aws_fms_policy cost estimation

A Firewall Manager policy that centrally manages WAF/Shield/security-group rules across accounts, billed ~$100/policy/region/month — plus the resources it deploys.

An aws_fms_policy centrally manages and enforces security configurations — WAF rule groups, Shield Advanced protections, security-group rules, Network Firewall, DNS Firewall — across all accounts in an AWS Organization. Cost is ~$100 per policy per region per month for the Firewall Manager management itself, on top of the cost of whatever the policy deploys (the WAF ACLs, Network Firewall endpoints, etc., bill on their own meters).

So Firewall Manager has two cost layers: the per-policy management fee (~$100/policy/region) and the underlying security resources it rolls out organization-wide. The management fee is the FMS-specific cost; for an org running several policies across multiple regions, those $100 fees add up before the cost of the protected resources is counted.

Firewall Manager makes sense for organizations needing centralized, automatically-enforced security posture across many accounts — the $100/policy is justified by not manually configuring WAF/firewalls per account. For a single account or a couple of resources, configuring WAF/Network Firewall directly is cheaper than the FMS management fee.

C3X prices the policy at the per-policy management fee; the resources it deploys are priced on their own.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_fms_policy" "waf" {
  name                  = "org-waf-policy"
  exclude_resource_tags = false
  remediation_enabled   = true
  resource_type         = "AWS::ElasticLoadBalancingV2::LoadBalancer"

  security_service_policy_data {
    type = "WAFV2"
    # managed_service_data with rule groups ...
  }
}

Pricing dimensions

What you actually pay for when you provision aws_fms_policy.

| Dimension | Unit | Rate | What's being charged |
|---|---|---|---|
| Firewall Manager policy | per region-month | ~$100/policy/region/month | ~$100 per policy per region per month for FMS management, on top of the resources the policy deploys. |
| Deployed resources | various | | The WAF ACLs, Network Firewall endpoints, Shield Advanced, etc. that the policy rolls out bill on their own meters. |

Sample C3X output

One Firewall Manager policy in one region (management fee only):

aws_fms_policy.waf
└─ Firewall Manager policy   1 region-month   $100.00
                             Monthly          $100.00

Optimization tips

Common ways to reduce aws_fms_policy cost without changing the workload.

Use FMS only for multi-account organizations

$100/policy/region when FMS isn't needed

The ~$100/policy/region fee is justified when centrally enforcing security across many accounts. For a single account or a couple of resources, configure WAF/Network Firewall directly — it's cheaper than the FMS management fee.

Consolidate policies and regions

$100/month per avoided policy-region

Each policy in each region is ~$100/month. Consolidate overlapping policies and deploy to only the regions you operate in rather than all of them.
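The policy-region count behind this tip, as an added example (not C3X's code or output): it walks the `planned_values` tree of parsed `terraform show -json` plans, counts every `aws_fms_policy` including those in child modules, and groups them to surface consolidation candidates. The one-plan-per-region input, the overlap heuristic (same service type and resource type in one region) and the sample resource addresses are assumptions.

```python
from collections import defaultdict

FEE = 100.00  # ~USD per policy per region per month, the figure quoted on this page

def fms_policies(module):
    """Yield aws_fms_policy resources from a plan module and its child modules."""
    for res in module.get("resources", []):
        if res.get("type") == "aws_fms_policy":
            yield res
    for child in module.get("child_modules", []):
        yield from fms_policies(child)

def estimate(plans_by_region):
    """plans_by_region maps region -> parsed `terraform show -json` plan (assumed layout)."""
    policy_regions, groups = [], defaultdict(list)
    for region, plan in plans_by_region.items():
        root = plan.get("planned_values", {}).get("root_module", {})
        for res in fms_policies(root):
            values = res.get("values") or {}
            data = (values.get("security_service_policy_data") or [{}])[0]
            policy_regions.append((region, res["address"]))
            # Heuristic (assumption): same service type and resource type in one
            # region marks two policies as candidates for consolidation.
            key = (region, data.get("type"), values.get("resource_type"))
            groups[key].append(res["address"])
    overlaps = {key: addrs for key, addrs in groups.items() if len(addrs) > 1}
    return {
        "monthly_fee": FEE * len(policy_regions),
        "overlaps": overlaps,
        "avoidable_fee": FEE * sum(len(a) - 1 for a in overlaps.values()),
    }

def _policy(address, service, resource_type):
    return {"address": address, "type": "aws_fms_policy",
            "values": {"resource_type": resource_type,
                       "security_service_policy_data": [{"type": service}]}}

ALB = "AWS::ElasticLoadBalancingV2::LoadBalancer"
# Constructed sample plans, trimmed to the fields read above.
SAMPLE = {
    "us-east-1": {"planned_values": {"root_module": {
        "resources": [_policy("aws_fms_policy.waf", "WAFV2", ALB),
                      _policy("aws_fms_policy.sg", "SECURITY_GROUPS_COMMON", "AWS::EC2::Instance"),
                      {"address": "aws_wafv2_web_acl.edge", "type": "aws_wafv2_web_acl", "values": {}}],
        "child_modules": [{"resources": [_policy("module.edge.aws_fms_policy.waf_alb", "WAFV2", ALB)]}]}}},
    "eu-west-1": {"planned_values": {"root_module": {
        "resources": [_policy("aws_fms_policy.waf", "WAFV2", ALB)]}}},
}

if __name__ == "__main__":
    result = estimate(SAMPLE)
    print(result["monthly_fee"], result["avoidable_fee"], result["overlaps"])
```

A flagged group is only a prompt to compare the two policies' rule sets and scope before merging them; matching types do not prove the policies enforce the same thing.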

Account for the deployed resources too

Underlying resource cost

The $100 is just FMS management; the WAF ACLs, Network Firewall endpoints, and Shield it deploys bill separately. Optimize those underlying resources (see the WAF and Network Firewall guides) for the larger cost.

FAQ

How is AWS Firewall Manager billed?

~$100 per policy per region per month for the Firewall Manager management, plus the cost of whatever the policy deploys (WAF ACLs, Network Firewall endpoints, Shield Advanced) on their own meters. With several policies across regions, the fees add up before the cost of the protected resources is counted.

Is Firewall Manager worth the $100/policy fee?

For multi-account organizations needing centralized, automatically-enforced security posture, yes — it saves configuring WAF/firewalls per account manually. For a single account or a few resources, configuring those services directly is cheaper.

How does C3X estimate the cost?

It prices the per-policy management fee. The resources the policy deploys (WAF, Network Firewall, etc.) are priced on their own, so add them for the full Firewall Manager cost.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_fms_policy.