๐Ÿ’ธ How to save thousands of dollars on AWS WAF

๐Ÿ’ธ How to save thousands of dollars on AWS WAF


4 min read

AWS WAF, the managed Web Application Firewall, is a commonly used service to secure APIs, load balancers, and applications.

But because of how the pricing model is set up for WAF, the costs can quickly spiral out of control when adhering to the AWS best practices on multi-account strategies. Namely, the cost of merely having a Web ACL created in an account is $5 per month, and then it's $1 per rule added to that Web ACL. It's a small amount for each account but snowballs as you have hundreds or thousands of accounts, which isn't uncommon in a larger organization, and before you know it, you're paying thousands of dollars just for having these rules existing.

The AWS WAF pricing page highlighting the Web ACL and Rule prices

๐Ÿ›ก๏ธ AWS Shield to the rescue

AWS Shield is a managed service that protects against DDOS attacks. The "Standard" version of Shield is free of charge, and all AWS users automatically benefit from this service. There's, however, also an "Advanced" version of this service that many might have heard about, but few actually have any hands-on experience with, as it's $3000 per month with a minimum of 12 months commitment - and there's no free tier. All accounts in the AWS Organization will benefit from the same subscription from the management account, though.

Shield Advanced offers a higher level of protection, you get access to the Shield Response Team, and a few other features. But, the somewhat unexpected key feature in this case actually lies within the pricing model:

Did you catch that? Let's look again.

Because the Amazon CloudFront Distribution is already protected under AWS Shield Advanced, there are no additional charges for AWS WAF web ACL, rule or request fees.

If a resource in an account is protected by Shield Advanced, the WAF Web ACL and Rule costs for that account are waived. But a Web ACL and its rules are not created as part of a resource; they're created individually and are then attached to a resource, so how does that actually work? It's not very intuitive, but the costs are waived for a specific Web ACL as long as at least one resource that Shield Advanced protects has the Web ACL attached.

โš ๏ธ Note that AWS Shield Advanced Data Transfer and other AWS WAF fees still apply. Managed rule groups such as Targeted Bots and Account Takeover Prevention are also not included in the Shield Advanced subscription.

What this means in practice is that if you're spending over $3000 per month on Web ACL and Rule fees, you can effectively cap those costs at $3000 and prevent them from spiraling further as your number of AWS accounts grows by subscribing to AWS Shield and enrolling your resources. And as an added bonus, you'll benefit from improved DDOS protection. Because of all this, it can be a good idea to automatically create a dummy resource that uses the Web ACL when vending new accounts - because otherwise, the fees won't be waived until a resource that does is deployed. Another important aspect is that you can use an AWS FirewallManager Policy, at no additional cost, to automatically subscribe all new accounts to Shield Advanced and protect all resources that use a WAF.

In conclusion, AWS Shield Advanced can be a game-changer when it comes to reducing the costs of AWS WAF. By protecting resources with Shield Advanced, the costs for WAF Web ACL and Rule are waived, which can save thousands of dollars for organizations with a large number of AWS accounts. While the high upfront cost of Shield Advanced may be daunting, the higher level of protection, access to the Shield Response Team, and, primarily, the cost savings on WAF can make it a fantastic hidden investment for organizations that heavily rely on AWS.

You can read more about AWS Shield Advanced here and about WAF best practices here!

Hi there, I'm Sebastian Bille! If you enjoyed this post or just want a constant feed of memes, AWS/serverless talk, and the occasional new blog post, make sure to follow me on Twitter at @TastefulElk or on LinkedIn ๐Ÿ‘‹

Elva is a serverless-first consulting company that can help you transform or begin your AWS journey for the future