Amazon CloudFront Pricing: Regional Tiers, Per-Request Fees, and the Lambda@Edge Surprise
Quick summary: CloudFront bills $0.085/GB egress in North America tiered down to $0.020/GB at extreme volume, plus $0.0075–$0.0100 per 10K requests, plus origin egress. Regional price classes drop the bill 30–60% by skipping expensive geographies. Real-time logs at $0.01 per million entries surprise high-traffic sites. Lambda@Edge is dramatically more expensive than CloudFront Functions.
Key Takeaways
- CloudFront bills $0
- 085/GB egress in North America tiered down to $0
- 020/GB at extreme volume, plus $0
- 0075–$0
- 0100 per 10K requests, plus origin egress
Table of Contents
Amazon CloudFront is AWS’s content delivery network with the most complex pricing matrix in the CDN space — egress tiered by region and volume, separate request fees by protocol, optional edge primitives (Origin Shield, KeyValueStore, Functions, Lambda@Edge) each with their own rate, and a new generation of flat-rate plans launched for predictable workloads. The right configuration can cut a high-traffic CloudFront bill by 50% without affecting end-user experience; the wrong defaults compound silently.
This post is the bill story. For the CDN selection decision — CloudFront vs Cloudflare vs Fastly vs Akamai — see our CloudFront vs Cloudflare comparison.
The 10 CloudFront Billing Dimensions
CloudFront pricing breakdown — us-east-1, June 2026
Prices in us-east-1
Egress to viewers dominates most bills. Price class, Origin Shield, and edge primitive choice are the high-leverage decisions.
| Dimension | Unit price | Example workload | Monthly cost |
|---|---|---|---|
| Egress NA/EU first 10 TB Tiered down at 10 TB, 50 TB, 150 TB | $0.085 / GB | 5 TB / month | $425 |
| Egress NA/EU next 40 TB Slight tier-down | $0.080 / GB | 40 TB / month | $3,200 |
| Egress NA/EU next 100 TB Larger tier-down | $0.060 / GB | 100 TB / month | $6,000 |
| Egress NA/EU above 350 TB Negotiable at very high volume | $0.020–$0.040 / GB | Volume-tiered | Significant scale |
| Egress Asia / South America Skip via Price Class 100 if not target | $0.110–$0.140 / GB | Higher than NA/EU | Variable |
| HTTP requests Lower than HTTPS rate | $0.0075 / 10K | 100M HTTP requests | $75 |
| HTTPS requests Standard for most modern sites | $0.0100 / 10K | 500M HTTPS requests | $500 |
| Data transfer to origin PUT/POST/PATCH bodies to origin | $0.020 / GB | 100 GB / month uploads | $2 |
| Invalidations Wildcard invalidations charge per matched path | First 1000 free, then $0.005 each | 5000 invalidations / mo | $20 |
| Origin Shield Reduces origin load 60–80% for cache-miss-heavy workloads | $0.0075 / 10K requests + transfer to origin | Origin offload layer | Variable |
| KeyValueStore Edge state for routing, flags, A/B | $0.000010 read / $0.000040 write / $0.000200 PutKey | 100M reads / month | $1 |
| CloudFront Functions Lightweight URL/header manipulation | $0.10 / million invocations | 500M invocations | $50 |
| Lambda@Edge 6× CloudFront Functions; reserve for complex logic | $0.60 / M requests + $0.00005001 / GB-second | 50M requests / month | $30+ plus duration |
| Real-time logs Standard logs to S3 are free | $0.01 / M log entries + Kinesis cost | 1B requests / month | $10,000+ at scale |
Egress NA/EU first 10 TB
$425Tiered down at 10 TB, 50 TB, 150 TB
- Unit price
- $0.085 / GB
- Example workload
- 5 TB / month
Egress NA/EU next 40 TB
$3,200Slight tier-down
- Unit price
- $0.080 / GB
- Example workload
- 40 TB / month
Egress NA/EU next 100 TB
$6,000Larger tier-down
- Unit price
- $0.060 / GB
- Example workload
- 100 TB / month
Egress NA/EU above 350 TB
Significant scaleNegotiable at very high volume
- Unit price
- $0.020–$0.040 / GB
- Example workload
- Volume-tiered
Egress Asia / South America
VariableSkip via Price Class 100 if not target
- Unit price
- $0.110–$0.140 / GB
- Example workload
- Higher than NA/EU
HTTP requests
$75Lower than HTTPS rate
- Unit price
- $0.0075 / 10K
- Example workload
- 100M HTTP requests
HTTPS requests
$500Standard for most modern sites
- Unit price
- $0.0100 / 10K
- Example workload
- 500M HTTPS requests
Data transfer to origin
$2PUT/POST/PATCH bodies to origin
- Unit price
- $0.020 / GB
- Example workload
- 100 GB / month uploads
Invalidations
$20Wildcard invalidations charge per matched path
- Unit price
- First 1000 free, then $0.005 each
- Example workload
- 5000 invalidations / mo
Origin Shield
VariableReduces origin load 60–80% for cache-miss-heavy workloads
- Unit price
- $0.0075 / 10K requests + transfer to origin
- Example workload
- Origin offload layer
KeyValueStore
$1Edge state for routing, flags, A/B
- Unit price
- $0.000010 read / $0.000040 write / $0.000200 PutKey
- Example workload
- 100M reads / month
CloudFront Functions
$50Lightweight URL/header manipulation
- Unit price
- $0.10 / million invocations
- Example workload
- 500M invocations
Lambda@Edge
$30+ plus duration6× CloudFront Functions; reserve for complex logic
- Unit price
- $0.60 / M requests + $0.00005001 / GB-second
- Example workload
- 50M requests / month
Real-time logs
$10,000+ at scaleStandard logs to S3 are free
- Unit price
- $0.01 / M log entries + Kinesis cost
- Example workload
- 1B requests / month
Egress to viewers and HTTPS requests dominate most distributions. The remaining lines compound at scale or with optional features.
Price Classes: The Biggest Single-Setting Saving
CloudFront price classes determine which edge locations are eligible to serve cached content:
Price Class comparison — same workload, three configurations
Prices in us-east-1
Choose based on actual user geography. For NA/EU-targeted services, skipping expensive regions cuts the egress bill substantially.
| Dimension | Unit price | Example workload | Monthly cost |
|---|---|---|---|
| Price Class All Best performance everywhere; highest cost in India/SA/AU/ME | Includes every edge globally | Worldwide audience | Baseline cost |
| Price Class 200 Drops two highest-cost regions | Excludes South America + Australia | NA/EU/Asia/ME audience | ~10–20% lower |
| Price Class 100 Major saving; minor impact on global users | NA + EU only | NA/EU primary audience | ~30–60% lower |
Price Class All
Baseline costBest performance everywhere; highest cost in India/SA/AU/ME
- Unit price
- Includes every edge globally
- Example workload
- Worldwide audience
Price Class 200
~10–20% lowerDrops two highest-cost regions
- Unit price
- Excludes South America + Australia
- Example workload
- NA/EU/Asia/ME audience
Price Class 100
~30–60% lowerMajor saving; minor impact on global users
- Unit price
- NA + EU only
- Example workload
- NA/EU primary audience
Set per distribution. For multi-region products, deploy separate distributions per geography with appropriate price classes.
CloudFront Functions vs Lambda@Edge
The two edge compute primitives have very different economics:
CloudFront Functions vs Lambda@Edge — 100M edge invocations / month
Prices in us-east-1
Functions for simple operations; Lambda@Edge for complex logic. The rate differential is 6×, plus Lambda@Edge bills duration.
| Dimension | Unit price | Example workload | Monthly cost |
|---|---|---|---|
| CloudFront Functions Sub-ms execution; constrained runtime | $0.10 / M invocations | URL rewriting, header injection | $10 |
| Lambda@Edge 6× per-invocation rate; full execution flexibility | $0.60 / M + $0.00005001 / GB-s | Full Node.js/Python runtime | $60 + duration |
| Lambda@Edge with 200ms avg @ 128 MB Duration is small but non-zero | Add duration | Network calls in handler | $60 + $1.30 = $61.30 |
| Lambda@Edge with 1s avg @ 512 MB Duration becomes meaningful | Add duration | External API call per request | $60 + $26 = $86 |
CloudFront Functions
$10Sub-ms execution; constrained runtime
- Unit price
- $0.10 / M invocations
- Example workload
- URL rewriting, header injection
Lambda@Edge
$60 + duration6× per-invocation rate; full execution flexibility
- Unit price
- $0.60 / M + $0.00005001 / GB-s
- Example workload
- Full Node.js/Python runtime
Lambda@Edge with 200ms avg @ 128 MB
$60 + $1.30 = $61.30Duration is small but non-zero
- Unit price
- Add duration
- Example workload
- Network calls in handler
Lambda@Edge with 1s avg @ 512 MB
$60 + $26 = $86Duration becomes meaningful
- Unit price
- Add duration
- Example workload
- External API call per request
Use Functions for header/URL manipulation and lightweight A/B routing. Use Lambda@Edge only when you genuinely need network calls or larger code dependencies.
Real-Time Logs: The Hidden Bill Driver
CloudFront real-time logs deliver request log entries to a Kinesis Data Stream within seconds of the request. Cost: $0.01 per million log entries plus the underlying Kinesis Data Stream cost.
For a high-traffic distribution serving billions of requests/month, the real-time log bill becomes substantial — $10K+/month from real-time logs alone, plus the downstream Kinesis processing cost.
Origin Shield: When the Caching Layer Pays Off
Origin Shield is an additional caching layer between CloudFront edge and origin, located in a single regional shield. The cost: $0.0075 per 10K requests plus standard data transfer to origin.
The win: reduced origin load. Without Origin Shield, every edge location independently fetches the origin on cache miss, multiplying origin requests. With Origin Shield, requests aggregate at a single regional layer before hitting origin.
When Origin Shield pays off:
- Cache-miss-heavy workloads (frequently-changing content, low cache hit ratios).
- Workloads where origin compute or egress dominates the bill — Origin Shield reduces both.
- Multi-region origin setups where cross-region edge requests would otherwise compound.
When Origin Shield does not pay off:
- High-cache-hit workloads (static assets, long TTLs) — Origin Shield adds cost without reducing origin load meaningfully.
- Low-volume workloads — the marginal saving doesn’t justify the additional request fee.
KeyValueStore: The Edge State Primitive
CloudFront KeyValueStore is the AWS-native edge state primitive for routing logic, feature flags, A/B test variants, and rarely-changing configuration. Pricing:
- Reads: $0.000010 per read — nearly free at edge scale.
- Writes: $0.000040 per write — slightly more expensive.
- PutKey operations: $0.000200 per PutKey.
At edge request rates, reads are negligible. The cost driver is write/PutKey volume — KeyValueStore is designed for rarely-changing configuration, not for high-frequency mutable state.
The right use cases:
- Feature flags consulted on every request.
- A/B test variant assignment.
- Routing tables for header/path-based origin selection.
- Geo-based routing rules.
The wrong use cases:
- User session state (use DynamoDB Global Tables).
- Frequently-updated counters (use DynamoDB with conditional updates).
- Anything requiring strong consistency across edge.
When to Use Each CloudFront Feature
Price Class 100 for NA/EU audiences; Origin Shield for cache-miss-heavy; Functions for simple edge logic; Lambda@Edge only when network calls needed.
Use when
- Price Class 100 for products targeting NA + EU users — major egress saving
- Price Class 200 for global products that can skip South America and Australia
- Origin Shield for low-cache-hit-ratio workloads or expensive origins
- CloudFront Functions for URL rewriting, header injection, A/B routing
- Lambda@Edge for edge logic requiring network calls or larger code
- KeyValueStore for feature flags and rarely-changing edge configuration
- Standard logs (S3) for ad-hoc analysis — free and 5-minute delivery is fine for most needs
Avoid when
- Price Class All for products with concentrated geographic audiences — pay for edges users do not hit
- Origin Shield on high-cache-hit static workloads — adds cost without reducing origin load
- Lambda@Edge for simple URL manipulation — CloudFront Functions is 6× cheaper
- Real-time logs at 100% sampling on high-traffic distributions — sampling or standard logs almost always sufficient
- KeyValueStore for high-frequency mutable state — wrong primitive for the workload
- Invalidations as a caching strategy — use cache headers and short TTLs for frequently-changing content
CloudFront cost optimization is largely configuration choices. The CDN primitive itself is the right answer for AWS-hosted workloads; the bill problems are settings.
A 30-Day CloudFront Bill Cleanup Plan
Week 1 — Price class audit. For each distribution, check the configured price class against the actual user geography (CloudFront usage reports). Switch distributions targeting NA/EU users to Price Class 100; switch global-with-no-SA/AU traffic to Price Class 200.
Week 2 — Edge function migration. Identify Lambda@Edge functions that perform only URL/header manipulation. Migrate to CloudFront Functions where the constrained runtime supports the use case. 6× per-invocation saving.
Week 3 — Real-time logs scope. Identify distributions with real-time logs enabled. Disable on distributions where standard logs suffice; apply sampling on distributions where real-time visibility is required.
Week 4 — Cache hit ratio review. For each distribution, check the CloudFront CacheHitRate metric. Identify distributions with low cache-hit ratios; investigate cache header configuration, origin response headers, and consider Origin Shield for those workloads.
What This Post Doesn’t Cover
- Multi-CDN strategies (CloudFront + Cloudflare + Fastly) — covered in our CDN architecture content.
- CloudFront Origin types (S3 vs ALB vs custom origins) — covered in our CDN architecture content.
- AWS WAF integration cost in depth — WAF bills per rule and per request; covered in our security content.
- Shield Advanced — fixed $3K/month per organization plus per-protected-resource fees; covered in our DDoS protection content.
If You Only Do One Thing This Week
Check the Price Class configured on each CloudFront distribution against the actual user geography. Run aws cloudfront list-distributions to enumerate; for each, check PriceClass and cross-reference against the distribution’s traffic reports. Distributions targeting NA + EU users should be on PriceClass_100; the egress saving is typically 30–60% with no measurable impact on the target audience. The change is aws cloudfront update-distribution with the updated PriceClass; it applies immediately to new requests.
For the broader CDN selection decision — when CloudFront vs alternatives — the CloudFront vs Cloudflare comparison covers the trade-offs.
AWS Cloud Architect & AI Expert
AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.
