CloudWatch event for Cognito Identity
I have been trying to trigger a lambda function using a CloudWatch event for Cognito-Identity for any read/write event, but the problem is that the lambda function is not getting triggered for any login/logout/update-attribute event etc. I read the documentation (which is not sufficient) and had also talked to AWS Support, but didn't get any satisfactory answer, although they assured me they would get back to me after consulting peers. The Rule I created had the following main components:
Event pattern:
```json
{
  "source": [
    "aws.cognito-identity"
  ]
}
```
Status: Enabled
Targets:
- Type: Lambda function
- Resource Name: recipeDefaults
- Input: Matched event
The question I have is: when does it get triggered? What is the list of activities performed on Cognito-Identity that trigger the lambda function?
Solution 1:[1]
TL;DR: It seems your use case would require the aws.cognito-idp event source, but unfortunately Amazon Cognito User Pools does not yet support Events Delivered Via CloudTrail (note that the supported services list includes 'Cognito Identity', but not 'Cognito User Pools').
Background
I'm afraid this boils down to the utterly confusing service naming and abbreviations related to the two main Amazon Cognito components:
- Initially there were only Amazon Cognito Identity Pools - from a technical perspective this comprises a federated identity, so the resulting service key used internally and also for the AWS CLI is cognito-identity
- Meanwhile there are also Amazon Cognito User Pools - from a technical perspective this comprises an identity provider (IDP), so the resulting service key used internally and also for the AWS CLI is cognito-idp
- To make matters worse, the API reference for Amazon Cognito Federated Identities (aka Amazon Cognito Identity Pools) is hosted at a URL containing cognitoidentity, whereas the API reference for Amazon Cognito Identity Provider (aka Amazon Cognito User Pools) is hosted at a URL containing cognito-user-identity-pool
Now, you seem to be primarily interested in the Amazon Cognito User Pools API actions like AdminUpdateUserAttributes. Accordingly, your rule would need to target the aws.cognito-idp rather than the aws.cognito-identity event source, but unfortunately Amazon Cognito User Pools does not yet support Events Delivered Via CloudTrail (note that the supported services list includes 'Cognito Identity', but not 'Cognito User Pools').
Solution 2:[2]
Since @steffen-opel's answer, cognito-idp has been added as an event source to CloudTrail. It's registered under the event source cognito-idp.amazonaws.com, and all Cognito User Pool Actions are supported.
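As an added example (not code from the question or either answer), here is a Python Lambda handler together with the rule pattern that Solution 2 implies: a rule on the aws.cognito-idp source that delivers CloudTrail records from cognito-idp.amazonaws.com, a minimal EventBridge-style matcher so the filtering can be exercised offline, and a summary of the audit fields a defender would log. The account id, user pool id, caller ARN and IP address are constructed placeholders.

```python
# Constructed rule pattern: User Pools API calls recorded by CloudTrail and
# forwarded to CloudWatch Events / EventBridge. Note the source is
# aws.cognito-idp (User Pools), not aws.cognito-identity (Identity Pools).
USER_POOL_RULE_PATTERN = {
    "source": ["aws.cognito-idp"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cognito-idp.amazonaws.com"],
        "eventName": ["AdminUpdateUserAttributes", "AdminCreateUser",
                      "AdminDeleteUser", "AdminSetUserPassword"],
    },
}

def matches(pattern, event):
    """Minimal EventBridge-style matching: every pattern key must exist in the
    event; a list means 'any of these values', a nested dict recurses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def summarize(event):
    """Pull the fields worth logging from the CloudTrail record in event['detail']."""
    d = event["detail"]
    params = d.get("requestParameters", {})
    return {"action": d.get("eventName"),
            "user_pool": params.get("userPoolId"),
            "target_user": params.get("username"),
            "caller": d.get("userIdentity", {}).get("arn"),
            "source_ip": d.get("sourceIPAddress")}

def handler(event, context=None):
    """Lambda entry point: ignore events outside the pattern, else summarize."""
    return summarize(event) if matches(USER_POOL_RULE_PATTERN, event) else None

# Constructed sample event (placeholder ids) shaped like what the rule delivers.
SAMPLE_EVENT = {
    "version": "0", "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cognito-idp", "account": "123456789012", "region": "us-east-1",
    "detail": {
        "eventSource": "cognito-idp.amazonaws.com",
        "eventName": "AdminUpdateUserAttributes",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin-placeholder"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userPoolId": "us-east-1_PLACEHOLDER", "username": "alice"}}}
```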
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Steffen Opel |
| Solution 2 | Nicolas |
