How to set quota for CORS preflight requests with AWS API Gateway

To enforce a quota on OPTIONS requests, create a web ACL in AWS WAF and associate it with a stage of your API in API Gateway. Add a rate-based rule in the web ACL that blocks all OPTIONS requests beyond the rate limit you specify. Rules in web ACLs can be configured specifically for this, as shown below:

[Screenshots: AWS WAF console showing the rate-based rule with its scope-down statement matching the OPTIONS method, and the web ACL associated with the API Gateway stage]

For a screenshot-guided tutorial of this entire process, see my blog post.
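The same setup as infrastructure-as-code, as an added example that is not part of the original answer: a CloudFormation template that creates a regional WAFv2 web ACL with a single rate-based rule whose scope-down statement matches only requests with the HTTP method OPTIONS, then associates the web ACL with an API Gateway stage. The limit of 100 is a constructed value (WAF counts it per source IP over a rolling 5-minute window); `RestApiId` and `StageName` are template parameters you supply for your own API.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Rate-limit CORS preflight (OPTIONS) requests to an API Gateway stage with AWS WAF

Parameters:
  RestApiId:
    Type: String
    Description: ID of the REST API to protect (placeholder, supply your own)
  StageName:
    Type: String
    Description: Deployed stage name to protect (placeholder, supply your own)

Resources:
  OptionsRateLimitWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: options-preflight-rate-limit
      Scope: REGIONAL              # API Gateway is a regional resource
      DefaultAction:
        Allow: {}                  # everything not matched by a rule passes through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: OptionsPreflightRateLimitAcl
      Rules:
        - Name: block-excessive-options
          Priority: 0
          Action:
            Block: {}              # requests over the limit get a 403 from WAF, never reach the API
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockExcessiveOptions
          Statement:
            RateBasedStatement:
              Limit: 100           # constructed value: max OPTIONS requests per IP per 5 minutes
              AggregateKeyType: IP
              # Only OPTIONS requests count toward the limit; other methods are untouched
              ScopeDownStatement:
                ByteMatchStatement:
                  FieldToMatch:
                    Method: {}
                  PositionalConstraint: EXACTLY
                  SearchString: OPTIONS
                  TextTransformations:
                    - Priority: 0
                      Type: NONE

  StageWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # ARN format for an API Gateway REST API stage
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${RestApiId}/stages/${StageName}"
      WebACLArn: !GetAtt OptionsRateLimitWebAcl.Arn
```

Deploy with `aws cloudformation deploy --template-file <file> --stack-name <name> --parameter-overrides RestApiId=<id> StageName=<stage>`. The `BlockExcessiveOptions` CloudWatch metric tells you how often the rule fires, which is the signal to watch before tightening the limit; WAF evaluates the rule before API Gateway sees the request, so blocked preflights do not count against the API's own throttling.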


You are not paying for any unauthorized calls to API Gateway. AWS is picking up this charge. You are paying after the request is authorized and only if it does not exceed your usage plan.

So if somebody is doing a DDoS on your API without authentication, it is free of charge.

If somebody is doing a DDoS with a valid API key, you will only pay until your usage plan is exceeded.

Find more information here.

  • Requests are not charged for authorization and authentication failures.

  • Calls to methods that require API keys are not charged when API keys are missing or invalid.

  • API Gateway-throttled requests are not charged when the request rate or burst rate exceeds the preconfigured limits.

  • Usage plan-throttled requests are not charged when rate limits or quota exceed the preconfigured limits.

So make sure to have authentication enabled on your API and a usage plan in place for all the authenticated requests.
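A minimal usage plan that puts the throttle and quota the answer relies on into place, as an added example that is not part of the original answer: a CloudFormation fragment that creates an API key, a usage plan with a per-second rate limit, burst limit and monthly quota, and binds the key to the plan for one API stage. The numeric limits are constructed values; `RestApiId` and `StageName` are placeholders for your own API.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Usage plan with throttle and quota for an API Gateway stage

Parameters:
  RestApiId:
    Type: String
    Description: ID of the REST API (placeholder, supply your own)
  StageName:
    Type: String
    Description: Deployed stage name (placeholder, supply your own)

Resources:
  ClientApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Name: example-client-key     # constructed name
      Enabled: true

  ClientUsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      UsagePlanName: example-client-plan
      ApiStages:
        - ApiId: !Ref RestApiId
          Stage: !Ref StageName
      Throttle:
        RateLimit: 50              # constructed: steady-state requests per second
        BurstLimit: 100            # constructed: short burst capacity
      Quota:
        Limit: 100000              # constructed: requests per period
        Period: MONTH              # DAY, WEEK or MONTH

  ClientUsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref ClientApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref ClientUsagePlan
```

For the plan to take effect, the methods on the stage must have `ApiKeyRequired: true`; requests with a missing or invalid key are rejected before they are billed, and once the key's quota is exhausted, further requests are throttled with a 429 rather than charged.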