Cognito's AWS documentation says:
Each custom attribute: Cannot be removed or changed once added to the user pool.
I believe they are referring to the name of the custom attribute, no the value itself.
So, the value could be changed from a Lambda function for instance. Let's say we are storing fidelity points for each user in our e-commerce website.
Is a custom attribute the proper place to store this kind of information?. Or should I create a new DynamoDB table linked to the UserId in the user pool?
in my opinion If you need that the attribute value appears on identity token you should use the custom attrib, if not is better to store that on another place.
Example: You have 'users' that are admins of 'pages', then you store on Custom Attrib that relationship. Cognito add that information to the Identity Token, then When the user make an api call to 'pages' you only need to trust the information in the token and not make an extra database call to check if user is related to that page.
Custom Attrib are very restrictive as documentation says:
You can add up to 50 custom attributes to your user pool. You can specify a minimum and/or maximum length for custom attributes. However, the maximum length for any custom attribute can be no more than 2048 characters.
Each custom attribute:
Can be defined as a string or a number.
Can't be required.
Can't be removed or changed once added to the user pool.
Can have a name with a character length that is within the limit that is accepted by Amazon Cognito. For more information, see Quotas in Amazon Cognito.
If you don't need the attrib on the token I prefer to use dynameDB, a lot less restrictive.