AWS announces CloudFront Security Savings Bundle

Starting February 5th 2021 AWS has launched a new savings plan for Amazon CloudFront – the CloudFront Security Savings Bundle. This flexible, self-service pricing plan allows customers to save up to 30% on their CloudFront bill in exchange for making a commitment to a dollar amount of monthly spend for a 1 year term. 

Additionally, up to 10% of your commitment can be applied against usage for AWS WAF (Web Application Firewall). 

AWS provides an example of what this means with this breakdown:

“Making a commitment of $100 of CloudFront usage per month would cover $142.86 worth of CloudFront usage for a 30% savings compared to standard rates. Additionally, up to $10 of AWS WAF usage is included to protect your CloudFront resources at no additional charge each month  (up to 10% of your CloudFront commitment).  Standard CloudFront and AWS WAF charges apply to any usage above what is covered by your monthly spend commitment.  As your usage grows, you can buy additional savings bundles to obtain discounts on incremental usage.“

Quick sense check on these percentages if you’re thinking “Isn’t 30% of $100 only $30?” – the discount works as a reduction percentage on your spend, not of your commitment amount. So 30% of $142.86 is $42.86 on a $100 commitment.  

Many will see the clear similarity to Savings Plans and Reserved Instance discount mechanisms. Here the offering is a simple 30% discount on usage for a period of 1 year. Like Savings Plans, you can ‘top-up’ a Security Bundle commitment by taking out additional plans as your usage increases. 

What Usage is covered by a CloudFront Security Savings Bundle?

30% Savings will be applied to the following usage types (up to your commitment amount):

  • Data Transfer Out
  • Data Transfer to Origin
  • HTTP/S request fees
  • Field Level Encryption Requests
  • Origin Shield
  • Invalidations
  • Dedicated IP Custom SSL (That’s the non-SNI version that costs $600/month currently)
  • Lambda@Edge

Usage and corresponding spend above your commitment will be charged at usual rates. 

Web Application Fireball (WAF) Usage

As mentioned, up to 10% of WAF usage applied to CloudFront resources is included. If you don’t use WAF, this is fine, but if you do and you have variable CloudFront usage, the fact that this is included in a portion of the discount makes it more likely you’ll be fully utilising your commitment at all times. 

Also be aware that managed WAF rules purchased through the AWS Marketplace are not covered by the Savings Bundle. 

AWS Organizations and Consolidated BIlling

Organization administrators will be reassured to know that CloudFront Security Savings Bundle supports the standard consolidated billing model. A commitment can be purchased in any Organisation account and the discount is applied to the top-level consolidated bill at the payer account. Additionally, Savings Bundles will be automatically shared across accounts (where credit-sharing is enabled) to ensure utilisation is maximised. 

The discounts will appear on your bill under the CloudFront and WAF portions of your bill as credits to offset your standard usage charges. 

CloudFront Custom Pricing Agreements

You might be aware that AWS allows for negotiated Custom Pricing for CloudFront usage. In return for a commitment of yearly data transfer to CloudFront, you can secure favourable discounts (per region) of CloudFront transfer and request costs.

A typical example, in return for a commitment of 500TB of Regional Data Transfer out, you might get a reduction from $0.085 per GB to $0.06 GB or lower (typically operating on a sliding scale). The big caveat of any such agreement is that if you don’t hit your transfer commitment, you’ll be obligated to pay the difference in transfer charges. Just something to be aware of! Reach out to your AWS Technical Account Manager for more details (and accurate discounts!). 

Anyway – Savings Bundles conflict with these Custom Pricing Agreements so currently you will have to choose between one or the other. 

AWS Budgets and Cost Alerting for CloudFront Security Savings Bundle

Most good organizations will already have a robust cost-alerting process in place. Utilizing AWS Budgets, you can set a Cost and Usage alert when your actual or forecasted charges exceed the threshold for a given service – notified via email or SNS. 

For Savings Bundles, you can create a CloudFront-specific AWS Budget that alerts when the on-demand usage exceeds that covered by your Savings Bundle commitment. 

In the previous example of a $100 commitment, this would be an alert for CloudFront that notifies you when you spend more than $142.86 on-demand. Any spend above this would not be discounted. 

If you find yourself constantly setting off such an alarm, or setting it off only halfway through the month, this would be a sure sign that you can afford to increase your Savings Bundle commitment. Pleasingly, Savings Bundle includes an ‘auto-renew’ feature to ensure you’ll never forget to renew manually – this has always been a burden for Reserved Instances!

How do I buy an Amazon CloudFront Security Savings Bundle?

With no API-support at present, the only way to purchase a new Amazon CloudFront Savings Bundle is via the AWS console:

Head to the Amazon CloudFront console, and you’ll see the menu has a new section entitled Savings Bundle at the bottom:

Clicking on ‘Purchase’ will take you to a ‘Recommendations and Estimated Savings’ screen with two tabs. 

CloudFront Savings Bundle Menu

The first is ‘Historical Usage’, designed to look at your previous CloudFront spend and make a commitment recommendation. Here I find the first issue with the offering – it says insufficient data. I tested this in an Organisation spending about $1 a month in CloudFront, and another spending $100 going back years – both in the child account and at the Organisation top level, it insisted there was no data. Either the spend needs to be much larger than this, or this feature is broken at the time of writing. 

The second tab is ‘Calculator’ where in lieu of an automatic recommendation, you can specify your usage in different regions to try to calculate your spend and thereby make a recommendation. This requires a lot of work and is limited, as specified on the console:

It assumes all requests will be via HTTPS and it does not include data transfer out to origin, invalidations, Lambda@Edge usage, or any additional billed usage. Estimated WAF charges includes 1 WebACL, 2 rules, and requests associated with CloudFront usage

CloudFront Savings Bundle Calculator

Even with this in mind, this transfer data is quite hard to come by. CloudFront provides Usage Reports in the console, but this is for the specific account you’re logged into and doesn’t span the whole Organisation when examined at the Master Payer level. 

The next place to look is the AWS Cost Explorer, and after some investigation the best way to filter the data is by Usage Type Group with the following types of Data Transfer for CloudFront

Cost Explorer Usage Type Group

Or alternatively by Usage Type (both will show the same overall usage):

Cost Explorer Usage Type

If you then Group By ‘Region’ on this view, you’ll get a region-based breakdown of GB data transfer in CloudFront. 

My only issue is that I can’t get this to agree with the Data Transfer shown in a CloudFront usage report, which is far greater in terms of GB transfer. Whilst I’m checking with AWS on what the canonical reference data and filter type is to use (and I’ll update here afterwards), suffice to say that putting in an accurate number here for the calculator is difficult. Unless I’m being stupid (always an acknowledged possibility) finding the right figures to put in here is going to be hard without a reliable reference point. Here the ‘Historical Usage’ feature actually working would be a benefit!

All it really boils down to though is how much dollar spend you want discounted per month, and if you were spending $500 on CloudFront then you’d be pretty confident that a $250 Savings Bundle would cover a decent portion of your usage even if you weren’t checking any other data. 

When you proceed through to purchase, you’ll see a screen like this with a nice summary: 

CloudFront Savings Bundle Options


Amazon CloudFront Security Savings Bundle looks like a great addition to the growing list of savings and discounting products offered by AWS. Prior to this the best discount that could be achieved was with a Custom Pricing Agreement, which typically necessitates a massive amount of data transfer to even be eligible to apply. This is scoped much better towards organisations of any size, and the ‘top-up’ nature of Savings Bundles (and Savings Plans in other areas of AWS) makes it a real no-brainer to pick one up if you’ve got any level of predictable usage in CloudFront for the next year. 

TL;DR: Looks great – but needs a couple of improvements to help you calibrate the correct level of commitment. 


Like this article? Follow us →

Recent Articles

Related Stories