Can I throw custom error message from pre authentication trigger lambda and display the error message on Hosted UI sign in page?

Unfortunately, it is not possible to directly display a custom error message from the pre-authentication Lambda trigger on the Cognito hosted UI sign-in page. However, there are a few alternative approaches you can consider:

1. Use a custom UI instead of the hosted UI. With a custom UI, you have full control over error message display and can integrate directly with Cognito APIs to handle authentication and error scenarios.
2. Implement a custom error page. You can configure Cognito to redirect to a custom error page when authentication fails. On this page, you can implement logic to check for specific error conditions and display appropriate messages.
3. Use the post-authentication trigger in combination with pre-authentication. In the pre-authentication trigger, you can set a custom attribute on the user to indicate they are blocked. Then, in the post-authentication trigger, you can check this attribute and deny access if necessary. This approach allows you to use Cognito's built-in error handling for denied access.
4. Leverage Cognito's built-in account locking feature instead of implementing it in Lambda. Cognito can automatically lock accounts after a specified number of failed attempts, which will display a more user-friendly message on the hosted UI.
5. Cognito does allow some level of error message customization through the AWS Console or API. You might be able to repurpose an existing error message to fit your needs.