Cognito Custom Email Sender Code Decryption


I am implementing a custom email sending Lambda for Cognito. When attempting to decrypt the "code" I am receiving the "Aws::KMS::Errors::InvalidCiphertextException" exception.

I have a symmetric KMS key assigned to the Lambda via the Cognito User Pool, and can successfully trigger the Lambda. I have attempted to use both "Base64.decode64" and "Base64.strict_decode64" before passing the ciphertext to the decode method.

The CloudTrail logs are showing that Cognito is using the KMS GenerateKeyPair method, and providing an encryption context:

{
  "userpool-id": "my-user-pool",
  "aws-crypto-public-key": "AULXovx/...==" 
}

I have therefore attempted to pass this "encryption_context" to the decrypt method, however the "aws-crypto-public-key" is unique to each request. The KMS documentation explains (as best I can understand) that public keys are not applicable for symmetric keys.

Questions:

  • Have I correctly understood the requirements to decode the ciphertext input?
  • If so, how can I retrieve the public-key value for the given ciphertext input?

Language: Ruby
SDK Version: 3

1 Answer
Accepted Answer

I was using the wrong library to decrypt the ciphertext. Cognito is using the Encryption SDK to encrypt the code, not KMS, therefore it requires the use of the same SDK to decrypt.

Notes:

  • The Encryption SDK, in this circumstance, is using the symmetric KMS key configured on the user pool to perform the encryption.
  • The Encryption SDK is not currently available for Ruby.
answered 2 years ago
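The accepted answer's point, that the "code" is an AWS Encryption SDK message rather than a raw KMS ciphertext, can be checked offline by reading the message header. The following is an added example, not code from the question, the answer or any AWS library, written in Python because the Encryption SDK has no Ruby release: a parser for the Encryption SDK message-format v1 header, run over a constructed sample message, showing that the "aws-crypto-public-key" context value sits in the header itself (the SDK stores the ECDSA verification key of its signing suite there) and that the KMS-wrapped data key inside the header is the only part KMS Decrypt ever opens. The key ARN, context values and body bytes are placeholders.

```python
import base64
import struct

def _u16(buf: bytes, pos: int):
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _field(buf: bytes, pos: int):
    # 16-bit big-endian length prefix followed by that many bytes
    n, pos = _u16(buf, pos)
    return buf[pos:pos + n], pos + n

def parse_esdk_v1_header(msg: bytes) -> dict:
    """Parse an AWS Encryption SDK message-format v1 header: suite id, message id, context, EDKs."""
    if len(msg) < 22 or msg[0] != 0x01 or msg[1] != 0x80:
        raise ValueError("not an Encryption SDK v1 message; KMS Decrypt cannot open this")
    alg_id, message_id = struct.unpack_from(">H", msg, 2)[0], msg[4:20]
    aad_len, pos = _u16(msg, 20)
    aad_end, context = pos + aad_len, {}
    if aad_len:  # AAD = pair count, then length-prefixed key/value pairs (sorted by key)
        count, pos = _u16(msg, pos)
        for _ in range(count):
            k, pos = _field(msg, pos)
            v, pos = _field(msg, pos)
            context[k.decode()] = v.decode()
    edk_count, pos = _u16(msg, aad_end)
    edks = []
    for _ in range(edk_count):  # provider id ("aws-kms"), provider info (key ARN), wrapped data key
        provider_id, pos = _field(msg, pos)
        provider_info, pos = _field(msg, pos)
        edk, pos = _field(msg, pos)
        edks.append({"provider_id": provider_id.decode(), "key_id": provider_info.decode(), "edk": edk})
    return {"algorithm_id": alg_id, "message_id": message_id, "encryption_context": context, "encrypted_data_keys": edks}

def _lp(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_sample_code() -> str:
    """Constructed sample, not a real Cognito payload: v1 header with suite 0x0378 (AES-256-GCM,
    HKDF-SHA384, ECDSA P-384 signing), the two context keys seen in CloudTrail, one KMS EDK."""
    ctx = {"aws-crypto-public-key": "PLACEHOLDER-BASE64-POINT", "userpool-id": "my-user-pool"}
    aad = struct.pack(">H", len(ctx)) + b"".join(_lp(k.encode()) + _lp(v.encode()) for k, v in sorted(ctx.items()))
    edk = _lp(b"aws-kms") + _lp(b"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID") + _lp(bytes(32))
    header = (b"\x01\x80" + struct.pack(">H", 0x0378) + bytes(16) + _lp(aad) + struct.pack(">H", 1) + edk
              + b"\x02" + bytes(4) + b"\x0c" + struct.pack(">I", 4096) + bytes(12) + bytes(16))
    return base64.b64encode(header + bytes(40)).decode()  # Cognito hands the Lambda base64 text

def inspect_code(code_b64: str) -> dict:
    """What the custom sender Lambda receives is base64 text: strict-decode it, then read the header."""
    return parse_esdk_v1_header(base64.b64decode(code_b64, validate=True))
```

Reading the header does not recover the plaintext code; that still requires the Encryption SDK client with a KMS keyring or master key provider for the user pool key, which unwraps the EDK through KMS and then verifies and decrypts the body.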
