aws_wafv2_web_acl cost estimation
A web application firewall. $5/month per Web ACL, $1/month per rule, plus $0.60 per million inspected requests.
An aws_wafv2_web_acl is a Web Application Firewall protecting CloudFront, ALB, API Gateway, AppSync, or Cognito. Pricing has three components.
Web ACL: $5/month per Web ACL. Charged regardless of association.
Rules: $1/month per rule (custom or AWS-managed). Free tier of 10 rules per Web ACL. Rules above 10 are billed each. AWS Managed Rule Groups have variable rule counts (some include 10+ rules in one group).
Requests inspected: $0.60 per million requests examined. Each rule evaluation against a request counts as one request inspection.
A typical setup with one Web ACL, three rule groups (10 rules each = 30 rules, 20 over free tier), and 10M monthly requests: $5 + ($1 × 20) + ($0.60 × 10) = $31/month.
Bot Control: optional managed rule group with significantly higher per-request charges ($1.00 per million). Right for high-value targets where automated bot traffic is a real concern.
Captcha challenges: $0.40 per challenge. Used by Bot Control to verify suspicious traffic.
CloudFront WAF is regional (us-east-1 only); ALB/API Gateway WAF is per-region. A multi-region application needs multiple Web ACLs.
c3x reads the Web ACL and its rule references. Request volume is usage-based via c3x-usage.yml.
Terraform example
A minimal but realistic configuration that C3X can estimate.
```hcl
resource "aws_wafv2_web_acl" "api" {
  name        = "api-protection"
  description = "WAF for production API"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-protection"
    sampled_requests_enabled   = true
  }
}
```
Pricing dimensions
What you actually pay for when you provision aws_wafv2_web_acl.
| Dimension | Unit | What's being charged |
|---|---|---|
| Web ACL | per ACL per month | Flat fee for each Web ACL. $5/month |
| Rules | per rule per month | First 10 rules per Web ACL are free. Additional rules billed each. $1/month per rule beyond first 10 |
| Request inspections | per 1M requests | Each request evaluated against rules. $0.60/1M requests |
| Bot Control inspections | per 1M requests | Higher rate when Bot Control managed rule group is active. $1.00/1M requests |
| Captcha challenges | per challenge | Right for suspicious traffic verification. Free during Bot Control evaluation. $0.40 per challenge |
Optimization tips
Common ways to reduce aws_wafv2_web_acl cost without changing the workload.
Use AWS Managed Rule Groups instead of many custom rules
$1/month per rule consolidated
A managed rule group counts as one rule for pricing but evaluates many internal rules. Right for common attack patterns (OWASP Top 10).
Skip Bot Control unless you have a bot problem
$0.40/M requests inspected
Bot Control is $1.00/M requests on top of base $0.60. For high-traffic APIs, this doubles request fees. Only enable when bot traffic is genuinely costly.
Consolidate Web ACLs across applications
$5/month per consolidated ACL
Each Web ACL is $5/month + per-rule fees. Multiple small applications can share one Web ACL with different listener associations.
Use CloudFront WAF for global apps
Workload-dependent
CloudFront WAF inspects requests at edge locations, often filtering bad traffic before it hits origin. For globally-distributed apps, edge WAF can be cheaper than per-region ALB WAF.
FAQ
Why is WAF more expensive than I expect?
Three usual causes: too many rules above the free 10 (each $1/month), Bot Control enabled when not needed ($0.40/M extra), and multiple Web ACLs when one would suffice ($5/month each). Audit your setup.
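The pricing model from the top of this page and the three causes in this answer, as an added example (not C3X code and not part of the original page): a Python sketch that computes monthly line items from the rates stated here and flags those causes across an inventory. The `WebAcl` record and the sample inventory are hypothetical.

```python
from dataclasses import dataclass

# Rates as stated on this page (USD); not fetched from AWS.
ACL_FEE = 5.00          # per Web ACL per month
RULE_FEE = 1.00         # per rule per month beyond the free rules
FREE_RULES = 10         # free rules per Web ACL
REQUEST_FEE = 0.60      # per 1M inspected requests
BOT_CONTROL_FEE = 1.00  # per 1M requests, on top of REQUEST_FEE
CAPTCHA_FEE = 0.40      # per challenge


@dataclass
class WebAcl:
    """Hypothetical inventory record for one Web ACL."""
    name: str
    rules: int
    monthly_requests_m: float  # millions of requests per month
    bot_control: bool = False
    captcha_challenges: int = 0


def estimate(acl: WebAcl) -> dict:
    """Return monthly line items for one Web ACL using the page's model."""
    items = {
        "web_acl": ACL_FEE,
        "rules": RULE_FEE * max(0, acl.rules - FREE_RULES),
        "requests": REQUEST_FEE * acl.monthly_requests_m,
        "bot_control": BOT_CONTROL_FEE * acl.monthly_requests_m if acl.bot_control else 0.0,
        "captcha": CAPTCHA_FEE * acl.captcha_challenges,
    }
    items["total"] = round(sum(items.values()), 2)
    return items


def audit(acls: list[WebAcl]) -> list[str]:
    """Flag the three usual cost causes listed in the FAQ answer."""
    findings = []
    for acl in acls:
        over = acl.rules - FREE_RULES
        if over > 0:
            findings.append(f"{acl.name}: {over} rules above the free {FREE_RULES}")
        if acl.bot_control:
            findings.append(f"{acl.name}: Bot Control enabled")
    if len(acls) > 1:
        findings.append(f"{len(acls)} Web ACLs: check whether one would suffice")
    return findings


# Constructed sample inventory; "api" matches the page's worked example.
SAMPLE = [WebAcl("api", rules=30, monthly_requests_m=10),
          WebAcl("admin", rules=4, monthly_requests_m=1, bot_control=True)]
```

`estimate(SAMPLE[0])` reproduces the $31/month worked example; a finding from `audit` is a prompt to review, not a recommendation to remove protection.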
How does c3x estimate WAF cost?
Web ACL base fee and rule fees are estimated directly. Request inspections are usage-based; specify monthly_requests on the WAF resource in c3x-usage.yml.
What about WAF Classic (aws_wafregional_web_acl)?
WAF Classic is deprecated. New deployments should use WAFv2 (aws_wafv2_web_acl). Classic still works but lacks the managed rule groups and most modern features.
Are CloudWatch metrics for WAF free?
WAF includes basic CloudWatch metrics for free. Detailed sampled requests visualization is also free. Custom metric publishing or extended retention via Logs would add charges.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_wafv2_web_acl.