AWS WAF cost explained: the three meters that drive your bill
AWS WAF charges $5/month per Web ACL + $1/month per rule + $0.60 per million requests, plus paid add-ons like Bot Control. Here's how the meters stack and how to keep them down.
Quick answer
AWS WAF costs $5/month per Web ACL + $1/month per rule + $0.60 per million requests inspected. A 10-rule ACL on 50M requests/month is ~$45. The bill grows with request volume and paid managed rule groups (Bot Control adds $10/month plus per-request fees). Cut it by sharing one ACL across resources, pruning rules that never match, and being selective with paid managed groups.
WAF pricing looks cheap rule by rule and then surprises people at the invoice, because it has three independent meters that all move at once: the ACL, the rules, and the request inspections. Understanding which one dominates your bill tells you where to optimize.
The three charges
- Web ACL: $5/month, flat, per ACL. Charged whether or not it inspects a single request.
- Rules: $1/month per rule or managed rule group attached to the ACL. A managed group counts as one rule here, though some carry their own subscription fee.
- Requests: $0.60 per million web requests inspected by the ACL. This is the dimension that scales with traffic.
A worked example
Web ACL: $5.00
10 rules × $1: $10.00
50M requests × $0.60/million: $30.00
Total: $45.00/month
Notice the shape: at 50M requests the per-request fee is already the biggest line. At 500M requests it's $300 and the ACL/rules are a rounding error. Low-traffic sites pay mostly for the ACL and rules; high-traffic sites pay mostly for inspection.
The add-ons that surprise people
The base price assumes plain rules. The paid managed features cost more:
- Bot Control: ~$10/month plus $1 per million requests analyzed — on top of the base request fee.
- Fraud Control / Account Takeover Prevention: per-ACL monthly fee plus per-request analysis.
- CAPTCHA / Challenge: per-attempt charges.
- AWS Marketplace managed rules: third-party rule groups bill their own subscription.
How to keep it down
- Share one Web ACL across resources. An ACL can protect multiple ALBs, CloudFront distributions, and API Gateways. One ACL per resource needlessly multiplies the $5 base and per-rule fees.
- Prune dead rules. Rules that never match still cost $1/month each. Review CloudWatch rule-match metrics and drop the ones that haven't fired.
- Be deliberate with Bot Control. It's valuable on login and checkout paths; applying it to all traffic multiplies the per-request cost for little benefit. Scope it.
- Don't inspect what you don't need to. Scope rules so static-asset or health-check traffic isn't inspected at $0.60/million for no security value.
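To make the three meters concrete, here is an added Python model (not C3X code) that reproduces the worked example above, reports which meter dominates at a given volume, and compares one shared ACL against one ACL per resource and scoped versus unscoped Bot Control. Prices are the ones quoted on this page; the Bot Control figure is the approximate one given above.

```python
from dataclasses import dataclass

# Published list prices quoted on this page (USD). Bot Control is approximate.
ACL_MONTHLY = 5.00              # flat fee per Web ACL
RULE_MONTHLY = 1.00             # per rule or managed rule group attached
REQUEST_PER_MILLION = 0.60      # per million requests inspected
BOT_CONTROL_MONTHLY = 10.00     # Bot Control subscription per ACL (approx.)
BOT_CONTROL_PER_MILLION = 1.00  # Bot Control analysis fee, on top of the base request fee


@dataclass
class WebAcl:
    rules: int                     # rules + managed rule groups (each group counts once)
    monthly_requests: int          # requests the ACL inspects per month
    bot_control_requests: int = 0  # requests Bot Control analyzes; 0 = not attached

    def cost(self) -> dict:
        """Break the monthly bill into the three meters plus optional Bot Control."""
        lines = {
            "web_acl": ACL_MONTHLY,
            "rules": self.rules * RULE_MONTHLY,
            "requests": round(self.monthly_requests / 1e6 * REQUEST_PER_MILLION, 2),
        }
        if self.bot_control_requests:
            lines["bot_control"] = round(
                BOT_CONTROL_MONTHLY + self.bot_control_requests / 1e6 * BOT_CONTROL_PER_MILLION, 2)
        lines["total"] = round(sum(lines.values()), 2)
        return lines


def worked_example() -> dict:
    """The page's 10-rule ACL on 50M requests/month."""
    return WebAcl(rules=10, monthly_requests=50_000_000).cost()


def dominant_meter(acl: WebAcl) -> str:
    """Name of the largest line item, i.e. where optimization effort should go."""
    lines = {k: v for k, v in acl.cost().items() if k != "total"}
    return max(lines, key=lines.get)


def per_resource_vs_shared(resources: int, rules: int, requests_each: int) -> tuple:
    """Monthly cost of one ACL per resource versus a single ACL protecting them all."""
    separate = round(resources * WebAcl(rules, requests_each).cost()["total"], 2)
    shared = WebAcl(rules, resources * requests_each).cost()["total"]
    return separate, shared


def bot_control_line(total_requests: int, bot_scoped_requests: int) -> float:
    """Bot Control charge when scoped to a subset of traffic (e.g. login/checkout)."""
    return WebAcl(10, total_requests, bot_scoped_requests).cost()["bot_control"]
```
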
FAQ
How much does AWS WAF cost?
Three charges add up: $5/month per Web ACL, $1/month per rule (or rule group) in that ACL, and $0.60 per million requests inspected. A typical ACL with 10 rules handling 50M requests/month is $5 + $10 + $30 = $45/month. Managed rule groups and add-ons like Bot Control cost extra.
Why is my WAF bill higher than expected?
Usually request volume or managed rule groups. The $0.60-per-million request fee scales directly with traffic, so a high-traffic site pays mostly for inspection. AWS Managed Rules groups and especially Bot Control ($10/month plus $1 per million requests) and Fraud Control/CAPTCHA add charges on top of the base rules.
Does each WAF rule cost money?
Yes, $1/month per rule or managed rule group attached to a Web ACL. A managed rule group counts as a single rule for this charge regardless of how many internal rules it contains, but it may carry its own subscription fee. Unused or duplicate rules are pure waste.
Is WAF charged per Web ACL or per resource?
Per Web ACL. One ACL associated with several resources (ALBs, CloudFront distributions, API Gateways) is charged once for the ACL and its rules. Creating a separate ACL per resource multiplies the $5 base and the per-rule fees unnecessarily.
How can I reduce AWS WAF costs?
Share one Web ACL across resources instead of one per resource, remove rules that never match, be selective with Bot Control and other paid managed groups, and scope rules so you're not inspecting traffic that doesn't need it. At high traffic, the per-request fee dominates — focus there.
How does C3X estimate WAF cost?
C3X prices an aws_wafv2_web_acl from its base ACL fee and rule count, and treats request inspection as usage-driven — add expected monthly requests in c3x-usage.yml to include the per-million charge.
What to do next
The base WAF cost (ACL + rules) is fixed and easy to forget across many environments. C3X prices every aws_wafv2_web_acl in your Terraform from its rule count, so duplicate or per-resource ACLs show up before they sprawl. Add your request volume to model the per-million fee. The quickstart totals it across your stack in one run.
Try C3X on your own Terraform
Free and open source. No API key required. One command to install, one command to estimate.