AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-03 · Documentation low

File: cognito/latest/developerguide/user-pool-lambda-pre-authentication.md

Summary

Updated trigger activation conditions related to PreventUserExistenceErrors, simplified section titles, clarified response handling

Security assessment

Clarifies operational behavior of authentication triggers but doesn't address security vulnerabilities or add security-specific documentation

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-pre-authentication.md b/cognito/latest/developerguide/user-pool-lambda-pre-authentication.md
index 2107c86c5..522c7fe18 100644
--- a//cognito/latest/developerguide/user-pool-lambda-pre-authentication.md
+++ b//cognito/latest/developerguide/user-pool-lambda-pre-authentication.md
@@ -5 +5 @@
-Authentication flow overviewPre authentication Lambda trigger parametersPre authentication example
+Flow overviewParametersExample: block an app client
@@ -13 +13 @@ Amazon Cognito invokes this trigger when a user attempts to sign in so that you
-This Lambda trigger doesn't activate when a user doesn't exist, or already has an existing session in your user pool. If the `PreventUserExistenceErrors` setting of a user pool app client is set to `ENABLED`, then the Lambda trigger will activate.
+This Lambda trigger doesn't activate when a user doesn't exist unless the `PreventUserExistenceErrors` setting of a user pool app client is set to `ENABLED`. Renewal of an existing authentication session also doesn't activate this trigger.
@@ -17 +17 @@ This Lambda trigger doesn't activate when a user doesn't exist, or already has a
-  * Authentication flow overview
+  * Flow overview
@@ -26 +26 @@ This Lambda trigger doesn't activate when a user doesn't exist, or already has a
-## Authentication flow overview
+## Flow overview
@@ -76 +76 @@ One or more key-value pairs that contain the validation data in the user's sign-
-Amazon Cognito does not expect any additional return information in the response. Your function can return an error to reject the sign-in attempt, or use API operations to query and modify your resources.
+Amazon Cognito doesn't process any added information that your function returns in the response. Your function can return an error to reject the sign-in attempt, or use API operations to query and modify your resources.
@@ -129 +129 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Post confirmation Lambda trigger
+Post confirmation
@@ -131 +131 @@ Post confirmation Lambda trigger
-Post authentication Lambda trigger
+Post authentication