AWS cognito medium security documentation change
Summary
Added rate limiting documentation and updated API references for login branding
Security assessment
Added bulk request-rate limits (IP/app client/domain quotas) helps prevent abuse and DDoS attacks. New security controls documentation for authentication systems.
Diff
diff --git a/cognito/latest/developerguide/quotas.md b/cognito/latest/developerguide/quotas.md index 18b856b32..a6cce6e20 100644 --- a//cognito/latest/developerguide/quotas.md +++ b//cognito/latest/developerguide/quotas.md @@ -225 +225 @@ Category | Description | Default quota (RPS) | Adjustable - * Token refresh with `InitiateAuth` or [Token endpoint](./token-endpoint.html) + * Token refresh with `InitiateAuth` or the [token endpoint](./token-endpoint.html) @@ -229 +229 @@ Category | Description | Default quota (RPS) | Adjustable - * Hosted UI sign-in and MFA in [authorization-code or implicit grants](./federation-endpoints-oauth-grants.html)2 + * Managed login or classic hosted UI sign-in and MFA in [authorization-code or implicit grants](./federation-endpoints-oauth-grants.html)2 @@ -348,0 +349,2 @@ Category | Description | Default quota (RPS) | Adjustable + * [DescribeManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html) + * [DescribeManagedLoginBrandingByClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html) @@ -373,0 +376,3 @@ Category | Description | Default quota (RPS) | Adjustable + * [CreateManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html) + * [UpdateManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html) + * [DeleteManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteManagedLoginBranding.html) @@ -393 +398 @@ Category | Description | Default quota (RPS) | Adjustable -2 Each hosted UI operation during sign-in contributes one request to the quota. For example, a user who signs in and provides an MFA code contributes 2 requests. Token redemption in authorization-code grants is subject to an additional quota allocation at the same rate as your quota in the `UserAuthentication` category. +2 Each managed login or classic hosted UI operation during sign-in contributes one request to the quota. For example, a user who signs in and provides an MFA code contributes 2 requests. Token redemption in authorization-code grants is subject to an additional quota allocation at the same rate as your quota in the `UserAuthentication` category. @@ -396,0 +402,10 @@ Category | Description | Default quota (RPS) | Adjustable +### Bulk request-rate limits for user pool domains + +The following quotas apply to the overall volume of requests to a user pool domain. + +Operation | Description | Default quota (RPS) | Adjustable +---|---|---|--- +Per IP | Volume of requests from one IP address | 300 | No +Per app client | Volume of requests for one app client ID | 300 | No +Per domain | Overall volume of requests for the services of one user pool domain | 500 | No + @@ -425 +440,3 @@ The following tables indicate default resource quotas, and whether they're adjus -**Amazon Cognito user pools resource quotas** +### Amazon Cognito user pools resource quotas + +The following quotas describe the maximum number or length of items that you can create in user pools. @@ -462 +479,3 @@ Groups per user pool | 10,000 | No | N/A -**Amazon Cognito user pools session validity parameters** +### Amazon Cognito user pools session validity parameters + +The following quotas describe the available settings for the duration of authentication artifacts and user sessions in user pools. @@ -472 +491,3 @@ Authentication session token | 3 minutes – 15 minutes -**Amazon Cognito user pools code security resource quotas (non-adjustable)** +### Amazon Cognito user pools code security resource quotas (non-adjustable) + +The following quotas describe the available time periods related to codes for sign-in, sign-up, and password reset. @@ -489 +510,3 @@ Maximum number of `VerifyUserAttribute` requests per user per hour | 15 -**Amazon Cognito user pools user import job resource quotas** +### Amazon Cognito user pools user import job resource quotas + +The following quotas describe the resources and limits available to user import jobs. @@ -498 +521,3 @@ Maximum number of users per CSV file | 500,000 | No | N/A -**Amazon Cognito identity pools (federated identities) resource quotas** +### Amazon Cognito identity pools (federated identities) resource quotas + +The following quotas describe the maximum number or length of items that you can create in identity pools. @@ -511 +536,3 @@ Role-based access control (RBAC) rules | 25 | No | N/A -**Amazon Cognito Sync resource quotas** +### Amazon Cognito Sync resource quotas + +The following quotas describe the maximum number or length of items that you can create in Amazon Cognito Sync.