aws-sdk-cognitoidentityprovider 1.38.0 → 1.43.0

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -12,6 +14,7 @@ module Aws::CognitoIdentityProvider
     include Seahorse::Model
 
     AWSAccountIdType = Shapes::StringShape.new(name: 'AWSAccountIdType')
+    AccessTokenValidityType = Shapes::IntegerShape.new(name: 'AccessTokenValidityType')
     AccountRecoverySettingType = Shapes::StructureShape.new(name: 'AccountRecoverySettingType')
     AccountTakeoverActionNotifyType = Shapes::BooleanShape.new(name: 'AccountTakeoverActionNotifyType')
     AccountTakeoverActionType = Shapes::StructureShape.new(name: 'AccountTakeoverActionType')
@@ -241,6 +244,7 @@ module Aws::CognitoIdentityProvider
     HexStringType = Shapes::StringShape.new(name: 'HexStringType')
     HttpHeader = Shapes::StructureShape.new(name: 'HttpHeader')
     HttpHeaderList = Shapes::ListShape.new(name: 'HttpHeaderList')
+    IdTokenValidityType = Shapes::IntegerShape.new(name: 'IdTokenValidityType')
     IdentityProviderType = Shapes::StructureShape.new(name: 'IdentityProviderType')
     IdentityProviderTypeType = Shapes::StringShape.new(name: 'IdentityProviderTypeType')
     IdpIdentifierType = Shapes::StringShape.new(name: 'IdpIdentifierType')
@@ -387,7 +391,9 @@ module Aws::CognitoIdentityProvider
     TagResourceResponse = Shapes::StructureShape.new(name: 'TagResourceResponse')
     TagValueType = Shapes::StringShape.new(name: 'TagValueType')
     TemporaryPasswordValidityDaysType = Shapes::IntegerShape.new(name: 'TemporaryPasswordValidityDaysType')
+    TimeUnitsType = Shapes::StringShape.new(name: 'TimeUnitsType')
     TokenModelType = Shapes::StringShape.new(name: 'TokenModelType')
+    TokenValidityUnitsType = Shapes::StructureShape.new(name: 'TokenValidityUnitsType')
     TooManyFailedAttemptsException = Shapes::StructureShape.new(name: 'TooManyFailedAttemptsException')
     TooManyRequestsException = Shapes::StructureShape.new(name: 'TooManyRequestsException')
     UICustomizationType = Shapes::StructureShape.new(name: 'UICustomizationType')
@@ -891,6 +897,9 @@ module Aws::CognitoIdentityProvider
     CreateUserPoolClientRequest.add_member(:client_name, Shapes::ShapeRef.new(shape: ClientNameType, required: true, location_name: "ClientName"))
     CreateUserPoolClientRequest.add_member(:generate_secret, Shapes::ShapeRef.new(shape: GenerateSecret, location_name: "GenerateSecret"))
     CreateUserPoolClientRequest.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
+    CreateUserPoolClientRequest.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
+    CreateUserPoolClientRequest.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
+    CreateUserPoolClientRequest.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
     CreateUserPoolClientRequest.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
     CreateUserPoolClientRequest.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
     CreateUserPoolClientRequest.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -1620,6 +1629,11 @@ module Aws::CognitoIdentityProvider
 
     TagResourceResponse.struct_class = Types::TagResourceResponse
 
+    TokenValidityUnitsType.add_member(:access_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "AccessToken"))
+    TokenValidityUnitsType.add_member(:id_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "IdToken"))
+    TokenValidityUnitsType.add_member(:refresh_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "RefreshToken"))
+    TokenValidityUnitsType.struct_class = Types::TokenValidityUnitsType
+
     TooManyFailedAttemptsException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
     TooManyFailedAttemptsException.struct_class = Types::TooManyFailedAttemptsException
 
@@ -1707,6 +1721,9 @@ module Aws::CognitoIdentityProvider
     UpdateUserPoolClientRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, required: true, location_name: "ClientId"))
     UpdateUserPoolClientRequest.add_member(:client_name, Shapes::ShapeRef.new(shape: ClientNameType, location_name: "ClientName"))
     UpdateUserPoolClientRequest.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
+    UpdateUserPoolClientRequest.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
+    UpdateUserPoolClientRequest.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
+    UpdateUserPoolClientRequest.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
     UpdateUserPoolClientRequest.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
     UpdateUserPoolClientRequest.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
     UpdateUserPoolClientRequest.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -1807,6 +1824,9 @@ module Aws::CognitoIdentityProvider
     UserPoolClientType.add_member(:last_modified_date, Shapes::ShapeRef.new(shape: DateType, location_name: "LastModifiedDate"))
     UserPoolClientType.add_member(:creation_date, Shapes::ShapeRef.new(shape: DateType, location_name: "CreationDate"))
     UserPoolClientType.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
+    UserPoolClientType.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
+    UserPoolClientType.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
+    UserPoolClientType.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
     UserPoolClientType.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
     UserPoolClientType.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
     UserPoolClientType.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -2395,6 +2415,7 @@ module Aws::CognitoIdentityProvider
         o.http_request_uri = "/"
         o.input = Shapes::ShapeRef.new(shape: AssociateSoftwareTokenRequest)
         o.output = Shapes::ShapeRef.new(shape: AssociateSoftwareTokenResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
@@ -2993,6 +3014,7 @@ module Aws::CognitoIdentityProvider
         o.name = "InitiateAuth"
         o.http_method = "POST"
         o.http_request_uri = "/"
+        o['authtype'] = "none"
         o.input = Shapes::ShapeRef.new(shape: InitiateAuthRequest)
         o.output = Shapes::ShapeRef.new(shape: InitiateAuthResponse)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
@@ -3213,6 +3235,7 @@ module Aws::CognitoIdentityProvider
         o.name = "RespondToAuthChallenge"
         o.http_method = "POST"
         o.http_request_uri = "/"
+        o['authtype'] = "none"
         o.input = Shapes::ShapeRef.new(shape: RespondToAuthChallengeRequest)
         o.output = Shapes::ShapeRef.new(shape: RespondToAuthChallengeResponse)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)

data/lib/aws-sdk-cognitoidentityprovider/customizations.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:

data/lib/aws-sdk-cognitoidentityprovider/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-cognitoidentityprovider/resource.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -30,6 +32,7 @@ module Aws::CognitoIdentityProvider
     #
     class AccountRecoverySettingType < Struct.new(
       :recovery_mechanisms)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -66,6 +69,7 @@ module Aws::CognitoIdentityProvider
     class AccountTakeoverActionType < Struct.new(
       :notify,
       :event_action)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -107,6 +111,7 @@ module Aws::CognitoIdentityProvider
       :low_action,
       :medium_action,
       :high_action)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -166,6 +171,7 @@ module Aws::CognitoIdentityProvider
     class AccountTakeoverRiskConfigurationType < Struct.new(
       :notify_configuration,
       :actions)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -209,6 +215,7 @@ module Aws::CognitoIdentityProvider
     class AddCustomAttributesRequest < Struct.new(
       :user_pool_id,
       :custom_attributes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -246,6 +253,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :group_name)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -314,6 +322,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :client_metadata)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -375,6 +384,7 @@ module Aws::CognitoIdentityProvider
       :allow_admin_create_user_only,
       :unused_account_validity_days,
       :invite_message_template)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -421,10 +431,11 @@ module Aws::CognitoIdentityProvider
     #   An array of name-value pairs that contain user attributes and
     #   attribute values to be set for the user to be created. You can
     #   create a user without specifying any attributes other than
-    #   `Username`. However, any attributes that you specify as required (in
-    #   or in the **Attributes** tab of the console) must be supplied either
-    #   by you (in your call to `AdminCreateUser`) or by the user (when he
-    #   or she signs up in response to your welcome message).
+    #   `Username`. However, any attributes that you specify as required
+    #   (when creating a user pool or in the **Attributes** tab of the
+    #   console) must be supplied either by you (in your call to
+    #   `AdminCreateUser`) or by the user (when he or she signs up in
+    #   response to your welcome message).
     #
     #   For custom attributes, you must prepend the `custom:` prefix to the
     #   attribute name.
@@ -436,7 +447,8 @@ module Aws::CognitoIdentityProvider
     #
     #   In your call to `AdminCreateUser`, you can set the `email_verified`
     #   attribute to `True`, and you can set the `phone_number_verified`
-    #   attribute to `True`. (You can also do this by calling .)
+    #   attribute to `True`. (You can also do this by calling
+    #   [AdminUpdateUserAttributes][1].)
     #
     #   * **email**\: The email address of the user to whom the message that
     #     contains the code and username will be sent. Required if the
@@ -447,6 +459,10 @@ module Aws::CognitoIdentityProvider
     #     message that contains the code and username will be sent. Required
     #     if the `phone_number_verified` attribute is set to `True`, or if
     #     `"SMS"` is specified in the `DesiredDeliveryMediums` parameter.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] validation_data
@@ -563,6 +579,7 @@ module Aws::CognitoIdentityProvider
       :message_action,
       :desired_delivery_mediums,
       :client_metadata)
+      SENSITIVE = [:username, :temporary_password]
       include Aws::Structure
     end
 
@@ -577,6 +594,7 @@ module Aws::CognitoIdentityProvider
     #
     class AdminCreateUserResponse < Struct.new(
       :user)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -615,6 +633,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :user_attribute_names)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -649,6 +668,7 @@ module Aws::CognitoIdentityProvider
     class AdminDeleteUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -677,6 +697,7 @@ module Aws::CognitoIdentityProvider
     class AdminDisableProviderForUserRequest < Struct.new(
       :user_pool_id,
       :user)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -708,6 +729,7 @@ module Aws::CognitoIdentityProvider
     class AdminDisableUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -742,6 +764,7 @@ module Aws::CognitoIdentityProvider
     class AdminEnableUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -781,6 +804,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :device_key)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -813,6 +837,7 @@ module Aws::CognitoIdentityProvider
       :device_key,
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -826,6 +851,7 @@ module Aws::CognitoIdentityProvider
     #
     class AdminGetDeviceResponse < Struct.new(
       :device)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -853,6 +879,7 @@ module Aws::CognitoIdentityProvider
     class AdminGetUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -905,8 +932,8 @@ module Aws::CognitoIdentityProvider
     #   *This response parameter is no longer supported.* It provides
     #   information only about SMS MFA configurations. It doesn't provide
     #   information about TOTP software token MFA configurations. To look up
-    #   information about either type of MFA configuration, use the
-    #   AdminGetUserResponse$UserMFASettingList response instead.
+    #   information about either type of MFA configuration, use
+    #   UserMFASettingList instead.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @!attribute [rw] preferred_mfa_setting
@@ -930,6 +957,7 @@ module Aws::CognitoIdentityProvider
       :mfa_options,
       :preferred_mfa_setting,
       :user_mfa_setting_list)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1020,18 +1048,20 @@ module Aws::CognitoIdentityProvider
     #
     #   * For `USER_SRP_AUTH`\: `USERNAME` (required), `SRP_A` (required),
     #     `SECRET_HASH` (required if the app client is configured with a
-    #     client secret), `DEVICE_KEY`
+    #     client secret), `DEVICE_KEY`.
     #
     #   * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`\: `REFRESH_TOKEN`
     #     (required), `SECRET_HASH` (required if the app client is
-    #     configured with a client secret), `DEVICE_KEY`
+    #     configured with a client secret), `DEVICE_KEY`.
     #
     #   * For `ADMIN_NO_SRP_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if
     #     app client is configured with client secret), `PASSWORD`
-    #     (required), `DEVICE_KEY`
+    #     (required), `DEVICE_KEY`.
     #
     #   * For `CUSTOM_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if app
-    #     client is configured with client secret), `DEVICE_KEY`
+    #     client is configured with client secret), `DEVICE_KEY`. To start
+    #     the authentication flow with password verification, include
+    #     `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_metadata
@@ -1119,6 +1149,7 @@ module Aws::CognitoIdentityProvider
       :client_metadata,
       :analytics_metadata,
       :context_data)
+      SENSITIVE = [:client_id, :auth_parameters]
       include Aws::Structure
     end
 
@@ -1205,6 +1236,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1281,6 +1313,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :destination_user,
       :source_user)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1323,6 +1356,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :limit,
       :pagination_token)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1341,6 +1375,7 @@ module Aws::CognitoIdentityProvider
     class AdminListDevicesResponse < Struct.new(
       :devices,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1379,6 +1414,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :limit,
       :next_token)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1397,6 +1433,7 @@ module Aws::CognitoIdentityProvider
     class AdminListGroupsForUserResponse < Struct.new(
       :groups,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1433,6 +1470,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :max_results,
       :next_token)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1450,6 +1488,7 @@ module Aws::CognitoIdentityProvider
     class AdminListUserAuthEventsResponse < Struct.new(
       :auth_events,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1480,6 +1519,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :group_name)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1551,6 +1591,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :client_metadata)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1604,7 +1645,12 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] challenge_name
-    #   The challenge name. For more information, see .
+    #   The challenge name. For more information, see
+    #   [AdminInitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] challenge_responses
@@ -1705,25 +1751,36 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :context_data,
       :client_metadata)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
     # Responds to the authentication challenge, as an administrator.
     #
     # @!attribute [rw] challenge_name
-    #   The name of the challenge. For more information, see .
+    #   The name of the challenge. For more information, see
+    #   [AdminInitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] session
     #   The session which should be passed both ways in challenge-response
-    #   calls to the service. If the or API call determines that the caller
-    #   needs to go through another challenge, they return a session with
-    #   other challenge parameters. This session should be passed as it is
-    #   to the next `RespondToAuthChallenge` API call.
+    #   calls to the service. If the caller needs to go through another
+    #   challenge, they return a session with other challenge parameters.
+    #   This session should be passed as it is to the next
+    #   `RespondToAuthChallenge` API call.
     #   @return [String]
     #
     # @!attribute [rw] challenge_parameters
-    #   The challenge parameters. For more information, see .
+    #   The challenge parameters. For more information, see
+    #   [AdminInitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] authentication_result
@@ -1738,6 +1795,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1780,6 +1838,7 @@ module Aws::CognitoIdentityProvider
       :software_token_mfa_settings,
       :username,
       :user_pool_id)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1821,6 +1880,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :password,
       :permanent)
+      SENSITIVE = [:username, :password]
       include Aws::Structure
     end
 
@@ -1865,6 +1925,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :mfa_options)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1908,6 +1969,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :event_id,
       :feedback_value)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1950,6 +2012,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :device_key,
       :device_remembered_status)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -2043,6 +2106,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :user_attributes,
       :client_metadata)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -2076,6 +2140,7 @@ module Aws::CognitoIdentityProvider
     class AdminUserGlobalSignOutRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -2098,15 +2163,17 @@ module Aws::CognitoIdentityProvider
     #
     class AliasExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # The Amazon Pinpoint analytics configuration for collecting metrics for
     # a user pool.
     #
-    # <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
-    # projects in the US East (N. Virginia) us-east-1 Region, regardless of
-    # the region in which the user pool resides.
+    # <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
+    # supports sending events to Amazon Pinpoint projects in us-east-1. In
+    # regions where Pinpoint is available, Cognito User Pools will support
+    # sending events to Amazon Pinpoint projects within that same region.
     #
     #  </note>
     #
@@ -2145,6 +2212,7 @@ module Aws::CognitoIdentityProvider
       :role_arn,
       :external_id,
       :user_data_shared)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2174,6 +2242,7 @@ module Aws::CognitoIdentityProvider
     #
     class AnalyticsMetadataType < Struct.new(
       :analytics_endpoint_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2200,6 +2269,7 @@ module Aws::CognitoIdentityProvider
     class AssociateSoftwareTokenRequest < Struct.new(
       :access_token,
       :session)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -2219,6 +2289,7 @@ module Aws::CognitoIdentityProvider
     class AssociateSoftwareTokenResponse < Struct.new(
       :secret_code,
       :session)
+      SENSITIVE = [:secret_code]
       include Aws::Structure
     end
 
@@ -2245,6 +2316,7 @@ module Aws::CognitoIdentityProvider
     class AttributeType < Struct.new(
       :name,
       :value)
+      SENSITIVE = [:value]
       include Aws::Structure
     end
 
@@ -2296,6 +2368,7 @@ module Aws::CognitoIdentityProvider
       :challenge_responses,
       :event_context_data,
       :event_feedback)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2334,6 +2407,7 @@ module Aws::CognitoIdentityProvider
       :refresh_token,
       :id_token,
       :new_device_metadata)
+      SENSITIVE = [:access_token, :refresh_token, :id_token]
       include Aws::Structure
     end
 
@@ -2352,6 +2426,7 @@ module Aws::CognitoIdentityProvider
     class ChallengeResponseType < Struct.new(
       :challenge_name,
       :challenge_response)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2384,6 +2459,7 @@ module Aws::CognitoIdentityProvider
       :previous_password,
       :proposed_password,
       :access_token)
+      SENSITIVE = [:previous_password, :proposed_password, :access_token]
       include Aws::Structure
     end
 
@@ -2413,6 +2489,7 @@ module Aws::CognitoIdentityProvider
       :destination,
       :delivery_medium,
       :attribute_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2428,6 +2505,7 @@ module Aws::CognitoIdentityProvider
     #
     class CodeDeliveryFailureException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2442,6 +2520,7 @@ module Aws::CognitoIdentityProvider
     #
     class CodeMismatchException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2462,6 +2541,7 @@ module Aws::CognitoIdentityProvider
     #
     class CompromisedCredentialsActionsType < Struct.new(
       :event_action)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2491,6 +2571,7 @@ module Aws::CognitoIdentityProvider
     class CompromisedCredentialsRiskConfigurationType < Struct.new(
       :event_filter,
       :actions)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2505,6 +2586,7 @@ module Aws::CognitoIdentityProvider
     #
     class ConcurrentModificationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2546,6 +2628,7 @@ module Aws::CognitoIdentityProvider
       :device_key,
       :device_secret_verifier_config,
       :device_name)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -2560,6 +2643,7 @@ module Aws::CognitoIdentityProvider
     #
     class ConfirmDeviceResponse < Struct.new(
       :user_confirmation_necessary)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2602,7 +2686,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] confirmation_code
     #   The confirmation code sent by a user's request to retrieve a
-    #   forgotten password. For more information, see
+    #   forgotten password. For more information, see [ForgotPassword][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html
     #   @return [String]
     #
     # @!attribute [rw] password
@@ -2671,6 +2759,7 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username, :password]
       include Aws::Structure
     end
 
@@ -2793,6 +2882,7 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username]
       include Aws::Structure
     end
 
@@ -2851,6 +2941,7 @@ module Aws::CognitoIdentityProvider
       :server_path,
       :http_headers,
       :encoded_data)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2909,6 +3000,7 @@ module Aws::CognitoIdentityProvider
       :description,
       :role_arn,
       :precedence)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2920,6 +3012,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateGroupResponse < Struct.new(
       :group)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2955,7 +3048,7 @@ module Aws::CognitoIdentityProvider
     #   The identity provider details. The following list describes the
     #   provider detail keys for each identity provider type.
     #
-    #   * For Google, Facebook and Login with Amazon:
+    #   * For Google and Login with Amazon:
     #
     #     * client\_id
     #
@@ -2963,6 +3056,16 @@ module Aws::CognitoIdentityProvider
     #
     #     * authorize\_scopes
     #
+    #   * For Facebook:
+    #
+    #     * client\_id
+    #
+    #     * client\_secret
+    #
+    #     * authorize\_scopes
+    #
+    #     * api\_version
+    #
     #   * For Sign in with Apple:
     #
     #     * client\_id
@@ -2999,8 +3102,6 @@ module Aws::CognitoIdentityProvider
     #     * jwks\_uri *if not available from discovery URL specified by
     #       oidc\_issuer key*
     #
-    #     * authorize\_scopes
-    #
     #   * For SAML providers:
     #
     #     * MetadataFile OR MetadataURL
@@ -3026,6 +3127,7 @@ module Aws::CognitoIdentityProvider
       :provider_details,
       :attribute_mapping,
       :idp_identifiers)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3037,6 +3139,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateIdentityProviderResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3081,6 +3184,7 @@ module Aws::CognitoIdentityProvider
       :identifier,
       :name,
       :scopes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3092,6 +3196,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateResourceServerResponse < Struct.new(
       :resource_server)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3126,6 +3231,7 @@ module Aws::CognitoIdentityProvider
       :job_name,
       :user_pool_id,
       :cloud_watch_logs_role_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3140,6 +3246,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3153,6 +3260,13 @@ module Aws::CognitoIdentityProvider
     #         client_name: "ClientNameType", # required
     #         generate_secret: false,
     #         refresh_token_validity: 1,
+    #         access_token_validity: 1,
+    #         id_token_validity: 1,
+    #         token_validity_units: {
+    #           access_token: "seconds", # accepts seconds, minutes, hours, days
+    #           id_token: "seconds", # accepts seconds, minutes, hours, days
+    #           refresh_token: "seconds", # accepts seconds, minutes, hours, days
+    #         },
     #         read_attributes: ["ClientPermissionType"],
     #         write_attributes: ["ClientPermissionType"],
     #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
@@ -3191,6 +3305,24 @@ module Aws::CognitoIdentityProvider
     #   valid and cannot be used.
     #   @return [Integer]
     #
+    # @!attribute [rw] access_token_validity
+    #   The time limit, between 5 minutes and 1 day, after which the access
+    #   token is no longer valid and cannot be used. This value will be
+    #   overridden if you have entered a value in TokenValidityUnits.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] id_token_validity
+    #   The time limit, between 5 minutes and 1 day, after which the ID
+    #   token is no longer valid and cannot be used. This value will be
+    #   overridden if you have entered a value in TokenValidityUnits.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] token_validity_units
+    #   The units in which the validity times are represented in. Default
+    #   for RefreshToken is days, and default for ID and access tokens are
+    #   hours.
+    #   @return [Types::TokenValidityUnitsType]
+    #
     # @!attribute [rw] read_attributes
     #   The read attributes.
     #   @return [Array<String>]
@@ -3327,9 +3459,10 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics configuration for collecting metrics
     #   for this user pool.
     #
-    #   <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
-    #   projects in the US East (N. Virginia) us-east-1 Region, regardless
-    #   of the region in which the user pool resides.
+    #   <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
+    #   supports sending events to Amazon Pinpoint projects in us-east-1. In
+    #   regions where Pinpoint is available, Cognito User Pools will support
+    #   sending events to Amazon Pinpoint projects within that same region.
     #
     #    </note>
     #   @return [Types::AnalyticsConfigurationType]
@@ -3352,24 +3485,6 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the old behavior of Cognito where user
     #     existence related errors are not prevented.
     #
-    #   This setting affects the behavior of following APIs:
-    #
-    #   * AdminInitiateAuth
-    #
-    #   * AdminRespondToAuthChallenge
-    #
-    #   * InitiateAuth
-    #
-    #   * RespondToAuthChallenge
-    #
-    #   * ForgotPassword
-    #
-    #   * ConfirmForgotPassword
-    #
-    #   * ConfirmSignUp
-    #
-    #   * ResendConfirmationCode
-    #
     #   <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
     #   will default to `ENABLED` for newly created user pool clients if no
     #   value is provided.
@@ -3384,6 +3499,9 @@ module Aws::CognitoIdentityProvider
       :client_name,
       :generate_secret,
       :refresh_token_validity,
+      :access_token_validity,
+      :id_token_validity,
+      :token_validity_units,
       :read_attributes,
       :write_attributes,
       :explicit_auth_flows,
@@ -3396,6 +3514,7 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3409,6 +3528,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserPoolClientResponse < Struct.new(
       :user_pool_client)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3453,6 +3573,7 @@ module Aws::CognitoIdentityProvider
       :domain,
       :user_pool_id,
       :custom_domain_config)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3465,6 +3586,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserPoolDomainResponse < Struct.new(
       :cloud_front_domain)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3681,7 +3803,11 @@ module Aws::CognitoIdentityProvider
     #   selected sign-in option. For example, when this is set to `False`,
     #   users will be able to sign in using either "username" or
     #   "Username". This configuration is immutable once it has been set.
-    #   For more information, see .
+    #   For more information, see [UsernameConfigurationType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html
     #   @return [Types::UsernameConfigurationType]
     #
     # @!attribute [rw] account_recovery_setting
@@ -3693,13 +3819,6 @@ module Aws::CognitoIdentityProvider
     #   enabled. In the absence of this setting, Cognito uses the legacy
     #   behavior to determine the recovery method where SMS is preferred
     #   over email.
-    #
-    #   <note markdown="1"> Starting February 1, 2020, the value of `AccountRecoverySetting`
-    #   will default to `verified_email` first and `verified_phone_number`
-    #   as the second option for newly created user pools if no value is
-    #   provided.
-    #
-    #    </note>
     #   @return [Types::AccountRecoverySettingType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolRequest AWS API Documentation
@@ -3726,6 +3845,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_add_ons,
       :username_configuration,
       :account_recovery_setting)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3740,6 +3860,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserPoolResponse < Struct.new(
       :user_pool)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3763,6 +3884,7 @@ module Aws::CognitoIdentityProvider
     #
     class CustomDomainConfigType < Struct.new(
       :certificate_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3787,6 +3909,7 @@ module Aws::CognitoIdentityProvider
     class DeleteGroupRequest < Struct.new(
       :group_name,
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3811,6 +3934,7 @@ module Aws::CognitoIdentityProvider
     class DeleteIdentityProviderRequest < Struct.new(
       :user_pool_id,
       :provider_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3835,6 +3959,7 @@ module Aws::CognitoIdentityProvider
     class DeleteResourceServerRequest < Struct.new(
       :user_pool_id,
       :identifier)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3865,6 +3990,7 @@ module Aws::CognitoIdentityProvider
     class DeleteUserAttributesRequest < Struct.new(
       :user_attribute_names,
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -3898,6 +4024,7 @@ module Aws::CognitoIdentityProvider
     class DeleteUserPoolClientRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -3922,6 +4049,7 @@ module Aws::CognitoIdentityProvider
     class DeleteUserPoolDomainRequest < Struct.new(
       :domain,
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3946,6 +4074,7 @@ module Aws::CognitoIdentityProvider
     #
     class DeleteUserPoolRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3966,6 +4095,7 @@ module Aws::CognitoIdentityProvider
     #
     class DeleteUserRequest < Struct.new(
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -3990,6 +4120,7 @@ module Aws::CognitoIdentityProvider
     class DescribeIdentityProviderRequest < Struct.new(
       :user_pool_id,
       :provider_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4001,6 +4132,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeIdentityProviderResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4025,6 +4157,7 @@ module Aws::CognitoIdentityProvider
     class DescribeResourceServerRequest < Struct.new(
       :user_pool_id,
       :identifier)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4036,6 +4169,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeResourceServerResponse < Struct.new(
       :resource_server)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4060,6 +4194,7 @@ module Aws::CognitoIdentityProvider
     class DescribeRiskConfigurationRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -4071,6 +4206,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeRiskConfigurationResponse < Struct.new(
       :risk_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4098,6 +4234,7 @@ module Aws::CognitoIdentityProvider
     class DescribeUserImportJobRequest < Struct.new(
       :user_pool_id,
       :job_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4112,6 +4249,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4138,6 +4276,7 @@ module Aws::CognitoIdentityProvider
     class DescribeUserPoolClientRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -4153,6 +4292,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolClientResponse < Struct.new(
       :user_pool_client)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4171,6 +4311,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolDomainRequest < Struct.new(
       :domain)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4182,6 +4323,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolDomainResponse < Struct.new(
       :domain_description)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4202,6 +4344,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4216,6 +4359,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolResponse < Struct.new(
       :user_pool)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4243,6 +4387,7 @@ module Aws::CognitoIdentityProvider
     class DeviceConfigurationType < Struct.new(
       :challenge_required_on_new_device,
       :device_only_remembered_on_user_prompt)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4269,6 +4414,7 @@ module Aws::CognitoIdentityProvider
     class DeviceSecretVerifierConfigType < Struct.new(
       :password_verifier,
       :salt)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4302,6 +4448,7 @@ module Aws::CognitoIdentityProvider
       :device_create_date,
       :device_last_modified_date,
       :device_last_authenticated_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4351,6 +4498,7 @@ module Aws::CognitoIdentityProvider
       :version,
       :status,
       :custom_domain_config)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4364,6 +4512,7 @@ module Aws::CognitoIdentityProvider
     #
     class DuplicateProviderException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4482,6 +4631,7 @@ module Aws::CognitoIdentityProvider
       :email_sending_account,
       :from,
       :configuration_set)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4496,6 +4646,7 @@ module Aws::CognitoIdentityProvider
     #
     class EnableSoftwareTokenMFAException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4530,6 +4681,7 @@ module Aws::CognitoIdentityProvider
       :timezone,
       :city,
       :country)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4553,6 +4705,7 @@ module Aws::CognitoIdentityProvider
       :feedback_value,
       :provider,
       :feedback_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4577,6 +4730,7 @@ module Aws::CognitoIdentityProvider
       :risk_decision,
       :risk_level,
       :compromised_credentials_detected)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4590,6 +4744,7 @@ module Aws::CognitoIdentityProvider
     #
     class ExpiredCodeException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4616,6 +4771,7 @@ module Aws::CognitoIdentityProvider
     class ForgetDeviceRequest < Struct.new(
       :access_token,
       :device_key)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -4714,6 +4870,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :analytics_metadata,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username]
       include Aws::Structure
     end
 
@@ -4729,6 +4886,7 @@ module Aws::CognitoIdentityProvider
     #
     class ForgotPasswordResponse < Struct.new(
       :code_delivery_details)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4751,6 +4909,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetCSVHeaderRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4771,6 +4930,7 @@ module Aws::CognitoIdentityProvider
     class GetCSVHeaderResponse < Struct.new(
       :user_pool_id,
       :csv_header)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4797,6 +4957,7 @@ module Aws::CognitoIdentityProvider
     class GetDeviceRequest < Struct.new(
       :device_key,
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -4810,6 +4971,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetDeviceResponse < Struct.new(
       :device)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4834,6 +4996,7 @@ module Aws::CognitoIdentityProvider
     class GetGroupRequest < Struct.new(
       :group_name,
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4845,6 +5008,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetGroupResponse < Struct.new(
       :group)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4869,6 +5033,7 @@ module Aws::CognitoIdentityProvider
     class GetIdentityProviderByIdentifierRequest < Struct.new(
       :user_pool_id,
       :idp_identifier)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4880,6 +5045,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetIdentityProviderByIdentifierResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4900,6 +5066,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetSigningCertificateRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4913,6 +5080,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetSigningCertificateResponse < Struct.new(
       :certificate)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4937,6 +5105,7 @@ module Aws::CognitoIdentityProvider
     class GetUICustomizationRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -4948,6 +5117,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUICustomizationResponse < Struct.new(
       :ui_customization)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5020,6 +5190,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :attribute_name,
       :client_metadata)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5035,6 +5206,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUserAttributeVerificationCodeResponse < Struct.new(
       :code_delivery_details)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5053,6 +5225,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUserPoolMfaConfigRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5081,6 +5254,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
       :mfa_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5102,6 +5276,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUserRequest < Struct.new(
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5124,8 +5299,8 @@ module Aws::CognitoIdentityProvider
     #   *This response parameter is no longer supported.* It provides
     #   information only about SMS MFA configurations. It doesn't provide
     #   information about TOTP software token MFA configurations. To look up
-    #   information about either type of MFA configuration, use the use the
-    #   GetUserResponse$UserMFASettingList response instead.
+    #   information about either type of MFA configuration, use
+    #   UserMFASettingList instead.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @!attribute [rw] preferred_mfa_setting
@@ -5145,6 +5320,7 @@ module Aws::CognitoIdentityProvider
       :mfa_options,
       :preferred_mfa_setting,
       :user_mfa_setting_list)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -5165,6 +5341,7 @@ module Aws::CognitoIdentityProvider
     #
     class GlobalSignOutRequest < Struct.new(
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5184,6 +5361,7 @@ module Aws::CognitoIdentityProvider
     #
     class GroupExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5243,6 +5421,7 @@ module Aws::CognitoIdentityProvider
       :precedence,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5269,6 +5448,7 @@ module Aws::CognitoIdentityProvider
     class HttpHeader < Struct.new(
       :header_name,
       :header_value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5290,7 +5470,7 @@ module Aws::CognitoIdentityProvider
     #   The identity provider details. The following list describes the
     #   provider detail keys for each identity provider type.
     #
-    #   * For Google, Facebook and Login with Amazon:
+    #   * For Google and Login with Amazon:
     #
     #     * client\_id
     #
@@ -5298,6 +5478,16 @@ module Aws::CognitoIdentityProvider
     #
     #     * authorize\_scopes
     #
+    #   * For Facebook:
+    #
+    #     * client\_id
+    #
+    #     * client\_secret
+    #
+    #     * authorize\_scopes
+    #
+    #     * api\_version
+    #
     #   * For Sign in with Apple:
     #
     #     * client\_id
@@ -5371,6 +5561,7 @@ module Aws::CognitoIdentityProvider
       :idp_identifiers,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5441,14 +5632,16 @@ module Aws::CognitoIdentityProvider
     #
     #   * For `USER_SRP_AUTH`\: `USERNAME` (required), `SRP_A` (required),
     #     `SECRET_HASH` (required if the app client is configured with a
-    #     client secret), `DEVICE_KEY`
+    #     client secret), `DEVICE_KEY`.
     #
     #   * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`\: `REFRESH_TOKEN`
     #     (required), `SECRET_HASH` (required if the app client is
-    #     configured with a client secret), `DEVICE_KEY`
+    #     configured with a client secret), `DEVICE_KEY`.
     #
     #   * For `CUSTOM_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if app
-    #     client is configured with client secret), `DEVICE_KEY`
+    #     client is configured with client secret), `DEVICE_KEY`. To start
+    #     the authentication flow with password verification, include
+    #     `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_metadata
@@ -5539,6 +5732,7 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :analytics_metadata,
       :user_context_data)
+      SENSITIVE = [:auth_parameters, :client_id]
       include Aws::Structure
     end
 
@@ -5579,10 +5773,10 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] session
     #   The session which should be passed both ways in challenge-response
-    #   calls to the service. If the or API call determines that the caller
-    #   needs to go through another challenge, they return a session with
-    #   other challenge parameters. This session should be passed as it is
-    #   to the next `RespondToAuthChallenge` API call.
+    #   calls to the service. If the caller needs to go through another
+    #   challenge, they return a session with other challenge parameters.
+    #   This session should be passed as it is to the next
+    #   `RespondToAuthChallenge` API call.
     #   @return [String]
     #
     # @!attribute [rw] challenge_parameters
@@ -5608,6 +5802,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5623,6 +5818,7 @@ module Aws::CognitoIdentityProvider
     #
     class InternalErrorException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5639,6 +5835,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidEmailRoleAccessPolicyException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5654,6 +5851,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidLambdaResponseException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5666,6 +5864,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidOAuthFlowException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5681,6 +5880,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidParameterException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5696,6 +5896,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidPasswordException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5711,6 +5912,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidSmsRoleAccessPolicyException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5729,6 +5931,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidSmsRoleTrustRelationshipException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5742,6 +5945,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidUserPoolConfigurationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5816,6 +6020,7 @@ module Aws::CognitoIdentityProvider
       :verify_auth_challenge_response,
       :pre_token_generation,
       :user_migration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5831,6 +6036,7 @@ module Aws::CognitoIdentityProvider
     #
     class LimitExceededException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5863,6 +6069,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :limit,
       :pagination_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5881,6 +6088,7 @@ module Aws::CognitoIdentityProvider
     class ListDevicesResponse < Struct.new(
       :devices,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5913,6 +6121,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :limit,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5931,6 +6140,7 @@ module Aws::CognitoIdentityProvider
     class ListGroupsResponse < Struct.new(
       :groups,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5961,6 +6171,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5977,6 +6188,7 @@ module Aws::CognitoIdentityProvider
     class ListIdentityProvidersResponse < Struct.new(
       :providers,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6007,6 +6219,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6023,6 +6236,7 @@ module Aws::CognitoIdentityProvider
     class ListResourceServersResponse < Struct.new(
       :resource_servers,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6042,6 +6256,7 @@ module Aws::CognitoIdentityProvider
     #
     class ListTagsForResourceRequest < Struct.new(
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6053,6 +6268,7 @@ module Aws::CognitoIdentityProvider
     #
     class ListTagsForResourceResponse < Struct.new(
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6088,6 +6304,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6108,6 +6325,7 @@ module Aws::CognitoIdentityProvider
     class ListUserImportJobsResponse < Struct.new(
       :user_import_jobs,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6144,6 +6362,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6164,6 +6383,7 @@ module Aws::CognitoIdentityProvider
     class ListUserPoolClientsResponse < Struct.new(
       :user_pool_clients,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6193,6 +6413,7 @@ module Aws::CognitoIdentityProvider
     class ListUserPoolsRequest < Struct.new(
       :next_token,
       :max_results)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6213,6 +6434,7 @@ module Aws::CognitoIdentityProvider
     class ListUserPoolsResponse < Struct.new(
       :user_pools,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6251,6 +6473,7 @@ module Aws::CognitoIdentityProvider
       :group_name,
       :limit,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6269,6 +6492,7 @@ module Aws::CognitoIdentityProvider
     class ListUsersInGroupResponse < Struct.new(
       :users,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6368,6 +6592,7 @@ module Aws::CognitoIdentityProvider
       :limit,
       :pagination_token,
       :filter)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6388,6 +6613,7 @@ module Aws::CognitoIdentityProvider
     class ListUsersResponse < Struct.new(
       :users,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6403,6 +6629,7 @@ module Aws::CognitoIdentityProvider
     #
     class MFAMethodNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6410,13 +6637,6 @@ module Aws::CognitoIdentityProvider
     # MFA configurations. You can't use it for TOTP software token MFA
     # configurations.
     #
-    # To set either type of MFA configuration, use the
-    # AdminSetUserMFAPreference or SetUserMFAPreference actions.
-    #
-    # To look up information about either type of MFA configuration, use the
-    # AdminGetUserResponse$UserMFASettingList or
-    # GetUserResponse$UserMFASettingList responses.
-    #
     # @note When making an API call, you may pass MFAOptionType
     #   data as a hash:
     #
@@ -6440,6 +6660,7 @@ module Aws::CognitoIdentityProvider
     class MFAOptionType < Struct.new(
       :delivery_medium,
       :attribute_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6472,6 +6693,7 @@ module Aws::CognitoIdentityProvider
       :sms_message,
       :email_message,
       :email_subject)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6490,6 +6712,7 @@ module Aws::CognitoIdentityProvider
     class NewDeviceMetadataType < Struct.new(
       :device_key,
       :device_group_key)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6504,6 +6727,7 @@ module Aws::CognitoIdentityProvider
     #
     class NotAuthorizedException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6571,6 +6795,7 @@ module Aws::CognitoIdentityProvider
       :block_email,
       :no_action_email,
       :mfa_email)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6603,6 +6828,7 @@ module Aws::CognitoIdentityProvider
       :subject,
       :html_body,
       :text_body)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6630,6 +6856,7 @@ module Aws::CognitoIdentityProvider
     class NumberAttributeConstraintsType < Struct.new(
       :min_value,
       :max_value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6695,6 +6922,7 @@ module Aws::CognitoIdentityProvider
       :require_numbers,
       :require_symbols,
       :temporary_password_validity_days)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6708,6 +6936,7 @@ module Aws::CognitoIdentityProvider
     #
     class PasswordResetRequiredException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6721,6 +6950,7 @@ module Aws::CognitoIdentityProvider
     #
     class PreconditionNotMetException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6749,6 +6979,7 @@ module Aws::CognitoIdentityProvider
       :provider_type,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6785,6 +7016,7 @@ module Aws::CognitoIdentityProvider
       :provider_name,
       :provider_attribute_name,
       :provider_attribute_value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6813,6 +7045,7 @@ module Aws::CognitoIdentityProvider
     class RecoveryOptionType < Struct.new(
       :priority,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6910,6 +7143,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :analytics_metadata,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username]
       include Aws::Structure
     end
 
@@ -6925,6 +7159,7 @@ module Aws::CognitoIdentityProvider
     #
     class ResendConfirmationCodeResponse < Struct.new(
       :code_delivery_details)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6940,6 +7175,7 @@ module Aws::CognitoIdentityProvider
     #
     class ResourceNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6966,6 +7202,7 @@ module Aws::CognitoIdentityProvider
     class ResourceServerScopeType < Struct.new(
       :scope_name,
       :scope_description)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6994,6 +7231,7 @@ module Aws::CognitoIdentityProvider
       :identifier,
       :name,
       :scopes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7025,9 +7263,13 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] challenge_name
-    #   The challenge name. For more information, see .
+    #   The challenge name. For more information, see [InitiateAuth][1].
     #
     #   `ADMIN_NO_SRP_AUTH` is not a valid value.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -7128,25 +7370,35 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
     # The response to respond to the authentication challenge.
     #
     # @!attribute [rw] challenge_name
-    #   The challenge name. For more information, see .
+    #   The challenge name. For more information, see [InitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] session
     #   The session which should be passed both ways in challenge-response
-    #   calls to the service. If the or API call determines that the caller
-    #   needs to go through another challenge, they return a session with
-    #   other challenge parameters. This session should be passed as it is
-    #   to the next `RespondToAuthChallenge` API call.
+    #   calls to the service. If the caller needs to go through another
+    #   challenge, they return a session with other challenge parameters.
+    #   This session should be passed as it is to the next
+    #   `RespondToAuthChallenge` API call.
     #   @return [String]
     #
     # @!attribute [rw] challenge_parameters
-    #   The challenge parameters. For more information, see .
+    #   The challenge parameters. For more information, see
+    #   [InitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] authentication_result
@@ -7161,6 +7413,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7202,6 +7455,7 @@ module Aws::CognitoIdentityProvider
       :account_takeover_risk_configuration,
       :risk_exception_configuration,
       :last_modified_date)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -7231,6 +7485,7 @@ module Aws::CognitoIdentityProvider
     class RiskExceptionConfigurationType < Struct.new(
       :blocked_ip_range_list,
       :skipped_ip_range_list)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7257,6 +7512,7 @@ module Aws::CognitoIdentityProvider
     class SMSMfaSettingsType < Struct.new(
       :enabled,
       :preferred_mfa)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7299,8 +7555,9 @@ module Aws::CognitoIdentityProvider
     #   Specifies whether the attribute type is developer only. This
     #   attribute can only be modified by an administrator. Users will not
     #   be able to modify this attribute using their access token. For
-    #   example, `DeveloperOnlyAttribute` can be modified using the API but
-    #   cannot be updated using the API.
+    #   example, `DeveloperOnlyAttribute` can be modified using
+    #   AdminUpdateUserAttributes but cannot be updated using
+    #   UpdateUserAttributes.
     #
     #
     #
@@ -7347,6 +7604,7 @@ module Aws::CognitoIdentityProvider
       :required,
       :number_attribute_constraints,
       :string_attribute_constraints)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7359,6 +7617,7 @@ module Aws::CognitoIdentityProvider
     #
     class ScopeDoesNotExistException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7451,6 +7710,7 @@ module Aws::CognitoIdentityProvider
       :compromised_credentials_risk_configuration,
       :account_takeover_risk_configuration,
       :risk_exception_configuration)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -7462,6 +7722,7 @@ module Aws::CognitoIdentityProvider
     #
     class SetRiskConfigurationResponse < Struct.new(
       :risk_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7498,6 +7759,7 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :css,
       :image_file)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -7509,6 +7771,7 @@ module Aws::CognitoIdentityProvider
     #
     class SetUICustomizationResponse < Struct.new(
       :ui_customization)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7545,6 +7808,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_settings,
       :software_token_mfa_settings,
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -7600,6 +7864,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
       :mfa_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7628,6 +7893,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
       :mfa_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7660,6 +7926,7 @@ module Aws::CognitoIdentityProvider
     class SetUserSettingsRequest < Struct.new(
       :access_token,
       :mfa_options)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -7794,6 +8061,7 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username, :password]
       include Aws::Structure
     end
 
@@ -7820,6 +8088,7 @@ module Aws::CognitoIdentityProvider
       :user_confirmed,
       :code_delivery_details,
       :user_sub)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7860,6 +8129,7 @@ module Aws::CognitoIdentityProvider
     class SmsConfigurationType < Struct.new(
       :sns_caller_arn,
       :external_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7893,6 +8163,7 @@ module Aws::CognitoIdentityProvider
     class SmsMfaConfigType < Struct.new(
       :sms_authentication_message,
       :sms_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7906,6 +8177,7 @@ module Aws::CognitoIdentityProvider
     #
     class SoftwareTokenMFANotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7926,6 +8198,7 @@ module Aws::CognitoIdentityProvider
     #
     class SoftwareTokenMfaConfigType < Struct.new(
       :enabled)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7952,6 +8225,7 @@ module Aws::CognitoIdentityProvider
     class SoftwareTokenMfaSettingsType < Struct.new(
       :enabled,
       :preferred_mfa)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7979,6 +8253,7 @@ module Aws::CognitoIdentityProvider
     class StartUserImportJobRequest < Struct.new(
       :user_pool_id,
       :job_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7993,6 +8268,7 @@ module Aws::CognitoIdentityProvider
     #
     class StartUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8020,6 +8296,7 @@ module Aws::CognitoIdentityProvider
     class StopUserImportJobRequest < Struct.new(
       :user_pool_id,
       :job_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8034,6 +8311,7 @@ module Aws::CognitoIdentityProvider
     #
     class StopUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8060,6 +8338,7 @@ module Aws::CognitoIdentityProvider
     class StringAttributeConstraintsType < Struct.new(
       :min_length,
       :max_length)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8087,6 +8366,7 @@ module Aws::CognitoIdentityProvider
     class TagResourceRequest < Struct.new(
       :resource_arn,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8094,6 +8374,43 @@ module Aws::CognitoIdentityProvider
     #
     class TagResourceResponse < Aws::EmptyStructure; end
 
+    # The data type for TokenValidityUnits that specifics the time
+    # measurements for token validity.
+    #
+    # @note When making an API call, you may pass TokenValidityUnitsType
+    #   data as a hash:
+    #
+    #       {
+    #         access_token: "seconds", # accepts seconds, minutes, hours, days
+    #         id_token: "seconds", # accepts seconds, minutes, hours, days
+    #         refresh_token: "seconds", # accepts seconds, minutes, hours, days
+    #       }
+    #
+    # @!attribute [rw] access_token
+    #   A time unit in “seconds”, “minutes”, “hours” or “days” for the value
+    #   in AccessTokenValidity, defaults to hours.
+    #   @return [String]
+    #
+    # @!attribute [rw] id_token
+    #   A time unit in “seconds”, “minutes”, “hours” or “days” for the value
+    #   in IdTokenValidity, defaults to hours.
+    #   @return [String]
+    #
+    # @!attribute [rw] refresh_token
+    #   A time unit in “seconds”, “minutes”, “hours” or “days” for the value
+    #   in RefreshTokenValidity, defaults to days.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/TokenValidityUnitsType AWS API Documentation
+    #
+    class TokenValidityUnitsType < Struct.new(
+      :access_token,
+      :id_token,
+      :refresh_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when the user has made too many failed
     # attempts for a given action (e.g., sign in).
     #
@@ -8106,6 +8423,7 @@ module Aws::CognitoIdentityProvider
     #
     class TooManyFailedAttemptsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8121,6 +8439,7 @@ module Aws::CognitoIdentityProvider
     #
     class TooManyRequestsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8165,6 +8484,7 @@ module Aws::CognitoIdentityProvider
       :css_version,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -8180,6 +8500,7 @@ module Aws::CognitoIdentityProvider
     #
     class UnexpectedLambdaException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8193,6 +8514,7 @@ module Aws::CognitoIdentityProvider
     #
     class UnsupportedIdentityProviderException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8206,6 +8528,7 @@ module Aws::CognitoIdentityProvider
     #
     class UnsupportedUserStateException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8231,6 +8554,7 @@ module Aws::CognitoIdentityProvider
     class UntagResourceRequest < Struct.new(
       :resource_arn,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8277,6 +8601,7 @@ module Aws::CognitoIdentityProvider
       :event_id,
       :feedback_token,
       :feedback_value)
+      SENSITIVE = [:username, :feedback_token]
       include Aws::Structure
     end
 
@@ -8313,6 +8638,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :device_key,
       :device_remembered_status)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -8352,7 +8678,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] precedence
     #   The new precedence value for the group. For more information about
-    #   this parameter, see .
+    #   this parameter, see [CreateGroup][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateGroupRequest AWS API Documentation
@@ -8363,6 +8693,7 @@ module Aws::CognitoIdentityProvider
       :description,
       :role_arn,
       :precedence)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8374,6 +8705,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateGroupResponse < Struct.new(
       :group)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8421,6 +8753,7 @@ module Aws::CognitoIdentityProvider
       :provider_details,
       :attribute_mapping,
       :idp_identifiers)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8432,6 +8765,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateIdentityProviderResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8473,6 +8807,7 @@ module Aws::CognitoIdentityProvider
       :identifier,
       :name,
       :scopes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8484,6 +8819,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateResourceServerResponse < Struct.new(
       :resource_server)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8561,6 +8897,7 @@ module Aws::CognitoIdentityProvider
       :user_attributes,
       :access_token,
       :client_metadata)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -8576,6 +8913,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateUserAttributesResponse < Struct.new(
       :code_delivery_details_list)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8589,6 +8927,13 @@ module Aws::CognitoIdentityProvider
     #         client_id: "ClientIdType", # required
     #         client_name: "ClientNameType",
     #         refresh_token_validity: 1,
+    #         access_token_validity: 1,
+    #         id_token_validity: 1,
+    #         token_validity_units: {
+    #           access_token: "seconds", # accepts seconds, minutes, hours, days
+    #           id_token: "seconds", # accepts seconds, minutes, hours, days
+    #           refresh_token: "seconds", # accepts seconds, minutes, hours, days
+    #         },
     #         read_attributes: ["ClientPermissionType"],
     #         write_attributes: ["ClientPermissionType"],
     #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
@@ -8626,6 +8971,22 @@ module Aws::CognitoIdentityProvider
     #   valid and cannot be used.
     #   @return [Integer]
     #
+    # @!attribute [rw] access_token_validity
+    #   The time limit, after which the access token is no longer valid and
+    #   cannot be used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] id_token_validity
+    #   The time limit, after which the ID token is no longer valid and
+    #   cannot be used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] token_validity_units
+    #   The units in which the validity times are represented in. Default
+    #   for RefreshToken is days, and default for ID and access tokens are
+    #   hours.
+    #   @return [Types::TokenValidityUnitsType]
+    #
     # @!attribute [rw] read_attributes
     #   The read-only attributes of the user pool.
     #   @return [Array<String>]
@@ -8748,9 +9109,10 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics configuration for collecting metrics
     #   for this user pool.
     #
-    #   <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
-    #   projects in the US East (N. Virginia) us-east-1 Region, regardless
-    #   of the region in which the user pool resides.
+    #   <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
+    #   supports sending events to Amazon Pinpoint projects in us-east-1. In
+    #   regions where Pinpoint is available, Cognito User Pools will support
+    #   sending events to Amazon Pinpoint projects within that same region.
     #
     #    </note>
     #   @return [Types::AnalyticsConfigurationType]
@@ -8773,24 +9135,6 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the old behavior of Cognito where user
     #     existence related errors are not prevented.
     #
-    #   This setting affects the behavior of following APIs:
-    #
-    #   * AdminInitiateAuth
-    #
-    #   * AdminRespondToAuthChallenge
-    #
-    #   * InitiateAuth
-    #
-    #   * RespondToAuthChallenge
-    #
-    #   * ForgotPassword
-    #
-    #   * ConfirmForgotPassword
-    #
-    #   * ConfirmSignUp
-    #
-    #   * ResendConfirmationCode
-    #
     #   <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
     #   will default to `ENABLED` for newly created user pool clients if no
     #   value is provided.
@@ -8805,6 +9149,9 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :client_name,
       :refresh_token_validity,
+      :access_token_validity,
+      :id_token_validity,
+      :token_validity_units,
       :read_attributes,
       :write_attributes,
       :explicit_auth_flows,
@@ -8817,6 +9164,7 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -8832,6 +9180,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateUserPoolClientResponse < Struct.new(
       :user_pool_client)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8874,6 +9223,7 @@ module Aws::CognitoIdentityProvider
       :domain,
       :user_pool_id,
       :custom_domain_config)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8888,6 +9238,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateUserPoolDomainResponse < Struct.new(
       :cloud_front_domain)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9083,6 +9434,7 @@ module Aws::CognitoIdentityProvider
       :admin_create_user_config,
       :user_pool_add_ons,
       :account_recovery_setting)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9114,6 +9466,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserContextDataType < Struct.new(
       :encoded_data)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9128,6 +9481,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserImportInProgressException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9225,6 +9579,7 @@ module Aws::CognitoIdentityProvider
       :skipped_users,
       :failed_users,
       :completion_message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9240,6 +9595,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserLambdaValidationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9253,6 +9609,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserNotConfirmedException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9266,6 +9623,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9278,6 +9636,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolAddOnNotEnabledException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9298,6 +9657,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolAddOnsType < Struct.new(
       :advanced_security_mode)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9322,6 +9682,7 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :user_pool_id,
       :client_name)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -9356,6 +9717,23 @@ module Aws::CognitoIdentityProvider
     #   valid and cannot be used.
     #   @return [Integer]
     #
+    # @!attribute [rw] access_token_validity
+    #   The time limit, specified by tokenValidityUnits, defaulting to
+    #   hours, after which the access token is no longer valid and cannot be
+    #   used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] id_token_validity
+    #   The time limit, specified by tokenValidityUnits, defaulting to
+    #   hours, after which the refresh token is no longer valid and cannot
+    #   be used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] token_validity_units
+    #   The time units used to specify the token validity times of their
+    #   respective token.
+    #   @return [Types::TokenValidityUnitsType]
+    #
     # @!attribute [rw] read_attributes
     #   The Read-only attributes.
     #   @return [Array<String>]
@@ -9503,24 +9881,6 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the old behavior of Cognito where user
     #     existence related errors are not prevented.
     #
-    #   This setting affects the behavior of following APIs:
-    #
-    #   * AdminInitiateAuth
-    #
-    #   * AdminRespondToAuthChallenge
-    #
-    #   * InitiateAuth
-    #
-    #   * RespondToAuthChallenge
-    #
-    #   * ForgotPassword
-    #
-    #   * ConfirmForgotPassword
-    #
-    #   * ConfirmSignUp
-    #
-    #   * ResendConfirmationCode
-    #
     #   <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
     #   will default to `ENABLED` for newly created user pool clients if no
     #   value is provided.
@@ -9538,6 +9898,9 @@ module Aws::CognitoIdentityProvider
       :last_modified_date,
       :creation_date,
       :refresh_token_validity,
+      :access_token_validity,
+      :id_token_validity,
+      :token_validity_units,
       :read_attributes,
       :write_attributes,
       :explicit_auth_flows,
@@ -9550,6 +9913,7 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors)
+      SENSITIVE = [:client_id, :client_secret]
       include Aws::Structure
     end
 
@@ -9588,6 +9952,7 @@ module Aws::CognitoIdentityProvider
       :status,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9615,6 +9980,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolPolicyType < Struct.new(
       :password_policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9628,6 +9994,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolTaggingException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9776,7 +10143,11 @@ module Aws::CognitoIdentityProvider
     #   the selected sign-in option. For example, when this is set to
     #   `False`, users will be able to sign in using either "username" or
     #   "Username". This configuration is immutable once it has been set.
-    #   For more information, see .
+    #   For more information, see [UsernameConfigurationType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html
     #   @return [Types::UsernameConfigurationType]
     #
     # @!attribute [rw] arn
@@ -9828,6 +10199,7 @@ module Aws::CognitoIdentityProvider
       :username_configuration,
       :arn,
       :account_recovery_setting)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9889,6 +10261,7 @@ module Aws::CognitoIdentityProvider
       :enabled,
       :user_status,
       :mfa_options)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -9924,6 +10297,7 @@ module Aws::CognitoIdentityProvider
     #
     class UsernameConfigurationType < Struct.new(
       :case_sensitive)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9939,6 +10313,7 @@ module Aws::CognitoIdentityProvider
     #
     class UsernameExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9991,6 +10366,7 @@ module Aws::CognitoIdentityProvider
       :email_message_by_link,
       :email_subject_by_link,
       :default_email_option)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -10015,6 +10391,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] user_code
     #   The one time password computed using the secret code returned by
+    #   [AssociateSoftwareToken"][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AssociateSoftwareToken.html
     #   @return [String]
     #
     # @!attribute [rw] friendly_device_name
@@ -10028,6 +10409,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :user_code,
       :friendly_device_name)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -10045,6 +10427,7 @@ module Aws::CognitoIdentityProvider
     class VerifySoftwareTokenResponse < Struct.new(
       :status,
       :session)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -10078,6 +10461,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :attribute_name,
       :code)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end