Try our new research platform with insights from 80,000+ expert users
CVO at Megaaisec
Real User
Top 5
Helps to implement response recovery procedures
Pros and Cons
  • "One common use case is using detection protection for enhancing security models in AWS. Another use case is implementing log analysis and response recovery procedures for email services."
  • "I believe there is a need to move towards real-time analysis with the help of AI and intelligent systems in the future. This would reduce the reliance on manual work and enhance the functionality of detection protection. By incorporating AI-driven data analysis and data science techniques, we can improve the solution's user-friendliness, security compatibility, and accuracy."

What is our primary use case?

One common use case is using detection protection for enhancing security models in AWS. Another use case is implementing log analysis and response recovery procedures for email services.

What needs improvement?

I believe there is a need to move towards real-time analysis with the help of AI and intelligent systems in the future. This would reduce the reliance on manual work and enhance the functionality of detection protection. By incorporating AI-driven data analysis and data science techniques, we can improve the solution's user-friendliness, security compatibility, and accuracy.

For how long have I used the solution?

I have been using the solution for almost a decade.

What do I think about the stability of the solution?

AWS WAF is stable. 

Buyer's Guide
AWS WAF
February 2025
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
832,138 professionals have used our research since 2012.

What do I think about the scalability of the solution?

The solution is scalable.

How was the initial setup?

The initial setup was easy.

What about the implementation team?

Our in-house engineers implemented the solution. They are already familiar with AWS and hold AWS certifications.

What other advice do I have?

Overall, I rate the solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1143783 - PeerSpot reviewer
Advisory and IT Transformation Consultant at a tech services company with 10,001+ employees
Real User
Top 20
A straightforward setup with a quick deployment with good auto-management features
Pros and Cons
  • "The initial setup was very straightforward. Deployment took about ten minutes or less."
  • "They should work to define more threats, add more security, and make it more compliant with more security companies."

What is our primary use case?

The primary use of the solution is for perimeter security. I use it to secure my application and infrastructure.

What is most valuable?

Fast deployment and auto-manage are the most valuable aspects of the solution. The auto-manage primarily reacts and has to do all the little things like putting in the ACL, etc. 

What needs improvement?

The solution could be faster in detecting threats.

They should work to define more threats, add more security, and make it more compliant with more security companies.

The solution could always be more automated.

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is easily scalable.

How are customer service and technical support?

I have a number for WAF, but I've never used technical support.

Which solution did I use previously and why did I switch?

I previously used a different solution. The complex setup and installation were the main differences between that and WAF. I've worked with system compliance for many years, and it usually involves complex solutions. You have to know the CLF, etc. Cisco, for example, is so complex that you need to know many things. Whereas with WAF, you have to put up your host, your network, and you have the solution up and running.

How was the initial setup?

The initial setup was very straightforward. Deployment took about ten minutes or less. You only need one person to handle deployment and maintenance.

What about the implementation team?

I implemented the solution myself.

What other advice do I have?

We use the public cloud deployment model.

I use everything AWS. I need it to work for me, and it does. I hope that the solution continues to improve, but for me, it's perfect right now.

For those considering implementing the solution, I would advise that they understand how networks work because sometimes they can be quite complex. Many architects do not understand the basic concepts of networking.

I would recommend the solution. I would rate it nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
AWS WAF
February 2025
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
832,138 professionals have used our research since 2012.
reviewer1399293 - PeerSpot reviewer
Superintendent of Cloud Platforms at a manufacturing company with 1,001-5,000 employees
Real User
Protects public-facing web applications but pricing is expensive
Pros and Cons
  • "We preferred the product based on its cost. AWS WAF is an out-of-the-box solution and integrates with the AWS services that we use. It's natively integrated with AWS."
  • "We have issues with reporting, troubleshooting, and analytics. AWS WAF needs to bring costs down."

What is our primary use case?

We use the product for the protection of our public-facing web applications. 

What is most valuable?

We preferred the product based on its cost. AWS WAF is an out-of-the-box solution and integrates with the AWS services that we use. It's natively integrated with AWS

What needs improvement?

We have issues with reporting, troubleshooting, and analytics. AWS WAF needs to bring costs down. 

For how long have I used the solution?

I have been working with the solution for 18 months. 

What do I think about the stability of the solution?

AWS WAF is stable. 

What do I think about the scalability of the solution?

The solution is scalable. 

How are customer service and support?

We use Amazon enterprise support. It is good but expensive. 

Which solution did I use previously and why did I switch?

We used Cloudflare and Palo Alto before. We chose AWS WAF since it integrates with native services. 

How was the initial setup?

The tool's setup is complex but it is easy after installation. 

What's my experience with pricing, setup cost, and licensing?

I would rate AWS WAF's pricing a seven out of ten. 

What other advice do I have?

I would rate AWS WAF a seven out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Information Security Specialist at a tech services company with 1,001-5,000 employees
Real User
Blocks threats to our external applications and has caught everything so far
Pros and Cons
  • "The most valuable feature is the way it blocks threats to external applications."
  • "In a future release I would like to see automation. There's no interaction between the applications and that makes it tedious. We have to do the preparation all over again for each of our other applications."

What is our primary use case?

It is our web application firewall.

How has it helped my organization?

We do have a lot of external applications which are exposed to the internet and WAF provides protection for them. We haven't seen a decrease in the mean time to respond to threats because it has caught everything.

The solution has also increased staff productivity by as much as 50 percent.

What is most valuable?

The most valuable feature is the way it blocks threats to external applications.

What needs improvement?

In a future release I would like to see automation. There's no interaction between the applications and that makes it tedious. We have to do the preparation all over again for each of our other applications.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We haven't had any problems with the stability at all.

What do I think about the scalability of the solution?

Up to now, the scalability has been good.

How are customer service and technical support?

I haven't had to use technical support yet.

Which solution did I use previously and why did I switch?

Our previous solution was also a WAF but it was not a scalable environment like the cloud is. Everybody is moving to the cloud. We were stuck on an appliance in our data center and we decided to move. We went with this solution because of the stability and quick response.

How was the initial setup?

The setup was a bit complex because our environment is a bit different. It was tough but it was good in the end.

What about the implementation team?

We used a consultant for the deployment and it was a great experience with them.

What's my experience with pricing, setup cost, and licensing?

There are no costs in addition to the standard licensing fees.

What other advice do I have?

My advice is "go for it, use it."

In terms of our security program's maturity, we're just beginning so we are still like a baby. But we are trying to get all the new stuff and improve altogether.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1515378 - PeerSpot reviewer
AWS Security Specialist at a tech services company with 501-1,000 employees
Real User
Easy to scale, flexible, quite efficient, and the geo-restriction capabilities are helpful
Pros and Cons
  • "The most valuable features are the geo-restriction denials and the web ACL."
  • "On the UI side, I would like it if they could bring back the geolocation view on the corner."

What is our primary use case?

We use this solution for online web applications.

What is most valuable?

The most valuable features are the geo-restriction denials and the web ACL.

I enjoy using it because it is very easy.

Also, it's quite efficient.

What needs improvement?

The service itself is fine. On the UI side, I would like it if they could bring back the conditions view which had geo match, IP sets and etc. When using WAF classic you could see this option on the left side of the console. Currently IP sets and regex strings is there but geo match does not seem to be included, not sure if geo matching is still supported.

For how long have I used the solution?

I have been using AWS WAF for almost three years.

We are using the newest version of AWS WAF, which is Version 2.

What do I think about the stability of the solution?

It's a stable solution. I have not experienced any issues.

What do I think about the scalability of the solution?

There are approximately 1,000 people who are using this solution on a daily basis.

It is easy to scale. Just ensure that you cover the relevant resources within it. You can cover multiple resources such as CDN or use them in your AOD.

It's quite scalable.

How are customer service and technical support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

I have always used AWS. It's been the focus for the last three years.

How was the initial setup?

The initial setup was simple.

It took less than an hour to deploy.

What about the implementation team?

The implementation was completed internally.

What's my experience with pricing, setup cost, and licensing?

It's quite affordable. It's in the middle.

Everything is included with the usage that you take up when you implement the service.

What other advice do I have?

The product does not require any maintenance. You need to ensure how you consider your rules. You have to make sure that all of your considerations for your protection are done really well. Do regular updates to improve on the different threats and intrusion.

I would recommend the product because it is very flexible and you are able to use it with multiple services within AWS.

I would rate AWS WAF a solid ten out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user1376373 - PeerSpot reviewer
Cloud security Consultant at 8KMiles
MSP
Stable and scalable with a free-to-use version
Pros and Cons
  • "AWS has flexibility in terms of WAF rules."
  • "When users choose the free service, there isn't great support available to them."

What is our primary use case?

A primary use case example is when a customer from the cloud wants to expose his applications to the internet. We make sure that the clients, the applications, whatever they're trying to export, are public but that it's not going directly public. We make a backup, for instance, to protect the sellers and applications from security checks, etc. 

What is most valuable?

There are two models. One is, you can use the free services which you can download from the AWS website. There is also a paid version, where you can go for individual vendors, like Impala, Fortinet, and different vendors, which helps you to attain the top end web application security. It helps them to update the security patches, etc.

AWS has flexibility in terms of WAF rules. Users can choose from using a free service, which you can do from your own end, or a third-party vendor if you want to as well by choosing a paid version. WAF rules can be managed either by your own self or you can go for a third party.

The best thing with the solution is there is no hard and fast route and when I go for AWS. It's not a monopoly environment.

What needs improvement?

There isn't room for improvement per se. the cloud is constantly evolving and changing however, so we'll see what the future brings.

When users choose the free service, there isn't great support available to them. This is because, when it comes to any issues, due to the fact that it says that when the rules are defined by the users, it becomes their responsibility. When there are any problems or threats, which don't get mitigated or the threat is not being properly managed, since the rules are owned by the user, they take responsibility for everything. It would be helpful if AWS could take a bit of responsibility here and help users understand where things went wrong.

Support wise, I don't think they are that good compared to individual vendors. When it comes to vendors, it becomes their product, and being a product owner, they take more responsibility and ownership of issues. AWS doesn't do that at all.

For how long have I used the solution?

I've been using the solution for two and a half years.

What do I think about the stability of the solution?

The solution is quite stable. We haven't run into bugs or glitches. It's reliable. You don't see any downtime.

What do I think about the scalability of the solution?

Since we're talking more about the cloud version of the web application firewall, it's highly scalable. When I say scaling, there is a concept called auto-scaling wherein which you can scale up and scale down according to your amount of traffic load. It's automated, so it's highly scalable, actually.

While any company can use AWS, we see a lot of medium-sized firms using this particular solution, as opposed to larger companies, as those have already their own vendors which are already in the on-premises data centers environment.

How are customer service and technical support?

I would say from the support point of view, there should be more flexibility when it comes to when users have issues to be able to ask for their help. They need to try to go the extra mile and right now they just aren't doing that.

Which solution did I use previously and why did I switch?

We've only used AWS for a few customers. Usually, we recommend a different solution. However, it depends on the client and the type of budget that they have. As one version of AWS is free, sometimes that is the only option.

How was the initial setup?

The initial setup is not difficult. It's very straightforward.

Deployment is pretty quick and might take up to one and a half hours at most.

You don't need too many people for maintenance. If they are knowledgable enough, a single person can handle it with no problems. They're even able to do some scripting language to handle the deployment and can set up some automation protocols as well.

When it comes to maintenance, the real challenge comes into play for mitigation. You might need maybe we need four to five people, at a large organization.

What's my experience with pricing, setup cost, and licensing?

There are two versions of the solution available, one of which is free, which is the version we use, so we don't pay for anything.

What other advice do I have?

We're using the latest version of the solution.

When customers tend to use multi-cloud vendors and multi-cloud environments, they want solid security protection. That's where the third party comes into the purchase. If any customer is specific to some cloud like AWS or Azure, we won't recommend third party. We'll try to use AWS's own specific services so that it's smarter cost-wise and flexibility wise, so it adds value to the customer.

However, when things go to a multi-cloud environment or a hybrid cloud architecture, that's when the third party comes into the picture. 

I would recommend this solution to companies who are looking for cloud solutions with firewall flexibility. AWS is very user-friendly and largely inexpensive, however, if an organization has the budget, there are lots of great products out there that do largely the same thing.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1530864 - PeerSpot reviewer
Engineer at a renewables & environment company with 501-1,000 employees
Real User
Top 5
A basic WAF with limited controls, but cheap and better than having no WAF in place.
Pros and Cons
  • "As a basic WAF, it's better than nothing. So if you need something simple out of the box with default features, AWS WAF is good."
  • "We don't have much control over blocking, because the WAF is managed by AWS."

What is our primary use case?

At the moment, it's just myself working with AWS WAF in my company, and our use case for it is normal, or what you would expect from a Web Application Firewall. That includes basic DoS blocking and malicious IP address blocking. It's not a big thing for us, and just takes care of our baseline security.

What is most valuable?

As a basic WAF, it's better than having nothing. So if you need something simple out of the box with default features, AWS WAF is good.

What needs improvement?

I think there's a lot wrong with AWS WAF. Here are the two main areas where I think it could be improved:

Blocking: We don't have much control over blocking, because the WAF is managed by AWS. What happens is that they will put down the rules on their side and we don't have proper visibility on that. So we'll have to track down the issues and see what is wrong or not. For example, with IP address blocking, it's difficult to find out which IPs are getting blocked. If we managed our own WAF completely, we wouldn't have this kind of problem. Right now, this aspect is half managed by us, and half managed by AWS. Because of this, I think it would be far more helpful to us if we went for our own tool instead.

Automation: As in, a lot of separate blocks if something goes wrong. For example, every company will have their own rules for automation, in terms of their goals for the product. Like, "I want my WAF to do this. I want my WAF to do that." But that's the kind of thing that I think we will only see when we do some POCs with our clients. 

For how long have I used the solution?

I have been working with AWS WAF for around one year now. 

What do I think about the stability of the solution?

The performance has been good, even though it could be better. At any rate, the WAF has not caused any lag on our side.

What do I think about the scalability of the solution?

It is scalable in my experience, but the lack of features doesn't take it very far in terms of actual usage. Eventually, customers will move away from it. If there's no one interested in managing the WAF, that's fine, then customers may keep using it. But for us, we are not planning to scale it out further.

How are customer service and support?

AWS technical support is good.

How would you rate customer service and support?

Neutral

How was the initial setup?

The setup is easy and nothing serious. You don't have to do a lot to get set up with it. Compared to other WAFs out there, I think AWS WAF is very simple, especially since most of it is managed by AWS.

What about the implementation team?

We haven't needed anyone from AWS to help us with the deployment or implementation. It's all me at this point.

What's my experience with pricing, setup cost, and licensing?

It's less cost and easy to setup

Which other solutions did I evaluate?

There are multiple other options which we could have gone for, but it depends on the budget, typically. I am especially interested in a WAF which has serious support for automation and more complex configuration options.

What other advice do I have?

For people who don't have any WAF currently, and who just need something basic, it's not a bad idea to go with AWS WAF for starters. But if you are someone who is looking for a fully-fledged and self-managed WAF, you should look elsewhere for a better tool. You should certainly not stick with AWS WAF if you are serious about managing your security and mitigating your risks.

Overall, I would recommend AWS WAF to others, but only under the conditions I have mentioned. If you have the budget and the resources, however, go for something else.

I would rate AWS WAF a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Jefe subdepartamento Operaciones at a government with 10,001+ employees
Real User
Reasonably priced, stable, and offers excellent performance
Pros and Cons
  • "Their technical support has been quite good."
  • "We haven't faced any problems with the solution."

What is our primary use case?

I primarily use the solution as a gateway service and a transaction portal. 

What is most valuable?

We haven't had any issues with the solution so far.

The pricing of the product is very good. They make it very reasonable and it's very easy to afford.

Their technical support has been quite good.

The performance is excellent. It's reliable.

We've found the solution to be quite stable.

What needs improvement?

We haven't faced any problems with the solution. I can't speak to any missing features. Every aspect of it has been quite good.

For how long have I used the solution?

I've been using the solution for a while.

What do I think about the stability of the solution?

The stability has been very good. We've enjoyed a very reliable performance. There are no bugs or glitches. It doesn't crash or freeze. It's been good.

How are customer service and technical support?

Technical support has been quite good. We've found them helpful and responsive. We are quite satisfied with the level of support that is provided to us.

What's my experience with pricing, setup cost, and licensing?

The solution is very reasonably priced. 

What other advice do I have?

I'm just a customer and an end-user. I don't have a business relationship or partnership with AWS.

I have pretty good experience in AWS. I have a certificate in AWS.

I'd rate the solution at a ten out of ten. We've been extremely satisfied with the solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free AWS WAF Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2025
Buyer's Guide
Download our free AWS WAF Report and get advice and tips from experienced pros sharing their opinions.