By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to whitelist specific phone numbers within SNS's SMS service while in production mode

0

Situation

I have a non-prod and prod accounts. The app is using the SMS functionality to validate/authenticate user via Cognito User Pool (Custom Auth Flow) by sending OTP to the mobile number. While testing sending SMS functionality within non-prod, I am in sandbox mode. Here I have specific quota and also restrictions on who I can send OTP SMS to (via sandbox feature). Once in prod, I need to request for moving the prod account out of sandbox.

Problem

Being in prod will open up the possibility to send OTP to all the numbers in the world as long as the quota is not increased. But I may want to blacklist certain numbers / countries. I am unable to find a way to configure something like that. Is there anyway I can configure this?

Attempts so far

  1. I have tried Googling and going through some stackoverflow post. They do not address this specific issues.
  2. I have tried logging several AWS support tickets and got completely irrelevant answers.
  3. I looked into AWS documentations and it covers functionality where users can "opt out" from the messages. However, this is not applicable in our case. We are not subscribing to the topic or sending marketing emails. We are using SNS to call send SMS APIs for OTP, once the user logs into the mobile application. But I still want to control and maintain blacklist/whitelist numbers.
Topics
Front-End Web & MobileSecurity, Identity, & ComplianceApplication Integration
Tags
Front-End Web & MobileAmazon CognitoAmazon Simple Notification Service (SNS)
Language
English
rahul
asked 2 years ago862 views
1 Answer
0

You can prevent SMSs from being sent to certain phonenumbers by raising an exception in the custom message lambda trigger. In the lambda you can query for example a dynamodb table that holds your list of non-allowed emails/phones and decide whether to throw the exception or not.

A common practice is also to use Cognito itself as a store for the disallowed phonenumbers and emailaddresses. If you specify that these aliases have to be unique per user Cognito will prevent the same phonenumbers and email addresses to be used for new sign-ups and emailaddress / phonenumber changes. The only thing you want to do when setting a user to disallowed is set some attribute on the user in the Cognito User Pool that you recognize in the pre-authentication lambda where you can throw an exception preventing them to log in.

profile picture
JaccoPK
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content