How to prevent OTP spamming on CUSTOM_AUTH flow using SMS/Email

0

I've set up a CUSTOM_AUTH flow within Cognito that generates and sends OTP via sms/text and email. Works quite well, very reliable.

However, this has got me wondering how to approach abuse / spamming. Each time the InitiateAuth action on Cognito is triggered, an OTP is generated and sent via email or text. This could result in abusers spamming the system, causing a lot of message to be sent and driving up costs.

Is there any way in which Cognito can be configured to prevent spamming of a CUSTOM_AUTH flow?

Alternatively I suppose rate limiting could be achieved by using some kind of persistent storage like dynamoDB. A throttling mechanism could be introduced as part of the define-auth or create-auth Lambda.

asked 2 years ago619 views
1 Answer
0

Cognito now supports AWS WAF natively. So you can put AWS WAF in front of Cognito and leverage WAF's rate limiting capabilities.[1]

[1] https://aws.amazon.com/about-aws/whats-new/2022/08/amazon-cognito-enables-native-support-aws-waf/

AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions