AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-07-25 · Security-related medium

File: cognito/latest/developerguide/quotas.md

Summary

Added rate limiting documentation and updated API references for login branding

Security assessment

Added bulk request-rate limits (IP/app client/domain quotas) helps prevent abuse and DDoS attacks. New security controls documentation for authentication systems.

Diff

diff --git a/cognito/latest/developerguide/quotas.md b/cognito/latest/developerguide/quotas.md
index 18b856b32..a6cce6e20 100644
--- a//cognito/latest/developerguide/quotas.md
+++ b//cognito/latest/developerguide/quotas.md
@@ -225 +225 @@ Category | Description | Default quota (RPS) | Adjustable
-  * Token refresh with `InitiateAuth` or [Token endpoint](./token-endpoint.html)
+  * Token refresh with `InitiateAuth` or the [token endpoint](./token-endpoint.html)
@@ -229 +229 @@ Category | Description | Default quota (RPS) | Adjustable
-  * Hosted UI sign-in and MFA in [authorization-code or implicit grants](./federation-endpoints-oauth-grants.html)2
+  * Managed login or classic hosted UI sign-in and MFA in [authorization-code or implicit grants](./federation-endpoints-oauth-grants.html)2
@@ -348,0 +349,2 @@ Category | Description | Default quota (RPS) | Adjustable
+  * [DescribeManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html)
+  * [DescribeManagedLoginBrandingByClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html)
@@ -373,0 +376,3 @@ Category | Description | Default quota (RPS) | Adjustable
+  * [CreateManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html)
+  * [UpdateManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html)
+  * [DeleteManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteManagedLoginBranding.html)
@@ -393 +398 @@ Category | Description | Default quota (RPS) | Adjustable
-2 Each hosted UI operation during sign-in contributes one request to the quota. For example, a user who signs in and provides an MFA code contributes 2 requests. Token redemption in authorization-code grants is subject to an additional quota allocation at the same rate as your quota in the `UserAuthentication` category.
+2 Each managed login or classic hosted UI operation during sign-in contributes one request to the quota. For example, a user who signs in and provides an MFA code contributes 2 requests. Token redemption in authorization-code grants is subject to an additional quota allocation at the same rate as your quota in the `UserAuthentication` category.
@@ -396,0 +402,10 @@ Category | Description | Default quota (RPS) | Adjustable
+### Bulk request-rate limits for user pool domains
+
+The following quotas apply to the overall volume of requests to a user pool domain.
+
+Operation | Description | Default quota (RPS) | Adjustable  
+---|---|---|---  
+Per IP | Volume of requests from one IP address | 300 | No  
+Per app client | Volume of requests for one app client ID | 300 | No  
+Per domain | Overall volume of requests for the services of one user pool domain | 500 | No  
+  
@@ -425 +440,3 @@ The following tables indicate default resource quotas, and whether they're adjus
-**Amazon Cognito user pools resource quotas**
+### Amazon Cognito user pools resource quotas
+
+The following quotas describe the maximum number or length of items that you can create in user pools.
@@ -462 +479,3 @@ Groups per user pool | 10,000 | No | N/A
-**Amazon Cognito user pools session validity parameters**
+### Amazon Cognito user pools session validity parameters
+
+The following quotas describe the available settings for the duration of authentication artifacts and user sessions in user pools.
@@ -472 +491,3 @@ Authentication session token | 3 minutes – 15 minutes
-**Amazon Cognito user pools code security resource quotas (non-adjustable)**
+### Amazon Cognito user pools code security resource quotas (non-adjustable)
+
+The following quotas describe the available time periods related to codes for sign-in, sign-up, and password reset.
@@ -489 +510,3 @@ Maximum number of `VerifyUserAttribute` requests per user per hour | 15
-**Amazon Cognito user pools user import job resource quotas**
+### Amazon Cognito user pools user import job resource quotas
+
+The following quotas describe the resources and limits available to user import jobs.
@@ -498 +521,3 @@ Maximum number of users per CSV file | 500,000 | No | N/A
-**Amazon Cognito identity pools (federated identities) resource quotas**
+### Amazon Cognito identity pools (federated identities) resource quotas
+
+The following quotas describe the maximum number or length of items that you can create in identity pools.
@@ -511 +536,3 @@ Role-based access control (RBAC) rules | 25 | No | N/A
-**Amazon Cognito Sync resource quotas**
+### Amazon Cognito Sync resource quotas
+
+The following quotas describe the maximum number or length of items that you can create in Amazon Cognito Sync.