AWS WAF Pricing
AWS WAF Pricing
AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments. AWS WAF charges are in addition to Amazon CloudFront pricing, AWS Cognito pricing, Application Load Balancer (ALB) pricing, Amazon API Gateway pricing, AWS AppSync pricing billed by Amazon CloudWatch based on WAF specific Vended Logs pricing. The per GB rate for WAF-specific vended logs pricing matches the CloudWatch Vended Logs pricing per region. WAF logs specific charges will show under the VendedLog-Bytes-WAFlogs (for CW-Standard), S3-Egress-Bytes-WAFLogs (for S3), and VendedLogIA-Bytes-WAFlogs (for CW-IA) usage types.
AWS Pricing Calculator
Calculate your AWS WAF and architecture cost in a single estimate.
Pricing components
-
AWS WAF
-
Bot Control
-
Fraud Control
-
DDoS protection
-
AWS WAF
-
You will be charged for each web ACL that you create and each rule that you create per web ACL. In addition, you will be charged for the number of web requests processed by the web ACL. Pricing may vary across AWS Regions. Monthly fees are prorated hourly. Pricing for AWS WAF Classic is the same as shown in the table below.
You will be charged for rules inside rule groups that are created by you. In addition, you will be charged €0.99 per month (prorated hourly) for each rule group or each managed rule group that you add to your web ACL.
* You will be charged an additional €0.1975 per million requests for each 500 WCUs the Web ACL uses beyond the default allocation of 1500. In addition, you will be charged €0.395 per million requests for each additional 16KB analyzed beyond the default body inspection limit. For more information about default limits, see Developer Guide.
AWS WAF supports standard rule actions such as Allow, Block, Count at no additional charge. You will be charged per each CAPTCHA attempt and Challenge response as per the table below.
CAPTCHA attempt is when a user completes a CAPTCHA challenge that is submitted to AWS WAF for analysis, regardless of the outcome. A single CAPTCHA response can result in multiple attempts.
Challenge response is when a user is served a challenge page by AWS WAF as a result of a challenge action, regardless of whether the user attempts the challenge.
-
Bot Control
-
AWS WAF Bot Control are AWS Managed Rules that gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime or other undesired activities. Common Bot Control includes the first 10 million requests per month for free. Targeted Bot Control includes the first 1 million requests per month for free.
The following table lists fees for additional security features that can be enabled on your web ACL. These charges are in addition to the AWS WAF fees listed in the previous table. The cost saving you receive from enabling AWS Shield Advanced resource protection does not apply to security features listed in the following table. Pricing is the same across all AWS Regions. You pay subscription fees (prorated hourly), request fees, and analysis fees where applicable.
CAPTCHA attempt is when a user completes a CAPTCHA challenge that is submitted to AWS WAF for analysis, regardless of the outcome. A single CAPTCHA response can result in multiple attempts.
Challenge response is when a user is served a challenge page by AWS WAF as a result of a challenge action, regardless of whether the user attempts the challenge.
-
Fraud Control
-
AWS WAF Fraud Control are AWS Managed Rules that protects your login and sign-up pages against attacks such as credential stuffing, credential cracking and fake account creation attacks.
AWS WAF Fraud Control consists of Account Takeover Prevention and Account Creation Fraud Prevention. You will be charged a request fee as per the following table for the total requests analyzed by Account Takeover Prevention and Account Creation Fraud Prevention. You also pay a subscription fee of €9.8685755 per month per WebACL for using the AMR.
CAPTCHA attempt is when a user completes a CAPTCHA challenge that is submitted to AWS WAF for analysis, regardless of the outcome. A single CAPTCHA response can result in multiple attempts.
Challenge response is when a user is served a challenge page by AWS WAF as a result of a challenge action, regardless of whether the user attempts the challenge.
-
DDoS protection
-
AWS WAF DDoS Protection offers protection against Layer 7 distributed denial of service attacks. Pricing is shown in the table below.
Pricing examples
-
Case A: No managed rule group and 19 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (19 rules) = €18.81
Request charges = €0.59/million * 10 million = €5.90
Total combined charges = €29.64/month
-
Case B: One rule group containing 5 rules and 9 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (19 rules) = €18.81
Request charges = €0.59/million * 10 million = €5.90
Total combined charges = €29.64/month
-
Case C: One rule group containing 5 rules and 9 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (1 rule group + 5 rules + 9 rules) = €14.85
Request charges = €0.59/million * 10 million = €5.90
Total combined charges = €25.68/month
-
Case D: Bot Control enabled on web ACL and 7 rules written by you
Let’s assume that you have a web application with traffic of 22 million requests per month.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (1 managed rule group + 7 rules) = €7.92
Request charges = €0.59/million * 22 million = €12.98
Total WAF charges = €25.83/monthBot Control subscription charges = €9.87 * 1 = €9.87
Bot Control request charges = €0.99/million * (22 million requests - 10 million free requests) = €11.88
Total Bot Control charges = €21.75/month
Total combined charges = €47.58/month
-
Case E: Common Bot Control with scope down statement enabled on WebACL and 7 rules written by you
Let’s assume that you have a web application with traffic of 20 million requests per month. In addition, let’s assume that you have specified scope down statement to limit traffic inspected by Bot Control, resulting in 50% decrease in traffic evaluated by Bot Control.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (1 managed rule group + 7 rules) = €7.92
Request charges = €0.59/million * 20 million = €11.80
Total WAF charges = €24.65/monthBot Control subscription charges = €9.87 * 1 = €9.87
Bot Control request charges = €0.99/million * (20 million requests * 50% - 10 million free requests) = €0
Total Bot Control charges = €9.87/monthTotal combined charges = €34.52/month
-
Case F: Targeted Bot Control enabled on 3 WebACLs and 21 rules written by you processing 35 million requests
Let’s assume that you have multiple web applications protected by 3 web ACLs with combined traffic of 35 million requests per month.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (3 managed rule group + 21 rules) = €23.76
Request charges = €0.59/million * 35 million = €20.65
Total WAF charges = €49.34/monthBot Control subscription charges = €9.87 * 3 = €29.61
Targeted Bot Control request charges = €9.87/million * (35 million requests - 1 million free requests) = €335.58
Total Bot Control charges = €365.19/monthTotal combined charges = €414.53/month
-
Case G: Web ACL with CAPTCHA enabled and containing 4 rules inspecting 100M requests
Let's assume that you have a web application with 4 rules and traffic of 100 million requests per month.CAPTCHA is enabled for one or more rules that, together, match on 1 million requests per month. Of those requests, 10,000 CAPTCHA challenges are attempted and 1,000 challenges are successful, resulting in 1,000 retry requests. For the remaining requests that match the rules, CAPTCHA challenges are either not attempted or the request is automatically allowed without having to complete a challenge because the user had previously completed a CAPTCHA challenge within the configured bypass time window.
Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (4 rules) = €3.96
Request charges = €0.59/million * (100 million requests + 1,000 retries) = €59.00
CAPTCHA attempts = €0.39/thousand * 10,000 = €3.90
Total combined charges = €71.79/month
-
Case H: Web ACL with 1500 WCUs inspecting 100M and 1M requests with 16KB and 32KB body size, respectively
Let's assume that you have a web ACL with 1500 web capacity units inspecting 100M request with a 16kb body size and 1M requests with a 32kb body size.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (4 rules) = €3.96
Request charges = €0.59/million * (100 million requests) = €59.00
Oversized request handling charges for 32kb body size = €0.89/million * (1 million requests) = €0.89
Total combined charges = €68.78/month
*For WebACLs associated with CloudFront distributions
-
Case I: Web ACL with 2000 WCUs inspecting 100 million requests, with a default request body inspection limit of 16KB
Let’s assume that you have a web ACL with 2000 web capacity units inspecting 100M request with 16KB body size.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (4 rules) = €3.96
Request charges = €0.79/million * (100 million requests) = €79.00Total combined charges = €87.89/month
*For WebACLs associated with CloudFront distributions
-
Case M: Web ACL created using Application Load Balancer’s 1-click experience, which adds 3 managed rule groups, sending 10M requests
Let's assume you used an Application Load Balancer to create a web ACL, inspecting 10M requests.Web ACL charges = €4.93 * 1 = €4.93
Rule charges = €0.99 * (3 managed rule groups) = €2.97
Request charges = €0.59/million * 10 million = €5.90Total combined charges = €13.80/month per 10 million requests
Additional pricing resources
Easily calculate your monthly costs with AWS
Contact AWS specialists to get a personalized quote