Let's say I am running a serverless REST API in AWS. I therefore have my REST API implemented in an AWS lambda and the lambda is exposed over HTTP using an API Gateway or an Application Load Balancer. Then, I want to protect my API from potential hackers that use too intensively my API. I therefore want to limit the API calls frequency by IP address of caller.
I see that this can be done with AWS WAF using a rate based rule. When reading the documentation, the minimum threshold is 2000 calls by 5 minutes. This is about 7 calls by second. This is a little too big for our standards. Furthermore, it is not possible to specify a limit by minute, hour, day, etc. So it is pretty limited.
Are there any other alternative than AWS WAF rate based rule to achieve IP based rate limiting?
AWS now has introduced new rate limiting for WAF. (100 requests in 5 minutes)
https://aws.amazon.com/about-aws/whats-new/2019/08/lower-threshold-for-aws-waf-rate-based-rules/
Also, you can apply rate limit on API gateway itself:
This is not IP based but still useful to stop unnecessary requests.