AWS cognito medium security documentation change
Summary
Updated Lambda function example with improved security practices: added email/code masking in logs, modernized encryption SDK usage, and detailed deployment instructions
Security assessment
The change introduces sensitive data masking in logs (email addresses and codes) which directly prevents credential leakage. It also removes a third-party base64 library in favor of native Buffer methods, reducing supply chain risks. However, there's no explicit mention of fixing a specific vulnerability.
Diff
diff --git a/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md b/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md index 4f0495ba6..bcc626cdc 100644 --- a//cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md +++ b//cognito/latest/developerguide/user-pool-lambda-custom-email-sender.md @@ -208,0 +209 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an +###### To deploy this function @@ -210,6 +211,30 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - const AWS = require('aws-sdk'); - const b64 = require('base64-js'); - const encryptionSdk = require('@aws-crypto/client-node'); - //Configure the encryption SDK client with the KMS key from the environment variables. - const { encrypt, decrypt } = encryptionSdk.buildClient(encryptionSdk.CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT); - const generatorKeyId = process.env.KEY_ALIAS; + 1. Install the latest version of NodeJS in your developer workspace. + + 2. Create a new NodeJS project in your workspace. + + 3. Initialize your project with `npm init -y`. + + 4. Create the script for the Lambda function: `touch index.mjs`. + + 5. Paste the contents of the below example into `index.mjs`. + + 6. Download the project dependency, AWS Encryption SDK: `npm install @aws-crypto/client-node`. + + 7. Zip the project directory into a file: `zip -r my_deployment_package.zip .`. + + 8. [Deploy the ZIP file to your function](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-package.html). + + + + +This example function decrypts the code and, for sign-up events, simulates sending an email message to the user's email address. + + + import { KmsKeyringNode, buildClient, CommitmentPolicy } from '@aws-crypto/client-node'; + + // Configure the encryption SDK client with the KMS key from the environment variables + const { encrypt, decrypt } = buildClient( + CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT + ); + + const generatorKeyId = process.env.KEY_ID; @@ -217,3 +242,19 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - const keyring = new encryptionSdk.KmsKeyringNode({ generatorKeyId, keyIds }) - exports.handler = async (event) => { - //Decrypt the secret code using encryption SDK. + const keyring = new KmsKeyringNode({ generatorKeyId, keyIds }); + + // Example function to simulate sending email. + // This example logs message details to CloudWatch Logs from your Lambda function. + // Update this function with custom logic that sends an email message to 'emailaddress' with body 'message'. + const sendEmail = async (emailAddress, message) => { + // Log the destination with the email address masked. + console.log(`Simulating email send to ${emailAddress.replace(/[^@.]/g, '*')}`); + // Log the message with the code masked. + console.log(`Message content: ${message.replace(/\b\d{6,8}\b/g, '********')}`); + // Simulate API delay + await new Promise(resolve => setTimeout(resolve, 100)); + console.log('Email sent successfully'); + return true; + }; + + export const handler = async (event) => { + try { + // Decrypt the secret code using encryption SDK @@ -222,2 +263,2 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - const { plaintext, messageHeader } = await decrypt(keyring, b64.toByteArray(event.request.code)); - plainTextCode = plaintext + const { plaintext, messageHeader } = await decrypt(keyring, Buffer.from(event.request.code, 'base64')); + plainTextCode = Buffer.from(plaintext).toString('utf-8'); @@ -225 +266,2 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //PlainTextCode now contains the decrypted secret. + + // Handle different trigger sources @@ -227,5 +269,3 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send an email message to your user via a custom provider. - //Include the temporary password in the message. - } - else if(event.triggerSource == 'CustomEmailSender_Authentication'){ - //Send an MFA message. + const emailAddress = event.request.userAttributes.email; + const message = `Welcome! Your verification code is: ${plainTextCode}`; + await sendEmail(emailAddress, message); @@ -234 +274 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send a message with next steps for password reset. + // Handle resend code @@ -237 +277 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send a message with next steps for password reset. + // Handle forgot password @@ -240 +280 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send a message with next steps for confirming the new attribute. + // Handle update attribute @@ -243 +283 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send a message with next steps for confirming the new attribute. + // Handle verify attribute @@ -246 +286,4 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send a message with next steps for signing in with a new user profile. + // Handle admin create user + } + else if (event.triggerSource == 'CustomEmailSender_Authentication') { + // Handle authentication @@ -249 +292 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send a message describing the threat protection event and next steps. + // Handle account takeover notification @@ -251,0 +296,4 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an + } catch (error) { + console.error('Error in custom email sender:', error); + throw error; + }