diff --git a/apps/emqx/src/emqx_access_control.erl b/apps/emqx/src/emqx_access_control.erl
index 3e0063bc5..6306503d7 100644
--- a/apps/emqx/src/emqx_access_control.erl
+++ b/apps/emqx/src/emqx_access_control.erl
@@ -40,10 +40,11 @@ authenticate(Credential) ->
 -spec authorize(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
       -> allow | deny.
 authorize(ClientInfo, PubSub, Topic) ->
-    case emqx_authz_cache:is_enabled() of
+    Result = case emqx_authz_cache:is_enabled() of
         true  -> check_authorization_cache(ClientInfo, PubSub, Topic);
         false -> do_authorize(ClientInfo, PubSub, Topic)
-    end.
+    end,
+    inc_acl_metrics(Result), Result.
 
 check_authorization_cache(ClientInfo, PubSub, Topic) ->
     case emqx_authz_cache:get_authz_cache(PubSub, Topic) of
@@ -51,7 +52,9 @@ check_authorization_cache(ClientInfo, PubSub, Topic) ->
             AuthzResult = do_authorize(ClientInfo, PubSub, Topic),
             emqx_authz_cache:put_authz_cache(PubSub, Topic, AuthzResult),
             AuthzResult;
-        AuthzResult -> AuthzResult
+        AuthzResult ->
+            inc_acl_metrics(cache_hit),
+            AuthzResult
     end.
 
 do_authorize(ClientInfo, PubSub, Topic) ->
@@ -65,3 +68,11 @@ do_authorize(ClientInfo, PubSub, Topic) ->
 run_hooks(Name, Args, Acc) ->
     ok = emqx_metrics:inc(Name),
     emqx_hooks:run_fold(Name, Args, Acc).
+
+-compile({inline, [inc_acl_metrics/1]}).
+inc_acl_metrics(allow) ->
+    emqx_metrics:inc('client.acl.allow');
+inc_acl_metrics(deny) ->
+    emqx_metrics:inc('client.acl.deny');
+inc_acl_metrics(cache_hit) ->
+    emqx_metrics:inc('client.acl.cache_hit').
diff --git a/apps/emqx/src/emqx_metrics.erl b/apps/emqx/src/emqx_metrics.erl
index ad1bb18ce..6401f11e2 100644
--- a/apps/emqx/src/emqx_metrics.erl
+++ b/apps/emqx/src/emqx_metrics.erl
@@ -183,6 +183,13 @@
          {counter, 'session.terminated'}
         ]).
 
+%% Statistic metrics for ACL checking
+-define(STASTS_ACL_METRICS,
+        [ {counter, 'client.acl.allow'},
+          {counter, 'client.acl.deny'},
+          {counter, 'client.acl.cache_hit'}
+        ]).
+
 %% Overload protetion counters
 -define(OLP_METRICS,
         [{counter, 'olp.delay.ok'},
@@ -439,6 +446,7 @@ init([]) ->
                             ?DELIVERY_METRICS,
                             ?CLIENT_METRICS,
                             ?SESSION_METRICS,
+                            ?STASTS_ACL_METRICS,
                             ?OLP_METRICS
                            ]),
     % Store reserved indices
@@ -584,10 +592,14 @@ reserved_idx('session.takenover')            -> 222;
 reserved_idx('session.discarded')            -> 223;
 reserved_idx('session.terminated')           -> 224;
 
-reserved_idx('olp.delay.ok')                 -> 300;
-reserved_idx('olp.delay.timeout')            -> 301;
-reserved_idx('olp.hbn')                      -> 302;
-reserved_idx('olp.gc')                       -> 303;
-reserved_idx('olp.new_conn')                 -> 304;
+reserved_idx('client.acl.allow')             -> 300;
+reserved_idx('client.acl.deny')              -> 301;
+reserved_idx('client.acl.cache_hit')         -> 302;
+
+reserved_idx('olp.delay.ok')                 -> 400;
+reserved_idx('olp.delay.timeout')            -> 401;
+reserved_idx('olp.hbn')                      -> 402;
+reserved_idx('olp.gc')                       -> 403;
+reserved_idx('olp.new_conn')                 -> 404;
 
 reserved_idx(_)                              -> undefined.