How to prevent OTP spamming on CUSTOM_AUTH flow using SMS/Email

0

I've set up a CUSTOM_AUTH flow within Cognito that generates and sends OTP via sms/text and email. Works quite well, very reliable.

However, this has got me wondering how to approach abuse / spamming. Each time the InitiateAuth action on Cognito is triggered, an OTP is generated and sent via email or text. This could result in abusers spamming the system, causing a lot of messages to be sent and driving up costs.

Is there any way in which Cognito can be configured to prevent spamming of a CUSTOM_AUTH flow?

Alternatively, I suppose rate limiting could be achieved by using some kind of persistent storage like DynamoDB. A throttling mechanism could be introduced as part of the define-auth or create-auth Lambda.

Asked 2 years ago, 664 views
1 answer
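One way to build the throttle sketched in the last paragraph, as an added example that is not code from the question, the answer, or Amazon: the OTP send is charged against a per-destination sliding-window budget inside the DefineAuthChallenge trigger, because CreateAuthChallenge (the Lambda that generates and sends the code) only runs when DefineAuthChallenge asks for a CUSTOM_CHALLENGE. The store is an in-memory stand-in for the DynamoDB table the question mentions; the event shape follows the Cognito custom-auth trigger fields (`request.userAttributes`, `request.session`, `response.challengeName` / `issueTokens` / `failAuthentication`), while the limiter class, budget values and helper names are assumptions of this example.

```python
"""Throttle OTP sends in a Cognito CUSTOM_AUTH flow from the DefineAuthChallenge trigger.

Hypothetical example: the limiter is an in-memory stand-in for a DynamoDB table
keyed by destination; budget values below are constructed, not Cognito defaults.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # constructed budget: sliding 10-minute window
MAX_OTP_PER_WINDOW = 3      # constructed budget: at most 3 OTP sends per destination
MAX_WRONG_ANSWERS = 3       # constructed: fail the sign-in after 3 wrong codes


class OtpSendLimiter:
    """Sliding-window counter of OTP sends per destination (email or phone number).

    Stand-in for one DynamoDB item per destination. A production version would use
    an atomic conditional UpdateItem for the count and a TTL attribute so that stale
    items expire on their own. Assumed design, not Cognito's own behaviour.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_OTP_PER_WINDOW, clock=time.time):
        self.window = window
        self.limit = limit
        self._clock = clock
        self._sends = defaultdict(deque)   # destination -> timestamps of recent sends

    def allow(self, destination):
        """Record one send and return True, or return False if the budget is spent."""
        now = self._clock()
        recent = self._sends[destination]
        while recent and recent[0] <= now - self.window:
            recent.popleft()               # drop sends that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def _otp_destination(user_attributes):
    """Pick the attribute the OTP would be delivered to; None means nothing to send to."""
    return user_attributes.get("email") or user_attributes.get("phone_number")


def define_auth_challenge(event, limiter):
    """Body of the DefineAuthChallenge trigger with send throttling added.

    CreateAuthChallenge (which generates and sends the OTP) only runs when this
    trigger answers with challengeName=CUSTOM_CHALLENGE, so refusing here keeps
    the message from going out at all.
    """
    request = event["request"]
    response = event.setdefault("response", {})
    session = request.get("session") or []
    destination = _otp_destination(request.get("userAttributes", {}))

    if session:
        last = session[-1]
        if last.get("challengeName") == "CUSTOM_CHALLENGE" and last.get("challengeResult") is True:
            response.update(issueTokens=True, failAuthentication=False)   # correct code
            return event
        if len(session) >= MAX_WRONG_ANSWERS:
            response.update(issueTokens=False, failAuthentication=True)   # too many wrong codes
            return event

    # Every new CUSTOM_CHALLENGE round makes CreateAuthChallenge send another OTP,
    # so charge it against the destination's budget before allowing it.
    if destination is None or not limiter.allow(destination):
        response.update(issueTokens=False, failAuthentication=True)
        return event
    response.update(issueTokens=False, failAuthentication=False, challengeName="CUSTOM_CHALLENGE")
    return event


def _event(email, session=None):
    """Build a constructed DefineAuthChallenge event for a user with the given email."""
    return {"request": {"userAttributes": {"email": email}, "session": session or []}, "response": {}}


def simulate_spam(attempts, limiter=None):
    """Start `attempts` fresh CUSTOM_AUTH flows for one constructed user and return
    (OTPs that would have been sent, flows refused)."""
    limiter = limiter or OtpSendLimiter()
    sent = refused = 0
    for _ in range(attempts):
        out = define_auth_challenge(_event("alice@example.test"), limiter)["response"]
        if out.get("challengeName") == "CUSTOM_CHALLENGE":
            sent += 1
        else:
            refused += 1
    return sent, refused


if __name__ == "__main__":
    print(simulate_spam(10))   # -> (3, 7) with the constructed budget
```

Keying the budget on the delivery address rather than on the Cognito username means a caller who keeps re-issuing InitiateAuth for the same victim cannot make the pool send more than the budget allows, regardless of how many sessions they open; a per-source-IP limit on top of that is what the WAF answer below provides, since the trigger event itself carries no client IP.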
0

Cognito now supports AWS WAF natively. So you can put AWS WAF in front of Cognito and leverage WAF's rate limiting capabilities.[1]

[1] https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cognito-enables-native-support-aws-waf/

AWS
Answered 2 years ago
