Block disposable email signups in AWS Cognito
Attach a Lambda to the `PreSignUp` trigger of your Cognito User Pool. The Lambda runs synchronously and can throw to reject before the user record is written.
The code
```python
# lambda_function.py
# Cognito User Pool → Triggers → Pre sign-up → attach this Lambda.
# Set CDE_KEY in Lambda environment variables.
import json
import os
import urllib.parse
import urllib.request


def is_disposable(email: str) -> bool:
    """Ask the API whether the address is disposable; any error counts as "not disposable"."""
    try:
        url = "https://api.checkdisposable.email/v1/check?" + urllib.parse.urlencode({"email": email})
        req = urllib.request.Request(url, headers={
            "Authorization": "Bearer " + os.environ["CDE_KEY"],
        })
        with urllib.request.urlopen(req, timeout=3) as resp:
            return json.loads(resp.read()).get("is_disposable") is True
    except Exception:
        return False  # fail open


def lambda_handler(event, context):
    email = event.get("request", {}).get("userAttributes", {}).get("email", "")
    if email and is_disposable(email):
        # Raising rejects the signup before the user record is written.
        raise Exception("PreSignUp failed: Please use a real email address.")
    return event  # returning the event lets the signup proceed
```
Notes
- Cognito surfaces the exception message: The string you raise becomes the error returned to the client SDK. Cognito strips the "PreSignUp failed:" prefix and shows the rest — keep it user-friendly.
- Cold-start latency: Lambdas in this trigger are billed and run synchronously in the signup flow. Use a 3-second urllib timeout (above) so a cold start + slow API doesn't cascade into a 30-second signup hang.
- Federation: PreSignUp also fires when a user federates in for the first time via SAML / OIDC / social. One trigger covers password signup + Google + Apple + your IdP.
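A variant of the handler that addresses the fail-open and latency points above (an added example, not code from the original page): it caches verdicts per domain in the warm container, falls back to a local denylist when the API call fails, and logs which path decided so fail-open events show up in the logs. `verdict`, `make_handler`, `LOCAL_DENYLIST`, the TTL and the `.example` domains are assumptions, as is treating a verdict as valid for the whole domain; `lookup` stands in for `is_disposable` with its `try/except` removed so that errors propagate.

```python
import time

CACHE_TTL = 3600        # assumption: reuse a verdict for one hour
VERDICT_CACHE = {}      # domain -> (is_disposable, expiry); lives as long as the warm container
# Constructed sample entries; consulted only when the remote lookup fails.
LOCAL_DENYLIST = {"tempbox.example", "trashmail.example"}


def domain_of(email):
    """Lower-cased domain part, or '' when the address has no usable '@'."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else ""


def verdict(email, lookup, now=time.time):
    """Return (is_disposable, source). lookup(email) -> bool and may raise."""
    domain = domain_of(email)
    if not domain:
        return False, "no-domain"
    hit = VERDICT_CACHE.get(domain)
    if hit and hit[1] > now():
        return hit[0], "cache"          # no network call on the signup path
    try:
        result = bool(lookup(email))
    except Exception:
        # API down or slow: still fail open, except for locally known domains.
        return domain in LOCAL_DENYLIST, "fallback"
    VERDICT_CACHE[domain] = (result, now() + CACHE_TTL)
    return result, "api"


def make_handler(lookup):
    """Build a PreSignUp handler around an injectable lookup (easy to stub offline)."""
    def handler(event, context):
        email = event.get("request", {}).get("userAttributes", {}).get("email", "")
        bad, source = verdict(email, lookup) if email else (False, "no-email")
        # Log the deciding path, not the address; "fallback" means the API failed.
        print({"check": "disposable_email", "source": source, "blocked": bad})
        if bad:
            raise Exception("PreSignUp failed: Please use a real email address.")
        return event
    return handler
```

A metric filter or alarm on `source` equal to `fallback` shows how often signups were decided without the API.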
Get a free API key
500 checks/month, no credit card. 30 seconds.