Rate Limiting: Token Bucket vs Leaky Bucket on AWS WAF and API Gateway

Cloud Architecture Jun 12, 2026 Palaniappan P 1 min read

Quick summary: Token buckets allow bursts; leaky buckets smooth traffic—WAF rate rules and API Gateway usage plans implement neither perfectly but both matter for layered defense.

Key Takeaways

Token buckets allow bursts; leaky buckets smooth traffic—WAF rate rules and API Gateway usage plans implement neither perfectly but both matter for layered defense
June 2026: Layer edge (CloudFront + WAF), API (Gateway throttling), and app (ElastiCache token bucket) limits—attackers hit the cheapest layer first
What to do this week 1
Set account-level API Gateway throttle guardrails
2

Table of Contents

June 2026: Layer edge (CloudFront + WAF), API (Gateway throttling), and app (ElastiCache token bucket) limits—attackers hit the cheapest layer first.

Algorithms

Algorithm	Behavior	AWS analog
Token bucket	Allows bursts up to bucket size	API GW burst limits
Leaky bucket	Smooth output rate	WAF steady rate-based rule
Fixed window	Simple counter per minute	WAF classic rate rule

Opinionated take: Combine WAF IP rate limit with per-API-key usage plan—do not rely on Lambda concurrency alone.

What to do this week

Set account-level API Gateway throttle guardrails.
Add WAF rate rule on /login and expensive GraphQL paths.
Implement app-level bucket in Redis for partner APIs.

What this guide doesn’t cover

API Gateway REST vs HTTP—canonical API Gateway post.

Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

AWS ArchitectureCloud MigrationGenAI on AWSCost OptimizationDevOps

Article Info

Updated this month

Cloud Architecture
Jun 12, 2026
1 min read
Palaniappan P

**June 2026**: Layer **edge** (CloudFront + WAF), **API** (Gateway throttling), and **app** (ElastiCache token bucket) limits—attackers hit the cheapest layer first.

## Algorithms

| Algorithm    | Behavior                        | AWS analog                 |
| ------------ | ------------------------------- | -------------------------- |
| Token bucket | Allows bursts up to bucket size | API GW burst limits        |
| Leaky bucket | Smooth output rate              | WAF steady rate-based rule |
| Fixed window | Simple counter per minute       | WAF classic rate rule      |

**Opinionated take:** Combine **WAF IP rate limit** with **per-API-key usage plan**—do not rely on Lambda concurrency alone.

## What to do this week

1. Set account-level API Gateway throttle guardrails.
2. Add WAF rate rule on `/login` and expensive GraphQL paths.
3. Implement app-level bucket in Redis for partner APIs.

## What this guide doesn't cover

API Gateway REST vs HTTP—[canonical API Gateway post](/blog/aws-api-gateway-patterns-rest-http-websocket/).

Ask AI

ChatGPT Claude Perplexity Gemini

Need AWS Help?

Our certified AWS architects can help you implement the solutions discussed in this article.

Talk to an AWS Expert

Related AWS Services

Work with our certified AWS architects to implement the strategies covered in this article.

AWS Architecture Review

Well-Architected Framework review covering reliability, performance, security, and operational excellence.

Learn more

AWS Serverless

Design and build event-driven serverless systems using Lambda, API Gateway, Step Functions, and DynamoDB.

Learn more

AWS Migration

Migrate workloads from on-premises, GCP, Azure, or legacy hosting to AWS with minimal downtime.

Learn more

Recommended Reading

Explore All Articles »

OAuth2 Token Introspection vs JWT Validation on Cognito and API Gateway

Cloud Architecture

Jun 12, 2026 1 min

OAuth2 Token Introspection vs JWT Validation on Cognito and API Gateway

Local JWT validation is fast until revocation lags bite you. When to introspect at Cognito, use API Gateway JWT authorizers, and add Verified Permissions for fine-grained authz.

gRPC, GraphQL, Protobuf, and API Contracts on AWS

Cloud Architecture

Jun 12, 2026 1 min

gRPC, GraphQL, Protobuf, and API Contracts on AWS

Protobuf on the wire saves bytes; GraphQL saves round trips until resolvers N+1 your Aurora cluster. ALB gRPC, AppSync, and consumer-driven contracts with Pact.

AWS API Gateway Patterns: REST, HTTP, and WebSocket APIs

Cloud Architecture

Feb 14, 2026 7 min

AWS API Gateway Patterns: REST, HTTP, and WebSocket APIs

Three API types, three pricing models, three authentication patterns — and the wrong choice baked into your URL design for years. A decision guide for picking REST vs HTTP vs WebSocket APIs, with the throttling and caching configs that decide your monthly bill.

Modern Web Transport on AWS: TCP Congestion, HTTP/2, HTTP/3, and QUIC

Cloud Architecture

Jun 12, 2026 2 min

Modern Web Transport on AWS: TCP Congestion, HTTP/2, HTTP/3, and QUIC

Packet loss on mobile networks still punishes HTTP/1.1 head-of-line blocking—but HTTP/3 only helps if CloudFront terminates QUIC and your origin connection pools are sized for multiplexed streams. This guide connects Reno, Cubic, BBR, HPACK, and QUIC to ALB and CloudFront decisions.

AI & assistant-friendly summary

Summary

Key Facts

Entity Definitions

Related Content

Algorithms

What to do this week

What this guide doesn’t cover

Related AWS Services

AWS Architecture Review

AWS Serverless

AWS Migration

Recommended Reading

OAuth2 Token Introspection vs JWT Validation on Cognito and API Gateway

gRPC, GraphQL, Protobuf, and API Contracts on AWS

AWS API Gateway Patterns: REST, HTTP, and WebSocket APIs

Modern Web Transport on AWS: TCP Congestion, HTTP/2, HTTP/3, and QUIC