AWS WAF protects web applications from common exploits like SQL injection, cross-site scripting, and bot traffic. The pricing model combines fixed monthly charges for Web ACLs and rules with per-request inspection fees. Costs can escalate quickly when adding managed rule groups, Bot Control, and Fraud Control, making it important to plan your WAF configuration carefully.
TL;DR: WAF costs $5.00/month per Web ACL, $1.00/month per rule, and $0.60 per million requests inspected. Bot Control adds $10/month plus $1.00/million requests. A typical setup with one Web ACL, 10 rules, and 50 million requests/month costs $45.00. Shield Standard (DDoS protection) is free. Shield Advanced costs $3,000/month with a 1-year commitment.
Core WAF Pricing
| Component | Price |
|---|---|
| Web ACL | $5.00/month |
| Rule | $1.00/month per rule |
| Request Inspection | $0.60/million requests |
What Counts as a Rule?
Each individual rule within a Web ACL counts toward the per-rule charge. A rule can be a simple IP set match, a rate-based rule, or a complex rule with multiple conditions. Rule groups (including managed rule groups) count as a single rule for billing, regardless of how many individual rules they contain internally.
For a standard web application setup:
| Component | Quantity | Monthly Cost |
|---|---|---|
| Web ACL | 1 | $5.00 |
| Custom Rules | 5 | $5.00 |
| AWS Managed Rule Groups | 3 | $3.00 |
| Request Inspection (50M requests) | 50M | $30.00 |
| Total | | $43.00 |
Managed Rule Group Pricing
| Rule Group | Monthly Fee | Per-Request Fee |
|---|---|---|
| AWS Core Rule Set (CRS) | $0 (free) | Included in standard request pricing |
| AWS Known Bad Inputs | $0 (free) | Included |
| AWS SQL Injection | $0 (free) | Included |
| AWS IP Reputation | $0 (free) | Included |
| Marketplace Rule Groups | $5-50/month (varies by vendor) | $0-2.00/million (varies) |
AWS provides several managed rule groups at no additional cost beyond the standard $1.00/rule-group/month charge. Third-party rule groups from AWS Marketplace add vendor-specific fees on top of the base rule charge.
Bot Control Pricing
| Component | Price |
|---|---|
| Bot Control (Common) | $10.00/month |
| Common Bot Inspection | $1.00/million requests |
| Bot Control (Targeted) | $10.00/month |
| Targeted Bot Inspection | $10.00/million requests |
Common vs Targeted Bot Control
Common Bot Control identifies and categorizes bot traffic (search engines, scrapers, monitoring bots) at $1.00/million requests. Targeted Bot Control adds advanced detection for sophisticated bots that mimic human behavior, at $10.00/million requests.
For a site receiving 100 million requests/month where 40% is bot traffic:
| Configuration | Monthly Cost |
|---|---|
| Without Bot Control | $60 (requests only) |
| With Common Bot Control | $60 + $10 + $100 = $170 |
| With Targeted Bot Control | $60 + $10 + $1,000 = $1,070 |
Targeted Bot Control is 10x more expensive per request. Use it only for high-value pages like login, checkout, and account creation rather than across your entire application.
Fraud Control Pricing
| Component | Price |
|---|---|
| Account Creation Fraud Prevention | $10.00/month + $1.00/1,000 attempts |
| Account Takeover Prevention | $10.00/month + $1.00/1,000 login attempts |
Fraud Control analyzes account creation and login attempts for suspicious patterns. At $1.00 per 1,000 attempts, it costs significantly more per request than standard WAF inspection. Apply it selectively to registration and login endpoints only.
Shield Standard vs Shield Advanced
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Monthly Cost | Free | $3,000/month (1-year commitment) |
| DDoS Protection | Layer 3/4 | Layer 3/4/7 |
| DDoS Response Team | Not included | 24/7 access |
| Cost Protection | Not included | Automatic scaling cost credits |
| WAF Included | Not included | WAF charges included |
| Health Checks | Basic | Enhanced Route 53 health checks |
When Shield Advanced Makes Sense
Shield Advanced at $3,000/month is expensive but includes WAF at no additional charge, eliminating Web ACL, rule, and request inspection fees. For organizations already spending over $2,000/month on WAF, Shield Advanced can be cost-neutral while adding DDoS response team access and cost protection guarantees.
Shield Advanced also provides automatic credits for scaling costs incurred during DDoS attacks, preventing unexpected bills from traffic spikes caused by attacks.
Cost Optimization Strategies
- Consolidate Web ACLs. Each Web ACL costs $5.00/month. Instead of creating separate Web ACLs for each CloudFront distribution or ALB, share a single Web ACL across multiple resources where the same security rules apply.
- Use rate-based rules instead of Bot Control. For basic bot mitigation, rate-based rules (included in the $1.00/rule cost) block IPs exceeding a request threshold. This is significantly cheaper than Bot Control at $1.00-10.00/million requests for simple use cases.
- Apply Bot Control selectively. Scope Bot Control to critical paths (login, API endpoints, checkout) rather than all traffic. Use a scope-down statement to inspect only matching requests, reducing the per-request volume.
- Start with free AWS managed rules. The Core Rule Set, Known Bad Inputs, SQL Injection, and IP Reputation managed rule groups are free beyond the $1.00/rule-group charge. These cover the most common attack vectors before you invest in marketplace rule groups.
- Monitor request volume by rule. Use CloudWatch metrics to identify rules that rarely trigger. Rules that have not blocked a request in 30 days may be unnecessary and cost $1.00/month each.
- Evaluate Shield Advanced for high WAF spend. If your monthly WAF bill exceeds $2,000, Shield Advanced at $3,000/month may be cost-effective since it includes WAF charges and adds DDoS protection and cost credits.
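The scope-down advice above, as an added example (not code from the original page): Python that builds a WAFv2 Bot Control rule restricted to a list of path prefixes and estimates the Bot Control charge at this page's prices when only a share of traffic is inspected. The rule name, the path prefixes and the 5% scoped share are assumptions for illustration.

```python
import json

# Bot Control prices quoted on this page (USD).
BOT_MONTHLY = 10.00
BOT_PER_MILLION = {"COMMON": 1.00, "TARGETED": 10.00}

def path_match(prefix):
    """WAFv2 byte-match statement: lowercased URI path starts with `prefix`."""
    return {"ByteMatchStatement": {
        "SearchString": prefix.lower(),
        "FieldToMatch": {"UriPath": {}},
        # Lowercase before matching so /LOGIN cannot slip past the scope.
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        "PositionalConstraint": "STARTS_WITH",
    }}

def bot_control_rule(prefixes, level="TARGETED", priority=10):
    """Bot Control rule that inspects only requests under `prefixes`."""
    if level not in BOT_PER_MILLION:
        raise ValueError(f"unknown inspection level: {level}")
    if not prefixes:
        raise ValueError("refusing to build an unscoped Bot Control rule")
    matches = [path_match(p) for p in prefixes]
    # OrStatement needs at least two nested statements; use a bare match for one.
    scope = matches[0] if len(matches) == 1 else {"OrStatement": {"Statements": matches}}
    return {
        "Name": "bot-control-scoped",  # hypothetical rule name
        "Priority": priority,
        "OverrideAction": {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesBotControlRuleSet",
            "ManagedRuleGroupConfigs": [
                {"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": level}}],
            "ScopeDownStatement": scope,
        }},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "bot-control-scoped"},
    }

def bot_control_cost(total_millions, scoped_share, level="TARGETED"):
    """Monthly Bot Control charge when only `scoped_share` of requests is inspected."""
    if not 0.0 <= scoped_share <= 1.0:
        raise ValueError("scoped_share must be between 0 and 1")
    return round(BOT_MONTHLY + total_millions * scoped_share * BOT_PER_MILLION[level], 2)

if __name__ == "__main__":
    print(json.dumps(bot_control_rule(["/login", "/checkout"]), indent=2))
    # 100M requests: all traffic inspected vs. an assumed 5% on scoped paths.
    print(bot_control_cost(100, 1.0), bot_control_cost(100, 0.05))
```

The returned dict is one entry for the `Rules` list of the Web ACL; the base $0.60/million inspection fee and the per-rule charge still apply on top of the Bot Control figure.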
FAQ
How much does a basic WAF setup cost?
A minimal WAF configuration with one Web ACL, the free AWS Core Rule Set, a rate-based rule, and 10 million requests/month costs approximately $13.00/month ($5 Web ACL + $2 rules + $6 requests). This provides solid baseline protection against common web exploits and basic DDoS mitigation.
Does AWS WAF protect against DDoS attacks?
AWS WAF handles Layer 7 (application layer) attacks like HTTP floods. Shield Standard (free, automatic) protects against Layer 3/4 network DDoS attacks. For comprehensive DDoS protection with a dedicated response team, Shield Advanced is required at $3,000/month.
Can I use WAF with multiple services simultaneously?
Yes. A single Web ACL can be associated with multiple CloudFront distributions, Application Load Balancers, API Gateway stages, and AppSync APIs. This is a key cost optimization since you pay one $5.00/month Web ACL charge instead of creating separate ACLs for each resource.
Lower Your WAF Costs with Wring
Wring helps you access AWS credits and volume discounts to lower your WAF costs. Through group buying power, Wring negotiates better rates so you pay less per Web ACL and million requests inspected.
