AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-08-13 · Security-related medium

File: cognito/latest/developerguide/cognito-user-pool-managing-errors.md

Summary

Modified API behavior description to alternate between simulated responses and errors for account recovery

Security assessment

The change adjusts error handling to prevent consistent responses that could leak user existence or contact information, mitigating potential enumeration attacks. This addresses an information disclosure risk.

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pool-managing-errors.md b/cognito/latest/developerguide/cognito-user-pool-managing-errors.md
index 9f04650bf..540df1ef7 100644
--- a//cognito/latest/developerguide/cognito-user-pool-managing-errors.md
+++ b//cognito/latest/developerguide/cognito-user-pool-managing-errors.md
@@ -30 +30 @@ When this property has a value of `ENABLED`, your app client doesn't disclose th
-  * Amazon Cognito account confirmation and password recovery APIs return a response indicating a code was sent to a simulated delivery medium, instead of a partial representation of a user's contact information.
+  * The behavior of Amazon Cognito account confirmation and password recovery APIs alternates between returning a response indicating a code was sent to a simulated delivery medium and returning an `InvalidParameterException` error.