Create SNS Topic As Cognito Identity - amazon-web-services

Playing around with AWS in Golang.
At the moment I use the AWS SDK front-end with Facebook as a Credentials Provider to create Identities in AWS Cognito. This works great.
I use SNS to send Push Notifications to iOS and Android, this also works great.
But I read that SNS only allows 3000 topics per User. If I understand how Cognito and SNS work (and with what I see in logs/dashboard) All Topics are created by the Role that the Cognito Identities assume. So they are all created by the same "User". So I will hit 3000 very quickly with the service in mind.
Ideally I would send AWS Credentials to my Golang back-end and there I would create Topics per Identity and confirm subscriptions.
Is it possible to create Topics per Cognito Identity, make the individual Identities the Owner of the Topic?
If so, is this a specific API call?
Or is this something that has to be set with a specific Role?

AWS doesn't typically limit things by "user" like that. The 3,000 SNS topics limit is per AWS account. This is a soft limit. You can fill out a request to have the limit raised.
Also, I'm not sure 3,000 is the default limit anymore. I can't seem to find that in any of the official documentation at this time. This is the only thing I can find, which lists a limit of 100,000 SNS topics: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_sns

Related

Is it possible to configure AWS Cognito to send SMS messages from a different AWS account?

I want to have a script which programmatically creates an AWS account and creates a Cognito user pool within that account.
I want this user pool to support multi-factor authentication via SMS.
Cognito sends SMS messages using the SNS service. When you create a new AWS account, by default you start in the SNS sandbox, and you have to apply to AWS support to escape the sandbox.
I don't want to have to manually apply to escape the sandbox every time I run the account creation script. (I don't think it's possible to automate leaving the sandbox for multiple accounts, or for all accounts in an AWS organization?)
Therefore I would like to have a single central account which is used for sending MFA SNS messages, and I would like to configure Cognito to send those messages from this account.
Is this possible? The Cognito console prompts me to provide AWS Cognito a role to send SMS messages - if I provide a cross-account role, will Cognito automatically send messages from the desired account? Is there any other way to achieve what I want, other than rethinking my architecture and just combining my Cognito user pools into a single shared account?
You could create a custom Lambda function to deliver SMS for Cognito. This Lambda could in turn assume a role in a different AWS account and call SNS on behalf of that account, which would cause the SMS to be delivered through that account.
Currently, it is not possible to configure AWS Cognito to send SMS messages from a different AWS account. AWS Cognito is designed to be used within the same AWS account.
When you send an SMS message from your user pool, Amazon Cognito assumes an IAM role in your account. Hence in my experience, Cognito does not allow this.
More details here

How to setup toll-free number in AWS SNS instead of the default?

I am using AWS cognito to signup users and create new accounts for my users on my web-app. I authorize the user's phone number by sending a one-time-password via AWS SNS. Off-late there has been a message on my SNS dashboard which reads like this :
I am worried that cognito will stop sending one-time-passwords to users who signup on my website and because of that I might loose them. I have not done any custom setup as of now for my application. From reading through communities and aws documentation I figured I can use a toll-free number from Amazon Pinpoint instead. It fits my requirement but there is no documentation of how to plug this toll-free number into the cognito process. I have purchased a toll-free number but don't understand how to use it for sending phone verification otp. Would be great if someone could help me with this.Thanks.
Looking at the AWS documentation, you can use a Pre Sign-up Lambda Trigger. The pre sign-up Lambda function is triggered just before Amazon Cognito signs up a new user. It allows you to perform custom validation to accept or deny the registration request as part of the sign-up process. Because you can use a Lambda function, you can use custom logic within the Lambda function to meet your business requirements. This includes hooking into Pinpoint to achieve what you want to do. For more details:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html

AWS Cognito using another region to send SMS

I have got an interesting issue with Cognito Userpool in AWS. I have created user pool for managing Users' signup/signin process in Mumbai region. Cognito was able to send otp via sms during signup process successfully from Mumbai region until we hit service limit exception. Hence we requested for service limit increase via support case and they increased to amount we requested. Soon after this, all the SMSes are starting to originate from Singapore region even thought cognito user pool resides in Mumbai region. I created a support case with AWS, unfortunately they asked to go with Premium plan to help on this. I have read about this issue at multiple forums and aws doesnt seem to be giving right answer. I can simply increase service limit in Singapore region and my issue will be resolved. But I believe that issue is with AWS and they had to fix it. Anyone else faced such situation and what was your approach ?
SMS messages from Amazon Cognito user pools are routed through Amazon SNS in the same region unless noted in the following table.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
There is no way to change this internal mapping. Ideally the easiest way is to increase the SNS spending limit in the region Cognito is using.
Another option is to use this new feature:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
It is a new Lambda trigger which is not available in the console but can be added in the CLI. You could use the AWS SDK to send the CODEs via SNS in the given region. I have not done this myself but should satisfy your usecase.

Amazon Pinpoint vs. Amazon SES/SMS

I would like to send a verification code to a specific user (only one) via email or text message. I have successfully done so through Amazon SES but I have not attempted through Amazon SMS yet. I have found myself going down the rabbit hole of investigating AWS Pinpoint.
It seems to me Pinpoint is meant for mass user messaging (text/email) rather than one-of individual messaging. I'm hoping I gathered that correctly.
My question, is there an advantage/disadvantage of using Pinpoint over Amazon SES and SMS for my use case?
This may be addressed by the Pinpoint FAQ
Q: I already use Amazon SNS or Amazon SES. What do I gain by switching
to Amazon Pinpoint?
In typical Amazon SNS and Amazon SES use cases, you have to set up
your application to manage each message's audience, content, and
delivery schedule. These same features are built in to Amazon
Pinpoint. With Amazon Pinpoint, you can create message templates,
delivery schedules, highly-targeted segments, and full campaigns.
Pinpoint also appears to be able to push notifications to users through the users preferred contact mechanism. This means that you are not limited to SMS and you reach your users with activation codes through the means they want to be reached. It also allows two-way communication.
The Pinpoint homepage also says:
You can send direct messages—such as order confirmations, welcome
messages, and one-time passwords—using the console or the Amazon
Pinpoint REST API. You can also use the API to build custom
applications that deliver campaign and transactional messages across
multiple channels.
This suggest it is suitable for your uses, though it has additional mass-communication features you do not currently need.
In addition to above points mentioned by #Freiheit you can send and receive SMS messages through Amazon Pinpoint. This will help you to track user response and create surveys, reviews and quiz like scenarios.
Check this AWS Documentation link

How can I be notified [eg via email] for any change in my AWS account?

I have an AWS account that use multiple devs and teams [dev/qa/mobile].
I would like to be notified when any change takes place in my AWS account.
For example a dev launches a new instance , or a new open port is added in a security group etc and he forgets to announce it to me or the rest of the team.
I want to be fully informed for these changes in order to apply specific architecture and/or security and people tend to mess with them.
Is there any dashboard or service inside AWS that I can customise it?
Someone suggested that I should take a look in CloudTrail.
Has anyone done something like this?
The easiest way to go is to use cloudtrail with cloudwatch logs. In AWS FAQ:
Q:What are the benefits of CloudTrail integration with CloudWatch Logs?
This integration enables you to receive SNS notifications of API activity captured by CloudTrail. For example, you can create CloudWatch alarms to monitor API calls that create, modify and delete Security Groups and Network ACL’s. For examples, go to the examples section of the user guide.
Based on SNS, you can then send email through SES
I think the easier way is to use Amazon Cloudtrail service.
Cloudtrail logs any API call which is made on your AWS account. Every operation done on AWS is and API call (including instances operations as you have requested)
Here you can find more information about it
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-cloudtrail-to-send-notifications.html
I hope this helps somehow.
You can find logs of your AWS account in S3,
Find below path in S3:
s3://security-logging/AWS_/AWSLogs/AWS Account no./CloudTrail/your region/year
You can also integrate CloudTrail with SQS to send notifications.