Can IAM Identity Center or IAM users be locked after a certain number of failed login attempts?

0

Hi all

Can IAM Identity Center or IAM users be locked after a certain number of failed login attempts?

  1. I saw a post saying that Identity Center does not support this - https://repost.aws/questions/QUZ61VeAUoTYCstHH97TvwQA/how-can-i-implementing-rate-limiting-on-the-iam-identity-center-portal-to-restrict-the-number-of-failed-login-attempts-within-a-certain-time-period, but that post is 6 months old. What about now?
  2. What about the IAM users?

Thanks.

2 Answers
0
Accepted Answer

Hello.

As of April 2025, I don't think there is a function to lock either IAM Identity Center users or IAM users based on the number of failed login attempts.
Therefore, I think you will need to build your own configuration to create functionality similar to account locking, as I did in my previous answer at the URL you refer to.

EXPERT
answered 20 days ago
0

As of now, neither IAM Identity Center nor IAM users have built-in functionality to lock accounts after a certain number of failed login attempts.

  1. For IAM Identity Center: There is still no native feature to implement account lockouts after a specific number of failed login attempts. This limitation remains unchanged from the post you referenced. However, you can implement some mitigation strategies to enhance security:
     • Enable multi-factor authentication (MFA) for users accessing the IAM Identity Center portal.
     • Monitor sign-in logs and set up alerts for suspicious activity.
     • Use services like Amazon GuardDuty or AWS Security Hub to detect abnormal login patterns.
     • If you're using an external identity provider, you may be able to implement lockout policies there.
  2. For IAM users: AWS does not provide a built-in "lockout policy" for IAM users that would automatically lock an account after a specified number of failed sign-in attempts. Instead, AWS recommends implementing a strong password policy and enabling multi-factor authentication (MFA) for enhanced security.

You can set a custom password policy for IAM users that includes:

  • Minimum password length
  • Password complexity requirements
  • Password expiration periods

While these measures don't directly implement account lockouts, they significantly improve account security and make it more difficult for unauthorized access attempts to succeed.

For both IAM Identity Center and IAM users, it's crucial to monitor account activity, implement strong authentication practices, and use additional AWS security services to detect and respond to potential security threats.

Sources
How does the IAM Identity Center portal prevent brute-force attacks from causing AD account lockouts? | AWS re:Post
Set an account password policy for IAM users - AWS Identity and Access Management
Authentication in IAM Identity Center - AWS IAM Identity Center

answered 20 days ago
EXPERT
reviewed 20 days ago
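One way to build the "monitor sign-in logs and set up alerts" mitigation that both answers describe, as an added example that is not from either answerer or from AWS: a sliding-window detector that flags IAM users whose failed console sign-ins cluster within a short period, which is the signal a home-grown lockout workflow would act on. It assumes the standard CloudTrail ConsoleLogin record shape (eventSource signin.amazonaws.com, responseElements.ConsoleLogin equal to "Failure"); the events, the 5-in-15-minutes threshold and the user names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative threshold: alert when one IAM user accumulates this many failed
# console sign-ins inside a sliding window. Tune both values to your environment.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)


def is_failed_console_login(event: dict) -> bool:
    """True for a CloudTrail ConsoleLogin record whose outcome is Failure."""
    return (
        event.get("eventSource") == "signin.amazonaws.com"
        and event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )


def find_lockout_candidates(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {userName: peak failures seen inside one window} for users whose
    failed sign-ins reach max_failures. Events may arrive in any order; in
    production they would come from CloudTrail lookup_events or a CloudWatch
    Logs subscription rather than the constructed list below."""
    failures = sorted((e for e in events if is_failed_console_login(e)),
                      key=lambda e: e["eventTime"])
    recent = defaultdict(deque)  # userName -> failure timestamps in the window
    flagged = {}
    for e in failures:
        user = e["userIdentity"].get("userName", "unknown")
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


def _event(user, time, outcome, ip="203.0.113.5"):
    """Build a minimal constructed CloudTrail ConsoleLogin record (not real data)."""
    return {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "eventTime": time, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome}}


SAMPLE_EVENTS = [  # constructed sample data
    *[_event("alice", f"2025-04-01T12:0{i}:00Z", "Failure") for i in range(6)],
    _event("bob", "2025-04-01T12:00:00Z", "Failure"),
    _event("bob", "2025-04-01T12:30:00Z", "Failure"),  # too spread out to flag
    _event("carol", "2025-04-01T12:01:00Z", "Success"),
]

if __name__ == "__main__":
    for user, n in find_lockout_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} had {n} failed console sign-ins within {WINDOW}")
```

What to do with the alert (notify, or have an operator deactivate the user's console password) is the part AWS leaves to you, which is the gap the accepted answer describes.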
