diff --git a/.changelog/38168.txt b/.changelog/38168.txt
index 79ed38b1b399..c831f4754318 100644
--- a/.changelog/38168.txt
+++ b/.changelog/38168.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-data-source/aws_cognito_user_pool_client: Fix `InvalidParameterException: 2 validation errors detected`  errors on Read
+data-source/aws_cognito_user_pool_client: Fix `InvalidParameterException: 2 validation errors detected` errors on Read
 ```
diff --git a/.changelog/38184.txt b/.changelog/38184.txt
new file mode 100644
index 000000000000..8e82a6d37fa0
--- /dev/null
+++ b/.changelog/38184.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_cognito_user_pool: Fix `runtime error: index out of range [0] with length 0` panic when adding `lambda_config`
+```
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index be80d5d77239..577b4a979515 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,4 @@
-## 5.57.0 (Unreleased)
+## 5.56.1 (Unreleased)
 
 BUG FIXES:
 
diff --git a/internal/service/cognitoidp/user_pool.go b/internal/service/cognitoidp/user_pool.go
index b24e2d977516..cd3b25326563 100644
--- a/internal/service/cognitoidp/user_pool.go
+++ b/internal/service/cognitoidp/user_pool.go
@@ -997,7 +997,15 @@ func resourceUserPoolUpdate(ctx context.Context, d *schema.ResourceData, meta in
 		if v, ok := d.GetOk("lambda_config"); ok {
 			if v, ok := v.([]interface{})[0].(map[string]interface{}); ok && v != nil {
 				if d.HasChange("lambda_config.0.pre_token_generation") {
-					v["pre_token_generation_config"].([]interface{})[0].(map[string]interface{})["lambda_arn"] = d.Get("lambda_config.0.pre_token_generation")
+					preTokenGeneration := d.Get("lambda_config.0.pre_token_generation")
+					if tfList, ok := v["pre_token_generation_config"].([]interface{}); ok && len(tfList) > 0 && tfList[0] != nil {
+						v["pre_token_generation_config"].([]interface{})[0].(map[string]interface{})["lambda_arn"] = preTokenGeneration
+					} else {
+						v["pre_token_generation_config"] = []interface{}{map[string]interface{}{
+							"lambda_arn":     preTokenGeneration,
+							"lambda_version": string(awstypes.PreTokenGenerationLambdaVersionTypeV10), // A guess...
+						}}
+					}
 				}
 
 				if d.HasChange("lambda_config.0.pre_token_generation_config.0.lambda_arn") {
diff --git a/internal/service/cognitoidp/user_pool_test.go b/internal/service/cognitoidp/user_pool_test.go
index 1590e57c88f7..1550c9e4fcb0 100644
--- a/internal/service/cognitoidp/user_pool_test.go
+++ b/internal/service/cognitoidp/user_pool_test.go
@@ -1334,6 +1334,53 @@ func TestAccCognitoIDPUserPool_WithLambda_preGenerationTokenConfig(t *testing.T)
 	})
 }
 
+// https://github.com/hashicorp/terraform-provider-aws/issues/38164.
+func TestAccCognitoIDPUserPool_addLambda(t *testing.T) {
+	ctx := acctest.Context(t)
+	var pool awstypes.UserPoolType
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_cognito_user_pool.test"
+	lambdaResourceName := "aws_lambda_function.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); testAccPreCheckIdentityProvider(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.CognitoIDPServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckUserPoolDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccUserPoolConfig_name(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckUserPoolExists(ctx, resourceName, &pool),
+					resource.TestCheckResourceAttr(resourceName, "lambda_config.#", acctest.Ct0),
+				),
+			},
+			{
+				Config: testAccUserPoolConfig_lambda(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckUserPoolExists(ctx, resourceName, &pool),
+					resource.TestCheckResourceAttr(resourceName, "lambda_config.#", acctest.Ct1),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.create_auth_challenge", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.custom_message", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.define_auth_challenge", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.post_authentication", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.post_confirmation", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.pre_authentication", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.pre_sign_up", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.pre_token_generation", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.user_migration", lambdaResourceName, names.AttrARN),
+					resource.TestCheckResourceAttrPair(resourceName, "lambda_config.0.verify_auth_challenge_response", lambdaResourceName, names.AttrARN),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccCognitoIDPUserPool_schemaAttributes(t *testing.T) {
 	ctx := acctest.Context(t)
 	var pool1, pool2 awstypes.UserPoolType