AWS has introduced an invaluable feature for users of CloudFront protected by AWS WAF: CloudFront will no longer bill requests that are blocked by AWS WAF. This new feature provides enhanced financial protection, which is especially helpful against DDoS attacks that generate a significant volume of requests on CloudFront.
Some additional insights:
Billing Exemptions on Blocked Requests: CloudFront does not bill a request blocked by WAF when the terminating rule action in WAF is BLOCK, regardless of the custom response configured in WAF. For example, you could configure a custom response with a 200 OK that returns a graceful HTML page for blocked requests.
Custom Error Responses: CloudFront will also not bill for custom error responses triggered by WAF’s BLOCK actions. This means if WAF blocks a request and triggers an error response configured in CloudFront, those error-handling responses won’t incur charges.
Extra Protection with Shield Advanced: Customers who are subscribed to Shield Advanced gain even more financial protection. It protects you against the costs of CloudFront requests that were not blocked by AWS WAF during a DDoS attack. It also covers other AWS services that had to scale to absorb the attack.
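
To see how much traffic falls under the billing exemption described above, the following added example (not AWS code) tallies AWS WAF log records whose terminating action is BLOCK on a CloudFront-attached web ACL, including blocks answered with a custom 200 response. The log lines are constructed samples, and the function name `summarize` is an assumption of this example.

```python
import json
from collections import Counter

# Constructed sample records; field names follow the AWS WAF log format.
SAMPLE_LOGS = """\
{"action":"BLOCK","terminatingRuleId":"rate-limit","httpSourceName":"CF","responseCodeSent":200}
{"action":"BLOCK","terminatingRuleId":"rate-limit","httpSourceName":"CF","responseCodeSent":null}
{"action":"BLOCK","terminatingRuleId":"geo-block","httpSourceName":"CF","responseCodeSent":403}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpSourceName":"CF","responseCodeSent":null}
{"action":"CAPTCHA","terminatingRuleId":"bot-check","httpSourceName":"CF","responseCodeSent":405}
{"action":"BLOCK","terminatingRuleId":"rate-limit","httpSourceName":"ALB","responseCodeSent":null}
truncated{
"""

def summarize(lines):
    """Count CloudFront requests whose terminating WAF action was BLOCK."""
    exempt_by_rule = Counter()   # BLOCKed CloudFront requests, per terminating rule
    exempt_custom_200 = 0        # BLOCKs answered with a custom 200 response
    other = 0                    # every other parsed record
    skipped = 0                  # unparseable or non-object lines
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(rec, dict):
            skipped += 1
            continue
        # The page states the exemption only for a terminating action of BLOCK
        # on CloudFront; the custom response code does not change the outcome.
        if rec.get("httpSourceName") == "CF" and rec.get("action") == "BLOCK":
            exempt_by_rule[rec.get("terminatingRuleId", "unknown")] += 1
            if rec.get("responseCodeSent") == 200:
                exempt_custom_200 += 1
        else:
            other += 1
    return {
        "exempt_total": sum(exempt_by_rule.values()),
        "exempt_by_rule": dict(exempt_by_rule),
        "exempt_custom_200": exempt_custom_200,
        "other": other,
        "skipped": skipped,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS.splitlines()), indent=2))
```

A per-rule count like this also shows which rule is absorbing an attack, which helps when tuning rate limits during an incident.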