How AWS Cognito User Pool defends against bruteforce attacks

Yes, Cognito User Pools protects against brute force attacks by using various security mechanisms. Throttling is one of those of mechanisms. We do not share limits as they vary dynamically.


After couple of hours search I found this two exceptions in source code:

TooManyFailedAttemptsException This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).

HTTP Status Code: 400

TooManyRequestsException This exception gets thrown when the user has made too many requests for a given operation.

HTTP Status Code: 400

Also, I tried to log in with wrong credentials to test limits, I get NotAuthorizedException: Password attempts exceeded exception after 5. attempt.

In a similar scenario, I tried to brute force to forgot password but after 10 failed attempt I got LimitExceededException: Attempt limit exceeded, please try after some time.

I think that is how they do it.


This contains the latest documentation on the lockout policies for Cognito.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

We allow five failed sign-in attempts. After that we start temporary lockouts with exponentially increasing times starting at 1 second and doubling after each failed attempt up to about 15 minutes. Attempts during a temporary lockout period are ignored. After the temporary lockout period, if the next attempt fails, a new temporary lockout starts with twice the duration as the last. Waiting about 15 minutes without any attempts will also reset the temporary lockout. Please note that this behavior is subject to change.