Today was about Infrastructure Forensics. My "Delete Account" button was lying to me.
The Bug: The Lambda returned status: success, but the user stayed in Cognito and the transactions stayed in DynamoDB.
The Fix (The IAM Side):
I was using table.batch_writer() for cleanup. Under the hood that issues BatchWriteItem calls, so the Lambda role needs the dynamodb:BatchWriteItem permission, which mine didn't have. I fixed it via CLI:
```bash
aws iam put-role-policy --role-name FinanceAgent-Role --policy-name BatchDelete --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["dynamodb:BatchWriteItem"], "Resource": "arn:aws:dynamodb:..."}]
}'
```
The Fix (The Identity Side):
I stopped searching for users by email (which is case-sensitive in Cognito) and switched to the unique sub / username provided in the JWT:
```python
import boto3  # client added here; payload (the verified JWT claims) and USER_POOL_ID come from the handler
cognito_client = boto3.client('cognito-idp')
# Infallible deletion: delete by the JWT's cognito:username claim, not by an email lookup
cognito_username = payload.get('cognito:username')
cognito_client.admin_delete_user(UserPoolId=USER_POOL_ID, Username=cognito_username)
```
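As an added example (not the post's own Lambda code), here is a delete handler that refuses to report success until both stores confirm the removal: it lets the AccessDeniedException from a missing BatchWriteItem permission propagate instead of swallowing it, retries DynamoDB's UnprocessedItems, and reads the user back from Cognito after admin_delete_user. The two clients, the table name and the key layout are stand-ins I constructed so the code runs offline.

```python
try:
    from botocore.exceptions import ClientError
except ImportError:  # assumption: lets the example run where botocore is not installed
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response['Error']['Code'])
            self.response = error_response

def delete_transactions(ddb, table, keys, max_rounds=5):
    """Batch-delete keys, retrying UnprocessedItems; raises rather than silently dropping rows."""
    pending = [{'DeleteRequest': {'Key': k}} for k in keys]
    for _ in range(max_rounds):
        if not pending:
            return len(keys)
        chunk, pending = pending[:25], pending[25:]  # BatchWriteItem accepts at most 25 requests
        resp = ddb.batch_write_item(RequestItems={table: chunk})  # AccessDeniedException propagates
        pending = resp.get('UnprocessedItems', {}).get(table, []) + pending
    raise RuntimeError(f'{len(pending)} transactions still undeleted after {max_rounds} rounds')

def delete_account(payload, cognito, ddb, user_pool_id, table, tx_keys):
    """Report success only after both stores confirm removal; any failure raises instead."""
    username = payload.get('cognito:username')
    if not username:
        raise ValueError('JWT has no cognito:username claim; refusing to fall back to email')
    removed = delete_transactions(ddb, table, tx_keys)
    cognito.admin_delete_user(UserPoolId=user_pool_id, Username=username)
    try:  # read back: success means the user is gone, not just that the API call returned
        cognito.admin_get_user(UserPoolId=user_pool_id, Username=username)
    except ClientError as e:
        if e.response['Error']['Code'] != 'UserNotFoundException':
            raise
    else:
        raise RuntimeError(f'{username} still exists in Cognito after delete')
    return {'status': 'success', 'user': username, 'transactions_removed': removed}

class FakeDynamo:  # constructed stand-in: round 1 leaves one item unprocessed, round 2 clears it
    calls = 0
    def batch_write_item(self, RequestItems):
        self.calls += 1
        (table, reqs), = RequestItems.items()
        left = reqs[-1:] if self.calls == 1 else []
        return {'UnprocessedItems': {table: left}} if left else {}
class FakeCognito:  # constructed stand-in for the cognito-idp client
    def __init__(self, users): self.users = set(users)
    def admin_delete_user(self, UserPoolId, Username): self.users.discard(Username)
    def admin_get_user(self, UserPoolId, Username):
        if Username not in self.users:
            raise ClientError({'Error': {'Code': 'UserNotFoundException'}}, 'AdminGetUser')
        return {'Username': Username}
```

With real boto3 clients in place of the fakes, an IAM denial or a leftover user turns into an exception and a failed invocation, which is exactly the signal the original handler was hiding behind status: success.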
The Fix (The Consistency Side):
To avoid "Ghost Data" (AI using old names), I added a 1.5s delay in the React onboarding flow. This ensures DynamoDB has finished replicating the new profile across all global nodes before the first AI prompt is fired.
Result: A 100% surgical, secure, and verified deletion flow. 🛡️⚡