Using Lambda + AWS Cognito Triggers to Only Allow Auto-Verification to Specific Domain

Earl Gay
Earl Gay
Aug 23, 2017 · 3 min read

If you are using AWS Cognito for your authentication source for your site, it can be easily configured to require verification of emails which can then automatically confirm users as they sign up. This makes the process very simple to allow users to sign up on their own, verify their email address, and get to using your application.

Enabling Email Verification within Cognito

If you need to add some logic into that workflow, Cognito provides “Triggers.” These triggers can occur at various stages of the process, and they execute Lambda functions to provide the customization. An example in the official documentation is blocking authentication based on a particular Client ID, but there are lots of options and it puts the power in your hands.

The challenge with the original automatic verification process is that it allows anyone at all to sign up, verify, and use the application. In my use case, I wanted to make it so only users with a specific email address domain (e.g. could do everything automatically. If the user came from an unapproved domain, I still wanted them to be able to sign up, but I wanted it to require manual verification for an override.

The Lambda Triggers within Cognito let me do this, but I couldn’t find an easily Google-able example online of doing this. After some tinkering, I came to the following simple solution:

  1. Create a Lambda Function (e.g. cogEmailDomainVerify)
exports.handler = function(event, context) {

// Configure the email domain that will be allowed to automatically verify.
var approvedDomain = "";

// Log the event information for debugging purposes.
console.log('Received event:', JSON.stringify(event, null, 2));
if ('@' + approvedDomain)) {
console.log ("This is an approved email address. Proceeding to send verification email.");
event.response.emailSubject = "Signup Verification Code";
event.response.emailMessage = "Thank you for signing up. " + event.request.codeParameter + " is your verification code.";
context.done(null, event);
} else {
console.log ("This is not an approved email address. Throwing error.");
var error = new Error('EMAIL_DOMAIN_ERR');
context.done(error, event);

2. Within Cognito, under Triggers -> Custom Message, choose the Lambda function. (The above code could be modified and the trigger could be performed at a different stage if alternative (i.e. more restrictive) behavior was required.)

Selecting the Lambda function as a Custom Message Trigger

3. (Optional) Modify your code to check for an “EMAIL_DOMAIN_ERR” message and handle it accordingly.

var onFailure = function registerFailure(err) {
if (err.message.includes("EMAIL_DOMAIN_ERR")) {
alert("This email address is not within the approved list. Please contact an Administrator for manual verfication.");
window.location.href = signinUrl;
} else {

After making those quick changes, you should now be able to sign up, verify, and start using the application automatically if using an; however, any other email address will require manual verification before they can actually start using the application.

First user is not within the approved domain and required manual verification. Second user is within approved domain and was able to verify automatically.

In order to do manual verification, that can be done by logging into Cognito, selecting the user, and selecting “Confirm user”.

Confirming a User within Cognito Manually

The process is very simple, and shows another way Lambda provides powerful capabilities and integrates well into other AWS services.

More Details:

Earl Gay

Written by

Earl Gay

Practice Manager, @roundtowertech | Mobility, Cloud, and Random Technology | Posts are mine and don’t represent my company.