AWS cognito documentation change
Summary
Added clarification about required IAM role assumptions for KMS key policy effectiveness
Security assessment
Enhances documentation about secure KMS key configuration requirements but does not address a specific vulnerability.
Diff
diff --git a/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md b/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md index f067baced..888547124 100644 --- a/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md +++ b/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md @@ -116 +116 @@ Amazon Cognito HTML-escapes reserved characters like `<` (`<`) and `>` (`> - 2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key. + 2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key. For this example KMS key policy to be effective, the administrator who updates the user pool must be signed in with an assumed-role session for the IAM role ` arn:aws:iam::111222333444:role/my-example-role`.