AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-03 · Documentation medium

File: cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.md

Summary

Updated example to include CAPTCHA and security question challenges in authentication flow. Added implementation guidance for custom challenge sequences.

Security assessment

Enhanced documentation for multi-factor authentication through custom challenges improves security posture, but doesn't address a specific disclosed vulnerability.

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.md b/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.md
index 74f8ab5be..f7147b18e 100644
--- a//cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.md
+++ b//cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.md
@@ -5 +5 @@
-Define Auth challenge Lambda trigger parametersDefine Auth challenge example
+ParametersExample: set up a challenge sequence
@@ -157 +157,3 @@ If you want to end the current authentication process, set to `true`. To continu
-This example defines a series of challenges for authentication and issues tokens only if the user has completed all of the challenges successfully.
+This example defines a series of challenges for authentication and issues tokens only if the user has completed all of the challenges successfully. When users complete SRP authentication with the `SRP_A` and `PASSWORD_VERIFIER` challenges, this function passes them a `CUSTOM_CHALLENGE` that invokes the create auth challenge trigger. In combination with our [create auth challenge example](./user-pool-lambda-create-auth-challenge.html#aws-lambda-triggers-create-auth-challenge-example), this sequence delivers a CAPTCHA challenge for challenge three and a security question for challenge four.
+
+After the user solves the CAPTCHA and answers the security question, this function confirms that your user pool can issue tokens. SRP authentication isn't required; you can also set the CAPTCHA and security question as challenges one & two. In the case where your define auth challenge function doesn't declare SRP challenges, your users' success is determined entirely by their responses to your custom prompts.
@@ -211 +213 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Challenge Lambda triggers
+Custom challenge
@@ -213 +215 @@ Challenge Lambda triggers
-Create auth challenge Lambda trigger
+Create auth challenge