amazon-connect / amazon-connect-salesforce-lambda

Apache License 2.0

More secure OAuth Authorization Flows #46

Open intptr-t opened 1 year ago

intptr-t commented 1 year ago

Salesforce does not recommend username-password flows. To make it more secure, improve it by adopting the "OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration" or similar.

https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_flows.htm&type=5

Some flows have important security considerations. For example, when using the web server flow, you must store the client secret securely. We recommend avoiding the user-agent and username-password flows because they transmit credentials. Instead, choose a flow that frees the app from having to manage, store, and protect credentials.

Current grant_type

https://github.com/amazon-connect/amazon-connect-salesforce-lambda/blob/34cb6a091ccead23ec4dc71672a37da5e563c7d3/sam-app/lambda_functions/salesforce.py#L53

Manual

Additionally, a section should be added to the manual on how to block it. https://help.salesforce.com/s/articleView?id=sf.remoteaccess_disable_username_password_flow.htm&type=5
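To make the proposed change concrete, here is an added example of what the JWT Bearer flow looks like on the wire; it is illustration code written for this issue, not code from amazon-connect-salesforce-lambda or from a Salesforce SDK. The client builds a short-lived RS256-signed assertion (iss = the connected app's consumer key, sub = the integration user's username, aud = the login host, exp a few minutes out) and posts it with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; the private key never leaves the caller, so no password is transmitted or stored. The consumer key, username and function names below are placeholders/assumptions, and VerifyAssertion stands in for the checks the authorization server performs (signature against the uploaded certificate, audience, expiry) so the example can run offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// jwtClaims are the claims a JWT bearer assertion for Salesforce carries.
// exp is kept short: Salesforce rejects assertions that expire too far out.
type jwtClaims struct {
	Iss string `json:"iss"` // connected app consumer key (client_id)
	Sub string `json:"sub"` // username of the integration user
	Aud string `json:"aud"` // login host, e.g. https://login.salesforce.com
	Exp int64  `json:"exp"` // expiry, seconds since epoch
}

const assertionLifetime = 3 * time.Minute

// b64 is base64url without padding, as JWS requires.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion produces a compact JWS (header.claims.signature) signed with RS256.
func BuildAssertion(key *rsa.PrivateKey, consumerKey, username, loginHost string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	claims, err := json.Marshal(jwtClaims{Iss: consumerKey, Sub: username, Aud: loginHost, Exp: now.Add(assertionLifetime).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion mirrors the server-side checks: RS256 signature against the
// public key from the uploaded certificate, then audience and expiry.
func VerifyAssertion(pub *rsa.PublicKey, assertion, expectedAud string, now time.Time) (*jwtClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header map[string]string
	if json.Unmarshal(rawHeader, &header) != nil || header["alg"] != "RS256" {
		return nil, errors.New("unexpected alg") // never accept "none" or a downgraded alg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c jwtClaims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	if c.Aud != expectedAud {
		return nil, errors.New("audience mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

// TokenRequestBody is the form body posted to /services/oauth2/token.
// Contrast with the current password grant: no username or password field.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key; in practice load from a secret store
	a, _ := BuildAssertion(key, "CONSUMER_KEY_PLACEHOLDER", "integration.user@example.com", "https://login.salesforce.com", time.Now())
	fmt.Println(TokenRequestBody(a))
}
```

The certificate matching the private key is what gets uploaded to the connected app; the Lambda only needs read access to the key, which can be rotated without touching any user's password.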