AWS WAF Reviews

I use AWS WAF to protect web applications and web traffic. It handles application input and throughput - typical web application firewall tasks.

We integrate AWS WAF with several platforms within cloud hosting and other security solutions and provisions in our business. Regarding AI, it's been around for about 20 years, so it's not new. It's just a new buzzword. I've been in security for 30 years and remember using AI when I started 25-30 years ago. We have multiple forms of AI within our business.

We're considering replacing it shortly, so I've looked at alternatives like Aqua and others.

I'd like to see improvements in its usability and functionality. I'm also concerned about being too dependent on the cloud provider's WAF version. For security, using multiple vendors and not putting all our eggs in one basket is better.

The functionality I'd like to see improved is mainly around the applications and cloud integration elements.

I have been working with the product for three years. 

We haven't encountered any stability issues. 

The solution is scalable and my company has 30,000 users. 

The solution's support is quite good and fair.

I see several pros and cons when I compare AWS WAF to other WAF products. The main advantages are that the AWS Firewall functionality integrates well, it's easy to deploy and select, and the implementation is straightforward. The integration with AWS is also very good. However, the main drawback is that while it works well in the AWS environment, it doesn't necessarily work as well for other cloud or on-premise setups.

The initial setup of the AWS WAF solution always has complexities, regardless of which solution you choose. Our organization is multi-tenant, multi-hosted, multi-cloud, multi-located, and international, so we always face challenges during implementation. No matter how good the product is, there will always be challenges.

For implementation, we usually follow a TOGAF model for project planning. Sometimes, we use a waterfall approach, but we stick to TOGAF mostly. Some parts of the business use Agile, but I don't typically use Agile for WAFs.

From a maintenance perspective, AWS WAF isn't any more difficult to maintain than other solutions. I've had experience with nearly all the WAFs out there, and they're all pretty much the same in terms of maintenance, regardless of the service provider.

I rate the overall solution a six out of ten. 

AWS WAF is primarily used to prevent intrusion into web applications. You can also use it to protect virtual machines within the AWS cloud. The main process involves creating rules to block common threats like SQL injection and cross-site scripting. These rules can be selected from built-in options. After configuring the firewall settings, you create a target group and attach your web application to it. The firewall filters incoming traffic based on the selected rules, blocking any suspicious activity.

The most valuable feature of AWS WAF is its highly configurable rules system. You can set up rules based on specific criteria like SQL injection, general web threats, and even advanced features like DDoS protection and region-based blocking. The richness of available rules, including options for custom rule configurations from third-party partners, enhances its effectiveness.

One area for improvement in AWS WAF could be the limitation on the number of rules, particularly those from third-party sources, within the free tier. Users may face budget constraints when trying to implement additional rules beyond the free tier limit.

AWS WAF is stable, but I haven't tested it extensively with high request volumes.

In our IT organization, the usage of AWS varies by project, with approximately 50-60% of projects using AWS or Cloudflare. For our internal websites like BroadWorks.com, we use Cloudflare, while for client projects, about 60-70% make use of AWS WAF.

Setting up AWS WAF for initial installation was relatively straightforward, even for someone without extensive DevOps experience like myself. While it wasn't overly complex, it also wasn't overly simple. With the help of AWS documentation and resources, I was able to complete the setup within two to three days.

Whether AWS WAF is worth the monthly investment of $50 to $60 depends on your budget and preferences. While AWS WAF offers robust features, there are also free tools available like ModSecurity that require more configuration but can still provide adequate protection.

While AWS is a top choice, Cloudflare is also considered for smaller projects due to pricing. Overall, AWS WAF offers reasonable features compared to competitors like Cloudflare, GCP, and Azure.

Before using AWS WAF for the first time, it is important to consider where your infrastructure is hosted and where you want to implement the firewall. If you are already on AWS, AWS WAF would naturally be a suitable choice. Determine the level of security required based on your application's domain, such as financial applications needing more stringent security measures. Select appropriate rules for your use case, considering both conventional web rules and AWS Shield for critical applications. Additionally, after setting up AWS WAF, conduct thorough testing using vulnerability scanners like ThoughtSpot, Acunetix, or Nessus to ensure the effectiveness of your setup.

For beginners with around six months to a year of AWS experience, learning to use AWS WAF shouldn't be too difficult. However, integrating it with web applications across different cloud platforms might pose some challenges. Overall, experienced AWS users should find it manageable, while beginners may need some time to get used to it.

Overall, I would rate AWS WAF as a seven out of ten.

We use Managed Rules mostly.

ALB is integrated with WAF. When ALB spikes up, we know there’s something wrong. Usually, bots attack the applications.

Rule groups are valuable. We use it for DDoS. We do customizations with the help of Managed Rules in AWS. We use AWS WAF’s API to automate security tasks. The rule creation is similar to automation. We have enough understanding of how things work. It’s been one year since we have automated the tasks.

There are some limitations. We can add a maximum of four rate-based rules to the rule group. We must monitor and clean up the WAF manually. We cannot create rules if it goes above four. It requires manual intervention. We have to check, clean, and maintain it regularly. We do not want to do it. We are willing to pay extra if it can be improved. We need additional features so we do not have to do manual interventions.

I have been using the solution for three years.

We do not have any problems with the tool’s functionalities.

We are very happy about the product’s scalability. We did not face any issues. My organization is an enterprise.

We have a partnership. We can contact the consultants whenever we need anything. We don't have any problem with the support team.

Positive

The installation was not difficult. We have a separate team to deploy the solution in our organization. We do not face any issues with maintenance.

All our infrastructure is on AWS. My organization has been using AWS for the last eight years. Mid-size companies use ALB. We also use AWS Shield. Sometimes, we get alerts from AWS Shield. Our internal tools also send us alerts. We're completely on AWS. We do not integrate it with any other tool. Overall, I rate the product an eight out of ten.

If I have hosted your web applications or web services on AWS, and if you need a segregation in terms of different aspects, like at a country level or area level, especially when your website is not reachable for a particular country or a particular area, then you need to implement WAF on top of the public network. If WAF actually works on top of the network to manage each request at a global level, WAF is the first layer that handles the internet's every request, and depending on your choice, you can either accept or deny such requests.

Currently, most organizations face security challenges, and with the rise in hacking in every sector, like healthcare, IT, manufacturing, or infrastructure sector that we're talking about. You have to at least implement WAF on top of your network as well as the local network so that it filters every network traffic that comes in from any country. In our company, Fortinet WAF is what we use on top of the network as an anonymous network, and within the network, we use F5.

Due to security concerns or reasons, I recommend others to use AWS WAF and control the requests from multiple countries from a hacking point of view.

The area of reporting in the product needs to have a proper format. If you want to find the event log for an event and IP address from another country, there is a need to do some rework after the reporting part is taken care of so that the management can easily read the reports. A technical person in the organization can always understand where a particular network traffic comes in or where traffic is blocked with the help of WAF, but those in the management department would never understand the concepts that a technical person can understand. The reporting part of AWS WAF needs to be improved.

I have been using AWS WAF for five years.

It is a stable solution. Stability-wise, I rate the solution a ten out of ten.

It is an easily scalable solution. Scalability-wise, I rate the solution a ten out of ten.

More than 2,000 to 2,500 employees in my company use the solution.

The solution's technical support's response time and quality are very good. I rate the technical support a ten out of ten.

Positive

The product's initial setup phase was very simple.

The solution is deployed on the hybrid cloud model.

The product is deployed in a virtual environment and not in a physical one.

I rate the product price a five on a scale of one to ten, where one is high price, and ten is low price. I recommend people check for the services that run in the AWS WAF account. Each service that uses AWS will need the user to pay for some costs. Most of the people who use the solution are not able to understand the number of services that are running in the product. Even though there is a feature to help understand top-level management, people fail to figure out the number of services that are running in the product.

Compared to AWS WAF, Fortinet is easy to use and deploy. From a technical point of view, Fortinet is easy to implement and handle. I recommend Fortinet over AWS WAF to others.

I recommend Fortinet, as it is one of the best products, be it the virtual firewalls or the on-premises setup. If one wants to look for the on-premises setup, one must buy the hardware box.

I rate the overall tool a ten out of ten.

When customers onboard a web application and want a WAF to protect it, they ask us to configure AWS WAF for them.

AWS WAF is very easy to use and configure on AWS. It is easy to make rules and very fast to set it up on AWS.

AWS WAF provides only basic protection, and they should provide more features like other third-party competitors. The world is now moving towards managed services. It would be good if the solution provided managed WAF services. If AWS WAF could detect that some attack is about to happen and alert the user, we can write some rules and stop that from happening.

I have been using AWS WAF for five years.

We have never faced any stability issues with AWS WAF.

I rate AWS WAF ten out of ten for stability.

AWS WAF is more suited for small and medium businesses.

I rate AWS WAF a nine out of ten for scalability.

The solution’s initial setup is simple.

AWS WAF has reasonable pricing.

Third-party competitors like F5 and Imperva have more features than AWS WAF.

Overall, I rate AWS WAF a nine out of ten.

We use the solution to secure our public web server and run our document management process. We have service-oriented web servers and interactive web servers.

Custom rules are valuable to us. We have country-specific rules that we apply. The solution meets all our requirements. We never had a problem with the tool. The interface is good. We never had downtime. The solution does its job.

The price could be improved.

I have been using the solution for more than two years.

The tool is highly stable.

The tool is highly scalable. Almost all AWS products are highly scalable. I am the only user in my organization. The solution is running regularly. We check the logs whenever we have some issues. We do not include it in our security management system. It's a very small application. We use it to manage some documents.

The initial setup is easy. The deployment took an hour. The setup and maintenance is easy. We do not face any issues with configuration.

We deployed the solution in-house.

The solution is reasonably priced.

We never had DDoS attacks. We do not check logs deeply. The service is a very small portion of our application server. It is not a business-critical service. We check logs only when we have any performance or connectivity issues. Overall, I rate the product a nine out of ten.

We use the product to protect the environment from DDoS and SQL injection attacks. We implement WAF in the public site.

WAF filters based on IPs. If hackers try to insert bugs, the tool blocks it.

Google uses an AI tool to provide insights about rules. It will be helpful if the product recommends rules that we can implement.

I have been using the solution for six years.

The tool is stable.

AWS takes care of the product's scalability, security, and performance. We do not have to maintain it.

Google’s console is minimalistic. It provides AI tools that help us create rules.

The deployment is very easy. It takes around five minutes. WAF plays an important role in the network. We need to implement WAF in the first level of security. We can implement it with the help of a console. We need one person to deploy the tool.

We pay $0.8 per hour. The product’s pricing is reasonable.

When we faced a DDoS attack before, we were not able to find the logs to identify the source of the attack. People who want to use the solution must have a basic knowledge about different attacks. Using the solution is easier if we know how the attacks happen. Overall, I rate the product a ten out of ten.

Our company uses the solution with F5 to secure applications from the injection, the track, and vulnerabilities. 

We use the built-in solution provided by SGO for the web. 

The web solution effectively protects from vulnerabilities and cyber attacks. 

The solution is menu driven and operates with no coding.

It is easy to manage and use the solution. 

The solution should identify why it blocks particular websites. The solution performs high-level blocks but doesn't provide very much detail. For example, a particular IT is blocked due to a vulnerability but we are not able to identify the reason for the block. Our developers or IT staff need to be able to identify vulnerabilities to fix applications. 

We would like output that tracks how many concurrent requests come through a particular application gateway, the response times for requests, and the latency parameters. 

I have been using the solution for two years. 

The solution is very stable so I rate stability a ten out of ten. 

The setup is easy so I rate it a nine out of ten. 

We implemented through a third party and it only took a few minutes. 

The pricing is good and manageable. I rate pricing a ten out of ten. 

I recommend the solution for protecting web applications. 

I rate the solution a ten out of ten.