Physical Designer at Semtech Corporation
Real User
Does what it is supposed to do, probably not in the best way and not in the best UI
Pros and Cons
  • "The access instruction feature is the most valuable. This is what we use the most."
  • "It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful. It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one. Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right."

What is our primary use case?

The regular use case is basically for blocking or giving access to different vendors to different domains. We also use it for managing and identifying the attacks and new rules that we should implement for our public domains to tune up the application firewall or tool, whatever makes more sense for us.

We're using it through the web console and API. We're just using the managed service.

How has it helped my organization?

Our organization is launching a lot of betas. We are creating a lot of new different systems for different customers. AWS WAF helps us a lot to make sure that the right customer gets the right access to the system.

What is most valuable?

The access instruction feature is the most valuable. This is what we use the most.

What needs improvement?

It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful.

It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one.

Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right.

Buyer's Guide
AWS WAF
November 2024
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.

For how long have I used the solution?

I have been using AWS WAF for about six months.

What do I think about the stability of the solution?

Stability-wise, it works as expected.

What do I think about the scalability of the solution?

I definitely see places where it can be more designed to scale. In addition to Amazon resources, there is some stuff from other vendors that we wanted to protect. WAF was not a solution for us because we don't have a way to integrate with those things. That was the biggest challenge that we faced. In terms of the number of users, our end users could be in the thousands.

How are customer service and support?

It is okay.

How was the initial setup?

It was okay. We went for CloudFormation, and our deployments happen probably every week.

What about the implementation team?

Everything is managed through CloudFormation. After implementation, three or four hours a week are required for maintenance.

What's my experience with pricing, setup cost, and licensing?

We are kind of doing a POC comparison to see what works best. Pricing-wise, AWS is one of the most attractive ones. It is fairly cheap, and we like the pricing part. We're trying to see what makes more sense operation-wise, license-wise, and pricing-wise.

What other advice do I have?

I won't recommend it at the moment because I don't have a full picture to recommend it or say that it is bad or good. I'll probably just keep testing and go with it for probably another six months or a year, and then I can probably recommend it or not. 

Other vendors are also providing solutions for DDoS protection and WAF. It would be nice to see something outside the box for AWS WAF to make it compete with other vendors.

I would rate AWS WAF a seven out of ten. It does what it is supposed to do, probably not in the best way and not in the best UI, but it works. We like the pricing part, but management is the thing that we don't love the most. If things keep improving, we're definitely going to scale with AWS WAF.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Uddeshya Kumar - PeerSpot reviewer
Product Owner at SecLogic Limited
Real User
Top 5 Leaderboard
A stable solution that is easy to deploy and provides a helpful support team
Pros and Cons
  • "The tool’s stability is very good."
  • "The cost must be reduced."

What is our primary use case?

We use the solution for filtering traffic. We do not want our developers to use unnecessary websites. So, we filter the websites using the tool.

What is most valuable?

All the features are good. AWS Lambda and S3 are valuable tools. We have to use these tools when we build applications.

What needs improvement?

The cost must be reduced.

For how long have I used the solution?

I have been using the solution for a year. I use the latest version.

What do I think about the stability of the solution?

The tool’s stability is very good. It is better than GCP.

What do I think about the scalability of the solution?

The tool’s scalability is good. We have almost 20 users.

How are customer service and support?

The support is helpful.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We also use GCP.

How was the initial setup?

The initial setup is very easy. Everything is on the cloud. The deployment takes one full day.

What about the implementation team?

We deploy the product in-house. We need one senior solution architect and one junior solution architect to deploy the tool. We have a team of analysts for experiments. We need only one person to maintain the solution.

What's my experience with pricing, setup cost, and licensing?

The product is expensive.

What other advice do I have?

We use almost 40 services. Overall, I rate the product an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Prasanth MG - PeerSpot reviewer
Software Engineer at Readyly
Real User
Top 5 Leaderboard
Allows us to set up security rules and has a good scalability
Pros and Cons
  • "The solution's initial setup process is easy."
  • "The solution could be more reliable."

What is our primary use case?

We use the solution as a firewall to protect the network from malicious requests.

How has it helped my organization?

The solution helps our organization to comply with our security standards.

What is most valuable?

The solution allows us to set up rules for blocking malicious requests. We can configure a pool of such sources and choose what to do (allow/block/count) when a request comes from them.

What needs improvement?

The solution can include provisions to block requests targeted at specific URIs (/.env) which are obviously malicious. Also, sometimes it blocks legitimate requests. We have to keep changing some of our rules in this case. It would be great if they maintained the AWS-managed rule sets properly.

For how long have I used the solution?

We have been using the solution for the last eight months.

What do I think about the stability of the solution?

It is a stable solution, although sometimes even legitimate requests fail.

I rate its stability an eight out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. We have two users in our organization.

How was the initial setup?

The solution's initial setup process is easy.

What other advice do I have?

I advise others to set their security principles while building the software itself, as WAF is not entirely reliable. I rate it an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager, IT Infrastructure & Information Security at flyadeal
Real User
Provides good OWASP top 10 protection but needs improvement in security efficiency related to bad bots
Pros and Cons
  • "The security firewall plus the features that protect against database injections or scripting,"
  • "For now, there is no feature to protect against attack of the bad bots"

What is our primary use case?

I'm a manager and in charge of IT infrastructure and information security for an airline company. We're a customer of AWS WAF. We use the product to protect the websites that our customers access to book flights. It provides the sites with DDoS protection and OWASP top 10 application security.

What is most valuable?

The best features are the security firewall and the features that protect against database injections or scripting, and against overall OWASP top 10, but I have concerns about CloudFront, which doesn't handle bot attacks properly, so it's not as effective as I would like it to be.

What needs improvement?

A significant improvement would be built-in bot protection enhancement, or seamless integration with other products. For now, there are limited features to protect against an attack from the bad bots, so users go to third-party solutions, which just complicates integration and operation.

A helpful additional feature would be to have a fully unified unique product, including the DDoS, with sophisticated attack capabilities including anti bot management. They should also take a look at reviewing the complexity of the integration with other third-party vendor solutions.

For how long have I used the solution?

I've been using the product for the last two years. We upgraded recently and I'm using the latest version. 

How are customer service and technical support?

Technical support is good. 

How was the initial setup?

Deployment is easy, it's not complex. The complexity is when you need it for integration with other third-party products. We also use CDN, part of the web solution from Amazon.

What's my experience with pricing, setup cost, and licensing?

The price of the product is fair enough and one of the product's advantages. Their price is good compared to other vendors. 

What other advice do I have?

The main difference with other similar products is the security efficiency against the type of attacks because normally Amazon works with certain types of attacks and is unable to deal with most of the more sophisticated new attacks that are now on the market. So if you compare AWS WAF to the leaders in the field like Imperva, Akamai or Radware, they are still beyond these products.

I would recommend that if you don't have a critical heavy use website, and you have a simple business that doesn't require high protection or high-security efficiency, go with this product, but if you have something where security is critical you should go with the leaders in the market, companies like Akamai, Radware, PerimeterX or Imperva.

I would rate this product a seven out of 10. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of Operations Subdepartment at a government with 10,001+ employees
Real User
Reasonably priced, stable, and offers excellent performance
Pros and Cons
  • "Their technical support has been quite good."
  • "We haven't faced any problems with the solution."

What is our primary use case?

I primarily use the solution as a gateway service and a transaction portal. 

What is most valuable?

We haven't had any issues with the solution so far.

The pricing of the product is very good. They make it very reasonable and it's very easy to afford.

Their technical support has been quite good.

The performance is excellent. It's reliable.

We've found the solution to be quite stable.

What needs improvement?

We haven't faced any problems with the solution. I can't speak to any missing features. Every aspect of it has been quite good.

For how long have I used the solution?

I've been using the solution for a while.

What do I think about the stability of the solution?

The stability has been very good. We've enjoyed a very reliable performance. There are no bugs or glitches. It doesn't crash or freeze. It's been good.

How are customer service and technical support?

Technical support has been quite good. We've found them helpful and responsive. We are quite satisfied with the level of support that is provided to us.

What's my experience with pricing, setup cost, and licensing?

The solution is very reasonably priced. 

What other advice do I have?

I'm just a customer and an end-user. I don't have a business relationship or partnership with AWS.

I have pretty good experience in AWS. I have a certificate in AWS.

I'd rate the solution at a ten out of ten. We've been extremely satisfied with the solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1143783 - PeerSpot reviewer
Advisory and IT Transformation Consultant at a tech services company with 10,001+ employees
Real User
Top 20
A straightforward setup with a quick deployment with good auto-management features
Pros and Cons
  • "The initial setup was very straightforward. Deployment took about ten minutes or less."
  • "They should work to define more threats, add more security, and make it more compliant with more security companies."

What is our primary use case?

The primary use of the solution is for perimeter security. I use it to secure my application and infrastructure.

What is most valuable?

Fast deployment and auto-manage are the most valuable aspects of the solution. The auto-manage primarily reacts and has to do all the little things like putting in the ACL, etc. 

What needs improvement?

The solution could be faster in detecting threats.

They should work to define more threats, add more security, and make it more compliant with more security companies.

The solution could always be more automated.

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is easily scalable.

How are customer service and technical support?

I have a number for WAF, but I've never used technical support.

Which solution did I use previously and why did I switch?

I previously used a different solution. The complex setup and installation were the main differences between that and WAF. I've worked with system compliance for many years, and it usually involves complex solutions. You have to know the CLF, etc. Cisco, for example, is so complex that you need to know many things. Whereas with WAF, you have to put up your host, your network, and you have the solution up and running.

How was the initial setup?

The initial setup was very straightforward. Deployment took about ten minutes or less. You only need one person to handle deployment and maintenance.

What about the implementation team?

I implemented the solution myself.

What other advice do I have?

We use the public cloud deployment model.

I use everything AWS. I need it to work for me, and it does. I hope that the solution continues to improve, but for me, it's perfect right now.

For those considering implementing the solution, I would advise that they understand how networks work because sometimes they can be quite complex. Many architects do not understand the basic concepts of networking.

I would recommend the solution. I would rate it nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CVO at Megaaisec
Real User
Top 5
Helps to implement response recovery procedures
Pros and Cons
  • "One common use case is using detection protection for enhancing security models in AWS. Another use case is implementing log analysis and response recovery procedures for email services."
  • "I believe there is a need to move towards real-time analysis with the help of AI and intelligent systems in the future. This would reduce the reliance on manual work and enhance the functionality of detection protection. By incorporating AI-driven data analysis and data science techniques, we can improve the solution's user-friendliness, security compatibility, and accuracy."

What is our primary use case?

One common use case is using detection protection for enhancing security models in AWS. Another use case is implementing log analysis and response recovery procedures for email services.

What needs improvement?

I believe there is a need to move towards real-time analysis with the help of AI and intelligent systems in the future. This would reduce the reliance on manual work and enhance the functionality of detection protection. By incorporating AI-driven data analysis and data science techniques, we can improve the solution's user-friendliness, security compatibility, and accuracy.

For how long have I used the solution?

I have been using the solution for almost a decade.

What do I think about the stability of the solution?

AWS WAF is stable. 

What do I think about the scalability of the solution?

The solution is scalable.

How was the initial setup?

The initial setup was easy.

What about the implementation team?

Our in-house engineers implemented the solution. They are already familiar with AWS and hold AWS certifications.

What other advice do I have?

Overall, I rate the solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1940067 - PeerSpot reviewer
Regional Security Team Lead at a computer software company with 1,001-5,000 employees
Real User
Stable web application firewall used to protect against common vulnerabilities with a powerful CDN component
Pros and Cons
  • "The simple configuration and the scalability have been most valuable. We are able to scale across all of our different AWS instances."
  • "This solution could be improved if the configuration steps were more specific to WAF, compared to other cloud services."

What is our primary use case?

We use this solution to protect our web applications against common vulnerabilities. The CDN component is also quite powerful. We use this solution alongside Azure WAF.

What is most valuable?

The simple configuration and the scalability have been most valuable. We are able to scale across all of our different AWS instances.

What needs improvement?

This solution could be improved if the configuration steps were more specific to WAF, compared to other cloud services. 

For how long have I used the solution?

I have been using this solution for two years. 

What do I think about the stability of the solution?

This is a stable solution. We rely on AWS's other cloud services and we've never experienced any stability issues. 

What do I think about the scalability of the solution?

This is a scalable solution. 

How are customer service and support?

Our support experience has been quite good. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

The main reason we switched from using Cloudflare to AWS is to have a native offering because all of our cloud solutions are on AWS. This made it simpler compared to using a third party and easier to reroute traffic.

How was the initial setup?

It depends on your AWS configuration, but what we've experienced is that the rule policy configuration is really straightforward. It took a couple of weeks. 

What about the implementation team?

We had in-house expertise.

What's my experience with pricing, setup cost, and licensing?

We have a medium amount of traffic per month and the cost is in the hundreds rather than in the thousands. I don't know the exact number.

What other advice do I have?

I would advise others to ensure they understand what can be done internally and then what you need expertise for externally. If you have the expertise internally, it can be easily configured. Keep the SIEM configuration as simple as possible, rather than trying to modify and configure too many things.

I would rate this solution an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.