---
title: Amazon CloudFront Pricing: Regional Tiers, Per-Request Fees, and the Lambda@Edge Surprise
description: CloudFront bills $0.085/GB egress in North America tiered down to $0.020/GB at extreme volume, plus $0.0075–$0.0100 per 10K requests, plus origin egress. Regional price classes drop the bill 30–60% by skipping expensive geographies. Real-time logs at $0.01 per million entries surprise high-traffic sites. Lambda@Edge is dramatically more expensive than CloudFront Functions.
url: https://www.factualminds.com/blog/amazon-cloudfront-pricing-regional-tiers-requests-security/
datePublished: 2026-06-13T00:00:00.000Z
dateModified: 2026-06-13T00:00:00.000Z
author: palaniappan-p
category: Cost Optimization & FinOps
tags: amazon-cloudfront, cloudfront-pricing, aws-pricing, cost-optimization, finops, cdn
---

# Amazon CloudFront Pricing: Regional Tiers, Per-Request Fees, and the Lambda@Edge Surprise

> CloudFront bills $0.085/GB egress in North America tiered down to $0.020/GB at extreme volume, plus $0.0075–$0.0100 per 10K requests, plus origin egress. Regional price classes drop the bill 30–60% by skipping expensive geographies. Real-time logs at $0.01 per million entries surprise high-traffic sites. Lambda@Edge is dramatically more expensive than CloudFront Functions.

import PricingHeroStats from '~/components/blog/PricingHeroStats.astro';
import PricingDimensionTable from '~/components/blog/PricingDimensionTable.astro';
import BillSurpriseCallout from '~/components/blog/BillSurpriseCallout.astro';
import PricingDecisionCard from '~/components/blog/PricingDecisionCard.astro';

Amazon CloudFront is AWS's content delivery network with the most complex pricing matrix in the CDN space — egress tiered by region and volume, separate request fees by protocol, optional edge primitives (Origin Shield, KeyValueStore, Functions, Lambda@Edge) each with their own rate, and a new generation of flat-rate plans launched for predictable workloads. The right configuration can cut a high-traffic CloudFront bill by 50% without affecting end-user experience; the wrong defaults compound silently.

<PricingHeroStats
  stats={[
    { value: '$0.085', label: 'NA/EU egress / GB first 10 TB', note: 'Tiered down to $0.020/GB at extreme volume' },
    { value: '30–60%', label: 'Saving from Price Class 100', note: 'Skip expensive regions for NA/EU-only audiences' },
    {
      value: '$0.10 vs $0.60',
      label: 'Functions vs Lambda@Edge / M',
      note: '6× rate differential plus duration billing',
    },
    { value: 'Free', label: 'Tier: 1 TB + 10M req / mo', note: 'First-12-months free tier for new accounts' },
  ]}
  caption="us-east-1 list prices, June 2026. Egress rates vary substantially by region. Verify against the AWS CloudFront pricing page."
/>

This post is the bill story. For the CDN selection decision — CloudFront vs Cloudflare vs Fastly vs Akamai — see our [CloudFront vs Cloudflare comparison](/compare/aws-cloudfront-vs-cloudflare/).

## The 10 CloudFront Billing Dimensions

<PricingDimensionTable
  title="CloudFront pricing breakdown — us-east-1, June 2026"
  intro="Egress to viewers dominates most bills. Price class, Origin Shield, and edge primitive choice are the high-leverage decisions."
  region="us-east-1"
  dimensions={[
    {
      name: 'Egress NA/EU first 10 TB',
      unitPrice: '$0.085 / GB',
      example: '5 TB / month',
      monthly: '$425',
      note: 'Tiered down at 10 TB, 50 TB, 150 TB',
      highlight: true,
    },
    {
      name: 'Egress NA/EU next 40 TB',
      unitPrice: '$0.080 / GB',
      example: '40 TB / month',
      monthly: '$3,200',
      note: 'Slight tier-down',
    },
    {
      name: 'Egress NA/EU next 100 TB',
      unitPrice: '$0.060 / GB',
      example: '100 TB / month',
      monthly: '$6,000',
      note: 'Larger tier-down',
    },
    {
      name: 'Egress NA/EU above 350 TB',
      unitPrice: '$0.020–$0.040 / GB',
      example: 'Volume-tiered',
      monthly: 'Significant scale',
      note: 'Negotiable at very high volume',
    },
    {
      name: 'Egress Asia / South America',
      unitPrice: '$0.110–$0.140 / GB',
      example: 'Higher than NA/EU',
      monthly: 'Variable',
      note: 'Skip via Price Class 100 if not target',
    },
    {
      name: 'HTTP requests',
      unitPrice: '$0.0075 / 10K',
      example: '100M HTTP requests',
      monthly: '$75',
      note: 'Lower than HTTPS rate',
    },
    {
      name: 'HTTPS requests',
      unitPrice: '$0.0100 / 10K',
      example: '500M HTTPS requests',
      monthly: '$500',
      note: 'Standard for most modern sites',
      highlight: true,
    },
    {
      name: 'Data transfer to origin',
      unitPrice: '$0.020 / GB',
      example: '100 GB / month uploads',
      monthly: '$2',
      note: 'PUT/POST/PATCH bodies to origin',
    },
    {
      name: 'Invalidations',
      unitPrice: 'First 1000 free, then $0.005 each',
      example: '5000 invalidations / mo',
      monthly: '$20',
      note: 'Wildcard invalidations charge per matched path',
    },
    {
      name: 'Origin Shield',
      unitPrice: '$0.0075 / 10K requests + transfer to origin',
      example: 'Origin offload layer',
      monthly: 'Variable',
      note: 'Reduces origin load 60–80% for cache-miss-heavy workloads',
    },
    {
      name: 'KeyValueStore',
      unitPrice: '$0.000010 read / $0.000040 write / $0.000200 PutKey',
      example: '100M reads / month',
      monthly: '$1',
      note: 'Edge state for routing, flags, A/B',
    },
    {
      name: 'CloudFront Functions',
      unitPrice: '$0.10 / million invocations',
      example: '500M invocations',
      monthly: '$50',
      note: 'Lightweight URL/header manipulation',
    },
    {
      name: 'Lambda@Edge',
      unitPrice: '$0.60 / M requests + $0.00005001 / GB-second',
      example: '50M requests / month',
      monthly: '$30+ plus duration',
      note: '6× CloudFront Functions; reserve for complex logic',
      highlight: true,
    },
    {
      name: 'Real-time logs',
      unitPrice: '$0.01 / M log entries + Kinesis cost',
      example: '1B requests / month',
      monthly: '$10,000+ at scale',
      note: 'Standard logs to S3 are free',
      highlight: true,
    },
  ]}
  footnote="Egress to viewers and HTTPS requests dominate most distributions. The remaining lines compound at scale or with optional features."
/>

## Price Classes: The Biggest Single-Setting Saving

CloudFront price classes determine which edge locations are eligible to serve cached content:

<PricingDimensionTable
  title="Price Class comparison — same workload, three configurations"
  intro="Choose based on actual user geography. For NA/EU-targeted services, skipping expensive regions cuts the egress bill substantially."
  region="us-east-1"
  dimensions={[
    {
      name: 'Price Class All',
      unitPrice: 'Includes every edge globally',
      example: 'Worldwide audience',
      monthly: 'Baseline cost',
      note: 'Best performance everywhere; highest cost in India/SA/AU/ME',
    },
    {
      name: 'Price Class 200',
      unitPrice: 'Excludes South America + Australia',
      example: 'NA/EU/Asia/ME audience',
      monthly: '~10–20% lower',
      note: 'Drops two highest-cost regions',
    },
    {
      name: 'Price Class 100',
      unitPrice: 'NA + EU only',
      example: 'NA/EU primary audience',
      monthly: '~30–60% lower',
      note: 'Major saving; minor impact on global users',
      highlight: true,
    },
  ]}
  footnote="Set per distribution. For multi-region products, deploy separate distributions per geography with appropriate price classes."
/>

<BillSurpriseCallout
  variant="optimization"
  title="Switch NA/EU-targeted distributions to Price Class 100"
  amount="30–60% egress saving"
>
  For products whose user base is concentrated in North America and Europe, Price Class 100 saves dramatically on egress
  without measurable impact on the target audience. Verify your user geography via CloudFront usage reports before
  switching. The change applies immediately.
</BillSurpriseCallout>

## CloudFront Functions vs Lambda@Edge

The two edge compute primitives have very different economics:

<PricingDimensionTable
  title="CloudFront Functions vs Lambda@Edge — 100M edge invocations / month"
  intro="Functions for simple operations; Lambda@Edge for complex logic. The rate differential is 6×, plus Lambda@Edge bills duration."
  region="us-east-1"
  dimensions={[
    {
      name: 'CloudFront Functions',
      unitPrice: '$0.10 / M invocations',
      example: 'URL rewriting, header injection',
      monthly: '$10',
      note: 'Sub-ms execution; constrained runtime',
      highlight: true,
    },
    {
      name: 'Lambda@Edge',
      unitPrice: '$0.60 / M + $0.00005001 / GB-s',
      example: 'Full Node.js/Python runtime',
      monthly: '$60 + duration',
      note: '6× per-invocation rate; full execution flexibility',
    },
    {
      name: 'Lambda@Edge with 200ms avg @ 128 MB',
      unitPrice: 'Add duration',
      example: 'Network calls in handler',
      monthly: '$60 + $1.30 = $61.30',
      note: 'Duration is small but non-zero',
    },
    {
      name: 'Lambda@Edge with 1s avg @ 512 MB',
      unitPrice: 'Add duration',
      example: 'External API call per request',
      monthly: '$60 + $26 = $86',
      note: 'Duration becomes meaningful',
    },
  ]}
  footnote="Use Functions for header/URL manipulation and lightweight A/B routing. Use Lambda@Edge only when you genuinely need network calls or larger code dependencies."
/>

## Real-Time Logs: The Hidden Bill Driver

CloudFront real-time logs deliver request log entries to a Kinesis Data Stream within seconds of the request. Cost: $0.01 per million log entries plus the underlying Kinesis Data Stream cost.

For a high-traffic distribution serving billions of requests/month, the real-time log bill becomes substantial — $10K+/month from real-time logs alone, plus the downstream Kinesis processing cost.

<BillSurpriseCallout
  variant="trap"
  title="Real-time logs enabled on a high-traffic distribution at 100% sampling"
  amount="$10K+/month at billion-request scale"
>
  Most use cases for log analysis tolerate the 5-minute batch delivery of standard logs (which are free). Configure
  real-time logs only when sub-minute visibility into requests is operationally required — and configure sampling (e.g.,
  1% or 10% of requests) rather than 100% delivery. Standard logs delivered to S3 cover virtually all ad-hoc analysis
  needs.
</BillSurpriseCallout>

## Origin Shield: When the Caching Layer Pays Off

Origin Shield is an additional caching layer between CloudFront edge and origin, located in a single regional shield. The cost: $0.0075 per 10K requests plus standard data transfer to origin.

The win: reduced origin load. Without Origin Shield, every edge location independently fetches the origin on cache miss, multiplying origin requests. With Origin Shield, requests aggregate at a single regional layer before hitting origin.

When Origin Shield pays off:

- **Cache-miss-heavy workloads** (frequently-changing content, low cache hit ratios).
- **Workloads where origin compute or egress dominates the bill** — Origin Shield reduces both.
- **Multi-region origin setups** where cross-region edge requests would otherwise compound.

When Origin Shield does not pay off:

- **High-cache-hit workloads** (static assets, long TTLs) — Origin Shield adds cost without reducing origin load meaningfully.
- **Low-volume workloads** — the marginal saving doesn't justify the additional request fee.

## KeyValueStore: The Edge State Primitive

CloudFront KeyValueStore is the AWS-native edge state primitive for routing logic, feature flags, A/B test variants, and rarely-changing configuration. Pricing:

- Reads: $0.000010 per read — nearly free at edge scale.
- Writes: $0.000040 per write — slightly more expensive.
- PutKey operations: $0.000200 per PutKey.

At edge request rates, reads are negligible. The cost driver is write/PutKey volume — KeyValueStore is designed for rarely-changing configuration, not for high-frequency mutable state.

The right use cases:

- Feature flags consulted on every request.
- A/B test variant assignment.
- Routing tables for header/path-based origin selection.
- Geo-based routing rules.

The wrong use cases:

- User session state (use DynamoDB Global Tables).
- Frequently-updated counters (use DynamoDB with conditional updates).
- Anything requiring strong consistency across edge.

## When to Use Each CloudFront Feature

<PricingDecisionCard
  headline="Price Class 100 for NA/EU audiences; Origin Shield for cache-miss-heavy; Functions for simple edge logic; Lambda@Edge only when network calls needed."
  useWhen={[
    'Price Class 100 for products targeting NA + EU users — major egress saving',
    'Price Class 200 for global products that can skip South America and Australia',
    'Origin Shield for low-cache-hit-ratio workloads or expensive origins',
    'CloudFront Functions for URL rewriting, header injection, A/B routing',
    'Lambda@Edge for edge logic requiring network calls or larger code',
    'KeyValueStore for feature flags and rarely-changing edge configuration',
    'Standard logs (S3) for ad-hoc analysis — free and 5-minute delivery is fine for most needs',
  ]}
  avoidWhen={[
    'Price Class All for products with concentrated geographic audiences — pay for edges users do not hit',
    'Origin Shield on high-cache-hit static workloads — adds cost without reducing origin load',
    'Lambda@Edge for simple URL manipulation — CloudFront Functions is 6× cheaper',
    'Real-time logs at 100% sampling on high-traffic distributions — sampling or standard logs almost always sufficient',
    'KeyValueStore for high-frequency mutable state — wrong primitive for the workload',
    'Invalidations as a caching strategy — use cache headers and short TTLs for frequently-changing content',
  ]}
  footnote="CloudFront cost optimization is largely configuration choices. The CDN primitive itself is the right answer for AWS-hosted workloads; the bill problems are settings."
/>

## A 30-Day CloudFront Bill Cleanup Plan

**Week 1 — Price class audit.** For each distribution, check the configured price class against the actual user geography (CloudFront usage reports). Switch distributions targeting NA/EU users to Price Class 100; switch global-with-no-SA/AU traffic to Price Class 200.

**Week 2 — Edge function migration.** Identify Lambda@Edge functions that perform only URL/header manipulation. Migrate to CloudFront Functions where the constrained runtime supports the use case. 6× per-invocation saving.

**Week 3 — Real-time logs scope.** Identify distributions with real-time logs enabled. Disable on distributions where standard logs suffice; apply sampling on distributions where real-time visibility is required.

**Week 4 — Cache hit ratio review.** For each distribution, check the CloudFront `CacheHitRate` metric. Identify distributions with low cache-hit ratios; investigate cache header configuration, origin response headers, and consider Origin Shield for those workloads.

## What This Post Doesn't Cover

- **Multi-CDN strategies** (CloudFront + Cloudflare + Fastly) — covered in our CDN architecture content.
- **CloudFront Origin types** (S3 vs ALB vs custom origins) — covered in our CDN architecture content.
- **AWS WAF integration cost** in depth — WAF bills per rule and per request; covered in our security content.
- **Shield Advanced** — fixed $3K/month per organization plus per-protected-resource fees; covered in our DDoS protection content.

## If You Only Do One Thing This Week

Check the Price Class configured on each CloudFront distribution against the actual user geography. Run `aws cloudfront list-distributions` to enumerate; for each, check `PriceClass` and cross-reference against the distribution's traffic reports. Distributions targeting NA + EU users should be on PriceClass_100; the egress saving is typically 30–60% with no measurable impact on the target audience. The change is `aws cloudfront update-distribution` with the updated PriceClass; it applies immediately to new requests.

For the broader CDN selection decision — when CloudFront vs alternatives — the [CloudFront vs Cloudflare comparison](/compare/aws-cloudfront-vs-cloudflare/) covers the trade-offs.

## FAQ

### What is the difference between Price Class All, 200, and 100?
CloudFront price classes determine which edge locations serve traffic. Price Class All uses every CloudFront edge globally — best performance everywhere, highest cost in expensive regions (India, South America, Australia, Middle East). Price Class 200 excludes South America and Australia. Price Class 100 includes only North America and Europe. For workloads where most users are in North America and Europe, Price Class 100 cuts the egress bill by 30–60% with minimal performance impact for the target user base. Set the price class per distribution; revisit when traffic geography changes.

### How much does Origin Shield really save?
Origin Shield is an additional caching layer between CloudFront edge and origin. It costs $0.0075 per 10K requests (HTTP) plus standard data transfer to origin. The saving comes from reducing origin requests — without Origin Shield, every edge location independently requests the origin on cache miss, multiplying the origin load. With Origin Shield, requests aggregate at a single regional layer before hitting the origin. For workloads with many cache misses (frequently-changing content, low-cache-hit-ratio APIs), Origin Shield can reduce origin load by 60–80%, paying for itself in reduced origin compute and egress. For static-content workloads with high cache-hit ratios already, Origin Shield is overhead without benefit.

### What is CloudFront KeyValueStore and how is it priced?
KeyValueStore is a low-latency, eventually-consistent key-value store available globally at CloudFront edge — designed for routing logic, feature flags, A/B test variants, and other edge-state needs. Pricing: $0.000010 per read, $0.000040 per write, $0.000200 per PutKey operation. At edge scale, reads are nearly free; writes and PutKey operations add up if used as a frequently-mutating database (which it is not designed for). The right use: rarely-changing configuration consulted on every request (think "what feature flag is on for this user segment?"). The wrong use: frequently-mutating data — that workload belongs on DynamoDB Global Tables or another primary database.

### When does Lambda@Edge cost surprisingly more than CloudFront Functions?
CloudFront Functions is $0.10 per million invocations with minimal added latency, designed for simple URL manipulation, header rewriting, and lightweight A/B routing. Lambda@Edge is $0.60 per million requests plus $0.00005001 per GB-second of duration — 6× the per-invocation rate plus duration billing. A function processing 100 million requests/month costs $10 on CloudFront Functions vs $60+ on Lambda@Edge (plus duration). The differential is dramatic at scale. The decision: use CloudFront Functions for anything that fits its constrained execution model (no network calls, no large dependencies, 1ms execution limit); use Lambda@Edge only when you genuinely need the broader runtime.

### Are real-time logs really expensive at scale?
Real-time logs bill $0.01 per million log entries delivered, plus the underlying Kinesis Data Stream cost. For a high-traffic distribution serving billions of requests/month, the real-time log bill can land at thousands per month. The mitigations: sample real-time logs at the source (configure the LogPublishing rate per distribution), use standard logs (free; delivered to S3 in 5-minute batches) for ad-hoc analysis, and reserve real-time logs for high-priority debugging windows rather than always-on. Most workloads do not need real-time visibility into every CloudFront request; sampled standard logs answer most questions at a fraction of the cost.

### Should I migrate to a CloudFront security savings bundle?
AWS introduced security savings bundles that combine CloudFront, WAF, and Shield Advanced into discounted multi-product commitments. For organizations using all three products, the bundle can save 20–40% on the combined bill. For organizations using only CloudFront with light WAF rules, the bundle is overcommitment. Audit your CloudFront + security spend; if Shield Advanced ($3K/month per organization base) and substantial WAF usage are already in scope, the bundle pays off. Otherwise, à la carte is more flexible.

### How does the new flat-rate CloudFront plan compare to traditional usage-based pricing?
AWS introduced flat-rate CloudFront plans for predictable workloads — commit to a monthly fee for an included data transfer allowance and request count, with overages billed at standard rates. For predictable high-volume distributions (e.g., a video streaming service with consistent monthly traffic), flat-rate provides cost predictability and a small discount on the commit. For variable workloads (event-driven traffic spikes, marketing campaigns), usage-based remains more flexible. Evaluate based on 3-month traffic predictability; if the variance is under 20%, flat-rate may save money.

---

*Source: https://www.factualminds.com/blog/amazon-cloudfront-pricing-regional-tiers-requests-security/*