student

Reputation: 11

Is there a way to lock users if they sign-in too many times in a short period in AWS Cognito?

Can I implement the solution using CloudWatch?

I looked into AWS CloudWatch but I could only set up metrics for logins in general, not per user. Or should I use Lambda triggers and RDS to count the user's login attempts?

Upvotes: 0

Views: 90

Answers (1)

TLeitzbach

Reputation: 308

CloudWatch as a service can only document your trigger. Like you mentioned, you could count occurrences of violations as a metric and subsequently send an event beyond a predetermined threshold.

I have had positive experiences with Lambda triggers. You can easily implement this using the pre- and post-authentication triggers. There is a related question and answer that sketches the solution:

In Pre-authentication (fired before successful authentication), look up the user (since the user is not authenticated, using adminGetUser) and increment a custom attribute with adminUpdateUserAttributes. If the incremented value is greater than your allowed number of login failures, then disable the user using adminDisableUser. In Post-authentication (fired after successful login), reset the custom attribute to zero.

Note that this might not be necessary if you want to avoid brute force attacks since AWS has built-in protection / rate limiting for the Cognito login endpoints.

Upvotes: 1
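The pre-/post-authentication procedure sketched in the answer, written out as an added Python example (this is not code from the question, the answer, or AWS; it assumes a mutable custom attribute named `custom:failed_logins` exists in the user pool schema, that the Lambda's role is allowed to call `AdminGetUser`, `AdminUpdateUserAttributes` and `AdminDisableUser`, and that the threshold comes from an environment variable `MAX_LOGIN_ATTEMPTS`). The `FakeCognitoClient` class is a constructed in-memory stand-in for the boto3 `cognito-idp` client so the logic can be exercised offline; `lambda_handler` is the entry point you would actually deploy.

```python
import os

# Mutable custom attribute that must be defined in the user pool schema (assumption).
ATTRIBUTE = "custom:failed_logins"
# Attempts allowed before the user is disabled (assumed env var, default 5).
MAX_ATTEMPTS = int(os.environ.get("MAX_LOGIN_ATTEMPTS", "5"))

# Real Cognito triggerSource values for the two triggers used here.
PRE_AUTH = "PreAuthentication_Authentication"
POST_AUTH = "PostAuthentication_Authentication"


class TooManySignInAttempts(Exception):
    """Raised from the pre-auth trigger; Cognito turns it into a denied sign-in."""


def _read_counter(client, user_pool_id, username):
    """Return the current attempt counter (0 if unset or malformed)."""
    resp = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    for attr in resp.get("UserAttributes", []):
        if attr["Name"] == ATTRIBUTE:
            try:
                return int(attr["Value"])
            except ValueError:
                return 0
    return 0


def _write_counter(client, user_pool_id, username, value):
    client.admin_update_user_attributes(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[{"Name": ATTRIBUTE, "Value": str(value)}],
    )


def pre_authentication(event, client):
    """Count every sign-in attempt; disable the user once the threshold is exceeded."""
    pool, user = event["userPoolId"], event["userName"]
    attempts = _read_counter(client, pool, user) + 1
    _write_counter(client, pool, user, attempts)
    if attempts > MAX_ATTEMPTS:
        client.admin_disable_user(UserPoolId=pool, Username=user)
        raise TooManySignInAttempts("Too many sign-in attempts; account disabled")
    return event


def post_authentication(event, client):
    """A successful login resets the counter to zero."""
    _write_counter(client, event["userPoolId"], event["userName"], 0)
    return event


def lambda_handler(event, context):
    """Single Lambda wired to both triggers; dispatches on triggerSource."""
    import boto3  # imported here so the module also loads without boto3 installed
    client = boto3.client("cognito-idp")
    source = event.get("triggerSource", "")
    if source == PRE_AUTH:
        return pre_authentication(event, client)
    if source == POST_AUTH:
        return post_authentication(event, client)
    return event  # any other trigger: pass the event through unchanged


class FakeCognitoClient:
    """Constructed in-memory stand-in for the boto3 cognito-idp client (offline testing only)."""

    def __init__(self):
        self.users = {}  # username -> {"attrs": {name: value}, "enabled": bool}

    def _user(self, username):
        return self.users.setdefault(username, {"attrs": {}, "enabled": True})

    def admin_get_user(self, UserPoolId, Username):
        u = self._user(Username)
        return {
            "Username": Username,
            "Enabled": u["enabled"],
            "UserAttributes": [{"Name": k, "Value": v} for k, v in u["attrs"].items()],
        }

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        u = self._user(Username)
        for attr in UserAttributes:
            u["attrs"][attr["Name"]] = attr["Value"]
        return {}

    def admin_disable_user(self, UserPoolId, Username):
        self._user(Username)["enabled"] = False
        return {}


def make_event(source, username, pool_id="us-east-1_EXAMPLE"):
    """Build a minimal trigger event with the fields the handlers read (pool id is a placeholder)."""
    return {"triggerSource": source, "userPoolId": pool_id, "userName": username,
            "request": {}, "response": {}}
```

Two caveats worth keeping in mind: the pre-authentication trigger fires on every attempt, before the password is checked, so the counter is really "attempts since the last success" and only the post-authentication reset makes it behave as a failure counter; and the read-then-write on the attribute is not atomic, so concurrent attempts against one user can undercount by a few. For a strict limit you would keep the counter in a store with conditional writes (the RDS/DynamoDB route the question mentions), but for the "lock after N attempts" policy asked about, the attribute approach is usually sufficient.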
