CloudFront and WAF have charges for legitimate (i.e. proper, well-formed HTTP) requests. It's (generally) not possible to know whether a request is part of a DDoS attack or not without parsing the request first. True, you could filter by known bad IP address, but any sophisticated attack is most probably going to come from a range of addresses that are not (or not completely) in a list of bad IP addresses.
The advantage of using CloudFront as that first layer of DDoS protection is that it is generally much less expensive than scaling up your EC2 instances to deal with the volume of requests. CloudFront is also able to handle a lot more requests in the time it takes EC2 instances to scale, meaning that valid requests are still served while the DDoS is ongoing.
If we look at (say) 40 million requests to CloudFront with reference to the pricing page: 10 million of those are free each month. For the 30 million remaining requests, those are US$0.01 per 10,000 HTTPS requests (HTTP requests are less expensive), which is US$30 per month. I'm reasonably sure that to handle those requests you would need more than $30 of EC2 instances.
Note that CloudFront also charges for the data that is returned to the client as a response so the less that is sent, the better.
WAF charges are also per request at US$0.60 per million - for 40 million requests: US$24.