Optimizing Tier 2 WAF Costs (Current Spend: $1000/month)


Hi everyone,

I'm reaching out for advice on optimizing the cost associated with my Tier 2 AWS WAF configuration. My current monthly bill is around $1,000, which seems high for my needs.

My Setup:

  • WAF Tier: Tier 2, Request Volume: 825586 requests per month
  • WAF Tier: Tier 1, Request Volume: 34189 requests per month

Current Web ACLs:

We have a total of 5 Web ACLs deployed across development, staging, and production environments. These Web ACLs share some custom rules:

  • jQuery-File-Upload_php
  • Whitelist
  • Whitelisted_IPs
  • Blacklist
  • FenceAllowed
  • BlockIPv4Requests
  • GeoFence

Additionally, they leverage the following AWS Managed Rule Sets:

  • AWS-AWSManagedRulesSQLiRuleSet
  • AWS-AWSManagedRulesCommonRuleSet
  • AWS-AWSManagedRulesWordPressRuleSet (if applicable)
  • AWS-AWSManagedRulesPHPRuleSet (if applicable)
  • AWS-AWSManagedRulesKnownBadInputsRuleSet
  • AWS-AWSManagedRulesAmazonIpReputationList
  • AWS-AWSManagedRulesAnonymousIpList
  • AWSManagedRulesLinuxRuleSet (if applicable)

Cost Reduction Strategies: I've been exploring cost-saving techniques and found resources suggesting:

  • Traffic Analysis: Differentiate legitimate traffic from potential attacks to focus WAF inspection on critical areas.
  • Rule Set Optimization: Review and potentially remove redundant or overly broad rules that might be unnecessarily inspecting requests.
  • WCUs and Rule Complexity: Evaluate if Tier 1 could be sufficient if my rules don't require high capacity or body inspection.

My Questions:

  • Additional Strategies: Are there other effective cost optimization strategies for Tier 2 WAF that I might be overlooking?
  • Tier 1 vs. Tier 2: Considering my current setup, would migrating to Tier 1 be a viable option without significantly compromising security?
  • Alternative Solutions: Are there cost-effective alternatives for basic web application security if WAF seems like overkill for my use case?

I appreciate any insights or recommendations the community can offer.

Thanks!

1 Answer

Do the tier 2 costs come from web ACL capacity units (WCUs), or from inspecting more of the request payload than is included in the base price, or both? If you're getting charged for extra WCUs, do all your five web ACLs exceed the amount included in tier 1 pricing?

EXPERT
Leo K
answered 16 days ago
  • Yes, tier 2 costs come from WCUs, and yes, a few of the web ACLs exceed the amount in tier 1 pricing. Any suggestions on what can be done?
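An added example, not part of the thread: a per-ACL WCU audit that totals rule-group capacity and shows whether dropping the "(if applicable)" rule sets that do not match the application brings the ACL back under the included capacity. The 1500-WCU base, the 500-WCU surcharge block, every WCU figure, the applicability flags and the `custom-rules` entry are assumptions or constructed sample data.

```python
import math

# Assumptions, not from the thread: 1500 WCUs are included in the base request
# price and each further 500-WCU block adds a per-request surcharge. Verify both
# against the current AWS WAF pricing page.
BASE_WCU, WCU_STEP = 1500, 500

# Constructed sample: one web ACL's rule groups as (name, WCUs, applies_to_app).
# WCU figures are illustrative; read real ones from the Capacity field of
# `aws wafv2 describe-managed-rule-group`.
SAMPLE_ACL = [
    ("AWS-AWSManagedRulesCommonRuleSet", 700, True),
    ("AWS-AWSManagedRulesSQLiRuleSet", 200, True),
    ("AWS-AWSManagedRulesKnownBadInputsRuleSet", 200, True),
    ("AWSManagedRulesLinuxRuleSet", 200, True),
    ("AWS-AWSManagedRulesPHPRuleSet", 100, False),        # assumed: app is not PHP
    ("AWS-AWSManagedRulesWordPressRuleSet", 100, False),  # assumed: not WordPress
    ("AWS-AWSManagedRulesAmazonIpReputationList", 25, True),
    ("AWS-AWSManagedRulesAnonymousIpList", 50, True),
    ("custom-rules", 60, True),  # hypothetical total for the shared custom rules
]

def extra_blocks(wcu):
    """Count the 500-WCU blocks billed above the included 1500."""
    return max(0, math.ceil((wcu - BASE_WCU) / WCU_STEP))

def audit(rules):
    """Total WCUs now, and after dropping rule groups that do not apply."""
    total = sum(w for _, w, _ in rules)
    droppable = [(n, w) for n, w, applies in rules if not applies]
    trimmed = total - sum(w for _, w in droppable)
    return {
        "total_wcu": total,
        "extra_blocks": extra_blocks(total),
        "droppable": droppable,
        "trimmed_wcu": trimmed,
        "extra_blocks_after": extra_blocks(trimmed),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

Run it once per web ACL with that ACL's real rule list; an ACL whose `extra_blocks_after` is 0 can return to the base tier by removing only the rule groups listed under `droppable`.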