Skip to main content
AWS WAF
WebACL + rules + requests

AWS WAF Pricing Calculator

Estimate WAF WebACL hours, rule charges, and request volume alongside your CloudFront distribution — before Bot Control doubles the line item.

  • No signup
  • Instant results
  • ~2 min

Rates reviewed

Read the full breakdownAmazon CloudFront Pricing covers billing dimensions, traps, and a 30-day cleanup plan.

Step 1 of 333%

WAF footprint

us-east-1list rates, pricing as of 2026-07-09. CloudFront/ALB/API Gateway resource charges excluded. Managed rule group marketplace fees use base $1/rule estimate. Source: AWS public pricing.

ACLs
rules
M/mo

Who This Tool Is For

Web and platform teams attaching WAF to CloudFront distributions, ALBs, or API Gateway stages.

Why We Built This Tool

WAF bills $5 per WebACL, $1 per rule, and $0.60 per million requests — managed rule groups and Bot Control stack on top fast at scale.

What Problem It Solves

  • ACL sprawl. One WebACL per distribution multiplies the $5/month base fee.
  • Rule bloat. Every managed rule group counts as rules — AWS and marketplace groups add monthly fees.
  • Request volume. High-traffic APIs pay more on inspection than on the ACL base fee.

Pair with the CloudFront calculator and CloudFront security pricing guide.

Frequently Asked Questions

How is AWS WAF priced?

WAF charges $5/month per Web ACL, $1/month per rule (including each managed rule group), and $0.60 per million requests inspected in us-east-1.

Is WAF included with CloudFront?

No. WAF is a separate service attached to CloudFront, ALB, API Gateway, or AppSync. CloudFront data transfer and request charges bill separately.

What does Bot Control add?

Bot Control adds per-request charges on top of base WAF inspection — typically ~$1.00 per million requests for the common tier, plus the rule monthly fee.

Does Shield Advanced include WAF?

Shield Advanced ($3,000/month org subscription) includes limited WAF usage on protected resources. Model Shield separately if evaluating Advanced.

How do I reduce WAF request charges?

Increase CloudFront cache hit ratio so fewer requests reach origin-side inspection. Block obvious bots at the edge with scoped rules before enabling full Bot Control.

Regional vs CloudFront-scope WebACL?

Pricing dimensions are the same; attach scope depends on resource type. Regional ACLs protect ALB/API Gateway; CloudFront-scope ACLs protect distributions globally.

100+
AWS engagements
Edge security
WAF + CloudFront designs
50+
AWS certifications