AWS Cloud Financial Management

How to estimate your AWS WAF and AWS Shield Advanced cost?

This blog post is contributed by Benjamin Lecoq, AWS Senior Technical Account Manager

Most of our cost management blog posts focus on sharing best practices for managing and optimizing your overall AWS usage and spend. In this post, we will narrow our scope to talk about how you can estimate your spend on your AWS security products.

Protecting your web applications from common web exploits is essential for safeguarding intellectual property and information security. However, doing so can be costly without a clear understanding of the pricing and effective cost management. AWS provides a variety of security services, including AWS WAF, AWS Firewall Manager, and AWS Shield Advanced. Together, these services form a comprehensive security solution for your web application protection.

With AWS WAF, you can create security rules to block common attack patterns. You can centrally automate and simplify AWS WAF rules using AWS Firewall Manager. AWS Shield Advanced is a comprehensive application security suite that tailors detection based on your application traffic patterns, provides detailed attack reporting, and gives access to dedicated support from the DDoS Response Team (DRT). It allows you to group resources into protection groups to baseline traffic by application rather than by resource, and provides proactive engagement from the response team when an attack is detected.

If you want granular control over your resource protection, AWS WAF alone is the right choice. If you want to use AWS WAF across accounts, accelerate your AWS WAF configuration, and/or automate protection of new resources, we’d recommend using AWS Firewall Manager with AWS WAF.

Finally, if your websites are highly visible and are prone to frequent DDoS attacks, you should consider purchasing additional features that AWS Shield Advanced provides. Read more about how to choose from AWS WAF, AWS Firewall Manager, and AWS Shield Advanced from this documentation.

Now let’s look at the pricing structure of AWS Shield.

AWS Shield Advanced is a paid service that comprises two pricing components:

  • A Monthly Fee
  • Data Transfer Out (DTO) Usage Fees of your protected resources

The monthly fee is a fixed price, whereas the Data Transfer Out usage fees vary with your usage. The goal of this post is to show how you can evaluate your current DTO usage fee in order to know in advance how much you will pay for AWS Shield Advanced, and to proactively adjust your usage if needed.

Here are the frequently asked questions from our customers on this topic.

Question 1: AWS Shield Advanced seems to be a product I could benefit from; however, since part of the price is based on the Data Transfer Out (DTO) usage fee, which varies month to month, I’m struggling to forecast how much exactly the product is going to cost me.

Question 2: I’m using AWS WAF today to protect my environment. According to the AWS Shield Advanced pricing, once I enable AWS Shield Advanced for a given resource, I will stop paying for AWS WAF for this specific resource, since it is included in AWS Shield Advanced product price. I would like to know in this case how much I will save on my AWS WAF bill.

In order to generate an estimate, you will need to explore cost and usage data available in AWS Cost and Usage Report. Please read this user guide “Creating Cost and Usage Reports” that explains how to enable it.

While you create your Cost and Usage Report, don’t forget to select “Include resource IDs” as stated in the above-mentioned user guide; otherwise the column ‘line_item_resource_id’ will be missing from the report, and we will need it later in the article.

Once you have enabled your “AWS Cost and Usage Report” (CUR) you need to integrate it with Athena in order to further explore your usage information. Follow the instructions in this user guide “Setting up Amazon Athena integration”.

Once CUR is enabled and integrated with Athena, you can run the following queries to get the current usage of the resources you would like to protect with AWS Shield Advanced. For instructions on how to run queries using Amazon Athena, please read this user guide.

1) Estimate my AWS Shield Advanced monthly cost based on my current resources usage

This is the query you need to run in Athena. It extracts, for a given past month, the Data Transfer Out (DTO) usage of the resources you would like to protect with AWS Shield Advanced.

SELECT
  product_product_name AS Product,
  line_item_resource_id AS ResourceID,
  ROUND(SUM(CAST(line_item_usage_amount AS double)),0) AS DTO,
  pricing_unit AS Unit
FROM
  cur_YourPayerAccountIdHere_202009
WHERE
  product_product_name IN ('Elastic Load Balancing','Amazon Elastic Compute Cloud','Amazon CloudFront')
  AND product_product_family = 'Data Transfer'
  AND product_transfer_type IN ('AWS Outbound','CloudFront Outbound')
  -- Enter here the ARNs of the resources you want to evaluate
  AND line_item_resource_id IN (
    'arn:partition:service:region:account-id:resource-id1',
    'arn:partition:service:region:account-id:resource-id2')
GROUP BY
  product_product_name,
  line_item_resource_id,
  pricing_unit
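As an added example (not code from the post), the Python helper below fills the two hand-edited parameters of the query above from a table name and a list of ARNs, rejecting malformed input, and then prices the rows the query returns with cumulative DTO price bands. The sample rows and the rates in ASSUMED_TIERS are constructed placeholders, not AWS prices, and pricing per product is an assumption of this example; take the real tiers from the AWS Shield Advanced pricing page.

```python
import re
# Guards for the two values the post tells you to edit by hand (CUR table name and
# resource ARNs); anything else is rejected so stray quotes never reach the SQL.
TABLE_RE = re.compile(r"^cur_\d{12}_\d{6}$")
ARN_RE = re.compile(r"^arn:[a-z-]+:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:[^']+$")

def build_dto_query(table, arns):
    """Return the post's DTO query with the table name and ARN list filled in."""
    if not TABLE_RE.match(table):
        raise ValueError(f"unexpected CUR table name: {table!r}")
    if not arns or any(not ARN_RE.match(a) for a in arns):
        raise ValueError("every entry must be a well-formed ARN")
    arn_list = ", ".join(f"'{a}'" for a in arns)
    return (
        "SELECT product_product_name AS Product, line_item_resource_id AS ResourceID, "
        "ROUND(SUM(CAST(line_item_usage_amount AS double)),0) AS DTO, pricing_unit AS Unit "
        f"FROM {table} WHERE product_product_name IN ('Elastic Load Balancing',"
        "'Amazon Elastic Compute Cloud','Amazon CloudFront') "
        "AND product_product_family = 'Data Transfer' AND product_transfer_type IN ('AWS Outbound','CloudFront Outbound') "
        f"AND line_item_resource_id IN ({arn_list}) "
        "GROUP BY product_product_name, line_item_resource_id, pricing_unit"
    )
# Constructed sample of the rows the query returns: (Product, ResourceID, DTO, Unit).
SAMPLE_ROWS = [
    ("Amazon CloudFront", "arn:aws:cloudfront::111122223333:distribution/EXAMPLE1", 12000.0, "GB"),
    ("Elastic Load Balancing", "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc", 3500.0, "GB"),
]
# Placeholder price bands as (cumulative GB ceiling, USD per GB). NOT real Shield
# Advanced rates: copy the real tiers from the pricing page before relying on this.
ASSUMED_TIERS = {
    "Amazon CloudFront": [(10000, 0.02), (float("inf"), 0.01)],
    "Elastic Load Balancing": [(10000, 0.05), (float("inf"), 0.03)],
}

def tiered_cost(gb, tiers):
    """Price a volume across cumulative bands: the first band at rate 1, the rest at rate 2, ..."""
    cost, priced = 0.0, 0.0
    for ceiling, rate in tiers:
        band = max(0.0, min(gb, ceiling) - priced)  # share of this band actually used
        cost += band * rate
        priced += band
    return round(cost, 2)

def estimate_dto_fee(rows, tiers=ASSUMED_TIERS):
    """Sum DTO per product (assumption: bands apply per product) and price each total."""
    per_product = {}
    for product, _arn, dto, unit in rows:
        if unit != "GB":  # the query reports pricing_unit; refuse to price anything else
            raise ValueError(f"unexpected unit {unit!r}; convert to GB before pricing")
        per_product[product] = per_product.get(product, 0.0) + dto
    return {p: tiered_cost(gb, tiers[p]) for p, gb in per_product.items()}
```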
 
        
You need to change the following parameters to match your environment.

cur_YourPayerAccountIdHere_202009: Here you need to refer to the name of your Athena table in CUR for the month for which you want to evaluate consumption.

And also

arn:partition:service:region:account-id:resource-id1, arn:partition:service:region:account-id:resource-id2: Here you need to provide the list of resources (ELB, Elastic IP, CloudFront) for which you want to evaluate the previous consumption in terms of DTO.

Results will be similar to this

With these data, you will then refer to the AWS Shield Advanced Pricing Page to get an estimate.

2) Estimate how much you will save when you stop paying for AWS WAF and use AWS Shield Advanced instead

First, you need to identify which Web Access Control List (Web ACL) is currently protecting your resource. The next step is to get the ID of this Web ACL: go into your WAF console and check your Web ACL ID. You will need to specify the ID in the following query.
SELECT
  line_item_resource_id AS ResourceID,
  SUM(CAST(line_item_unblended_cost AS decimal(16,8))) AS TotalSpend
FROM
  cur_YourPayerAccountIdHere_202009
WHERE
  product_product_name = 'AWS WAF'
  -- Enter here the Web ACL ID taken from the WAF console
  AND line_item_resource_id LIKE '%AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE%'
GROUP BY
  line_item_resource_id

You need to change the following parameters to match your environment.

cur_YourPayerAccountIdHere_202009: Here you need to refer to the name of your Athena table in CUR for the month for which you want to evaluate consumption.

And also

AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE: Here you need to provide the Web ACL ID identified in the previous step.

Results will be similar to this

Conclusion

Now that you know how to estimate the cost of protecting your resources with AWS Shield Advanced, you will be able to weigh the extra protection and services this product brings against the cost it incurs.

 

Benjamin Lecoq

Benjamin Lecoq is a Principal Technical Account Manager at AWS with more than 20 years of industry experience. One of his main focuses is to help AWS Enterprise Customers ensure their AWS environments remain operationally healthy whilst reducing cost and complexity. In his previous work experience he has been a Service Delivery Manager, Support Business Unit Manager and Reverse Engineering expert.

Bowen Wang

Bowen is a Principal Product Marketing Manager for AWS Billing and Cost Management services. She focuses on enabling finance and business leaders to better understand the value of the cloud and ways to optimize their cloud financial management. In her previous career, she helped a tech start up enter the Chinese market.