How AWS Cognito User Pool defends against bruteforce attacks

Submitted by 烈酒焚心 on 2020-01-31 04:19:04

Question


I am going to use the AWS Cognito User Pool product as the user directory for an application and have several questions:

  1. Does Amazon throttle requests to Cognito User Pool, and if yes, what is the rate limit of calls before getting throttled?
  2. How does Cognito defend against brute-force attacks on login/password?

Answer 1:


After a couple of hours of searching I found these two exceptions in the source code:

TooManyFailedAttemptsException This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).

HTTP Status Code: 400

TooManyRequestsException This exception gets thrown when the user has made too many requests for a given operation.

HTTP Status Code: 400

Also, I tried to log in with wrong credentials to test the limits; I got a NotAuthorizedException: Password attempts exceeded exception after the 5th attempt.

In a similar scenario, I tried to brute-force forgot password, but after 10 failed attempts I got LimitExceededException: Attempt limit exceeded, please try after some time.

I think that is how they do it.
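The exceptions and messages reported in this answer are also what shows up in CloudTrail when Cognito throttles or locks out a caller, which makes them usable as detection signals. The following is an added example (not part of the original answer or of any AWS code): it runs a small detector over constructed CloudTrail-style records, keying on sourceIPAddress because Cognito redacts the auth parameters in CloudTrail; the record field names follow the CloudTrail format, the sample events and the threshold are assumptions.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; the exception names and messages are the ones
# observed in the answer above.
COGNITO = "cognito-idp.amazonaws.com"
SAMPLE_EVENTS = (
    [{"eventSource": COGNITO, "eventName": "InitiateAuth",
      "sourceIPAddress": "203.0.113.7", "errorCode": "NotAuthorizedException",
      "errorMessage": "Incorrect username or password."}] * 5
    + [{"eventSource": COGNITO, "eventName": "InitiateAuth",
        "sourceIPAddress": "203.0.113.7", "errorCode": "NotAuthorizedException",
        "errorMessage": "Password attempts exceeded"},
       {"eventSource": COGNITO, "eventName": "ForgotPassword",
        "sourceIPAddress": "198.51.100.9", "errorCode": "LimitExceededException",
        "errorMessage": "Attempt limit exceeded, please try after some time."},
       {"eventSource": COGNITO, "eventName": "InitiateAuth",
        "sourceIPAddress": "192.0.2.1"},  # successful sign-in: no errorCode
       {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied"}]
)


def analyze(events, threshold=5):
    """Count Cognito brute-force indicators per source IP: plain failed
    sign-ins, lockouts ("Password attempts exceeded") and ForgotPassword
    rate-limit hits, and list IPs that reached the threshold or a lockout."""
    failed = Counter()
    lockouts = Counter()
    reset_limit = Counter()
    for ev in events:
        if ev.get("eventSource") != COGNITO:
            continue  # only Cognito API calls are relevant here
        ip = ev.get("sourceIPAddress", "unknown")
        code = ev.get("errorCode")
        msg = ev.get("errorMessage", "")
        if ev["eventName"] == "InitiateAuth" and code == "NotAuthorizedException":
            if "Password attempts exceeded" in msg:
                lockouts[ip] += 1  # Cognito has already locked the user out
            else:
                failed[ip] += 1
        elif ev["eventName"] == "ForgotPassword" and code == "LimitExceededException":
            reset_limit[ip] += 1  # reset flow throttled after repeated attempts
    suspicious = sorted(ip for ip in set(failed) | set(lockouts)
                        if failed[ip] >= threshold or lockouts[ip] > 0)
    return {"failed": failed, "lockouts": lockouts,
            "reset_limit": reset_limit, "suspicious_ips": suspicious}
```

A lockout event alone is enough to flag a source, since Cognito only emits it after the failed-attempt limit has already been hit.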




Answer 2:


Yes, Cognito User Pools protects against brute force attacks by using various security mechanisms. Throttling is one of those mechanisms. We do not share limits as they vary dynamically.



Source: https://stackoverflow.com/questions/37732970/how-aws-cognito-user-pool-defends-against-bruteforce-attacks
