Hey Ali, a nice riddle you have there. Aside from the bug (feature?) where public companies aren't filtered by ID, there's a bunch of things that aren't a security threat as such but can be exploited to stop the app from operating. So here goes:

  • Scan goes through the whole table every time, and with 5 reads/s you will saturate that very quickly. The SDK, however, will attempt exponential backoff with the default timeout, so the function will start timing out.
  • The API has a default rate limit of 10k requests per second, so using that and a 3s timeout one can consume all of your account's Lambda scalability (default 1000 concurrent executions).

A good way to solve it would be limiting the rate of anonymous calls per client conservatively and/or adding some auth. Also, I'd avoid Scan and index the table in a way that Query would return the desired results. One other consideration is how long the Dynamo call takes and whether the behaviour of the SDK calling Dynamo needs changing.

Team Lead at Autogrow
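The two mitigations suggested above, as an added example that is not code from the original thread or from Ali's app: a Lambda handler that rate-limits anonymous callers before touching DynamoDB, and fetches a public company with a Query against a global secondary index instead of a Scan plus filter. The table name `companies`, the partition key `id`, the string attribute `visibility` ("public"/"private") and the GSI `visibility-index` keyed by (`visibility`, `id`) are assumptions; boto3 is not imported, the `table` argument is any object with the boto3 Table `query`/`scan` call shape, and `FakeTable` plus `SAMPLE` are constructed stand-ins so the demo runs offline.

```python
"""Added example (not the original thread's code): hardened Lambda handler.
Assumed names: table `companies`, key `id`, attribute `visibility`,
GSI `visibility-index` with partition key `visibility` and sort key `id`."""
import json
import time

INDEX_NAME = "visibility-index"  # assumed GSI name


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/s, bursts to `capacity`.
    State lives in the execution environment, so it caps each warm container;
    a shared store (or API Gateway usage plans / WAF rules) gives a global cap."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self._buckets = {}  # client -> (tokens, last_refill_time)

    def allow(self, client):
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        granted = tokens >= 1
        self._buckets[client] = (tokens - 1 if granted else tokens, now)
        return granted


def scan_public_company(table, company_id):
    """The pattern the post warns about: every call reads the whole table and
    filters afterwards, so each request costs the full table's read units."""
    resp = table.scan(
        FilterExpression="#v = :v AND #id = :id",
        ExpressionAttributeNames={"#v": "visibility", "#id": "id"},
        ExpressionAttributeValues={":v": "public", ":id": company_id},
    )
    return resp.get("Items", [])


def query_public_company(table, company_id):
    """Both conditions are key conditions on the GSI, so DynamoDB reads at most
    one item, and the visibility check is part of the key, not a post-filter."""
    resp = table.query(
        IndexName=INDEX_NAME,
        KeyConditionExpression="#v = :v AND #id = :id",
        ExpressionAttributeNames={"#v": "visibility", "#id": "id"},
        ExpressionAttributeValues={":v": "public", ":id": company_id},
        Limit=1,
    )
    return resp.get("Items", [])


def handler(event, context, table, limiter):
    """API Gateway REST proxy event -> response. The rate limit runs before any
    DynamoDB call, so a flood is rejected without consuming read capacity."""
    client = event.get("requestContext", {}).get("identity", {}).get("sourceIp", "unknown")
    if not limiter.allow(client):
        return {"statusCode": 429, "body": "too many requests"}
    company_id = (event.get("pathParameters") or {}).get("id", "")
    if not (0 < len(company_id) <= 64):
        return {"statusCode": 400, "body": "missing or invalid id"}
    items = query_public_company(table, company_id)
    if not items:
        return {"statusCode": 404, "body": "not found"}
    return {"statusCode": 200, "body": json.dumps(items[0])}


class FakeTable:
    """Constructed stand-in for a boto3 Table; counts items read so the cost
    difference between the scan and query paths is visible offline."""

    def __init__(self, items):
        self.items, self.items_read = items, 0

    def _match(self, kw):
        v = kw["ExpressionAttributeValues"]
        return [i for i in self.items if i["visibility"] == v[":v"] and i["id"] == v[":id"]]

    def scan(self, **kw):
        self.items_read += len(self.items)  # a Scan touches every item
        return {"Items": self._match(kw)}

    def query(self, **kw):
        hits = self._match(kw)
        self.items_read += len(hits)  # a key-condition Query reads only hits
        return {"Items": hits[: kw.get("Limit", len(hits))]}


SAMPLE = [  # constructed data
    {"id": "c1", "name": "Acme", "visibility": "public"},
    {"id": "c2", "name": "Shadow", "visibility": "private"},
    {"id": "c3", "name": "Globex", "visibility": "public"},
]


def event_for(ip, company_id):
    return {"requestContext": {"identity": {"sourceIp": ip}}, "pathParameters": {"id": company_id}}


if __name__ == "__main__":
    table, limiter = FakeTable(SAMPLE), TokenBucket(rate=1.0, capacity=3)
    for _ in range(5):  # the fourth and fifth calls from one IP get 429
        print(handler(event_for("203.0.113.9", "c1"), None, table, limiter)["statusCode"])
    print("items read by the query path:", table.items_read)
```

The limiter key is the API Gateway source IP, which is what an unauthenticated endpoint has to work with; once some auth is added, the key should become the authenticated principal instead. The `Limit=1` on the Query and the 64-character cap on `id` bound the cost of a single request, which is what keeps a burst of anonymous calls from turning into Lambda timeouts.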