I've set up a CUSTOM_AUTH flow within Cognito that generates and sends an OTP via SMS/text and email.
Works quite well, very reliable.
However, this has got me wondering how to approach abuse / spamming.
Each time the InitiateAuth action on Cognito is triggered, an OTP is generated and sent via email or text.
This could result in abusers spamming the system, causing a lot of messages to be sent and driving up costs.
Is there any way in which Cognito can be configured to prevent spamming of a CUSTOM_AUTH flow?
Alternatively, I suppose rate limiting could be achieved by using some kind of persistent storage like DynamoDB. A throttling mechanism could be introduced as part of the define-auth or create-auth Lambda.
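One way to build the throttling the post suggests, as an added example rather than the poster's own code: consume a per-user budget in the DefineAuthChallenge trigger every time it is about to answer with `CUSTOM_CHALLENGE`, because that is exactly the decision that makes Cognito call CreateAuthChallenge and send another OTP. The event and response field names follow the DefineAuthChallenge trigger contract; the limits (3 OTPs per 15 minutes, 3 wrong guesses), the `SlidingWindowLimiter` class, the `make_event` helper and the in-memory dict standing in for DynamoDB are all assumptions made here so the code runs offline.

```python
"""Rate-limited DefineAuthChallenge trigger for a Cognito CUSTOM_AUTH OTP flow.

Added example, not from the original post. The in-memory store stands in for
DynamoDB so this runs offline.
"""
import time
from typing import Callable, Dict, List

# Assumed policy (not from the post): at most MAX_OTP_PER_WINDOW OTP sends per
# user per WINDOW_SECONDS, and at most MAX_WRONG_ANSWERS guesses per session.
MAX_OTP_PER_WINDOW = 3
WINDOW_SECONDS = 15 * 60
MAX_WRONG_ANSWERS = 3


class SlidingWindowLimiter:
    """Per-key sliding-window counter.

    The dict is a stand-in for DynamoDB (assumption). In a real deployment the
    timestamps, or a counter plus a TTL attribute, would live in an item keyed by
    username and be updated with a conditional write, so that two concurrent
    Lambda invocations cannot both pass the check.
    """

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.time):
        self._limit = limit
        self._window = window
        self._clock = clock  # injectable so the window can be tested offline
        self._store: Dict[str, List[float]] = {}

    def try_acquire(self, key: str) -> bool:
        """Record one send for `key` if it is still under the limit."""
        now = self._clock()
        recent = [t for t in self._store.get(key, []) if now - t < self._window]
        allowed = len(recent) < self._limit
        if allowed:
            recent.append(now)
        self._store[key] = recent
        return allowed


LIMITER = SlidingWindowLimiter(MAX_OTP_PER_WINDOW, WINDOW_SECONDS)


def define_auth_challenge(event: dict, context=None,
                          limiter: SlidingWindowLimiter = LIMITER) -> dict:
    """DefineAuthChallenge handler with OTP throttling.

    Every answer of challengeName CUSTOM_CHALLENGE makes Cognito invoke
    CreateAuthChallenge, which generates and sends the OTP. The limiter is
    therefore consumed at that decision point: on the first call for a fresh
    InitiateAuth and on every retry after a wrong answer.
    """
    session = event["request"].get("session") or []
    resp = event["response"]
    resp["issueTokens"] = False
    resp["failAuthentication"] = False

    if session:
        last = session[-1]
        if (last.get("challengeName") == "CUSTOM_CHALLENGE"
                and last.get("challengeResult") is True):
            resp["issueTokens"] = True  # OTP answered correctly
            return event
        wrong = sum(1 for s in session if s.get("challengeResult") is False)
        if wrong >= MAX_WRONG_ANSWERS:
            resp["failAuthentication"] = True  # too many guesses this session
            return event

    # About to trigger CreateAuthChallenge, i.e. an SMS or email: throttle here.
    if not limiter.try_acquire(event["userName"]):
        resp["failAuthentication"] = True
        return event
    resp["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def make_event(username: str, session=None) -> dict:
    """Constructed DefineAuthChallenge event with only the fields read above."""
    return {
        "userName": username,
        "request": {"session": list(session or [])},
        "response": {},
    }
```

The trigger event carries the username but not the caller's source IP, so this keys the budget on the user; keying a second budget on the destination phone number or email address (from `request.userAttributes`) is the natural extension if abusers can create many accounts pointing at one destination. Failing authentication when the budget is exhausted means the client sees a generic failure rather than a "try again later", which is the trade-off of doing the throttle inside Cognito's trigger rather than in front of it.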