Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

How to prevent OTP spamming on CUSTOM_AUTH flow using SMS/Email

0

I've set up a CUSTOM_AUTH flow within Cognito that generates and sends OTP via sms/text and email. Works quite well, very reliable.

However, this has got me wondering how to approach abuse / spamming. Each time the InitiateAuth action on Cognito is triggered, an OTP is generated and sent via email or text. This could result in abusers spamming the system, causing a lot of message to be sent and driving up costs.

Is there any way in which Cognito can be configured to prevent spamming of a CUSTOM_AUTH flow?

Alternatively I suppose rate limiting could be achieved by using some kind of persistent storage like dynamoDB. A throttling mechanism could be introduced as part of the define-auth or create-auth Lambda.

Temas
Seguridad, identidad y cumplimiento
Etiquetas
Amazon Cognito
Idioma
English
Nielssie
preguntada hace 2 años664 visualizaciones
1 Respuesta
0

Cognito now supports AWS WAF natively. So you can put AWS WAF in front of Cognito and leverage WAF's rate limiting capabilities.[1]

[1] https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cognito-enables-native-support-aws-waf/

AWS
AWS-User-7083746
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante