We Blocked the DDoS, Then the CloudWatch Bill Arrived
TL;DR: AWS Shield Advanced protects against DDoS-related scaling costs, but WAF log costs are not covered. When a customer said “I need to keep logs but reduce costs,” I proposed three incremental steps: (1) switch log destination to Data Firehose for ~8.5x cost reduction, (2) apply a WAF Logging Filter to DROP logs by DDoS label, (3) if logs …