aws-sdk-cognitoidentityprovider 1.82.0 → 1.85.0

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -130,11 +130,15 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The username for the user.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] group_name
-    #   The group name.
+    #   The name of the group that you want to add your user to.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminAddUserToGroupRequest AWS API Documentation
@@ -154,7 +158,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name for which you want to confirm user registration.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] client_metadata
@@ -319,18 +327,24 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] validation_data
-    #   The user's validation data. This is an array of name-value pairs
-    #   that contain user attributes and attribute values that you can use
-    #   for custom validation, such as restricting the types of user
-    #   accounts that can be registered. For example, you might choose to
-    #   allow or disallow user sign-up based on the user's domain.
-    #
-    #   To configure custom validation, you must create a Pre Sign-up Lambda
-    #   trigger for the user pool as described in the Amazon Cognito
-    #   Developer Guide. The Lambda trigger receives the validation data and
-    #   uses it in the validation process.
-    #
-    #   The user's validation data isn't persisted.
+    #   Temporary user attributes that contribute to the outcomes of your
+    #   pre sign-up Lambda trigger. This set of key-value pairs are for
+    #   custom validation of information that you collect from your users
+    #   but don't need to retain.
+    #
+    #   Your Lambda function can analyze this additional data and act on it.
+    #   Your function might perform external API operations like logging
+    #   user attributes and validation data to Amazon CloudWatch Logs.
+    #   Validation data might also affect the response that your function
+    #   returns to Amazon Cognito, like automatically confirming the user if
+    #   they sign up from within your network.
+    #
+    #   For more information about the pre sign-up Lambda trigger, see [Pre
+    #   sign-up Lambda trigger][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] temporary_password
@@ -457,8 +471,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user from which you would like to delete
-    #   attributes.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] user_attribute_names
@@ -494,7 +511,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user you want to delete.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminDeleteUserRequest AWS API Documentation
@@ -535,7 +556,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user you want to disable.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminDisableUserRequest AWS API Documentation
@@ -562,7 +587,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user you want to enable.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminEnableUserRequest AWS API Documentation
@@ -588,7 +617,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] device_key
@@ -616,7 +649,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetDeviceRequest AWS API Documentation
@@ -651,7 +688,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user you want to retrieve.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetUserRequest AWS API Documentation
@@ -858,8 +899,6 @@ module Aws::CognitoIdentityProvider
     #
     #   * Define auth challenge
     #
-    #   * Verify auth challenge
-    #
     #   For more information, see [ Customizing user pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
     #
@@ -967,7 +1006,7 @@ module Aws::CognitoIdentityProvider
     #
     #   * `MFA_SETUP`: For users who are required to set up an MFA factor
     #     before they can sign in. The MFA types activated for the user pool
-    #     will be listed in the challenge parameters `MFA_CAN_SETUP` value.
+    #     will be listed in the challenge parameters `MFAS_CAN_SETUP` value.
     #
     #     To set up software token MFA, use the session returned here from
     #     `InitiateAuth` as an input to `AssociateSoftwareToken`, and use
@@ -1106,7 +1145,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] limit
@@ -1114,7 +1157,13 @@ module Aws::CognitoIdentityProvider
     #   @return [Integer]
     #
     # @!attribute [rw] pagination_token
-    #   The pagination token.
+    #   This API operation returns a limited number of results. The
+    #   pagination token is an identifier that you can present in an
+    #   additional API request with the same parameters. When you include
+    #   the pagination token, Amazon Cognito returns the next set of items
+    #   after the current list. Subsequent requests return a new pagination
+    #   token. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminListDevicesRequest AWS API Documentation
@@ -1135,7 +1184,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::DeviceType>]
     #
     # @!attribute [rw] pagination_token
-    #   The pagination token.
+    #   The identifier that Amazon Cognito returned with the previous
+    #   request to this operation. When you include a pagination token in
+    #   your request, Amazon Cognito returns the next set of items in the
+    #   list. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminListDevicesResponse AWS API Documentation
@@ -1148,7 +1201,11 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] username
-    #   The username for the user.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] user_pool_id
@@ -1200,7 +1257,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user pool username or an alias.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] max_results
@@ -1247,7 +1308,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The username for the user.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] group_name
@@ -1273,7 +1338,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user whose password you want to reset.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] client_metadata
@@ -1352,51 +1421,86 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] challenge_responses
-    #   The challenge responses. These are inputs corresponding to the value
-    #   of `ChallengeName`, for example:
+    #   The responses to the challenge that you received in the previous
+    #   request. Each challenge has its own required response parameters.
+    #   The following examples are partial JSON request bodies that
+    #   highlight challenge-response parameters.
     #
-    #   * `SMS_MFA`: `SMS_MFA_CODE`, `USERNAME`, `SECRET_HASH` (if app
-    #     client is configured with client secret).
+    #   You must provide a SECRET\_HASH parameter in all challenge responses
+    #   to an app client that has a client secret.
     #
-    #   * `PASSWORD_VERIFIER`: `PASSWORD_CLAIM_SIGNATURE`,
-    #     `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`,
-    #     `SECRET_HASH` (if app client is configured with client secret).
+    #   SMS\_MFA
     #
-    #     <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when signing in with a
-    #     remembered device.
+    #   : `"ChallengeName": "SMS_MFA", "ChallengeResponses":
+    #     \{"SMS_MFA_CODE": "[SMS_code]", "USERNAME": "[username]"\}`
     #
-    #      </note>
+    #   PASSWORD\_VERIFIER
     #
-    #   * `ADMIN_NO_SRP_AUTH`: `PASSWORD`, `USERNAME`, `SECRET_HASH` (if app
-    #     client is configured with client secret).
+    #   : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
+    #     \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
+    #     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
+    #     [timestamp], "USERNAME": "[username]"\}`
     #
-    #   * `NEW_PASSWORD_REQUIRED`: `NEW_PASSWORD`, `USERNAME`, `SECRET_HASH`
-    #     (if app client is configured with client secret). To set any
-    #     required attributes that Amazon Cognito returned as
-    #     `requiredAttributes` in the `AdminInitiateAuth` response, add a
-    #     `userAttributes.attributename ` parameter. This parameter can also
-    #     set values for writable attributes that aren't required by your
-    #     user pool.
+    #     Add `"DEVICE_KEY"` when you sign in with a remembered device.
+    #
+    #   CUSTOM\_CHALLENGE
+    #
+    #   : `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}`
+    #
+    #     Add `"DEVICE_KEY"` when you sign in with a remembered device.
+    #
+    #   NEW\_PASSWORD\_REQUIRED
+    #
+    #   : `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses":
+    #     \{"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"\}`
+    #
+    #     To set any required attributes that `InitiateAuth` returned in an
+    #     `requiredAttributes` parameter, add
+    #     `"userAttributes.[attribute_name]": "[attribute_value]"`. This
+    #     parameter can also set values for writable attributes that aren't
+    #     required by your user pool.
     #
     #     <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
     #     a required attribute that already has a value. In
-    #     `AdminRespondToAuthChallenge`, set a value for any keys that
-    #     Amazon Cognito returned in the `requiredAttributes` parameter,
-    #     then use the `AdminUpdateUserAttributes` API operation to modify
-    #     the value of any additional attributes.
+    #     `RespondToAuthChallenge`, set a value for any keys that Amazon
+    #     Cognito returned in the `requiredAttributes` parameter, then use
+    #     the `UpdateUserAttributes` API operation to modify the value of
+    #     any additional attributes.
     #
     #      </note>
     #
-    #   * `MFA_SETUP` requires `USERNAME`, plus you must use the session
-    #     value returned by `VerifySoftwareToken` in the `Session`
-    #     parameter.
+    #   SOFTWARE\_TOKEN\_MFA
+    #
+    #   : `"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
+    #     [authenticator_code]\}`
+    #
+    #   DEVICE\_SRP\_AUTH
+    #
+    #   : `"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
+    #     "[srp_a]"\}`
+    #
+    #   DEVICE\_PASSWORD\_VERIFIER
+    #
+    #   : `"ChallengeName": "DEVICE_PASSWORD_VERIFIER",
+    #     "ChallengeResponses": \{"DEVICE_KEY": "[device_key]",
+    #     "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
+    #     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
+    #     [timestamp], "USERNAME": "[username]"\}`
+    #
+    #   MFA\_SETUP
     #
-    #   The value of the `USERNAME` attribute must be the user's actual
-    #   username, not an alias (such as an email address or phone number).
-    #   To make this simpler, the `AdminInitiateAuth` response includes the
-    #   actual username value in the `USERNAMEUSER_ID_FOR_SRP` attribute.
-    #   This happens even if you specified an alias in your call to
-    #   `AdminInitiateAuth`.
+    #   : `"ChallengeName": "MFA_SETUP", "ChallengeResponses": \{"USERNAME":
+    #     "[username]"\}, "SESSION": "[Session ID from
+    #     VerifySoftwareToken]"`
+    #
+    #   SELECT\_MFA\_TYPE
+    #
+    #   : `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "ANSWER": "[SMS_MFA or
+    #     SOFTWARE_TOKEN_MFA]"\}`
     #
     #   For more information about `SECRET_HASH`, see [Computing secret hash
     #   values][1]. For information about `DEVICE_KEY`, see [Working with
@@ -1554,7 +1658,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SoftwareTokenMfaSettingsType]
     #
     # @!attribute [rw] username
-    #   The user pool username or alias.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] user_pool_id
@@ -1582,7 +1690,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user whose password you want to set.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] password
@@ -1617,7 +1729,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user whose options you're setting.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] mfa_options
@@ -1647,7 +1763,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user pool username.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] event_id
@@ -1686,7 +1806,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] device_key
@@ -1724,8 +1848,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user for whom you want to update user
-    #   attributes.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] user_attributes
@@ -1814,7 +1941,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminUserGlobalSignOutRequest AWS API Documentation
@@ -2327,8 +2458,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user for whom you want to enter a code to
-    #   retrieve a forgotten password.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] confirmation_code
@@ -2430,7 +2564,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user whose registration you want to confirm.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] confirmation_code
@@ -2900,11 +3038,43 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::TokenValidityUnitsType]
     #
     # @!attribute [rw] read_attributes
-    #   The read attributes.
+    #   The list of user attributes that you want your app client to have
+    #   read-only access to. After your user authenticates in your app,
+    #   their access token authorizes them to read their own attribute value
+    #   for any attribute in this list. An example of this kind of activity
+    #   is when your user selects a link to view their profile information.
+    #   Your app makes a [GetUser][1] API request to retrieve and display
+    #   your user's profile data.
+    #
+    #   When you don't specify the `ReadAttributes` for your app client,
+    #   your app can read the values of `email_verified`,
+    #   `phone_number_verified`, and the Standard attributes of your user
+    #   pool. When your user pool has read access to these default
+    #   attributes, `ReadAttributes` doesn't return any information. Amazon
+    #   Cognito only populates `ReadAttributes` in the API response if you
+    #   have specified your own custom set of read attributes.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] write_attributes
-    #   The user pool attributes that the app client can write to.
+    #   The list of user attributes that you want your app client to have
+    #   write access to. After your user authenticates in your app, their
+    #   access token authorizes them to set or modify their own attribute
+    #   value for any attribute in this list. An example of this kind of
+    #   activity is when you present your user with a form to update their
+    #   profile information and they change their last name. Your app then
+    #   makes an [UpdateUserAttributes][1] API request and sets
+    #   `family_name` to the new value.
+    #
+    #   When you don't specify the `WriteAttributes` for your app client,
+    #   your app can write the values of the Standard attributes of your
+    #   user pool. When your user pool has write access to these default
+    #   attributes, `WriteAttributes` doesn't return any information.
+    #   Amazon Cognito only populates `WriteAttributes` in the API response
+    #   if you have specified your own custom set of write attributes.
     #
     #   If your app client allows users to sign in through an IdP, this
     #   array must include all attributes that you have mapped to IdP
@@ -2912,11 +3082,12 @@ module Aws::CognitoIdentityProvider
     #   in to your application through an IdP. If your app client does not
     #   have write access to a mapped attribute, Amazon Cognito throws an
     #   error when it tries to update the attribute. For more information,
-    #   see [Specifying IdP Attribute Mappings for Your user pool][1].
+    #   see [Specifying IdP Attribute Mappings for Your user pool][2].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
@@ -3488,17 +3659,20 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # A custom email sender Lambda configuration type.
+    # The properties of a custom email sender Lambda trigger.
     #
     # @!attribute [rw] lambda_version
-    #   Signature of the "request" attribute in the "event" information
-    #   Amazon Cognito passes to your custom email Lambda function. The only
-    #   supported value is `V1_0`.
+    #   The user pool trigger version of the request that Amazon Cognito
+    #   sends to your Lambda function. Higher-numbered versions add fields
+    #   that support new features.
+    #
+    #   You must use a `LambdaVersion` of `V1_0` with a custom sender
+    #   function.
     #   @return [String]
     #
     # @!attribute [rw] lambda_arn
-    #   The Amazon Resource Name (ARN) of the Lambda function that Amazon
-    #   Cognito activates to send email notifications to users.
+    #   The Amazon Resource Name (ARN) of the function that you want to
+    #   assign to your Lambda trigger.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CustomEmailLambdaVersionConfigType AWS API Documentation
@@ -3510,17 +3684,20 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # A custom SMS sender Lambda configuration type.
+    # The properties of a custom SMS sender Lambda trigger.
     #
     # @!attribute [rw] lambda_version
-    #   Signature of the "request" attribute in the "event" information
-    #   that Amazon Cognito passes to your custom SMS Lambda function. The
-    #   only supported value is `V1_0`.
+    #   The user pool trigger version of the request that Amazon Cognito
+    #   sends to your Lambda function. Higher-numbered versions add fields
+    #   that support new features.
+    #
+    #   You must use a `LambdaVersion` of `V1_0` with a custom sender
+    #   function.
     #   @return [String]
     #
     # @!attribute [rw] lambda_arn
-    #   The Amazon Resource Name (ARN) of the Lambda function that Amazon
-    #   Cognito activates to send SMS notifications to users.
+    #   The Amazon Resource Name (ARN) of the function that you want to
+    #   assign to your Lambda trigger.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CustomSMSLambdaVersionConfigType AWS API Documentation
@@ -4412,8 +4589,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] username
-    #   The user name of the user for whom you want to enter a code to reset
-    #   a forgotten password.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
@@ -5235,8 +5415,6 @@ module Aws::CognitoIdentityProvider
     #
     #   * Define auth challenge
     #
-    #   * Verify auth challenge
-    #
     #   For more information, see [ Customizing user pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
     #
@@ -5294,8 +5472,8 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] challenge_name
     #   The name of the challenge that you're responding to with this call.
-    #   This name is returned in the `AdminInitiateAuth` response if you
-    #   must pass another challenge.
+    #   This name is returned in the `InitiateAuth` response if you must
+    #   pass another challenge.
     #
     #   Valid values include the following:
     #
@@ -5343,7 +5521,7 @@ module Aws::CognitoIdentityProvider
     #
     #   * `MFA_SETUP`: For users who are required to setup an MFA factor
     #     before they can sign in. The MFA types activated for the user pool
-    #     will be listed in the challenge parameters `MFA_CAN_SETUP` value.
+    #     will be listed in the challenge parameters `MFAS_CAN_SETUP` value.
     #
     #     To set up software token MFA, use the session returned here from
     #     `InitiateAuth` as an input to `AssociateSoftwareToken`. Use the
@@ -5573,9 +5751,23 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] pre_token_generation
-    #   A Lambda trigger that is invoked before token generation.
+    #   The Amazon Resource Name (ARN) of the function that you want to
+    #   assign to your Lambda trigger.
+    #
+    #   Set this parameter for legacy purposes. If you also set an ARN in
+    #   `PreTokenGenerationConfig`, its value must be identical to
+    #   `PreTokenGeneration`. For new instances of pre token generation
+    #   triggers, set the `LambdaArn` of `PreTokenGenerationConfig`.
+    #
+    #   You can set ``
     #   @return [String]
     #
+    # @!attribute [rw] pre_token_generation_config
+    #   The detailed configuration of a pre token generation trigger. If you
+    #   also set an ARN in `PreTokenGeneration`, its value must be identical
+    #   to `PreTokenGenerationConfig`.
+    #   @return [Types::PreTokenGenerationVersionConfigType]
+    #
     # @!attribute [rw] user_migration
     #   The user migration Lambda config type.
     #   @return [String]
@@ -5607,6 +5799,7 @@ module Aws::CognitoIdentityProvider
       :create_auth_challenge,
       :verify_auth_challenge_response,
       :pre_token_generation,
+      :pre_token_generation_config,
       :user_migration,
       :custom_sms_sender,
       :custom_email_sender,
@@ -5643,7 +5836,13 @@ module Aws::CognitoIdentityProvider
     #   @return [Integer]
     #
     # @!attribute [rw] pagination_token
-    #   The pagination token for the list request.
+    #   This API operation returns a limited number of results. The
+    #   pagination token is an identifier that you can present in an
+    #   additional API request with the same parameters. When you include
+    #   the pagination token, Amazon Cognito returns the next set of items
+    #   after the current list. Subsequent requests return a new pagination
+    #   token. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListDevicesRequest AWS API Documentation
@@ -5663,7 +5862,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::DeviceType>]
     #
     # @!attribute [rw] pagination_token
-    #   The pagination token for the list device response.
+    #   The identifier that Amazon Cognito returned with the previous
+    #   request to this operation. When you include a pagination token in
+    #   your request, Amazon Cognito returns the next set of items in the
+    #   list. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListDevicesResponse AWS API Documentation
@@ -5833,9 +6036,13 @@ module Aws::CognitoIdentityProvider
     #   @return [Integer]
     #
     # @!attribute [rw] pagination_token
-    #   An identifier that was returned from the previous call to
-    #   `ListUserImportJobs`, which can be used to return the next set of
-    #   import jobs in the list.
+    #   This API operation returns a limited number of results. The
+    #   pagination token is an identifier that you can present in an
+    #   additional API request with the same parameters. When you include
+    #   the pagination token, Amazon Cognito returns the next set of items
+    #   after the current list. Subsequent requests return a new pagination
+    #   token. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUserImportJobsRequest AWS API Documentation
@@ -5856,8 +6063,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::UserImportJobType>]
     #
     # @!attribute [rw] pagination_token
-    #   An identifier that can be used to return the next set of user import
-    #   jobs in the list.
+    #   The identifier that Amazon Cognito returned with the previous
+    #   request to this operation. When you include a pagination token in
+    #   your request, Amazon Cognito returns the next set of items in the
+    #   list. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUserImportJobsResponse AWS API Documentation
@@ -5970,7 +6180,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] limit
-    #   The limit of the request to list users.
+    #   The maximum number of users that you want to retrieve before
+    #   pagination.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
@@ -5991,7 +6202,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] users
-    #   The users returned in the request to list users.
+    #   A list of users in the group, and their attributes.
     #   @return [Array<Types::UserType>]
     #
     # @!attribute [rw] next_token
@@ -6020,6 +6231,13 @@ module Aws::CognitoIdentityProvider
     #   you want Amazon Cognito to include in the response for each user.
     #   When you don't provide an `AttributesToGet` parameter, Amazon
     #   Cognito returns all attributes for each user.
+    #
+    #   Use `AttributesToGet` with required attributes in your user pool, or
+    #   in conjunction with `Filter`. Amazon Cognito returns an error if not
+    #   all users in the results have set a value for the attribute you
+    #   request. Attributes that you can't filter on, including custom
+    #   attributes, must have a value set in every user profile before an
+    #   `AttributesToGet` parameter returns results.
     #   @return [Array<String>]
     #
     # @!attribute [rw] limit
@@ -6027,9 +6245,13 @@ module Aws::CognitoIdentityProvider
     #   @return [Integer]
     #
     # @!attribute [rw] pagination_token
-    #   An identifier that was returned from the previous call to this
-    #   operation, which can be used to return the next set of items in the
-    #   list.
+    #   This API operation returns a limited number of results. The
+    #   pagination token is an identifier that you can present in an
+    #   additional API request with the same parameters. When you include
+    #   the pagination token, Amazon Cognito returns the next set of items
+    #   after the current list. Subsequent requests return a new pagination
+    #   token. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @!attribute [rw] filter
@@ -6137,9 +6359,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::UserType>]
     #
     # @!attribute [rw] pagination_token
-    #   An identifier that was returned from the previous call to this
-    #   operation, which can be used to return the next set of items in the
-    #   list.
+    #   The identifier that Amazon Cognito returned with the previous
+    #   request to this operation. When you include a pagination token in
+    #   your request, Amazon Cognito returns the next set of items in the
+    #   list. By use of this token, you can paginate through the full list
+    #   of items.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUsersResponse AWS API Documentation
@@ -6425,7 +6649,9 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] temporary_password_validity_days
     #   The number of days a temporary password is valid in the password
     #   policy. If the user doesn't sign in during this time, an
-    #   administrator must reset their password.
+    #   administrator must reset their password. Defaults to `7`. If you
+    #   submit a value of `0`, Amazon Cognito treats it as a null value and
+    #   sets `TemporaryPasswordValidityDays` to its default value.
     #
     #   <note markdown="1"> When you set `TemporaryPasswordValidityDays` for a user pool, you
     #   can no longer set a value for the legacy `UnusedAccountValidityDays`
@@ -6461,6 +6687,32 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # The properties of a pre token generation Lambda trigger.
+    #
+    # @!attribute [rw] lambda_version
+    #   The user pool trigger version of the request that Amazon Cognito
+    #   sends to your Lambda function. Higher-numbered versions add fields
+    #   that support new features.
+    #   @return [String]
+    #
+    # @!attribute [rw] lambda_arn
+    #   The Amazon Resource Name (ARN) of the function that you want to
+    #   assign to your Lambda trigger.
+    #
+    #   This parameter and the `PreTokenGeneration` property of
+    #   `LambdaConfig` have the same value. For new instances of pre token
+    #   generation triggers, set `LambdaArn`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/PreTokenGenerationVersionConfigType AWS API Documentation
+    #
+    class PreTokenGenerationVersionConfigType < Struct.new(
+      :lambda_version,
+      :lambda_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when a precondition is not met.
     #
     # @!attribute [rw] message
@@ -6577,8 +6829,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::UserContextDataType]
     #
     # @!attribute [rw] username
-    #   The `username` attribute of the user to whom you want to resend a
-    #   confirmation code.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
@@ -6743,32 +6998,45 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] challenge_responses
-    #   The challenge responses. These are inputs corresponding to the value
-    #   of `ChallengeName`, for example:
+    #   The responses to the challenge that you received in the previous
+    #   request. Each challenge has its own required response parameters.
+    #   The following examples are partial JSON request bodies that
+    #   highlight challenge-response parameters.
     #
-    #   <note markdown="1"> `SECRET_HASH` (if app client is configured with client secret)
-    #   applies to all of the inputs that follow (including
-    #   `SOFTWARE_TOKEN_MFA`).
+    #   You must provide a SECRET\_HASH parameter in all challenge responses
+    #   to an app client that has a client secret.
     #
-    #    </note>
+    #   SMS\_MFA
     #
-    #   * `SMS_MFA`: `SMS_MFA_CODE`, `USERNAME`.
+    #   : `"ChallengeName": "SMS_MFA", "ChallengeResponses":
+    #     \{"SMS_MFA_CODE": "[SMS_code]", "USERNAME": "[username]"\}`
     #
-    #   * `PASSWORD_VERIFIER`: `PASSWORD_CLAIM_SIGNATURE`,
-    #     `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
+    #   PASSWORD\_VERIFIER
     #
-    #     <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when you sign in with a
-    #     remembered device.
+    #   : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
+    #     \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
+    #     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
+    #     [timestamp], "USERNAME": "[username]"\}`
     #
-    #      </note>
+    #     Add `"DEVICE_KEY"` when you sign in with a remembered device.
     #
-    #   * `NEW_PASSWORD_REQUIRED`: `NEW_PASSWORD`, `USERNAME`, `SECRET_HASH`
-    #     (if app client is configured with client secret). To set any
-    #     required attributes that Amazon Cognito returned as
-    #     `requiredAttributes` in the `InitiateAuth` response, add a
-    #     `userAttributes.attributename ` parameter. This parameter can also
-    #     set values for writable attributes that aren't required by your
-    #     user pool.
+    #   CUSTOM\_CHALLENGE
+    #
+    #   : `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}`
+    #
+    #     Add `"DEVICE_KEY"` when you sign in with a remembered device.
+    #
+    #   NEW\_PASSWORD\_REQUIRED
+    #
+    #   : `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses":
+    #     \{"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"\}`
+    #
+    #     To set any required attributes that `InitiateAuth` returned in an
+    #     `requiredAttributes` parameter, add
+    #     `"userAttributes.[attribute_name]": "[attribute_value]"`. This
+    #     parameter can also set values for writable attributes that aren't
+    #     required by your user pool.
     #
     #     <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
     #     a required attribute that already has a value. In
@@ -6779,18 +7047,37 @@ module Aws::CognitoIdentityProvider
     #
     #      </note>
     #
-    #   * `SOFTWARE_TOKEN_MFA`: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE` are
-    #     required attributes.
+    #   SOFTWARE\_TOKEN\_MFA
     #
-    #   * `DEVICE_SRP_AUTH` requires `USERNAME`, `DEVICE_KEY`, `SRP_A` (and
-    #     `SECRET_HASH`).
+    #   : `"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
+    #     [authenticator_code]\}`
     #
-    #   * `DEVICE_PASSWORD_VERIFIER` requires everything that
-    #     `PASSWORD_VERIFIER` requires, plus `DEVICE_KEY`.
+    #   DEVICE\_SRP\_AUTH
     #
-    #   * `MFA_SETUP` requires `USERNAME`, plus you must use the session
-    #     value returned by `VerifySoftwareToken` in the `Session`
-    #     parameter.
+    #   : `"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
+    #     "[srp_a]"\}`
+    #
+    #   DEVICE\_PASSWORD\_VERIFIER
+    #
+    #   : `"ChallengeName": "DEVICE_PASSWORD_VERIFIER",
+    #     "ChallengeResponses": \{"DEVICE_KEY": "[device_key]",
+    #     "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
+    #     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
+    #     [timestamp], "USERNAME": "[username]"\}`
+    #
+    #   MFA\_SETUP
+    #
+    #   : `"ChallengeName": "MFA_SETUP", "ChallengeResponses": \{"USERNAME":
+    #     "[username]"\}, "SESSION": "[Session ID from
+    #     VerifySoftwareToken]"`
+    #
+    #   SELECT\_MFA\_TYPE
+    #
+    #   : `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses":
+    #     \{"USERNAME": "[username]", "ANSWER": "[SMS_MFA or
+    #     SOFTWARE_TOKEN_MFA]"\}`
     #
     #   For more information about `SECRET_HASH`, see [Computing secret hash
     #   values][1]. For information about `DEVICE_KEY`, see [Working with
@@ -7052,12 +7339,23 @@ module Aws::CognitoIdentityProvider
     # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
     #
     # @!attribute [rw] name
-    #   The name of your user pool attribute, for example `username` or
-    #   `custom:costcenter`.
+    #   The name of your user pool attribute. When you create or update a
+    #   user pool, adding a schema attribute creates a custom or
+    #   developer-only attribute. When you add an attribute with a `Name`
+    #   value of `MyAttribute`, Amazon Cognito creates the custom attribute
+    #   `custom:MyAttribute`. When `DeveloperOnlyAttribute` is `true`,
+    #   Amazon Cognito creates your attribute as `dev:MyAttribute`. In an
+    #   operation that describes a user pool, Amazon Cognito returns this
+    #   value as `value` for standard attributes, `custom:value` for custom
+    #   attributes, and `dev:value` for developer-only attributes..
     #   @return [String]
     #
     # @!attribute [rw] attribute_data_type
-    #   The data format of the values for your attribute.
+    #   The data format of the values for your attribute. When you choose an
+    #   `AttributeDataType`, Amazon Cognito validates the input against the
+    #   data type. A custom attribute value in your user's ID token is
+    #   always a string, for example `"custom:isMember" : "true"` or
+    #   `"custom:YearsAsMember" : "12"`.
     #   @return [String]
     #
     # @!attribute [rw] developer_only_attribute
@@ -7395,7 +7693,9 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user you want to register.
+    #   The username of the user that you want to sign up. The value of this
+    #   parameter is typically a username, but can be any alias attribute in
+    #   your user pool.
     #   @return [String]
     #
     # @!attribute [rw] password
@@ -7410,7 +7710,24 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] validation_data
-    #   The validation data in the request to register a user.
+    #   Temporary user attributes that contribute to the outcomes of your
+    #   pre sign-up Lambda trigger. This set of key-value pairs are for
+    #   custom validation of information that you collect from your users
+    #   but don't need to retain.
+    #
+    #   Your Lambda function can analyze this additional data and act on it.
+    #   Your function might perform external API operations like logging
+    #   user attributes and validation data to Amazon CloudWatch Logs.
+    #   Validation data might also affect the response that your function
+    #   returns to Amazon Cognito, like automatically confirming the user if
+    #   they sign up from within your network.
+    #
+    #   For more information about the pre sign-up Lambda trigger, see [Pre
+    #   sign-up Lambda trigger][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] analytics_metadata
@@ -8002,7 +8319,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user pool username.
+    #   The username of the user that you want to query or modify. The value
+    #   of this parameter is typically your user's username, but it can be
+    #   any of their alias attributes. If `username` isn't an alias
+    #   attribute in your user pool, you can also use their `sub` in this
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] event_id
@@ -8366,11 +8687,56 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::TokenValidityUnitsType]
     #
     # @!attribute [rw] read_attributes
-    #   The read-only attributes of the user pool.
+    #   The list of user attributes that you want your app client to have
+    #   read-only access to. After your user authenticates in your app,
+    #   their access token authorizes them to read their own attribute value
+    #   for any attribute in this list. An example of this kind of activity
+    #   is when your user selects a link to view their profile information.
+    #   Your app makes a [GetUser][1] API request to retrieve and display
+    #   your user's profile data.
+    #
+    #   When you don't specify the `ReadAttributes` for your app client,
+    #   your app can read the values of `email_verified`,
+    #   `phone_number_verified`, and the Standard attributes of your user
+    #   pool. When your user pool has read access to these default
+    #   attributes, `ReadAttributes` doesn't return any information. Amazon
+    #   Cognito only populates `ReadAttributes` in the API response if you
+    #   have specified your own custom set of read attributes.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] write_attributes
-    #   The writeable attributes of the user pool.
+    #   The list of user attributes that you want your app client to have
+    #   write access to. After your user authenticates in your app, their
+    #   access token authorizes them to set or modify their own attribute
+    #   value for any attribute in this list. An example of this kind of
+    #   activity is when you present your user with a form to update their
+    #   profile information and they change their last name. Your app then
+    #   makes an [UpdateUserAttributes][1] API request and sets
+    #   `family_name` to the new value.
+    #
+    #   When you don't specify the `WriteAttributes` for your app client,
+    #   your app can write the values of the Standard attributes of your
+    #   user pool. When your user pool has write access to these default
+    #   attributes, `WriteAttributes` doesn't return any information.
+    #   Amazon Cognito only populates `WriteAttributes` in the API response
+    #   if you have specified your own custom set of write attributes.
+    #
+    #   If your app client allows users to sign in through an IdP, this
+    #   array must include all attributes that you have mapped to IdP
+    #   attributes. Amazon Cognito updates mapped attributes when users sign
+    #   in to your application through an IdP. If your app client does not
+    #   have write access to a mapped attribute, Amazon Cognito throws an
+    #   error when it tries to update the attribute. For more information,
+    #   see [Specifying IdP Attribute Mappings for Your user pool][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
@@ -9266,11 +9632,56 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::TokenValidityUnitsType]
     #
     # @!attribute [rw] read_attributes
-    #   The Read-only attributes.
+    #   The list of user attributes that you want your app client to have
+    #   read-only access to. After your user authenticates in your app,
+    #   their access token authorizes them to read their own attribute value
+    #   for any attribute in this list. An example of this kind of activity
+    #   is when your user selects a link to view their profile information.
+    #   Your app makes a [GetUser][1] API request to retrieve and display
+    #   your user's profile data.
+    #
+    #   When you don't specify the `ReadAttributes` for your app client,
+    #   your app can read the values of `email_verified`,
+    #   `phone_number_verified`, and the Standard attributes of your user
+    #   pool. When your user pool has read access to these default
+    #   attributes, `ReadAttributes` doesn't return any information. Amazon
+    #   Cognito only populates `ReadAttributes` in the API response if you
+    #   have specified your own custom set of read attributes.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] write_attributes
-    #   The writeable attributes.
+    #   The list of user attributes that you want your app client to have
+    #   write access to. After your user authenticates in your app, their
+    #   access token authorizes them to set or modify their own attribute
+    #   value for any attribute in this list. An example of this kind of
+    #   activity is when you present your user with a form to update their
+    #   profile information and they change their last name. Your app then
+    #   makes an [UpdateUserAttributes][1] API request and sets
+    #   `family_name` to the new value.
+    #
+    #   When you don't specify the `WriteAttributes` for your app client,
+    #   your app can write the values of the Standard attributes of your
+    #   user pool. When your user pool has write access to these default
+    #   attributes, `WriteAttributes` doesn't return any information.
+    #   Amazon Cognito only populates `WriteAttributes` in the API response
+    #   if you have specified your own custom set of write attributes.
+    #
+    #   If your app client allows users to sign in through an IdP, this
+    #   array must include all attributes that you have mapped to IdP
+    #   attributes. Amazon Cognito updates mapped attributes when users sign
+    #   in to your application through an IdP. If your app client does not
+    #   have write access to a mapped attribute, Amazon Cognito throws an
+    #   error when it tries to update the attribute. For more information,
+    #   see [Specifying IdP Attribute Mappings for Your user pool][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
@@ -9639,7 +10050,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::LambdaConfigType]
     #
     # @!attribute [rw] status
-    #   The status of a user pool.
+    #   This parameter is no longer used.
     #   @return [String]
     #
     # @!attribute [rw] last_modified_date