Cognito is a managed service, operating within its managed capabilities. As written in our blog post "Protect your Amazon Cognito user pool with AWS WAF", you can take advantage of Cognito's advanced security features to detect and block the use of credentials that have been compromised elsewhere, to detect unusual sign-in activity, then prompt users for additional verification or block sign-ins. There’s an overlap with ATP features here.
For these advanced security controls, there are Android, iOS and JS SDKs available. Alternatively, you can integrate AWS Amplify's Auth module with your application, which uses the same SDK internally. Cognito’s pricing is based on monthly active users, so this may be interesting for you when compared with WAF’s pricing model.
To sum up: if you’re using Cognito today, enable WAF features like rate limiting, and other rule sets mentioned in the blog post, without Fraud Control + advanced security on Cognito. If you manage users yourself, and you’re interested in using WAF to protect that self-hosted endpoint, feel free to use ATP/ACFP.