How to throttle AWS Lambda or API Gateway by IP?

Unfortunately if you have a requirement of I want to prevent abuse of these endpoints to something really low, like 1 request every 5 seconds for a given public IP. then AWS WAF will not be suitable.

The minimum threshold you can set for a WAF rate based rule is 2000 requests in a 5 minute period.

If you want to implement aggressive rate based rules based on IP, you will need to write your own solution that either:

• Inspects the CloudFront access logs and retroactively bans bad IPs
• Use Lambda@Edge to evaluate requests in real time + ban accordingly

What might be more appropriate for your use case is using throttling on an API stage, but not based on IP. What you can do is set a maximum number of requests per second on average, and have the API return a 429, too many requests, when that number is exceeded. You can be really aggressive with this, or more relaxed by using a decimal value:

From AWS Announces Rate-Based Rules for AWS WAF:

AWS today announced Rate-based Rules for AWS WAF. This new rule type protects customer websites and APIs from threats such as web-layer DDoS attacks, brute force login attempts and bad bots. Rate Based Rules are automatically triggered when web requests from a client exceed a certain configurable threshold.

With Rated-based Rules customers can also block future requests from a client trying to send large volume of requests to certain parts of their website like the login page. Customer can also integrate this new rule with CloudWatch Alarms and AWS Lambda to take custom action on clients making unusually high calls against their API endpoints. Customers can also use Rate-Based Rules to mitigate unwanted bots by combining the Rate-based rule with a condition to identify specific malicious user agents’ associated with bad bots.