This application demostrates how to implement Amazon Fraud Detector along with Amazon Cognito User Pools with customized auth flows and utilizing Cognito Lambda triggers to implement friction in the registration process for users whose fraud risk score is medium.
For fraud risk scores low, users will be registered and confirmed automatically to the Cognito User Pool. For fraud risk score high the PreSignUp Lambda trigger will prevent the user from sign up.
This project contains AWS Cloud Development Kit (CDK) application that deploys all the AWS resources necessary to implement a real-time fraud detection system using Amazon Cognito's custom auth workflow.
- An AWS Account.
- Install
nodeand Node Package Manager (npm) - Download and install AWS CDK CLI in your local machine.
- Access to an AWS account with administrator or PowerUser (or equivalent) AWS Identity and Access Management (IAM) role policies attached with permissions for Amazon Fraud Detector, Cognito, Lambda, Amazon DynamoDB, Amazon API Gateway, and Amazon Pinpoint.
- Build an Amazon Fraud Detector Model
- Create a detector to generate real-time fraud predictions
- Clone this repository and change directory
git clone <repo_url> afd-cognito-demo
cd afd-cognito-demo- Install the required CDK Modules
npm install --save- Update the
.envfile with the necessary information. You will need to provide the AWS account number and region you wish to deploy this application to. You will also need information about Amazon Fraud Detector' detector name, version, event type name and entity type names that you created as part of the pre-requisites. For example
AWS_ACCOUNT_NUMBER=111122223333
AWS_REGION=us-east-1
AFD_DETECTOR_NAME=sample_detector
AFD_DETECTOR_VERSION=1
AFD_EVENT_TYPE=sample_registration
AFD_ENTITY_TYPE=sample_customer- Confiure IAM policies in the
config/policies.jsonfile. This CDK project creates Lambda functions. In order for the Lambda functions to be able to access other AWS resources, such as Amazon Fraud Detector, Cognito User Pool, and DynamoDB table, it needs an IAM Role with the required permissions. You should add policy names in thepolicies.jsonfile so that the CDK project can create the IAM Role with the policies.
{
"policy_names":[
"policy-name-1",
"policy-name-2",
"policy-name-2"
]
}For the purposes of this project the following AWS Managed policies are sufficient.
service-role/AWSLambdaVPCAccessExecutionRole
AmazonCognitoPowerUser
AmazonDynamoDBFullAccess
AmazonFraudDetectorFullAccessPolicy
⚠️ Some of the policies specified above can be more permissive than desired. Please exercise caution and follow principles of least privileges while creating IAM Roles for your AWS resources.
- Bootstrap the CDK project by replacing the
<account_number>and<region>with your AWS account number and region where you wish to deploy the project.
cdk bootstrap aws://<account_number>/<region>- Synthesize an AWS Cloudfromation template from the CDK project
cdk synth --all- Deploy the CDK Project
cdk deploy --all- (Optional) If you have already deployed this CDK app but have made new changes, you can run the command below to see the changes
cdk diffTo avoid incurring future charges, delete the resources created for the solution.
cdk destroy --allSee CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.