Too Long; Didn't Read
When you deploy an API to API Gateway, throttling is enabled by default in the stage configuration, and every method inherits its throttling settings from the stage. Those default limits are the same as the account-level limit, which is shared by every API in the region. This means that, as an attacker, I only need to attack one public endpoint to bring down not just the API in question but all your APIs in the entire region. The problem is that a single method is allowed to inflict maximum damage on the whole region, and this really needs to be addressed at the platform level. The solution is simple, but the challenge is in governance.
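One way to find the methods that still inherit the stage default is to audit them against the account limit. This is an added example, not code from the original article: the input shapes are assumptions modelled on the `get_account` and `get_stages` responses, all sample values are constructed, and `max_share` is a hypothetical policy threshold.

```python
# Added example: find API Gateway methods that could use up the account-level
# throttle on their own. Input shapes are assumptions modelled on the
# get_account and get_stages responses; every value here is constructed.

ACCOUNT = {"rateLimit": 10000.0, "burstLimit": 5000}  # constructed sample

STAGE = {  # constructed sample stage
    "stageName": "prod",
    "methodSettings": {
        # "*/*" holds the stage default that methods inherit.
        "*/*": {"throttlingRateLimit": 10000.0, "throttlingBurstLimit": 5000},
        # Per-method override; "/" in the resource path is written as "~1".
        "~1orders/POST": {"throttlingRateLimit": 200.0, "throttlingBurstLimit": 100},
    },
}

# Deployed (resource path, HTTP verb) pairs; constructed sample.
METHODS = [("/orders", "POST"), ("/orders", "GET"), ("/health", "GET")]


def effective_rate(stage, path, verb):
    """Return (rate_limit, inherited) for one method of a stage."""
    settings = stage.get("methodSettings", {})
    override = settings.get(path.replace("/", "~1") + "/" + verb, {})
    if "throttlingRateLimit" in override:
        return override["throttlingRateLimit"], False
    # No override: the method inherits the stage default, if there is one.
    return settings.get("*/*", {}).get("throttlingRateLimit"), True


def audit(account, stage, methods, max_share=0.5):
    """Flag methods allowed more than max_share of the account rate limit.

    max_share is a hypothetical policy threshold, not an AWS setting.
    """
    cap = account["rateLimit"]
    findings = []
    for path, verb in methods:
        rate, inherited = effective_rate(stage, path, verb)
        # With no limit configured, only the account-level limit applies.
        rate = cap if rate is None else min(rate, cap)
        if rate / cap > max_share:
            findings.append((stage["stageName"], verb, path, rate / cap, inherited))
    return findings


if __name__ == "__main__":
    for stage_name, verb, path, share, inherited in audit(ACCOUNT, STAGE, METHODS):
        origin = "inherited stage default" if inherited else "method override"
        print(f"{stage_name} {verb} {path}: {share:.0%} of account limit ({origin})")
```

On the constructed sample, the two `GET` methods are flagged because they inherit the stage default, while `POST /orders` passes because its override keeps it to a small share of the account limit.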