I am going to use the AWS Cognito User Pool product as the user directory for my application and have several questions:
After a couple of hours of searching, I found these two exceptions in the source code:
TooManyFailedAttemptsException: This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).
HTTP Status Code: 400
TooManyRequestsException: This exception gets thrown when the user has made too many requests for a given operation.
HTTP Status Code: 400
Also, I tried to log in with wrong credentials to test the limits, and I got a NotAuthorizedException: Password attempts exceeded exception after the 5th attempt.
In a similar scenario, I tried to brute-force the forgot password flow, but after 10 failed attempts I got LimitExceededException: Attempt limit exceeded, please try after some time.
I think that is how they do it.
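An added example, not part of the original post: a small classifier for the error responses quoted above, useful when checking your own pool's limits or deciding how a client should react. It assumes the errors arrive as dicts shaped like botocore's `ClientError.response`; the function names, backoff values and sample data are hypothetical.

```python
# Added example. Function names and backoff values are hypothetical.
# Input dicts follow the shape of botocore's ClientError.response.

LOCKOUT_CODES = {"TooManyFailedAttemptsException", "LimitExceededException"}
THROTTLE_CODES = {"TooManyRequestsException"}


def classify(error_response):
    """Map a Cognito error to bad_credentials / locked_out / throttled / other."""
    err = error_response.get("Error", {})
    code, msg = err.get("Code", ""), err.get("Message", "")
    if code == "NotAuthorizedException":
        # Same code for a wrong password and for the lockout; only the
        # message ("Password attempts exceeded") tells them apart.
        return "locked_out" if "attempts exceeded" in msg.lower() else "bad_credentials"
    if code in LOCKOUT_CODES:
        return "locked_out"
    if code in THROTTLE_CODES:
        return "throttled"
    return "other"


def first_lockout_attempt(responses):
    """Return the 1-based attempt number at which lockout first appears, or None."""
    for n, resp in enumerate(responses, start=1):
        if classify(resp) == "locked_out":
            return n
    return None


def backoff_seconds(kind, retries, base=2.0, cap=300.0):
    """Assumed client-side policy: wait only when locked out or throttled."""
    if kind not in ("locked_out", "throttled"):
        return 0.0
    return min(cap, base * (2 ** retries))


def _err(code, message):
    return {"Error": {"Code": code, "Message": message}}


# Constructed sample: five wrong passwords, then the lockout messages.
SAMPLE = [_err("NotAuthorizedException", "Incorrect username or password.")] * 5 + [
    _err("NotAuthorizedException", "Password attempts exceeded"),
    _err("LimitExceededException", "Attempt limit exceeded, please try after some time."),
]

if __name__ == "__main__":
    print(first_lockout_attempt(SAMPLE), [classify(r) for r in SAMPLE])
```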