16
votes

AWS Cognito User Pools have some pre-defined events to handle user signup, confirmation etc. The full list is here.

However, there is no apparent trigger for deleting a user.

So, is there any way one can trigger a Lambda function when a user is deleted from a Cognito User Pool (of course, with arguments like username and/or email address)?

1
I do not have an out-of-the-box solution in mind. As a workaround, can you update your application code to trigger a Lambda function whenever the application invokes the "DeleteUser"[1] or "AdminDeleteUser"[2] APIs? [1] docs.aws.amazon.com/cognito-user-identity-pools/latest/… , [2] docs.aws.amazon.com/cognito-user-identity-pools/latest/… – Denis Weerasiri
Well, for my use case I do not call Lambda functions from my code. If I had to do that, I would also require an API Gateway etc. just for a single case which is not so frequent. I appreciate your suggestion, but it's far too costly and spaghetti for me now. – vahdet
Tried digging through CloudTrail to see if these events could be used as CloudWatch Event triggers. Unfortunately, it doesn't seem that DeleteUser or AdminDeleteUser events are sent to CloudTrail: docs.aws.amazon.com/cognito/latest/developerguide/… However, if your app is logging to CloudWatch, you might be able to insert your own events for triggering. – ashtonium

1 Answer

5
votes

If you are using "Amazon Cognito Sync":

Amazon Cognito raises the Sync Trigger event when a dataset is synchronized. You can use the Sync Trigger event to take an action when a user is updated or deleted. Please have a look at the official document below for more information and steps.

Ref: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-events.html

Records updated by the app user will have the 'op' field set as “replace” and the records deleted will have 'op' field as "remove".

According to the point above in the referenced documentation, the op field can help you identify the operation. So if the value of op is "removed", you can perform the actions your business logic requires.

If you are not using "Amazon Cognito Sync":

  1. Create user records in a DynamoDB table "user" using the Post Confirmation Lambda trigger.
  2. Build your own user listing based on the DynamoDB table "user".
  3. Build your own user delete API using a Lambda function and AWS API Gateway.
  4. Your Lambda function should handle deleting the user from Cognito and also the business logic that you want to perform.
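The following is an added example, not code from the answer above or from AWS, showing Lambda handlers for both routes the answer describes: a Sync Trigger handler that picks out records whose op field is "remove" (the value the documentation quoted in the answer actually uses), and the Post Confirmation trigger plus self-service delete API from the second option. The event field names are restated from the Cognito documentation and should be treated as assumptions, the "user" table key, the `DELETE /me` route and the `on_remove` hook are hypothetical, and the AWS clients are passed in as parameters and replaced by constructed fakes so the code runs offline. The security point it adds is that the delete API takes the username from the claims API Gateway's Cognito authorizer verified, never from the request, and revokes the Cognito account before touching application data.

```python
"""Lambda handlers for the two options in the answer (added example).

Event shapes are assumptions restated from the Cognito docs; boto3 clients
are injected so the handlers can be exercised with the fakes at the bottom.
"""
import json


# ---- Option A: Cognito Sync "Sync Trigger" -------------------------------

def removed_records(event):
    """Keys of the dataset records the app user deleted in this sync.

    Assumed event shape: event["datasetRecords"] maps a record key to
    {"oldValue", "newValue", "op"}, with op either "replace" or "remove".
    """
    records = event.get("datasetRecords") or {}
    return sorted(key for key, rec in records.items() if rec.get("op") == "remove")


def sync_trigger_handler(event, context, on_remove=None):
    """Lambda entry point for the Sync Trigger.

    Cognito expects the (possibly modified) records back in the return value,
    and an exception here fails the user's sync, so the business hook
    (hypothetical on_remove callback) is fenced off and the event is returned
    unchanged.
    """
    removed = removed_records(event)
    if removed and on_remove is not None:
        try:
            on_remove(event.get("identityId"), event.get("datasetName"), removed)
        except Exception as exc:  # log and keep the sync alive
            print(json.dumps({"level": "error", "hook_failed": str(exc)}))
    return event


# ---- Option B: own user table + own delete API ----------------------------

def post_confirmation_handler(event, context, table):
    """Post Confirmation trigger: mirror the new user into the "user" table.

    Assumed event shape: event["userName"] and event["request"]["userAttributes"].
    The trigger must return the event, otherwise Cognito reports an error.
    """
    attrs = event.get("request", {}).get("userAttributes", {})
    table.put_item(Item={"username": event["userName"],
                         "sub": attrs.get("sub"),
                         "email": attrs.get("email")})
    return event


def _response(status, body=None):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": "" if body is None else json.dumps(body)}


def delete_user_handler(event, context, cognito, table, user_pool_id):
    """API Gateway Lambda-proxy handler for a hypothetical DELETE /me route.

    The route is assumed to sit behind a Cognito User Pools authorizer, so the
    username comes from the verified token claims API Gateway injects into
    requestContext.authorizer.claims, never from the body or path: a caller
    can only delete themselves, and unauthenticated calls are rejected before
    any AWS call is made.
    """
    claims = (event.get("requestContext") or {}).get("authorizer", {}).get("claims", {})
    username = claims.get("cognito:username")
    if not username:
        return _response(401, {"error": "unauthenticated"})

    # Revoke access first: if the table write fails afterwards the worst case
    # is a stale listing row, never a missing row for a still-live account.
    cognito.admin_delete_user(UserPoolId=user_pool_id, Username=username)

    # The business logic Cognito cannot trigger for us.
    table.delete_item(Key={"username": username})
    return _response(204)


# ---- Constructed fakes for boto3's cognito-idp client and DynamoDB Table ---

class FakeCognito:
    def __init__(self):
        self.deleted = []

    def admin_delete_user(self, UserPoolId, Username):
        self.deleted.append((UserPoolId, Username))


class FakeTable:
    def __init__(self):
        self.items = {}

    def put_item(self, Item):
        self.items[Item["username"]] = Item

    def delete_item(self, Key):
        self.items.pop(Key["username"], None)
```

Because the Sync Trigger only fires for Cognito Sync datasets, option A tells you about deleted dataset records, not about a User Pool deletion; for the User Pool case only option B gives you a hook, which is why the delete handler is the one that calls `AdminDeleteUser`.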