AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-23 · Documentation low

File: cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md

Summary

Updated trigger event documentation for token generation and refresh scenarios

Security assessment

The change clarifies that the Pre token generation trigger now applies to both authentication and token refresh operations, improving documentation around security-sensitive token management processes. This enhances understanding of security controls but does not fix a vulnerability.

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md b/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md
index 6d90b074e..07613243a 100644
--- a//cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md
+++ b//cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md
@@ -290,0 +291 @@ Custom SMS sender |  `CustomSMSSender_VerifyUserAttribute`
+[GetTokensFromRefreshToken](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetTokensFromRefreshToken.html) | Pre token generation |  `TokenGeneration_Authentication`  
@@ -361 +362 @@ Pre token generation | `TokenGeneration_HostedAuth` |  Amazon Cognito authentica
-Pre token generation | `TokenGeneration_Authentication` | User authentication flows complete.  
+Pre token generation | `TokenGeneration_Authentication` | User authentication or token refresh complete.