Product owner and security engineering decided that lockout is not required as MFA is already implemented. Lambda functions providing controls for NIST 800-53 AC-7: Unsuccessful Login Attempts - View it on GitHub