---
title: Rate Limiting: Token Bucket vs Leaky Bucket on AWS WAF and API Gateway
description: Token buckets allow bursts; leaky buckets smooth traffic—WAF rate rules and API Gateway usage plans implement neither perfectly but both matter for layered defense.
url: https://www.factualminds.com/blog/rate-limiting-token-bucket-leaky-bucket-aws-waf-apigw/
datePublished: 2026-06-12T00:00:00.000Z
dateModified: 2026-06-12T00:00:00.000Z
author: Palaniappan P
category: Cloud Architecture
tags: engineering-guide, api-gateway, security, aws
---

# Rate Limiting: Token Bucket vs Leaky Bucket on AWS WAF and API Gateway

> Token buckets allow bursts; leaky buckets smooth traffic—WAF rate rules and API Gateway usage plans implement neither perfectly but both matter for layered defense.

**June 2026**: Layer limits at the **edge** (CloudFront + WAF), the **API** (Gateway throttling), and the **app** (ElastiCache token bucket); attackers hit the cheapest layer first.

## Algorithms

| Algorithm    | Behavior                        | AWS analog                 |
| ------------ | ------------------------------- | -------------------------- |
| Token bucket | Allows bursts up to bucket size | API GW burst limits        |
| Leaky bucket | Smooth output rate              | WAF steady rate-based rule |
| Fixed window | Simple counter per minute       | WAF classic rate rule      |

**Opinionated take:** Combine **WAF IP rate limit** with **per-API-key usage plan**—do not rely on Lambda concurrency alone.

## What to do this week

1. Set account-level API Gateway throttle guardrails.
2. Add WAF rate rule on `/login` and expensive GraphQL paths.
3. Implement app-level bucket in Redis for partner APIs.
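
A side-by-side implementation of the three algorithms from the table above, with the per-caller state kept in a plain dict in place of the Redis/ElastiCache store that step 3 calls for. This is an added example, not code from the original post or from AWS; the bucket sizes, the key names and the caller-supplied `now` clock are assumptions chosen so the burst-versus-smoothing behaviour is deterministic and testable.

```python
"""Token bucket, leaky bucket and fixed window side by side.

Added example for this post, not code from the original article or from AWS.
Assumptions: rates are per second, `now` is supplied by the caller, and the
per-caller state lives in a dict that stands in for Redis/ElastiCache. In
production the read-modify-write inside each `allow` must be atomic on the
Redis side (a Lua script or MULTI/EXEC); that wiring is not shown here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenBucket:
    """Allows a burst of up to `capacity`, then `refill_rate` tokens/second.

    Maps onto API Gateway throttling as capacity = burst, refill_rate = rate.
    """
    capacity: float
    refill_rate: float
    store: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float, cost: float = 1.0) -> bool:
        tokens, last = self.store.get(key, (self.capacity, now))
        # Refill for the elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + max(0.0, now - last) * self.refill_rate)
        ok = tokens >= cost
        if ok:
            tokens -= cost
        self.store[key] = (tokens, now)
        return ok


@dataclass
class LeakyBucket:
    """Virtual queue drained at `leak_rate`/second; `capacity` is the queue depth.

    `allow` returns the time at which the request may be forwarded, or None
    when the queue is full. Output is spaced 1/leak_rate apart regardless of
    how bursty the input is: the 'smooth output rate' row in the table.
    """
    capacity: float
    leak_rate: float
    store: Dict[str, float] = field(default_factory=dict)  # key -> next free release slot

    def allow(self, key: str, now: float) -> Optional[float]:
        next_slot = max(self.store.get(key, now), now)
        queued = (next_slot - now) * self.leak_rate  # requests already waiting
        if queued >= self.capacity:
            return None
        self.store[key] = next_slot + 1.0 / self.leak_rate
        return next_slot


@dataclass
class FixedWindow:
    """Counter reset every `window` seconds.

    Simple, but a caller can spend `limit` at the end of one window and
    `limit` again at the start of the next: 2x the limit in a short span.
    """
    limit: int
    window: float
    store: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # key -> (window index, count)

    def allow(self, key: str, now: float) -> bool:
        idx = int(now // self.window)
        w, count = self.store.get(key, (idx, 0))
        if w != idx:
            w, count = idx, 0
        ok = count < self.limit
        if ok:
            count += 1
        self.store[key] = (w, count)
        return ok


def burst(limiter, key: str, n: int, now: float) -> List:
    """Fire n requests from one caller at the same instant; return each decision."""
    return [limiter.allow(key, now) for _ in range(n)]


if __name__ == "__main__":
    tb = TokenBucket(capacity=10, refill_rate=2)
    print("token bucket, 20 at t=0:", burst(tb, "partner-key-A", 20, 0.0).count(True), "allowed")
    lb = LeakyBucket(capacity=10, leak_rate=2)
    slots = [s for s in burst(lb, "partner-key-A", 20, 0.0) if s is not None]
    print("leaky bucket, 20 at t=0:", len(slots), "queued, released at", slots)
    fw = FixedWindow(limit=5, window=60)
    print("fixed window, boundary:", burst(fw, "ip", 7, 59.0).count(True) + burst(fw, "ip", 7, 60.0).count(True), "allowed in 1s")
```

Run against the same burst of 20 requests, the token bucket admits 10 at once and then one every half second, the leaky bucket admits the same 10 but releases them at 0, 0.5, 1.0 ... 4.5 seconds, and the fixed window lets 10 through in one second around a window boundary, which is the reason the table calls it "simple" rather than "safe".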

## What this guide doesn't cover

API Gateway REST vs HTTP—[canonical API Gateway post](/blog/aws-api-gateway-patterns-rest-http-websocket/).

---

*Source: https://www.factualminds.com/blog/rate-limiting-token-bucket-leaky-bucket-aws-waf-apigw/*
