Preventing fake Cognito sign ups

0

How to prevent fake user signups with Cognito? If some malicious actor sends fake user signup requests to the UserPool endpoint they can do it at the rate of 50 req/s (default quota). It takes only 1000 seconds (17 minutes) for them to exhaust the free tier - because each sign up is treated as an MAU. If they continue to create fake accounts our organization will be billed a lot of money.

How to limit the number of daily signups? Or not count signups as MAUs?

3 Answers
0

Hi, you can prevent fake account sign-ups in real time with AI using Amazon Fraud Detector. Please refer to the link for more information.

AWS
answered a year ago
  • Thanks but this solution is overly complex for such a simple requirement as limiting the number of sign ups

0

Hi

You can hook a pre signup lambda https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html where you can then perform validation such as checking the number of daily signups from a DynamoDB table, for instance, which has a counter incremented for any successful sign up.

Hope it helps ;)

EXPERT
answered a year ago
  • Hi Antonio, I've been working on implementing the advice you shared, which involves integrating Pre-Signup Lambda Triggers into my Cognito user pool. The logic implemented by the lambda is: if the number of users in the user pool exceeds 3, an exception will be thrown and signup will stop. Given that my user pool already contains three users, I proceeded to attempt the addition of a new user through my Vue application. I think the Pre-Signup Lambda Trigger did work, because I truly received an exception in my browser. But the new user is still added to my user pool with their confirmation status marked as "confirmed". Could you give me some information about what's wrong with my code?

    ======== Lambda Code =============

        import boto3

        # Pool id as posted (redacted by the author)
        USER_POOL_ID = 'ap-northeast-1_******'
        MAX_USERS = 3

        def lambda_handler(event, context):
            cognito_client = boto3.client('cognito-idp')
            # Count every user in the pool, following pagination so the count is
            # not capped at a single page of list_users results.
            paginator = cognito_client.get_paginator('list_users')
            user_count = 0
            for page in paginator.paginate(UserPoolId=USER_POOL_ID, AttributesToGet=[]):
                user_count += len(page['Users'])

            if user_count >= MAX_USERS:
                raise Exception("Stop signup: the number of accounts is over 3")
            return event
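As an added example (not code from this thread, from Antonio, or from AWS), here is a pre sign-up trigger that implements the DynamoDB daily counter suggested in the answer above, using a conditional UpdateItem so that the 50 req/s sign-up rate from the question cannot race past the cap the way a list-then-count check like the one in the comment can. It assumes a table named SignupCounters with a string partition key pk and an optional DAILY_SIGNUP_CAP environment variable (both are assumptions, not values from the page); the in-memory table at the end is a constructed stand-in so the trigger can be exercised offline.

```python
import datetime
import os

DAILY_SIGNUP_CAP = int(os.environ.get("DAILY_SIGNUP_CAP", "100"))        # assumed env var
COUNTER_TABLE = os.environ.get("SIGNUP_COUNTER_TABLE", "SignupCounters")  # assumed table name


def reserve_signup_slot(table, day, cap):
    """Atomically take one of the day's `cap` slots; return False once they are used up.

    The conditional UpdateItem is what keeps this correct at 50 req/s: the increment
    only succeeds while the stored count is below `cap`, so concurrent trigger
    invocations cannot overshoot it the way a read-then-write check would.
    """
    try:
        table.update_item(
            Key={"pk": f"signups#{day}"},
            UpdateExpression="ADD signup_count :one",
            ConditionExpression="attribute_not_exists(signup_count) OR signup_count < :cap",
            ExpressionAttributeValues={":one": 1, ":cap": cap},
        )
    except Exception as exc:  # boto3 raises ConditionalCheckFailedException (a ClientError)
        if "ConditionalCheckFailed" in type(exc).__name__ or "ConditionalCheckFailed" in str(exc):
            return False
        raise
    return True


def lambda_handler(event, context, table=None, today=None):
    """Cognito pre sign-up handler: fail the sign-up once today's cap is reached."""
    if table is None:  # real deployment; boto3 is imported lazily so the logic also runs offline
        import boto3
        table = boto3.resource("dynamodb").Table(COUNTER_TABLE)
    day = today or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d")
    if not reserve_signup_slot(table, day, DAILY_SIGNUP_CAP):
        # Raising here makes Cognito reject the SignUp call with this message.
        raise Exception(f"Sign-up limit of {DAILY_SIGNUP_CAP} per day reached")
    return event


class InMemoryCounterTable:
    """Constructed stand-in for the DynamoDB table, so the trigger can be exercised offline."""
    class ConditionalCheckFailedException(Exception):
        pass

    def __init__(self):
        self.items = {}

    def update_item(self, Key, UpdateExpression, ConditionExpression, ExpressionAttributeValues):
        pk, cap, step = Key["pk"], ExpressionAttributeValues[":cap"], ExpressionAttributeValues[":one"]
        if self.items.get(pk, 0) >= cap:
            raise self.ConditionalCheckFailedException("The conditional request failed")
        self.items[pk] = self.items.get(pk, 0) + step
```

Because the slot is taken before Cognito creates the user, the counter bounds sign-up attempts rather than confirmed users, which is the quantity that drives the MAU cost in the question.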

0

Hi, I'm also facing this problem. I think one way to solve this problem is to use a database to record the number of registered users. If it exceeds the range, the registration function will be stopped. Did you find a better solution to solve this problem?

jjshen
answered 21 days ago
