diff --git a/flake.nix b/flake.nix
index 2a06c554..5211cc99 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,6 +86,8 @@
 mkdir -p $out
 cp -f ${targetPackage}/bin/dailp-graphql $out/bootstrap
 zip -j $out/dailp-graphql.zip $out/bootstrap
+ cp -f ${targetPackage}/bin/auth-post-confirmation $out/bootstrap
+ zip -j $out/auth-post-confirmation.zip $out/bootstrap
 '';
 };
 terraformConfig = pkgs.writeTextFile {
diff --git a/terraform/auth-functions.nix b/terraform/auth-functions.nix
new file mode 100644
index 00000000..6dba21fd
--- /dev/null
+++ b/terraform/auth-functions.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+let
+ prefixName = import ./utils.nix { stage = config.setup.stage; };
+in {
+ config.resource = {
+ aws_lambda_function.post_confirmation_event = {
+ function_name = "dailp_post_user_confirmation";
+ role = "$\{aws_iam_role.lambda_exec.arn}";
+ architectures = [ "x86_64" ];
+ description = ''
+ To be invoked by Cognito on PostConfirmation.
+ Adds a user to a group if their email is in a predefined list.
+ '';
+ environment.variables = {
+ DAILP_AWS_REGION = builtins.getEnv "DAILP_AWS_REGION";
+ GOOGLE_API_KEY = builtins.getEnv "GOOGLE_API_KEY";
+ DAILP_USER_POOL = builtins.getEnv "DAILP_USER_POOL";
+ };
+ filename = "${config.functions.package_path}/dailp-auth-post-confirmation.zip";
+ handler="function_handler";
+ runtime="provided.al2";
+ timeout=60;
+ };
+
+ aws_lambda_permission.allow_cognito_invocation = {
+ action = "lambda:InvokeFunction";
+ function_name = "$\{aws_lambda_function.post_confirmation_event.function_name}";
+ principal = "cognito-idp.amazonaws.com";
+ source_arn = "$\{aws_cognito_user_pool.main.arn}";
+ };
+ };
+}
diff --git a/terraform/auth.nix b/terraform/auth.nix
index 4be790a7..8eccca5b 100644
--- a/terraform/auth.nix
+++ b/terraform/auth.nix
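Review bot: The archive produced by the added `zip -j $out/auth-post-confirmation.zip $out/bootstrap` does not match the name the new terraform/auth-functions.nix in this same commit points the Lambda at, `${config.functions.package_path}/dailp-auth-post-confirmation.zip`, so unless something outside the diff renames it, apply will fail to find the package. The existing line zips `dailp-graphql.zip`, so the prefixed form looks like the convention; `zip -j $out/dailp-auth-post-confirmation.zip $out/bootstrap` (or dropping the prefix in auth-functions.nix) would reconcile the two. Reusing `$out/bootstrap` as the staging name for both binaries also leaves the auth binary behind as a stray `$out/bootstrap` output; staging each binary in its own temp directory and removing it afterwards would keep the derivation output to the zips. The enclosing derivation starts and ends outside the hunk.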
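Review bot: `GOOGLE_API_KEY = builtins.getEnv "GOOGLE_API_KEY"` resolves the secret at Nix evaluation time, so it is written into the generated Terraform config (a world-readable store path via `pkgs.writeTextFile`), recorded in Terraform state, and then exposed as a plaintext Lambda environment variable readable by anyone with configuration access; the other two getEnv values are not secrets, so only this one is the concern. Prefer passing only a parameter or secret name here and having the function fetch the key at runtime from SSM Parameter Store or Secrets Manager. Separately, `prefixName` is bound but never used and `function_name = "dailp_post_user_confirmation"` is not stage-prefixed the way `prefixName "user-pool-client"` is in auth.nix, so two stages in one account would collide on the function name; `function_name = prefixName "post-user-confirmation";` would follow the existing convention. The description should also note that Cognito waits at most 5 seconds for a trigger response, so `timeout=60` does not extend what the user-facing confirmation will tolerate, and that the shared `aws_iam_role.lambda_exec` must carry `cognito-idp:AdminAddUserToGroup` scoped to this pool for the described group assignment to work, which this commit does not add (it may already be granted outside the diff).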
@@ -21,6 +21,9 @@ in {
 You can access the confirmation page at https://${subdomain}dailp.northeastern.edu/auth/confirmation
 '';
 };
+ lambda_config = {
+ post_confirmation = "\${aws_lambda_function.post_confirmation_event.arn}";
+ };
 };
 aws_cognito_user_pool_client.main = {
 name = prefixName "user-pool-client";
diff --git a/terraform/functions-base.nix b/terraform/functions-base.nix
index e30ef87a..1d2ca84d 100644
--- a/terraform/functions-base.nix
+++ b/terraform/functions-base.nix
@@ -8,6 +8,7 @@ in {
 managed_policy_arns = [
 "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ];
+
 assume_role_policy = ''
 {
 "Version": "2012-10-17",
diff --git a/terraform/main.nix b/terraform/main.nix
index 08f95c1d..7bad0d63 100644
--- a/terraform/main.nix
+++ b/terraform/main.nix
@@ -19,6 +19,7 @@ in {
 ./bootstrap.nix
 ./functions.nix
 ./auth.nix
+ ./auth-functions.nix
 ./website.nix
 ./nu-tags.nix
 ./database-sql.nix
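Review bot: The Terraform reference is escaped here as `"\${aws_lambda_function.post_confirmation_event.arn}"` while the new terraform/auth-functions.nix writes the same kind of reference as `"$\{...}"`; both produce a literal `${` in the emitted JSON, but one convention should be used across the module so the references are easy to find. Because `aws_lambda_permission.allow_cognito_invocation.source_arn` in auth-functions.nix references the pool ARN while this block references the function ARN, a first apply attaches the trigger before the invoke permission exists, and any confirmation landing in that window would fail to invoke the function; that is inherent to the dependency chain but worth a comment above the added `lambda_config`, e.g. `# Invoke permission for this trigger is aws_lambda_permission.allow_cognito_invocation in ./auth-functions.nix`. The enclosing aws_cognito_user_pool.main block starts outside the hunk.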