Custom sender Lambda triggers - Amazon Cognito
Required resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Custom sender Lambda triggers

The Lambda triggers CustomEmailSender and CustomSMSSender support third-party email and SMS notifications in user pools. You can choose SMS and email providers to send notifications to users from within your Lambda function code. When Amazon Cognito sends invitations, MFA codes, confirmation codes, verification codes, and temporary passwords to users, the events activate your configured Lambda functions. Amazon Cognito sends the code and temporary passwords (secrets) to your activated Lambda functions. Amazon Cognito encrypts these secrets with an Amazon KMS customer managed key and the Amazon Encryption SDK. The Amazon Encryption SDK is a client-side encryption library that helps you to encrypt and decrypt generic data.

Note

To configure your user pools to use these Lambda triggers, you can use the Amazon CLI or SDK. These configurations aren't available from Amazon Cognito console.

CustomEmailSender

Amazon Cognito invokes this trigger to send email notifications to users.

CustomSMSSender

Amazon Cognito invokes this trigger to send SMS notifications to users.

Required resources

Amazon Cognito doesn't send users' codes in plaintext in the events that it sends to custom sender triggers. The Lambda functions must decrypt codes in the events. The following concepts are the encryption architecture that your function must use to get codes that it can deliver to users.

Amazon KMS

Amazon KMS is a managed service to create and control Amazon KMS keys. These keys encrypt your data. For more information see, What is Amazon Key Management Service?.

KMS key

A KMS key is a logical representation of a cryptographic key. The KMS key includes metadata, such as the key ID, creation date, description, and key state. The KMS key also contains the key material used to encrypt and decrypt data. For more information see, Amazon KMS keys.

Symmetric KMS key

A symmetric KMS key is a 256-bit encryption key that doesn't exit Amazon KMS unencrypted. To use a symmetric KMS key, you must call Amazon KMS. Amazon Cognito uses symmetric keys. The same key encrypts and decrypts. For more information see, Symmetric KMS keys.