But it’s far from a foolproof system.įor starters, it won’t protect you from DDOS attacks from even a small botnet with thousands of hosts. This is sufficient to repel basic DOS attacks where all the requests originate from a handful of IP addresses. With AWS WAF, you can create rate-based rules that rate limits at the IP level. You can do this in the API Gateway stage settings. You can configure WAF rules for both API Gateway as well as CloudFront. Given that many organizations run their entire production environment out of a single AWS region and account, this is a risk you can’t afford to ignore. Effectively rendering your entire system unavailable. I can bring down not just the API in question, but all your APIs in the entire region. It also means that, as an attacker, I only need to DOS attack one public endpoint. As a result, ALL your APIs in the entire region share a rate limit that can be exhausted by a single method. However, the default method limits – 10k req/s with a burst of 5000 concurrent requests – matches your account level limits. Having built-in throttling enabled by default is great. When you deploy an API to API Gateway, throttling is enabled by default in the stage configurations.īy default, every method inherits its throttling settings from the stage.
0 Comments
Leave a Reply. |