> Can't you do a captcha with the WAF? I'm pretty sure that's an option on AWS
You can.
I know because our information security office did it to all of our web endpoints. Which are mostly API endpoints. Without telling anyone involved with individual apps, before or even, until specific complaints got to them, after doing it.
I feel your pain. It's stuff like that that just makes you know, they not only have no idea what they're doing, the level of agency and access they have mean it's just a question of when they finally accidentally something big on fire one day - and whether you'll be able to make it out unscathed with eg just some lost sleep.
You can.
I know because our information security office did it to all of our web endpoints. Which are mostly API endpoints. Without telling anyone involved with individual apps, before or even, until specific complaints got to them, after doing it.