Lambda functions have a publicly accessible URL-based invocation. While I’ve put some restrictions on access through HTTP headers, I worry still that a malicious actor could drive up my request counts so that I get charged lots of $$$. What’s to prevent this? I don’t want to jump to the next plan level automatically.