AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-03 · Documentation medium

File: cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.md

Summary

Expanded example documentation for custom authentication challenges, including CAPTCHA and security question workflows. Updated section titles for clarity.

Security assessment

Adds detailed guidance on implementing security features like CAPTCHA and security questions in custom authentication flows. While security-related, there is no evidence of addressing a specific vulnerability.

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.md b/cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.md
index 99ad8eaa2..2f76d4f03 100644
--- a//cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.md
+++ b//cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.md
@@ -5 +5 @@
-Create Auth challenge Lambda trigger parametersCreate Auth challenge example
+ParametersExample: custom challenge with CAPTCHA
@@ -130 +130,3 @@ Your name for the custom challenge, if this is a custom challenge.
-A CAPTCHA is created as a challenge to the user. The URL for the CAPTCHA image is added to the public challenge parameters as "`captchaUrl`", and the expected answer is added to the private challenge parameters.
+This function has two custom challenges that correspond to the challenge sequence in our [define auth challenge example](./user-pool-lambda-define-auth-challenge.html#aws-lambda-triggers-define-auth-challenge-example). The first two challenges are SRP authentication. For the third challenge, this function returns a CAPTCHA URL to your application in the challenge response. Your application renders the CAPTCHA at the given URL and returns the user's input. The URL for the CAPTCHA image is added to the public challenge parameters as "`captchaUrl`", and the expected answer is added to the private challenge parameters.
+
+For the fourth challenge, this function returns a security question. Your application renders the question and prompts the user for their answer. After users solve both custom challenges, the define auth challenge trigger confirms that your user pool can issue tokens.
@@ -168 +170 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Define auth challenge Lambda trigger
+Define auth challenge