In AWS Cognito, the service notes that one should use Amazon SES for user pools due to the daily email limit of Cognito, as seen here. The quotas documentation shows that the maximum amount of emails sent per day is 50.
In the 'Configuring Email or Phone Verification docs', it states that there is no charge for sending verification codes to email addresses. This documentation does not explicitly bring up Cognito email quotas.
I cannot find a clear answer as to whether or not verification code emails apply to the quota. I'm trying to avoid a situation in which >50 users try to sign up in a day, but cannot receive their verification email. Can anyone clarify this? Thanks.
I've just confirmed that the limit applies to the verification emails as well. After signing up 50 users, the following message is received after user signup:
An error occurred (LimitExceededException) when calling the AdminCreateUser operation (reached max retries: 2): Exceeded daily email limit for the operation or the account. If a higher limit is required, please configure your user pool to use your own Amazon SES configuration for sending email.
Similarly if the signup occurs via the Hosted UI, except it only mentions An error was encountered with the requested page..
Worth mentioning that the Sign up still occurs, ie, the user is still created in the User Pool but no verification email is sent. Also, password recovery emails cannot be sent after this limit is reached, as the limit is shared and is per account, so applicable across all user pools in same account.
Related
Read through other SO posts, implemented the solutions, and this still seems to be an error.
My issue is simple: I'm using AWS Cognito and requiring email verification for users. However, when I get to this page:
I don't see the email, even after 2 hours. Steps I've ensured:
Enabled email verification in the Cognito console
Checked that the user email field is filled out. It is.
Enabled a domain name for my app sign up and sign in.
Tried resending the code.
I don't believe I'm over the daily quota limit for Amazon Cognito (I haven't configured it with SES), since I haven't gotten verification email today. Does anyone know why this is occuring?
I am happy with using AWS Cognito as a service for my flutter application. However, now I realize that the AWS SNS service is really pricey for usage within my country (No free tier and price is significantly higher than in the West), hence I wanted to use another 3rd party service which is cheaper to send any SMS to users. This will include Phone Number Verification during signup, Forgot Password Verification and other flows. I know that I can accomplish the phone number verification using the lambda function. However, for the forgot password flow, the only way of me changing the password is through sending a request to AWS which includes the OTP and new password.
How can I accomplish this? Can I change the user password explicitly in AWS by not going through the forgot_password flow in AWS (Meaning I send my own OTP and check the OTP myself, then updates the password), or how can I get the OTP generated by the forgot password then send it through the 3rd party SMS service?
Currently I'm working on building an email marketing system using Amazon SES. I have some problems which I have googled about for a while now but I couldn't find any clue so I decided to ask you guys here.
The first thing is I use only one Amazon account to send email, but it is limited up to 10,000 verified sending addresses or domains per region, so if I want to verify more than that I need to use different regions or Amazon accounts?
Next, is there any way can I add some custom arguments when I request to verify an email address? Because I need to check which account in my system owns that address so that no other account can use that verified address to send emails.
Any answer would be appreciated. And by the way, I'm sorry for my bad English.
Email address verification is only required while Amazon SES is in sandbox mode. This is done to prevent people creating an AWS account and using it to send spam.
From Moving out of the Amazon SES sandbox - Amazon Simple Email Service:
When your account is in the sandbox, we apply the following restrictions to your account:
You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
You can only send mail from verified email addresses and domains (also applies to Production mode)
You can send a maximum of 200 messages per 24-hour period.
You can send a maximum of 1 message per second.
You would typically only "send" from one email address, or perhaps a few to make it easier to handle replies. There should be no need for 100s or 1000s of verified 'sending' email addresses.
Once you request to move into Production mode and it is accepted, you can send to any recipients (whereas in Sandbox mode, each recipient need to be verified).
Brand new to AWS & Simple Email Service (SES) and have an app that needs to generate some email using SES. All I'm trying to do is set things up so that my app's service user (called, say, myapp-dev) has Access & Secret Keys that have permission to use SES APIs for generating emails. Furthermore I need these SES-generated emails to be sent from either no-reply#myapp.example.com which is not a valid email address, as well as hello#myapp.example.com which is a valid email address. This is because some SES emails will be alerts/notifications that end users should not respond to, and other emails will be emails that they may very well want/need to reply to.
I've already created a myapp-dev user that has AmazonSESFullAccess permissions.
Not knowing any better, I then went to the SES dashboard and clicked Manage Identities and started creating a new "SES Identity". I'm not sure if I need to do this or not (given my needs) or whether my myapp-dev user is ready to use the SES APIs as-is. Adding this new SES identity, it asked me to enter my domain and gave me the option to generate DKIM configurations for that domain. I read up quickly on DKIM and it sounds like its a way to authenticate that emails did in fact come from my domain, so it sounds like its something I'd like leverage. So I generated DKIM configs and now SES says that my new identity has a status of "pending verification".
Main concern is bolded above: with AmazonSESFullAccess permission, is my myapp-dev user ready to rock n' roll? Or will SES APIs fail/refuse to send emails until my SES identity (for my domain) is "verified"?
What do I actually need to do to change the SES identity from "pending" to "verified"? I did see a note that I needed to modify TXT and CNAME DNS records to configure DKIM with my domain, is that it? Or do I need to do something else?
Thank in advance for any and all clarification!
Found an alternate answer in this thread:
https://forums.aws.amazon.com/thread.jspa?threadID=125362
Here's what might have happened: Some domain name providers will automatically add example.com on to the end of the name/host field. So if you enter _xx.example.com, they'll "silently" change it to _xx.example.com.example.com
This is currently the case with namecheap, as I've painfully learned.....
It turned out this was my issue. Make sure to double check!
You need to wait for dns verification, can take a while.
You also need to take the Sandbox into account and open a ticket to move out from it.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
To help protect our customers from fraud and abuse and to help you
establish your trustworthiness to ISPs and email recipients, we do not
immediately grant unlimited Amazon SES usage to new users. New users
are initially placed in the Amazon SES sandbox. In the sandbox, you
have full access to all Amazon SES email-sending methods and features
so that you can test and evaluate the service; however, the following
restrictions are in effect:
You can only send mail to the Amazon SES mailbox simulator and to
verified email addresses and domains.
You can only send mail from verified email addresses and domains.
You can send a maximum of 200 messages per 24-hour period.
Amazon SES can accept a maximum of one message from your account per
second.
I'm setting up Amazon Cognito user pools as means to authenticate my users.
Cognito sends verification emails (password reset, confirm email address etc.).
Cognito uses Amazon SES for sending emails and Amazon SES is limited to 200 daily email quota per day.
I'm afraid that once I've imported all my users to Amazon Cognito, resulting with each of them receiving a couple of emails upon their next login, I'll be well over the quota and they will not be able to receive those emails.
Does anyone know whether this quota applies to automatic emails by Amazon Cognito?
Cognito has gotten a much higher sending limit than 200, you shouldn't run into issues. If you do, feel free to reach out to us via the forums/support and we can get you around that.
If you use Amazon SES for sending emails the certainly Amazon SES quota applies.
But 200 per day sounds suspiciously like SES Sandbox. In which case you're not only limited to 200 a day, but you also have to "validate" each e-mail address first before you can even start sending e-mails to that address.
So, if you want to send large number of e-mails to a wide audience as you described in the question you certainly need to move it out of sandbox.
Just test your configuration in Sandbox (so you know it's all working correctly) and then apply for quota increase. (I know, it sounds scary, but procedure is actually quite simple and straight forward.)