AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-03-23 · Documentation low

File: cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md

Summary

Added clarification about required IAM role assumptions for KMS key policy effectiveness

Security assessment

Mirrors email sender documentation update for secure KMS configuration without addressing specific vulnerabilities.

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md b/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md
index 136028f9f..ea0acce4e 100644
--- a/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md
+++ b/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md
@@ -101 +101 @@ Amazon Cognito HTML-escapes reserved characters like `<` (`&lt;`) and `>` (`&gt;
-  2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key.
+  2. The IAM principal that creates or updates your user pool creates a one-time grant against the KMS key that Amazon Cognito uses to encrypt the code. Grant this principal `CreateGrant` permissions for your KMS key. For this example KMS key policy to be effective, the administrator who updates the user pool must be signed in with an assumed-role session for the IAM role ` arn:aws:iam::111222333444:role/my-example-role`.