If a lambda trigger is set up via the SDK (or for instance, via Terraform), then when the lambda attempts to trigger, you'll see something like "postconfirmation invocation failed due to error accessdeniedexception". If you navigate to the AWS Console, you will see the lambda correctly selected, however.
The fix is to change it to None in AWS Console, save changes, then change it back to the lambda you want, and save changes again.
This has been a bug for several years and it doesn't appear to have been reported. I first saw it mentioned online in 2016, and discovered it myself today while terraforming a Cognito user pool.
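Added example, not part of the original post: selecting a trigger in the console also adds a resource-based policy statement to the function that lets Cognito invoke it, while an SDK or Terraform setup only gets that statement if it is declared explicitly. The resource names, the pool name and the `post_confirmation_lambda_arn` variable below are assumptions for illustration.

```hcl
# ARN of an existing Lambda function to run after sign-up confirmation
# (assumed to be created elsewhere and passed in).
variable "post_confirmation_lambda_arn" {
  type = string
}

resource "aws_cognito_user_pool" "example" {
  name = "example-pool" # constructed name

  lambda_config {
    post_confirmation = var.post_confirmation_lambda_arn
  }
}

# Resource-based permission on the function. Without it, the trigger is
# shown as selected in the console but invocation fails with
# AccessDeniedException.
resource "aws_lambda_permission" "allow_cognito" {
  statement_id  = "AllowCognitoPostConfirmation"
  action        = "lambda:InvokeFunction"
  function_name = var.post_confirmation_lambda_arn
  principal     = "cognito-idp.amazonaws.com"

  # Scope the grant to this one user pool rather than to every pool
  # in every account that can reach the Cognito service principal.
  source_arn = aws_cognito_user_pool.example.arn
}
```

After applying, `aws lambda get-policy --function-name <function>` shows whether the statement is present on the function.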