I felt that it's better to use the new console both for cost reduction and to reduce operational burden when outputting logs to CloudWatch Logs with AWS WAF's Web ACL (protection pack)

Let's get used to the new console
2025.09.07

## The Cost of the Top Insights Section Loading Each Time You Open a Web ACL in the AWS Management Console

Hello, I'm nonPi (@non____97).

Have you ever wondered about the cost incurred when the Top Insights section runs every time you open a Web ACL in the AWS Management Console? I have.

The Top Insights section displayed in the Traffic Overview dashboard allows you to check more detailed information about traffic, such as URI paths and client IPs. This is available when you output Web ACL logs to CloudWatch Logs.

https://dev.classmethod.jp/articles/waf-console-top-insights-visualizations/

The information in this Top Insights section is displayed by running CloudWatch Logs Insights in the background.

From the note in the Top Insights section that says "The top insights section includes richer visualizations based on your CloudWatch logs. Loading this section incurs additional CloudWatch query costs. For more information on these costs, see CloudWatch pricing. For more information on security insights visualizations, see the AWS WAF Developer Guide," we can see that CloudWatch Logs Insights charges are incurred.

The Top Insights section is included in the Traffic overview dashboard.

The Traffic overview dashboard is the first page you land on when opening a Web ACL from the AWS Management Console. This means that even if you only want to check Web ACL rules or log settings, the Top Insights section loads and CloudWatch Logs Insights runs in the background.

CloudWatch Logs Insights charges based on the amount of data scanned. For Web ACLs that are configured to output all logs and handle large amounts of traffic, these charges can be concerning.

So how about the console announced at AWS re:Inforce 2025?

https://dev.classmethod.jp/articles/aws-waf-new-console-2025/

If the configuration has completely changed, that would be great.

Let's check it out.

## Summary Upfront

  • The console announced at AWS re:Inforce 2025 makes it clearer when costs are incurred for displaying the Top Insights section
    • A confirmation popup appears before displaying
      • Moreover, since you can now check/change rules, logs, and other settings without going through the dashboard, it's easier to reduce unnecessary Top Insights costs
    • Explicit reload is required when changing to a period wider than 3 hours, or when changing rules or termination actions
  • The console announced at AWS re:Inforce 2025 offers a log explorer
    • Easy filtering of logs through GUI
    • Make good use of CloudWatch Logs field indexing

## With the Traditional Console

### First Access

First, let's look at the traditional console.

When accessing the Web ACL, it opens the Traffic overview tab. There is a Top Insights section here.

2.Accessing via the traditional console.png

Since it has been opened in the past, information such as URI paths is already displayed.

When checking the CloudWatch Logs Insights execution history at this time, we can see that CloudWatch Logs Insights was executed at the moment of accessing the Web ACL from the AWS Management Console.

1.Logs Insights execution history when accessed from the traditional console.png

This is concerning.

### Accessing again after changing period and termination action

I will access again after changing the period and termination action.

The default period is 3 hours, and all of the following termination actions are selected.

  • Allowed
  • Blocked
  • Captcha
  • Challenge

As described in the article below, the CloudWatch Logs Insights query in the Top Insights section is filtering by termination action.

https://dev.classmethod.jp/articles/aws-waf-top-insights-cloudwatch-logs-insights-query/

Therefore, by creating an index for the termination action field in the CloudWatch Logs log group field indexes, we can reduce the amount of data scanned and thereby reduce costs.

In other words, by selecting only some termination actions, such as only Blocked, it seems possible to reduce the cost impact of CloudWatch Logs Insights running in the background.

This time, I set the period to 1 day and selected only Allowed and Blocked for termination actions.

3.Accessing via the traditional console after changing the period and target actions.png

I will access again after navigating to another page in this state.

5.Accessing via the traditional console after changing the period and target actions and navigating to another page.png

The period and termination actions have been maintained.

In the background, CloudWatch Logs Insights was being executed.

4.Logs Insights execution history when accessing via the traditional console after changing the period and target actions and navigating to another page.png

Now, I will access again after signing out of this session.

When I did, the default period was 3 hours and all termination actions were selected.

6.Accessing via the traditional console after changing the period and target actions and signing in again.png

Apparently, this filtering is reset on a per-session basis.

Therefore, narrowing down the period and termination actions does not appear to be a usable way to reduce CloudWatch Logs Insights costs on subsequent access.

### Accessing the Top Insights section after collapsing it

What happens when you access the Top Insights section after collapsing it?

I'll access the Top Insights section after collapsing it.

7.Accessing Top Insights section after collapsing it in the traditional console.png

At this time, I checked the execution history of CloudWatch Logs Insights, but it seems nothing was executed.

8.Execution history of Logs Insights when accessing the Top Insights section after collapsing it in the traditional console.png

Therefore, if you're concerned about CloudWatch Logs Insights costs, it seems you can just keep the Top Insights section collapsed.

I'll sign out from this session and access it again.

10.Accessing after logging in again with the Top Insights section collapsed in the traditional console.png

It remains closed.

I confirmed from the CloudWatch Logs Insights execution history that nothing was executed.

11.Execution history of Logs Insights when accessing after logging in again with the Top Insights section collapsed in the traditional console.png

Additionally, I tried the following access methods and the Top Insights section remained closed:

  1. Signing out once, clearing browser cache, and accessing again
  2. Accessing after switching to a different IAM role
  3. Accessing from a private browser

From these patterns, it seems that the Top Insights section is closed by default.

It appears that outputting logs to CloudWatch Logs doesn't necessarily mean incurring costs every time the Top Insights section is displayed.

## In the case of the console announced at AWS re:Inforce 2025

### Initial Access

Next, let's look at the console announced at AWS re:Inforce 2025.

Previously, you had to select Web ACLs (protection packs) from a dropdown menu for each region, but now you can view them across regions. I like this feature.

12.New console.png

The Top Insights section can be viewed by clicking on "View dashboard" next to each protection pack.

13.Top Insights in the new console.png

It now asks users more clearly whether they want to display the Top Insights section with "Load Top Insights". The phrase "additional charges apply" is also highlighted in yellow.

13.Logs Insights execution history when opening Top Insights in the new console.png

When clicking "Load Top Insights", it displays "additional costs will be incurred". That's a user-friendly design.

17.Additional costs will be incurred.png

After clicking "Confirm", the various Top Insights information is displayed.

18.Top Insights in the new console.png

### Access in Other Patterns

Rather than posting screenshots for every scenario, here's a summary of the results for each pattern:

| Access pattern | Top Insights section status |
|---|---|
| Reload | Displayed |
| Navigate to another screen and then return | Displayed |
| Sign out and sign back in | Displayed |
| Switch to a different IAM role | Not displayed |
| Access from an incognito browser | Not displayed |

It seems that if one user is looking at the Top Insights section with an extended time period for investigation, CloudWatch Logs Insights won't be executed in the background when another user accesses the dashboard unless they click "Load Top Insights".

Additionally, the time period and termination action reset when you sign out, just like in the traditional console. Currently, every time you sign out, the traditional console is displayed anyway.

### Explicit Reload Required When Changing Filtering Conditions

Another positive aspect of the new console is that when you change filtering conditions such as termination actions or rules, the Top Insights section won't update unless you explicitly reload it.

In the previous console, the Top Insights section updated immediately whenever you changed termination actions. Because multiple termination actions could not be deselected in one step, each individual deselection triggered another load, a subtle extra cost.

For example, when changing termination action filtering from:

  • Allowed
  • Blocked
  • Captcha
  • Challenge

to:

  • Captcha
  • Challenge

The previous console would trigger Top Insights to load twice:

  • When removing Allowed
  • When removing Blocked

In the new console, when you change rules or termination actions, the Top Insights section won't update until you press the reload button next to "Hide Top Insights." This is especially valuable since the previous console didn't even allow filtering by rules.

For time periods, it seems an explicit reload is required when selecting periods longer than 3 hours.

Let's try it out.

19.New console with 3-hour all actions.png

From this state, I'll set the period to 12 hours and the rule to "GeoBlockRule".

20.New console with 3-hour all actions 2.png

At this point, the Top Insights section information hasn't been updated yet.

When pressing the reload button next to "Hide Top Insights," a popup appears saying "additional costs will be incurred."

After proceeding, the Top Insights loading begins and the information updates.

21.New console with 3-hour all actions 3.png

This is a welcome update.

By the way, the CloudWatch Logs Insights queries running in the background were as follows:

```bash
fields httpRequest.clientIp, action
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| stats count(*) as cnt by httpRequest.clientIp
| sort cnt desc
| limit 100 | limit 100
```

```bash
stats count(*) as cnt by concat(httpSourceName, ' | ', httpSourceId) as combined_field
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| sort cnt desc
| limit 100 | limit 100
```

```bash
fields httpRequest.httpMethod, action
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| stats count(*) as count by httpRequest.httpMethod
| sort count desc
| limit 100 | limit 100
```

```bash
fields httpRequest.uri as uri, action
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| stats count(*) as cnt by uri
| sort cnt desc
| limit 100 | limit 100
```

```bash
fields jsonParse(@message) as json_message , action
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| unnest json_message.labels into labelsvalues
| stats count(*) as cnt by labelsvalues.name
| sort cnt desc
| limit 100 | limit 100
```

```bash
fields @timestamp, @message
| parse @message /\{"name":"(U|u)ser-(A|a)gent","value":"(?<userAgent>.*?)"\}/
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| stats count(*) as requestCount by userAgent
| sort requestCount desc
| limit 100 | limit 100
```

```bash
fields ja4Fingerprint
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| stats count(*) as cnt by ja4Fingerprint
| sort cnt desc
| limit 100 | limit 100
```

```bash
fields ja3Fingerprint
| parse @message '"nonTerminatingMatchingRules":[{"ruleId":"*","action"' as nonTerminatingMatchingRules
| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == "GeoBlockRule"
| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| stats count(*) as cnt by ja3Fingerprint
| sort cnt desc
| limit 100 | limit 100
```

### Log Explorer now allows easier and more detailed log analysis

When clicking on a value displayed in the Top Insights section, you'll see "View in Log Explorer".

![14.View in Log Explorer.png](https://devio2024-2-media.developers.io/upload/0RqxpJ2Gm3nEdxVLGKLWmq/2025-09-07/V4xk0fDTgh55.png)

When you click this, it extracts logs corresponding to the selected value.

![15.Log Explorer results.png](https://devio2024-2-media.developers.io/upload/0RqxpJ2Gm3nEdxVLGKLWmq/2025-09-07/roiTKj7sXhMl.png)

You can also filter using multiple conditions.

![22.Multiple filters in Log Explorer.png](https://devio2024-2-media.developers.io/upload/0RqxpJ2Gm3nEdxVLGKLWmq/2025-09-07/Ul0j7ouOJnjj.png)

This makes it possible to easily narrow down communications using the GUI. Very convenient.

Behind the scenes, CloudWatch Logs Insights is properly being executed.

![16.Logs Insights executed when Log Explorer runs.png](https://devio2024-2-media.developers.io/upload/0RqxpJ2Gm3nEdxVLGKLWmq/2025-09-07/xHM195yv2obL.png)

Here is the query that was executed when filtering with multiple conditions earlier:

```bash
fields timestamp, action, httpRequest.host as host, httpRequest.uri as uri, httpRequest.httpMethod as httpMethod, httpRequest.clientIp as clientIp, httpRequest.country as country, terminatingRuleId, httpSourceName, httpSourceId, concat(httpSourceName, ' | ', httpSourceId) as resourceDetails, ja3Fingerprint, ja4Fingerprint, @message
| parse @message '"name":"User-Agent","value":"*"' as userAgent
| filter action in ['BLOCK']
| filter webaclId in ['arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/84a704a7-6965-44af-887e-d196dcd881ac']
| filter timestamp > 1757188173
| filter httpRequest.httpMethod = 'GET'
| filter httpRequest.country = 'US'
| sort timestamp desc
| limit 500 | limit 500
```
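Both the Top Insights queries and this Log Explorer query narrow on `action` and `webaclId` with `in`, which is exactly the kind of clause a CloudWatch Logs field index can serve. As an added example (not code from the article or from AWS), the script below extracts the equality/`in` filter fields from such queries and builds the `{"Fields": [...]}` document that `PutIndexPolicy` takes; the sample queries are constructed from the article's patterns with the Web ACL ARN replaced by a placeholder, and it assumes the field names can be used in the index policy exactly as the queries write them.

```python
"""Added example (not code from the article or AWS): choose CloudWatch Logs
field-index candidates from the Logs Insights queries the WAF console runs."""
import json
import re
from collections import Counter

# A `filter` clause comparing one field with `=`, `==` or `in [...]`, the shapes a
# field index can serve. Function-wrapped clauses (strcontains(...)) are skipped.
FILTER_RE = re.compile(r"\|\s*filter\s+([A-Za-z_][\w.]*)\s*(?:in\s*\[|==?)")
MAX_INDEX_FIELDS = 20  # CloudWatch Logs limit on indexed fields per log group

# Constructed samples, shortened from the query patterns the article captured.
WEBACL_ARN = "arn:aws:wafv2:us-east-1:<AWS Account ID>:global/webacl/website/<id>"
SAMPLE_QUERIES = [
    # Top Insights "client IP" query
    "fields httpRequest.clientIp, action "
    "| parse @message '\"nonTerminatingMatchingRules\":[{\"ruleId\":\"*\",\"action\"' as nonTerminatingMatchingRules "
    "| filter strcontains(nonTerminatingMatchingRules, 'GeoBlockRule') or terminatingRuleId == \"GeoBlockRule\" "
    "| filter action in ['ALLOW','BLOCK','CHALLENGE','CAPTCHA'] "
    f"| filter webaclId in ['{WEBACL_ARN}'] "
    "| stats count(*) as cnt by httpRequest.clientIp | sort cnt desc | limit 100",
    # Log Explorer query with several conditions
    "fields timestamp, action, httpRequest.uri as uri "
    "| filter action in ['BLOCK'] "
    f"| filter webaclId in ['{WEBACL_ARN}'] "
    "| filter timestamp > 1757188173 "
    "| filter httpRequest.httpMethod = 'GET' "
    "| filter httpRequest.country = 'US' "
    "| sort timestamp desc | limit 500",
]


def filter_fields(query: str) -> list[str]:
    """Fields the query filters on with `=`/`in`, in order of first appearance."""
    return list(dict.fromkeys(m.group(1) for m in FILTER_RE.finditer(query)))


def index_candidates(queries: list[str], min_share: float = 1.0) -> list[str]:
    """Fields filtered on by at least `min_share` of the queries, most frequent first.
    The default keeps only fields every query narrows on: the safest index picks."""
    counts = Counter()
    for query in queries:
        counts.update(filter_fields(query))
    needed = min_share * len(queries)
    return [f for f, c in counts.most_common() if c >= needed][:MAX_INDEX_FIELDS]


def index_policy_document(fields: list[str]) -> str:
    """JSON policy document in the shape PutIndexPolicy expects: {"Fields": [...]}."""
    fields = list(dict.fromkeys(fields))
    if not 0 < len(fields) <= MAX_INDEX_FIELDS:
        raise ValueError(f"need 1..{MAX_INDEX_FIELDS} fields, got {len(fields)}")
    return json.dumps({"Fields": fields})


def apply_index_policy(log_group_name: str, fields: list[str]) -> dict:
    """Create or replace the log group's field-index policy (needs AWS credentials)."""
    import boto3  # imported here so the pure helpers above run without it
    return boto3.client("logs").put_index_policy(
        logGroupIdentifier=log_group_name, policyDocument=index_policy_document(fields)
    )
```

Run `index_candidates` over the queries you see in the Logs Insights query history, then pass the result to `apply_index_policy` for the Web ACL's log group.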

When using Log Explorer, you'll want to make effective use of field indexing to reduce costs.

### Checking Locations for Each Configuration Value

As the console has been updated, I'm interested in where to find each configuration value.

So I've organized the locations for checking various Web ACL configuration values in the new console.

| Item | Check location | Notes |
|---|---|---|
| Name | Resources and protection packs | Web ACL (protection pack) name |
| Description | Resources and protection packs → <protection pack name> → Description | Web ACL (protection pack) description |
| Resource type | Resources and protection packs → <protection pack name> → Scope | Select CloudFront (Global) and Regional under Regional scope to display all Web ACLs (protection packs) without changing screens |
| Region | Resources and protection packs → <protection pack name> | Region where the Web ACL (protection pack) exists |
| Associated AWS resources | Resources and protection packs → <protection pack name> → View and edit next to "Resources" → Manage resources | Resources to associate with the Web ACL (protection pack) |
| Body size limit | Resources and protection packs → <protection pack name> → View and edit next to "Resources" → Body size limit | Maximum inspection size when inspecting request bodies |
| Rules | Resources and protection packs → <protection pack name> → View and edit next to "Resources" | Rules to set for the Web ACL (protection pack) |
| WCUs used by your web ACL | Resources and protection packs → <protection pack name> → Capacity | WCU usage |
| Default action | Resources and protection packs → <protection pack name> → Default action | Processing when no rules match |
| CAPTCHA immunity time | Resources and protection packs → <protection pack name> → Default immunity time under CAPTCHA | Period during which CAPTCHA tokens can be used |
| Challenge immunity time | Resources and protection packs → <protection pack name> → Default immunity time under Challenge | Period during which Challenge tokens can be used |
| Token domain list | Resources and protection packs → <protection pack name> → Token domains | Domains sending requests that AWS WAF accepts |
| Custom response bodies | Resources and protection packs → <protection pack name> → Custom response bodies | Custom response bodies |
| Sampled requests | Resources and protection packs → <protection pack name> → View and edit next to "Logging settings" → Sampled requests | Whether to retain samples of web requests that match rules |
| Sampled requests for web ACL default actions | Resources and protection packs → <protection pack name> → View and edit next to "Logging settings" → Sampled requests under Sampled requests for protection pack default actions | Whether to retain samples of web requests processed by default actions. Can be explicitly specified by toggling Enabled for Default action under Enable sampled requests including exclusions |
| Logging | Resources and protection packs → <protection pack name> → View and edit next to "Logging settings" → Logging under Status | Enabling logs |
| Logging destination | Resources and protection packs → <protection pack name> → View and edit next to "Logging settings" → Logging under Logging destination | Specify S3 bucket/CloudWatch Logs/Data Firehose as the log output destination |
| Default log filter behavior | Resources and protection packs → <protection pack name> → "View and edit" next to "Logging configuration" → Data protection settings under Default log filter behavior | Default log output behavior |

## Let's Get Familiar with the New Console

I introduced that when outputting logs to CloudWatch Logs with AWS WAF Web ACL (protection pack), it's better to use the new console both for cost reduction and to reduce operational burden.

Personally, I think the log explorer is great. From now on, I'll actively use the new console.

I hope this article helps someone.

That's all from Cloud Business Division, Consulting Department, nonpi (@non____97)!
