Today was about Infrastructure Forensics. My "Delete Account" button was lying to me. The Bug: The Lambda returned status: success, but the user stayed in Cognito and the transactions stayed in DynamoDB. The Fix (The IAM Side): I was using table.batch_writer() for cleanup. This requires BatchWriteItem permissions, which my role didn't have. I fixed it via CLI: Bash aws iam put-role-policy --role-name FinanceAgent-Role --policy-name BatchDelete --policy-document '{ "Statement": [{"Effect": "Allow", "Action": ["dynamodb:BatchWriteItem"], "Resource": "arn:aws:dynamodb:..."}] }' The Fix (The Identity Side): I stopped searching for users by email (which is case-sensitive in Cognito) and switched to the unique sub / username provided in the JWT: Python Infallible deletion cognito_username = payload.get('cognito:username') cognito_client.admin_delete_user(UserPoolId=USER_POOL_ID, Username=cognito_username) The Fix (The Consistency Side): To avoid "Ghost Data" (AI using old names), I added a 1.5s delay in the React…