Support for AWS WAF needs improvement.
Solution architect at NTT
Protects web applications against attacks; stable and scalable firewall with a straightforward setup
Pros and Cons
- "Stable and scalable web application firewall. Setting it up is straightforward."
- "Technical support for AWS WAF needs improvement."
What needs improvement?
For how long have I used the solution?
I've been using AWS WAF for a very short period, e.g. just a few weeks.
What do I think about the stability of the solution?
I find AWS WAF to be a stable product.
What do I think about the scalability of the solution?
AWS WAF is a scalable product.
Buyer's Guide
AWS WAF
February 2025
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
832,138 professionals have used our research since 2012.
How are customer service and support?
Technical support for AWS WAF could still be improved, e.g. support could be faster, more knowledgeable, and friendlier.
How was the initial setup?
The initial setup for AWS WAF was straightforward. It could take between two days and two weeks.
What about the implementation team?
We implemented AWS WAF through our in-house team and a consultant.
What other advice do I have?
I've been using a mix of AWS products, including AWS WAF.
I'm satisfied with AWS WAF, and I've had no issues with it. I can't really find fault in the product. It's a good product.
We have hundreds of AWS WAF users within our company. We also have plans to increase the number of users of the product.
The advice I would give to people who want to start using AWS WAF is that it's a good option if they're migrating to the cloud. It can take up a lot of legacy systems, e.g. it's scalable. Most of my customers are on the cloud, and for anyone who's struggling, it would be good to start anytime. Start small and scale, rather than just going fully onto the cloud.
Users need to pay for the product license.
My rating for AWS WAF is eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Infrastructure Architect at GoSee Travel
Scalable solution with good technical support
Pros and Cons
- "The solution is stable."
- "They should make the implementation process faster."
What is most valuable?
The solution's price is affordable compared to Fastly.
What needs improvement?
They should make the solution's implementation process faster. Presently, we have to write code and work a lot more for integration. It doesn't provide any default logs. So, we need help getting logs, audio, and dashboard queries. Also, there should be technical documentation for the solution in case of errors. Every time we have to log a support case with AWS to obtain details to resolve it. Instead, it would be better if they provide a proper document for reference.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is very scalable. We have 150 solution users in our organization.
How are customer service and support?
The solution's technical support is good.
Which solution did I use previously and why did I switch?
We have used Fastly before. It is easier to implement but is expensive compared to AWS.
How was the initial setup?
The solution's initial setup process is very complex. We need to write code for image optimization. Overall, its implementation is time-consuming.
What's my experience with pricing, setup cost, and licensing?
The solution's cost depends on the use cases.
What other advice do I have?
I rate the solution a ten. It requires executives with technical knowledge to understand the use cases.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Consultant at Unaikui
The solution should improve the pricing, though it is very scalable and stable
Pros and Cons
- "We can host any DB or application on the solution."
- "The solution can improve its price."
What is our primary use case?
I use the solution for firewall protection. It can also be used for authentication and authorization.
What is most valuable?
AWS WAF is a great solution. We can host any DB or application on the solution.
What needs improvement?
The solution can improve its price.
For how long have I used the solution?
I have been using the solution for five years.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
The solution is very scalable. Approximately 1000 people in our organization use the solution.
How was the initial setup?
The initial setup is straightforward.
What about the implementation team?
When we had set it up for a large insurance company, the deployment took us over six weeks. We deployed the solution with an in-house team. We need quite a bit of technical staff to maintain the solution.
What other advice do I have?
I use the latest version of the solution. I have used Oracle and Azure too. Overall, I rate the solution a five out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Infrastructure Engineer
Useful for protecting against unauthorized access and data breaches but very expensive
Pros and Cons
- "The most valuable feature is the capability to limit access based on geographical location by restricting specific IP addresses."
- "I would like to see the addition of more advanced rate-limiting features in the next release. It would be beneficial to extend rate limiting beyond just web servers to the main node level."
What is our primary use case?
We use the AWS platform to implement custom security rules based on our company's SOP. We apply custom rules to protect specific APIs and specific endpoint URLs. This allows us to tailor our security measures to our specific needs and requirements.
How has it helped my organization?
AWS WAF has improved our organization by allowing us to restrict access to our services based on location, which means that only customers from specific locations can access our services. It helps protect against unauthorized access and data breaches.
What is most valuable?
The most valuable feature is the capability to limit access based on geographical location by restricting specific IP addresses.
What needs improvement?
In terms of improvement, AWS WAF works perfectly fine right now. I would like to see the addition of more advanced rate-limiting features in the next release. It would be beneficial to extend rate limiting beyond just web servers to the main node level.
For how long have I used the solution?
I have been using AWS WAF for three years.
What do I think about the stability of the solution?
I would rate the stability of the solution an eight out of ten.
What do I think about the scalability of the solution?
I would rate the scalability of AWS WAF an eight out of ten. All requests, about 100,000 per month, go through the AWS App, ensuring the entire infrastructure is compliant with it. We use it 24/7.
How are customer service and support?
The technical support is slow to respond, and it's a paid service. I wouldn't recommend relying on it.
How would you rate customer service and support?
Negative
How was the initial setup?
The initial setup was simple and I did it myself. I would rate it an eight out of ten in terms of easiness. The deployment was in-house and it took five to ten minutes. It is mostly automated so it did not require much manual assistance. If errors or failures occur, reports are generated and shared with the relevant team for resolution. The deployment process involved specifying endpoint URLs in the web test code to enable automatic integration and we had to wait a little due to cooling time on the web test board.
What's my experience with pricing, setup cost, and licensing?
The solution is really expensive. I would give it a ten out of ten in terms of costliness. You have to pay additionally for data transfer.
What other advice do I have?
I would advise someone considering AWS WAF to start with testing on AWS but be cautious of data transfer costs, especially if the project is longer than four months because that is when the additional cost appears. You should assess if it's suitable for your specific use case and make sure to test it before committing to avoid unexpected expenses when moving to the cloud. Overall, I would rate the solution a six out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Principal Engineer at a tech services company with 51-200 employees
Use this product to make it possible to deploy web applications securely
Pros and Cons
- "This product supplies options for web security for applications accessing sensitive information."
- "The technical support does not respond to bugs in the coding of the product."
What is our primary use case?
There are two things that we primarily use AWS WAF (Amazon Web Services Web Application Firewall) for. One use is within the company. Within the company, the intended use is to deploy our applications. It is like working with the cloud. We can start an application in S3 (Simple Storage Service), and use profiles for access to data.
The other use is that most of our clients use a similar infrastructure. They are either using AWS, Azure or maybe Google Cloud Platform (GCP). We deploy this solution for them.
Both uses are different. One is for the cloud solutions like AWS, Azure and GCP, and one is for the local server access. That is how you want to secure a server. You are securing a server, database, app servers, and ATA gateways. The other one is for implementing security for the AWS. You want to have both running side-by-side.
Let me give you an example. Suppose, most of the people working for your company are connected from external locations with company-provided laptops or systems. I want to check all devices to make sure that they are being used in a secure way and not creating any breach of security. Those checks cannot be taken care of reliably from the AWS perspective. This is why you need two solutions.
What is most valuable?
The most valuable feature is the ability to use the product to enhance security in deploying web applications.
What needs improvement?
We have not implemented WAF completely. We are working around that issue right now in the AWS. We are creating log files and then we are using Kibana for analysis. Our WAF deployment is not perfected yet so it is not implemented as our long-term solution. It will take another month to complete the setup. I do not have the big picture on it yet in a live environment, so my view of what will need to be improved under load is limited.
I think one thing that should be available is that if there are technical problems in the AWS, then there should be automated alerts to AWS. Calling support is not that easy. It would be better to automatically send emails to them to report that there is a bug in their programming.
I have an idea for a new feature to consider. I think the security area and other things that they provide are good, and I know there are third-party integrations. It provides a lot of value. The problem is that the 'value' of the solution makes it very costly. That is a big thing. $20,000 for this solution seems like a lot.
Right now we are limited to only MySQL and PostgreSQL databases. There should be other options and also a way to check the security of it. I think AWS should develop and make available some kind of a management screen so we can see the logs, which servers are using the service, and how the security is performing. All we can see right now is if there are any security breaches. This is not enough information to evaluate the performance of the system.
For example, there are a lot of people using MongoDB databases. Over the last two years, a lot of them got hacked. Mongo should have had a way to alert end users if its facilities get hacked. A manager or some administrator should receive an email saying that this or that account got hacked and there was a security breach. This would be enough notification to prompt taking other appropriate actions.
There should also be a report or alerts which tell us that the configuration is having security issues. I think there is something called PVE security rules which might be implemented. Of course, Cisco's security rules could also be implemented. Once the rules are implemented, we know for certain if they are providing a secure connection or not. We need some type of check on the configuration that can create alerts for potential security issues and to have proper notifications.
For how long have I used the solution?
We have been in the implementation process with the product for some time but it is not yet live because we are not totally satisfied with the setup.
How are customer service and technical support?
I am not satisfied with AWS technical support. It is a long story. Two years back I contacted support because their code was not working. The solution itself was not perfect and there was a bug in the system. It was creating a lot of issues and there is no way to contact support.
I tried to contact them to tell them that they had a problem with AWS; they wanted me to pay them $200 to tell them there was a problem with their product — which is very strange. What I did instead was to send an email to their sales department at AWS to explain to them that there was a coding issue and that the software was not working as it was supposed to. After many months, they replied that this was not a problem for the sales department. They said they would forward the issue to the technical support team. When the technical support team received the information, they asked for money again to solve the problem in the coding of their own product.
I just wanted to tell them that they had a problem. They gave me a run-around and would not even look at the issue that was on their end which must have affected more clients than just me. So I think in that way, the technical support is not good. If there is a problem or a bug within the AWS services, there is no way to contact anyone for a resolution. That is a problem and not a good way to run technical support.
Which solution did I use previously and why did I switch?
We were using ManageEngine. A problem with using ManageEngine was that ManageEngine can help in securing the servers and API gateways and app servers, but it cannot help to tell if there is any breach in security from a company-provided laptop. We needed a better solution that covered this vulnerability.
How was the initial setup?
This product is not straightforward to set up and deploy. In the area of database security, it is especially complex. This is especially true when you want to do security for the cloud. There may be applications that will allow software on the cloud to access your in-house servers. If your in-house servers are available and there is a database, you want to secure it. You can do that more easily in-house than you can on the cloud but you have to be sure it is configured and secured properly.
What's my experience with pricing, setup cost, and licensing?
As far as pricing considerations, there are other competitors to consider. All the solutions are not easy and all will not do exactly the same thing or even what you need. SecureSphere is expensive, I think $20,000 per year. If you go for ManageEngine or any other solution, they also go for close to $10,000. It depends on how many applications you are running and how many servers you have. They can easily run into close to $10,000 a year. Database security and application security are generally costly solutions.
AWS is not that costly by comparison. They are maybe close to $40 per month. I think it was between $29 or $39.
What other advice do I have?
On a scale from one to ten where one is the worst and ten is the best, I would rate this product as a seven or an eight. I do not like to give it a solid rating as of now because we are still in the process of implementing it. Once we have completed the implementation, we will be able to give you a proper answer. As recently as two weeks ago we were still considering ManageEngine, but we did finally decide in our comparisons that it cannot provide all of the features that we are looking for.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior security engineer at a media company with 1,001-5,000 employees
Customizable features and a great solution for monitoring
Pros and Cons
- "The customizable features are good."
- "The product could be improved by expanding the weightage units of rules."
What is our primary use case?
We primarily use this solution for monitoring and blocking to ensure protection against application layer attacks. These include application-related core rules, database-specific attacks, Linux-based attacks and some custom rules deployed. These rules assist us in blocking specific attacks that come from the internet into our cloud infrastructure.
What is most valuable?
The customizable features are good. For example, we can write our own rules and match character and size limits.
What needs improvement?
The product could be improved by expanding the weightage units of rules we have when writing policy. Currently, our company uses WAF policy and Web ACL but is limited to only 1500 units of rules.
For how long have I used the solution?
We have been using this solution for three years and are currently using version two. We deploy this solution on Amazon public cloud.
What do I think about the stability of the solution?
This solution is stable.
What do I think about the scalability of the solution?
This solution is scalable because it provides many features.
How are customer service and support?
We have received good support from the customer service and support team. They identify our problems and assist in resolving any issues we have.
How was the initial setup?
Our initial setup was straightforward, and deployment by automation only took a few minutes.
What's my experience with pricing, setup cost, and licensing?
I cannot comment on licensing costs and pricing as I am unsure of the exact costs.
What other advice do I have?
I rate AWS WAF an eight out of ten. I would advise new customers to choose custom policies because they provide more flexibility in guarding against attacks on cloud infrastructures. Additionally, it protects both regional and global servers.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Physical Designer at Semtech Corporation
Does what it is supposed to do, probably not in the best way and not in the best UI
Pros and Cons
- "The access instruction feature is the most valuable. This is what we use the most."
- "It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful. It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one. Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right."
What is our primary use case?
The regular use case is basically for blocking or giving access to different vendors to different domains. We also use it for managing and identifying the attacks and new rules that we should implement for our public domains to tune up the application firewall or tool, whatever makes more sense for us.
We're using it through the web console and API. We're just using the managed service.
How has it helped my organization?
Our organization is launching a lot of betas. We are creating a lot of new different systems for different customers. AWS WAF helps us a lot to make sure that the right customer gets the right access to the system.
What is most valuable?
The access instruction feature is the most valuable. This is what we use the most.
What needs improvement?
It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful.
It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one.
Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right.
For how long have I used the solution?
I have been using AWS WAF for about six months.
What do I think about the stability of the solution?
Stability-wise, it works as expected.
What do I think about the scalability of the solution?
I definitely see places where it can be more designed to scale. In addition to Amazon resources, there is some stuff from other vendors that we wanted to protect. WAF was not a solution for us because we don't have a way to integrate with those things. That was the biggest challenge that we faced. In terms of the number of users, our end users could be in the thousands.
How are customer service and technical support?
It is okay.
How was the initial setup?
It was okay. We went for the cloud formation, and our deployments happen probably every week.
What about the implementation team?
Everything is managed through cloud formation. After implementation, three or four hours a week are required for maintenance.
What's my experience with pricing, setup cost, and licensing?
We are kind of doing a POC comparison to see what works best. Pricing-wise, AWS is one of the most attractive ones. It is fairly cheap, and we like the pricing part. We're trying to see what makes more sense operation-wise, license-wise, and pricing-wise.
What other advice do I have?
I won't recommend it at the moment because I don't have a full picture to recommend it or say that it is bad or good. I'll probably just keep testing and go with it for probably another six months or a year, and then I can probably recommend it or not.
Other vendors are also providing solutions for DDoS protection and WAF. It would be nice to see something outside the box for AWS WAF to make it compete with other vendors.
I would rate AWS WAF a seven out of ten. It does what it is supposed to do, probably not in the best way and not in the best UI, but it works. We like the pricing part, but management is the thing that we don't love the most. If things keep improving, we're definitely going to scale with AWS WAF.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Analyst
Makes sure files are protected, but the solution should be more proactive in detecting threats
Pros and Cons
- "The most valuable feature is the security, making sure that files are protected, preventing unauthorized users from accessing the system."
- "They have to do more to improve, to innovate more features. They need to increase the security. It has to be more active in detecting threats."
What is our primary use case?
It's all about the security of the cloud system.
How has it helped my organization?
It has improved our organization a lot because before we were having problems with access management. Things have gotten better using this product. It's protecting the files. It has been the best step for us.
We are no longer having problems with unauthorized access, where somebody breaches the system or compromises documents. Nothing like that has happened over the past year that we have been using this product. We're doing well and I believe we will continue to do well with this product.
Staff productivity has been high since we started using it. It has saved 80 to 90 percent of their time in some cases.
What is most valuable?
The most valuable feature is the security, making sure that files are protected, preventing unauthorized users from accessing the system. These are the best.
What needs improvement?
I would like them to fortify the system more. In every software platform there are issues or bugs, even though presently, there aren't many known and it is running without problems.
They have to do more to improve, to innovate more features. They need to increase the security. It has to be more active in detecting threats. It's better for the system if the platform is more proactive in detecting threats immediately, so that technicians or people on the security team will know that a threat is coming in.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It's stable, it's a strong system. The stability is going to be even better because they're still trying to improve on it, and they are bringing out more features.
What do I think about the scalability of the solution?
Scalability is one of the features. It has to be scalable to be able to effectively secure the system.
How are customer service and technical support?
Amazon Web Services has very good technical support. Whenever you encounter a problem you just call the support team. You'll be able to walk them through the problem and then they'll solve it.
Which solution did I use previously and why did I switch?
Our company didn't have structured security controls before this. We were encountering a lot of problems when it came to security, protection of the documents and system. They restructured the whole system. This is the platform that was recommended to us. Since we started using it, it has been great.
How was the initial setup?
The initial setup was rather complex.
What about the implementation team?
Most of the time we try to use a consultant for deployment. Our experience with them has been good. They know their jobs. They try to incorporate more features, teach us how to do things. It's a learning process and they're always there to make sure that we understand the stuff. They get things going.
What's my experience with pricing, setup cost, and licensing?
It's an annual subscription. There are no additional fees beyond the standard licensing.
What other advice do I have?
Everybody handles their own platform differently. Some people love what they have but haven't necessarily experienced anything else. This platform is a good one. If you have your own platform and you think it's better, that's fine. But get a taste of this one, try it and see how it feels in terms of security.
Security has always been a problem and it will always be a problem. There's no security platform or software that is 100 percent. We don't know when a Zero-day will happen. Hackers are everywhere, they are creating things and innovating every day. As far as I am concerned right now, the platform is good. It's doing its job.
I rate the solution at six out of ten. I don't want to give them 100 percent because sometimes things happen.
Disclosure: I am a real user, and this review is based on my own experience and opinions.