Is it possible to configure AWS Cognito to send SMS messages from a different AWS account?

Question

• I want to have a script which programmatically creates an AWS account and creates a Cognito user pool within that account.
• I want this user pool to support multi-factor authentication via SMS.
• Cognito sends SMS messages using the SNS service. When you create a new AWS account, by default you start in the SNS sandbox, and you have to apply to AWS support to escape the sandbox.
• I don't want to have to manually apply to escape the sandbox every time I run the account creation script. (I don't think it's possible to automate leaving the sandbox for multiple accounts, or for all accounts in an AWS organization?)
• Therefore I would like to have a single central account which is used for sending MFA SNS messages, and I would like to configure Cognito to send those messages from this account.

Is this possible? The Cognito console prompts me to provide AWS Cognito a role to send SMS messages - if I provide a cross-account role, will Cognito automatically send messages from the desired account? Is there any other way to achieve what I want, other than rethinking my architecture and just combining my Cognito user pools into a single shared account?

Answer 1

You could create a custom Lambda function to deliver SMS for Cognito. This Lambda could in turn assume a role in a different AWS account and call SNS on behalf of that account, which would cause the SMS to be delivered through that account.

Answer 2

Currently, it is not possible to configure AWS Cognito to send SMS messages from a different AWS account. AWS Cognito is designed to be used within the same AWS account.

When you send an SMS message from your user pool, Amazon Cognito assumes an IAM role in your account. Hence in my experience, Cognito does not allow this. More details here