AWS WAF Pricing Strategy: ACL Sprawl, Rule Cost, and Request Tier Math
AWS WAF is one of the most commonly misconfigured AWS services from a cost perspective. The per-ACL and per-rule charges look trivial in the pricing calculator and quietly aggregate to mid-five-figure monthly bills at fleet scale.
WAF rarely appears in the top three line items on an AWS bill, which is why it gets ignored until annual review. By that point, the average enterprise is paying for 30 to 200 Web ACLs configured per-distribution with significant rule duplication, and the recoverable spend is real. This piece is the playbook we apply when WAF surfaces in security cost audits ahead of EDP renewals.
AWS WAF pricing breakdown
WAF (v2 / WAFv2) in 2026 prices on three dimensions:
- Web ACL. $5/month per ACL.
- Rules. $1/month per rule in a web ACL. A rule group reference, whether to a rule group you own or to a managed one, counts as one rule in the referencing ACL. The rules inside a managed rule group are not billed individually; the rules inside a rule group you own are billed once, regardless of how many ACLs reference it.
- Requests. $0.60 per million requests the web ACL evaluates, blocked and allowed alike, for ACLs within the default 1,500 WCU budget; ACLs above that carry a per-million surcharge.
Most AWS Managed Rules groups (Core Rule Set, Known Bad Inputs, the SQL, Linux and PHP sets, the IP reputation lists) cost nothing beyond the $1/month the reference counts as a rule. The intelligent threat mitigation groups (Bot Control, Account Takeover Prevention, Account Creation Fraud Prevention) are $10/month per web ACL each plus a usage fee. Marketplace Managed Rules are priced by the seller, typically a monthly subscription plus $0.20 to $1.00 per million requests.
Where the bill actually lives
For a typical $80M AWS spend customer:
| Cost component | Monthly | % of WAF bill |
|---|---|---|
| 50 ACLs (per CloudFront distribution) | $250 | 5% |
| 20 rules per ACL average | $1,000 | 20% |
| AWS Managed Rules (5 groups across ACLs) | $500 | 10% |
| Marketplace Managed Rules (F5, Imperva) | $2,000 | 40% |
| Request inspection (2B requests/month) | $1,200 | 25% |
| Total | $4,950 | 100% |
The pattern: managed rules and request inspection dominate. ACL count is a multiplier on rule cost; if each of 50 ACLs has the same 20 rules, that is 1,000 rule-months even though the underlying rule logic is identical.
The seven optimisations
1. Consolidate ACLs
The default architecture is one ACL per CloudFront distribution or per ALB. For multi-distribution sites this multiplies billing without adding security value. A web ACL can be associated with any number of resources of its scope: a CloudFront-scope ACL across many distributions, a regional ACL across the ALBs, API Gateway stages and other regional resources in the same Region. Each resource can carry only one web ACL, so the shared ACL has to hold the union of the rules its resources need.
Quick win: 50 ACLs collapsed to 5 by attaching shared ACLs to multiple resources cuts the ACL line item by 90%.
2. Use rule groups, not duplicated rules
If you have 30 ACLs each containing the same 20 rules, that is 600 rule-months. Refactoring to a single rule group containing the 20 rules, referenced by all 30 ACLs, drops you to 30 rule-months for the references (one per ACL) plus 20 for the rules inside the group: 50 in total.
Caveat: a managed rule group, AWS or Marketplace, is billed as one rule per referencing ACL and its internal rules are not charged, but those internal rules do consume the ACL's WCU budget (the Core Rule Set alone is 700 WCUs), which is what limits how many groups one consolidated ACL can hold.
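The rule-month arithmetic in optimisations 1 and 2, as a small cost model you can point at your own inventory. This is an added example, not code from the original page. It uses the list prices stated above ($5 per web ACL, $1 per rule, $0.60 per million requests) and the billing treatment described in this section: a rule group reference counts as one rule in the referencing ACL, and the rules inside a rule group you own are billed once however many ACLs reference it.

```python
"""Monthly AWS WAF cost model for the ACL and rule consolidation above.

Added example; not code from the original page. Prices are the list prices the
page states. Billing treatment assumed, as described in optimisations 1 and 2:
a rule group referenced from a web ACL counts as one rule in that ACL, and the
rules inside a rule group you own are billed once, however many ACLs use it.
"""
WEB_ACL_MONTHLY = 5.00
RULE_MONTHLY = 1.00
PER_MILLION_REQUESTS = 0.60


def acl_line_items(acls, rule_groups):
    """Compute monthly line items for an estate.

    acls: list of dicts with keys name, inline_rules (int), rule_group_refs
          (list of rule group names) and requests_millions (float).
    rule_groups: dict mapping a rule group you own to the number of rules in it.
    """
    inline_rule_months = sum(a["inline_rules"] for a in acls)
    # Each reference to a rule group is billed as one rule in the referencing ACL.
    ref_rule_months = sum(len(a["rule_group_refs"]) for a in acls)
    # The rules inside your own rule group are billed once, not once per ACL.
    referenced = {g for a in acls for g in a["rule_group_refs"]}
    group_rule_months = sum(rule_groups[g] for g in referenced)
    items = {
        "web_acls": WEB_ACL_MONTHLY * len(acls),
        "rules": RULE_MONTHLY * (inline_rule_months + ref_rule_months + group_rule_months),
        "requests": PER_MILLION_REQUESTS * sum(a["requests_millions"] for a in acls),
    }
    items["total"] = round(sum(items.values()), 2)
    return items


def per_distribution_estate(n_acls=50, rules_each=20, total_requests_millions=2000):
    """One ACL per CloudFront distribution, identical rules copied into each."""
    acls = [
        {"name": f"dist-{i}", "inline_rules": rules_each, "rule_group_refs": [],
         "requests_millions": total_requests_millions / n_acls}
        for i in range(n_acls)
    ]
    return acl_line_items(acls, {})


def consolidated_estate(n_acls=5, rules_in_group=20, total_requests_millions=2000):
    """Same rule logic moved into one shared rule group, referenced by fewer ACLs."""
    acls = [
        {"name": f"shared-{i}", "inline_rules": 0, "rule_group_refs": ["baseline"],
         "requests_millions": total_requests_millions / n_acls}
        for i in range(n_acls)
    ]
    return acl_line_items(acls, {"baseline": rules_in_group})


def monthly_saving(before, after):
    return round(before["total"] - after["total"], 2)


if __name__ == "__main__":
    before, after = per_distribution_estate(), consolidated_estate()
    for label, items in (("per-distribution", before), ("consolidated", after)):
        print(f"{label:17s}", {k: f"${v:,.2f}" for k, v in items.items()})
    print("monthly saving:", monthly_saving(before, after))
```

The rules line falls from 1,000 rule-months to 25 (5 references plus the 20 rules in the group), and the 30-ACL case from the text comes out at 50. Notice what does not move: the request line stays at $1,200 because consolidation changes nothing about how many requests are evaluated. Consolidation attacks only the ACL and rule fees; the request and managed-rule fees need the other optimisations.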
3. Evaluate Marketplace Managed Rules ROI
F5, Imperva, Fortinet and others sell Marketplace Managed Rule Groups at seller-set prices, a monthly subscription plus a per-million-request fee; on a high-volume ACL a single group can run to four figures a month. For most customers, the AWS Managed Rule Groups (Core Rule Set, Known Bad Inputs, SQL Database, Linux OS and so on) cover about 80 percent of the protection at a fraction of the cost.
Audit: are the Marketplace rules matching real traffic? Check the rule group's BlockedRequests and CountedRequests metrics in CloudWatch and its entries in the WAF logs' ruleGroupList. A group that has been evaluated for weeks without a single terminating or counted match is not adding value; confirm the window included real attack traffic before removing it.
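The log-side version of that audit, as an added example that is not part of the original page: it tallies, per rule group, how often the group was evaluated, terminated a request, or counted one, and reports groups that never matched. The log lines are constructed for the example, but the fields used (action, ruleGroupList[] with ruleGroupId, terminatingRule and nonTerminatingMatchingRules) are the ones the real WAF log format carries. "VENDOR#ExampleMarketplaceRuleSet" is a placeholder identifier, not a real Marketplace product.

```python
"""Count rule-group activity in AWS WAF logs to find managed groups that never match.

Added example; not the page's own code. The sample records are constructed,
not real traffic; the field names follow the WAF log format.
"""
import json
from collections import defaultdict

COMMON = "AWS#AWSManagedRulesCommonRuleSet"
MARKET = "VENDOR#ExampleMarketplaceRuleSet"   # placeholder, not a real product


def _record(action, groups, uri, rule_id="Default_Action"):
    return json.dumps({
        "timestamp": 1700000000000, "formatVersion": 1, "action": action,
        "terminatingRuleId": rule_id,
        "httpRequest": {"uri": uri, "clientIp": "203.0.113.10", "httpMethod": "GET"},
        "ruleGroupList": groups,
    })


def _evaluated(group_id, terminating=None, counted=()):
    return {"ruleGroupId": group_id, "terminatingRule": terminating,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted]}


# Constructed sample: five requests through an ACL that references two rule groups.
# When the first group blocks, the second is never evaluated and does not appear.
SAMPLE_LOG_LINES = [
    _record("ALLOW", [_evaluated(COMMON), _evaluated(MARKET)], "/"),
    _record("BLOCK", [_evaluated(COMMON, {"ruleId": "NoUserAgent_HEADER", "action": "BLOCK"})],
            "/wp-login.php", rule_id="AWS-AWSManagedRulesCommonRuleSet"),
    _record("ALLOW", [_evaluated(COMMON, counted=("SizeRestrictions_BODY",)), _evaluated(MARKET)],
            "/upload"),
    _record("ALLOW", [_evaluated(COMMON), _evaluated(MARKET)], "/products"),
    _record("BLOCK", [_evaluated(COMMON, {"ruleId": "GenericRFI_QUERYARGUMENTS", "action": "BLOCK"})],
            "/search", rule_id="AWS-AWSManagedRulesCommonRuleSet"),
]


def summarize_rule_groups(log_lines):
    """Per rule group: how often it was evaluated, terminated a request, or counted one."""
    stats = defaultdict(lambda: {"evaluated": 0, "terminated": 0, "counted": 0})
    for line in log_lines:
        record = json.loads(line)
        for group in record.get("ruleGroupList", []):
            s = stats[group["ruleGroupId"]]
            s["evaluated"] += 1
            if group.get("terminatingRule"):      # BLOCK, CAPTCHA or CHALLENGE ended evaluation here
                s["terminated"] += 1
            s["counted"] += len(group.get("nonTerminatingMatchingRules") or [])
    return dict(stats)


def idle_rule_groups(stats):
    """Groups that were evaluated but never matched anything: candidates for removal."""
    return sorted(g for g, s in stats.items()
                  if s["evaluated"] > 0 and s["terminated"] == 0 and s["counted"] == 0)


if __name__ == "__main__":
    stats = summarize_rule_groups(SAMPLE_LOG_LINES)
    for group, s in stats.items():
        print(f"{group:40s} {s}")
    print("idle:", idle_rule_groups(stats))
```

On real data, feed it the gzipped JSON-lines objects from the S3 log bucket over at least a 30-day window. A group that is idle because the window held only clean traffic is not evidence of anything, so check that the window contains the blocks you expect from the groups you are keeping before you act on the idle list.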
4. Scope inspection; there is no request sampling
AWS WAF does not sample. Every request that reaches a resource with an associated web ACL is evaluated and billed at the per-million rate whatever the verdict, and on CloudFront the evaluation happens before the cache, so cache hits are billed too. The console's "sampled requests" view is a short-lived visibility sample of matched requests, not an inspection-rate control. The levers that actually reduce inspected volume are: do not associate a web ACL with resources that carry nothing worth inspecting (a distribution serving only immutable static assets, for example), and put scope-down statements on managed rule group references so that their per-request surcharges apply only to the paths that need them.
Caveat: removing a web ACL from a resource removes all protection from it, not a proportion of it. Do not do this on PCI-scope, authenticated or write paths to save request fees.
5. Layer WAF before CloudFront, not at ALB
WAF attached to CloudFront inspects requests at the edge; WAF attached to an ALB inspects them at the load balancer in your Region. The per-ACL, per-rule and per-request prices are the same, but the architectural difference matters: a request blocked at the edge never reaches your origin.
Cost angle: requests blocked at the edge generate no CloudFront-to-origin transfer, no ALB LCU consumption and no origin compute; only a small 403 goes back to the client. For high-attack-volume sites this is a meaningful indirect saving. If CloudFront already fronts the ALB, a second regional ACL on the ALB pays to inspect the same request twice, so keep a regional ACL only for traffic that can reach the ALB without passing through CloudFront.
6. Consolidate Bot Control configuration
AWS Bot Control is a managed rule group at $10/month per web ACL it is added to plus $1 per million requests it evaluates (Common tier). Managed rule groups cannot be nested inside a rule group you own, so the subscription is paid once per ACL that references it, and multi-ACL estates pay it repeatedly. Two things reduce it: consolidating ACLs (optimisation 1), and adding a scope-down statement to the Bot Control reference so that only the paths that need bot inspection (dynamic pages, APIs, checkout) are evaluated. Requests that fall outside the scope-down statement are not evaluated by the rule group and are not charged its per-request fee.
7. Use Shield Advanced's bundled WAF
Shield Advanced ($3,000/month on a one-year commitment, plus data transfer fees) waives the standard AWS WAF charges (web ACL, rule and request fees) for resources you have added to Shield Advanced protection. It does not waive Bot Control, ATP, ACFP or Marketplace rule group fees. For customers already paying for Shield Advanced, the base WAF line for protected resources should be zero; the common audit finding is web ACLs attached to resources that were never enrolled in Shield Advanced, to which the waiver therefore does not apply.
Audit your billing against the list of Shield Advanced protected resources and enrol any WAF-fronted resource that is missing from it.
WAF Capacity Units
WAFv2 introduced Web ACL Capacity Units (WCUs) to bound rule complexity per ACL. Each ACL has a default budget of 1,500 WCUs, which can be raised to 5,000 on request. WCU is a complexity metric rather than a billing dimension, but it affects cost in two ways: the $0.60 per million request rate applies to ACLs within 1,500 WCUs, and ACLs above that carry a per-million surcharge that grows with capacity (check the current pricing page for the rate); and an ACL that cannot fit its budget gets split.
If your ACL hits the WCU limit, you are forced either to split it, multiplying the per-ACL fee, or to raise the budget, raising the per-request rate. Managed rule groups are the usual culprit (the Core Rule Set alone is 700 WCUs), so scope-down statements and dropping unused managed groups are the first things to try before either.
Multi-region and global WAF
WAF for CloudFront uses the global CLOUDFRONT scope (administered from us-east-1); WAF for ALB, API Gateway and the other regional resources is per Region. Multi-region deployments mean separate ACLs per Region, multiplying the ACL count.
Consolidation tactic: put all customer-facing traffic behind CloudFront and use a single global ACL. Internal regional ALBs can share a regional ACL per region.
WAF logging cost
WAF logs can be sent to CloudWatch Logs, S3 or Kinesis Data Firehose; whichever you use, the destination name must start with aws-waf-logs-. CloudWatch Logs is the most expensive at $0.50/GB ingested. S3 is the cheapest at $0.023/GB-month stored (plus per-request PUT charges). Firehose adds a per-GB ingestion charge but supports buffering, transformation and delivery to several destinations.
For high-traffic ACLs, unfiltered WAF logs can cost more than the ACL and rule fees combined. Default to S3, filter out allowed requests, and apply a lifecycle policy that moves logs to cold storage after 30 days and deletes them at the end of your retention period.
EDP overlay
WAF negotiable items in an EDP:
- Per-ACL fee waiver at high ACL count.
- Per-rule fee tiered above 100 rules.
- Request inspection volume tier below $0.60 per million at high volume.
- Bundled Shield Advanced plus WAF pricing.
- Marketplace rule group discount (AWS receives a portion of these fees).
When to use third-party WAF
Cloudflare, Fastly, and Akamai all offer WAF as part of their edge platforms, often at competitive pricing for customers already using those CDNs. The TCO comparison depends on:
- CDN spend on the third-party platform (often replaces CloudFront).
- Migration cost for existing WAF rule sets.
- Operational integration cost (logs, alerts, SOC workflows).
- Compliance attestations (PCI, SOC 2, FedRAMP).
For customers with $20M+ AWS spend and significant CloudFront usage, native AWS WAF is usually the right answer. For customers with $1M to $10M AWS spend who are already optimising CDN cost aggressively, a third-party WAF bundled with that CDN may come out cheaper.
Action checklist
- Inventory every Web ACL with rule count and request volume.
- Identify candidate consolidations (multiple ACLs with identical rules).
- Audit Marketplace Managed Rule firing rates; remove rules with zero matches.
- Move WAF logs from CloudWatch Logs to S3 with lifecycle policies.
- Confirm Shield Advanced WAF inclusion is correctly billed.
- Migrate ALB WAF to CloudFront-attached WAF where possible.
- Scope WAF in your next EDP cycle.
- Contact our advisory team for a WAF audit benchmarked against $2.4B+ of reviewed AWS spend.
See our AWS security cost strategy pillar, Shield Advanced vs Standard piece, and CloudFront pricing optimization guide for the full picture.
WAF Bot Control deep-dive
AWS WAF Bot Control is a managed rule group focused on automated traffic. Pricing is $10/month per ACL plus $1 per million inspected requests.
Bot Control's two tiers:
- Common Bots tier. Detects well-known bot signatures (search engines, monitoring tools, scrapers). Free signature updates.
- Targeted Bots tier. Adds detection for sophisticated bots, including challenge-response and CAPTCHA fallback. Extra per-request cost.
For most enterprises, Common Bots tier is adequate. Targeted Bots is justified only for fraud-sensitive industries (e-commerce checkout, financial trading APIs, ticketing).
CAPTCHA and Challenge actions
WAF supports CAPTCHA and Challenge actions on suspect requests. Each CAPTCHA presentation costs approximately $0.40 per 1,000. Each Challenge (silent browser fingerprint validation) costs approximately $0.05 per 1,000.
At a high-bot-volume site, CAPTCHA and Challenge can become the second-largest WAF line item after request inspection. Use sparingly: trigger only on high-confidence bot patterns, not on every suspect request.
Account Takeover Prevention (ATP)
ATP is a WAF managed rule group focused on credential stuffing and brute-force login attacks. Pricing: $10/month per web ACL plus $1 per 1,000 login attempts analysed. Note that the meter is per thousand, not per million, which is why the rule group must be pointed at the login path only.
Decision: enable ATP on login endpoints only, not on every ACL. ATP needs the login path and the location of the username and password fields in the request; get either wrong and it can block legitimate logins, so run it in count mode for 30 days and review the counted requests before switching to block.
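The two rule entries discussed above, Bot Control with a scope-down statement (optimisation 6) and ATP pinned to the login endpoint in count mode, as an added example rather than the page's own code. The dicts are the Rules[] entries boto3's wafv2 update_web_acl accepts, with field names as in the wafv2 API; the paths, priorities, metric names and JSON field pointers are assumptions for illustration, and the login payload is assumed to be JSON with "username" and "password" keys. SearchString is bytes because that is what boto3 expects.

```python
"""Rules[] entries for a WAFv2 web ACL: Bot Control scoped to the paths that need it,
and ATP on the login endpoint only, defaulting to count mode.

Added example; not the page's own code. Paths, priorities, metric names and the
JSON pointers for the username and password fields are assumptions.
"""


def _uri_starts_with(prefix):
    """Match requests whose URI path begins with `prefix`."""
    return {"ByteMatchStatement": {
        "SearchString": prefix.encode(),
        "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": "STARTS_WITH"}}


def _method_is(method):
    """Match requests with the given HTTP method."""
    return {"ByteMatchStatement": {
        "SearchString": method.encode(),
        "FieldToMatch": {"Method": {}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": "EXACTLY"}}


def _any_of(statements):
    """OrStatement needs at least two statements; a single one is returned as-is."""
    return statements[0] if len(statements) == 1 else {"OrStatement": {"Statements": statements}}


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def bot_control_rule(priority, inspected_prefixes, inspection_level="COMMON"):
    """Bot Control evaluated only on the path prefixes that need it. Requests outside
    the scope-down statement never enter the rule group and are not charged its fee."""
    return {
        "Name": "BotControl",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesBotControlRuleSet",
            "ManagedRuleGroupConfigs": [
                {"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": inspection_level}}],
            "ScopeDownStatement": _any_of([_uri_starts_with(p) for p in inspected_prefixes]),
        }},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility("BotControl"),
    }


def atp_login_rule(priority, login_path, username_pointer="/username",
                   password_pointer="/password", count_only=True):
    """ATP on the login endpoint only; count_only=True is the 30-day soak mode."""
    return {
        "Name": "ATP-login",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesATPRuleSet",
            "ManagedRuleGroupConfigs": [{"AWSManagedRulesATPRuleSet": {
                "LoginPath": login_path,
                "RequestInspection": {
                    "PayloadType": "JSON",
                    "UsernameField": {"Identifier": username_pointer},
                    "PasswordField": {"Identifier": password_pointer}}}}],
            # Only POSTs to the login path go through the rule group at all.
            "ScopeDownStatement": {"AndStatement": {"Statements": [
                _uri_starts_with(login_path), _method_is("POST")]}},
        }},
        # OverrideAction Count turns every rule in the group into COUNT.
        # Switch to {"None": {}} to enforce the group's own actions.
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": _visibility("ATPLogin"),
    }


def bot_control_monthly(total_requests_millions, in_scope_fraction,
                        subscription=10.0, per_million=1.0):
    """Bot Control cost for one ACL at the prices stated above, given the share of
    requests the scope-down statement lets through to the rule group."""
    return round(subscription + per_million * total_requests_millions * in_scope_fraction, 2)


if __name__ == "__main__":
    rules = [bot_control_rule(10, ["/api/", "/checkout"]), atp_login_rule(20, "/api/login")]
    print([r["Name"] for r in rules])
    print("Bot Control, everything in scope:", bot_control_monthly(2000, 1.0))
    print("Bot Control, 25% in scope:       ", bot_control_monthly(2000, 0.25))
```

The Bot Control figure is where the scope-down pays directly: on the 2B-request estate from the table, letting a quarter of traffic into the rule group costs $510 a month instead of $2,010. For ATP the usage meter is per 1,000 login attempts analysed, so the scope-down mainly keeps the group (and its WCUs) away from traffic it has no business touching.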
Account Creation Fraud Prevention
Newer managed rule group focused on fake account registration. Same pricing structure as ATP. Enable on registration endpoints only.
WAF SDK integration costs
The AWS WAF JavaScript SDK and mobile SDKs (Android/iOS) provide client-side challenge tokens. Tokens reduce false positives but require client code integration.
No direct AWS charge for the SDK, but the indirect cost of mobile app version compatibility and SDK update tracking is real. For organisations using the SDK across mobile and web, the engineering investment is meaningful.
WAF rate-based rules at scale
Rate-based rules count toward the ACL's rule count like any other rule, and cost 2 WCUs as a base plus the WCUs of any scope-down statement nested inside them.
For ACLs near the 1,500 WCU default, adding rate-based rules may push you over. Raising the budget to 5,000 WCUs carries no fee of its own but raises the per-million request rate, so treat the need for it as a signal that the ACL wants refactoring rather than as a free upgrade.
Logging the right things
WAF logging configuration heavily affects cost. With logging enabled and no filter, every request the ACL evaluates is written to the destination, allowed ones included.
Optimisations:
- Log only blocked and counted requests (not allowed). Cuts log volume by 95%+, at the cost of the record of allowed traffic; if incident response needs allowed requests on login or admin paths, label those with a custom rule and keep them with a label condition.
- Use S3 destination with lifecycle policies (Glacier after 30 days, delete after 1 year).
- WAF logging has no percentage sampling; the console's sampled-requests view is an ad hoc visibility feature. What you can tune is the logging filter (by action or label) and which ACLs log at all.
- Use Kinesis Firehose for transformation and routing to multiple destinations.
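The "blocked and counted only" filter from the first bullet, written as the LoggingFilter structure wafv2 put_logging_configuration accepts, plus a local simulator that runs the same filter over sample records so you can size the cut before changing production logging. This is an added example, not the page's own code. The evaluation order (filters tried in order, the first whose requirement is met decides, otherwise DefaultBehavior) is this example's reading of the service's semantics; the bot-control label name is one of the published Bot Control signal labels; the sample records are constructed, not real traffic.

```python
"""Simulate an AWS WAF logging filter against sample log records to size the cut.

Added example; not the page's own code. LOGGING_FILTER is the structure passed as
LoggingFilter to wafv2 put_logging_configuration. The evaluation below is this
example's reading of the service semantics (first matching filter decides).
"""
import json

BOT_SIGNAL_LABEL = "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"

# Keep records where something blocked, counted or challenged the request, or where
# Bot Control raised a signal label; drop everything else (the plain allowed traffic).
LOGGING_FILTER = {
    "DefaultBehavior": "DROP",
    "Filters": [
        {"Behavior": "KEEP", "Requirement": "MEETS_ANY",
         "Conditions": [
             {"ActionCondition": {"Action": "BLOCK"}},
             {"ActionCondition": {"Action": "COUNT"}},
             {"ActionCondition": {"Action": "CAPTCHA"}},
             {"LabelNameCondition": {"LabelName": BOT_SIGNAL_LABEL}},
         ]},
    ],
}


def _actions_in_record(record):
    """Actions a record contains: the terminating action plus any COUNT matches."""
    actions = {record.get("action")}
    for rule in record.get("nonTerminatingMatchingRules", []):
        actions.add(rule.get("action"))
    for group in record.get("ruleGroupList", []):
        for rule in group.get("nonTerminatingMatchingRules") or []:
            actions.add(rule.get("action"))
    return actions


def _condition_met(condition, record):
    if "ActionCondition" in condition:
        return condition["ActionCondition"]["Action"] in _actions_in_record(record)
    if "LabelNameCondition" in condition:
        labels = {label["name"] for label in record.get("labels", [])}
        return condition["LabelNameCondition"]["LabelName"] in labels
    raise ValueError(f"unsupported condition: {condition}")


def keep_record(record, logging_filter=LOGGING_FILTER):
    """True if the filter would write this record to the log destination."""
    for f in logging_filter["Filters"]:
        results = [_condition_met(c, record) for c in f["Conditions"]]
        met = any(results) if f["Requirement"] == "MEETS_ANY" else all(results)
        if met:
            return f["Behavior"] == "KEEP"
    return logging_filter["DefaultBehavior"] == "KEEP"


def apply_filter(log_lines, logging_filter=LOGGING_FILTER):
    return [line for line in log_lines if keep_record(json.loads(line), logging_filter)]


def reduction(log_lines, logging_filter=LOGGING_FILTER):
    """Fraction of records the filter drops."""
    return 1 - len(apply_filter(log_lines, logging_filter)) / len(log_lines)


def constructed_sample(n_allowed=95):
    """Constructed records: n_allowed plain allowed requests plus five that matched something."""
    base = {"formatVersion": 1, "httpRequest": {"uri": "/", "clientIp": "203.0.113.5"}}
    records = [dict(base, timestamp=1700000000000 + i, action="ALLOW") for i in range(n_allowed)]
    records += [
        dict(base, action="BLOCK", terminatingRuleId="AWS-AWSManagedRulesCommonRuleSet"),
        dict(base, action="BLOCK", terminatingRuleId="rate-limit-login"),
        dict(base, action="CAPTCHA", terminatingRuleId="BotControl"),
        dict(base, action="ALLOW",
             nonTerminatingMatchingRules=[{"ruleId": "SizeRestrictions_BODY", "action": "COUNT"}]),
        dict(base, action="ALLOW", labels=[{"name": BOT_SIGNAL_LABEL}]),
    ]
    return [json.dumps(r) for r in records]


if __name__ == "__main__":
    lines = constructed_sample()
    print(f"{len(lines)} records, {len(apply_filter(lines))} kept, {reduction(lines):.0%} dropped")
```

Run it over a day of your real S3 log objects instead of the constructed sample to get the actual ratio for your traffic mix; the 95% figure above assumes the typical case where nearly all requests are allowed without any rule matching. Adding a LabelNameCondition for a label your own rule sets on login or admin paths is how you keep allowed records for the traffic incident response cares about without paying to log everything else.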