If you understand API Gateway as "just an HTTP proxy", you will inevitably make mistakes in your security design. In reality, API Gateway passes a request through at least five independent control layers before it reaches the backend: WAF, Resource Policy, Authorizer, Throttle, and Cache. Each layer solves a different problem, and if you misjudge which layer to use when, you either get flooded with 429s or open up an authentication-bypass vulnerability. In this file we dissect the internal working principles of each control layer and cover the edge cases DVA-C02 tests repeatedly.