TL;DR: WAF has two walls: a 1,500-WCU capacity ceiling per web ACL and $1/month per rule. Teams hit both the same way — adding one rule per bad IP, per bot user-agent, per blocked path. The fix is structural: an IP Set (10k addresses, one rule), a Regex Pattern Set (all your patterns, one rule), and combined AND/OR conditions. Same security posture; typical audits recover 50–70% of WCUs and rule fees.
The numbers
- Fees: $5/month per web ACL + $1/month per rule + $0.60/M requests. Fifty hand-rolled rules = $50/month forever, per ACL, per environment.
- WCU weights: single IP match or geo-block ≈ 1; a regex rule can be 10+; managed groups are heavy — Core Rule Set ~700, Known Bad Inputs ~200, SQL Database ~200.
- Field examples: an API team at 1,480/1,500 WCUs consolidated down to 620 in a weekend (rule fees −60%); an e-commerce site replaced 80 bot-user-agent rules ($80/month) with one Pattern Set rule ($1/month).
Do this
-
Audit the shape of your rules: any set differing only by a literal IP, path, or user-agent string is one Set + one rule in disguise.
-
Collapse IPs into an IP Set (up to 10,000 CIDRs), referenced by a single rule; update the Set from Terraform or a threat-feed Lambda without ever touching the rule again.
-
Collapse string matches into a Regex Pattern Set — the biggest win on bot-fighting workloads accumulating per-signature rules.
-
Merge same-intent conditions: "block
/adminfrom outside the US" is one combined rule, not two. Litmus test: if the intent fits one English sentence, it's one rule. -
Prune managed rule groups to your actual stack — a JSON API doesn't need the WordPress rules; each unneeded group burns 25–700 WCUs.
-
Test consolidations in
countmode for a day or two before flipping toblock; compare CloudWatch match counts against the old rules to catch too-broad or too-narrow regexes. -
Quarterly: delete dead rules — anything with zero matches in 90 days, after confirmation.
Gotchas
- Don't over-consolidate. Rules with different actions (block vs count vs rate-limit), different logging/labeling needs, or genuinely different intent stay separate — merging them obscures what fired and why.
- Managed groups count against your 1,500 WCUs — stacking three popular ones spends half the ceiling before your first custom rule.
- Regex is the WCU hog: if you're near the ceiling, audit regex rules first.
- WAF logs can quietly become your biggest log stream — pair this cleanup with CloudWatch Logs retention.
Skip this if
- You run under ~10 custom rules that are already Set-backed — you're healthy; keep the discipline.
- Your only WAF content is managed rule groups — then the lever is which groups, not consolidation.
- The spend concern is CloudFront+WAF fees overall — that's the Security Savings Bundle on top of (not instead of) clean rules.