
How to delete an AWS Cognito user automatically after a certain time

I would like to delete a non-verified user from the AWS Cognito user pool after a certain time. Is it possible to delete a Cognito user automatically?

Let's say a user signs up from a client app with an anonymous email that might belong to someone else. If the email is not verified, I would like to delete it automatically after a certain time. That way it will allow the actual owner of the email to sign up. How can I do that?

Nick asked Dec 30 '25 12:12


2 Answers

There isn't anything that automatically goes through your user pool and does some maintenance on individual users. One option that I think is a more scalable solution would be to create 3 Lambda functions. First is a pre sign-up lambda, that stores new users in, for example, a DynamoDB table. The flow, taken from the docs, looks like this:


Every time a user signs up, store the email addresses of newly created users into a table, along with a time stamp.

In the second Lambda you'll have a post confirmation lambda that is run when people confirm their email address. That Lambda will remove any confirmed email addresses from the DynamoDB table.

Lastly, in the third Lambda, you will have a CloudWatch event run the Lambda (see this tutorial for some details on that) periodically (daily? weekly?). This is your "cleanup" Lambda. Any email addresses that remain in the DynamoDB table that are older than your cutoff for email validation will now have their Cognito user pool record removed.

I know this might sound a bit challenging but really you can validate each Lambda on its own and develop one at a time. The pre sign-up Lambda can be created first to put new users in. You can make sure that works and even manually remove users that haven't confirmed. The second one is actually fairly easy, just deleting a row in the table. The last one is a bit more involved, selecting all the "old" sign ups, removing them from Cognito, and then removing them from the database.

The alternative is to have a CloudWatch event run a single Lambda that loops through every user in your Cognito user pool and checks to see if they've been validated. That's fine with maybe 1000 users. But what if you're super successful and have a few million users? A very high percentage of users will not need to have anything done to them but you still have to process the record.

stdunbar answered Jan 01 '26 11:01


You need to assign a Lambda Trigger, Lambda + Amazon EventBridge (CloudWatch trigger)

Node.js code:



    const AWS = require('aws-sdk');
    // Replace the placeholders with your region and user pool ID.
    const cognito = new AWS.CognitoIdentityServiceProvider({region:'Region-ID'});
    const userPoolID = "User Pool ID";

    // List UNCONFIRMED users (one page of up to 10) and delete each of them.
    const getUsers = async () => {
        const params = {
            UserPoolId: userPoolID,
            Filter: "cognito:user_status = \"UNCONFIRMED\"",
            Limit: 10
        };
        const data = await cognito.listUsers(params).promise();
        // Wait for every delete so the Lambda does not return before they finish.
        return Promise.all(data.Users.map(user => deleteUser(user.Username)));
    };

    // Delete a single user from the pool by username.
    const deleteUser = async (sub) => {
        const params = {
            UserPoolId: userPoolID,
            Username: sub
        };
        return cognito.adminDeleteUser(params).promise();
    };

    const main = async (event) => {
        return getUsers();
    };

    exports.handler = main;

Rajesh answered Jan 01 '26 13:01
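An added example, not part of either answer: a scheduled cleanup that pages through every UNCONFIRMED user and deletes only those whose `UserCreateDate` is older than a cutoff, so a user who signed up a minute ago is left alone. The function names, the stub client, the sample users and the seven-day cutoff used in the usage note are assumptions for illustration; the client is injected and is expected to expose `listUsers` and `adminDeleteUser` in aws-sdk v2 style.

```javascript
// Pure selection step: usernames of UNCONFIRMED users created before the cutoff.
function selectStale(users, nowMs, maxAgeMs) {
  return users
    .filter(u => u.UserStatus === 'UNCONFIRMED') // re-check status client-side
    .filter(u => nowMs - new Date(u.UserCreateDate).getTime() > maxAgeMs)
    .map(u => u.Username);
}

// Walk every page of UNCONFIRMED users and delete only the stale ones.
// `cognito` needs listUsers(p).promise() and adminDeleteUser(p).promise() (aws-sdk v2 style).
async function purgeStaleUnconfirmed(cognito, userPoolId, maxAgeMs, nowMs = Date.now()) {
  const deleted = [];
  let token; // PaginationToken returned with the previous page
  do {
    const params = { UserPoolId: userPoolId, Filter: 'cognito:user_status = "UNCONFIRMED"', Limit: 60 };
    if (token) params.PaginationToken = token;
    const page = await cognito.listUsers(params).promise();
    for (const username of selectStale(page.Users, nowMs, maxAgeMs)) {
      await cognito.adminDeleteUser({ UserPoolId: userPoolId, Username: username }).promise();
      deleted.push(username);
    }
    token = page.PaginationToken;
  } while (token);
  return deleted;
}

// Constructed stub client and sample users (not real data), so the logic runs offline.
function makeStubClient(pages) {
  const removed = [];
  const listUsers = p => ({
    promise: async () => {
      const i = p.PaginationToken ? Number(p.PaginationToken) : 0;
      const next = i + 1 < pages.length ? String(i + 1) : undefined;
      return { Users: pages[i], PaginationToken: next };
    },
  });
  const adminDeleteUser = p => ({ promise: async () => { removed.push(p.Username); return {}; } });
  return { removed, listUsers, adminDeleteUser };
}

const DAY_MS = 24 * 60 * 60 * 1000;
const SAMPLE_NOW = Date.parse('2026-01-10T00:00:00Z');
const SAMPLE_PAGES = [
  [ { Username: 'stale-1', UserStatus: 'UNCONFIRMED', UserCreateDate: new Date('2026-01-01T00:00:00Z') },
    { Username: 'fresh-1', UserStatus: 'UNCONFIRMED', UserCreateDate: new Date('2026-01-09T12:00:00Z') } ],
  [ { Username: 'stale-2', UserStatus: 'UNCONFIRMED', UserCreateDate: new Date('2025-12-01T00:00:00Z') },
    { Username: 'done-1', UserStatus: 'CONFIRMED', UserCreateDate: new Date('2025-01-01T00:00:00Z') } ],
];
```

In a Lambda handler, pass the real `CognitoIdentityServiceProvider` client and a cutoff such as `7 * DAY_MS`, and log the returned usernames so each deletion leaves an audit trail.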


