When customers onboard a web application and want a WAF to protect it, they ask us to configure AWS WAF for them.
Director at AM Equipment & Services Private Limited
An easy-to-use and easy-to-configure solution that provides high stability
Pros and Cons
- "AWS WAF is very easy to use and configure on AWS."
- "It would be good if the solution provided managed WAF services."
What is our primary use case?
What is most valuable?
AWS WAF is very easy to use and configure on AWS. It is easy to make rules and very fast to set it up on AWS.
What needs improvement?
AWS WAF provides only basic protection, and they should provide more features like other third-party competitors. The world is now moving towards managed services. It would be good if the solution provided managed WAF services. If AWS WAF could detect that some attack is about to happen and alert the user, we can write some rules and stop that from happening.
For how long have I used the solution?
I have been using AWS WAF for five years.
Buyer's Guide
AWS WAF
February 2025
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
832,138 professionals have used our research since 2012.
What do I think about the stability of the solution?
We have never faced any stability issues with AWS WAF.
I rate AWS WAF ten out of ten for stability.
What do I think about the scalability of the solution?
AWS WAF is more suited for small and medium businesses.
I rate AWS WAF a nine out of ten for scalability.
How was the initial setup?
The solution’s initial setup is simple.
What's my experience with pricing, setup cost, and licensing?
AWS WAF has reasonable pricing.
Which other solutions did I evaluate?
Third-party competitors like F5 and Imperva have more features than AWS WAF.
What other advice do I have?
Overall, I rate AWS WAF a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
DevOps Engineer at SEKAI
Easy to configure and stable solution
Pros and Cons
- "The most valuable feature is that it is very easy to configure. It just takes a couple of minutes."
- "There is room for improvement in pricing."
What is our primary use case?
For AWS WAF, currently, we use this new application. This is another service provided by AWS for the sales business, and it's used for education. So, AWS WAF works in conjunction with AWS Cognito. We observe this when there's some kind of bot attempting to access our application or when you're trying to use a bot as a control mechanism to transcribe or manage a high volume of traffic through our endpoints.
AWS WAF manages both human traffic and bot-controlled traffic, and it can redirect you to a catch-up mechanism or sometimes simply for use. So, we've implemented different kinds of mechanisms within AWS WAF.
How has it helped my organization?
We use it in the production environment. From time to time, we can see the metrics for the generated traffic on both the WAF and the infrastructure
These metrics are presented on the dashboard. We review this information and conclude that regular monitoring, along with dashboard evaluations, reaffirms the effectiveness of the system. This allows us to ensure that the investment we're making is justified and worthwhile.
What is most valuable?
The most valuable feature is that it is very easy to configure. It just takes a couple of minutes.
What needs improvement?
There is room for improvement in pricing.
The pricing for each rule group is a bit too high. It's a monthly subscription, and it can get quite expensive for rules that I won't use for my application. For example, I might create a rule group that costs $10, and I only use one of the rules in the group. That's $10 for a rule that I'm not even using! So, the pricing could be more flexible, or there could be a way to get discounts for unused rules.
So, AWS WAF should have a pay-as-you-go pricing model, where I can only pay for the rules that I use.
For how long have I used the solution?
I have been using this solution for three years.
What do I think about the stability of the solution?
It is a stable solution to some extent.
What do I think about the scalability of the solution?
For my use cases, it is a scalable solution. There are less than 2,000 end users using this solution in our organization.
How are customer service and support?
I reached out to support when I was setting it up initially, I had some questions. And we have some kind of first-line support with AWS. So I reached out to them whenever I had questions.
However, the support depends on the support we are paying for. The support we are paying for is cheap support. I'm on the standard support plan, so my SLA is four hours. There's a phone queue, so I can't always get through right away. But the support engineers are knowledgeable and can usually point me in the right direction.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup is fairly easy. AWS does everything for us—just some clicks.
What about the implementation team?
There is no maintenance required. AWS also upgrades new offerings. AWS does all these things. Like, it does why it's very expensive. And they give us the metrics.
What other advice do I have?
Just evaluate these simple things you need. And don't try to put too many features at the beginning because you might not need them. Every application is designed differently.
Every business and customer is also very different, so if your application is more susceptible to some kind of engineering traffic then it's going to be very expensive.
Overall, I would rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
AWS WAF
February 2025
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
832,138 professionals have used our research since 2012.
Junior Associate - IT at a tech services company with 501-1,000 employees
Can block sudden surges of users on the website and provides protection against DDoS attacks
Pros and Cons
- "The most valuable feature is the addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules."
- "One area that could be improved is the DDoS protection."
What is our primary use case?
We are using it to monitor the requests on our site, to block sudden surges of users on our website, and also to prevent DDoS attacks.
What is most valuable?
The addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules.
What needs improvement?
One area that could be improved is the DDoS protection. We had a DDoS attack recently, and even though we had set a limit of 1,000 requests per five minutes, AWS WAF was not able to block all of the requests.
AWS wasn't able to clarify all the DDoS attacks. It may have been due to a wrong configuration in the rules, but AWS didn't block all the requests.
For how long have I used the solution?
It's been deployed in a project for one year.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten. It is a very stable solution. There are over 16 end users using the solution.
What do I think about the scalability of the solution?
I would rate the scalability a nine out of ten. There is room for improvement.
How was the initial setup?
The initial setup is easy. You don't need to do too many things.
What about the implementation team?
The deployment was done manually on the console, there is no need of propriety. It took around an hour and half.
What's my experience with pricing, setup cost, and licensing?
The pricing totally depends on the number of requests entering the WAF. For example, in case we have a DDoS type of attack, at that time, the price will surge quickly. For example, it will go up to two hundred dollars within three to four days. So it totally depends on the number of requests it is processing.
There are additional costs to the standard license because it totally depends on the number of incoming requests.
What other advice do I have?
Overall, I would rate the solution an eight out of ten.
I would recommend that understanding how the rules work exactly and finding patterns based on those rules is the most important thing in AWS WAF. It's quite easy to deploy at first, but afterward, it's essential to know how to handle it properly. Enabling the managed tools of AWS can sometimes block legitimate requests too. So, it's important to understand the type of requests you want to allow and how to configure the rules accordingly. It's quite an interesting aspect of AWS WAF.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Head of Digital Product Office at a energy/utilities company with 10,001+ employees
An excellent solution that's extremely scalable, very stable, and has great AI functionality
Pros and Cons
- "The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match."
- "The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively."
What is our primary use case?
We primarily use the solution for its rich insights to improve customer experience.
What is most valuable?
The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match.
The AI functionality and the machine learning are very good.
What needs improvement?
The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively.
For how long have I used the solution?
I've been using the solution for almost a year.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
The solution is extremely scalable.
How are customer service and technical support?
We have Amazon managed services, and, as part of our agreement, we have the lower end of that managed service. The solution is not a business-critical system for us, so we have a four hour SLA for resolution. That's pretty good. We're very satisfied with technical support.
Which solution did I use previously and why did I switch?
Previous to this solution, we used Microsoft Azure.
Amazon allows you to provision more services once you have the initial platform in place. Using Amazon Marketplace, it's so simple to provide additional services and functionality so it allows you to grow the capability of the platform with very little integration into other systems because it's all built into the marketplace. With Azure, it's only capable of some products and they don't have APIs available to integrate as well as Amazon does.
How was the initial setup?
The initial setup was straightforward. Deployment took about three months. For the setup of the platform, we had six people. For the maintenance of the platform, we now have three people maintaining it.
What about the implementation team?
We brought Amazon on to set everything up for us. They made implementation very easy.
What other advice do I have?
We use the public cloud deployment model. We use the Amazon cloud.
From a technology perspective, Amazon is very simple. It requires, in order for it to run effectively, quite a mature cloud-based culture within your organization, however. My advice to others would be to get their operating model internally right before going ahead with the implementation.
I would rate the solution nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Administrator at a media company with 51-200 employees
Advanced security with effective OWASP filtering rules and easy connectivity
Pros and Cons
- "They filter a lot of attacks out."
- "Rule exclusion could be a bit more transparent."
What is our primary use case?
The primary use case for AWS WAF involves securing applications for our customers, who are mainly software developers. Their application is positioned behind the firewall.
How has it helped my organization?
DDoS attacks are being blocked by AWS WAF, which is something some of my customers really need as they are targeted quite often.
What is most valuable?
The most valuable feature of AWS WAF is the OWASP filtering rules. They filter a lot of attacks out. Moreover, the service includes DDoS protection.
What needs improvement?
Rule exclusion could be a bit more transparent. However, it works great overall.
For how long have I used the solution?
I have been working with AWS WAF for two years now.
What do I think about the stability of the solution?
AWS WAF is stable. I have no complaints regarding its stability.
What do I think about the scalability of the solution?
It is easy to scale up AWS WAF. I would rate it an eight out of ten on the scale of scalability.
How are customer service and support?
I have never needed customer support for AWS WAF.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
The old team I worked at is still using Enable Insight remote monitoring, but personally, I am now using Datadog.
How was the initial setup?
AWS WAF is easy to connect, and I would rate the overall setup process as a seven since it's still a lot of work.
What about the implementation team?
I manage the AWS WAF for my clients and am responsible for the implementation.
What was our ROI?
The return on investment is difficult to determine. When a successful hack attempt is stopped, the investment is already returned.
What's my experience with pricing, setup cost, and licensing?
The customers think AWS WAF is expensive. Compared to hardware solutions, it is slightly more expensive, but it includes extra services. Personally, I find it fairly priced.
Which other solutions did I evaluate?
I did not explicitly evaluate any alternate solutions for AWS WAF.
What other advice do I have?
If security is an issue and you want to be secure, you should use AWS WAF.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
Last updated: Nov 12, 2024
Flag as inappropriateCloud Security Manager at a computer software company with 501-1,000 employees
Helps to secure applications and has good support, but needs more automation and easier deployment
Pros and Cons
- "AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice."
- "An improvement area would be that it's more of a manual effort when you have to enable rules. That's one of the downsides. If that can be done in an automated way, it would be great. That's a lagging feature currently."
What is our primary use case?
It's more of an application security tool that we use to secure applications.
What is most valuable?
AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice.
What needs improvement?
It's pretty much an AWS native service, so it's something that they improve year after year. They do continuous improvements on a year-by-year basis, so the product is really good. An improvement area would be that it's more of a manual effort when you have to enable rules. That's one of the downsides. If that can be done in an automated way, it would be great. That's a lagging feature currently.
It could also support multi-cloud integration where you can integrate with applications other than AWS applications. It would be a good feature or use case for this solution.
For how long have I used the solution?
I've been using this solution for almost three to four years.
What do I think about the stability of the solution?
It's stable. I'd rate it an eight out of ten in terms of stability.
What do I think about the scalability of the solution?
It's scalable. We probably have more than a hundred users. It's pretty much being used by everyone, such as engineers, managers, etc. Everyone is into it.
How are customer service and support?
We get good support. I'd rate them a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't use any similar solution previously. In the future, we might use another solution, but for now, we are more into AWS WAF.
How was the initial setup?
It's neither complex nor simple. It's somewhere in the middle. I'd rate it a six out of ten in terms of the ease of the setup.
It's a cloud solution, and we have a multi-cloud scenario. We are pretty much using all four clouds: Amazon, Azure, AWS, and Oracle. It's a mix-and-match or hybrid.
In terms of maintenance, there would be a team of engineers to maintain it.
What's my experience with pricing, setup cost, and licensing?
Its price is fair. There is a very fair amount that they charge.
It has a pay-as-you-go model, so it pretty much depends on how much a user uses it. As per the cloud norms, the more you use, the more you pay. I would rate it a five out of ten in terms of pricing.
What other advice do I have?
Overall, I'd rate it a seven out of ten because it's not automated and it's a bit complicated to implement or deploy the solution.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Advisory and IT Transformation Consultant at a tech services company with 10,001+ employees
Helps secure applications, highly stable, and good support
Pros and Cons
- "The most valuable feature of AWS WAF is the extra layer of security that I have when connecting to my web applications."
- "AWS WAF could improve by making the overall management easier. Many people that have started working with AWS WAF do not have an easy time. They should make it easy to use."
What is most valuable?
The most valuable feature of AWS WAF is the extra layer of security that I have when connecting to my web applications.
What needs improvement?
AWS WAF could improve by making the overall management easier. Many people that have started working with AWS WAF do not have an easy time. They should make it easy to use.
The AWS WAF documentation sometimes is not clear and could improve for all levels of people using the solution, such as developers. The interface could be easier to use.
For how long have I used the solution?
I have been using AWS WAF for approximately three years.
What do I think about the stability of the solution?
AWS WAF is a highly stable solution.
What do I think about the scalability of the solution?
We have approximately 35 applications that are using the AWS WAF.
How are customer service and support?
The support from AWS WAF is good, I have used them often.
Which solution did I use previously and why did I switch?
I was previously using Cisco and I switched to AWS WAF because I was working mostly with cloud environments and needed more services. Additionally, I have used Microsoft Azure.
How was the initial setup?
The initial setup is AWS WAF complex. The steps to complete the implementation could be easier, such as making the web traffic go through the WAF and then through the web service. The information for connectivity could be documented or done easier. The whole process can take approximately 20 minutes.
What's my experience with pricing, setup cost, and licensing?
The price of AWS WAF is expensive if you do not know how to manage your software up or down. I price of the solution is average amongst the other competitors but it would be better if it was less expensive.
What other advice do I have?
My advice to others is they should give AWS WAF a try. It works well, secures the applications, and it improves them against attacks.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
A stable tool offering good performance and technical support while needing an easy setup phase to get started
Pros and Cons
- "AWS WAF is a stable solution. The performance of the solution is very good."
- "AWS WAF should provide better protection to its users, and the security features need to improve."
What is our primary use case?
AWS WAF is a tool we use in my company since we don't currently have a firewall. We can be safer if we have a firewall, and the receive protection side can avoid any vulnerability attacks.
What is most valuable?
AWS WAF is a firewall we use from time to time in my company.
What needs improvement?
I don't think any improvement is needed in AWS WAF.
As technology develops and grows, AWS WAF will have to improve as a product.
AWS WAF should provide better protection to its users, and the security features need to improve.
For how long have I used the solution?
I have been using AWS WAF for six years. There is no specific version of the product since the vendor provides the services for the solution, and my company just uses it.
What do I think about the stability of the solution?
AWS WAF is a stable solution. The performance of the solution is very good.
Stability-wise, I rate the solution a ten out of ten.
What do I think about the scalability of the solution?
My company doesn't rely on AWS WAF's scalability since it's a tool that is totally on the cloud. If the tool goes down by any chance, AWS provides the solution on the steps that need to be taken.
Around 30 employees in my company use AWS WAF.
The product is not extensively used in my company.
My company has no plans to increase the number of users of AWS WAF. If our client wants to increase the number of users, we need to act on the server.
How are customer service and support?
The solution's technical support is good.
How was the initial setup?
The product's setup phase was pretty easy.
Sharing the code files and database configurations are the two steps we follow for deploying the product.
What about the implementation team?
The product's setup phase was carried out in-house.
What's my experience with pricing, setup cost, and licensing?
There are no separate licensing costs we pay for since it is included in the plan we purchase.
What other advice do I have?
AWS WAF has been releasing the product on a test-case basis.
It's always good to take precautionary methods for the production website. If everything goes fine, do work in your staging and UAT, not in the production part. The aforementioned details are the precautionary methods we have to follow.
Overall, I rate the solution a ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free AWS WAF Report and get advice and tips from experienced pros
sharing their opinions.
Updated: February 2025
Product Categories
Web Application Firewall (WAF)Popular Comparisons
Prisma Cloud by Palo Alto Networks
Microsoft Azure Application Gateway
Azure Front Door
F5 Advanced WAF
Fortinet FortiWeb
NetScaler
Imperva Web Application Firewall
Cloudflare Web Application Firewall
Imperva DDoS
Akamai App and API Protector
Azure Web Application Firewall
Radware Alteon
NGINX App Protect
Barracuda Web Application Firewall
Fastly
Buyer's Guide
Download our free AWS WAF Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are the limitations of AWS WAF vs alternative WAFs?
- Can you share your experience on migration from Akamai Kona Site to Amazon CloudFront and AWS WAF?
- How does AWS WAF compare to Microsoft Azure Application Gateway?
- Which lesser known firewall product has the best chance at unseating the market leaders?
- Which WAF solution would you recommend to cater to 100 to 125 concurrent sessions?
- What do you recommend for a securing Web Application?
- Fortinet vs Sophos? Help choose a NGFW solution that can replace Microsoft TMG.
- Imperva WAF vs. Barracuda: Which One is Better?
- F5 vs. Imperva WAF?
- When should companies use SSL Inspection?