AWS WAF Rate Limiting Based on Origin Response

Source: DEV Community
Introduction

You have a public website fronted by Amazon CloudFront that serves static files from S3. Customers access these files via direct URLs and must be able to download any file at any time without interference. At the same time, you want to stop malicious actors from crawling your entire bucket.

The Challenge

Goal: Prevent automated scanning of all URLs while still allowing legitimate customers unlimited downloads of the specific files they need.

Constraint: No user login or authentication. Files are freely downloadable, so you cannot simply gate them behind a sign-in flow.

Why Plain AWS WAF Rate Limiting Is Not Enough

AWS WAF lets you define rate-limit rules keyed by source IP or by fingerprinting mechanisms such as JA3 and JA4. In theory, you could set:

- A low limit, such as 10 requests per minute, which blocks scanners effectively but risks blocking legitimate high-throughput customers.
- A high limit, which lets scanners creep through, especially if attackers distribute request
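To make the trade-off concrete, here is an added simulation (not code from the article or from AWS) of per-IP rate-limit decisions over constructed CloudFront-style request records for one 60-second window. It compares a rule that counts every request against one that counts only origin 404 responses, which is assumed here to be what the title's "based on origin response" refers to; the IPs, paths and traffic mix are all made up.

```python
"""Simulated per-IP rate-limit decisions for one 60-second window.
Added example, not AWS WAF code: a model of the trade-off the article describes."""
from collections import Counter

# Constructed sample traffic (not a real log).
# Each record: (source_ip, requested_path, origin_status)
LEGIT = [("203.0.113.10", f"/reports/q{i}.pdf", 200) for i in range(30)]      # heavy but real downloads
SINGLE_SCANNER = [("198.51.100.7", f"/guess{i}.pdf", 404) for i in range(50)]  # one IP probing names
DISTRIBUTED = [(f"192.0.2.{n}", f"/probe{n}-{i}", 404)                         # 20 IPs, 5 probes each
               for n in range(1, 21) for i in range(5)]
EVENTS = LEGIT + SINGLE_SCANNER + DISTRIBUTED


def blocked_by_request_count(events, limit):
    """Model of a rate-based rule keyed on source IP: any IP sending more than
    `limit` requests in the window is blocked, whatever the origin answered."""
    counts = Counter(ip for ip, _, _ in events)
    return {ip for ip, n in counts.items() if n > limit}


def blocked_by_origin_errors(events, limit):
    """Same key (source IP), but only requests the origin answered with 404 are
    counted, so a customer fetching many existing files never hits the limit."""
    counts = Counter(ip for ip, _, status in events if status == 404)
    return {ip for ip, n in counts.items() if n > limit}


def summarize(blocked):
    """Report which of the constructed traffic classes ended up blocked."""
    return {
        "legit_customer": "203.0.113.10" in blocked,
        "single_scanner": "198.51.100.7" in blocked,
        "distributed_scanner_ips": sum(1 for ip in blocked if ip.startswith("192.0.2.")),
    }


if __name__ == "__main__":
    for limit in (10, 100):
        print(f"limit {limit}, all requests: ", summarize(blocked_by_request_count(EVENTS, limit)))
        print(f"limit {limit}, 404s only:    ", summarize(blocked_by_origin_errors(EVENTS, limit)))
```

With the low limit the request-count rule blocks the legitimate customer along with the single-IP scanner, while the 404-count rule blocks only the scanner; neither per-IP scheme catches the distributed scanner, whose 5 probes per IP stay under both limits.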