AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments. AWS WAF charges are in addition to Amazon CloudFront pricing, Application Load Balancer (ALB) pricing, Amazon API Gateway pricing, or AWS AppSync pricing.
You will be charged for each web ACL that you create and each rule that you create per web ACL. In addition, you will be charged for the number of web requests processed by the web ACL. Pricing is same across all AWS Regions. Monthly fees are prorated hourly. Pricing for AWS WAF Classic is same as shown in the table below.
You will be charged for rules inside rule groups that are created by you. In addition, you will be charged $1.00 per month (prorated hourly) for each rule group or each managed rule group that you add to your web ACL.
Intelligent threat mitigation from AWS WAF
The following table lists fees for optional security features that can be enabled on your web ACL. These charges are in addition to the AWS WAF fees listed in the previous table. The cost saving you receive from enabling AWS Shield Advanced resource protection does not apply to security features listed in the following table. Pricing is the same across all AWS Regions. You pay subscription fee (prorated hourly), request fee, and analysis fee where applicable.
|Subscription fee||Request fee||Analysis fee|
|AWS WAF Bot Control|
|Bot Control||$10.00 per month||$1.00 per million requests inspected||-|
|Captcha||-||-||$0.40 per thousand challenge attempts analyzed|
|AWS WAF Fraud Control|
|Account Takeover Prevention||$10.00 per month||-||$1.00 per thousand login attempts analyzed|
Challenge attempt is when a user completes a Captcha challenge that is submitted to AWS WAF for analysis, regardless of the outcome. A single Captcha response can result in multiple attempts. If the attempt is successful, you will be charged an additional request fee when the original request is automatically retried after the successful attempt.
Login attempt is when a user submits user name and password through your application’s login page.
Bot Control free usage tier includes first 10 million requests inspected per month. Fraud Control – Account Takeover Prevention free usage tier includes first 10,000 attempts analyzed per month.
Managed rule groups from AWS Marketplace
When you subscribe to a managed rule group provided by an AWS Marketplace seller, you will be charged additional fees based on the price set by the seller. These charges are in addition to the AWS WAF fees described earlier.