Reputation: 361
I would like to delete a non-verified user from the AWS Cognito user pool after a certain time. Is it possible to delete a Cognito user automatically?
Let's say, a user signs up from a client app with an anonymous email that might belong to someone else. If the email is not verified, I like to delete it automatically after a certain time. That way it will allow the actual owner of the email to sign up. How can I do that?
Upvotes: 3
Views: 7630
Reputation: 48
You need to assign a Lambda trigger: Lambda + Amazon EventBridge (CloudWatch trigger).
Node.js code:
const AWS = require('aws-sdk');
const cognito = new AWS.CognitoIdentityServiceProvider({ region: 'Region-ID' });
const userPoolID = "User Pool ID";

// List unconfirmed users and delete them. Limit applies per call (max 60);
// if the pool holds more, repeat the call with data.PaginationToken.
const getUsers = async () => {
  return await new Promise((resolve, reject) => {
    const params = {
      UserPoolId: userPoolID,
      Filter: "cognito:user_status = \"UNCONFIRMED\"",
      Limit: 10
    };
    cognito.listUsers(params, (err, data) => {
      if (err) {
        reject(err);
      } else {
        const users = data.Users;
        // Wait for every delete to finish before resolving, otherwise the
        // Lambda can return before the deletions have completed.
        Promise.all(users.map(user => deleteUser(user.Username)))
          .then(resolve)
          .catch(reject);
      }
    });
  });
};

const deleteUser = async (username) => {
  return await new Promise((resolve, reject) => {
    const params = {
      UserPoolId: userPoolID,
      Username: username
    };
    cognito.adminDeleteUser(params, (err, data) => {
      if (err) {
        reject(err);
      } else {
        resolve(data);
      }
    });
  });
};

const main = async (event) => {
  return getUsers();
};
exports.handler = main;
Upvotes: 2
Reputation: 8107
Another way to do this is to sync your UserPool with an external database such as DynamoDB, which does support the concept of a TTL. When users are not confirmed, a TTL attribute exists such as (30 days). If a user does confirm themselves you can remove the TTL attribute and their entry won't get deleted.
To sync the delete operation back to your UserPool you can enable DynamoDB streams, listen for delete operations, and then call the delete user in the Cognito API.
I don't know if you can simply do a CloudWatch rule as this may require you to scan through all users, if you cannot search by the created-at date.
You need to consider your architecture as well, if you really need to do this, and if so, will you have many users being deleted suddenly? Then you will need to throttle delete calls with a queue etc. If you don't have many users, maybe you can paginate through them and avoid needing to stand up a database and streams which will cost you money.
Upvotes: 1
Reputation: 17435
There isn't anything that automatically goes through your user pool and does some maintenance on individual users. One option that I think is a more scalable solution would be to create 3 Lambda functions. First is a pre sign-up lambda, that stores new users in, for example, a DynamoDB table. The flow, taken from the docs, looks like this:
Every time a user signs up store the email addresses of newly created users into a table, along with a time stamp.
In the second Lambda you'll have a post confirmation lambda that is run when people confirm their email address. That Lambda will remove any confirmed email addresses from the DynamoDB table.
Lastly, in the third Lambda, you will have a CloudWatch event run the Lambda (see this tutorial for some details on that) periodically (daily? weekly?). This is your "cleanup" Lambda. Any email addresses that remain in the DynamoDB table that are older than your cutoff for email validation will now have their Cognito user pool record removed.
I know this might sound a bit challenging but really you can validate each Lambda on its own and develop one at a time. The pre sign-up Lambda can be created first to put new users in. You can make sure that works and even manually remove users that haven't confirmed. The second one is actually fairly easy, just deleting a row in the table. The last one is a bit more involved, selecting all the "old" sign ups, removing them from Cognito, and then removing them from the database.
The alternative is to have a CloudWatch event run a single Lambda that loops through every user in your Cognito user pool and checks to see if they've been validated. That's fine with maybe 1000 users. But what if you're super successful and have a few million users? A very high percentage of users will not need to have anything done to them but you still have to process the record.
Upvotes: 4
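Added example (not code from any of the answers above) that combines the first answer's ListUsers/AdminDeleteUser approach with the age cutoff the question asks for and the PaginationToken loop the last answer says a large pool needs. `cleanupUnconfirmed` accepts any client exposing the v2 SDK `.promise()` call style, so it runs here against a constructed in-memory stand-in; in a Lambda you would pass `new AWS.CognitoIdentityServiceProvider({ region })` and your real pool id. The 7-day window, the pool id and the sample users are assumptions.

```javascript
// Pure selection logic: UNCONFIRMED users created before the cutoff.
function selectStaleUnconfirmed(users, now, maxAgeMs) {
  return users.filter(u => u.UserStatus === 'UNCONFIRMED' &&
    now - new Date(u.UserCreateDate).getTime() > maxAgeMs);
}
// Read every ListUsers page (PaginationToken) before deleting anything, so
// deletes cannot shift pages still being read. maxAgeMs default is assumed.
async function cleanupUnconfirmed(client, userPoolId, now = Date.now(),
                                  maxAgeMs = 7 * 24 * 60 * 60 * 1000) {
  const stale = [];
  let PaginationToken;
  do {
    const params = { UserPoolId: userPoolId, Limit: 60,
      Filter: 'cognito:user_status = "UNCONFIRMED"' };
    if (PaginationToken) params.PaginationToken = PaginationToken;
    const page = await client.listUsers(params).promise();
    stale.push(...selectStaleUnconfirmed(page.Users, now, maxAgeMs));
    PaginationToken = page.PaginationToken;
  } while (PaginationToken);
  for (const u of stale) { // sequential, to stay under admin-API rate limits
    await client.adminDeleteUser({ UserPoolId: userPoolId, Username: u.Username }).promise();
  }
  return stale.map(u => u.Username);
}
// Constructed in-memory stand-in for CognitoIdentityServiceProvider (offline runs):
// honours the UNCONFIRMED filter and pages results like the real API.
function fakeCognito(users, pageSize = 2) {
  const store = [...users];
  const pending = () => store.filter(u => u.UserStatus === 'UNCONFIRMED');
  return {
    listUsers: ({ PaginationToken }) => ({ promise: async () => {
      const start = Number(PaginationToken || 0), next = start + pageSize;
      return { Users: pending().slice(start, next),
        PaginationToken: next < pending().length ? String(next) : undefined };
    } }),
    adminDeleteUser: ({ Username }) => ({ promise: async () => {
      const i = store.findIndex(u => u.Username === Username);
      if (i < 0) throw new Error('UserNotFoundException');
      store.splice(i, 1);
    } }),
  };
}
// Constructed sample pool: three unconfirmed users (two stale) and one confirmed.
const NOW = Date.parse('2024-06-01T00:00:00Z');
const SAMPLE_USERS = [
  { Username: 'old-1', UserStatus: 'UNCONFIRMED', UserCreateDate: '2024-05-01T00:00:00Z' },
  { Username: 'fresh', UserStatus: 'UNCONFIRMED', UserCreateDate: '2024-05-30T00:00:00Z' },
  { Username: 'old-2', UserStatus: 'UNCONFIRMED', UserCreateDate: '2024-04-15T00:00:00Z' },
  { Username: 'done', UserStatus: 'CONFIRMED', UserCreateDate: '2024-04-01T00:00:00Z' },
];
```

Running `cleanupUnconfirmed(fakeCognito(SAMPLE_USERS), 'pool-id', NOW)` deletes `old-1` and `old-2` and leaves `fresh`, which is still inside the window.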