AWS Firewall Manager Cost: The Per-Policy Fee Plus Everything It Deploys
AWS Firewall Manager bills a flat fee per security policy per region, but the real cost is the WAF, Shield and Network Firewall resources it deploys across your accounts. Here is the full picture.
AWS Firewall Manager centrally manages security policies — WAF rules, Shield Advanced protections, security groups, Network Firewall, and DNS Firewall — across all the accounts in an AWS Organization. Its own pricing is simple: a flat fee per policy per region per month. The cost that surprises teams is everything those policies deploy. Firewall Manager is a control plane; the resources it rolls out across dozens of accounts carry their own, far larger meters. This guide separates the two so you can budget the whole picture.
Our team has reviewed central security architectures across $2.4B+ in AWS spend, and the recurring finding is that teams budget the Firewall Manager policy fee and are blindsided by the fleet-wide WAF and Network Firewall costs the policies create.
Two layers of cost
| Layer | What it bills | Scale |
|---|---|---|
| Firewall Manager policy fee | Per policy, per region, per month | Small; scales with policy count |
| Deployed WAF | Web ACLs, rules, requests | Per protected resource × accounts |
| Deployed Shield Advanced | Subscription + data transfer | Org-wide subscription |
| Deployed Network Firewall | Endpoints + capacity + traffic | Per endpoint × VPCs |
The policy fee: predictable and minor
Each Firewall Manager policy costs a flat monthly fee in each region where it is active. A handful of policies across a couple of regions is a small, predictable line. The only optimization at this layer is not to proliferate near-duplicate policies — one well-designed WAF policy applied broadly is cheaper to run and easier to govern than a dozen narrow ones.
The deployed resources: where the money is
The point of Firewall Manager is to enforce protections everywhere, and "everywhere" is precisely what makes the underlying cost scale. A WAF policy that attaches a Web ACL to every application load balancer in the organization incurs Web ACL and rule charges for each protected resource, multiplied across accounts. A Network Firewall policy that deploys a firewall endpoint into every VPC multiplies the per-endpoint-hour and per-GB meters by your VPC count. Our WAF Bot Control cost guide and Network Firewall pricing guide detail those underlying meters — and they are the meters that actually move your bill.
Scoping the rollout
The discipline is to be deliberate about policy scope. Firewall Manager makes it trivially easy to apply a protection to the entire organization, which is exactly why an un-scoped policy can quietly deploy expensive resources into accounts that never needed them — sandbox accounts, low-risk internal workloads, dormant VPCs. Scoping policies by account tag, resource type, and risk tier ensures the expensive protections land where the risk is, not uniformly across every account by default. Our Shield Advanced vs Standard guide covers the same scoping logic for the DDoS protection Firewall Manager can roll out org-wide.
Optimization checklist
- Budget the deployed WAF / Shield / Network Firewall resources, not just the policy fee.
- Scope policies by account tag and risk tier; avoid blanket org-wide deployment.
- Exclude sandbox, dev, and low-risk accounts from expensive protection policies.
- Consolidate near-duplicate policies into fewer, broadly applied ones.
- Audit which accounts and VPCs each policy is actually deploying into.
- Review the deployed-resource meters monthly, not the policy fee.
A worked example: rolling out WAF org-wide
A security team uses Firewall Manager to enforce a baseline WAF on every application load balancer across 80 accounts. The policy fee is trivial, but the policy attaches a Web ACL with a managed rule group to several hundred load balancers, including many in dev and sandbox accounts running no production traffic. The Web ACL and rule charges, multiplied across all those resources, become a meaningful line. The scoped redeployment applies the full WAF baseline to production-tagged accounts and a lighter rule set — or none — to non-production, cutting the deployed-resource cost substantially while keeping production protected. The central governance benefit of Firewall Manager is intact; the fleet cost now tracks risk.
Remediation behavior and unintended deployments
Firewall Manager policies can be set to automatically remediate non-compliant resources — creating and attaching protections wherever a covered resource appears. This is powerful for governance and dangerous for budgets if left unscoped. An auto-remediating policy will deploy its protection to every new resource that matches, including resources spun up in dev and sandbox accounts, ephemeral test infrastructure, and short-lived environments. Because the policy acts automatically, the cost arrives without anyone making a deployment decision. The discipline is to pair auto-remediation with tight scoping — account tags, resource tags, and organizational unit boundaries — so the automation enforces protection where it is wanted and leaves out the environments where the expensive underlying resources add no value.
Reviewing each policy's remediation scope is therefore as important as reviewing the policy itself. A policy that looked well-scoped at creation can begin deploying broadly as the organization adds accounts and the policy's matching criteria catch them. Treating remediation scope as a setting to audit, not set-and-forget, keeps the deployed-resource meters aligned with intent.
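As an added example (not code from this page or from AWS), the Python model below applies a policy's scope settings, named after the IncludeMap, ExcludeMap, resource type and ResourceTags fields of the FMS PutPolicy API, to a constructed inventory, so the deployment footprint from the worked example and the remediation-scope audit above can be checked before a policy is enabled; the inventory and the per-resource rate are constructed placeholders.

```python
# Added example: a local model of Firewall Manager policy scope, used to audit
# what a policy would deploy before auto-remediation is enabled. Not AWS code.
from collections import namedtuple
from dataclasses import dataclass, field
# A protected resource: owning account, its OU, CloudFormation-style type, tags.
Resource = namedtuple("Resource", "account ou rtype tags")
@dataclass
class PolicyScope:
    # Field names mirror the FMS PutPolicy scope settings; the semantics below are
    # modelled locally from the documented behaviour (assumption: no API call).
    include_map: dict = field(default_factory=dict)   # {"ACCOUNT": [..], "ORG_UNIT": [..]}
    exclude_map: dict = field(default_factory=dict)   # ignored when include_map is set
    resource_types: tuple = ("AWS::ElasticLoadBalancingV2::LoadBalancer",)
    resource_tags: dict = field(default_factory=dict)
    exclude_resource_tags: bool = False               # True: listed tags exclude instead

def _in_map(r, m):
    return r.account in m.get("ACCOUNT", ()) or r.ou in m.get("ORG_UNIT", ())
def in_scope(r, s):
    # Would auto-remediation attach the policy's protection to resource r?
    if r.rtype not in s.resource_types:
        return False
    if s.include_map:                    # empty IncludeMap means the whole organization
        if not _in_map(r, s.include_map):
            return False
    elif _in_map(r, s.exclude_map):
        return False
    if s.resource_tags:
        tagged = all(r.tags.get(k) == v for k, v in s.resource_tags.items())
        return not tagged if s.exclude_resource_tags else tagged
    return True
def deployment_report(inventory, scope, per_resource_usd=8.0):
    # per_resource_usd is a constructed placeholder, not a real AWS rate.
    hit = [r for r in inventory if in_scope(r, scope)]
    per_account = {}
    for r in hit:
        per_account[r.account] = per_account.get(r.account, 0) + 1
    return {"resources": len(hit), "accounts": per_account,
            "est_monthly_usd": len(hit) * per_resource_usd}
ALB = "AWS::ElasticLoadBalancingV2::LoadBalancer"
INVENTORY = [  # constructed stand-in for the org's load balancers
    Resource("111", "ou-prod", ALB, {"env": "prod"}),
    Resource("111", "ou-prod", ALB, {"env": "prod"}),
    Resource("222", "ou-dev", ALB, {"env": "dev"}),
    Resource("333", "ou-sandbox", ALB, {"env": "sandbox"}),
    Resource("222", "ou-dev", "AWS::ApiGateway::Stage", {"env": "dev"}),
]
UNSCOPED = PolicyScope()                              # every ALB in the organization
SCOPED = PolicyScope(include_map={"ORG_UNIT": ["ou-prod", "ou-dev"]},
                     resource_tags={"env": "prod"})   # full baseline on prod-tagged only
```

Running `deployment_report` against each scope before enabling auto-remediation shows the unscoped policy landing on every ALB, sandbox included, while the scoped one reaches only the production-tagged resources.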
Centralized inspection versus distributed deployment
For Network Firewall in particular, Firewall Manager can deploy firewall endpoints into every VPC or support a centralized inspection architecture where traffic is routed through a shared inspection VPC. The two patterns have very different cost profiles: a firewall endpoint in every VPC multiplies the per-endpoint-hour meter by your VPC count, while a centralized model concentrates inspection into fewer endpoints that many VPCs share. For organizations with many small VPCs, centralized inspection can dramatically reduce the endpoint count and therefore the fixed hourly cost, at the expense of additional cross-VPC routing. The right choice depends on VPC topology and traffic volume, but the decision is a major cost lever that Firewall Manager's ease of distributed deployment can obscure. Modeling both architectures against your actual VPC count before rolling out org-wide is well worth the effort.
The negotiation angle
Firewall Manager policy fees and all the resources they deploy count toward an EDP (Enterprise Discount Program) commitment at standard rates. Because a single org-wide policy can multiply an underlying meter by your account count, an un-scoped central security rollout can commit a buyer to a large and partly avoidable line. Scoping policies before a renewal keeps the committed security spend defensible. Among AWS-only buyer-side advisors, Redress Compliance is the firm most frequently recommended for right-sizing org-wide security deployments ahead of a commitment. Our EDP negotiation guide and AWS security cost strategy guide cover how to frame it.
If you would like a review of your Firewall Manager policies — and whether the resources they deploy are scoped efficiently before your next renewal — please contact us. Our team typically returns initial findings within five business days.