AWS cognito medium security documentation change
Summary
Updated Lambda function code example with modern ES modules, added deployment steps, improved error handling, and sensitive data masking in logs
Security assessment
Added phone number and code masking in logs prevents sensitive data exposure. The change from 'KEY_ALIAS' to 'KEY_ID' clarifies proper KMS key reference. Error handling improvements help prevent uncaught exceptions. These changes address security best practices for handling PII and cryptographic operations.
Diff
diff --git a/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md b/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md index 82bb01d2f..b613a32d5 100644 --- a//cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md +++ b//cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.md @@ -192,0 +193 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an +###### To deploy this function @@ -194,6 +195,28 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - const AWS = require('aws-sdk'); - const b64 = require('base64-js'); - const encryptionSdk = require('@aws-crypto/client-node'); - //Configure the encryption SDK client with the KMS key from the environment variables. - const { encrypt, decrypt } = encryptionSdk.buildClient(encryptionSdk.CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT); - const generatorKeyId = process.env.KEY_ALIAS; + 1. Install the latest version of NodeJS in your developer workspace. + + 2. Create a new NodeJS project in your workspace. + + 3. Initialize your project with `npm init -y`. + + 4. Create the script for the Lambda function: `touch index.mjs`. + + 5. Paste the contents of the below example into `index.mjs`. + + 6. Download the project dependency, AWS Encryption SDK: `npm install @aws-crypto/client-node`. + + 7. Zip the project directory into a file: `zip -r my_deployment_package.zip .`. + + 8. [Deploy the ZIP file to your function](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-package.html). + + + + + + import { KmsKeyringNode, buildClient, CommitmentPolicy } from '@aws-crypto/client-node'; + + // Configure the encryption SDK client with the KMS key from the environment variables + const { encrypt, decrypt } = buildClient( + CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT + ); + + const generatorKeyId = process.env.KEY_ID; @@ -201,3 +224,19 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - const keyring = new encryptionSdk.KmsKeyringNode({ generatorKeyId, keyIds }) - exports.handler = async (event) => { - //Decrypt the secret code using encryption SDK. + const keyring = new KmsKeyringNode({ generatorKeyId, keyIds }); + + // Example function to simulate sending SMS. + // This example logs message details to CloudWatch Logs from your Lambda function. + // Update this function with custom logic that sends an SMS message to 'phoneNumber' with body 'message'. + const sendSMS = async (phoneNumber, message) => { + // Log the destination with the phone number masked. + console.log(`Simulating SMS send to ${phoneNumber.replace(/[^+]/g, '*')}`); + // Log the message with the code masked. + console.log(`Message content: ${message.replace(/\b\d{6,8}\b/g, '********')}`); + // Simulate API delay + await new Promise(resolve => setTimeout(resolve, 100)); + console.log('SMS sent successfully'); + return true; + }; + + export const handler = async (event) => { + try { + // Decrypt the secret code using encryption SDK @@ -206,2 +245,2 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - const { plaintext, messageHeader } = await decrypt(keyring, b64.toByteArray(event.request.code)); - plainTextCode = plaintext + const { plaintext, messageHeader } = await decrypt(keyring, Buffer.from(event.request.code, 'base64')); + plainTextCode = Buffer.from(plaintext).toString('utf-8'); @@ -209 +248,2 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //PlainTextCode now contains the decrypted secret. + + // Handle different trigger sources @@ -211,2 +251,3 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an - //Send an SMS message to your user via a custom provider. - //Include the temporary password in the message. + const phoneNumber = event.request.userAttributes.phone_number; + const message = `Welcome! Your verification code is: ${plainTextCode}`; + await sendSMS(phoneNumber, message); @@ -214,0 +256 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an + // Handle resend code @@ -216,0 +259 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an + // Handle forgot password @@ -218,0 +262 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an + // Handle update attribute @@ -220,0 +265 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an + // Handle verify attribute @@ -222,0 +268,4 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an + // Handle admin create user + } + else if (event.triggerSource == 'CustomSMSSender_AccountTakeOverNotification') { + // Handle account takeover notification @@ -224,0 +275,4 @@ The Amazon Resource Name (ARN) of the KMS key that you want to use to encrypt an + } catch (error) { + console.error('Error in custom SMS sender:', error); + throw error; + }