AWS Cognito: how to allow users to change email without verification?


I’m new to AWS and I’m looking for a way to allow the users of my Android app to change their emails without going through the verification process (I managed to do it for the subscription).

I tried to follow this and this, and here is what I did.

In my Android app:

Then, in my AWS console, I added a trigger in Cognito on Custom message, and here is my lambda function, which is triggered every time a user updates his email:

The result is: the email is properly updated (but it works without the lambda), but the lambda crashes, with the following error:

autoValidationUserEmailModification is not authorized to perform: cognito-idp:AdminUpdateUserAttributes

So it looks like an authorization is missing.

My questions are:

  • How can I fix the authorization part?
  • Is that method the right way to disable email verification on updating user email?

Thanks for your help.


Allow your function to perform AdminUpdateUserAttributes on your Cognito Pool resource.

Update Lambda execution rules with a block like:

where Resource is your Cognito User Pool ARN.
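One way to write and check the kind of policy block the answer describes, as an added example that is not part of the original post: it grants only `cognito-idp:AdminUpdateUserAttributes` on a single user pool ARN and flags wildcard grants. The ARN is a constructed placeholder, and `build_policy` and `audit` are hypothetical helper names.

```python
import json
import re

# User pool ARN: arn:<partition>:cognito-idp:<region>:<account-id>:userpool/<pool-id>
POOL_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:cognito-idp:[a-z0-9-]+:\d{12}:userpool/[a-z0-9-]+_[A-Za-z0-9]+$"
)
ACTION = "cognito-idp:AdminUpdateUserAttributes"


def build_policy(pool_arn):
    """Return an IAM policy document granting only ACTION on one user pool."""
    if not POOL_ARN_RE.match(pool_arn):
        raise ValueError(f"not a specific user pool ARN: {pool_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": [ACTION], "Resource": [pool_arn]}
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit(policy):
    """List findings for Cognito Allow statements that are broader than needed."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        cognito = [a for a in actions
                   if a == "*" or a.lower().startswith("cognito-idp:")]
        if stmt.get("Effect") != "Allow" or not cognito:
            continue  # only statements that allow Cognito actions are checked
        findings += [f"statement {i}: wildcard action {a}"
                     for a in cognito if "*" in a]
        findings += [f"statement {i}: resource not pinned to one pool: {r}"
                     for r in _as_list(stmt.get("Resource", []))
                     if not POOL_ARN_RE.match(r)]
    return findings


if __name__ == "__main__":
    # Constructed placeholder ARN; substitute your own region, account and pool id.
    arn = "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_EXAMPLE01"
    print(json.dumps(build_policy(arn), indent=2))
```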
