CloudFront Flat-Rate Pricing: AWS Hosting Without Billing Surprises
- 07 Feb, 2026
Hosting a personal site or a small business application on AWS has always offered powerful control: full infrastructure-as-code (Terraform), enterprise-grade security, and a unified ecosystem. However, for years, this power came with a terrifying catch: the open-ended bill.
The traditional pay-as-you-go model meant that a single aggressive bot, a sudden viral post, or a DDoS attack could drive costs up indefinitely. This “Denial of Wallet” risk is real. In 2025 alone, we saw a startup hit with a $120,000 bill in 72 hours on AWS, and a similar incident costing $100,000 in 4 hours on GCP. The rise of AI scrapers has only amplified this, with some sites reporting 20 million monthly requests solely from AI bots.
Managing this risk usually requires serious architectural work: terminating traffic at the edge, configuring WAFs to block or throttle aggressively, implementing strict caching, or integrating with third-party services like Cloudflare.
I faced this exact dilemma when building this site. I wanted the versatility of AWS, managing everything via Terraform and keeping my app subdomains unified under one provider, but I didn’t want the anxiety of an uncapped bill looming over a personal project.
Fortunately, AWS now has an option that mitigates this risk without the complexity overhead.
Launched in November 2025, CloudFront’s Flat-Rate Pricing Plans finally bring predictable, capped costs to AWS. These plans offer fixed monthly pricing with zero overage charges. Traffic beyond your allowance is throttled, not billed. Even better: the free tier is more than enough for all my needs.
What Are CloudFront Flat-Rate Plans?
Flat-Rate plans are a fixed-price alternative to the traditional pay-as-you-go CloudFront model. Launched in late 2025, they change the AWS value proposition for smaller projects: you pay a capped monthly fee (or nothing at all), and AWS absorbs the volatility.
As of February 2026, the four tiers are:
| Feature | Free | Pro | Business | Premium |
|---|---|---|---|---|
| Monthly Cost | $0 | $15 | $200 | $1,000 |
| Data Transfer | 100 GB | 50 TB | 50 TB | 50 TB |
| Requests | 1 Million | 10 Million | 125 Million | 500 Million |
| S3 Storage Credit | 5 GB | 50 GB | 1 TB | 5 TB |
| WAF Rules | 5 | 25 | 50 | 75 |
| Route53 Zone | Included | Included | Included | Included |
| Overage Charges | None | None | None | None |
The “No Overage” Guarantee
Unlike standard AWS services, where you pay as you go (and where enforcing budget limits is honestly harder than it should be), Flat-Rate plans feature hard price caps.
All tiers include essential infrastructure: Route53 DNS, Shield Standard (DDoS protection), TLS certificates, and a managed WAF. When traffic exceeds the plan’s quota, AWS responds by “degrading performance.” The exact degradation behavior is undocumented, but AWS mentions that it may include serving traffic from fewer or more distant edge locations, reducing throughput, or throttling.
For a personal website or a small app, this is a welcome tradeoff: better a slow site than a scary bill.
An AWS account can contain up to 100 CloudFront Pricing Plans, but only 3 of those can be free. Each Flat-Rate plan can manage exactly one apex domain and its subdomains.
The Tradeoffs
Every pricing model has tradeoffs. The Flat-Rate model trades configuration flexibility for cost predictability and simplicity. Some of these constraints are well-documented; others I discovered during migration.
Constraints and Limitations
The Flat-Rate plans come with a specific set of architectural restrictions. The full list is in the AWS documentation; these are the most impactful:
- No Lambda@Edge: You cannot use Lambda@Edge for complex request processing (e.g., advanced auth, A/B testing). However, CloudFront Functions are supported for lighter tasks like header manipulation.
- No Staging Distributions: You cannot create a staging distribution to test changes before going live.
- No Real-time Logs: Real-time logging to Kinesis is unavailable. You are limited to standard access logs delivered to S3, which have a delivery delay.
- Modern Configs Only: Legacy features like `ForwardedValues` (replaced by Cache Policies) and Origin Access Identity (replaced by Origin Access Control / OAC) are not supported.
Practical Experience
Beyond the documentation, I discovered a few nuances while deploying my site via Terraform:
- Managed Cache Policies Only: Custom cache policies are not allowed. You must use AWS-managed policies. I opted for `Managed-CachingOptimized` (`658327ea-f89d-4fab-a63d-7e88639e58f6`), which works well for static sites.
- No Price Class Control: You cannot set `price_class` (e.g., `PriceClass_100`). AWS automatically manages edge location selection based on the Flat-Rate tier.
- WAF Constraints: A valid AWS WAF web ACL must remain associated with the distribution at all times. This WAF cannot be shared with other distributions and cannot be managed by AWS Firewall Manager. While it is possible to configure a custom WAF (within the plan’s rule limits), I was content with the default configuration, so I used Terraform’s lifecycle rule `ignore_changes = [web_acl_id]` to delegate creation and control to AWS.
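The constraints in the two lists above can be checked mechanically before a migration or as a drift audit afterwards. The following is an added example, not code from this site or from the Terraform module: it inspects a `DistributionConfig` dictionary in the shape returned by boto3's `get_distribution_config`. The function names, the `on_plan` switch and the sample config are assumptions made for illustration, and the check covers only the constraints visible in that config.

```python
# Added example: audit a CloudFront DistributionConfig against Flat-Rate limits.

# Managed-CachingOptimized is the only policy ID given on the page; extend the
# set with other AWS-managed IDs, e.g. from list_cache_policies(Type="managed").
MANAGED_CACHE_POLICIES = {"658327ea-f89d-4fab-a63d-7e88639e58f6"}


def _behaviors(cfg):
    """Yield (name, behavior) for the default and each path-based behavior."""
    yield "default", cfg.get("DefaultCacheBehavior", {})
    for b in cfg.get("CacheBehaviors", {}).get("Items") or []:
        yield b.get("PathPattern", "?"), b


def flat_rate_blockers(cfg, managed=MANAGED_CACHE_POLICIES, on_plan=True):
    """Return sorted findings that conflict with a Flat-Rate plan."""
    found = []
    for name, b in _behaviors(cfg):
        if b.get("LambdaFunctionAssociations", {}).get("Quantity", 0) > 0:
            found.append(f"{name}: Lambda@Edge association")
        if b.get("ForwardedValues"):
            found.append(f"{name}: legacy ForwardedValues")
        if b.get("CachePolicyId") and b["CachePolicyId"] not in managed:
            found.append(f"{name}: cache policy not in managed set")
        if b.get("RealtimeLogConfigArn"):
            found.append(f"{name}: real-time log config")
    for o in cfg.get("Origins", {}).get("Items") or []:
        if o.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
            found.append(f"{o.get('Id', '?')}: Origin Access Identity, use OAC")
    if cfg.get("Staging"):
        found.append("distribution: staging distribution")
    # The web ACL must stay attached once the distribution is on the plan.
    if on_plan and not cfg.get("WebACLId"):
        found.append("distribution: no WAF web ACL associated")
    return sorted(found)


# Constructed sample config (not from a real account).
LEGACY = {
    "Origins": {"Items": [{"Id": "s3-site", "S3OriginConfig": {
        "OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLE"}}]},
    "DefaultCacheBehavior": {
        "ForwardedValues": {"QueryString": False},
        "LambdaFunctionAssociations": {"Quantity": 1}},
    "WebACLId": "",
}

if __name__ == "__main__":
    print("\n".join(flat_rate_blockers(LEGACY)))
```

Pass `on_plan=False` when auditing a distribution that has not been enrolled yet, since the WAF association only has to hold once the plan is active.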
Why Not Just Use Cloudflare Pages?
A common counter-argument is: “Why not just host the static site on Cloudflare Pages (which is free) and keep the backend on AWS?”
In fact, I was about to deploy exactly that setup when I learned about the Flat-Rate plans and decided to give it a go. Using Cloudflare Pages is a perfectly valid approach, but I ended up preferring a full-AWS setup after considering:
- DNS Fragmentation: If Cloudflare manages the root DNS, every new app subdomain requires cross-provider coordination: DNS in Cloudflare, backend in AWS, ACM validation records in Cloudflare.
- Simpler IaC: The entire stack lives in a single Terraform state file with a single provider. No need to manage two providers or sync state between them.
- Simpler Operations: One bill, one console, and one set of logs.
TL;DR: What You Give Up vs. What You Get
| You Give Up | You Get |
|---|---|
| Lambda@Edge (Complex edge logic) | Peace of Mind (No billing surprises) |
| Custom Cache Policies | DDoS Protection (Shield Standard included) |
| Real-time Logs | WAF & DNS (Included in the price) |
| Staging Environments | Unified Stack (Everything in AWS) |
Cost Comparison
The real value of the Flat-Rate plans is that they act as an insurance policy against traffic spikes. Here is how the costs break down for a moderately successful personal site.
Scenario A: Steady State (200 visits/day)
For a typical personal site or portfolio with low traffic, the cost difference is negligible.
| Cost Item | Pay-as-you-go | Flat-Rate Free |
|---|---|---|
| CloudFront (Data + Requests) | $0 (Free Tier) | $0 (Flat-Rate Free) |
| Route53 Hosted Zone | $0.50 | $0 (Included) |
| Route53 Queries | ~$0.01 | $0 (Included) |
| S3 (Storage + Requests) | ~$0.10 | ~$0.10 |
| WAF | Not included | Included (5 rules) |
| Monthly Total | ~$0.61 | ~$0.10 |
Verdict: At low traffic levels, both pricing options can easily cover the traffic, and you only save the $0.50 monthly Route53 hosted zone fee, which is included in Flat-Rate Free.
Scenario B: Under Attack (100M Requests, 10TB Data)
This is where the Flat-Rate model shines.
| Cost Item | Pay-as-you-go | Flat-Rate Free |
|---|---|---|
| CloudFront Requests | ~$90.00 | $0 (Throttled) |
| Data Transfer | ~$783.00 | $0 (Throttled) |
| WAF Charges | Variable | $0 |
| Total Bill | ~$873.00+ | $0.00 |
Verdict: Under the pay-as-you-go model, you owe AWS nearly $900. Under the Flat-Rate plan, your site performance degrades, but your bill remains a few cents.
The Fine Print: Lower Allowances
There is one important nuance to catch: the Flat-Rate Free Tier has lower limits than the standard AWS Free Tier.
- Standard Free Tier: 1 TB data, 10M requests.
- Flat-Rate Free Tier: 100 GB data, 1M requests.
However, 100 GB is still substantial. If you legitimately outgrow this, the Pro Plan ($15/month) bumps you up to 50 TB.
Technical Implementation
If you want to get up and running fast, you can use the terraform-aws-cloudfront-flat-rate module. It deploys a completely free S3 static website with Flat-Rate billing, including the S3 bucket, CloudFront distribution, ACM certificate, and Route53 zone. It can also be used to deploy a Flat-Rate distribution hooked to any suitable origin, such as an API Gateway or Load Balancer.
For a complete code tutorial and walkthrough, see Deploying a Static Site with CloudFront Flat-Rate and Terraform. It walks through each resource—S3 bucket, OAC, ACM certificate, CloudFront distribution, Route53—with explanations of why each setting is what it is.
Conclusion
CloudFront’s flat-rate free plan solves a real problem: it lets you host on AWS with full infrastructure control and zero risk of surprise billing. The constraints and limitations are manageable and worthwhile for the vast majority of personal sites and low-traffic applications.
For me, it was the missing piece that made S3 + CloudFront competitive with free hosting platforms. I get Terraform-managed infrastructure, subdomain flexibility for future apps, WAF and DDoS protection included, and a hard cost ceiling. The only ongoing cost is S3 request charges, which come to about $0.10/month at normal usage.
If you’re considering the same setup, start with the step-by-step tutorial or grab the Terraform module and deploy in minutes.