularly. We check the logs whenever we have some issues. We do not include it in our security management system. It's a very small application. We use it to manage some documents.

How was the initial setup?

The initial setup is easy. The deployment took an hour. The setup and maintenance are easy. We do not face any issues with configuration.

What about the implementation team?

We deployed the solution in-house.

What's my experience with pricing, setup cost, and licensing?

The solution is reasonably priced.

What other advice do I have?

We never had DDoS attacks. We do not check logs deeply. The service is a very small portion of our application server. It is not a business-critical service. We check logs only when we have any performance or connectivity issues. Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Kavin Kalaiarasu - PeerSpot reviewer
Security Analyst at M2P Fintech
Real User
A user-friendly web application firewall with a useful integration feature, but it could be more flexible
Pros and Cons
  • "I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through."
  • "It would be better if AWS WAF were more flexible. For example, if you take a third-party WAF like Imperva, they maintain the rule set, and these rule sets are constantly updated. They push security insights or new rules into the firewall. However, when it comes to AWS, it has a standard set of rules, and only those sets of rules in the application firewalls trigger alerts, block, and manage traffic. Alternative WAFs have something like bot mitigation or bot control within the WAF, but you don't have such things in AWS WAF. I will say there could have been better bot mitigation plans, there could have been better dealer mitigation plans, and there could be better-updated rule sets for every security issue which arises in web applications. In the next release, I would like to see if AWS WAF could take on DDoS protection within itself rather than being in a stand-alone solution like AWS Shield. I would also like a solution like a bot mitigation."

What is our primary use case?

We partner with many banks in India, and many partners use our portals to access their credit card or debit card information. So we use AWS WAF to protect our web application servers, app servers, and API servers from any malicious attacks which arise from the public internet. We also use AWS WAF for virtual patching of our servers to prevent any malicious requests from reaching the gateway to our internal systems.

What is most valuable?

I believe the most impressive features are integration and ease of use. The best part of AWS WAF is the cloud-native WAF integration. There aren't any hidden deployments or hidden infrastructure which we have to maintain to have AWS WAF. AWS maintains everything; all we have to do is click the button, and WAF will be activated. Any packet coming through the internet will be filtered through. 

What needs improvement?

It would be better if AWS WAF were more flexible. For example, if you take a third-party WAF like Imperva, they maintain the rule set, and these rule sets are constantly updated. They push security insights or new rules into the firewall. However, when it comes to AWS, it has a standard set of rules, and only those sets of rules in the application firewalls trigger alerts, block, and manage traffic.

Alternative WAFs have something like bot mitigation or bot control within the WAF, but you don't have such things in AWS WAF. I will say there could have been better bot mitigation plans, there could have been better dealer mitigation plans, and there could be better-updated rule sets for every security issue which arises in web applications.

In the next release, I would like to see if AWS WAF could take on DDoS protection within itself rather than being in a stand-alone solution like AWS Shield. I would also like a solution like a bot mitigation.

For how long have I used the solution?

I have been using AWS WAF for a couple of years.

What do I think about the stability of the solution?

We haven't faced any issues over the past couple of years, so I believe AWS WAF is a stable product.

What do I think about the scalability of the solution?

Since we are AWS-native, it's very scalable. It can handle almost any infrastructure running within the AWS public cloud. We have around 20 portals, and about 20 products usually use AWS WAF. I'll say that about 15 people use AWS WAF to manage the traffic and filter out security issues. Those people are security analysts, SOC analysts, and layer 1 network analysts.

How are customer service and support?

In our business use case, sometimes it has triggered a false positive where it blocks some of our legitimate traffic. So we contact support to ask if this is legitimate and if we have to implement a new rule or if we have to allow such traffic and not mark it as a false positive. We have contacted them only for such occasions, and their support was really good.

On a scale from one to five, I would give technical support a four.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup was very simple. It's just a click of a button.

What about the implementation team?

We already have web applications running on an AWS account, so it probably took about two minutes to implement this solution.

What's my experience with pricing, setup cost, and licensing?

For our infrastructure, we probably pay around $16,000 per month for AWS WAF. Because alternative WAF solutions provide even more features, I think the AWS WAF is a bit pricey.

What other advice do I have?

I would say that I think it's easy to use, easy to deploy, and has all the basic WAF features. It has no advanced features like bot mitigation or DDoS protection built-in. If it had bot mitigation or advanced security filter patching features, I would probably give it a higher rating, like a nine.

On a scale from one to ten, I would give AWS WAF a seven.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Adrian Milea - PeerSpot reviewer
Raiffeisen at Raiffeisen Bank Romania
Real User
Easy to deploy, implement, and manage
Pros and Cons
  • "The agility is great for us in terms of cloud services in general."
  • "For uniformity, AWS has a well-accepted framework. However, it'll be better for us if we could have some more documented guidelines on how the specific business should be structured and the roles that the cloud recommends."

What is our primary use case?

We primarily use the solution for load balancing. 

We have some microsites exposed through the AWS cloud. These are some sort of pilot and we are using WAF to learn how this new product fits with us, and are mostly in the testing phase with a limited impact application. We are obviously not migrating core applications or those which have a significant impact on availability or on integrity and confidentiality. Mostly we have it on microsites where we don't see a significant risk, and it is more of a learning exercise for us.

What is most valuable?

The most important aspect for us is that AWS WAF is easy to deploy. The ease of implementation, ease of management, and flexibility are great. We like the potential for pay as you grow as you have instant deployment, infrastructure as a code, or any other automation tools that can leverage these deployments. The most important thing for us is that it stays flexible and scalable. That is true not only with WAF but with all the cloud services where you can provision any product in minutes. 

With the cloud, you have these integrated tools that provide a single glass pane. 

You have automation, ease of export, or ease of seeing the logs and exporting to a SIEM; these aspects are also great. The agility is great for us in terms of cloud services in general.

Usually, if we're talking about standard WAF, this is easy to deploy and is good at protecting low to medium applications.

What needs improvement?

As of now, regarding WAF, I'm not sure what the minuses or pluses are. You have the native WAF, which you can deploy directly on the load balancer. However, you also have that store where you can actually deploy some other vendors' specifics. At this point, feature-wise, I don't see anything lacking, more or less. Obviously, if we want to migrate, which is not yet the case, there might be a significant impact.

For uniformity, AWS has a well-accepted framework. However, it'll be better for us if we could have some more documented guidelines on how the specific business should be structured and the roles that the cloud recommends. If every company is building its own framework based on their experience or their past experience, this might be subjective, and it'll end up with each company having its own framework, which can be good. However, it'll be better to have a standardized baseline that every company could build on. 

For how long have I used the solution?

We've been using the solution for more than a year at this point. 

What do I think about the stability of the solution?

You have multiple availability zones and regions. The availability or durability is not something that we need to concern ourselves with very much here. Regarding the availability, I don't think this is something that the average company could match. They have a lot of availability zones, redundancy, and all the other things like that.

What do I think about the scalability of the solution?

It's scalable. Mostly, what I would look into is having cloud resiliency in the sense that we want multiple vendors, so if something happens with AWS, you'll need some sort of strategy and you'll need some other vendor to provide you with similar services. 

We have a number of users per application. It's hard to quantify how many users are on the solution in general. 

How are customer service and support?

For us, it's a bit of a different model where we have services provided by one central team or central entity. The others will have some sort of hub and spoke with the central entity providing or re-providing services to the other network units. The relationship with AWS is maintained by our central unit, and we somehow take services from the central unit and customize them per our needs. However, if we have some issues, this will be raised by the group. Issues may be resolved by AWS or an SME that works with us. 

How was the initial setup?

In terms of the initial setup, from what I heard, it initially being a new technology, you want to deploy it in a correct manner. Therefore, it will need more diligence in the first deployment as security is not something you can learn and adjust. You need to make it right from day one in order to avoid breaches. However, after that, with infrastructure as a code and the automatic deployment, it's easier. You just create your setup, and you use the rules and go. You have network access to a security group, which provides you with very general filtering for problematic traffic. 

From my experience, the cloud provides everything we need; however, we still lack the knowledge and framework in terms of who is doing what, et cetera.

It's quite different between on-premise and cloud. In the cloud, DevOps is doing a lot of things. On-premise, you have someone from infrastructure, someone installing the OS, and someone doing the vulnerability and patch management.

Depending on how you deploy, the activities need to be revised. You need to have this framework to work in the cloud, and it's more of a challenge in company philosophy rather than technical capabilities. Companies can find it challenging to migrate to new tools. Sometimes existing teams need to be re-educated. 

We have multiple applications, so usually, it takes a while to refine the framework with the responsibility inside the company. It's to be optimized. However, in terms of actual deployment, security-wise, it takes some time to do the security checks, including the scanning and vulnerability asset inventory. It might take two or three months per application.

What other advice do I have?

I definitely recommend not only AWS. I also recommend Azure as an option. We have the integration with Office and the entire portfolio. The cloud, in general, it's a new thing to consider. For example, you have this GDPR with data in Europe. However, in the case of most of the clouds, you can select your regions and you have some control. 

I'd rate the solution nine out of ten. 

There is a huge number of products. I'm not saying it's a bad or a good thing. However, it can be quite confusing. There are VPC, EC2, and other instances, and there are a lot of other services that you can use like Macie, where you can filter sensitive information. There are a lot of tools that require hands-on and new capabilities. For me, being at the beginning of this journey for cloud migration, I've been mostly quite happy with the results.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Head of Digital Product Office at an energy/utilities company with 10,001+ employees
Real User
An excellent solution that's extremely scalable, very stable, and has great AI functionality
Pros and Cons
  • "The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match."
  • "The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively."

What is our primary use case?

We primarily use the solution for its rich insights to improve customer experience.

What is most valuable?

The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match.

The AI functionality and the machine learning are very good.

What needs improvement?

The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively.

For how long have I used the solution?

I've been using the solution for almost a year.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

The solution is extremely scalable.

How are customer service and technical support?

We have Amazon managed services, and, as part of our agreement, we have the lower end of that managed service. The solution is not a business-critical system for us, so we have a four hour SLA for resolution. That's pretty good. We're very satisfied with technical support.

Which solution did I use previously and why did I switch?

Previous to this solution, we used Microsoft Azure.

Amazon allows you to provision more services once you have the initial platform in place. Using Amazon Marketplace, it's so simple to provide additional services and functionality so it allows you to grow the capability of the platform with very little integration into other systems because it's all built into the marketplace. With Azure, it's only capable of some products and they don't have APIs available to integrate as well as Amazon does. 

How was the initial setup?

The initial setup was straightforward. Deployment took about three months. For the setup of the platform, we had six people. For the maintenance of the platform, we now have three people maintaining it.

What about the implementation team?

We brought Amazon on to set everything up for us. They made implementation very easy. 

What other advice do I have?

We use the public cloud deployment model. We use the Amazon cloud.

From a technology perspective, Amazon is very simple. It requires, in order for it to run effectively, quite a mature cloud-based culture within your organization, however. My advice to others would be to get their operating model internally right before going ahead with the implementation.

I would rate the solution nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user