amazon-web-services, amazon-cognito

How AWS Cognito User Pool defends against brute-force attacks


I am going to use the AWS Cognito User Pool product as the user directory for an application and have several questions:

  1. Does Amazon throttle requests to a Cognito User Pool, and if yes, what is the rate limit at which calls get throttled?
  2. How does Cognito defend against brute-force attacks on login/password?

Solution

  • After a couple of hours of searching I found these two exceptions in the source code:

    TooManyFailedAttemptsException This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).

    HTTP Status Code: 400

    TooManyRequestsException This exception gets thrown when the user has made too many requests for a given operation.

    HTTP Status Code: 400

    Also, I tried to log in with wrong credentials to test the limits; I got NotAuthorizedException: Password attempts exceeded after the 5th attempt.

    In a similar scenario, I tried to brute-force the forgot-password flow, but after 10 failed attempts I got LimitExceededException: Attempt limit exceeded, please try after some time.

    I think that is how they do it.
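The observations in the answer above are easy to turn into a repeatable probe, and they also decide how a client should react to a failed sign-in: "Incorrect username or password." and "Password attempts exceeded" are both delivered as NotAuthorizedException, so a client that only looks at the exception code cannot tell a typo from a lockout. The following is an added example, not code from the original post or from AWS. It uses a constructed in-memory stand-in for the cognito-idp InitiateAuth and ForgotPassword calls whose thresholds (lock after five wrong passwords, limit after ten ForgotPassword calls) are assumed from the numbers reported in the answer; the real lockout is temporary, which the fake does not model. Against a real pool you would pass `lambda: client.initiate_auth(AuthFlow="USER_PASSWORD_AUTH", ClientId=..., AuthParameters={"USERNAME": ..., "PASSWORD": "wrong"})` on a boto3 `cognito-idp` client instead of the fake, since botocore's ClientError exposes the same `.response["Error"]` shape that `classify` reads.

```python
"""Probe and handle Cognito User Pool lockout / rate-limit errors.

Added example (not from the original post). The FakeCognitoIdp below is a
constructed stand-in whose thresholds are assumed from the answer's report:
5 wrong passwords -> NotAuthorizedException 'Password attempts exceeded',
10 ForgotPassword calls -> LimitExceededException 'Attempt limit exceeded'.
"""
from typing import Callable, Dict, Optional, Tuple


class AuthError(Exception):
    """Mimics botocore.exceptions.ClientError: code and message live in .response['Error']."""

    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeCognitoIdp:
    """Constructed stand-in for the cognito-idp API (assumed thresholds, see module docstring)."""

    SIGNIN_LOCK_AFTER = 5      # wrong passwords tolerated before the lockout message appears
    FORGOT_LIMIT = 10          # ForgotPassword calls tolerated before LimitExceededException

    def __init__(self, users: Dict[str, str]):
        self._users = users
        self._failed_signins: Dict[str, int] = {}
        self._forgot_calls: Dict[str, int] = {}

    def initiate_auth(self, username: str, password: str) -> dict:
        failures = self._failed_signins.get(username, 0)
        if failures >= self.SIGNIN_LOCK_AFTER:
            # Real Cognito lifts this after a while; the fake keeps the user locked.
            raise AuthError("NotAuthorizedException", "Password attempts exceeded")
        if self._users.get(username) == password:
            self._failed_signins[username] = 0
            return {"AuthenticationResult": {"AccessToken": "constructed-token"}}
        self._failed_signins[username] = failures + 1
        raise AuthError("NotAuthorizedException", "Incorrect username or password.")

    def forgot_password(self, username: str) -> dict:
        calls = self._forgot_calls.get(username, 0) + 1
        self._forgot_calls[username] = calls
        if calls > self.FORGOT_LIMIT:
            raise AuthError("LimitExceededException",
                            "Attempt limit exceeded, please try after some time.")
        return {"CodeDeliveryDetails": {"DeliveryMedium": "EMAIL"}}


# (Code, message prefix) pairs that mean "stop hammering this identity/operation".
LOCKOUT_MARKERS = (
    ("NotAuthorizedException", "Password attempts exceeded"),   # InitiateAuth lockout
    ("LimitExceededException", "Attempt limit exceeded"),       # ForgotPassword limit
    ("TooManyFailedAttemptsException", ""),                      # documented, any message
    ("TooManyRequestsException", ""),                            # documented, any message
)
# Failures that mean "wrong input, try again"; anything else is surfaced to the caller.
BENIGN_CODES = {"NotAuthorizedException", "UserNotFoundException"}


def classify(exc: BaseException) -> Tuple[str, str]:
    """Normalise a botocore ClientError (or the fake's AuthError) into (Code, Message)."""
    err = (getattr(exc, "response", None) or {}).get("Error", {})
    return err.get("Code", type(exc).__name__), err.get("Message", str(exc))


def is_lockout(code: str, message: str) -> bool:
    return any(code == c and message.startswith(prefix) for c, prefix in LOCKOUT_MARKERS)


def next_action(exc: BaseException) -> str:
    """What a client should do after an auth call failed: 'backoff', 'reprompt' or 'raise'."""
    code, message = classify(exc)
    if is_lockout(code, message):
        return "backoff"    # the pool is rate-limiting; retrying immediately only extends it
    if code in BENIGN_CODES:
        return "reprompt"   # plain bad credentials: let the user try again
    return "raise"          # misconfiguration, network error, etc.


def probe_threshold(call: Callable[[], dict], max_calls: int = 50) -> Optional[int]:
    """Repeat `call` until the service answers with a lockout/limit error.

    Returns the 1-based call number on which the lockout first appeared, or
    None if `max_calls` went by without one. Benign failures (wrong password)
    are expected and skipped; any other error is re-raised unchanged.
    """
    for n in range(1, max_calls + 1):
        try:
            call()
        except Exception as exc:
            code, message = classify(exc)
            if is_lockout(code, message):
                return n
            if code not in BENIGN_CODES:
                raise
    return None


if __name__ == "__main__":
    idp = FakeCognitoIdp({"alice": "correct-horse-battery-staple"})
    print("sign-in lockout seen on attempt",
          probe_threshold(lambda: idp.initiate_auth("alice", "wrong-password")))
    print("forgot-password limit seen on call",
          probe_threshold(lambda: idp.forgot_password("alice")))
```

The probe deliberately stops at the first lockout: against a real pool, continuing past it only lengthens the temporary lockout for the test user, and the attempt number at which the message changes is the whole measurement.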