AWS cognito documentation change
Summary
Added clarification about required IAM role assumptions for KMS key policy effectiveness
Security assessment
Mirrors email sender documentation update for secure KMS configuration without addressing specific vulnerabilities.
Diff
diff --git a/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md b/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md index 136028f9f..ea0acce4e 100644 --- a/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md +++ b/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md @@ -101 +101 @@ Amazon Cognito HTML-escapes reserved characters like `<` (`<`) and `>` (`> - 2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key. + 2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key. For this example KMS key policy to be effective, the administrator who updates the user pool must be signed in with an assumed-role session for the IAM role ` arn:aws:iam::111222333444:role/my-example-role`.