AWS WAF Pricing
AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments. AWS WAF charges are in addition to Amazon CloudFront pricing, AWS Cognito pricing, Application Load Balancer (ALB) pricing, Amazon API Gateway pricing, or AWS AppSync pricing.
Pricing components
AWS WAF
You will be charged for each web ACL that you create and each rule that you create per web ACL. In addition, you will be charged for the number of web requests processed by the web ACL. Pricing may vary across AWS Regions. Monthly fees are prorated hourly. Pricing for AWS WAF Classic is the same as shown in the table below.
You will be charged for rules inside rule groups that are created by you. In addition, you will be charged $1.00 per month (prorated hourly) for each rule group or each managed rule group that you add to your web ACL.
* You will be charged an additional $0.20 per million requests for each 500 WCUs the Web ACL uses beyond the default allocation of 1500. In addition, you will be charged $0.30 per million requests for each additional 16KB analyzed beyond the default body inspection limit. For more information about default limits, see Developer Guide.
AWS WAF supports standard rule actions such as Allow, Block, and Count at no additional charge. You will be charged for each CAPTCHA attempt and Challenge response as per the table below.
CAPTCHA attempt is when a user completes a CAPTCHA challenge that is submitted to AWS WAF for analysis, regardless of the outcome. A single CAPTCHA response can result in multiple attempts.
Challenge response is when a user is served a challenge page by AWS WAF as a result of a challenge action, regardless of whether the user attempts the challenge.
Bot Control
AWS WAF Bot Control is a set of AWS Managed Rules that give you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime, or cause other undesired activities. Common Bot Control includes the first 10 million requests per month for free. Targeted Bot Control includes the first 1 million requests per month for free.
The following table lists fees for additional security features that can be enabled on your web ACL. These charges are in addition to the AWS WAF fees listed in the previous table. The cost saving you receive from enabling AWS Shield Advanced resource protection does not apply to security features listed in the following table. Pricing is the same across all AWS Regions. You pay subscription fees (prorated hourly), request fees, and analysis fees where applicable.
Fraud Control
AWS WAF Fraud Control is a set of AWS Managed Rules that protect your login and sign-up pages against attacks such as credential stuffing, credential cracking, and fake account creation.
AWS WAF Fraud Control consists of Account Takeover Prevention and Account Creation Fraud Prevention. You will be charged a request fee as per the following table for the total requests analyzed by Account Takeover Prevention and Account Creation Fraud Prevention. You also pay a subscription fee of $10 per month per WebACL for using the AMR.
Managed rule groups from AWS Marketplace
When you subscribe to a managed rule group provided by an AWS Marketplace seller, you will be charged additional fees based on the price set by the seller. These charges are in addition to the AWS WAF fees described earlier.
Pricing examples
Case A: No managed rule group and 19 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (19 rules) = $19.00
Request charges = $0.60/million * 10 million = $6.00
Total combined charges = $30.00/month
Case B: One managed rule group from AWS Marketplace seller and 9 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month. In addition, let’s assume that the seller sets the price of its managed rule group at $20.00 per month (prorated hourly) and $1.20 per 1 million requests seen and processed by the managed rule group.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 9 rules) = $10.00
Request charges = $0.60/million * 10 million = $6.00
Total AWS WAF charges = $21.00/month
Managed rule group charges = $20.00
Managed rule group request charges = $1.20/million * 10 million = $12.00
Total AWS Marketplace charges = $32.00/month
Total combined charges = $53.00/month
Case C: One rule group containing 5 rules and 9 rules written by you
Let’s assume that you have a web application with traffic of 10 million requests per month.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 rule group + 5 rules + 9 rules) = $15.00
Request charges = $0.60/million * 10 million = $6.00
Total combined charges = $26.00/month
Case D: Bot Control enabled on web ACL and 7 rules written by you
Let’s assume that you have a web application with traffic of 22 million requests per month.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 7 rules) = $8.00
Request charges = $0.60/million * 22 million = $13.20
Total WAF charges = $26.20/month
Bot Control charges = $10.00 * 1 = $10.00
Bot Control request charges = $1.00/million * (22 million requests - 10 million free requests) = $12.00
Total Bot Control charges = $22.00/month
Total combined charges = $48.20/month
Case E: Common Bot Control with scope down statement enabled on WebACL and 7 rules written by you
Let’s assume that you have a web application with traffic of 20 million requests per month. In addition, let’s assume that you have specified a scope-down statement to limit the traffic inspected by Bot Control, resulting in a 50% decrease in traffic evaluated by Bot Control.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 7 rules) = $8.00
Request charges = $0.60/million * 20 million = $12.00
Total WAF charges = $25.00/month
Bot Control charges = $10.00 * 1 = $10.00
Bot Control request charges = $1.00/million * (20 million requests * 50% - 10 million free requests) = $0
Total Bot Control charges = $10.00/month
Total combined charges = $35.00/month
Case F: Targeted Bot Control enabled on 3 WebACLs and 21 rules written by you processing 35 million requests
Let’s assume that you have multiple web applications protected by 3 web ACLs with combined traffic of 35 million requests per month.
Web ACL charges = $5.00 * 3 = $15.00
Rule charges = $1.00 * (3 managed rule groups + 21 rules) = $24.00
Request charges = $0.60/million * 35 million = $21.00
Total WAF charges = $60.00/month
Bot Control charges = $10.00 * 3 = $30.00
Bot Control request charges = $10.00/million * (35 million requests - 1 million free requests) = $340.00
Total Bot Control charges = $370.00/month
Total combined charges = $430.00/month
Case G: Web ACL with CAPTCHA enabled and containing 4 rules inspecting 100M requests
Let's assume that you have a web application with 4 rules and traffic of 100 million requests per month. CAPTCHA is enabled for one or more rules that, together, match on 1 million requests per month. Of those requests, 10,000 CAPTCHA challenges are attempted and 1,000 challenges are successful, resulting in 1,000 retry requests. For the remaining requests that match the rules, CAPTCHA challenges are either not attempted or the request is automatically allowed without having to complete a challenge because the user had previously completed a CAPTCHA challenge within the configured bypass time window.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (4 rules) = $4.00
Request charges = $0.60/million * (100 million requests + 1,000 retries) = $60.00
CAPTCHA attempts = $0.40/thousand * 10,000 = $4.00
Total combined charges = $73.00/month
Case H: Web ACL with 1500 WCUs inspecting 100M and 1M requests with 16KB and 32KB body size, respectively
Let's assume that you have a web ACL with 1500 web capacity units inspecting 100M requests with a 16KB body size and 1M requests with a 32KB body size.
Web ACL charges* = $5.00 * 1 = $5.00
Rule charges = $1.00 * (4 rules) = $4.00
Request charges = $0.60/million * (100 million requests) = $60.00
Oversized request handling charges for 32KB body size = $0.90/million * (1 million requests) = $0.90
Total combined charges = $69.90/month
*For WebACLs associated with CloudFront distributions
Case I: Web ACL with 2000 WCUs inspecting 100 million requests, with a default request body inspection limit of 16KB
Let’s assume that you have a web ACL with 2000 web capacity units inspecting 100M requests with a 16KB body size.
Web ACL charges* = $5.00 * 1 = $5.00
Rule charges = $1.00 * (4 rules) = $4.00
Request charges = $0.80/million * (100 million requests) = $80.00
Total combined charges = $89.00/month
*For WebACLs associated with CloudFront distributions
Case J: Web ACL with account takeover prevention applied on login pages and account creation fraud prevention on registration page, with 3 rules written by you at 1500 WCU and 16KB body inspection, sending 40M requests
Let’s assume you have a web ACL with account takeover prevention and account creation fraud prevention with 1500 web capacity units inspecting 40M requests with a default body inspection limit of 16KB.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 3 rules) = $4.00
Request charges = $0.60/million * 40 million = $24.00
Account Takeover Prevention subscription = $10.00 * 1 = $10.00
Account Creation Fraud Prevention subscription = $10.00 * 1 = $10.00
Fraud Control request charges = ($1000.00/million * 2 million requests) + ($700.00/million * 3 million requests) + ($400.00/million * 10 million requests) + ($200.00/million * 15 million requests) + ($50.00/million * 10 million requests) + 10,000 free requests = $11,600.00
Total Fraud Control charges = $11,620.00
Total combined charges = $11653.00/month
Case K: Web ACL with only account creation fraud prevention on registration page, with 3 rules written by you at 1500 WCU and 16KB body inspection, sending 5M requests
Let’s assume you have a web ACL with account creation fraud prevention with 1500 web capacity units, inspecting 5M requests with a default body inspection limit of 16KB.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 3 rules) = $4.00
Request charges = $0.60/million * 5 million = $3.00
Account Creation Fraud Prevention subscription = $10.00 * 1 = $10.00
Fraud Control request charges = ($1000.00/million * 2 million requests) + ($700.00/million * 3 million requests) + 10,000 free requests = $4100.00
Total Fraud Control charges = $4110.00
Total combined charges = $4122.00/month
Case L: Web ACL with only account takeover prevention applied on sign-in pages, with 3 rules written by you at 1500 WCU and 16KB body inspection, sending 15M requests
Let’s assume you have a web ACL with account takeover prevention with 1500 web capacity units, inspecting 15M requests with a default body inspection limit of 16KB.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (1 managed rule group + 3 rules) = $4.00
Request charges = $0.60/million * 15 million = $9.00
Account Takeover Prevention subscription = $10.00 * 1 = $10.00
Fraud Control request charges = ($1000.00/million * 2 million requests) + ($700.00/million * 3 million requests) + ($400.00/million * 10 million requests) + 10,000 free requests = $8100.00
Total Fraud Control charges = $8110.00
Total combined charges = $8128.00/month
Case M: Web ACL created using Application Load Balancer’s 1-click experience, which adds 3 managed rule groups, sending 10M requests
Let's assume you used an Application Load Balancer to create a web ACL, inspecting 10M requests.
Web ACL charges = $5.00 * 1 = $5.00
Rule charges = $1.00 * (3 managed rule groups) = $3.00
Request charges = $0.60/million * 10 million = $6.00
Total combined charges = $14.00/month per 10 million requests