Costs for Running a Static Website on S3
Towards the end of 2022, several large companies, Meta being one of the well-known, called out the year 2023 to become “The Year of Efficiency”. We have been able to observe the implementation of this strategy shift until recently in the project postings on different IT freelancer portals searching for FinOps Engineers. They should fill the role to serve initiatives with the goal to cut down on cloud costs and/or SaaS subscription costs that were not crucial for running the business, aiming for greater cost efficiency.
So if the tech giants and the rest of the industry do it maybe it’s time to clean out the own closet and review existing cloud costs. 😉 This as inspiration, I decided to review the costs associated with my very own static website which I host on S3. 💸
Further, about a year ago, I wrote down the challenges of running a static S3 based website where I owe an answer concerning the overall costs. Back then, I covered all the components that are necessary from my perspective to run it in a somewhat professional way in addition to the obvious S3 bucket. By “somewhat professional”, I mean crucial components like custom domain, a content delivery network (CDN) for achieving solid response time, and presenting valid SSL host certificate to adherence to security standards.
In this post we will analyze the costs of the existing solution using the AWS Billing Dashboard.
So what are actually the costs of running such a static website on AWS? Before we continue, let’s briefly revisit the stack of technical components showing the different AWS services and their contribution to the overall solution so that we can later judge the costs of each.
Tech stack
The users access the website through their browser where the request is directed to CloudFront, a CDN service. Before serving the content, CloudFront consults the WebACL (web access control list) of the Web Application Firewall (WAF) to check for any malicious patterns in the request. If the request passes the WAF checks it then goes through a CloudFront Function executing a small content transformation to ensure website navigation works for the user. Once executed, CloudFront fetches the required content from the S3 Bucket, where the static website files (like HTML, CSS, and JS) are hosted. Additionally, CloudFront communicates with AWS Route 53, the DNS service, to resolve domain names and direct traffic appropriately. This entire flow ensures that the user receives the website content quickly, securely, and efficiently.
Cost Analysis
So now let’s have a closer look at the costs, how they are made up, and maybe identify some of the cost drivers:
(Screenshot from AWS Billing Dashboard taken Oct 12, 2023)
The screenshot of the Billing Dashboard shows average costs of $ 6.96 per month but what is more interesting is the fact that largest fraction (blue bar in the chart) goes to the WAF. In order to find out the pricing details of the service, let’s have a look at the official WAF Pricing Site from AWS for region Europe:
+----------------+--------------------------------------------------------------------------------------+
| Resource Type | Price |
+----------------+--------------------------------------------------------------------------------------+
| Web ACL | $5.00 per month (prorated hourly) |
| Rule | $1.00 per month (prorated hourly) |
| Request | $0.60 per 1 million requests (for inspection up to 1500 WCUs and default body size*) |
+----------------+--------------------------------------------------------------------------------------+
(Source: AWS Pricing for eu-central-1 region as of 2023-10-12)
A closer look at the pricing table reveals that the monthly costs are composed of $ 5.00 per WebACL deployment, plus $ 1.00 for every WAF rule, plus some usage-based cost component in case the number of requests exceeds 1 Mio.
In my case, I have deployed one WebACL and one rule configured, so $ 5.00 + $ 1.00 adding up to $ 6.00.
The one rule handles a deficit of the Cloudfront Service namely blocking the public access to the auto-generated Cloudfront URL looking something like this "yourwebsite.cloudfront.net". (details again in this post).
But what a about the remaining $ 0.96? Can we allocate something to usage based cost components of the WAF?
*
The timeline chart shows some increased usage in September with a peak a bit over 150 views on 23th of September. Not sure if the unit “views” in this diagram directly translate to the unit “number of request” mentioned pricing components but still far away from exceeding a threshold of the 1 Mio requests.
Having finished the observation of the WAF costs, the costs from the other services like S3, Cloudfront, Route53 with $0.96 are so little at the moment that we will just neglect an in depth analysis. Ready to move on.
Now what?
Now, how to decide what is really needed to “keep the business running”? And how to cut the costs of everything that is not needed?
The technical minimum to serve the users with the content is the S3 bucket. But without Route53, SSL backed custom domain name, and Cloudfront CDN the website would be slow and not secure. So these are the components that are needed to run the website in a somewhat professional way. As S3, Route53, Cloudfront, and the other services not even make up one dollar there is not much to leverage.
However, with the pricing structure of the AWS WAF service being as it is I end up paying $6.00 per month only for one little tiny WAF rule to block access to the Cloudfront endpoint. “Security just has its price!”, could be an argument, but does it really increase security? While blocking access of the Cloudfront endpoint with the WAF rule reduces indeed the attack vector of the website, leaving it open does not really make the thing less secure either. Therefore one could argue that it is more or less a cosmetic action.
So should I get rid of the WebACL? To my knowledge there is no technical alternative to disable the Cloudfront endpoint other than a WAF rule; nevertheless I will rethink the need for the WebACL especially considering the price I pay for this small value that I get form it.
Or to put it short and simple: Is the $ 6.00 Dollar WebACL really worth it? In my situation the answer is probably a “No”.
Some general advice on WAF
(source: Youtube: Silly Symphony - The Three Little Pigs )
Now that we have looked at one specific case, we can try to derive some general advice to decide whether to install a WAF or not. Maybe trying to answer the following question to yourself can help:
-
How much protection do you really need with your static website or also other web services?
-
How much of an attractive target for malicious requests is your service? This influences the likelihood that it actually happens?
-
Is the damage that a malicious request or set of requests can cause worth the monthly costs you pay for the WAF protection (Think of it similar to an insurance fee)?
Therefore please keep in mind in what context you are with your use case and decide accordingly as the degree of security measures is - like most things - a matter of weighing costs. Taking it from the other perspective, doing it without a WAF means living with a certain risk. So you need to get a feeling for how likely the risk is to occur (Probabilities of occurrence) and the costs of the damage in case the risk materializes.
Conclusion and Summary
Removing the WAF rule could leverage 6$ which represents a 86% cost saving and should allow me to run the website for $0.96 given the access and usage patterns stay the same. 🤯 This bears major savings potential and a price that might be hard to beat by any competitor offering static website hosting solutions (e.g. Azure, Netlify, Google, Github Pages, Vercel, etc.).
Again, we are just talking about a semi-professional static blogging website. The discussion may seem a bit over the top for this tiny use case, however you would have to go through similar thought processes (just at a different price dimensions and higher complexity) in bigger organizations to leverage cloud costs savings. Therefore please consider this post as inspiration and maybe a reminder to review your cloud costs and to think about the value you get for the money you pay, be it for your small private project or at work in your organization.
Happy FinOps and a wonderful “Year of efficiency!” 🤑
* Observation of the usage statistics in cloudfront also shows one thing: Basically, no one is visiting the website. 😅🥲🫢 …which is fine. I launched it in parallel with starting my freelancer activity mainly with the intention to be able to fill in the blank “website” in the different forms when signing in on these freelancer portals.