eli-537 amending rate limit

eddalmond1 · eddalmond1 · commit bcef36f91ffe · 2026-03-03T09:57:46.000Z
diff --git a/infrastructure/stacks/api-layer/waf.tf b/infrastructure/stacks/api-layer/waf.tf
@@ -105,7 +105,7 @@ resource "aws_wafv2_web_acl" "api_gateway" {
 
     statement {
       rate_based_statement {
-        limit              = 2000 # Requests per 5-minute period per IP
+        limit              = 300000 # 1000 TPS - we should tie this to other rate limits
         aggregate_key_type = "IP"
       }
     }
diff --git a/infrastructure/stacks/api-layer/waf_alarms.tf b/infrastructure/stacks/api-layer/waf_alarms.tf
@@ -98,17 +98,20 @@ resource "aws_cloudwatch_metric_alarm" "waf_bad_inputs_blocks" {
 }
 
 # Alarm for rate limit violations (overall)
+# Rate limit is set to 300,000 req/5min (1000 TPS headroom over 500 TPS peak).
+# Any block at this threshold is a serious incident - a single IP would need to exceed
+# 300k requests in 5 minutes, which indicates a runaway or compromised proxy.
 resource "aws_cloudwatch_metric_alarm" "waf_rate_limit_blocks" {
   count               = local.waf_enabled ? 1 : 0
   alarm_name          = "WAF-RateLimit-Blocks-${local.workspace}"
-  alarm_description   = "Alerts when requests are rate-limited (potential DDoS)"
+  alarm_description   = "Alerts when requests are rate-limited - at 300k/5min limit this indicates a runaway or compromised proxy"
   comparison_operator = "GreaterThanThreshold"
-  evaluation_periods  = 2
+  evaluation_periods  = 1
   metric_name         = "BlockedRequests"
   namespace           = "AWS/WAFV2"
   period              = 300
   statistic           = "Sum"
-  threshold           = 50 # Alert after 50 rate-limited requests
+  threshold           = 1 # Any block at this limit is a serious incident
   treat_missing_data  = "notBreaching"
 
   dimensions = {
@@ -174,7 +177,7 @@ resource "aws_cloudwatch_metric_alarm" "waf_all_requests_high" {
   namespace           = "AWS/WAFV2"
   period              = 300
   statistic           = "Sum"
-  threshold           = 10000 # Adjust based on expected traffic
+  threshold           = 300000 # 2x peak (500 TPS = 150k/5min); alert above 300k/5min
   treat_missing_data  = "notBreaching"
 
   dimensions = {

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ resource "aws_wafv2_web_acl" "api_gateway" {`
`105`	`105`
`106`	`106`	`statement {`
`107`	`107`	`rate_based_statement {`
`108`		`- limit = 2000 # Requests per 5-minute period per IP`
	`108`	`+ limit = 300000 # 1000 TPS - we should tie this to other rate limits`
`109`	`109`	`aggregate_key_type = "IP"`
`110`	`110`	`}`
`111`	`111`	`}`