AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-08-28 · Documentation low

File: cognito/latest/developerguide/user-pool-lambda-pre-sign-up.md

Summary

Added clarification about userAttributes availability in pre-sign-up Lambda trigger

Security assessment

The change provides additional documentation clarity about attribute availability but doesn't introduce or modify security controls. It helps developers understand data flow without addressing vulnerabilities.

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.md b/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.md
index e25478049..7cc62b62a 100644
--- a//cognito/latest/developerguide/user-pool-lambda-pre-sign-up.md
+++ b//cognito/latest/developerguide/user-pool-lambda-pre-sign-up.md
@@ -11 +11 @@ You might want to customize the sign-up process in user pools that have self-ser
-Immediately before Amazon Cognito completes creation of a new [local](./cognito-terms.html#terms-localuser) or [federated](./cognito-terms.html#terms-federateduser) user, it activates the pre sign-up Lambda function. Your user pool invokes this trigger on self-service sign-up with [SignUp](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html) or first sign-in with a trusted [identity provider](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-federated), and on user creation with [AdminCreateUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html). As part of the sign-up process, you can use this function to analyze the sign-in event with custom logic, and modify or deny the new user.
+Immediately before Amazon Cognito completes creation of a new [local](./cognito-terms.html#terms-localuser) or [federated](./cognito-terms.html#terms-federateduser) user, it activates the pre sign-up Lambda function. The `userAttributes` in the request object sent to this function contain attributes that have been provided by local user sign-up or that have successfully been mapped from provider attributes for a federated user. Your user pool invokes this trigger on self-service sign-up with [SignUp](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html) or first sign-in with a trusted [identity provider](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-federated), and on user creation with [AdminCreateUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html). As part of the sign-up process, you can use this function to analyze the sign-in event with custom logic, and modify or deny the new user.