
API Gateway Security Architecture (2026): WAF, Cognito, Private APIs, and Verified Permissions
After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4.2% → 0.1% — but a missing WAF rate rule still let a scraper burn $1.8k in a weekend.

