Can I make a call to AWS Cognito via a Lambda through the API gateway?
My current stack is like this:

  1. User creates an account via AWS Cognito
  2. A post confirmation lambda is triggered which then adds further user details to a database

My database uses the sub id generated by cognito as the userId so they are the same. I also copy the email address as the Username in my database. My intention is to use Cognito for Authentication and my own database for the functionality of my app.

However, if the user wishes to update their email address I need to amend this in both Cognito and my database. My first attempt made a call to Cognito in my Lambda using admin_update_user_attributes but soon realised it was blocked from making external calls to the internet, so I created a NAT gateway, which worked, but it simply costs way too much!

My second idea was to go through Cognito, having my front end make the call and then have Cognito trigger a Lambda to update my database, but I don't think this is possible.

Is there a configuration or something I'm missing to be able to access AWS Cognito via a Lambda through the API Gateway, as they are both AWS services?

I don't want to make two separate calls via my frontend as this creates a risk of one being completed but not the other.

Thanks

Chromaticity answered 13/6, 2020 at 13:17 Comment(0)
12

A NAT gateway will be needed if you have your Lambda function in a VPC as there are no Cognito VPC endpoints at this time.

List of currently supported AWS services with endpoints.

If you are using a DB like Dynamo, the Lambda function does not need to be in a VPC, so you could achieve the use case you mentioned above.

Another option could be to do the Cognito update asynchronously, so your Lambda could potentially use VPC endpoints to put an object in SQS and then have a Lambda poller (outside the VPC) poll the messages and update Cognito. Or achieve a similar use case by making use of private API Gateways.

These are just potential ideas which I have not done myself.

Fluoroscope answered 13/6, 2020 at 13:58 Comment(3)
Thanks for the reply. Initially I tried with DynamoDB but had the same issue whereby I required a NAT gateway... I later found it didn't really meet my needs anyway. My database is Neo4J on an EC2 instance. If I understand your reply correctly, I am wondering if it is possible to have a separate Lambda that can make the call to Cognito and then to my api-gateway > lambda > EC2... this seems very long winded though. Also if anything I say sounds daft forgive me, this is my first rodeo. Thanks - Chromaticity
@stackOp please read all the original post :) "so i created a nat gateway which worked but it simply costs way too much!" - Chromaticity
Your ideas are interesting. I have this case where my pgsql is in EC2 and I'm trying to pull information from Cognito. Since it's read only, do you have any more ideas? I want it to be a cost-effective solution. - Kinney
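
The asynchronous design Fluoroscope sketches in the answer above (VPC Lambda writes to SQS through a VPC endpoint, a poller Lambda outside the VPC applies the change to Cognito), written out as an added example. This is not code from the original poster or the answerer. The boto3 method names `send_message` and `admin_update_user_attributes` and the SQS partial-batch-failure response shape are real AWS APIs; the queue URL, user pool id, sample `sub`, the `FakeSQS`/`FakeCognito` test doubles and the sample SQS event are constructed placeholders so the file runs offline. It also addresses the poster's consistency worry: the VPC-side function validates the request before queueing it, and the poller reports failures per message so a bad record is retried or dead-lettered instead of being silently dropped.

```python
import json
import re

# Placeholder configuration (assumed values; real ones come from the Lambda
# environment). The SQS queue is a FIFO queue so per-user updates stay ordered.
QUEUE_URL = "https://sqs.eu-west-1.amazonaws.com/123456789012/email-updates.fifo"
USER_POOL_ID = "eu-west-1_EXAMPLE"
SUB_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def build_update_message(sub: str, username: str, new_email: str) -> dict:
    """Validate the request and build the send_message keyword arguments.
    Refusing bad input here means nothing is queued that the poller cannot
    apply, so the application database and Cognito do not drift apart."""
    if not SUB_RE.fullmatch(sub):
        raise ValueError("sub must be a Cognito UUID")
    if not EMAIL_RE.fullmatch(new_email):
        raise ValueError("invalid email address")
    return {
        "QueueUrl": QUEUE_URL,
        "MessageBody": json.dumps({"sub": sub, "username": username, "email": new_email}),
        # One message group per user keeps that user's updates in order;
        # the deduplication id makes a retried request idempotent.
        "MessageGroupId": sub,
        "MessageDeduplicationId": f"{sub}:{new_email}",
    }


def enqueue_email_update(sqs, sub: str, username: str, new_email: str) -> str:
    """VPC-side Lambda: called after the application database row has been
    updated. Reaches SQS through its VPC endpoint, so no NAT gateway is needed.
    `sqs` is a boto3 SQS client (or a test double)."""
    return sqs.send_message(**build_update_message(sub, username, new_email))["MessageId"]


def handle_sqs_batch(cognito, event: dict) -> dict:
    """Poller Lambda outside the VPC, triggered by SQS. Applies each message
    with AdminUpdateUserAttributes and reports per-message failures (assumes
    ReportBatchItemFailures is enabled on the event source mapping) so one
    bad message is retried or dead-lettered without replaying the good ones.
    `cognito` is a boto3 cognito-idp client (or a test double)."""
    failures = []
    for record in event.get("Records", []):
        try:
            msg = json.loads(record["body"])
            cognito.admin_update_user_attributes(
                UserPoolId=USER_POOL_ID,
                Username=msg["username"],
                UserAttributes=[
                    {"Name": "email", "Value": msg["email"]},
                    # Deliberately left unverified: the user must confirm the
                    # new address before Cognito treats it as verified.
                    {"Name": "email_verified", "Value": "false"},
                ],
            )
        except Exception:  # any failure for this record maps to a retry
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


# --- Constructed test doubles standing in for the boto3 clients -------------
class FakeSQS:
    def __init__(self):
        self.sent = []

    def send_message(self, **kwargs):
        self.sent.append(kwargs)
        return {"MessageId": f"msg-{len(self.sent)}"}


class FakeCognito:
    def __init__(self, known_usernames):
        self.known = set(known_usernames)
        self.updated = {}

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        if Username not in self.known:
            raise LookupError("UserNotFoundException")  # mimics the boto3 error
        self.updated[Username] = {a["Name"]: a["Value"] for a in UserAttributes}
        return {}


def demo() -> dict:
    """Run both halves end to end on constructed data."""
    sqs = FakeSQS()
    sub = "0fd4c8f1-3d4e-4bd5-9b4b-1d1d2e3f4a5b"  # constructed sample sub
    enqueue_email_update(sqs, sub, "alice@example.com", "alice.new@example.com")
    # Constructed SQS event: the queued message plus one for an unknown user.
    event = {"Records": [
        {"messageId": "1", "body": sqs.sent[0]["MessageBody"]},
        {"messageId": "2", "body": json.dumps(
            {"sub": sub, "username": "ghost@example.com", "email": "x@example.com"})},
    ]}
    cognito = FakeCognito(["alice@example.com"])
    result = handle_sqs_batch(cognito, event)
    return {"updated": cognito.updated, "failures": result["batchItemFailures"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a deployment, `enqueue_email_update` is called from the existing API Gateway > Lambda path after the database write, with a real boto3 SQS client, and `handle_sqs_batch` is the handler of a second Lambda (no VPC attachment) whose event source is the FIFO queue with a dead-letter queue configured. Leaving `email_verified` false is a deliberate choice: a changed address should go through Cognito's verification again rather than inherit the old address's verified status.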

© 2022 - 2024 — McMap. All rights reserved.