AWS WAF Pricing: Web ACLs, Request Charges, Bot Control, and Logging Boundaries

Reviewed by CloudCostKit Editorial Team. Last updated: 2026-06-18. Editorial policy and methodology.

Start with a calculator if you need a first-pass estimate, then use this guide to validate the assumptions and catch the billing traps.


Use this page when you need to decide what belongs inside the WAF bill model before you argue about optimization. This is the AWS WAF bill-boundary page.

Stay here when the open question is Web ACLs, rules, evaluated requests, optional managed protections, and the downstream logging or SIEM costs that should be tracked beside WAF rather than confused with it. Go back to the security parent page if the broader security spike question is still unclear.

Quick pricing read

AWS WAF pricing is not only a request counter. The bill starts with the Web ACL baseline, then adds rules or rule groups, evaluated requests, and any optional intelligent protections such as Bot Control, Fraud Control, or CAPTCHA and Challenge actions. The important boundary is that blocked traffic still counts as evaluated traffic, while logging, storage, SIEM analysis, and investigation workflows belong beside the WAF bill rather than inside it.

  • Web ACLs are the first baseline: each Web ACL creates a baseline charge, so environment sprawl and duplicated protection surfaces increase cost before traffic is even discussed.
  • Rules and rule groups add structural cost: custom rules, managed rule groups, and other rule-group choices change the baseline posture of the bill.
  • Evaluated requests are the main variable surface: allowed and blocked traffic both count, which is why attack windows can raise spend even when the origin is protected successfully.
  • Managed protections can change the bill shape: Bot Control, Fraud Control, and CAPTCHA or Challenge usage are not the same as a simple Web ACL plus request model.
  • Logging boundaries still matter: CloudWatch, S3, Firehose, and SIEM pipelines belong beside WAF because teams often create a second security-observability bill after WAF has already done its work.

This page was updated on 2026-06-18 against the current AWS WAF pricing page, AWS WAF logging documentation, and AWS-managed intelligent threat documentation.

What to model (baseline + variable)

  • Web ACL count: how many ACLs you maintain (often per environment/app)
  • Rule count: custom rules + managed rule groups you enable (based on your pricing model)
  • Requests/month: total evaluated requests, including blocked traffic and attack-driven spikes
  • Managed protections: Bot Control, Fraud Control, CAPTCHA, or Challenge actions when your protection model uses them
  • Downstream: log delivery, storage, search/analytics, and SIEM ingestion

The two most common budgeting failures are (1) modeling only the baseline and missing request spikes and (2) paying a second bill for logs and analysis.

Inside the WAF bill vs outside the WAF bill

  • Inside the WAF bill: Web ACL baselines, rule or managed-rule coverage, evaluated requests including blocked traffic during attack windows, and any WAF-native intelligent protection add-ons that are enabled on the Web ACL.
  • Usually outside the WAF bill: log delivery, retention, query scans, SIEM ingestion, and analyst workflows triggered by WAF events.
  • Why that boundary matters: teams often blame WAF for total security-observability spend when the real multiplier sits in downstream logging and investigation.

A fast estimate (baseline + spike)

Use the AWS WAF Cost Calculator for the baseline + request model, then add log/analysis and any security tooling.

  • Baseline scenario: typical month requests and current ACL/rule inventory.
  • Spike scenario: attack or bot window where evaluated requests are much higher and optional protections may activate more often.

Worked estimate template (copy/paste)

  • Baseline = ACLs + rules (and any managed add-ons you actually use)
  • Requests/month = evaluated requests (allowed + blocked), baseline + spike
  • Managed protections = Bot Control / Fraud Control / CAPTCHA or Challenge assumptions that are actually enabled
  • Logs = (bytes per request) * requests/month + retention + query scans
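The template above, carried through as an added example (not code from CloudCostKit or AWS): a small estimator that keeps inside-WAF and beside-WAF totals apart, normalises every quote through its pricing unit so a per-10k quote cannot be mistaken for a per-1M one, and can be run once for the baseline month and once for the spike month. All unit prices in `PRICES` are placeholder assumptions, not AWS list prices.

```python
"""Baseline-plus-spike estimate for the WAF bill model described above.
All unit prices are placeholder assumptions for illustration, not AWS list
prices: replace them with the values on the current AWS WAF pricing page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UnitPrice:
    """A price quoted per `unit` items (per ACL, per 1M requests, ...).
    Normalising quotes through `unit` avoids the per-10k vs per-1M mix-up."""
    price: float
    unit: int = 1

    def cost(self, quantity: float) -> float:
        return self.price * quantity / self.unit


# Placeholder prices (assumed for this example, not AWS list prices).
PRICES = {
    "web_acl_month": UnitPrice(5.00),
    "rule_month": UnitPrice(1.00),
    "requests": UnitPrice(0.60, unit=1_000_000),
    "bot_control_requests": UnitPrice(1.00, unit=1_000_000),
    "log_storage_gb_month": UnitPrice(0.03),
    "log_scan_gb": UnitPrice(0.005),
}


def estimate_month(acls, rules, requests, bot_control_requests=0,
                   bytes_per_request=0, retention_months=1, scanned_gb=0,
                   prices=PRICES):
    """One month's estimate split into inside-WAF and beside-WAF totals.
    `requests` is evaluated requests (allowed + blocked, baseline or spike);
    `rules` is the total rule and rule-group count across all ACLs."""
    inside = {
        "web_acls": prices["web_acl_month"].cost(acls),
        "rules": prices["rule_month"].cost(rules),
        "requests": prices["requests"].cost(requests),
        "bot_control": prices["bot_control_requests"].cost(bot_control_requests),
    }
    log_gb = requests * bytes_per_request / 1e9  # log volume follows request volume
    beside = {
        "log_storage": prices["log_storage_gb_month"].cost(log_gb * retention_months),
        "log_scans": prices["log_scan_gb"].cost(scanned_gb),
    }
    return {"inside_waf": round(sum(inside.values()), 2),
            "beside_waf": round(sum(beside.values()), 2),
            "log_gb": round(log_gb, 3),
            "lines": {**inside, **beside}}
```

Running it twice, once with the baseline request count and once with the spike count plus any Bot Control requests, gives the two scenarios the page asks for, with the logging line tracked separately each time.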

Where to get inputs (evidence path)

  • Evaluated requests: from WAF metrics/logs for a representative week; keep a separate spike window.
  • ACL and rule inventory: list ACLs by environment and identify duplicated policies (sprawl is common).
  • Managed protections: confirm whether Bot Control, Fraud Control, CAPTCHA, or Challenge are enabled on the same ACL instead of assuming a plain request-only model.
  • Log volume: measure bytes per event and multiply by events/day; do not assume "logs are small".
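The evidence path above (evaluated requests with a separate spike window, and measured bytes per event) as an added example, not code from CloudCostKit or AWS. It reads WAF log lines in the JSON-per-line shape AWS WAF emits, counts every event as evaluated regardless of action, splits a baseline window from a spike window at an assumed timestamp, and measures bytes per event from the data. The log lines, account id, ACL name and window boundary are constructed placeholders.

```python
"""Pull evaluated-request and log-volume inputs out of WAF log lines.
The lines in SAMPLE_LOG are constructed samples in the shape of AWS WAF
JSON logs (one object per line, epoch-millisecond timestamps); they are
not real traffic, and the account id and ACL name are placeholders."""
import json
from collections import Counter

SAMPLE_LOG = """\
{"timestamp":1750204800000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpRequest":{"clientIp":"198.51.100.10","country":"US","uri":"/","httpMethod":"GET"}}
{"timestamp":1750204801000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpRequest":{"clientIp":"198.51.100.11","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1750204802000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","httpSourceName":"ALB","httpRequest":{"clientIp":"203.0.113.5","country":"US","uri":"/admin","httpMethod":"GET"}}
{"timestamp":1750291200000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"rate-limit-per-ip","terminatingRuleType":"RATE_BASED","action":"BLOCK","httpSourceName":"ALB","httpRequest":{"clientIp":"203.0.113.77","country":"US","uri":"/search","httpMethod":"GET"}}
{"timestamp":1750291200500,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"rate-limit-per-ip","terminatingRuleType":"RATE_BASED","action":"BLOCK","httpSourceName":"ALB","httpRequest":{"clientIp":"203.0.113.77","country":"US","uri":"/search","httpMethod":"GET"}}
{"timestamp":1750291201000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpRequest":{"clientIp":"198.51.100.12","country":"US","uri":"/","httpMethod":"GET"}}
"""

SPIKE_START_MS = 1750291200000  # constructed boundary between the two windows


def summarize(lines, spike_start_ms=SPIKE_START_MS):
    """Count evaluated requests per window and per action, and measure bytes
    per event so log volume is derived from data instead of assumed small."""
    counts = {"baseline": Counter(), "spike": Counter()}
    raw_bytes = {"baseline": 0, "spike": 0}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        window = "spike" if event["timestamp"] >= spike_start_ms else "baseline"
        # Every logged event was evaluated, whatever action WAF took on it.
        counts[window][event["action"]] += 1
        raw_bytes[window] += len(line.encode("utf-8")) + 1  # +1 for the newline
    summary = {}
    for window, actions in counts.items():
        evaluated = sum(actions.values())
        summary[window] = {
            "evaluated": evaluated,
            "by_action": dict(actions),
            "bytes_per_event": raw_bytes[window] // evaluated if evaluated else 0,
        }
    return summary


def project_monthly(evaluated, window_seconds, days=30):
    """Scale a measured window up to a month; run baseline and spike separately."""
    return round(evaluated * days * 86400 / window_seconds)
```

The `bytes_per_event` figure from a representative week is the input the Logs line of the estimate template needs; feeding a real export through `summarize` replaces the "logs are small" assumption with a measured number.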

Common pitfalls

  • Underestimating request volume during incidents (bot traffic, attacks).
  • Keeping many almost-identical ACLs and rules across environments.
  • Forgetting that blocked traffic still counts in evaluated request volume.
  • Ignoring paid managed protections and then comparing the bill to a plain ACL-plus-requests estimate.
  • Streaming full logs everywhere without volume controls.
  • Using one average and missing peak hours (spikes drive the bill).

How to validate the pricing model

  • Reconcile evaluated requests against the bill for the same window (baseline week + spike window).
  • Confirm rule/ACL inventory matches what is deployed (copy/paste ACL sprawl is common).
  • Confirm whether Bot Control, Fraud Control, CAPTCHA, or Challenge are part of the deployed policy set.
  • Verify logging controls: sampling, retention, and dashboard query windows.

When this is not the right page

  • If you still need to separate WAF from KMS, secrets, or audit logging as the main security cost surface, go back to security costs first.
  • If your main problem is turning real traffic and attack windows into a defendable evaluated-request model, go to Estimate WAF requests.
  • If the model is already believable and you now need operational changes, go to WAF cost optimization.
  • If you are investigating a specific surge window, use WAF cost spikes during attacks instead of treating every month like the same pattern.

Validation checklist

  • Validate the primary driver with measured usage from a representative window.
  • Confirm units and pricing units (per 10k vs per 1M, GB vs GiB) before trusting the estimate.
  • Re-check incident windows: retries/timeouts often multiply cost drivers.

Related guides

Estimate WAF request volume (CDN/LB to monthly requests)
Estimate AWS WAF evaluated requests from CDN or load balancer metrics, log samples, attack windows, and bot spikes so monthly request models reflect baseline traffic and incident-heavy months.
WAF cost spikes during attacks: how to budget request surges
A practical guide to WAF cost spikes during attacks: why request-based charges jump, how to model surge traffic, and how to reduce evaluated requests and logging volume safely.
AWS WAF vs Cloudflare WAF cost: a practical comparison checklist
Compare AWS WAF vs Cloudflare WAF cost using a practical checklist: request-based charges, rule/policy baselines, logging/analytics costs, and what to model for your traffic shape.
WAF cost optimization (reduce requests + rule sprawl)
Reduce AWS WAF cost by cutting evaluated requests, tightening rule sprawl, and controlling downstream logging volume so attack-month savings do not come at the expense of real security coverage.
API Gateway vs ALB vs CloudFront cost: what to compare (requests, transfer, add-ons)
A practical cost comparison of API Gateway, Application Load Balancer (ALB), and CloudFront. Compare request pricing, data transfer, caching impact, WAF, logs, and the hidden line items that change the answer.
KMS cost optimization (reduce request volume safely)
A practical AWS KMS cost optimization checklist focused on the real driver: request volume. Learn where KMS calls come from, how to reduce them safely with caching and batching, and how to validate savings.

FAQ

What typically drives WAF cost?
The core WAF bill is shaped by Web ACL count, rules or rule groups, evaluated requests, and any paid managed protections such as Bot Control or Fraud Control. During attacks, evaluated requests can dominate quickly.
What costs sit downstream of WAF?
Logging, storage, and analysis. If you stream WAF logs into CloudWatch/S3/SIEM and run searches, those can exceed the WAF bill.

Last updated: 2026-06-18. Reviewed against CloudCostKit methodology and current provider documentation. See the Editorial Policy.