Recently I have been working with AWS API gateway where I created an API and protected it with API key and Cognito (OAuth).

One day I found that my API has been accessed 10K times which failed because of attacker didn’t had the access to it.

My question is : Does Amazon charge for such api calls which are unauthorized? If they charge then how to protect it. As I understand even if I put WAF in front it my API url will still be exposed ….

Any help is appreciated…

If you protect your endpoint with the following authorization types: AWS_IAM, CUSTOM, and COGNITO_USER_POOLS, API Gateway will not be charged for failed requests. Please reference the Pricing Documentation. Also reference Secure AWS API Gateway with Lambda Integration