AWS Firewall Manager pricing

Pricing overview

AWS Firewall Manager handles six types of protection policies - AWS WAF, AWS Shield, Amazon VPC security groups, AWS Network Firewall, Amazon Route 53 Resolver DNS Firewall and Third-party firewalls. AWS Firewall Manager protection policies are priced with a monthly fee per region (see pricing below)

For AWS Network Firewall protection policies, AWS Firewall Manager has these main pricing components:

  • AWS Firewall Manager protection policy - Monthly fee per Region.
  • AWS Network Firewall endpoints - Those created by Firewall Manager will be charged based on current pricing. For more details, see AWS Network Firewall pricing.
  • AWS Config Rules - Those rules created by Firewall Manager to monitor changes in resource configurations are charged based on current pricing. For more details, see AWS Config pricing.

You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments.

For AWS WAF protection policies, AWS Firewall Manager has these main pricing components:

  • AWS Firewall Manager protection policy - Monthly fee per Region.
  • AWS WAF WebACLs or Rules - Those created by Firewall Manager will be charged based on current pricing. For more details, see AWS WAF pricing.
  • AWS Config Rules - Those rules created by Firewall Manager to monitor changes in resource configurations are charged based on current pricing. For more details, see AWS Config pricing.

If you are an AWS Shield Advanced customer:

For AWS Shield Advanced customers, AWS Firewall Manager protection policy is included at no additional charge. Shield Advanced customers will be charged for the AWS Config rules created to monitor any changes in resource configurations. For more details, check the AWS Shield pricing and AWS Config pricing.

AWS Shield protection policies can be created using AWS Firewall Manager only for Shield Advanced users. The price is included in the AWS Shield Advanced subscription at no additional cost. In addition, the pricing components are as follows:

• AWS Shield Advanced Data Transfer Out Usage Fees: For more details, see AWS Shield pricing

• AWS Config Rules - Those rules created by Firewall Manager to monitor changes in resource configurations are charged based on current pricing. For more details, see AWS Config pricing

For Amazon VPC security group protection policies, AWS Firewall Manager has these main pricing components:

• AWS Firewall Manager protection policy - Monthly fee per Region.

• AWS Config Rules - Those rules created by Firewall Manager to monitor changes in resource configurations are charged based on current pricing. For more details, see AWS Config pricing.

You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments.

For Amazon Route 53 Resolver DNS Firewall protection policies, AWS Firewall Manager has these main pricing components:

  • AWS Firewall Manager protection policy - Monthly fee per Region.
  • Route 53 Resolver DNS Firewall charges- Rule groups created by Firewall Manager will be charged based on current pricing. For more details, see Route 53 Resolver DNS Firewall pricing.
  • AWS Config Rules - Those rules created by Firewall Manager to monitor changes in resource configurations are charged based on current pricing. For more details, see AWS Config pricing.

You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments.

For Third-party firewall protection policies, AWS Firewall Manager has these main pricing components:

  • AWS Firewall Manager protection policy - Monthly fee per Region.
  • Third-party firewall charges – Pricing information for Third-Party Firewalls are available on the AWS Marketplace Page.
  • AWS Config Rules - Those rules created by Firewall Manager to monitor changes in resource configurations are charged based on current pricing. For more details, see AWS Config pricing.

You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments.

Note: Some regions have per policy price > $100, please use regions drop down to obtain the price

AWS Firewall Manager pricing for customers

AWS Network Firewall protection policy


All public regions

AWS WAF protection policy


All public regions
Global (Amazon CloudFront locations)

AWS Shield Advanced protection policy


All public regions

Included for Shield Advanced customers. No charge per policy per Region

Global (Amazon CloudFront locations)

Included for Shield Advanced customers. No charge per policy per Region

  • AWS WAF WebACLs or Rules created by Firewall Manager - Included. No additional charge.
  • AWS Config rules created by Firewall Manager - See AWS Config pricing
  • AWS Shield Advanced - See AWS Shield pricing

Amazon VPC security group protection policy


All public regions

Amazon Route 53 Resolver DNS Firewall protection policy


All public regions

Third-party firewall protection policy


Fortinet

All public regions
Palo Alto

All public regions

Pricing examples

AWS WAF

Pricing example 1: AWS Firewall Manager policy with 1 account

Let’s assume you created a new protection policy for an Organization not subscribed to Shield Advanced with 1 AWS Account.

  • AWS Firewall Manager charges $100 per month for the policy.
  • In addition, AWS Firewall Manager creates two AWS Config rules per policy, per account. Let's assume that there are 100 configuration item (CI) changes across all resources per month, for a total of $0.30 (100 x $0.003) per month. In addition, let's assume there are 100 rule evaluations, resulting in $0.10 (100 x $0.001, where the first 100,000 evaluations are $0.001 each). The total AWS Config charges will be $0.40 per month ($0.30 + $0.10).
  • AWS Firewall Manager also creates a single AWS WAF WebACL and Rule, at a cost of $5 per WebACL per month and $1 per Rule per month.
  • At the end of the month your total charges will be $106.40 ($100 for AWS Firewall Manager, $0.40 for AWS Config and $6 for AWS WAF).
Item Qty Accounts $/month Monthly total
Protection Policy 1 1 $100.00 $100.00
AWS Config Configuration Item 100 1 $0.0030 $0.30
AWS Config rule evaluations 100 1 $0.001 $0.10
WAF WebACL 1 1 $5.00 $5.00
WAF Rule 1 1 $1.00 $1.00
Total       $106.40 per month

Pricing example 2: AWS Firewall Manager policy with 7 accounts

Let's assume you created a new protection policy for an Organization not subscribed to Shield Advanced with 7 AWS Accounts.

  • AWS Firewall Manager charges are $100 per month for (1) policy.
  • In addition, AWS Firewall Manager creates (2) AWS Config rules per policy, per account. Let's assume there are a total of 10,000 Config item changes across all accounts, accounting for $30 (10,000 x $0.003). In addition, let's assume there are 10,000 rule evaluations, resulting in $10 (10,000 x $0.001, where the first 10,000 evaluations are $0.001 each).
  • The total AWS Config charges are $40 per month ($30 + $10).
  • AWS Firewall Manager creates one AWS WAF WebACL and one Rule per account. Each WebACL costs $5 per month and Each Rule costs $1 per month, for a total of $42 per month = ($5 WebACL + $1 Rule) X 7 Accounts.
  • At the end of the month your charges will be a total of $182 ($100 for AWS Firewall Manager + $40 for AWS Config + $42 for AWS WAF).
Item Qty Accounts $/month Monthly total
Protection Policy 1 7 $100.00 $100.00
AWS Config Configuration Item 10,000 7
$0.0030 $30.00
AWS Config rule evaluations 10,000 7 $0.0010 $10.00
WebACL 1 7
$5.00 $35.00
WAF Rule 1 7
$1.00 $7.00
Total       $182.00 per month

Pricing example 3: AWS Firewall Manager policy with 7 accounts, with Shield Advanced

Let's assume the same scenario as example 2, and in addition you have subscribed to Shield Advanced. For more details, see AWS Shield pricing.

  • In that case, AWS Firewall Manager charges are $0 per month.
  • Further, your charges for AWS WAF are $0 per month.
  • In addition, AWS Firewall Manger creates (2) AWS Config rules per policy, per account. Let's assume there are a total of 10,000 Config item changes across all accounts, accounting for $30 (10,000 x $0.003). In addition, let's assume there are 10,000 rule evaluations, resulting in $10 (10,000 x $0.001, where the first 100,000 evaluations are $0.001 each). Your charges for the AWS Config rules are $40 per month.
  • So, at the end of the month, your total monthly charges will be $40.
Item Qty Accounts $/month Monthly total
Protection Policy 1 7 $0.00 $0.00
AWS Config Configuration Item 10,000 7
$0.0030 $30.00
AWS Config rule evaluations 10,000 7 $0.0010 $10.00
WebACL 1 7
$0.00 $0.00
WAF Rule 1 7
$0.00 $0.00
Total       $40.00 per month

VPC Security Groups

Pricing example 4: AWS Firewall Manager Policy with 10 Accounts and not subscribed to Shield Advanced

Let’s assume you created a new FMS common policy that creates VPC Security Groups to secure EC2 instances across 10 AWS Accounts in your Organization. You are not subscribed to Shield Advanced.

  • AWS Firewall Manager charges $100 per month for the policy.
  • In addition, AWS Firewall Manager creates two AWS Config rules per policy, per account. Let’s assume that there are 100 configuration item (CI) changes across all resources per month, for a total of $0.30 (=100 * $0.003) per month. In addition, let’s assume there are 100 rule evaluations, resulting in $0.10 (=100 * $0.001, where the first 100,000 evaluations are $0.001 each.) The total AWS Config charges will be $0.40 per month ($0.3 + $0.1).
  • At the end of the month your total charges will be $100.40 ($100 for AWS Firewall Manager and $0.4 for AWS Config).
Item Qty Accounts $/month Monthly total
Protection Policy 1 10 $100.00 $100.00
AWS Config Configuration Item  100 10 $0.0030 $0.30
AWS Config rule evaluations 100 10 $0.001 $0.10
Total       $100.40 per month

Pricing example 5: AWS Firewall Manager Policy with 10 Accounts and subscribed to Shield Advanced

Let’s assume you created a new FMS audit policy that audits VPC Security Groups on EC2 instances across 10 AWS Accounts in your Organization. You are subscribed to Shield Advanced.

  • AWS Firewall Manager charges $100 per month for the policy.
  • In addition, AWS Firewall Manager creates two AWS Config rules per policy, per account. Let’s assume that there are 100 configuration item (CI) changes across all resources per month, for a total of $0.30 (=100 * $0.003) per month. In addition, let’s assume there are 100 rule evaluations, resulting in $0.10 (=100 * $0.001, where the first 100,000 evaluations are $0.001 each.) The total AWS Config charges will be $0.40 per month ($0.3 + $0.1).
  • At the end of the month your total charges will be $100.40 ($100 for AWS Firewall Manager and $0.4 for AWS Config).
Item Qty Accounts $/month Monthly total
Protection Policy 1 10 $100.00 $100.00
AWS Config Configuration Item  100 10 $0.0030 $0.30
AWS Config rule evaluations 100 10 $0.001 $0.10
Total       $100.40 per month

AWS Network Firewall

Pricing example 6: AWS Firewall Manager Policy with 10 Accounts

Let’s assume you created a new Firewall Manager policy that creates AWS Network Firewalls endpoints in each of the 10 VPCs across 10 different AWS Accounts in your Organization. Assume each endpoint is active for one month (30 days) and a 2,500 GB are processed per month per endpoint

  • AWS Firewall Manager charges $100 per month for the policy.
  • AWS Network Firewall charges $0.395 per endpoint hour and $0.065 per GB processed. Based on the stated assumptions, this would result in a total charge of $4,469.00 ($284.40 (endpoint hour charges/month) + $162.50 (GB processing charges/month)) X 10 endpoints.
  • In addition, AWS Firewall Manager creates two AWS Config rules per policy, per account. Let’s assume that there are 100 configuration item (CI) changes across all resources per month, for a total of $0.30 (=100 * $0.003) per month. In addition, let’s assume there are 100 rule evaluations, resulting in $0.10 (=100 * $0.001, where the first 100,000 evaluations are $0.001 each.) The total AWS Config charges will be $0.40 per month ($0.3 + $0.1).
  • At the end of the month your total charges will be $4,569.40 ($100 for AWS Firewall Manager, $0.4 for AWS Config, and $4,469.00 for AWS Network Firewall).
Item Qty Accounts $/month Monthly total
Protection Policy 1 10 $100 $100
AWS Config Configuration Item 100 10 $0.0030 $0.30
AWS Config rule evaluations 100 10 $0.001 $0.10
AWS Network Firewall 10 10 $446.9 $4,469.00
Total       $4,569.40 per month

Amazon Route 53 Resolver DNS Firewall

Pricing example 7: AWS Firewall Manager policy for Route 53 Resolver DNS Firewall with 10 accounts in scope
 

Assume you create a new Firewall Manager Policy that creates Amazon Route 53 Resolver DNS Firewall rule group associations in each of the 10 VPCs across 10 different AWS Accounts in AWS Organizations. Also assume that the rule group associations use a centrally-shared domain list that contains 30,000 domain names that these rule groups use for DNS traffic filtering. Assume the firewall is active for one month (30 days) and each VPC has an average query volume of 10 queries per second.

  • AWS Firewall Manager charges $100 per month for the policy.
  • In addition, AWS Firewall Manager creates two AWS Config rules per policy, per account. Let’s assume that there are 100 configuration item (CI) changes across all resources per month, for a total of $0.30 (=100 * $0.003) per month. In addition, let’s assume there are 100 rule evaluations, resulting in $0.10 (=100 * $0.001, where the first 100,000 evaluations are $0.001 each.) The total AWS Config charges will be $0.40 per month ($0.3 + $0.1).
  • DNS Firewall charges $0.60 per MM queries processed, and $0.0005 per domain name stored per month. Based on the stated assumptions this would result in charges of $1570.20. (10 VPCS * 10 Accts * 10 queries per second = 1,000 queries * 86, 400 seconds per day * 30 days = 2,592,000,000 queries per month *$0.60 per MM queries = $1,555.20 per month for query charges + 30,000 domains *0.0005 per domain = $15 per month for domain charges)
At the end of the month your total charges will be $1,670.60 ($100 for AWS Firewall Manager, $0.4 for AWS Config, and $1570.20 for Amazon Route 53 Resolver DNS Firewall).
Item Qty Accounts $/month Monthly total
Protection Policy 1 10 $100 $100
AWS Config Configuration Item 100 10 $0.0030 $0.30
AWS Config rule evaluations 100 10 $0.001 $0.10
Amazon Route 53 Resolver DNS Firewall 10 10 $1570.20 $1570.20
Total       $1,670.60 per month

Additional pricing resources

AWS Pricing Calculator

Easily calculate your monthly costs with AWS

Get pricing assistance

Contact AWS specialists to get a personalized quote