Cognito authentication with username or unique email via AWS Amplify
Amplify CLI authentication with Cognito user pools currently has two main modes: sign-in with username or with email. In the former case, email uniqueness as a required user attribute is not being enforced.

Cognito service by itself supports the "Also allow sign in with verified email address" option (AWS Console, User Pool Attributes section), but it can be set only upon user pool creation (i.e. it cannot be modified later; the checkboxes are disabled). Is it possible to enforce no duplicate emails within the user pool while allowing users to authenticate with username or with email?

To summarize, my use case requires:

  • Verifying/enforcing email attribute uniqueness at the Cognito level when signing up users via Amplify's Auth.SignUp;
  • Keeping username-based login but allowing users to log in with their email as well (that is, Auth.SignIn with email or username supplied as the username argument).
Telephonic answered 8/11, 2019 at 5:12 Comment(2)
I have the same problem, did you figure out how to solve this? – Groundage
@Groundage Try enabling the signup-with-email option by modifying the default CloudFormation template produced by the Amplify CLI before the very first amplify push: my case works with AliasAttributes: ["email"] added. The idea came from here. – Telephonic

Check out Cognito Lambda Triggers.

The pre sign-up trigger should meet your use case.

You can create a custom Lambda where you define the logic for enforcing unique email addresses. You then register this Lambda with Cognito, so it will get called before sign-up and give you the chance to deny the sign-up if the email already exists.

To check if a user already exists with the same email, you can use Cognito's ListUsers API with a filter set to email address = signup request's email address. If any results are returned, deny the signup request.

Dierolf answered 8/6, 2023 at 18:26 Comment(0)
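As an added example (not code from the answer above or from AWS), here is a Node.js PreSignUp handler implementing the ListUsers check the answer describes; the injected `listUsers` function, `makePreSignUpHandler`, `emailFilter` and the sample directory are assumptions made so it runs offline, while the commented-out wiring at the bottom uses the real AWS SDK v3 `ListUsersCommand`.

```javascript
// Added example: a PreSignUp trigger that denies sign-up when another user
// already holds the requested email. ListUsers is injected so it runs offline.

// ListUsers takes its filter as a quoted string. Escape the value so an email
// containing quotes or backslashes cannot alter the filter expression.
function emailFilter(email) {
  const escaped = String(email).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `email = "${escaped}"`;
}

// listUsers(params) must resolve to { Users: [...] } as the SDK response does.
function makePreSignUpHandler(listUsers) {
  return async function preSignUp(event) {
    const attrs = (event.request && event.request.userAttributes) || {};
    const email = typeof attrs.email === "string" ? attrs.email.trim() : "";
    if (!email) {
      throw new Error("An email address is required to sign up.");
    }
    const res = await listUsers({
      UserPoolId: event.userPoolId,
      Filter: emailFilter(email), // exact match on the email attribute
      Limit: 1,
    });
    if (Array.isArray(res.Users) && res.Users.length > 0) {
      // Throwing makes Cognito reject the sign-up; the message is relayed to
      // the client, so keep it generic and do not echo pool internals.
      throw new Error("An account with this email address already exists.");
    }
    return event; // returning the event unchanged lets the sign-up proceed
  };
}

// Constructed sample directory standing in for the user pool (offline only).
const SAMPLE_USERS = [
  { Username: "alice", Attributes: [{ Name: "email", Value: "alice@example.com" }] },
];
async function fakeListUsers(params) {
  const m = /^email = "(.*)"$/.exec(params.Filter);
  const wanted = m ? m[1].replace(/\\(.)/g, "$1") : null;
  const hits = SAMPLE_USERS.filter((u) =>
    u.Attributes.some((a) => a.Name === "email" && a.Value === wanted));
  return { Users: hits.slice(0, params.Limit) };
}
const handler = makePreSignUpHandler(fakeListUsers);

// Real Lambda wiring (not executed here):
// const { CognitoIdentityProviderClient, ListUsersCommand } =
//   require("@aws-sdk/client-cognito-identity-provider");
// const client = new CognitoIdentityProviderClient({});
// exports.handler = makePreSignUpHandler((p) => client.send(new ListUsersCommand(p)));
```

Two sign-ups for the same address arriving at the same time can both pass this check, so treat the trigger as a guard rather than a guarantee. The email attribute also still has to be verified before it is trusted for login.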

When you add the user pool with amplify add auth, choose 'Username' as the method with which you want users to sign in when prompted.

If you aren't prompted with this choice, you might need to try amplify add auth again but this time choose Manual configuration when prompted at the beginning.

Once you've completed the entire auth set up via amplify add auth, BEFORE you run amplify push for the first time, run amplify override auth.

This creates a new override.ts file which you can edit with AWS CDK code to customise your Cognito resources beyond the abilities the CLI allows.
You can find the override.ts file at:
amplify\backend\auth\<your_app_name>\override.ts

Inside the override file, add the following line into the empty function that's made for you:
resources.userPool.aliasAttributes = ['email'];

Now you can save the file and run amplify push, and hopefully your new user pool will show in the AWS Console that you've successfully configured it to allow username and email sign-in together.

You have to make sure you write the override code before amplify push, or your user pool will be created in the cloud; attempting to override this sign-in functionality after the user pool has been created throws an error, as it's read-only.

If you find yourself in that position, you'll need to create a new user pool; you can't modify the existing one.

Acanthus answered 28/1, 2023 at 17:54 Comment(0)