AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-02-26 · Documentation low

File: cognito/latest/developerguide/user-pool-lambda-custom-message.md

Summary

Clarified placeholder usage in custom message Lambda functions for admin-created users

Security assessment

Improves documentation clarity about template variables but does not address security issues or describe security features.

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-custom-message.md
index d8dcfcd54..b5712a5e2 100644
--- a/cognito/latest/developerguide/user-pool-lambda-custom-message.md
+++ b/cognito/latest/developerguide/user-pool-lambda-custom-message.md
@@ -17 +17 @@ The request includes `codeParameter`. This is a string that acts as a placeholde
-A custom message Lambda function with the `CustomMessage_AdminCreateUser` trigger source returns a user name and verification code. Because an admin-created user must receive both their user name and code, the response from your function must include both `request.usernameParameter` and `request.codeParameter`. 
+The input event for a custom message Lambda function with the `CustomMessage_AdminCreateUser` trigger source includes a username and verification code. Because an admin-created user must receive both their user name and code, the response from your function must include placeholder variables for the username and code. The placeholders for your message are the values of `request.usernameParameter` and `request.codeParameter`. These values are typically `{username}` and `{####}`; as a best practice, reference the input values instead of hardcoding the variable names.