AWS WAF Pricing: Web ACLs, Request Charges, Bot Control, and Logging Boundaries
Start with a calculator if you need a first-pass estimate, then use this guide to validate the assumptions and catch the billing traps.
Use this page when you need to decide what belongs inside the WAF bill model before you argue about optimization: it draws the boundary of the AWS WAF bill.
Stay here when the open question is Web ACLs, rules, evaluated requests, optional managed protections, and the downstream logging or SIEM costs that should be tracked beside WAF rather than confused with it. Go back to the security parent page if the broader security spike question is still unclear.
Quick pricing read
AWS WAF pricing is not only a request counter. The bill starts with the Web ACL baseline, then adds rules or rule groups, evaluated requests, and any optional intelligent protections such as Bot Control, Fraud Control, or CAPTCHA and Challenge actions. The important boundary is that blocked traffic still counts as evaluated traffic, but logging, storage, SIEM analysis, and investigation workflows still belong beside the WAF bill rather than inside it.
- Web ACLs are the first baseline: each Web ACL creates a baseline charge, so environment sprawl and duplicated protection surfaces increase cost before traffic is even discussed.
- Rules and rule groups add structural cost: custom rules, managed rule groups, and other rule-group choices change the baseline posture of the bill.
- Evaluated requests are the main variable surface: allowed and blocked traffic both count, which is why attack windows can raise spend even when the origin is protected successfully.
- Managed protections can change the bill shape: Bot Control, Fraud Control, and CAPTCHA or Challenge usage are not the same as a simple Web ACL plus request model.
- Logging boundaries still matter: CloudWatch, S3, Firehose, and SIEM pipelines belong beside WAF because teams often create a second security-observability bill after WAF has already done its work.
This page was updated on 2026-06-18 against the current AWS WAF pricing page, AWS WAF logging documentation, and AWS-managed intelligent threat documentation.
What to model (baseline + variable)
- Web ACL count: how many ACLs you maintain (often per environment/app)
- Rule count: custom rules + managed rule groups you enable (based on your pricing model)
- Requests/month: total evaluated requests, including blocked traffic and attack-driven spikes
- Managed protections: Bot Control, Fraud Control, CAPTCHA, or Challenge actions when your protection model uses them
- Downstream: log delivery, storage, search/analytics, and SIEM ingestion
The two most common budgeting failures are (1) modeling only the baseline and missing request spikes and (2) paying a second bill for logs and analysis.
Inside the WAF bill vs outside the WAF bill
- Inside the WAF bill: Web ACL baselines, rule or managed-rule coverage, evaluated requests including blocked traffic during attack windows, and any WAF-native intelligent protection add-ons that are enabled on the Web ACL.
- Usually outside the WAF bill: log delivery, retention, query scans, SIEM ingestion, and analyst workflows triggered by WAF events.
- Why that boundary matters: teams often blame WAF for total security-observability spend when the real multiplier sits in downstream logging and investigation.
A fast estimate (baseline + spike)
Use the AWS WAF cost calculator for the baseline + request model, then add log/analysis and any security tooling on top.
- Baseline scenario: typical month requests and current ACL/rule inventory.
- Spike scenario: attack or bot window where evaluated requests are much higher and optional protections may activate more often.
Worked estimate template (copy/paste)
- Baseline = ACLs + rules (and any managed add-ons you actually use)
- Requests/month = evaluated requests (allowed + blocked), baseline + spike
- Managed protections = Bot Control / Fraud Control / CAPTCHA or Challenge assumptions that are actually enabled
- Logs = (bytes per logged event) * logged events/month, then priced for delivery, retention, and query scans
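The template above, as an added worked example (not AWS's calculator or any published rate card): a small model that keeps the WAF-native charges and the downstream logging charges in separate buckets. Every unit price below is an assumed placeholder; the ACL/rule counts, request volumes, and bytes-per-event figure are constructed inputs.

```python
# Added example: toy AWS WAF bill model. Unit prices are PLACEHOLDERS, not AWS
# list prices; replace them with the current values from the AWS WAF pricing page.
from dataclasses import dataclass

PRICE_PER_WEB_ACL = 5.00               # per Web ACL per month (placeholder)
PRICE_PER_RULE = 1.00                  # per rule / managed rule group per month (placeholder)
PRICE_PER_MILLION_REQUESTS = 0.60      # per 1M evaluated requests (placeholder)
PRICE_BOT_CONTROL_PER_MILLION = 1.00   # add-on per 1M requests inspected (placeholder)
PRICE_LOG_PER_GB = 0.50                # delivery + retention per GB-month (placeholder)

@dataclass
class WafInputs:
    web_acls: int
    rules: int                      # custom rules + enabled managed rule groups
    allowed_requests: int           # baseline + spike window, from metrics/logs
    blocked_requests: int           # blocked traffic still counts as evaluated
    bot_control_enabled: bool
    log_bytes_per_event: int        # measured from real log samples, never assumed
    log_sampling_rate: float = 1.0  # fraction of evaluated requests actually logged

def estimate(i: WafInputs) -> dict:
    """Monthly estimate split into inside-the-WAF-bill and outside (logging)."""
    evaluated = i.allowed_requests + i.blocked_requests   # allowed + blocked both count
    millions = evaluated / 1_000_000
    baseline = i.web_acls * PRICE_PER_WEB_ACL + i.rules * PRICE_PER_RULE
    requests = millions * PRICE_PER_MILLION_REQUESTS
    managed = millions * PRICE_BOT_CONTROL_PER_MILLION if i.bot_control_enabled else 0.0
    inside = baseline + requests + managed
    # Logging scales with logged events and bytes, not with ACLs: model it beside WAF.
    log_gb = evaluated * i.log_sampling_rate * i.log_bytes_per_event / 1e9
    outside = log_gb * PRICE_LOG_PER_GB
    return {
        "evaluated_requests": evaluated,
        "inside_waf": round(inside, 2),
        "log_gb": round(log_gb, 3),
        "outside_waf_logging": round(outside, 2),
        "total": round(inside + outside, 2),
    }

if __name__ == "__main__":
    # Constructed scenario: 3 ACLs, 12 rules, 40M allowed + 10M blocked, Bot Control on,
    # ~1.5 KB per log event; then the same month with 10% log sampling.
    full = WafInputs(3, 12, 40_000_000, 10_000_000, True, 1500)
    sampled = WafInputs(3, 12, 40_000_000, 10_000_000, True, 1500, 0.1)
    for label, inputs in (("full logging", full), ("10% sampling", sampled)):
        print(label, estimate(inputs))
```

Swapping in real unit prices changes the numbers but not the shape: the logging line moves independently of the ACL and rule inventory, which is the boundary this page is about.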
Where to get inputs (evidence path)
- Evaluated requests: from WAF metrics/logs for a representative week; keep a separate spike window.
- ACL and rule inventory: list ACLs by environment and identify duplicated policies (sprawl is common).
- Managed protections: confirm whether Bot Control, Fraud Control, CAPTCHA, or Challenge are enabled on the same ACL instead of assuming a plain request-only model.
- Log volume: measure bytes per event and multiply by events/day; do not assume "logs are small".
Common pitfalls
- Underestimating request volume during incidents (bot traffic, attacks).
- Keeping many almost-identical ACLs and rules across environments.
- Forgetting that blocked traffic still counts in evaluated request volume.
- Ignoring paid managed protections and then comparing the bill to a plain ACL-plus-requests estimate.
- Streaming full logs everywhere without volume controls.
- Using one average and missing peak hours (spikes drive the bill).
How to validate the pricing model
- Reconcile evaluated requests against the bill for the same window (baseline week + spike window).
- Confirm rule/ACL inventory matches what is deployed (copy/paste ACL sprawl is common).
- Confirm whether Bot Control, Fraud Control, CAPTCHA, or Challenge are part of the deployed policy set.
- Verify logging controls: sampling, retention, and dashboard query windows.
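The first validation step above, as an added example that is not part of the original page: split a day-by-day request series into a baseline window and a spike window, then compare the measured evaluated-request total with the billed figure. The daily counts are constructed; in practice they come from the Web ACL's AllowedRequests and BlockedRequests CloudWatch metrics (AWS/WAFV2 namespace) or from the WAF logs, and the spike multiplier and tolerance are assumed thresholds.

```python
# Added example: reconcile evaluated requests against the bill, keeping the spike
# window separate. Data is constructed, not taken from a real account.
from statistics import median

# Constructed 14-day series of (allowed, blocked). Days 8-10 are an attack window in
# which blocked traffic dominates; blocked requests still count as evaluated.
DAILY = [
    (1_000_000, 20_000), (1_050_000, 25_000), (980_000, 18_000), (1_020_000, 22_000),
    (1_100_000, 30_000), (900_000, 15_000), (950_000, 17_000),
    (1_200_000, 6_000_000), (1_150_000, 9_500_000), (1_080_000, 4_200_000),
    (1_010_000, 26_000), (1_030_000, 21_000), (990_000, 19_000), (1_040_000, 23_000),
]

def split_windows(daily, spike_factor=3.0):
    """Classify each day as baseline or spike: a day whose evaluated count
    (allowed + blocked) exceeds spike_factor times the median day is a spike day."""
    evaluated = [allowed + blocked for allowed, blocked in daily]
    cutoff = spike_factor * median(evaluated)
    baseline = sum(e for e in evaluated if e <= cutoff)
    spike = sum(e for e in evaluated if e > cutoff)
    spike_days = sum(1 for e in evaluated if e > cutoff)
    blocked = sum(b for _, b in daily)
    return {"baseline": baseline, "spike": spike, "spike_days": spike_days,
            "blocked": blocked, "total": baseline + spike}

def reconcile(measured_total, billed_total, tolerance=0.05):
    """True when the measured evaluated-request total is within tolerance of the
    bill. A large gap usually points to a missing ACL, a log-sampling assumption,
    or a window mismatch rather than to a pricing error."""
    if billed_total == 0:
        return measured_total == 0
    return abs(measured_total - billed_total) / billed_total <= tolerance

if __name__ == "__main__":
    w = split_windows(DAILY)
    print(w)
    # Constructed billed figure for the same window; 5% tolerance.
    print("reconciles:", reconcile(w["total"], 34_000_000))
    # A figure that counted only allowed traffic would fail the check.
    print("allowed-only reconciles:", reconcile(w["total"], 14_500_000))
```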
When this is not the right page
- If you still need to separate WAF from KMS, secrets, or audit logging as the main security cost surface, go back to security costs first.
- If your main problem is turning real traffic and attack windows into a defendable evaluated-request model, go to Estimate WAF requests.
- If the model is already believable and you now need operational changes, go to WAF cost optimization.
- If you are investigating a specific surge window, use WAF cost spikes during attacks instead of treating every month like the same pattern.
Validation checklist
- Validate the primary driver with measured usage from a representative window.
- Confirm units and pricing units (per 10k vs per 1M, GB vs GiB) before trusting the estimate.
- Re-check incident windows: retries/timeouts often multiply cost drivers.
Sources
- AWS WAF pricing
- AWS WAF Bot Control managed rule group
- AWS WAF CAPTCHA and Challenge
- AWS WAF logging