Reputation: 1248
I've created a lambda to check for custom logic before signing up a new Cognito user. In creating the IAM Policy for this lambda, what is the correct "Action" and "Resource" I should use here?
I'm following this guide: https://medium.com/@earlg3/using-lambda-aws-cognito-triggers-to-only-allow-auto-verification-to-specific-domain-db2efea79c44
Lambda
```javascript
exports.handler = function(event, context) {
    // Configure the email domain that will be allowed to automatically verify.
    var approvedDomain = "approveddomain.com";
    // Log the event information for debugging purposes.
    console.log('Received event:', JSON.stringify(event, null, 2));
    if (event.request.userAttributes.email.includes('@' + approvedDomain)) {
        console.log("This is an approved email address. Proceeding to send verification email.");
        event.response.emailSubject = "Signup Verification Code";
        event.response.emailMessage = "Thank you for signing up. " + event.request.codeParameter + " is your verification code.";
        context.done(null, event);
    } else {
        console.log("This is not an approved email address. Throwing error.");
        var error = new Error('EMAIL_DOMAIN_ERR');
        context.done(error, event);
    }
};
```
My best guess so far:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaSignUp",
            "Effect": "Allow",
            "Action": [
                "cognito-sync:*",
                "cognito-idp:*"
            ],
            "Resource": "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID"
        }
    ]
}
```
Upvotes: 3
Views: 3174
Reputation: 1248
Figured it out - turns out there are no special IAM policies needed, since you'd point to this lambda from Cognito's AWS Console.
That's it!
Note on the lambda above: if you want to test it, make sure you include the `request` and `userAttributes` keys in the test event:
```json
{
    "request": {
        "userAttributes": {
            "email": "[email protected]"
        }
    },
    "response": {}
}
```
Upvotes: 3
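The domain test in the question's handler is a substring match, so any address whose local part or domain merely contains `@approveddomain.com` (for example `x@approveddomain.com.example.net`) would be treated as approved. The following is an added example, not the asker's code or anything from the linked guide: it compares the full domain after the last `@` against an allow list and uses the async handler form, where returning the event is equivalent to `context.done(null, event)`; the domain value and the sample event are assumed/constructed.

```javascript
// Added example: exact-domain allow list for a Cognito Lambda trigger.
// Assumed approved domain (same placeholder value as in the question).
const APPROVED_DOMAINS = new Set(["approveddomain.com"]);

// Returns the lower-cased domain after the last '@', or null when the
// value is not a string or has no usable local part / domain.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// Exact match against the allow list, so "approveddomain.com.example.net"
// and "sub.approveddomain.com" are both rejected.
function isApprovedEmail(email, approved = APPROVED_DOMAINS) {
  const domain = emailDomain(email);
  return domain !== null && approved.has(domain);
}

// Async handler: a thrown error fails the trigger (like context.done(err)),
// a returned event continues the flow (like context.done(null, event)).
async function handler(event) {
  const attrs = event && event.request ? event.request.userAttributes : undefined;
  const email = attrs ? attrs.email : undefined;
  if (!isApprovedEmail(email)) {
    throw new Error("EMAIL_DOMAIN_ERR");
  }
  return event;
}
exports.handler = handler;

// Constructed test event with the same shape as the one in the answer.
const sampleEvent = {
  request: { userAttributes: { email: "user@approveddomain.com" } },
  response: {},
};
```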