How AWS Cognito User Pool defends against bruteforce attacks

别那么骄傲 2021-02-05 03:10

I am going to use the AWS Cognito User Pool product as the user directory for an application and have several questions:

  1. Does Amazon throttle requests to Cognito User Pool and
3 Answers
  •  Happy的楠姐
    2021-02-05 03:50

    After a couple of hours of searching I found these two exceptions in the source code:

    TooManyFailedAttemptsException: This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).

    HTTP Status Code: 400

    TooManyRequestsException: This exception gets thrown when the user has made too many requests for a given operation.

    HTTP Status Code: 400

    Also, I tried to log in with wrong credentials to test the limits; I get a NotAuthorizedException: Password attempts exceeded exception after the 5th attempt.

    In a similar scenario, I tried to brute-force the forgot-password flow, but after 10 failed attempts I got LimitExceededException: Attempt limit exceeded, please try after some time.

    I think that is how they do it.
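
An added example (not part of the answer above, and not AWS code): a classifier for the error responses the answer lists, separating a lockout from throttling and from an ordinary wrong password, then flagging accounts whose failures reached a lockout. The function names, the event dictionary shape and the sample events are assumptions constructed for illustration; treating LimitExceededException as an attempt limit follows the answer's observation.

```python
from collections import Counter

LOCKOUT_MESSAGE = "Password attempts exceeded"  # message quoted in the answer

def classify(code, message=""):
    """Map a Cognito error code and message to a handling decision."""
    if code == "NotAuthorizedException":
        # One code covers both a plain wrong password and the lockout;
        # only the message tells them apart.
        return "locked_out" if LOCKOUT_MESSAGE in message else "bad_credentials"
    if code in ("TooManyFailedAttemptsException", "LimitExceededException"):
        return "locked_out"  # assumption: treated as attempt limits, as observed above
    if code == "TooManyRequestsException":
        return "throttled"
    return "other"

def should_retry(decision):
    # Only throttling merits an automatic retry (with backoff); a lockout or
    # a wrong password will not succeed on an immediate retry.
    return decision == "throttled"

def accounts_to_review(events, min_lockouts=1):
    """Usernames whose failures reached one of the lockout responses."""
    hits = Counter()
    for ev in events:
        if classify(ev["code"], ev.get("message", "")) == "locked_out":
            hits[ev["username"]] += 1
    return sorted(user for user, n in hits.items() if n >= min_lockouts)

# Constructed sample events (hypothetical application auth log, not real data).
SAMPLE_EVENTS = [
    {"username": "alice", "code": "NotAuthorizedException",
     "message": "Incorrect username or password."},
    {"username": "alice", "code": "NotAuthorizedException",
     "message": "Password attempts exceeded"},
    {"username": "bob", "code": "TooManyRequestsException", "message": ""},
    {"username": "carol", "code": "LimitExceededException",
     "message": "Attempt limit exceeded, please try after some time."},
    {"username": "dave", "code": "NotAuthorizedException",
     "message": "Incorrect username or password."},
]

if __name__ == "__main__":
    print(accounts_to_review(SAMPLE_EVENTS))
```
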
