Do we need a WAF and which (AWS WAF, Application Gateway WAF, Cloud Armor)?
Do you have a public form, login, or API? Then yes, a WAF. The cloud-native options are enough for most SMBs, a third-party WAF (Cloudflare, Fastly) only if you need global edge.
Try this first
- 1AWS: put AWS WAF in front of the ALB or CloudFront, with Managed Rules Core Rule Set and Known Bad Inputs. That covers OWASP Top 10 at baseline.
- 2Azure: Application Gateway with WAF v2 or Front Door with WAF. OWASP CRS 3.2 as baseline. Keep Detection mode 2 weeks before Prevention mode.
- 3GCP: Cloud Armor with the OWASP rules. Combine with Identity-Aware Proxy for internal apps.
- 4Bot protection and Layer 7 DDoS aren't always in the baseline. For login forms and payment flows, consider AWS Shield Advanced or Cloudflare.
- 5Run the WAF in count/detect mode first, review false positives, then move to block. Otherwise you'll block legitimate customers on day one.
When to bring us in
If you process payments or patient data, a WAF tuning trajectory with someone who reads OWASP fingerprints is usually worth it.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.