I'm curious about using API Gateway resource policies to only allow a subset of IPs to access it. I am wondering, if someone outside of this IP range would spam the endpoint, would that still incur costs or do you only pay for "non-rejected" requests?
would that still incur costs or do you only pay for "non-rejected" requests?
You do not pay for rejected requests. I have worked with the developers to confirm the code that triggers the charges executes only after the request gets past the access controls