- Newest
- Most votes
- Most comments
Hi, As Joseeee rightly mentioned, if you are unsure how it got created and when etc, it is very likely that it was created along with other resources (ex. CloudFront) and got deleted while deleting those resources (if used CloudFormation or other automation tools). The easiest and best way to find out what happened and how, is to search "CloudTrail Event History" for WebACL creation and deletion. Let me help step by step:
- Navigate to CloudTrail service -> click on "Event History" in the left navigation pane.
- Select "Event name" from the drop down, and write "CreateWebACL" in the field, as shown in image below.
The CloudTrail Event History, by default, keep records for past 90 days only. If you were charged only for past 2 months, then it is possible we will see the "CreateWebACL" calls in the CloudTrail Event History. If the WebACL was created prior to 90 days, we will see nothing here.
Once the above is done, and if you see an event there, it proves that the WebACL was created. The event will also show you who created the WebACL, and when. That way, you will understand how the WebACL was created, and hence the charges.
Now, if you do not see anything above, lets follow the steps below.
- Navigate to CloudTrail service -> click on "Event History" in the left navigation pane.
- Select "Event name" from the drop down, and write "DeleteWebACL" in the field, as shown in image below.
Here you will highly likely see some events, as you do not have any WebACLs in the Global region right now (I can see in the screenshot you shared), and you are seeing charges till date (falls within 90 days). This will prove that the WebACL was present and it was deleted recently. Since it is deleted, you would not be charged after when it was deleted.
Also, to clarify, the charges are for AWS WAF latest (as it shows v2 in the bills). I can see that you were charged for "requests" as well in the month of August, it is possible that the WebACL would have been associated with a CloudFront Distribution that was created around that time. How did you create the CloudFront distribution (manually using console OR CloudFormation OR some other automation)? Have you deleted/removed any CloudFront distribution in past few days? You might want to review those steps/scripts etc.
Lastly, if following above steps do not provide any leads, I would suggest to raise a case with the Billing team. They have tools in place to see why you were charged, and can take necessary actions.
I hope it helps.
**If the answer is helpful, please click "Accept Answer" and upvote it. **
-
Thanks @Mayank Patel for your reply, I tried it your way, in the first step I don't see nothing here
-
I tried the second step and saw that WebACL already existed and it had been deleted recently, but I looked at the payment fee and saw that it was still increasing by the hour.
- Continue I check with the keyword "ListCloudFrontOriginAccessIdentities" then I found this, what should I do next?
-
This confirms that you had a WebACL present till 3rd Oct (which is now deleted) and hence you were seeing the charges. If you are still being charged (after deleting) then I would strongly recommend to raise a support case with the billing team as a next action.
If you are unsure about how to raise a support case, please follow the steps provided in the below document.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case
Please select "Account and billing" option while creating the case.
I hope it helps.
It's very likely another service you're using created this on your behalf during the setup (ie. Cloudfront).
If it's not showing in this page, can you try clicking on the Switch to AWS WAF Classic link on the left hand side? You want to make sure that any policy under the AWS WAF Classic are removed as well.
If you have already removed it, look in Cost Explorer for the daily usage/cost of AWS WAF. This can help identify if the service is still running and you'll accrue additional charges on a day to day basis.
I believe support may be able to help you identify where this resource is as well.
Hi @joseeee I try clicking on the Switch to AWS WAF Classic link on the left hand side but there are no ACLs
But I see the service is still active (I can't find where it works to remove it) and accumulating additional charges daily
I don't know if you have solved this or not. But I have the same issue, turns out I have cloudfront distribution to serve my static site from S3. In the General Settings, there is Security - WAF that turns out enable when i setup the cloudfront.
Relevant content
- asked 3 months ago
- asked a year ago
- asked a month ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
Please open a support ticket through AWS Support, as it's not safe for you to reveal your account detail in public. Support team should be able to find the resource and help you close it down.