How to apply ip based rate limiting in AWS serverless

Let's say I am running a serverless REST API in AWS. I therefore have my REST API implemented in an AWS Lambda, and the Lambda is exposed over HTTP using an API Gateway or an Application Load Balancer. I then want to protect my API from potential hackers who use my API too intensively. I therefore want to limit the API call frequency by the caller's IP address.

I see that this can be done with AWS WAF using a rate-based rule. When reading the documentation, the minimum threshold is 2000 calls per 5 minutes. This is about 7 calls per second. This is a little too big for our standards. Furthermore, it is not possible to specify a limit per minute, hour, day, etc. So it is pretty limited.

Are there any alternatives other than the AWS WAF rate-based rule to achieve IP-based rate limiting?

asked by mabead, Dec 21 '25 16:12
1 Answer

AWS has now introduced new rate limiting for WAF (100 requests in 5 minutes).

https://aws.amazon.com/about-aws/whats-new/2019/08/lower-threshold-for-aws-waf-rate-based-rules/

Also, you can apply a rate limit on API Gateway itself:

https://cloudonaut.io/customized-rate-limiting-for-api-gateway-by-path-parameter-query-parameter-and-more/

This is not IP-based, but it is still useful to stop unnecessary requests.

answered by James Dean, Dec 24 '25 09:12
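For the case the question raises, a per-IP limit with a window finer than WAF's 5 minutes (per minute, per hour, and so on), the check can be done in the Lambda itself. The following is an added example, not code from the question or the answer above. It implements a sliding-window limiter keyed on the caller IP, extracts that IP from the three event shapes the question mentions (API Gateway REST API, API Gateway HTTP API, and an ALB target), and returns 429 with a Retry-After header when the limit is exceeded. The event dictionaries, IP addresses and the 60-per-minute limit are constructed for the example. One assumption the example makes deliberately visible: the hit store is an in-process dictionary, which is only shared within a single Lambda execution environment; for enforcement across concurrent invocations the same logic would be backed by a shared store such as DynamoDB or ElastiCache, which is also why the WAF rule remains the simpler choice when its thresholds fit.

```python
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-key sliding-window limiter: at most `limit` hits in any `window_seconds` span."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = float(window_seconds)
        self._clock = clock
        # key -> timestamps of allowed hits still inside the window.
        # In-process only (assumption for this example); a real deployment
        # would keep this in a shared store so every Lambda instance sees it.
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        """Return True and record the hit if `key` is under its limit, else False."""
        now = self._clock() if now is None else now
        q = self._hits[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key, now=None):
        """Whole seconds until the oldest in-window hit expires (0 if under the limit)."""
        now = self._clock() if now is None else now
        q = self._hits[key]
        if len(q) < self.limit:
            return 0
        return max(0, math.ceil(q[0] + self.window - now))


def source_ip(event):
    """Extract the caller IP from an API Gateway (REST or HTTP API) or ALB Lambda event."""
    ctx = event.get("requestContext", {})
    if "elb" in ctx:
        # ALB target: the ALB appends the connecting client's IP as the LAST entry of
        # X-Forwarded-For. Earlier entries are supplied by the client and are not trusted.
        xff = (event.get("headers") or {}).get("x-forwarded-for", "")
        parts = [p.strip() for p in xff.split(",") if p.strip()]
        return parts[-1] if parts else None
    if "http" in ctx:  # HTTP API (payload format 2.0)
        return ctx["http"].get("sourceIp")
    return ctx.get("identity", {}).get("sourceIp")  # REST API (payload format 1.0)


# Constructed limit for the example: 60 requests per minute per IP.
LIMITER = SlidingWindowLimiter(limit=60, window_seconds=60)


def handler(event, context=None, limiter=LIMITER):
    """Lambda entry point: reject callers over their per-IP budget with HTTP 429."""
    ip = source_ip(event)
    if ip is None:
        return {"statusCode": 400, "body": "cannot determine client IP"}
    if not limiter.allow(ip):
        return {
            "statusCode": 429,
            "headers": {"Retry-After": str(limiter.retry_after(ip))},
            "body": "rate limit exceeded",
        }
    return {"statusCode": 200, "body": "ok"}


# Constructed sample events (documentation-range addresses, placeholder ARN).
REST_EVENT = {"requestContext": {"identity": {"sourceIp": "203.0.113.10"}}}
HTTP_EVENT = {"requestContext": {"http": {"sourceIp": "203.0.113.11"}}}
ALB_EVENT = {
    "requestContext": {"elb": {"targetGroupArn": "arn:aws:elasticloadbalancing:PLACEHOLDER"}},
    "headers": {"x-forwarded-for": "198.51.100.7, 203.0.113.12"},
}


if __name__ == "__main__":
    demo = SlidingWindowLimiter(limit=3, window_seconds=10)
    for i in range(5):
        print(i, handler(REST_EVENT, limiter=demo)["statusCode"])
    print("ALB caller:", source_ip(ALB_EVENT))
```

The limiter is keyed on whatever `source_ip` returns, so the same class can be pointed at an API key or a user id instead of an IP when callers sit behind a shared NAT. Keep the window short enough that the deque per key stays small: with a per-day window the memory per active IP grows to `limit` timestamps.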


