Introduction to AWS WAF Pricing
This article outlines the pricing structure for various AWS WAF features, including the following:
Web Access Control List (Web ACL)
Requests
Rules
Intelligent Threat Mitigation
Account Takeover
Bot Control
By understanding the pricing structure of these features, you can plan and budget accordingly to use AWS WAF effectively.
It also includes a bonus section comparing a traditional WAF (AWS WAF) and a contemporary WAF (open-appsec WAF).
Stick to the end to read this!
How Are the AWS WAF Resources Priced?
AWS WAF pricing isn't fixed; it depends on the factors discussed below: the number of web ACLs you create, the number of rules you add per web ACL, the number of web requests your web app receives, and the number of add-ons (such as rule groups) per web ACL.
Web ACL: A web ACL is a container for rules (both custom and managed) that define conditions for allowing, blocking, or monitoring web traffic to your web application. Each rule in a web ACL defines how to inspect an HTTP request and the action to take when a request meets the inspection criteria. Cost: each web ACL costs $5.00 per month (prorated hourly).
Rule: AWS WAF rules define the conditions under which incoming traffic is allowed, blocked, or counted. You can define them to inspect incoming traffic for the following:
Malicious scripts
Country
Geographical location of the incoming request
Length of a specified part of the request
Furthermore, AWS WAF rules can be either managed (pre-configured and pre-defined to block common attack patterns) or custom (allowing you to specify how incoming traffic should be handled). Cost: each rule costs $1 per month (prorated hourly).
Request: AWS WAF inspects each incoming request and evaluates it against the rules you have defined to determine whether it should be allowed through or blocked. Cost: AWS WAF charges $0.60 per one million inspected requests.
Note that you will be charged an additional $1 per month for every rule group you add to the web ACL (the charge will be prorated hourly).
In addition, AWS WAF offers intelligent threat mitigation features, Bot Control and Account Takeover Prevention, for advanced protection against automated attacks. Note that using intelligent threat mitigation incurs additional charges.
AWS WAF Bot Control: With the Bot Control feature, you can monitor and block bots, such as:
Scrapers
Crawlers
Scanners
Search engines
It has a dashboard that shows how much of your app's traffic comes from bots and takes the appropriate security actions using the Bot Control managed rule group, which you add to your web ACL. The Bot Control managed rule group provides two protection levels to choose from: Common Bot Control and Targeted Bot Control.
Common Bot Control: Adds labels to self-identifying bots and protects your web app using traditional bot detection techniques. Cost: $1 per million inspected requests, $0.40 per one thousand analyzed CAPTCHA attempts, and $0.40 per ten thousand served challenge responses.
Targeted Bot Control: Adds detection for advanced bots that don't self-identify, using methods such as fingerprinting, browser interrogation, and behavioral heuristics to identify suspicious bot traffic, and then applies traditional bot mitigation techniques. Cost: $10 per one million inspected requests; analyzed CAPTCHA attempts and served challenge responses are free.
AWS WAF Account Takeover and Fraud Control: Account takeover is an application security attack in which an attacker gains unauthorized access to a user's account and uses it to perform malicious actions, typically with stolen credentials or by guessing the victim's password. Beyond stealing money, information, and services, the attacker may change the user's password or impersonate the victim to gain access to their other accounts. To counter this, AWS WAF offers a feature that detects and prevents malicious takeover attempts on your app's login page. It uses the Account Takeover Prevention managed rule group to manage and label requests that might be part of malicious account takeover attempts. The rule group inspects login attempts to your app's login page. It also maintains a regularly updated stolen credential database containing leaked credentials found on the dark web: it checks email and password combinations against this database and aggregates data by IP address and client session to detect and block clients that send suspicious requests. Cost: Fraud Control costs a $10 monthly subscription fee plus $1 per thousand requests for volumes from ten thousand up to two million requests.
Note: You can use the AWS pricing calculator to estimate how much it will cost to protect your web application with AWS WAF. If you use the Bot Control feature, you won't be charged for the first 10 million requests it analyzes per month, and if you use Fraud Control, your first ten thousand requests are analyzed for free.
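As an added example (not part of the original article or of AWS), the following Python estimator applies the list prices and free allowances quoted above to one month of usage. It assumes a full month with no hourly proration, bills rule groups like rules, and bills Fraud Control per request only within the ten-thousand to two-million band the article prices.

```python
from dataclasses import dataclass

# Article list prices (USD); a full month is assumed, no hourly proration.
WEB_ACL_MONTHLY, RULE_MONTHLY, REQUESTS_PER_MILLION = 5.00, 1.00, 0.60
BOT_FREE_REQUESTS = 10_000_000            # first 10M bot-analyzed requests free
COMMON_BOT_PER_MILLION = 1.00
COMMON_CAPTCHA_PER_1K, COMMON_CHALLENGE_PER_10K = 0.40, 0.40
TARGETED_BOT_PER_MILLION = 10.00          # CAPTCHA/challenge are free at this level
ATP_SUBSCRIPTION, ATP_PER_1K = 10.00, 1.00
ATP_FREE_REQUESTS, ATP_BAND_CEILING = 10_000, 2_000_000


@dataclass
class WafUsage:
    web_acls: int = 1
    rules: int = 0
    rule_groups: int = 0
    requests: int = 0            # all inspected requests per month
    bot_level: str = ""          # "", "common" or "targeted"
    bot_requests: int = 0        # requests reaching the Bot Control rule group
    captcha_attempts: int = 0
    challenge_responses: int = 0
    atp_enabled: bool = False
    login_requests: int = 0      # requests reaching the ATP rule group


def estimate_monthly_cost(u: WafUsage) -> dict:
    """Return a per-line-item monthly estimate plus total, following the article's tiers."""
    cost = {
        "web_acl": u.web_acls * WEB_ACL_MONTHLY,
        "rules": (u.rules + u.rule_groups) * RULE_MONTHLY,  # rule groups bill like rules
        "requests": u.requests / 1_000_000 * REQUESTS_PER_MILLION,
    }
    if u.bot_level:
        billable = max(u.bot_requests - BOT_FREE_REQUESTS, 0) / 1_000_000
        if u.bot_level == "common":
            cost["bot_control"] = (billable * COMMON_BOT_PER_MILLION
                                   + u.captcha_attempts / 1_000 * COMMON_CAPTCHA_PER_1K
                                   + u.challenge_responses / 10_000 * COMMON_CHALLENGE_PER_10K)
        elif u.bot_level == "targeted":
            cost["bot_control"] = billable * TARGETED_BOT_PER_MILLION
        else:
            raise ValueError(f"unknown bot level: {u.bot_level!r}")
    if u.atp_enabled:
        # Only the 10k..2M band is priced in the article; volume above 2M is not billed here.
        in_band = max(min(u.login_requests, ATP_BAND_CEILING) - ATP_FREE_REQUESTS, 0)
        cost["fraud_control"] = ATP_SUBSCRIPTION + in_band / 1_000 * ATP_PER_1K
    cost["total"] = round(sum(cost.values()), 2)
    return cost
```

Worked case: one web ACL, 5 rules plus the Bot Control rule group, 50 million requests of which 12 million reach Common Bot Control (20,000 CAPTCHA attempts, 100,000 challenge responses), and 60,000 login requests with Fraud Control enabled comes to $115.00 per month ($5 + $6 + $30 + $14 + $60).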
Bonus
Are you looking for a way to block web attacks on your web apps before they happen? Look no further, as open-appsec uses two machine learning algorithms to detect and preemptively block threats. Not only has the code been published on GitHub, but the effectiveness of its WAF has also been successfully proven in numerous tests by third parties. Hence, try open-appsec in the Playground today!
Traditional WAF vs. Contemporary WAF – AWS vs. open-appsec
| Factors | AWS WAF | open-appsec WAF |
| Type of System Configuration | Not available. | Declarative configuration. |
| DDoS Prevention | Uses a URL-specific rate-based rule to protect against DDoS attacks | Uses machine learning algorithms to preemptively detect malicious bots by comparing the history of benign requests against known malicious bot traits |
| Web Latency | Doesn't increase web latency. | No instances of increased web latency. |
| Web Attack Protection Features | Protects web apps against attacks using the AWS web ACL and managed and custom rules | Uses online and offline machine learning algorithms to protect against known and new attacks |
| Maintenance Complexity | Complex system maintenance procedure because of its signature-based detection approach | Easy system maintenance due to the absence of threat signatures, rules, and exceptions for web application protection |
| False Positives | Some false positive detections | Zero cases of false positives |
| Open-Source | Not open-source | Open-source |
| Free Version | Not charged for the first 10 million requests analyzed per month by the Bot feature, and the first ten thousand using Fraud Control | Free but has a paid premium version |
| Pricing Plans | Pricing is based on web ACL, rule, and request | Offers three pricing plans |
| Zero-day Prevention | No effective zero-day prevention feature. | Uses machine learning algorithms and threat prevention techniques to identify and mitigate zero-day attacks |
| WAF Community and Customer Service | Has a large community of users | Has a small community of users (makes it easier and faster to get solutions) |
| Machine-Learning App Security Approach | Not available | Uses machine learning algorithms to ensure the security of your web apps |
| Intrusion Prevention System | Not available | Uses the Snort 3.0 engine |
Conclusion
AWS WAF and open-appsec WAF are two different web application firewall solutions that employ different approaches to provide security for web applications. AWS WAF relies on a rules-based system and signatures to detect and prevent malicious traffic, while open-appsec WAF uses machine learning algorithms, anomaly detection, and behavioral analysis to protect against known and unknown web attacks. Try open-appsec in the Playground today.
Frequently Asked Questions
How much does a WAF cost per hour?
The cost of a WAF can vary depending on the vendor, the level of protection needed, and the deployment model (cloud-based or on-premise). Typically, cloud-based WAF services are priced based on the volume of traffic, the number of protected applications, and the level of security required. Hence, prices can range from a few cents to several dollars per hour, depending on the provider and the specific features you need.
It's best to research different vendors and pricing models to determine the cost of a WAF that meets your specific needs.
Is AWS WAF included in AWS Shield?
Yes, AWS WAF is included in AWS Shield Advanced.
AWS Shield Standard is a free service that provides basic protection against common DDoS attacks for all AWS customers. On the other hand, AWS Shield Advanced is a paid service offering more advanced protection against complex DDoS attacks and access to AWS WAF.
How much is Barracuda WAF?
Barracuda WAF offers a free trial but doesn't provide any pricing information on its website.
How do I reduce AWS WAF costs?
To reduce AWS WAF costs, use it with AWS Shield Advanced, as AWS WAF is then included at no additional charge. Also, apply scope-down statements to limit the requests a rule group evaluates: for example, apply the Bot Control rule group to specific pages only, rather than running it across your entire web application.