We primarily use the solution for its rich insights to improve customer experience.
Head of Digital Product Office at an energy/utilities company with 10,001+ employees
An excellent solution that's extremely scalable, very stable, and has great AI functionality
Pros and Cons
- "The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match."
- "The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively."
What is our primary use case?
What is most valuable?
The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match.
The AI functionality and the machine learning are very good.
What needs improvement?
The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively.
For how long have I used the solution?
I've been using the solution for almost a year.
Buyer's Guide
AWS WAF
November 2024
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
The solution is extremely scalable.
How are customer service and support?
We have Amazon managed services, and, as part of our agreement, we have the lower end of that managed service. The solution is not a business-critical system for us, so we have a four hour SLA for resolution. That's pretty good. We're very satisfied with technical support.
Which solution did I use previously and why did I switch?
Previous to this solution, we used Microsoft Azure.
Amazon allows you to provision more services once you have the initial platform in place. Using Amazon Marketplace, it's so simple to provide additional services and functionality so it allows you to grow the capability of the platform with very little integration into other systems because it's all built into the marketplace. With Azure, it's only capable of some products and they don't have APIs available to integrate as well as Amazon does.
How was the initial setup?
The initial setup was straightforward. Deployment took about three months. For the setup of the platform, we had six people. For the maintenance of the platform, we now have three people maintaining it.
What about the implementation team?
We brought Amazon on to set everything up for us. They made implementation very easy.
What other advice do I have?
We use the public cloud deployment model. We use the Amazon cloud.
From a technology perspective, Amazon is very simple. It requires, in order for it to run effectively, quite a mature cloud-based culture within your organization, however. My advice to others would be to get their operating model internally right before going ahead with the implementation.
I would rate the solution nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
OCI/AWS Consultant at a government with 11-50 employees
Straightforward to setup but expensive and could be more efficient
Pros and Cons
- "AWS WAF acts as a barrier, analyzing HTTP communications between external users and web applications."
- "There is a lot of innovation talk, however, implementation might be lacking."
What is our primary use case?
AWS WAF is a firewall that protects web applications by filtering and monitoring HTTP traffic between web applications and the network. I use it for protecting infrastructure that has sensitive data, including personal identification information like Social Security numbers. AWS WAF promotes the security of this data by preventing leakage.
How has it helped my organization?
AWS WAF helps to protect sensitive data and customer records.
What is most valuable?
AWS WAF acts as a barrier, analyzing HTTP communications between external users and web applications. It gives flexibility in HTTP communication, which is a feature I like.
What needs improvement?
AWS doesn't need improvement with AWS WAF. However, there may be room for improvement in RDS services and EKS services. The purpose of AWS WAF is clear: whether it allows or blocks connections, its goal is to ensure the safety and security of private subnets.
For how long have I used the solution?
AWS WAF has been used for almost five years, starting with a proof of concept in 2019.
What do I think about the stability of the solution?
AWS WAF is stable. There have not been significant issues, and it functions like a firewall.
What do I think about the scalability of the solution?
AWS is questioned for how much scalability can be achieved in terms of vCPUs and handling capacity, yet AWS WAF itself handles the configurations well.
How are customer service and support?
Amazon's support is mixed. Technically knowledgeable people are part of the support team. That said, there are promises made, especially during sales pitches, that often don't match reality. There is a lot of innovation talk, yet implementation might be lacking.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
A proof of concept was done with AWS and Oracle Cloud Infrastructure (OCI), even though OCI offered better efficiency and cost benefits.
How was the initial setup?
Setting up AWS WAF is straightforward; you create a subnet VPC and attach it, which is simple.
What's my experience with pricing, setup cost, and licensing?
For Kubernetes microservices, AWS is more expensive compared to OCI. AWS costs approximately 70 cents per hour, while OCI is 50% cheaper. From a pricing perspective, AWS is considered expensive, especially for Kubernetes and RDS. OCI offers lower costs with better efficiency.
Which other solutions did I evaluate?
Oracle Cloud Infrastructure (OCI) was evaluated alongside AWS, and while OCI was preferred for efficiency and cost benefits, AWS was selected due to governmental requirements.
What other advice do I have?
Technological understanding is crucial for AWS products like AWS WAF. This understanding separates out the simple setup process from understanding the underlying complex mechanisms.
I'd rate the solution four out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer:
Last updated: Nov 17, 2024
Senior Administrator at a media company with 51-200 employees
Advanced security with effective OWASP filtering rules and easy connectivity
Pros and Cons
- "They filter a lot of attacks out."
- "Rule exclusion could be a bit more transparent."
What is our primary use case?
The primary use case for AWS WAF involves securing applications for our customers, who are mainly software developers. Their application is positioned behind the firewall.
How has it helped my organization?
DDoS attacks are being blocked by AWS WAF, which is something some of my customers really need as they are targeted quite often.
What is most valuable?
The most valuable feature of AWS WAF is the OWASP filtering rules. They filter a lot of attacks out. Moreover, the service includes DDoS protection.
What needs improvement?
Rule exclusion could be a bit more transparent. However, it works great overall.
For how long have I used the solution?
I have been working with AWS WAF for two years now.
What do I think about the stability of the solution?
AWS WAF is stable. I have no complaints regarding its stability.
What do I think about the scalability of the solution?
It is easy to scale up AWS WAF. I would rate it an eight out of ten on the scale of scalability.
How are customer service and support?
I have never needed customer support for AWS WAF.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
The old team I worked at is still using Enable Insight remote monitoring, but personally, I am now using Datadog.
How was the initial setup?
AWS WAF is easy to connect, and I would rate the overall setup process as a seven since it's still a lot of work.
What about the implementation team?
I manage the AWS WAF for my clients and am responsible for the implementation.
What was our ROI?
The return on investment is difficult to determine. When a successful hack attempt is stopped, the investment is already returned.
What's my experience with pricing, setup cost, and licensing?
The customers think AWS WAF is expensive. Compared to hardware solutions, it is slightly more expensive, but it includes extra services. Personally, I find it fairly priced.
Which other solutions did I evaluate?
I did not explicitly evaluate any alternate solutions for AWS WAF.
What other advice do I have?
If security is an issue and you want to be secure, you should use AWS WAF.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
Last updated: Nov 12, 2024
Principal Engineer at a tech services company with 51-200 employees
Use this product to make it possible to deploy web applications securely
Pros and Cons
- "This product supplies options for web security for applications accessing sensitive information."
- "The technical support does not respond to bugs in the coding of the product."
What is our primary use case?
There are two things that we primarily use AWS WAF (Amazon Web Services Web Application Firewall) for. One use is within the company. Within the company, the intended use is to deploy our applications. It is like working with the cloud. We can start an application in S3 (Simple Storage Service), and use profiles for access to data.
The other use is that most of our clients use a similar infrastructure. They are either using AWS, Azure or maybe Google Cloud Platform (GCP). We deploy this solution for them.
Both uses are different. One is for the cloud solutions like AWS, Azure and GCP, and one is for the local server access. That is how you want to secure a server. You are securing a server, database, app servers, and ATA gateways. The other one is for implementing security for the AWS. You want to have both running side-by-side.
Let me give you an example. Suppose, most of the people working for your company are connected from external locations with company-provided laptops or systems. I want to check all devices to make sure that they are being used in a secure way and not creating any breach of security. Those checks cannot be taken care of reliably from the AWS perspective. This is why you need two solutions.
What is most valuable?
The most valuable feature is the ability to use the product to enhance security in deploying web applications.
What needs improvement?
We have not implemented WAF completely. We are working around that issue right now in the AWS. We are creating log files and then we are using Kibana for analysis. Our WAF deployment is not perfected yet so it is not implemented as our long-term solution. It will take another month to complete the setup. I do not have the big picture on it yet in a live environment, so my view of what will need to be improved under load is limited.
I think one thing that should be available is that if there are technical problems in the AWS, then there should be automated alerts to AWS. Calling support is not that easy. It would be better to automatically send emails to them to report that there is a bug in their programming.
I have an idea for a new feature to consider. I think the security area and other things that they provide are good, and I know there are third-party integrations. It provides a lot of value. The problem is that the 'value' of the solution makes it very costly. That is a big thing. $20,000 for this solution seems like a lot.
Right now we are limited to only MySQL and PostgreSQL databases. There should be other options and also a way to check the security of it. I think AWS should develop and make available some kind of a management screen so we can see the logs, which servers are using the service, and how the security is performing. All we can see right now is if there are any security breaches. This is not enough information to evaluate the performance of the system.
For example, there are a lot of people using MongoDB databases. Over the last two years, a lot of them got hacked. Mongo should have had a way to alert end users if its facilities get hacked. A manager or some administrator should receive an email saying that this or that account got hacked and there was a security breach. This would be enough notification to prompt taking other appropriate actions.
There should also be a report or alerts which tell us that the configuration is having security issues. I think there is something called PVE security rules which might be implemented. Of course, Cisco's security rules could also be implemented. Once the rules are implemented, we know for certain if they are providing a secure connection or not. We need some type of check on the configuration that can create alerts for potential security issues and to have proper notifications.
For how long have I used the solution?
We have been in the implementation process with the product for some time but it is not yet live because we are not totally satisfied with the setup.
How are customer service and technical support?
I am not satisfied with AWS technical support. It is a long story. Two years back I contacted support because their code was not working. The solution itself was not perfect and there was a bug in the system. It was creating a lot of issues and there is no way to contact support.
I tried to contact them to tell them that they had a problem with AWS, and they wanted me to pay them $200 to tell them there was a problem with their product — which is very strange. What I did instead was to send an email to their sales department at AWS to explain to them that there was a coding issue and that the software was not working as it was supposed to. After many months, they replied that this was not a problem for the sales department. They said they would forward the issue to the technical support team. When the technical support team received the information, they asked for money again to solve the problem in the coding of their own product.
I just wanted to tell them that they had a problem. They gave me a run-around and would not even look at the issue that was on their end which must have affected more clients than just me. So I think in that way, the technical support is not good. If there is a problem or a bug within the AWS services, there is no way to contact anyone for a resolution. That is a problem and not a good way to run technical support.
Which solution did I use previously and why did I switch?
We were using ManageEngine. A problem with using ManageEngine was that ManageEngine can help in securing the servers and API gateways and app servers, but it cannot help to tell if there is any breach in security from a company-provided laptop. We needed a better solution that covered this vulnerability.
How was the initial setup?
This product is not straightforward to set up and deploy. In the area of database security, it is especially complex. This is especially true when you want to do security for the cloud. There may be applications that will allow software on the cloud to access your in-house servers. If your in-house servers are available and there is a database, you want to secure it. You can do that more easily in-house than you can on the cloud but you have to be sure it is configured and secured properly.
What's my experience with pricing, setup cost, and licensing?
As far as pricing considerations, there are other competitors to consider. All the solutions are not easy and all will not do exactly the same thing or even what you need. SecureSphere is expensive, I think $20,000 per year. If you go for ManageEngine or any other solution, they also go for close to $10,000. It depends on how many applications you are running and how many servers you have. They can easily run into close to $10,000 a year. Database security and application security are generally costly solutions.
AWS is not that costly by comparison. They are maybe close to $40 per month. I think it was between $29 or $39.
What other advice do I have?
On a scale from one to ten where one is the worst and ten is the best, I would rate this product as a seven or an eight. I do not like to give it a solid rating as of now because we are still in the process of implementing it. Once we have completed the implementation, we will be able to give you a proper answer. As recently as two weeks ago we were still considering ManageEngine, but we did finally decide in our comparisons that it cannot provide all of the features that we are looking for.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Junior Associate - IT at a tech services company with 501-1,000 employees
Can block sudden surges of users on the website and provides protection against DDoS attacks
Pros and Cons
- "The most valuable feature is the addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules."
- "One area that could be improved is the DDoS protection."
What is our primary use case?
We are using it to monitor the requests on our site, to block sudden surges of users on our website, and also to prevent DDoS attacks.
What is most valuable?
The addition of managed tools that help us create customizable rules. In case we want to block a particular request, we can make use of those rules.
What needs improvement?
One area that could be improved is the DDoS protection. We had a DDoS attack recently, and even though we had set a limit of 1,000 requests per five minutes, AWS WAF was not able to block all of the requests.
AWS wasn't able to clarify all the DDoS attacks. It may have been due to a wrong configuration in the rules, but AWS didn't block all the requests.
For how long have I used the solution?
It's been deployed in a project for one year.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten. It is a very stable solution. There are over 16 end users using the solution.
What do I think about the scalability of the solution?
I would rate the scalability a nine out of ten. There is room for improvement.
How was the initial setup?
The initial setup is easy. You don't need to do too many things.
What about the implementation team?
The deployment was done manually on the console; there is no need of propriety. It took around an hour and a half.
What's my experience with pricing, setup cost, and licensing?
The pricing totally depends on the number of requests entering the WAF. For example, in case we have a DDoS type of attack, at that time, the price will surge quickly. For example, it will go up to two hundred dollars within three to four days. So it totally depends on the number of requests it is processing.
There are additional costs to the standard license because it totally depends on the number of incoming requests.
What other advice do I have?
Overall, I would rate the solution an eight out of ten.
I would recommend that understanding how the rules work exactly and finding patterns based on those rules is the most important thing in AWS WAF. It's quite easy to deploy at first, but afterward, it's essential to know how to handle it properly. Enabling the managed tools of AWS can sometimes block legitimate requests too. So, it's important to understand the type of requests you want to allow and how to configure the rules accordingly. It's quite an interesting aspect of AWS WAF.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Cloud Security Manager at a computer software company with 501-1,000 employees
Helps to secure applications and has good support, but needs more automation and easier deployment
Pros and Cons
- "AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice."
- "An improvement area would be that it's more of a manual effort when you have to enable rules. That's one of the downsides. If that can be done in an automated way, it would be great. That's a lagging feature currently."
What is our primary use case?
It's more of an application security tool that we use to secure applications.
What is most valuable?
AWS WAF is something that someone from a cloud background or cloud security background leverages. If they want to natively use a solution in the cloud, AWS WAF comes in handy. It's very useful for that, and the way we can fine-tune the WAF rules is also nice.
What needs improvement?
It's pretty much an AWS native service, so it's something that they improve year after year. They do continuous improvements on a year-by-year basis, so the product is really good. An improvement area would be that it's more of a manual effort when you have to enable rules. That's one of the downsides. If that can be done in an automated way, it would be great. That's a lagging feature currently.
It could also support multi-cloud integration where you can integrate with applications other than AWS applications. It would be a good feature or use case for this solution.
For how long have I used the solution?
I've been using this solution for almost three to four years.
What do I think about the stability of the solution?
It's stable. I'd rate it an eight out of ten in terms of stability.
What do I think about the scalability of the solution?
It's scalable. We probably have more than a hundred users. It's pretty much being used by everyone, such as engineers, managers, etc. Everyone is into it.
How are customer service and support?
We get good support. I'd rate them a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't use any similar solution previously. In the future, we might use another solution, but for now, we are more into AWS WAF.
How was the initial setup?
It's neither complex nor simple. It's somewhere in the middle. I'd rate it a six out of ten in terms of the ease of the setup.
It's a cloud solution, and we have a multi-cloud scenario. We are pretty much using all four clouds: Amazon, Azure, AWS, and Oracle. It's a mix-and-match or hybrid.
In terms of maintenance, there would be a team of engineers to maintain it.
What's my experience with pricing, setup cost, and licensing?
Its price is fair. There is a very fair amount that they charge.
It has a pay-as-you-go model, so it pretty much depends on how much a user uses it. As per the cloud norms, the more you use, the more you pay. I would rate it a five out of ten in terms of pricing.
What other advice do I have?
Overall, I'd rate it a seven out of ten because it's not automated and it's a bit complicated to implement or deploy the solution.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
A stable tool offering good performance and technical support while needing an easy setup phase to get started
Pros and Cons
- "AWS WAF is a stable solution. The performance of the solution is very good."
- "AWS WAF should provide better protection to its users, and the security features need to improve."
What is our primary use case?
AWS WAF is a tool we use in my company since we don't currently have a firewall. We can be safer if we have a firewall, and the receive protection side can avoid any vulnerability attacks.
What is most valuable?
AWS WAF is a firewall we use from time to time in my company.
What needs improvement?
I don't think any improvement is needed in AWS WAF.
As technology develops and grows, AWS WAF will have to improve as a product.
AWS WAF should provide better protection to its users, and the security features need to improve.
For how long have I used the solution?
I have been using AWS WAF for six years. There is no specific version of the product since the vendor provides the services for the solution, and my company just uses it.
What do I think about the stability of the solution?
AWS WAF is a stable solution. The performance of the solution is very good.
Stability-wise, I rate the solution a ten out of ten.
What do I think about the scalability of the solution?
My company doesn't rely on AWS WAF's scalability since it's a tool that is totally on the cloud. If the tool goes down by any chance, AWS provides the solution on the steps that need to be taken.
Around 30 employees in my company use AWS WAF.
The product is not extensively used in my company.
My company has no plans to increase the number of users of AWS WAF. If our client wants to increase the number of users, we need to act on the server.
How are customer service and support?
The solution's technical support is good.
How was the initial setup?
The product's setup phase was pretty easy.
Sharing the code files and database configurations are the two steps we follow for deploying the product.
What about the implementation team?
The product's setup phase was carried out in-house.
What's my experience with pricing, setup cost, and licensing?
There are no separate licensing costs we pay for since it is included in the plan we purchase.
What other advice do I have?
AWS WAF has been releasing the product on a test-case basis.
It's always good to take precautionary methods for the production website. If everything goes fine, do work in your staging and UAT, not in the production part. The aforementioned details are the precautionary methods we have to follow.
Overall, I rate the solution a ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Advisory and IT Transformation Consultant at a tech services company with 10,001+ employees
Helps secure applications, highly stable, and good support
Pros and Cons
- "The most valuable feature of AWS WAF is the extra layer of security that I have when connecting to my web applications."
- "AWS WAF could improve by making the overall management easier. Many people that have started working with AWS WAF do not have an easy time. They should make it easy to use."
What is most valuable?
The most valuable feature of AWS WAF is the extra layer of security that I have when connecting to my web applications.
What needs improvement?
AWS WAF could improve by making the overall management easier. Many people that have started working with AWS WAF do not have an easy time. They should make it easy to use.
The AWS WAF documentation sometimes is not clear and could improve for all levels of people using the solution, such as developers. The interface could be easier to use.
For how long have I used the solution?
I have been using AWS WAF for approximately three years.
What do I think about the stability of the solution?
AWS WAF is a highly stable solution.
What do I think about the scalability of the solution?
We have approximately 35 applications that are using the AWS WAF.
How are customer service and support?
The support from AWS WAF is good; I have used them often.
Which solution did I use previously and why did I switch?
I was previously using Cisco and I switched to AWS WAF because I was working mostly with cloud environments and needed more services. Additionally, I have used Microsoft Azure.
How was the initial setup?
The initial setup of AWS WAF is complex. The steps to complete the implementation could be easier, such as making the web traffic go through the WAF and then through the web service. The information for connectivity could be documented or done easier. The whole process can take approximately 20 minutes.
What's my experience with pricing, setup cost, and licensing?
The price of AWS WAF is expensive if you do not know how to manage your software up or down. The price of the solution is average amongst the other competitors but it would be better if it was less expensive.
What other advice do I have?
My advice to others is they should give AWS WAF a try. It works well, secures the applications, and it improves them against attacks.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner