Yes. AWS Cognito does implement a lockout policy by default, but the policy is not public to customers for security reasons. While I cannot provide specifics of the algorithms, I would like to give you some general information about the behaviour that can be expected.
Cognito User Pools implements a throttling and backoff mechanism where supplied passwords for a given user name are found to be incorrect. In particular, Cognito itself does not disable an account automatically when N attempts take place against a user.
After a series of consecutive failed login attempts, Cognito throws an error – “NotAuthorizedException: Password attempts exceeded” – for a certain lockout period. Cognito uses a complex rule internally to determine the number of failed attempts and the duration of the lockout between the failed attempts. If another attempt to log in happens, the lockout time is increased exponentially. However, once a successful login is made after that lockout period has expired, the counter is reset. The maximum lockout time is a few minutes (this is internal to the AWS Cognito service and subject to change). These policy settings are not visible or modifiable via the AWS console or AWS APIs/CLI commands, nor are they customizable at the account level.
At this point, I believe you have a general picture of the lockout policy used by Cognito. You may have another question in mind: “what if I want to implement something different?” For example, when user authentication fails 3 times, I want to lock the account for 30 minutes and unlock it automatically after that.
One sample solution is to implement some logic with the desired behavior on the client side. For example, you can use the Pre Authentication Lambda trigger and the Post Authentication Lambda trigger with your Cognito User Pool. Firstly, you can record the login attempt count of your users in a DynamoDB table keyed by a user attribute. If the login attempt count exceeds a set limit, you can reject further login attempts for such users for a certain duration by using the Pre Authentication Lambda trigger. On successful authentication of the user, you can then reset the login counter for the user in the database by using the Post Authentication Lambda trigger.
Please note this is just a sample solution; verifying it is an essential step before implementing it.
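The trigger pair described in the answer, written out as an added example (not code from the answer or from AWS): the 3-attempts / 30-minute policy is the one named above, and the DynamoDB table is replaced by an in-memory dict so the handlers run offline. The `now` parameter and the `LockedOut` class are assumptions added for testability; the event shape (`userName`) is the one Cognito passes to both triggers.

```python
import time

# Policy from the answer: lock after 3 attempts, unlock automatically after 30 minutes.
MAX_ATTEMPTS = 3
LOCKOUT_SECONDS = 30 * 60

# Constructed stand-in for the DynamoDB table: user name -> attempt record.
attempts_table = {}


class LockedOut(Exception):
    """Raised from the Pre Authentication trigger to make Cognito reject the sign-in."""


def pre_authentication(event, context=None, now=None):
    """Cognito Pre Authentication trigger (runs before the password is checked)."""
    now = time.time() if now is None else now
    user = event["userName"]
    record = attempts_table.get(user, {"count": 0, "last_attempt": 0.0})
    locked_until = record["last_attempt"] + LOCKOUT_SECONDS
    if record["count"] >= MAX_ATTEMPTS:
        if now < locked_until:
            # Cognito surfaces the exception message to the caller; keep it generic.
            raise LockedOut("Too many sign-in attempts; try again later")
        # Lockout window has expired: unlock automatically and start counting again.
        record = {"count": 0, "last_attempt": 0.0}
    # The trigger cannot know whether this attempt will succeed, so every attempt
    # is counted here and the counter is cleared in the post-authentication trigger.
    record["count"] += 1
    record["last_attempt"] = now
    attempts_table[user] = record
    return event


def post_authentication(event, context=None):
    """Cognito Post Authentication trigger (runs only after a successful sign-in)."""
    attempts_table.pop(event["userName"], None)
    return event
```

Because pre-authentication runs for every attempt, the counter also counts attempts that later succeed; only the post-authentication reset distinguishes them, so a legitimate user with repeated successful logins is never locked out.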