SMS message settings for Amazon Cognito user pools
Some Amazon Cognito events for your user pool might cause Amazon Cognito to send SMS text messages to your users. For example, if you configure your user pool to require phone verification, Amazon Cognito sends an SMS text message when a user signs up for a new account in your app or resets their password. Depending on the action that initiates the SMS text message, the message contains a verification code, a temporary password, or a welcome message.
Amazon Cognito uses Amazon Simple Notification Service (Amazon SNS) for delivery of SMS text messages. Amazon SNS in turn hands off SMS messages to AWS End User Messaging SMS. If you are sending a text message through Amazon Cognito for the first time, AWS End User Messaging SMS places you in a sandbox environment. In the sandbox environment, you can test your applications for SMS text messages. In the sandbox, you can only simulate the sending of messages.
Note
In November 2024, AWS replaced Amazon SNS SMS messaging with AWS End User Messaging SMS. Currently, the Amazon Cognito console refers to Amazon SNS resources. User pools initiate SMS messages with the Amazon SNS Publish operation, which is a pass-through to AWS End User Messaging SMS. Accordingly, you must still configure permissions for sns:Publish, not sms-voice:SendTextMessage.
AWS End User Messaging SMS charges for SMS text messages. For more information, see AWS End User Messaging SMS pricing.
Amazon Cognito sends SMS messages to your users with a code that they can enter. The following table shows the events that can generate an SMS message.
Message options
Activity | API operation | Delivery options | Format options | Customizable | Message template |
---|---|---|---|---|---|
Forgot password | ForgotPassword, AdminResetUserPassword | Email, SMS | code | Yes | Verification message |
Invitation | AdminCreateUser | Email, SMS | code | Yes | Invitation message |
Self-registration | SignUp, ResendConfirmationCode | Email, SMS | code, link | Yes | Verification message |
Email address or phone number verification | UpdateUserAttributes, AdminUpdateUserAttributes, GetUserAttributeVerificationCode | Email, SMS | code | Yes | Verification message |
Multi-factor authentication (MFA) | AdminInitiateAuth, InitiateAuth | Email¹, SMS, authenticator app | code | Yes² | MFA message |
One-time password authentication (OTP) | AdminInitiateAuth, InitiateAuth | Email¹, SMS | code | Yes | MFA message³ |
¹ Requires Essentials feature plan or higher and Amazon SES email configuration.
² For SMS and email messages.
³ You can only customize the MFA message template when MFA is required or optional in your user pool. When MFA is inactive, Amazon Cognito sends one-time passwords with the default template.
AWS End User Messaging SMS charges for SMS messages. For more information, see AWS End User Messaging SMS pricing.
To learn more about MFA, see SMS and email message MFA.
Amazon Cognito might prevent delivery of additional email or SMS messages to a single destination in a short time period. If you believe your user pool is affected, configure and review logs for message delivery errors and then contact your account team.
Best practices
Because of the volume of unsolicited SMS traffic worldwide, some governments impose barriers between the senders and recipients of SMS messages. When you use SMS messages for MFA and user updates, you must take additional steps to ensure that your messages are delivered. You must also monitor SMS-message-related regulations in countries where your users might live and keep your SMS message configuration current. For more information, see SMS and MMS country capabilities and limitations in the AWS End User Messaging SMS User Guide.
The use of SMS messages to authenticate and verify users isn't a security best practice. Phone numbers can change owners, and might not reliably represent a "something you have" factor of MFA for your users. Instead, implement TOTP MFA in your app or with your third-party IdP. You can also create additional custom authentication factors with Custom authentication challenge Lambda triggers.
Review the following links for information about securing your SMS message delivery architecture.
Setting up SMS messaging for the first time in Amazon Cognito user pools
Amazon Cognito uses Amazon SNS, and indirectly AWS End User Messaging SMS, to send SMS messages from your user pools. You can also use a Custom SMS sender Lambda trigger to use your own resources to send SMS messages. The first time that you set up SMS text messages in a particular AWS Region, AWS End User Messaging SMS places your AWS account in the SMS sandbox for that Region. AWS End User Messaging SMS uses the sandbox to prevent fraud and abuse and to meet compliance requirements. When your AWS account is in the sandbox, AWS End User Messaging SMS imposes some restrictions. For example, you can send text messages to a maximum of 10 verified destination numbers if you have an origination identity, or you can simulate sending messages without an origination identity. While your AWS account remains in the sandbox, do not send SMS messages in production. When you're in the sandbox, Amazon Cognito can't send messages to your users' phone numbers.
Prepare an IAM role that Amazon Cognito can use to send SMS messages with AWS End User Messaging SMS
When you send an SMS message from your user pool, Amazon Cognito assumes an IAM role in your account. Amazon Cognito uses the sns:Publish permission assigned to that role to send SMS messages to your users. In the Amazon Cognito console, you can set an IAM role selection from the Authentication methods menu of your user pool, under SMS, or make this selection during the user pool creation wizard.
The following example IAM role trust policy grants Amazon Cognito user pools a limited ability to assume the role. Amazon Cognito can only assume the role when it meets the following conditions:
- The assume-role operation is on behalf of the user pool in the aws:SourceArn condition.
- The assume-role operation is on behalf of a user pool in the AWS account set by the aws:SourceAccount condition.
- The assume-role operation includes the external ID in the sts:externalId condition.
You can specify an exact user pool ARN or a wildcard ARN in the value of the aws:SourceArn condition. Look up the ARNs of your user pools in the AWS Management Console or with a DescribeUserPool API request.
To send SMS messages for multi-factor authentication, your IAM role trust policy must have an sts:ExternalId condition. The value of this condition must match the ExternalId property of the SmsConfiguration of your user pool. When you create an IAM role during the process of user pool creation in the Amazon Cognito console, Amazon Cognito configures the external ID for you in the role and in the user pool settings. This isn't true when you use an existing IAM role.
You must update the user pool ExternalId parameter in an UpdateUserPool API request and update the IAM role trust policy with an sts:externalId condition with the same value. To learn how to use the API to update a user pool in a way that preserves the original configuration, see Updating user pool and app client configuration.
For more information about IAM roles and trust policies, see Roles terms and concepts in the AWS Identity and Access Management User Guide.
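As an added example (not code from the AWS documentation), the following Python builds the trust policy with the three conditions described above, the sns:Publish permissions policy, and the SmsConfiguration value you pass to UpdateUserPool, then checks offline that the user pool's ExternalId matches the trust policy and that only the intended user pool ARN and account would satisfy the conditions. The account ID, user pool ARN, role ARN and external ID are constructed sample values, and the condition evaluation is a simplified model of how STS applies StringEquals and ArnLike.

```python
import fnmatch

# Constructed sample values, not from the page; replace with your own.
ACCOUNT_ID = "111122223333"
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
EXTERNAL_ID = "example-external-id-1234"


def build_trust_policy(user_pool_arn, account_id, external_id):
    """Trust policy: only this user pool, in this account, presenting this external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cognito-idp.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id, "sts:ExternalId": external_id},
            "ArnLike": {"aws:SourceArn": user_pool_arn},  # exact ARN or a wildcard like .../userpool/*
        },
    }]}

def build_permissions_policy():
    """Permissions policy: sns:Publish, the pass-through to AWS End User Messaging SMS."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sns:Publish", "Resource": "*"}]}

def sms_configuration(role_arn, external_id, sns_region):
    """SmsConfiguration for UpdateUserPool; its ExternalId must equal the trust policy's."""
    return {"SnsCallerArn": role_arn, "ExternalId": external_id, "SnsRegion": sns_region}

def arn_like(pattern, arn):
    """ArnLike semantics: the six colon-delimited ARN fields are matched one by one."""
    pat, parts = pattern.split(":", 5), arn.split(":", 5)
    return len(pat) == len(parts) and all(fnmatch.fnmatchcase(a, p) for a, p in zip(parts, pat))

def assume_role_allowed(trust_policy, sms_config, source_arn, source_account):
    """Would STS let a Cognito assume-role call for this pool and account through?"""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {}).get("Service")
        if stmt.get("Effect") != "Allow" or principal != "cognito-idp.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        eq, arn_pat = cond.get("StringEquals", {}), cond.get("ArnLike", {}).get("aws:SourceArn")
        # A condition key that is absent does not restrict; one that is present must match.
        account_ok = "aws:SourceAccount" not in eq or eq["aws:SourceAccount"] == source_account
        ext_ok = "sts:ExternalId" not in eq or eq["sts:ExternalId"] == sms_config["ExternalId"]
        arn_ok = arn_pat is None or arn_like(arn_pat, source_arn)
        if account_ok and ext_ok and arn_ok:
            return True
    return False
```

Apply the documents with the IAM CreateRole (AssumeRolePolicyDocument) and Cognito UpdateUserPool (SmsConfiguration) APIs; the offline check is the kind of drift test to keep in CI so the role and the user pool never disagree on the external ID.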
Choose the AWS Region for SMS messages
In some AWS Regions, you can choose the Region that contains the Amazon SNS resources that you want to use for Amazon Cognito SMS messages. In any AWS Region where Amazon Cognito is available, except for Asia Pacific (Seoul), you can use Amazon SNS resources in the AWS Region where you created your user pool. To make your SMS messaging faster and more reliable when you have a choice of Regions, use Amazon SNS resources in the same Region as your user pool.
Choose a Region for SMS resources in the Configure message delivery step of the new user pool wizard. You can also choose Edit under SMS in the Authentication methods menu of an existing user pool.
At launch, for some AWS Regions, Amazon Cognito sent SMS messages with Amazon SNS resources in an alternate Region. To set your preferred Region, use the SnsRegion parameter of the SmsConfigurationType object for your user pool. When you programmatically create an Amazon Cognito user pools resource in an Amazon Cognito Region from the following table and you do not provide an SnsRegion parameter, your user pool can send SMS messages with Amazon SNS resources in a legacy Amazon SNS Region.
Amazon Cognito user pools in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region.
Amazon SNS (via AWS End User Messaging SMS) sets the spending quota for all new accounts at $1.00 (USD) per month. You might have increased your spend limit in an AWS Region that you use with Amazon Cognito. Before you change the AWS Region for Amazon SNS SMS messages, open a quota increase case in the AWS Support Center to increase your limit in the new Region. For more information, see Moving from the AWS End User Messaging SMS MMS and Voice sandbox to production in the AWS End User Messaging SMS User Guide.
You can send SMS messages for any Amazon Cognito Region in the following table with Amazon SNS resources in the corresponding Amazon SNS Region.
Amazon Cognito Region | Amazon SNS Region |
---|---|
US East (Ohio) | US East (Ohio), US East (N. Virginia) |
US East (N. Virginia) | US East (N. Virginia) |
US West (N. California) | US West (N. California) |
US West (Oregon) | US West (Oregon) |
Canada (Central) | Canada (Central), US East (N. Virginia) |
Canada West (Calgary) | Canada West (Calgary) |
Europe (Frankfurt) | Europe (Frankfurt), Europe (Ireland) |
Europe (London) | Europe (London), Europe (Ireland) |
Europe (Ireland) | Europe (Ireland) |
Europe (Paris) | Europe (Paris) |
Europe (Stockholm) | Europe (Stockholm) |
Europe (Milan) | Europe (Milan) |
Europe (Spain) | Europe (Spain) |
Europe (Zurich) | Europe (Zurich) |
Asia Pacific (Malaysia) | Asia Pacific (Singapore) |
Asia Pacific (Mumbai) | Asia Pacific (Mumbai), Asia Pacific (Singapore) |
Asia Pacific (Hyderabad) | Asia Pacific (Hyderabad) |
Asia Pacific (Hong Kong) | Asia Pacific (Singapore) |
Asia Pacific (Seoul) | Asia Pacific (Tokyo) |
Asia Pacific (Singapore) | Asia Pacific (Singapore) |
Asia Pacific (Sydney) | Asia Pacific (Sydney) |
Asia Pacific (Tokyo) | Asia Pacific (Tokyo) |
Asia Pacific (Jakarta) | Asia Pacific (Jakarta) |
Asia Pacific (Osaka) | Asia Pacific (Osaka) |
Asia Pacific (Melbourne) | Asia Pacific (Melbourne) |
Middle East (Bahrain) | Middle East (Bahrain) |
Middle East (UAE) | Middle East (UAE) |
South America (São Paulo) | South America (São Paulo) |
Israel (Tel Aviv) | Israel (Tel Aviv) |
Africa (Cape Town) | Africa (Cape Town) |
Obtain an origination identity to send SMS messages to US phone numbers
If you plan to send SMS text messages to US phone numbers, you must obtain an origination identity, regardless of whether you build an SMS sandbox testing environment, or a production environment.
US carriers require an origination identity to send messages to US phone numbers. If you don't already have an origination identity, you must get one. To learn how to obtain an origination identity, see Request a phone number in the AWS End User Messaging SMS User Guide.
When you have more than one origination identity in the same AWS Region, AWS End User Messaging SMS chooses an origination identity type in the following order of priority: short code, 10DLC, toll-free number. You can't change this priority. For more information, see AWS End User Messaging SMS FAQs.
Confirm that you are in the SMS sandbox
Use the following procedure to confirm that you are in the SMS sandbox. Repeat for each AWS Region where you have production Amazon Cognito user pools.
To confirm that you are in the SMS sandbox
1. Go to the Amazon Cognito console. If prompted, enter your AWS credentials.
2. Choose User Pools.
3. Choose an existing user pool from the list.
4. Choose the Authentication methods menu.
5. In the SMS configuration section, expand Move to Amazon SNS production environment. If your account is in the SMS sandbox, you will see the following message:
   Configure AWS service dependencies to complete your SMS message setup
   If you don't see this message, then someone has set up SMS messages in your account already. Skip to Complete user pool setup in Amazon Cognito.
6. Choose the Amazon SNS link under Move to Amazon SNS production environment. This opens the Amazon SNS console in a new tab.
7. Verify that you are in the sandbox environment. The console message indicates your sandbox status and AWS Region, as follows:
   This account is in the SMS sandbox in US East (N. Virginia).
Move your account out of the sandbox
To use your app in production, move your account out of the SMS sandbox and into production. After you have configured an origination identity in the AWS Region that contains the AWS End User Messaging SMS resources that you want Amazon Cognito to use, you can verify US phone numbers while your AWS account remains in the SMS sandbox. When your environment is in production, you don't have to verify user phone numbers before you send SMS messages to them.
You can create a request to exit the sandbox from either the AWS End User Messaging SMS console or the Amazon SNS console. For detailed instructions, see Moving from the SMS Sandbox in the AWS End User Messaging SMS User Guide.
Use simulator numbers or verified phone numbers with AWS End User Messaging SMS
If you have moved your account out of the SMS sandbox, skip this step.
If you're in the sandbox but you have set up an origination number, you can send messages to verified destination numbers. To set up verified destinations, see Add a verified destination phone number in the AWS End User Messaging SMS User Guide.
You can also send messages with simulated senders and destinations. Simulator messages produce logs but don't get sent out over the carrier network. From the Shortcuts menu
Complete user pool setup in Amazon Cognito
Return to the browser tab where you were creating or editing your user pool. Complete the procedure. When you have successfully added SMS configuration to your user pool, Amazon Cognito sends a test message to an internal phone number to verify that your configuration works. Amazon SNS charges for each test SMS message.