AWS cognito medium security documentation change
Summary
Clarified error handling for password reset operations by differentiating between existing/nonexistent users
Security assessment
Addresses potential information leakage by preventing simulated delivery medium responses for existing users without verified recovery methods, which could help mitigate user enumeration attacks. Explicitly documents security-related error handling.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pool-managing-errors.md b/cognito/latest/developerguide/cognito-user-pool-managing-errors.md index 9f04650bf..991299e32 100644 --- a//cognito/latest/developerguide/cognito-user-pool-managing-errors.md +++ b//cognito/latest/developerguide/cognito-user-pool-managing-errors.md @@ -178 +178,8 @@ Amazon Cognito returns the following responses to user password reset operations -When a user isn't found, is deactivated, or doesn't have a verified delivery mechanism to recover their password, Amazon Cognito returns `CodeDeliveryDetails` with a simulated delivery medium for a user. The simulated delivery medium is determined by the input username format and verification settings of the user pool. +When a user isn't found, is deactivated, or doesn't have a verified delivery mechanism to recover their password. Amazon Cognito handles existing and nonexistent users differently. + + * **Existing users** \- For existing users who don't have a verified email/phone for account recovery, Amazon Cognito returns an `InvalidParameterException`. + + * **Nonexistent users** \- For nonexistent users who don't have a verified email/phone for account recovery, Amazon Cognito returns both an `InvalidParameterException` and `CodeDeliveryDetails` with a simulated delivery medium. The simulated delivery medium is determined by the input username format and verification settings of the user pool. + + +