How to guarantee preferred_username unicity on amazon-cognito?

Question

I am using a single table to store all my data in dynamodb as such:

Partion Key (PK)	Sorting Key (SK)	Attributes
USER#gijoe	PROFILE#gijoe	{ name: "G.I", lastName: "Joe" }
USER#gijoe	CARD#first-card	{ name: "King", picture: "./king.png" }

I am using the preferred_username as a part of the Partition Key, and thus need it to be unique to avoid colliding user data.

How can I garantee that two users in my User Pool cannot have matching preferred_username ?

Edit: The answer from @Lukas did it. Note that it required me to drop and recreate my cloudformation stack, which is why it failed on my first tries. Now when I try to edit the preferred_username I get the error I was looking for:

{
  "message": "Already found an entry for the provided username.",
  "code": "AliasExistsException",
  "time": "2021-01-19T09:36:47.874Z",
  "requestId": "7b52dbc2-58c5-4354-aa51-66d4dc7472a0",
  "statusCode": 400,
  "retryable": false,
  "retryDelay": 85.84051584672932
}

Answer 1

username is unique within single pool. Same with alias. preferred_username may be configured as username alias.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

Key take aways:

Developers can use the preferred_username attribute to give users a username that they can change. For more information, see Overview of Aliases.

The username must be unique within a user pool. A username can be reused, but only after it has been deleted and is no longer in use.

You can allow your end users to sign in with multiple identifiers by using aliases.

The preferred_username attribute provides users the experience of changing their username, when in fact the actual username value for a user is not changeable. If you want to enable this user experience, submit the new username value as a preferred_username and choose preferred_username as an alias. Then users can sign in with the new value they entered. If preferred_username is selected as an alias, the value can be provided only when an account is confirmed. The value cannot be provided during registration.

....

Alias values must be unique in a user pool. If an alias is configured for an email address or phone number, the value provided can be in a verified state in only one account. During sign-up, if an email address or phone number is supplied as an alias from a different account that has already been used, registration succeeds. Nevertheless, when a user tries to confirm the account with this email (or phone number) and enters the valid code, an AliasExistsException error is thrown. The error indicates to the user that an account with this email (or phone number) already exists. At this point, the user can abandon the new account creation and can try to reset the password for the old account. If the user continues creating the new account, your app should call the ConfirmSignUp API with the forceAliasCreation option. This moves the alias from the previous account to the newly created account, and it also marks the attribute unverified in the previous account.