AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments. AWS WAF charges are in addition to Amazon CloudFront pricing, Application Load Balancer (ALB) pricing, Amazon API Gateway pricing, or AWS AppSync pricing.

AWS WAF

You will be charged for each web ACL that you create and each rule that you create per web ACL. In addition, you will be charged for the number of web requests processed by the web ACL. Pricing is same across all AWS Regions. Monthly fees are prorated hourly. Pricing for AWS WAF Classic is same as shown in the table below.

You will be charged for rules inside rule groups that are created by you. In addition, you will be charged $1.00 per month (prorated hourly) for each rule group or each managed rule group that you add to your web ACL.

Intelligent threat mitigation from AWS WAF

The following table lists fees for optional security features that can be enabled on your web ACL. These charges are in addition to the AWS WAF fees listed in the previous table. The cost saving you receive from enabling AWS Shield Advanced resource protection does not apply to security features listed in the following table. Pricing is the same across all AWS Regions. You pay subscription fee (prorated hourly), request fee, and analysis fee where applicable.

Captcha attempt is when a user completes a Captcha challenge that is submitted to AWS WAF for analysis, regardless of the outcome. A single Captcha response can result in multiple attempts. If the attempt is successful, you will be charged an additional request fee when the original request is automatically retried after the successful attempt.

Challenge response is when a user is served a challenge page by AWS WAF as a result of a challenge action, regardless of whether the user attempts the challenge. If the user makes an attempt and is successful, you will be charged an additional request fee when the original request is automatically retried after the successful attempt.

Login attempt is when a user submits user name and password through your application’s login page.

Free tiers

Bot Control - Common Bot Control free usage tier includes first 10 million requests inspected per month. Targeted Bot Control free usage tier includes first 1 million requests inspected per month.

Fraud Control – Account Takeover Prevention free usage tier includes first 10,000 attempts analyzed per month.

Managed rule groups from AWS Marketplace

When you subscribe to a managed rule group provided by an AWS Marketplace seller, you will be charged additional fees based on the price set by the seller. These charges are in addition to the AWS WAF fees described earlier.

Pricing examples

Additional pricing resources

AWS Pricing Calculator

Easily calculate your monthly costs with AWS

Get pricing assistance

Contact AWS specialists to get a personalized quote

Learn how to get started with AWS WAF

Visit the getting started page
Ready to build?
Get started with AWS WAF
Have more questions?
Contact us