AWS WAF pricing: what to model (ACLs, rules, requests)
AWS WAF-style pricing usually combines fixed monthly baselines (Web ACLs + rules) with a request-based charge that scales with total evaluated requests.
What to model (baseline + variable)
- Web ACL count: how many ACLs you maintain (often per environment/app)
- Rule count: custom rules + managed rule groups you enable (based on your pricing model)
- Requests/month: total evaluated requests (watch out for attack traffic)
- Downstream: log delivery, storage, search/analytics, and SIEM ingestion
The two most common budgeting failures are (1) modeling only the baseline and missing request spikes and (2) paying a second bill for logs and analysis.
A fast estimate (baseline + spike)
Use the AWS WAF Cost Calculator for the baseline + request model, then add log/analysis costs and any security tooling.
- Baseline scenario: typical month requests and current ACL/rule inventory.
- Spike scenario: attack/bot window where evaluated requests are much higher.
Worked estimate template (copy/paste)
- Baseline = ACLs + rules (and any managed add-ons you actually use)
- Requests/month = evaluated requests (allowed + blocked), baseline + spike
- Logs = (bytes per request) * requests/month + retention + query scans
Where to get inputs (evidence path)
- Evaluated requests: from WAF metrics/logs for a representative week; keep a separate spike window.
- ACL and rule inventory: list ACLs by environment and identify duplicated policies (sprawl is common).
- Log volume: measure bytes per event and multiply by events/day; do not assume "logs are small".
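The estimate template and the input-gathering steps above, as an added example that is not part of the original page: it measures evaluated requests (allowed + blocked), the hourly peak and bytes per event from WAF-style JSON log lines, then prices a baseline and a spike scenario. The log lines are constructed, every rate in `RATES` is a placeholder assumption rather than a published price, and the function names are hypothetical.

```python
import json
from collections import Counter

# Placeholder rates (assumptions, NOT published prices): use your own price sheet.
RATES = {"per_acl": 5.0, "per_rule": 1.0,
         "per_request_unit": 0.60, "request_unit": 1_000_000,  # $ per 1M requests
         "per_log_gb": 0.50}  # log ingest only; retention and query scans are extra

def make_sample_lines():
    """Constructed WAF-style log lines: a quiet hour and a bot-spike hour."""
    lines = []
    for hour, allowed, blocked in [(0, 3, 1), (1, 2, 10)]:
        for i, action in enumerate(["ALLOW"] * allowed + ["BLOCK"] * blocked):
            lines.append(json.dumps({
                "timestamp": (hour * 3600 + i) * 1000,  # epoch milliseconds
                "action": action,
                "httpRequest": {"clientIp": "203.0.113.7", "uri": "/login"}}))
    return lines

def measure(lines):
    """Count evaluated requests (allowed + blocked), hourly peak, bytes/event."""
    per_hour, actions, total_bytes = Counter(), Counter(), 0
    for line in lines:
        rec = json.loads(line)
        per_hour[rec["timestamp"] // 3_600_000] += 1
        actions[rec["action"]] += 1
        total_bytes += len(line.encode("utf-8")) + 1  # +1 for the newline
    return {"evaluated": len(lines), "allowed_only": actions["ALLOW"],
            "peak_hour": max(per_hour.values()),
            "avg_hour": len(lines) / len(per_hour),
            "bytes_per_event": total_bytes / len(lines)}

def monthly_estimate(acls, rules, requests, bytes_per_event, rates=RATES):
    """Baseline + request charge + log volume for one scenario."""
    baseline = acls * rates["per_acl"] + rules * rates["per_rule"]
    request_cost = requests / rates["request_unit"] * rates["per_request_unit"]
    log_gb = requests * bytes_per_event / 1e9  # GB, not GiB
    log_cost = log_gb * rates["per_log_gb"]
    return {"baseline": baseline, "requests": request_cost, "logs": log_cost,
            "total": baseline + request_cost + log_cost}

if __name__ == "__main__":
    m = measure(make_sample_lines())
    print(m)  # allowed_only undercounts evaluated; avg_hour hides peak_hour
    # Constructed monthly volumes: typical month, then the same month plus a spike.
    for name, reqs in [("baseline", 100_000_000), ("spike", 500_000_000)]:
        print(name, monthly_estimate(2, 10, reqs, m["bytes_per_event"]))
```

In the sample, counting allowed requests only or using the hourly average both understate the spike hour, which is the gap the pitfalls list describes.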
Common pitfalls
- Underestimating request volume during incidents (bot traffic, attacks).
- Keeping many almost-identical ACLs and rules across environments.
- Streaming full logs everywhere without volume controls.
- Measuring allowed requests only and forgetting blocked traffic in evaluated volume.
- Using one average and missing peak hours (spikes drive the bill).
How to validate the pricing model
- Reconcile evaluated requests against the bill for the same window (baseline week + spike window).
- Confirm rule/ACL inventory matches what is deployed (copy/paste ACL sprawl is common).
- Verify logging controls: sampling, retention, and dashboard query windows.
Validation checklist
- Validate the primary driver with measured usage from a representative window.
- Confirm units and pricing units (per 10k vs per 1M, GB vs GiB) before trusting the estimate.
- Re-check incident windows: retries/timeouts often multiply cost drivers.
FAQ
What typically drives WAF cost?
Request volume plus the baseline of Web ACLs and rules you configure. During traffic spikes, request charges can dominate.
What costs sit downstream of WAF?
Logging, storage, and analysis. If you stream WAF logs into CloudWatch/S3/SIEM and run searches, those can exceed the WAF bill.
Last updated: 2026-01-27