Basic AWS rate limiting

[furious-luke]

There are two kinds of rate limiting I'll apply. The first is an API/stage level general rate limiting, regardless of IP address. This should cover development scenarios, where we just don't want to accidentally spend too much money, and is all I really need for this round.

The second approach is based on user IP address limiting. This one is more robust, but also costly. Will add a second issue for this version (#39).

Looks like "usage plans" are the mechanisms of choice. See more here.