How does the IAM Identity Center portal prevent brute-force attacks from causing AD account lockouts?

Your concern about account lockouts due to brute force login attempts on the IAM Identity Center portal is valid. Since the portal is internet-facing, it could potentially be subjected to such attacks.

A few things you can do to help mitigate this risk:

1. Enable multi-factor authentication (MFA) for administrative users who access the portal. This adds an extra layer of security beyond just a password.

2. Monitor sign-in logs and alerts from IAM Identity Center and Active Directory for any suspicious activity. This can help detect brute force attempts early.

3. Use threat detection services like Amazon GuardDuty or AWS Security Hub to monitor for abnormal login patterns that could indicate a brute force attack.

4. Consider implementing rate limiting on the IAM Identity Center portal to restrict the number of failed login attempts within a certain time period. This can help prevent account lockouts.

5. Make sure your Active Directory password policies are properly configured to restrict weak, reused or predictable passwords. Stronger passwords raise the bar for attackers.

6. Use a web application firewall or AWS WAF to filter and block traffic patterns typical of brute force attacks at the network layer, before it even reaches the portal.

Sources [1] [Manage your identity source - AWS IAM Identity Center] (https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) [2] [Using Active Directory as an identity source - AWS IAM Identity Center] (https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-ad.html) [3] [Manage identities in IAM Identity Center - AWS IAM Identity Center] (https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-sso.html)