
Prevent user existence errors enabled but still receiving UsernameExistsException on sign-up

0

Hello,

I have enabled the Prevent user existence errors setting on my Cognito User Pool App Client.

However, when I run the sign-up command using AWS CLI for a username that already exists, I still receive the following error:

An error occurred (UsernameExistsException) when calling the SignUp operation: User already exists

Could you please help me understand why this is happening and how to ensure the setting works as expected to prevent revealing user existence?

Thank you for your assistance.

Best regards, Zeljko Markovic

3 Answers
0

Hi Zeljko — This is a good one — I’ve noticed this too. From my understanding, that setting mainly affects the error returned to the frontend (so it won’t leak user info in the response), but doesn’t change the behavior in the AWS CLI directly. Maybe AWS Support can clarify if this is expected for CLI calls?

answered a year ago
0

Thank you for the answer!

According to the documentation:

Prevent error messages that reveal user existence - Amazon Cognito will respond to sign-in requests for nonexistent users with a generic message stating that either the user name or password was incorrect. This helps guard against credential-guessing attacks, providing additional security for your user pool.

My application performs periodic security scans, and one of them previously reported a vulnerability where the sign-up endpoint leaks the existence of users via a UsernameExistsException.

After some research, I discovered that enabling the prevent_user_existence_errors flag on the Cognito User Pool App Client should suppress this and return a generic error instead. I enabled this setting, and the explicit error did disappear at that time.

However, I recently started seeing the same UsernameExistsException again when performing sign-up using the AWS CLI:

aws cognito-idp sign-up \
  --client-id <client-id> \
  --username existing.user.com \
  --password 'Test123!' \
  --region eu-central-1

Despite the setting still being enabled, Cognito is again exposing user existence. No changes were made to the user pool or app client configuration since the setting was applied.

Thank you again for your time—I’ll contact AWS Support if no one has further insight into this behavior.

answered a year ago
0

Great question — and yes, this is a common point of confusion.

The prevent_user_existence_errors setting only applies to sign-in (InitiateAuth) and forgot password flows, not the sign-up API. That means when you try to register a user with an existing username, Cognito will still return a UsernameExistsException, even if the setting is enabled.

It’s definitely counterintuitive, but it’s expected behavior — the setting helps mask existence only for authentication attempts, not when creating new users. So your CLI test isn’t misconfigured — it’s just outside the scope of that protection.

Hope that helps clarify!

answered a year ago
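Since the setting does not cover SignUp, the usual mitigation is for the backend that fronts Cognito to absorb UsernameExistsException itself and return one fixed response whether or not the username exists. The following is an added example, not code from the thread or from AWS; `fake_sign_up` and `FakeClientError` are constructed stand-ins for a boto3 `cognito-idp` client's `sign_up` method and for botocore's `ClientError` (same `.response["Error"]["Code"]` layout), so it runs without AWS access.

```python
"""Generic sign-up responses regardless of whether the username exists."""
import logging

log = logging.getLogger("signup")

# One body for both outcomes; nothing in it depends on Cognito's result.
GENERIC_OK = {
    "status": 200,
    "message": "If this address can be registered, a confirmation code has been sent.",
}


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def fake_sign_up(existing_users):
    """Constructed stand-in for client.sign_up(ClientId=, Username=, Password=)."""
    def sign_up(ClientId, Username, Password):
        if Username in existing_users:
            raise FakeClientError("UsernameExistsException", "User already exists")
        return {"UserSub": "constructed-sub", "UserConfirmed": False}
    return sign_up


def handle_sign_up(sign_up_fn, client_id, username, password):
    """Return the same client-facing response for a new and an existing user.

    PreventUserExistenceErrors only masks sign-in and forgot-password, so the
    duplicate-username case must be masked here. Details go to server-side
    logs only; the caller always sees GENERIC_OK. (Response time can still
    differ slightly between the two paths, so pair this with rate limiting.)
    """
    try:
        sign_up_fn(ClientId=client_id, Username=username, Password=password)
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "UsernameExistsException":
            log.info("sign-up for existing username (not revealed to caller)")
            return dict(GENERIC_OK)
        # Other failures (password policy, throttling) are real errors, but
        # relay a generic body rather than Cognito's own message.
        log.warning("sign-up failed: %s", code)
        return {"status": 400, "message": "Sign-up request could not be processed."}
    return dict(GENERIC_OK)
```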
