AWS cognito medium security documentation change
Summary
Modified API behavior description to alternate between simulated responses and errors for account recovery
Security assessment
The change adjusts error handling to prevent consistent responses that could leak user existence or contact information, mitigating potential enumeration attacks. This addresses an information disclosure risk.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pool-managing-errors.md b/cognito/latest/developerguide/cognito-user-pool-managing-errors.md index 9f04650bf..540df1ef7 100644 --- a//cognito/latest/developerguide/cognito-user-pool-managing-errors.md +++ b//cognito/latest/developerguide/cognito-user-pool-managing-errors.md @@ -30 +30 @@ When this property has a value of `ENABLED`, your app client doesn't disclose th - * Amazon Cognito account confirmation and password recovery APIs return a response indicating a code was sent to a simulated delivery medium, instead of a partial representation of a user's contact information. + * The behavior of Amazon Cognito account confirmation and password recovery APIs alternates between returning a response indicating a code was sent to a simulated delivery medium and returning an `InvalidParameterException` error.