AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-03-23 · Documentation low

File: cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md

Summary

Added clarification about required IAM role assumptions for KMS key policy effectiveness

Security assessment

Enhances documentation about secure KMS key configuration requirements but does not address a specific vulnerability.

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md b/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md
index f067baced..888547124 100644
--- a/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md
+++ b/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md
@@ -116 +116 @@ Amazon Cognito HTML-escapes reserved characters like `<` (`&lt;`) and `>` (`&gt;
-  2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key.
+  2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key. For this example KMS key policy to be effective, the administrator who updates the user pool must be signed in with an assumed-role session for the IAM role ` arn:aws:iam::111222333444:role/my-example-role`.