Pricing for Amazon Network Firewall logging

You are charged for Amazon CloudWatch vended logs, on top of the basic charges for using Network Firewall. Additionally, you incur charges when querying logs, whether through CloudWatch and or through Amazon Athena for logs stored in Amazon S3. Vended logs are specific Amazon service logs published by Amazon on your behalf at volume discount pricing.

Your logging costs can vary depending on factors such as the destination type that you choose and the amount of data that you log. For example, flow logging sends logs for all of the network traffic that reaches your firewall's stateful rules, but alert logging sends logs only for network traffic that your stateful rules drop or explicitly alert on.

Review the following resources to understand the pricing considerations for using firewall logs:

For information about CloudWatch vended log pricing, see Logs on the Amazon CloudWatch pricing page.
For information about Network Firewall pricing, see Network Firewall pricing.
For information about Amazon S3 pricing, see Amazon S3 pricing.
For information about Amazon Athena pricing, see Amazon Athena pricing.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Permissions to configure logging

Firewall logging destinations