API Gateway Rate Limiting in AWS
Add rate limiting to your API with AWS API Gateway. Throttling, usage plans, and per-key limits.
What this problem means
Your API runs on AWS. You need rate limiting to prevent abuse. API Gateway has built-in throttling—you can set limits per API, per stage, or per API key. No application code changes needed.
Why this matters
- Abuse prevention: Rate limiting slows down scrapers and attackers.
- Cost control: Fewer abusive requests = lower Lambda and downstream costs.
- Built-in: No need to implement rate limiting in your application.
Real-world example
A startup ran an API with no rate limits, and a single script hit it with millions of automated requests. They added API Gateway throttling—1000 requests per second per account, 100 per second per API key—in the console. Abuse dropped by 90%. No code deployment.
How to fix it
1. Account-level throttling: In API Gateway, set default throttle (e.g., 1000 req/s, 10000 req/day).
2. Usage plans: Create plans (e.g., Free: 100 req/day, Pro: 10000 req/day). Attach to API keys.
3. Per-key limits: Tie usage plans to API keys. Each key gets its own quota.
4. Per-method limits: Override per endpoint if needed.
5. Monitor: Use CloudWatch to track throttling; callers that exceed a limit receive HTTP 429 responses, so a rise in 429s tells you the limits are actually biting.
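The five steps above expressed as one CloudFormation fragment. This is an added example, not configuration from the original guide; the RestApi and Deployment resources it references, the stage name, the tenant name and the /search endpoint are assumptions.

```yaml
# Added example: stage throttle + usage plan + per-key binding in one template.
# RestApi and Deployment are assumed to be defined elsewhere in the template.
Resources:
  # Step 1: stage-wide default throttle, applied to every method,
  # including callers that send no API key at all.
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestApi
      DeploymentId: !Ref Deployment
      StageName: prod
      MethodSettings:
        - ResourcePath: "/*"
          HttpMethod: "*"
          ThrottlingRateLimit: 1000   # steady-state requests per second
          ThrottlingBurstLimit: 2000  # token-bucket burst capacity
          MetricsEnabled: true        # per-method CloudWatch metrics (step 5)
  # Steps 2 and 3: a tier with its own rate and daily quota, bound to the stage.
  FreeTierPlan:
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      UsagePlanName: free
      ApiStages:
        - ApiId: !Ref RestApi
          Stage: !Ref ProdStage
          Throttle:                   # step 4: tighter limit on one costly method
            "/search/GET":            # assumed endpoint, key is resourcePath/httpMethod
              RateLimit: 5
              BurstLimit: 10
      Throttle:
        RateLimit: 100                # per key, requests per second
        BurstLimit: 200
      Quota:
        Limit: 10000                  # per key, per day
        Period: DAY
  # Step 3: one key per tenant. Plan limits are enforced only on methods with
  # ApiKeyRequired: true; other methods fall back to the stage default above.
  TenantAKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Name: tenant-a
      Enabled: true
  TenantAPlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref TenantAKey
      KeyType: API_KEY
      UsagePlanId: !Ref FreeTierPlan
```

Without `ApiKeyRequired: true` on a method, requests to it bypass the usage plan entirely, which is the most common reason per-key limits appear not to work.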
Tools and configurations
- API Gateway: Throttling settings, usage plans.
- API keys: Attach to usage plans for per-key limits.
- CloudWatch: Monitor throttle and 429 metrics.
Common mistakes
- Setting limits too low (blocks legitimate users).
- No monitoring—not knowing if throttling is working.
- Only account-level limits (per-key is better for multi-tenant).
Quick checklist
- [ ] Set account-level throttle (e.g., 1000 req/s)
- [ ] Create usage plans for different tiers
- [ ] Attach API keys to usage plans
- [ ] Monitor for 429 and throttle metrics
- [ ] Adjust limits based on usage
Frequently asked questions
- How do I add rate limiting to AWS API Gateway?
- Set throttle limits in API Gateway (Settings or per-stage). Create usage plans and attach them to API keys for per-key limits. Monitor with CloudWatch.
- What is a usage plan in API Gateway?
- A usage plan defines throttle and quota limits. Attach it to API keys. Each key gets its own limits. Good for multi-tenant or tiered APIs.
- How do I set per-API-key rate limits?
- Create a usage plan with throttle and quota. Create API keys and attach them to the usage plan. Each key gets the plan's limits.