I have set up a custom email sender function that currently just decrypts the code (if present) and logs the event.
I can see in the logs that the lambda is correctly triggered for the other trigger source types such as CustomEmailSender_AdminCreateUser when I run the aws cognito-idp admin-create-user CLI command, and the CustomEmailSender_ForgotPassword when I submit the Forgot Password form on the Hosted UI. However, I do not see any logs when user attributes are updated. I've tested with both the admin-update-user-attributes and the update-user-attributes commands, as well as in the AWS console.
When is the email with the CustomEmailSender_UpdateUserAttribute trigger source sent? Is there a configuration on my user pool or client that I am missing?
According to Cognito documentation on Custom message Lambda trigger sources:
CustomMessage_UpdateUserAttribute | Custom message – When a user's email or phone number is changed, this trigger sends a verification code automatically to the user. Cannot be used for other attributes.
So it only triggers with changes to the email or phone number fields, in order to verify them.