AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments. AWS WAF charges are in addition to Amazon CloudFront pricing, Application Load Balancer (ALB) pricing, Amazon API Gateway pricing, or AWS AppSync pricing.
AWS WAF
You will be charged for each web ACL that you create and each rule that you create per web ACL. In addition, you will be charged for the number of web requests processed by the web ACL. Pricing is same across all AWS Regions. Monthly fees are prorated hourly. Pricing for AWS WAF Classic is same as shown in the table below.
You will be charged for rules inside rule groups that are created by you. In addition, you will be charged $1.00 per month (prorated hourly) for each rule group or each managed rule group that you add to your web ACL.
Intelligent threat mitigation from AWS WAF
The following table lists fees for optional security features that can be enabled on your web ACL. These charges are in addition to the AWS WAF fees listed in the previous table. The cost saving you receive from enabling AWS Shield Advanced resource protection does not apply to security features listed in the following table. Pricing is the same across all AWS Regions. You pay subscription fee (prorated hourly), request fee, and analysis fee where applicable.
Captcha attempt is when a user completes a Captcha challenge that is submitted to AWS WAF for analysis, regardless of the outcome. A single Captcha response can result in multiple attempts. If the attempt is successful, you will be charged an additional request fee when the original request is automatically retried after the successful attempt.
Challenge response is when a user is served a challenge page by AWS WAF as a result of a challenge action, regardless of whether the user attempts the challenge. If the user makes an attempt and is successful, you will be charged an additional request fee when the original request is automatically retried after the successful attempt.
Login attempt is when a user submits user name and password through your application’s login page.
Free tiers
Bot Control - Common Bot Control free usage tier includes first 10 million requests inspected per month. Targeted Bot Control free usage tier includes first 1 million requests inspected per month.
Fraud Control – Account Takeover Prevention free usage tier includes first 10,000 attempts analyzed per month.
Managed rule groups from AWS Marketplace
When you subscribe to a managed rule group provided by an AWS Marketplace seller, you will be charged additional fees based on the price set by the seller. These charges are in addition to the AWS WAF fees described earlier.
Pricing examples
-
Case A: No managed rule group and 19 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month.Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (19 rules) = $19.00
Request charges = $0.60/million * 10 million = $6.00
Total combined charges = $30.00/month -
Case B: One managed rule group from AWS Marketplace seller and 9 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month. In addition, let’s assume that the seller sets the price of its managed rule group at $20.00 per month (prorated hourly) and $1.20 per 1 million requests seen and processed by the managed rule group.Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 9 rules) = $10.00
Request charges = $0.60/million * 10 million = $6.00
Total AWS WAF charges = $21.00/monthManaged rule group charges = $20.00
Managed rule group request charges = $1.20/million * 10 million = $12.00
Total AWS Marketplace charges = $32.00/monthTotal combined charges = $53.00/month
-
Case C: One rule group containing 5 rules and 9 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month.Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 rule group + 5 rules + 9 rules) = $15.00
Request charges = $0.60/million * 10 million = $6.00
Total combined charges = $26.00/month -
Case D: Bot Control enabled on web ACL and 7 rules written by you
Let’s assume that you have a web application with traffic of 22 million requests per month.Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 7 rules) = $8.00
Request charges = $0.60/million * 22 million = $13.20
Total WAF charges = $26.20/monthBot Control charges = $10.00 * 1 = $10.00
Bot Control request charges = $1.00/million * (22 million requests - 10 million free requests) = $12.00
Total Bot Control charges = $22.00/month
Total combined charges = $48.20/month
-
Case E: Common Bot Control with scope down statement enabled on WebACL and 7 rules written by you
Let’s assume that you have a web application with traffic of 20 million requests per month. In addition, let’s assume that you have specified scope down statement to limit traffic inspected by Bot Control, resulting in 50% decrease in traffic evaluated by Bot Control.Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 7 rules) = $8.00
Request charges = $0.60/million * 20 million = $12.00
Total WAF charges = $25.00/monthBot Control charges = $10.00 * 1 = $10.00
Bot Control request charges = $1.00/million * (20 million requests * 50% - 10 million free requests) = $0
Total Bot Control charges = $10.00/month
Total combined charges = $35.00/month
-
Case F: Targeted Bot Control enabled on 3 WebACLs and 21 rules written by you processing 35 million requests
Let’s assume that you have multiple web applications protected by 3 web ACLs with combined traffic of 35 million requests per month.Web ACL charges = $5.00 * 3 = $15.00
Rule charges = $1.00 * (3 managed rule group + 21 rules) = $24.00
Request charges = $0.60/million * 35 million = $21.00
Total WAF charges = $60.00/monthBot Control charges = $10.00 * 3 = $30.00
Bot Control request charges = $10.00/million * (35 million requests - 1 million free requests) = $340.00
Total Bot Control charges = $370.00/monthTotal combined charges = $430.00/month
-
Case G: One web ACL with Captcha enabled
Let's assume that you have a web application with 4 rules and traffic of 100 million requests per month.Captcha is enabled for one or more rules that, together, match on 1 million requests per month. Of those requests, 10,000 Captcha challenges are attempted and 1,000 challenges are successful, resulting in 1,000 retry requests. For the remaining requests that match the rules, Captcha challenges are either not attempted or the request is automatically allowed without having to complete a challenge because the user had previously completed a Captcha challenge within the configured bypass time window.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (4 rules) = $4.00
Request charges = $0.60/million * (100 million requests + 1,000 retries) = $60.00
Captcha attempts = $0.40/thousand * 10,000 = $4.00Total combined charges = $73.00/month
Additional pricing resources
Easily calculate your monthly costs with AWS
Contact AWS specialists to get a personalized quote
Learn how to get started with AWS WAF