Currently, they just 500 as an unexpected response status. Much better
would be S3's '503 Slow Down' response.
Of course, that's all dependent on where you place ratelimit in your
pipeline -- and we haven't really given clear guidance on that. I'm not
actually sure you *want* ratelimit to be after s3api and auth... but if
you *do*, let's at least handle it gracefully.
(cherry picked from commit f33c061ae92f33ea467c58749d3f15d2b1cc942c)