AWS WAF Overview
What is AWS WAF?
AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
AWS WAF is also known as AWS Web Application Firewall.
AWS WAF Buyer's Guide
Download the AWS WAF Buyer's Guide including reviews and more. Updated: April 2021
AWS WAF Customers
eVitamins, 9Splay, Senao International
AWS WAF Video
What users are saying about AWS WAF pricing:
- "AWS is not that costly by comparison. They are maybe close to $40 per month. I think it was between $29 or $39."
- "We are kind of doing a POC comparison to see what works best. Pricing-wise, AWS is one of the most attractive ones. It is fairly cheap, and we like the pricing part. We're trying to see what makes more sense operation-wise, license-wise, and pricing-wise."
- "It's quite affordable. It's in the middle."
- "It has a variable pricing scheme."
AWS WAF Reviews
- Highest Rating
- Lowest Rating
- Review Length
Showingreviews based on the current filters.
Principal Engineer at Nineleaps Technology
Real UserTop 5
Aug 9, 2020
Use this product to make it possible to deploy web applications securely
What is our primary use case?There are two things that we primarily use AWS WAF (Amazon Web Services Web Application Firewall) for. One use is within the company. Within the company, the intended use is to deploy our applications. It is like working with the cloud. We can start an application in S3 (Simple Storage Service), and use profiles for access to data. The other use is that most of our clients use a similar infrastructure. They are either using AWS, Azure or maybe Google Cloud Platform (GCP). We deploy this solution for them. Both uses are different. One is for the cloud solutions like AWS, Azure and GCP, and one… more »
Pros and Cons
- "This product supplies options for web security for applications accessing sensitive information."
- "The technical support does not respond to bugs in the coding of the product."
What other advice do I have?On a scale from one to ten where one is the worst and ten is the best, I would rate this product as a seven or an eight. I do not like to give it a solid rating as of now because we are still in the process of implementing it. Once we have completed the implementation, we will be able to give you a proper answer. As recent as two weeks we were still considering ManageEngine, but we did finally decide in our comparisons that it cannot provide all of the features that we are looking for.
Cloud security Consultant at 8KMiles
Jul 9, 2020
Stable and scalable with a free-to-use version
What is our primary use case?A primary use case example is when a customer from the cloud wants to expose his applications to the internet. We make sure that the clients, the applications, whatever they're trying to export, are public but that it's not going directly public. We make a backup, for instance, to protect the sellers and applications from security checks, etc.
Pros and Cons
- "AWS has flexibility in terms of WAF rules."
- "When users choose the free service, there isn't great support available to them."
What other advice do I have?We're using the latest version of the solution. When customers tend to use multi-cloud vendors and multi-cloud environments, they want solid security protection. That's where the third party comes into the purchase. If any customer is specific to some cloud like AWS or Azure, we won't recommend third party. We'll try to use AWS's own specific services so that it's smarter cost-wise and flexibility wise, so it adds value to the customer. However, when things go to a multi-cloud environment or a hybrid cloud architecture, that's when the third party comes into the picture. I would recommend this…
Learn what your peers think about AWS WAF. Get advice and tips from experienced pros sharing their opinions. Updated: April 2021.
474,857 professionals have used our research since 2012.
Physical Designer at Semtech Corporation
Real UserTop 5
Nov 13, 2020
Does what it is supposed to do, probably not in the best way and not in the best UI
What is our primary use case?The regular use case is basically for blocking or giving access to different vendors to different domains. We also use it for managing and identifying the attacks and new rules that we should implement for our public domains to tune up the application firewall or tool, whatever makes more sense for us. We're using it through the web console and API. We're just using the managed service.
Pros and Cons
- "The access instruction feature is the most valuable. This is what we use the most."
- "It is sometimes a lot of work going through the rules and making sure you have everything covered for a use case. It is just the way rules are set and maintained in this solution. Some UI changes will probably be helpful. It is not easy to find the documentation of new features. Documentation not being updated is a common problem with all services, including this one. You have different versions of the console, and the options shown in the documentation are not there. For a new feature, there is probably an announcement about being released, but when it comes out, there is no actual documentation about how to use it. This makes you either go to technical support or community, which probably doesn't have an idea either. The documentation on the cloud should be the latest one. Finding information about a specific event can be a bit challenging. For this solution, not much documentation is available in the community. It could be because it is a new tool. Whenever there is an issue, it is just not that simple to resolve, especially if you don't have premium support. You have pretty much nowhere to look around, and you just need to poke around to try and make it work right."
What other advice do I have?I won't recommend it at the moment because I don't have a full picture to recommend it or say that it is bad or good. I'll probably just keep testing and go with it for probably another six months or a year, and then I can probably recommend it or not. Other vendors are also providing solutions for D-DOS protection and WAF. It would be nice to see something outside the box for AWS WAF to make it compete with other vendors. I would rate AWS WAF a seven out of ten. It does what it is supposed to do, probably not in the best way and not in the best UI, but it works. We like the pricing part, but…
Head of Digital Product Office at a energy/utilities company with 10,001+ employees
Sep 8, 2019
An excellent solution that's extremely scalable, very stable, and has great AI functionality
What is our primary use case?We primarily use the solution for its rich insights to improve customer experience.
Pros and Cons
- "The ability to take multiple data sets and match those data sets together is the solution's most valuable feature. The data lake that comes with it is very useful because that allows us to match data sets with different configurations that we wouldn't normally be able to match."
- "The solution is cloud-based, and therefore the billing model that comes with it could be more intuitive, in my opinion. It's very easy to not fully understand how you tag things for billing and then you can quite easily run up a high bill without realizing it. The solution needs to be more intuitive around the tagging system, which enables the billing. Right now, I have a cloud architect that does that on our behalf and it isn't something that a business user could use because it still requires quite a lot of technical knowledge to do effectively."
What other advice do I have?We use the public cloud deployment model. We use the Amazon cloud. From a technology perspective, Amazon is very simple. It requires, in order for it to run effectively, quite a mature cloud-based culture within your organization, however. My advice to others would be to get their operating model internally right before going ahead with the implementation. I would rate the solution nine out of ten.
Manager, IT Infrastructure & Information Security at flyadeal
Dec 9, 2019
Provides good OWASP top 10 protection but needs improvement in security efficiency related to bad bots
What is our primary use case?I'm a manager and in charge of IT infrastructure and information security for an airline company. We're a customer of AWS WAF. We use the product to protect the websites that our customers access to book flights. It provides the sites with DDoS protection and OWASP top 10 application security.
Pros and Cons
- "The security firewall plus the features that protect against database injections or scripting,"
- "For now, there is no feature to protect against attack of the bad bots"
What other advice do I have?The main difference with other similar products is the security efficiency against the type of attacks because normally Amazon works with certain types of attacks and is unable to deal with most of the more sophisticated new attacks that are now the market. So if you compare AWS WAF to the leaders in the field like Imperva, Akamai or radware, they are still beyond these products. I would recommend that if you don't have a critical heavy use website, and you have a simple business that doesn't require high protection or high-security efficiency, go with this product, but if you have something…
AWS Security Specialist at a tech services company with 501-1,000 employees
Mar 18, 2021
Easy to scale, flexible, quite efficient, and the geo-restriction capabilities are helpful
What is our primary use case?We use this solution for online web applications.
Pros and Cons
- "The most valuable features are the geo-restriction denials and the web ACL."
- "On the UI side, I would like it if they could bring back the geolocation view on the corner."
What other advice do I have?The product does not require any maintenance. You need to ensure how you consider your rules. You have to make sure that all of your considerations for your protection are done really well. Do regular updates to improve on the different threats and intrusion. I would recommend the product because it is very flexible and you are able to use it with multiple services within AWS. I would rate AWS WAF a solid ten out of ten.
President at a tech services company with 1-10 employees
Real UserTop 10
Sep 14, 2020
It is a scalable, stable solution but needs simpler setup and pricing schemes.
What is our primary use case?My whole business is cloud cost management. What I do is help people manage expenses. That encompasses everything from cleaning up software as a service subscriptions to optimizing AWS. My use cases for AWS WAF have to do with cloud research only.
Pros and Cons
- "Its best feature is that it is on the cloud and does not require local hardware resources."
- "The pricing model is complicated."
- "The setup is complicated."
What other advice do I have?On a scale of one to ten where one is the worst and ten is the best, I would rate this product as a seven-out-of-ten. A change in the pricing structure that favors the client and simplification is something they would have to do to improve to make that score closer to a ten.
Advisory and IT Transformation Consultant at Services dot cloud
Sep 5, 2019
A straightforward setup with a quick deployment with good auto-management features
What is our primary use case?The primary use of the solution is for perimeter security. I use it to secure my application and infrastructure.
Pros and Cons
- "The initial setup was very straightforward. Deployment took about ten minutes or less."
- "They should work to define more threats, add more security, and make it more compliant with more security companies."
What other advice do I have?We use the public cloud deployment model. I use everything AWS. I need it to work for me, and it does. I hope that the solution continues to improve, but for me, it's perfect right now. For those considering implementing the solution, I would advise that they understand how networks work because sometimes they can be quite complex. Many architects do not understand the basic concepts of networking. I would recommend the solution. I would rate it nine out of ten.
See 2 more AWS WAF Reviews
Product CategoriesWeb Application Firewall (WAF)
Download our free AWS WAF Report and get advice and tips from experienced pros sharing their opinions.
- Which lesser known firewall product has the best chance at unseating the market leaders?
- What do you recommend for a securing Web Application?
- What's right for me? Fortinet or Citrix?
- How does a WAF help to protect against DDoS attacks?
- Which Web Application Firewall (WAF) would you recommend? R&S or Imperva?
- What is a Bot Manager? How does it differ from WAF?
- F5 Silverline vs Imperva on Gartner Magic Quadrant: Why is F5 regressing while Imperva consolidates its leading position?