top of page

AWS WAF Pricing: Tips and Best Practices for Cost Optimization

Introduction to AWS WAF Pricing

This article outlines the pricing structure for various AWS WAF features, including the following:

  • Web Access Control List (Web ACL)

  • Requests

  • Rules

  • Intelligent Threat Mitigation

  • Account Takeover

  • Bot Control

By understanding the pricing structure of these features, you can plan and budget accordingly to use AWS WAF effectively.

It also includes a bonus section comparing a traditional WAF (AWS WAF) and a contemporary WAF (open-appsec WAF).

Stick to the end to read this!

How Are the AWS WAF Resources Priced?

AWS WAF pricing isn't fixed; instead, it's based on three factors that have been discussed below. These factors primarily include the number of access control lists that you create and the number of rules that you add per web ACL. It also takes into account the number of web requests that your web app receives and the number of add-ons per web content list.

  • Web ACL: It is a container for (both custom and managed) rules, which can define conditions for allowing, blocking, or monitoring web traffic to and from your web application. Each rule in a web ACL defines how to inspect an HTTP request and the course of action that must be taken when a request meets the inspection criteria. Cost: AWS WAF ACL costs $5.00 per month (prorated hourly).

  • Rule: AWS WAF rules define conditions for which incoming traffic will be allowed, blocked, or counted. You can define them to inspect incoming traffic for the following: - Malicious Scripts - Country - Geographical Location of the Incoming Request - Length of a Specified Part of the Request Furthermore, AWS WAF rules can either be managed (pre-configured and pre-defined to block common attack patterns) or custom (allowing you to create rules to specify how incoming traffic should be handled). Cost: Rules cost $1 per month (prorated hourly).

  • Request: AWS WAF inspects each incoming request and evaluates it against the rules you have defined to determine if it should be allowed to pass through or be blocked. Cost: AWS WAF charges $0.6 per one million inspected requests.

Note that you will be charged an additional $1 per month for every rule group you add to the web ACL (the charge will be prorated hourly).

In addition to this, AWS WAF has a threat intelligence section where it offers advanced protection from attacks through services like account takeover and bot control. It is important to note that utilization of intelligent threat mitigation entails additional charges.

  • AWS WAF Bot Control: With the AWS Bot Control feature, you can monitor and block bots, such as: - Scrapers - Crawlers - Scanners - Search Engines It has a dashboard that shows you how much of your app's traffic is coming from bots and takes appropriate security actions using the Bot Control managed rule group, which has been added to your web ACL. The Bot Control managed rule group provides two protection levels that you can choose from: Common Bot Control and Targeted Bot Control.

  • Common Bot Control: It adds labels to self-identifying bots and protects your web app using traditional bot techniques. Cost: This costs $1 per million inspected requests, $0.4 per one thousand analyzed captcha attempts, and $0.4 per ten thousand served challenge responses.

  • Targeted Bot Control: This option adds detection for advanced bots that don’t self-identify, using methods such as fingerprinting, browser interrogation, and behavior heuristics to identify suspicious bot traffic, and then implements traditional bot mitigation techniques. Cost: This costs $10 per one million inspected requests, but the analyzed captcha requests and served challenge responses are free.

  • AWS WAF Account Takeover and Fraud Control: Account takeover is an application security attack where an attacker gains unauthorized access to a user's account and uses it to perform malicious actions. Account takeover can be done using stolen credentials or by guessing the victim's password. Not only is an attacker likely to steal money, information, and services, but they might also change the user's password or even pretend to be the victim to gain access to their other accounts. To prevent this, AWS WAF offers this security feature to detect and prevent malicious takeover attempts on your app's login page. It uses the Account Takeover Prevention managed rule group to manage and label requests that might be part of malicious account takeover attempts. The rule group inspects login attempts to your app's login page. In addition to this, it also has a regularly updated stolen credential database containing leaked credentials found on the dark web. It checks email and password combinations against its stolen credential database and parses data by IP address and client session to detect and block clients that send suspicious requests. Cost: To use the AWS WAF Fraud Control, you can pay a $10 monthly subscription fee and $1 per thousand requests, from ten thousand to up to two million requests.

Note: you can use the pricing calculator to estimate how much it will cost to protect your web application using the AWS WAF. If you’re using its Bot feature, you won’t be charged for the first 10 million requests it analyzes per month, and if you’re using Fraud Control, your first ten thousand requests will be analyzed for free.


Are you looking for a way to block web attacks on your web apps before they happen? Look no further, as open-appsec uses two machine learning algorithms to detect and preemptively block threats. Not only has the code been published on GitHub, but the effectiveness of its WAF has also been successfully proven in numerous tests by third parties. Hence, try open-appsec in the Playground today!

Traditional WAF vs. Contemporary WAF – AWS vs. open-appsec



open-appsec WAF

Type of System Configuration

Not available.

Declarative configuration.

DDoS Prevention

Uses a URL-specific rate-based rule to protect against DDoS attacks

Uses machine learning algorithms to preemptively detect malicious bots by comparing the history of benign requests against known malicious bot traits

Web Latency

Doesn’t increase web latency.

No instances of increased web latency.

Web Attack Protection Features

Protects web apps against attacks using the AWS ACL and managed and custom rules

Uses online and offline machine learning algorithms to protect against known and new attacks

Maintenance Complexity

Complex system maintenance procedure because of its signature-based authentication approach

Easy system maintenance due to the absence of threat signatures, rules, and exceptions for web application protection

False Positives

Some false positive detections

Zero cases of false positives


Not an open-source


Free Version

Won’t be charged for the first 10 million requests it analyzes per month in its Bot feature, and first ten thousand using Fraud Control

Free but has a paid premium version

Pricing Plans

Pricing is based on web ACL, rule, and request

Offers three pricing plans:

  • Free community edition

  • Pay-as-you-go plan for every 1 million HTTP requests it monitors and analyzes for the Premium Plan

  • Annual payment per 100 million HTTP requests for the Enterprise Plan

Zero-day Prevention

No effective zero-day prevention feature.

Uses machine learning algorithms and threat prevention techniques to identify and mitigate zero-day attacks

WAF Community and Customer Service

Has a large community of users

Has a small community of users (makes it easier and faster to get solutions)

Machine-Learning App Security Approach

Not available

Uses machine learning algorithms to ensure the security of your web apps

Intrusion Prevention System

Not available

Uses Snort 3.0 engine


AWS WAF and open-appsec WAF are two different web application firewall solutions that employ different approaches to provide security for web applications. AWS WAF relies on a rules-based system and signatures to detect and prevent malicious traffic, while open-appsec WAF uses machine learning algorithms, anomaly detection, and behavioral analysis to protect against known and unknown web attacks. Try open-appsec in the Playground today.

Frequently Asked Questions

How much does a WAF cost per hour?

The cost of a WAF can vary depending on the vendor, the level of protection needed, and the deployment model (cloud-based or on-premise). Typically, cloud-based WAF services are priced based on the volume of traffic, the number of protected applications, and the level of security required. Hence, prices can range from a few cents to several dollars per hour, depending on the provider and the specific features you need.

It's best to research different vendors and pricing models to determine the cost of a WAF that meets your specific needs.

Is AWS WAF included in AWS Shield?

Yes, AWS WAF is included in AWS Shield Advanced.

AWS Shield Standard is a free service that provides basic protection against common DDoS attacks for all AWS customers. On the other hand, AWS Shield Advanced is a paid service offering more advanced protection against complex DDoS attacks and access to AWS WAF.

How much is Barracuda WAF?

Barracuda WAF offers a free trial but doesn't provide any pricing information on its website.

How do I reduce AWS WAF costs?

To reduce AWS WAF costs, use it with AWS Shield Advanced, as there are no additional charges. Also, apply scope-down statements to limit the rules analyzed. You can do this by assigning bot control rules to specific pages only to reduce the cost of running it across your entire web application.


Experiment with open-appsec for Linux, Kubernetes or Kong using a free virtual lab

bottom of page