diff --git a/samtranslator/model/eventsources/push.py b/samtranslator/model/eventsources/push.py
index f855dfdc1..66aeeb4f6 100644
--- a/samtranslator/model/eventsources/push.py
+++ b/samtranslator/model/eventsources/push.py
@@ -1199,26 +1199,27 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def]
             lambda_permission.set_resource_attribute(attribute, value)
         resources.append(lambda_permission)
 
-        self._inject_lambda_config(function, userpool)  # type: ignore[no-untyped-call]
-        resources.append(CognitoUserPool.from_dict(userpool_id, userpool))
+        self._inject_lambda_config(function, userpool, userpool_id)
+        resources.append(CognitoUserPool.from_dict(userpool_id, userpool, userpool_id))
         return resources
 
-    def _inject_lambda_config(self, function, userpool):  # type: ignore[no-untyped-def]
+    def _inject_lambda_config(self, function: Any, userpool: Dict[str, Any], userpool_id: str) -> None:
         event_triggers = self.Trigger
         if isinstance(self.Trigger, str):
             event_triggers = [self.Trigger]
 
         # TODO can these be conditional?
 
-        properties = userpool.get("Properties", None)
+        properties = userpool.get("Properties")
         if properties is None:
             properties = {}
             userpool["Properties"] = properties
 
-        lambda_config = properties.get("LambdaConfig", None)
+        lambda_config = properties.get("LambdaConfig")
         if lambda_config is None:
             lambda_config = {}
             properties["LambdaConfig"] = lambda_config
+        sam_expect(lambda_config, userpool_id, "LambdaConfig").to_be_a_map()
 
         for event_trigger in event_triggers:
             if event_trigger not in lambda_config:
@@ -1227,7 +1228,6 @@ def _inject_lambda_config(self, function, userpool):  # type: ignore[no-untyped-
                 raise InvalidEventException(
                     self.relative_id, f'Cognito trigger "{self.Trigger}" defined multiple times.'
                 )
-        return userpool
 
 
 class HttpApi(PushEventSource):
diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py
index 7c882a741..151b30d8d 100644
--- a/samtranslator/swagger/swagger.py
+++ b/samtranslator/swagger/swagger.py
@@ -41,6 +41,7 @@ class SwaggerEditor(BaseEditor):
     _X_APIGW_REQUEST_VALIDATOR = "x-amazon-apigateway-request-validator"
     _X_ENDPOINT_CONFIG = "x-amazon-apigateway-endpoint-configuration"
     _CACHE_KEY_PARAMETERS = "cacheKeyParameters"
+    _SECURITY_DEFINITIONS = "securityDefinitions"
     # https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
     _EXCLUDED_PATHS_FIELDS = ["summary", "description", "parameters"]
     _POLICY_TYPE_IAM = "Iam"
@@ -65,9 +66,9 @@ def __init__(self, doc: Optional[Dict[str, Any]]) -> None:
 
         self._doc = _deepcopy(doc)
         self.paths = self._doc["paths"]
-        self.security_definitions = self._doc.get("securityDefinitions", Py27Dict())
-        self.gateway_responses = self._doc.get(self._X_APIGW_GATEWAY_RESPONSES, Py27Dict())
-        self.resource_policy = self._doc.get(self._X_APIGW_POLICY, Py27Dict())
+        self.security_definitions = self._doc.get(self._SECURITY_DEFINITIONS) or Py27Dict()
+        self.gateway_responses = self._doc.get(self._X_APIGW_GATEWAY_RESPONSES) or Py27Dict()
+        self.resource_policy = self._doc.get(self._X_APIGW_POLICY) or Py27Dict()
         self.definitions = self._doc.get("definitions", Py27Dict())
 
         # https://swagger.io/specification/#path-item-object
@@ -1208,7 +1209,7 @@ def swagger(self) -> Dict[str, Any]:
                 self._doc[key] = self.paths
 
         if self.security_definitions:
-            self._doc["securityDefinitions"] = self.security_definitions
+            self._doc[self._SECURITY_DEFINITIONS] = self.security_definitions
         if self.gateway_responses:
             self._doc[self._X_APIGW_GATEWAY_RESPONSES] = self.gateway_responses
         if self.definitions:
diff --git a/tests/translator/input/error_cognito_userpool_invalid_lambda_config.yaml b/tests/translator/input/error_cognito_userpool_invalid_lambda_config.yaml
new file mode 100644
index 000000000..fcd2be6b9
--- /dev/null
+++ b/tests/translator/input/error_cognito_userpool_invalid_lambda_config.yaml
@@ -0,0 +1,20 @@
+Resources:
+  UserPool:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      LambdaConfig:
+      - this: should not be a list
+
+  Function:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/member_portal.zip
+      Handler: index.gethtml
+      Runtime: nodejs12.x
+      Events:
+        OneTrigger:
+          Type: Cognito
+          Properties:
+            UserPool:
+              Ref: UserPool
+            Trigger: PreSignUp
diff --git a/tests/translator/output/error_cognito_userpool_invalid_lambda_config.json b/tests/translator/output/error_cognito_userpool_invalid_lambda_config.json
new file mode 100644
index 000000000..053bdf196
--- /dev/null
+++ b/tests/translator/output/error_cognito_userpool_invalid_lambda_config.json
@@ -0,0 +1,9 @@
+{
+  "_autoGeneratedBreakdownErrorMessage": [
+    "Invalid Serverless Application Specification document. ",
+    "Number of errors found: 1. ",
+    "Resource with id [UserPool] is invalid. ",
+    "Property 'LambdaConfig' should be a map."
+  ],
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [UserPool] is invalid. Property 'LambdaConfig' should be a map."
+}