AWS Web Application Firewall

by Amazon Web Services

WAFPlanet Rating: 4.3

Native AWS WAF with pay-per-use pricing starting at $5/mo per Web ACL, $1/rule, and $0.60 per million requests. Protects CloudFront, ALB, and API Gateway workloads.

Company: Amazon Web Services
Pricing: Pay-per-use (rules + requests)
Founded: 2006

Overview

AWS WAF is Amazon Web Services' cloud-native web application firewall, designed to protect applications running on AWS infrastructure. It integrates seamlessly with Amazon CloudFront, Application Load Balancer, Amazon API Gateway, and AWS AppSync.

AWS WAF Pricing in 2026

AWS WAF uses a component-based pricing model with three charges: $5.00 per Web ACL per month, $1.00 per rule per month, and $0.60 per million requests. There's no minimum fee and no upfront commitment.

For a typical small site processing 1 million requests/month with 10 rules, that works out to roughly $15.60/month. A medium site at 50 million requests/month with 20 rules and 2 managed rule groups runs about $115/month. High-traffic sites at 500 million requests/month can expect $500+/month depending on rule complexity.

Watch out for add-on costs: Bot Control adds $10/month plus $1/million requests, AWS Shield Advanced is $3,000/month for DDoS protection, and managed rule groups from the AWS Marketplace typically run $20-40/month each. CloudFront data transfer charges are separate.

The pay-per-use model works well for variable traffic but can lead to surprises during traffic spikes or DDoS attacks. If you want predictable monthly bills, a flat-rate WAF like Cloudflare might be a better fit.

Ratings Breakdown

Ease of Use 3.5/5
Value for Money 4.0/5
Customer Support 4.0/5
Features 4.5/5

Key Features

AWS Managed Rules

Pre-configured rule groups maintained by AWS and AWS Marketplace sellers for common threats.

Custom Rules

Build your own rules using conditions like IP addresses, HTTP headers, URI strings, and more.

Rate-Based Rules

Automatically block IPs that exceed defined request thresholds.

Bot Control

Managed rule group for detecting and managing bot traffic (additional cost).

Fraud Control

Account takeover prevention and creation fraud detection for login/signup pages.

Firewall Manager Integration

Centrally configure and manage WAF rules across multiple AWS accounts.

Pros & Cons

Pros

  • Native AWS integration

    Seamless integration with AWS services - deploy alongside your infrastructure with CloudFormation or Terraform.

  • Pay-per-use pricing

    Only pay for what you use - great for variable traffic patterns and cost optimization.

  • AWS Managed Rules

    Pre-built rule groups for common threats including OWASP, known bad inputs, and bot control.

  • Highly scalable

    Automatically scales with your AWS infrastructure without capacity planning.

  • Centralized management

    Use AWS Firewall Manager to deploy WAF rules across multiple accounts and resources.

Cons

  • AWS-only deployment

    Cannot protect applications outside of AWS infrastructure.

  • Complex pricing model

    Pay-per-use can lead to unexpected costs; requires monitoring and budgeting.

  • Steeper learning curve

    Requires AWS knowledge and understanding of WAF concepts to configure effectively.

  • Limited managed rules on base tier

    Many useful managed rule groups (like Bot Control) cost extra.

Pricing

Pricing model: Pay-per-use (rules + requests)

Small (1 ACL, 10 rules)

$15/month + $0.60/M requests

Typical small deployment with 1 Web ACL and 10 managed rules

  • 1 Web ACL ($5/mo)
  • 10 rules ($10/mo)
  • Request-based pricing

Medium (2 ACL, 25 rules)

$35/month + $0.60/M requests

Medium deployment with 2 Web ACLs and 25 managed rules

  • 2 Web ACLs ($10/mo)
  • 25 rules ($25/mo)
  • Bot Control ready

Large (5 ACL, 50 rules)

$75/month + $0.60/M requests

Large deployment with multi-account WAF management

  • 5 Web ACLs ($25/mo)
  • 50 rules ($50/mo)
  • Firewall Manager recommended

Our Verdict

AWS WAF is the natural choice for organizations running applications on AWS. Its deep integration with AWS services and infrastructure-as-code support makes it easy to deploy alongside your applications.

Pricing starts low (around $15/month for small sites) but scales with usage. The component-based model ($5/Web ACL + $1/rule + $0.60/million requests) rewards optimization but can surprise you during traffic spikes. Budget-conscious teams should monitor costs closely or consider flat-rate alternatives for high-traffic sites.

Our verdict: Best WAF for AWS-native applications, especially when using infrastructure as code. The pricing model works well if you already understand your traffic patterns.

CVE Coverage

AWS Web Application Firewall can detect and block attacks matching 111K+ known CVEs based on its supported rule sets.

Critical: 14K+
High: 26K+
Medium: 45K+
Low: 1.7K+

Coverage by Attack Type

19K+ CVEs
12K+ CVEs
9.1K+ CVEs
6.5K+ CVEs
5.9K+ CVEs
4.1K+ CVEs
3.6K+ CVEs
2.7K+ CVEs
Open Redirect Medium
1.5K+ CVEs
1.2K+ CVEs
1.1K+ CVEs

Latest Blockable CVEs

CVE Severity
CVE-2026-49294 UNKNOWN
CVE-2026-20262 MEDIUM
CVE-2026-9863 UNKNOWN
CVE-2026-9862 UNKNOWN
CVE-2025-15659 UNKNOWN
CVE-2025-15658 UNKNOWN
CVE-2026-52704 UNKNOWN
CVE-2019-25746 HIGH
CVE-2018-25436 CRITICAL
CVE-2016-20084 HIGH

Frequently Asked Questions

How much does AWS WAF cost per month?

AWS WAF pricing has three components: $5.00 per Web ACL per month, $1.00 per rule per month, and $0.60 per million requests processed. A small deployment with 1 Web ACL, 10 rules, and 1 million requests costs about $15.60/month. Mid-size deployments typically run $100-200/month. There are no minimum fees or upfront commitments.

How does AWS WAF pricing per million requests work?

AWS WAF charges $0.60 per million web requests inspected, regardless of which rule matched. This is on top of the base costs for Web ACLs ($5/each/month) and rules ($1/each/month). So if your site handles 50 million requests per month, the request charge alone is $30. Bot Control adds an extra $1.00 per million requests on top of that.

Does AWS WAF have a free tier?

AWS WAF does not have a permanent free tier. New AWS accounts get 12 months of AWS Free Tier benefits, but WAF is not included. You pay from the first Web ACL and first request. If you need free WAF protection, consider Cloudflare's free plan or open-source options like ModSecurity.

What does AWS Shield Advanced cost on top of AWS WAF?

AWS Shield Advanced costs $3,000 per month with a 1-year commitment, plus data transfer fees during DDoS attacks. It includes enhanced DDoS protection, 24/7 DDoS Response Team access, and cost protection (AWS credits back charges from DDoS-related scaling). Most small to mid-size deployments don't need Shield Advanced.

Can AWS WAF protect non-AWS applications?

AWS WAF can only directly protect AWS resources (CloudFront, ALB, API Gateway). However, you could route external traffic through CloudFront to gain WAF protection, though this adds complexity and latency.

How does AWS WAF pricing compare to Cloudflare?

AWS WAF uses pay-per-use pricing while Cloudflare has fixed monthly tiers ($0/20/200/custom). For sites under 5 million requests/month, AWS WAF is often cheaper. Above that, Cloudflare's flat rate becomes better value because you don't pay per request. See our full Cloudflare vs AWS WAF comparison.
