AWS WAF pricing: what to model (ACLs, rules, requests)

Reviewed by CloudCostKit Editorial Team. Last updated: 2026-04-04. Editorial policy and methodology.

Start with a calculator if you need a first-pass estimate, then use this guide to validate the assumptions and catch the billing traps.

RPS to Monthly Requests Calculator API Request Cost Calculator CDN Request Cost Calculator

Use this page when you need to decide what belongs inside the WAF bill model before you argue about optimization. This is the AWS WAF bill-boundary page.

Stay here when the open question is Web ACLs, rules, evaluated requests, and the downstream logging or SIEM costs that should be tracked beside WAF rather than confused with it. Go back to the security parent page if the broader security spike question is still unclear.

What to model (baseline + variable)

  • Web ACL count: how many ACLs you maintain (often per environment/app)
  • Rule count: custom rules + managed rule groups you enable (based on your pricing model)
  • Requests/month: total evaluated requests (watch out for attack traffic)
  • Downstream: log delivery, storage, search/analytics, and SIEM ingestion

The two most common budgeting failures are (1) modeling only the baseline and missing request spikes and (2) paying a second bill for logs and analysis.

Inside the WAF bill vs outside the WAF bill

  • Inside the WAF bill: Web ACL baselines, rule or managed-rule coverage, and evaluated requests including blocked traffic during attack windows.
  • Usually outside the WAF bill: log delivery, retention, query scans, SIEM ingestion, and analyst workflows triggered by WAF events.
  • Why that boundary matters: teams often blame WAF for total security-observability spend when the real multiplier sits in downstream logging and investigation.

A fast estimate (baseline + spike)

Use AWS WAF Cost Calculator for the baseline + request model, then add log/analysis and any security tooling.

  • Baseline scenario: typical month requests and current ACL/rule inventory.
  • Spike scenario: attack/bot window where evaluated requests are much higher.

Worked estimate template (copy/paste)

  • Baseline = ACLs + rules (and any managed add-ons you actually use)
  • Requests/month = evaluated requests (allowed + blocked), baseline + spike
  • Logs = (bytes per request) * requests/month + retention + query scans

Where to get inputs (evidence path)

  • Evaluated requests: from WAF metrics/logs for a representative week; keep a separate spike window.
  • ACL and rule inventory: list ACLs by environment and identify duplicated policies (sprawl is common).
  • Log volume: measure bytes per event and multiply by events/day; do not assume "logs are small".

Common pitfalls

  • Underestimating request volume during incidents (bot traffic, attacks).
  • Keeping many almost-identical ACLs and rules across environments.
  • Streaming full logs everywhere without volume controls.
  • Measuring allowed requests only and forgetting blocked traffic in evaluated volume.
  • Using one average and missing peak hours (spikes drive the bill).

How to validate the pricing model

  • Reconcile evaluated requests against the bill for the same window (baseline week + spike window).
  • Confirm rule/ACL inventory matches what is deployed (copy/paste ACL sprawl is common).
  • Verify logging controls: sampling, retention, and dashboard query windows.

When this is not the right page

  • If you still need to separate WAF from KMS, secrets, or audit logging as the main security cost surface, go back to security costs first.
  • If your main problem is turning real traffic and attack windows into a defendable evaluated-request model, go to Estimate WAF requests.
  • If the model is already believable and you now need operational changes, go to WAF cost optimization.
  • If you are investigating a specific surge window, use WAF cost spikes during attacks instead of treating every month like the same pattern.

Related guides

Estimate WAF requests WAF cost spikes during attacks AWS WAF vs Cloudflare WAF cost

Validation checklist

  • Validate the primary driver with measured usage from a representative window.
  • Confirm units and pricing units (per 10k vs per 1M, GB vs GiB) before trusting the estimate.
  • Re-check incident windows: retries/timeouts often multiply cost drivers.

Related reading

Cost estimation checklist Network transfer costs Request-based pricing

Sources

Related guides

Estimate WAF request volume (CDN/LB to monthly requests)
How to estimate WAF request volume for cost models: from CDN/LB metrics, from logs, and what to do about bot spikes.
KMS pricing: what to model (keys + requests)
A practical AWS KMS pricing checklist: key-months, request volume, and the services and patterns that generate surprise KMS request bills.
WAF cost optimization (reduce requests + rule sprawl)
A practical playbook to reduce WAF spend: cut evaluated requests, keep rule count tight, and avoid downstream logging waste.
API Gateway vs ALB vs CloudFront cost: what to compare (requests, transfer, add-ons)
A practical cost comparison of API Gateway, Application Load Balancer (ALB), and CloudFront. Compare request pricing, data transfer, caching impact, WAF, logs, and the hidden line items that change the answer.
AWS WAF vs Cloudflare WAF cost: a practical comparison checklist
Compare AWS WAF vs Cloudflare WAF cost using a practical checklist: request-based charges, rule/policy baselines, logging/analytics costs, and what to model for your traffic shape.
Estimate KMS requests per month (where they come from)
A practical workflow to estimate AWS KMS request volume: identify call sources, translate workload volume into KMS API calls, and validate with billing/CloudTrail so you can budget and optimize safely.

Related calculators

RPS to Monthly Requests Calculator
Estimate monthly request volume from RPS, hours/day, and utilization.
API Request Cost Calculator
Estimate request-based charges from monthly requests and $ per million.
CDN Request Cost Calculator
Estimate CDN request fees from monthly requests and $ per 10k/1M pricing.

FAQ

What typically drives WAF cost?
Request volume plus the baseline of Web ACLs and rules you configure. During traffic spikes, request charges can dominate.
What costs sit downstream of WAF?
Logging, storage, and analysis. If you stream WAF logs into CloudWatch/S3/SIEM and run searches, those can exceed the WAF bill.
Last updated: 2026-04-04. Reviewed against CloudCostKit methodology and current provider documentation. See the Editorial Policy .