aws-sdk-cognitoidentityprovider 1.39.0 → 1.44.0

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -14,6 +14,7 @@ module Aws::CognitoIdentityProvider
     include Seahorse::Model
 
     AWSAccountIdType = Shapes::StringShape.new(name: 'AWSAccountIdType')
+    AccessTokenValidityType = Shapes::IntegerShape.new(name: 'AccessTokenValidityType')
     AccountRecoverySettingType = Shapes::StructureShape.new(name: 'AccountRecoverySettingType')
     AccountTakeoverActionNotifyType = Shapes::BooleanShape.new(name: 'AccountTakeoverActionNotifyType')
     AccountTakeoverActionType = Shapes::StructureShape.new(name: 'AccountTakeoverActionType')
@@ -243,6 +244,7 @@ module Aws::CognitoIdentityProvider
     HexStringType = Shapes::StringShape.new(name: 'HexStringType')
     HttpHeader = Shapes::StructureShape.new(name: 'HttpHeader')
     HttpHeaderList = Shapes::ListShape.new(name: 'HttpHeaderList')
+    IdTokenValidityType = Shapes::IntegerShape.new(name: 'IdTokenValidityType')
     IdentityProviderType = Shapes::StructureShape.new(name: 'IdentityProviderType')
     IdentityProviderTypeType = Shapes::StringShape.new(name: 'IdentityProviderTypeType')
     IdpIdentifierType = Shapes::StringShape.new(name: 'IdpIdentifierType')
@@ -389,7 +391,9 @@ module Aws::CognitoIdentityProvider
     TagResourceResponse = Shapes::StructureShape.new(name: 'TagResourceResponse')
     TagValueType = Shapes::StringShape.new(name: 'TagValueType')
     TemporaryPasswordValidityDaysType = Shapes::IntegerShape.new(name: 'TemporaryPasswordValidityDaysType')
+    TimeUnitsType = Shapes::StringShape.new(name: 'TimeUnitsType')
     TokenModelType = Shapes::StringShape.new(name: 'TokenModelType')
+    TokenValidityUnitsType = Shapes::StructureShape.new(name: 'TokenValidityUnitsType')
     TooManyFailedAttemptsException = Shapes::StructureShape.new(name: 'TooManyFailedAttemptsException')
     TooManyRequestsException = Shapes::StructureShape.new(name: 'TooManyRequestsException')
     UICustomizationType = Shapes::StructureShape.new(name: 'UICustomizationType')
@@ -709,9 +713,10 @@ module Aws::CognitoIdentityProvider
     AliasExistsException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
     AliasExistsException.struct_class = Types::AliasExistsException
 
-    AnalyticsConfigurationType.add_member(:application_id, Shapes::ShapeRef.new(shape: HexStringType, required: true, location_name: "ApplicationId"))
-    AnalyticsConfigurationType.add_member(:role_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "RoleArn"))
-    AnalyticsConfigurationType.add_member(:external_id, Shapes::ShapeRef.new(shape: StringType, required: true, location_name: "ExternalId"))
+    AnalyticsConfigurationType.add_member(:application_id, Shapes::ShapeRef.new(shape: HexStringType, location_name: "ApplicationId"))
+    AnalyticsConfigurationType.add_member(:application_arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "ApplicationArn"))
+    AnalyticsConfigurationType.add_member(:role_arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "RoleArn"))
+    AnalyticsConfigurationType.add_member(:external_id, Shapes::ShapeRef.new(shape: StringType, location_name: "ExternalId"))
     AnalyticsConfigurationType.add_member(:user_data_shared, Shapes::ShapeRef.new(shape: BooleanType, location_name: "UserDataShared"))
     AnalyticsConfigurationType.struct_class = Types::AnalyticsConfigurationType
 
@@ -893,6 +898,9 @@ module Aws::CognitoIdentityProvider
     CreateUserPoolClientRequest.add_member(:client_name, Shapes::ShapeRef.new(shape: ClientNameType, required: true, location_name: "ClientName"))
     CreateUserPoolClientRequest.add_member(:generate_secret, Shapes::ShapeRef.new(shape: GenerateSecret, location_name: "GenerateSecret"))
     CreateUserPoolClientRequest.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
+    CreateUserPoolClientRequest.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
+    CreateUserPoolClientRequest.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
+    CreateUserPoolClientRequest.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
     CreateUserPoolClientRequest.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
     CreateUserPoolClientRequest.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
     CreateUserPoolClientRequest.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -1622,6 +1630,11 @@ module Aws::CognitoIdentityProvider
 
     TagResourceResponse.struct_class = Types::TagResourceResponse
 
+    TokenValidityUnitsType.add_member(:access_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "AccessToken"))
+    TokenValidityUnitsType.add_member(:id_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "IdToken"))
+    TokenValidityUnitsType.add_member(:refresh_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "RefreshToken"))
+    TokenValidityUnitsType.struct_class = Types::TokenValidityUnitsType
+
     TooManyFailedAttemptsException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
     TooManyFailedAttemptsException.struct_class = Types::TooManyFailedAttemptsException
 
@@ -1709,6 +1722,9 @@ module Aws::CognitoIdentityProvider
     UpdateUserPoolClientRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, required: true, location_name: "ClientId"))
     UpdateUserPoolClientRequest.add_member(:client_name, Shapes::ShapeRef.new(shape: ClientNameType, location_name: "ClientName"))
     UpdateUserPoolClientRequest.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
+    UpdateUserPoolClientRequest.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
+    UpdateUserPoolClientRequest.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
+    UpdateUserPoolClientRequest.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
     UpdateUserPoolClientRequest.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
     UpdateUserPoolClientRequest.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
     UpdateUserPoolClientRequest.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -1809,6 +1825,9 @@ module Aws::CognitoIdentityProvider
     UserPoolClientType.add_member(:last_modified_date, Shapes::ShapeRef.new(shape: DateType, location_name: "LastModifiedDate"))
     UserPoolClientType.add_member(:creation_date, Shapes::ShapeRef.new(shape: DateType, location_name: "CreationDate"))
     UserPoolClientType.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
+    UserPoolClientType.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
+    UserPoolClientType.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
+    UserPoolClientType.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
     UserPoolClientType.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
     UserPoolClientType.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
     UserPoolClientType.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -2397,6 +2416,7 @@ module Aws::CognitoIdentityProvider
         o.http_request_uri = "/"
         o.input = Shapes::ShapeRef.new(shape: AssociateSoftwareTokenRequest)
         o.output = Shapes::ShapeRef.new(shape: AssociateSoftwareTokenResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)

data/lib/aws-sdk-cognitoidentityprovider/customizations.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -32,6 +32,7 @@ module Aws::CognitoIdentityProvider
     #
     class AccountRecoverySettingType < Struct.new(
       :recovery_mechanisms)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -68,6 +69,7 @@ module Aws::CognitoIdentityProvider
     class AccountTakeoverActionType < Struct.new(
       :notify,
       :event_action)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -109,6 +111,7 @@ module Aws::CognitoIdentityProvider
       :low_action,
       :medium_action,
       :high_action)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -168,6 +171,7 @@ module Aws::CognitoIdentityProvider
     class AccountTakeoverRiskConfigurationType < Struct.new(
       :notify_configuration,
       :actions)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -211,6 +215,7 @@ module Aws::CognitoIdentityProvider
     class AddCustomAttributesRequest < Struct.new(
       :user_pool_id,
       :custom_attributes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -248,6 +253,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :group_name)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -316,6 +322,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :client_metadata)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -377,6 +384,7 @@ module Aws::CognitoIdentityProvider
       :allow_admin_create_user_only,
       :unused_account_validity_days,
       :invite_message_template)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -423,10 +431,11 @@ module Aws::CognitoIdentityProvider
     #   An array of name-value pairs that contain user attributes and
     #   attribute values to be set for the user to be created. You can
     #   create a user without specifying any attributes other than
-    #   `Username`. However, any attributes that you specify as required (in
-    #   or in the **Attributes** tab of the console) must be supplied either
-    #   by you (in your call to `AdminCreateUser`) or by the user (when he
-    #   or she signs up in response to your welcome message).
+    #   `Username`. However, any attributes that you specify as required
+    #   (when creating a user pool or in the **Attributes** tab of the
+    #   console) must be supplied either by you (in your call to
+    #   `AdminCreateUser`) or by the user (when he or she signs up in
+    #   response to your welcome message).
     #
     #   For custom attributes, you must prepend the `custom:` prefix to the
     #   attribute name.
@@ -438,7 +447,8 @@ module Aws::CognitoIdentityProvider
     #
     #   In your call to `AdminCreateUser`, you can set the `email_verified`
     #   attribute to `True`, and you can set the `phone_number_verified`
-    #   attribute to `True`. (You can also do this by calling .)
+    #   attribute to `True`. (You can also do this by calling
+    #   [AdminUpdateUserAttributes][1].)
     #
     #   * **email**\: The email address of the user to whom the message that
     #     contains the code and username will be sent. Required if the
@@ -449,6 +459,10 @@ module Aws::CognitoIdentityProvider
     #     message that contains the code and username will be sent. Required
     #     if the `phone_number_verified` attribute is set to `True`, or if
     #     `"SMS"` is specified in the `DesiredDeliveryMediums` parameter.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] validation_data
@@ -565,6 +579,7 @@ module Aws::CognitoIdentityProvider
       :message_action,
       :desired_delivery_mediums,
       :client_metadata)
+      SENSITIVE = [:username, :temporary_password]
       include Aws::Structure
     end
 
@@ -579,6 +594,7 @@ module Aws::CognitoIdentityProvider
     #
     class AdminCreateUserResponse < Struct.new(
       :user)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -617,6 +633,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :user_attribute_names)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -651,6 +668,7 @@ module Aws::CognitoIdentityProvider
     class AdminDeleteUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -679,6 +697,7 @@ module Aws::CognitoIdentityProvider
     class AdminDisableProviderForUserRequest < Struct.new(
       :user_pool_id,
       :user)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -710,6 +729,7 @@ module Aws::CognitoIdentityProvider
     class AdminDisableUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -744,6 +764,7 @@ module Aws::CognitoIdentityProvider
     class AdminEnableUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -783,6 +804,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :device_key)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -815,6 +837,7 @@ module Aws::CognitoIdentityProvider
       :device_key,
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -828,6 +851,7 @@ module Aws::CognitoIdentityProvider
     #
     class AdminGetDeviceResponse < Struct.new(
       :device)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -855,6 +879,7 @@ module Aws::CognitoIdentityProvider
     class AdminGetUserRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -907,8 +932,8 @@ module Aws::CognitoIdentityProvider
     #   *This response parameter is no longer supported.* It provides
     #   information only about SMS MFA configurations. It doesn't provide
     #   information about TOTP software token MFA configurations. To look up
-    #   information about either type of MFA configuration, use the
-    #   AdminGetUserResponse$UserMFASettingList response instead.
+    #   information about either type of MFA configuration, use
+    #   UserMFASettingList instead.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @!attribute [rw] preferred_mfa_setting
@@ -932,6 +957,7 @@ module Aws::CognitoIdentityProvider
       :mfa_options,
       :preferred_mfa_setting,
       :user_mfa_setting_list)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1022,18 +1048,20 @@ module Aws::CognitoIdentityProvider
     #
     #   * For `USER_SRP_AUTH`\: `USERNAME` (required), `SRP_A` (required),
     #     `SECRET_HASH` (required if the app client is configured with a
-    #     client secret), `DEVICE_KEY`
+    #     client secret), `DEVICE_KEY`.
     #
     #   * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`\: `REFRESH_TOKEN`
     #     (required), `SECRET_HASH` (required if the app client is
-    #     configured with a client secret), `DEVICE_KEY`
+    #     configured with a client secret), `DEVICE_KEY`.
     #
     #   * For `ADMIN_NO_SRP_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if
     #     app client is configured with client secret), `PASSWORD`
-    #     (required), `DEVICE_KEY`
+    #     (required), `DEVICE_KEY`.
     #
     #   * For `CUSTOM_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if app
-    #     client is configured with client secret), `DEVICE_KEY`
+    #     client is configured with client secret), `DEVICE_KEY`. To start
+    #     the authentication flow with password verification, include
+    #     `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_metadata
@@ -1121,6 +1149,7 @@ module Aws::CognitoIdentityProvider
       :client_metadata,
       :analytics_metadata,
       :context_data)
+      SENSITIVE = [:client_id, :auth_parameters]
       include Aws::Structure
     end
 
@@ -1207,6 +1236,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1283,6 +1313,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :destination_user,
       :source_user)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1325,6 +1356,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :limit,
       :pagination_token)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1343,6 +1375,7 @@ module Aws::CognitoIdentityProvider
     class AdminListDevicesResponse < Struct.new(
       :devices,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1381,6 +1414,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :limit,
       :next_token)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1399,6 +1433,7 @@ module Aws::CognitoIdentityProvider
     class AdminListGroupsForUserResponse < Struct.new(
       :groups,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1435,6 +1470,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :max_results,
       :next_token)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1452,6 +1488,7 @@ module Aws::CognitoIdentityProvider
     class AdminListUserAuthEventsResponse < Struct.new(
       :auth_events,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1482,6 +1519,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :group_name)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1553,6 +1591,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :client_metadata)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1606,7 +1645,12 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] challenge_name
-    #   The challenge name. For more information, see .
+    #   The challenge name. For more information, see
+    #   [AdminInitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] challenge_responses
@@ -1707,25 +1751,36 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :context_data,
       :client_metadata)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
     # Responds to the authentication challenge, as an administrator.
     #
     # @!attribute [rw] challenge_name
-    #   The name of the challenge. For more information, see .
+    #   The name of the challenge. For more information, see
+    #   [AdminInitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] session
     #   The session which should be passed both ways in challenge-response
-    #   calls to the service. If the or API call determines that the caller
-    #   needs to go through another challenge, they return a session with
-    #   other challenge parameters. This session should be passed as it is
-    #   to the next `RespondToAuthChallenge` API call.
+    #   calls to the service. If the caller needs to go through another
+    #   challenge, they return a session with other challenge parameters.
+    #   This session should be passed as it is to the next
+    #   `RespondToAuthChallenge` API call.
     #   @return [String]
     #
     # @!attribute [rw] challenge_parameters
-    #   The challenge parameters. For more information, see .
+    #   The challenge parameters. For more information, see
+    #   [AdminInitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] authentication_result
@@ -1740,6 +1795,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1782,6 +1838,7 @@ module Aws::CognitoIdentityProvider
       :software_token_mfa_settings,
       :username,
       :user_pool_id)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1823,6 +1880,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :password,
       :permanent)
+      SENSITIVE = [:username, :password]
       include Aws::Structure
     end
 
@@ -1867,6 +1925,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :username,
       :mfa_options)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1910,6 +1969,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :event_id,
       :feedback_value)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -1952,6 +2012,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :device_key,
       :device_remembered_status)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -2045,6 +2106,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :user_attributes,
       :client_metadata)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -2078,6 +2140,7 @@ module Aws::CognitoIdentityProvider
     class AdminUserGlobalSignOutRequest < Struct.new(
       :user_pool_id,
       :username)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -2100,15 +2163,17 @@ module Aws::CognitoIdentityProvider
     #
     class AliasExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # The Amazon Pinpoint analytics configuration for collecting metrics for
     # a user pool.
     #
-    # <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
-    # projects in the US East (N. Virginia) us-east-1 Region, regardless of
-    # the region in which the user pool resides.
+    # <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
+    # supports sending events to Amazon Pinpoint projects in us-east-1. In
+    # regions where Pinpoint is available, Cognito User Pools will support
+    # sending events to Amazon Pinpoint projects within that same region.
     #
     #  </note>
     #
@@ -2116,9 +2181,10 @@ module Aws::CognitoIdentityProvider
     #   data as a hash:
     #
     #       {
-    #         application_id: "HexStringType", # required
-    #         role_arn: "ArnType", # required
-    #         external_id: "StringType", # required
+    #         application_id: "HexStringType",
+    #         application_arn: "ArnType",
+    #         role_arn: "ArnType",
+    #         external_id: "StringType",
     #         user_data_shared: false,
     #       }
     #
@@ -2126,6 +2192,13 @@ module Aws::CognitoIdentityProvider
     #   The application ID for an Amazon Pinpoint application.
     #   @return [String]
     #
+    # @!attribute [rw] application_arn
+    #   The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You
+    #   can use the Amazon Pinpoint project for Pinpoint integration with
+    #   the chosen User Pool Client. Amazon Cognito publishes events to the
+    #   pinpoint project declared by the app ARN.
+    #   @return [String]
+    #
     # @!attribute [rw] role_arn
     #   The ARN of an IAM role that authorizes Amazon Cognito to publish
     #   events to Amazon Pinpoint analytics.
@@ -2144,9 +2217,11 @@ module Aws::CognitoIdentityProvider
     #
     class AnalyticsConfigurationType < Struct.new(
       :application_id,
+      :application_arn,
       :role_arn,
       :external_id,
       :user_data_shared)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2176,6 +2251,7 @@ module Aws::CognitoIdentityProvider
     #
     class AnalyticsMetadataType < Struct.new(
       :analytics_endpoint_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2202,6 +2278,7 @@ module Aws::CognitoIdentityProvider
     class AssociateSoftwareTokenRequest < Struct.new(
       :access_token,
       :session)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -2221,6 +2298,7 @@ module Aws::CognitoIdentityProvider
     class AssociateSoftwareTokenResponse < Struct.new(
       :secret_code,
       :session)
+      SENSITIVE = [:secret_code]
       include Aws::Structure
     end
 
@@ -2247,6 +2325,7 @@ module Aws::CognitoIdentityProvider
     class AttributeType < Struct.new(
       :name,
       :value)
+      SENSITIVE = [:value]
       include Aws::Structure
     end
 
@@ -2298,6 +2377,7 @@ module Aws::CognitoIdentityProvider
       :challenge_responses,
       :event_context_data,
       :event_feedback)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2336,6 +2416,7 @@ module Aws::CognitoIdentityProvider
       :refresh_token,
       :id_token,
       :new_device_metadata)
+      SENSITIVE = [:access_token, :refresh_token, :id_token]
       include Aws::Structure
     end
 
@@ -2354,6 +2435,7 @@ module Aws::CognitoIdentityProvider
     class ChallengeResponseType < Struct.new(
       :challenge_name,
       :challenge_response)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2386,6 +2468,7 @@ module Aws::CognitoIdentityProvider
       :previous_password,
       :proposed_password,
       :access_token)
+      SENSITIVE = [:previous_password, :proposed_password, :access_token]
       include Aws::Structure
     end
 
@@ -2415,6 +2498,7 @@ module Aws::CognitoIdentityProvider
       :destination,
       :delivery_medium,
       :attribute_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2430,6 +2514,7 @@ module Aws::CognitoIdentityProvider
     #
     class CodeDeliveryFailureException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2444,6 +2529,7 @@ module Aws::CognitoIdentityProvider
     #
     class CodeMismatchException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2464,6 +2550,7 @@ module Aws::CognitoIdentityProvider
     #
     class CompromisedCredentialsActionsType < Struct.new(
       :event_action)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2493,6 +2580,7 @@ module Aws::CognitoIdentityProvider
     class CompromisedCredentialsRiskConfigurationType < Struct.new(
       :event_filter,
       :actions)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2507,6 +2595,7 @@ module Aws::CognitoIdentityProvider
     #
     class ConcurrentModificationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2548,6 +2637,7 @@ module Aws::CognitoIdentityProvider
       :device_key,
       :device_secret_verifier_config,
       :device_name)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -2562,6 +2652,7 @@ module Aws::CognitoIdentityProvider
     #
     class ConfirmDeviceResponse < Struct.new(
       :user_confirmation_necessary)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2604,7 +2695,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] confirmation_code
     #   The confirmation code sent by a user's request to retrieve a
-    #   forgotten password. For more information, see
+    #   forgotten password. For more information, see [ForgotPassword][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html
     #   @return [String]
     #
     # @!attribute [rw] password
@@ -2673,6 +2768,7 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username, :password]
       include Aws::Structure
     end
 
@@ -2795,6 +2891,7 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username]
       include Aws::Structure
     end
 
@@ -2853,6 +2950,7 @@ module Aws::CognitoIdentityProvider
       :server_path,
       :http_headers,
       :encoded_data)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2911,6 +3009,7 @@ module Aws::CognitoIdentityProvider
       :description,
       :role_arn,
       :precedence)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2922,6 +3021,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateGroupResponse < Struct.new(
       :group)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2957,7 +3057,7 @@ module Aws::CognitoIdentityProvider
     #   The identity provider details. The following list describes the
     #   provider detail keys for each identity provider type.
     #
-    #   * For Google, Facebook and Login with Amazon:
+    #   * For Google and Login with Amazon:
     #
     #     * client\_id
     #
@@ -2965,6 +3065,16 @@ module Aws::CognitoIdentityProvider
     #
     #     * authorize\_scopes
     #
+    #   * For Facebook:
+    #
+    #     * client\_id
+    #
+    #     * client\_secret
+    #
+    #     * authorize\_scopes
+    #
+    #     * api\_version
+    #
     #   * For Sign in with Apple:
     #
     #     * client\_id
@@ -3001,8 +3111,6 @@ module Aws::CognitoIdentityProvider
     #     * jwks\_uri *if not available from discovery URL specified by
     #       oidc\_issuer key*
     #
-    #     * authorize\_scopes
-    #
     #   * For SAML providers:
     #
     #     * MetadataFile OR MetadataURL
@@ -3028,6 +3136,7 @@ module Aws::CognitoIdentityProvider
       :provider_details,
       :attribute_mapping,
       :idp_identifiers)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3039,6 +3148,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateIdentityProviderResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3083,6 +3193,7 @@ module Aws::CognitoIdentityProvider
       :identifier,
       :name,
       :scopes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3094,6 +3205,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateResourceServerResponse < Struct.new(
       :resource_server)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3128,6 +3240,7 @@ module Aws::CognitoIdentityProvider
       :job_name,
       :user_pool_id,
       :cloud_watch_logs_role_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3142,6 +3255,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3155,6 +3269,13 @@ module Aws::CognitoIdentityProvider
     #         client_name: "ClientNameType", # required
     #         generate_secret: false,
     #         refresh_token_validity: 1,
+    #         access_token_validity: 1,
+    #         id_token_validity: 1,
+    #         token_validity_units: {
+    #           access_token: "seconds", # accepts seconds, minutes, hours, days
+    #           id_token: "seconds", # accepts seconds, minutes, hours, days
+    #           refresh_token: "seconds", # accepts seconds, minutes, hours, days
+    #         },
     #         read_attributes: ["ClientPermissionType"],
     #         write_attributes: ["ClientPermissionType"],
     #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
@@ -3166,9 +3287,10 @@ module Aws::CognitoIdentityProvider
     #         allowed_o_auth_scopes: ["ScopeType"],
     #         allowed_o_auth_flows_user_pool_client: false,
     #         analytics_configuration: {
-    #           application_id: "HexStringType", # required
-    #           role_arn: "ArnType", # required
-    #           external_id: "StringType", # required
+    #           application_id: "HexStringType",
+    #           application_arn: "ArnType",
+    #           role_arn: "ArnType",
+    #           external_id: "StringType",
     #           user_data_shared: false,
     #         },
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
@@ -3193,6 +3315,24 @@ module Aws::CognitoIdentityProvider
     #   valid and cannot be used.
     #   @return [Integer]
     #
+    # @!attribute [rw] access_token_validity
+    #   The time limit, between 5 minutes and 1 day, after which the access
+    #   token is no longer valid and cannot be used. This value will be
+    #   overridden if you have entered a value in TokenValidityUnits.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] id_token_validity
+    #   The time limit, between 5 minutes and 1 day, after which the ID
+    #   token is no longer valid and cannot be used. This value will be
+    #   overridden if you have entered a value in TokenValidityUnits.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] token_validity_units
+    #   The units in which the validity times are represented in. Default
+    #   for RefreshToken is days, and default for ID and access tokens are
+    #   hours.
+    #   @return [Types::TokenValidityUnitsType]
+    #
     # @!attribute [rw] read_attributes
     #   The read attributes.
     #   @return [Array<String>]
@@ -3329,9 +3469,10 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics configuration for collecting metrics
     #   for this user pool.
     #
-    #   <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
-    #   projects in the US East (N. Virginia) us-east-1 Region, regardless
-    #   of the region in which the user pool resides.
+    #   <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
+    #   supports sending events to Amazon Pinpoint projects in us-east-1. In
+    #   regions where Pinpoint is available, Cognito User Pools will support
+    #   sending events to Amazon Pinpoint projects within that same region.
     #
     #    </note>
     #   @return [Types::AnalyticsConfigurationType]
@@ -3354,24 +3495,6 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the old behavior of Cognito where user
     #     existence related errors are not prevented.
     #
-    #   This setting affects the behavior of following APIs:
-    #
-    #   * AdminInitiateAuth
-    #
-    #   * AdminRespondToAuthChallenge
-    #
-    #   * InitiateAuth
-    #
-    #   * RespondToAuthChallenge
-    #
-    #   * ForgotPassword
-    #
-    #   * ConfirmForgotPassword
-    #
-    #   * ConfirmSignUp
-    #
-    #   * ResendConfirmationCode
-    #
     #   <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
     #   will default to `ENABLED` for newly created user pool clients if no
     #   value is provided.
@@ -3386,6 +3509,9 @@ module Aws::CognitoIdentityProvider
       :client_name,
       :generate_secret,
       :refresh_token_validity,
+      :access_token_validity,
+      :id_token_validity,
+      :token_validity_units,
       :read_attributes,
       :write_attributes,
       :explicit_auth_flows,
@@ -3398,6 +3524,7 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3411,6 +3538,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserPoolClientResponse < Struct.new(
       :user_pool_client)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3455,6 +3583,7 @@ module Aws::CognitoIdentityProvider
       :domain,
       :user_pool_id,
       :custom_domain_config)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3467,6 +3596,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserPoolDomainResponse < Struct.new(
       :cloud_front_domain)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3683,7 +3813,11 @@ module Aws::CognitoIdentityProvider
     #   selected sign-in option. For example, when this is set to `False`,
     #   users will be able to sign in using either "username" or
     #   "Username". This configuration is immutable once it has been set.
-    #   For more information, see .
+    #   For more information, see [UsernameConfigurationType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html
     #   @return [Types::UsernameConfigurationType]
     #
     # @!attribute [rw] account_recovery_setting
@@ -3695,13 +3829,6 @@ module Aws::CognitoIdentityProvider
     #   enabled. In the absence of this setting, Cognito uses the legacy
     #   behavior to determine the recovery method where SMS is preferred
     #   over email.
-    #
-    #   <note markdown="1"> Starting February 1, 2020, the value of `AccountRecoverySetting`
-    #   will default to `verified_email` first and `verified_phone_number`
-    #   as the second option for newly created user pools if no value is
-    #   provided.
-    #
-    #    </note>
     #   @return [Types::AccountRecoverySettingType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolRequest AWS API Documentation
@@ -3728,6 +3855,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_add_ons,
       :username_configuration,
       :account_recovery_setting)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3742,6 +3870,7 @@ module Aws::CognitoIdentityProvider
     #
     class CreateUserPoolResponse < Struct.new(
       :user_pool)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3765,6 +3894,7 @@ module Aws::CognitoIdentityProvider
     #
     class CustomDomainConfigType < Struct.new(
       :certificate_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3789,6 +3919,7 @@ module Aws::CognitoIdentityProvider
     class DeleteGroupRequest < Struct.new(
       :group_name,
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3813,6 +3944,7 @@ module Aws::CognitoIdentityProvider
     class DeleteIdentityProviderRequest < Struct.new(
       :user_pool_id,
       :provider_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3837,6 +3969,7 @@ module Aws::CognitoIdentityProvider
     class DeleteResourceServerRequest < Struct.new(
       :user_pool_id,
       :identifier)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3867,6 +4000,7 @@ module Aws::CognitoIdentityProvider
     class DeleteUserAttributesRequest < Struct.new(
       :user_attribute_names,
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -3900,6 +4034,7 @@ module Aws::CognitoIdentityProvider
     class DeleteUserPoolClientRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -3924,6 +4059,7 @@ module Aws::CognitoIdentityProvider
     class DeleteUserPoolDomainRequest < Struct.new(
       :domain,
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3948,6 +4084,7 @@ module Aws::CognitoIdentityProvider
     #
     class DeleteUserPoolRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3968,6 +4105,7 @@ module Aws::CognitoIdentityProvider
     #
     class DeleteUserRequest < Struct.new(
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -3992,6 +4130,7 @@ module Aws::CognitoIdentityProvider
     class DescribeIdentityProviderRequest < Struct.new(
       :user_pool_id,
       :provider_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4003,6 +4142,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeIdentityProviderResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4027,6 +4167,7 @@ module Aws::CognitoIdentityProvider
     class DescribeResourceServerRequest < Struct.new(
       :user_pool_id,
       :identifier)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4038,6 +4179,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeResourceServerResponse < Struct.new(
       :resource_server)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4062,6 +4204,7 @@ module Aws::CognitoIdentityProvider
     class DescribeRiskConfigurationRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -4073,6 +4216,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeRiskConfigurationResponse < Struct.new(
       :risk_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4100,6 +4244,7 @@ module Aws::CognitoIdentityProvider
     class DescribeUserImportJobRequest < Struct.new(
       :user_pool_id,
       :job_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4114,6 +4259,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4140,6 +4286,7 @@ module Aws::CognitoIdentityProvider
     class DescribeUserPoolClientRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -4155,6 +4302,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolClientResponse < Struct.new(
       :user_pool_client)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4173,6 +4321,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolDomainRequest < Struct.new(
       :domain)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4184,6 +4333,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolDomainResponse < Struct.new(
       :domain_description)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4204,6 +4354,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4218,6 +4369,7 @@ module Aws::CognitoIdentityProvider
     #
     class DescribeUserPoolResponse < Struct.new(
       :user_pool)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4245,6 +4397,7 @@ module Aws::CognitoIdentityProvider
     class DeviceConfigurationType < Struct.new(
       :challenge_required_on_new_device,
       :device_only_remembered_on_user_prompt)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4271,6 +4424,7 @@ module Aws::CognitoIdentityProvider
     class DeviceSecretVerifierConfigType < Struct.new(
       :password_verifier,
       :salt)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4304,6 +4458,7 @@ module Aws::CognitoIdentityProvider
       :device_create_date,
       :device_last_modified_date,
       :device_last_authenticated_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4353,6 +4508,7 @@ module Aws::CognitoIdentityProvider
       :version,
       :status,
       :custom_domain_config)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4366,6 +4522,7 @@ module Aws::CognitoIdentityProvider
     #
     class DuplicateProviderException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4484,6 +4641,7 @@ module Aws::CognitoIdentityProvider
       :email_sending_account,
       :from,
       :configuration_set)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4498,6 +4656,7 @@ module Aws::CognitoIdentityProvider
     #
     class EnableSoftwareTokenMFAException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4532,6 +4691,7 @@ module Aws::CognitoIdentityProvider
       :timezone,
       :city,
       :country)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4555,6 +4715,7 @@ module Aws::CognitoIdentityProvider
       :feedback_value,
       :provider,
       :feedback_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4579,6 +4740,7 @@ module Aws::CognitoIdentityProvider
       :risk_decision,
       :risk_level,
       :compromised_credentials_detected)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4592,6 +4754,7 @@ module Aws::CognitoIdentityProvider
     #
     class ExpiredCodeException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4618,6 +4781,7 @@ module Aws::CognitoIdentityProvider
     class ForgetDeviceRequest < Struct.new(
       :access_token,
       :device_key)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -4716,6 +4880,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :analytics_metadata,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username]
       include Aws::Structure
     end
 
@@ -4731,6 +4896,7 @@ module Aws::CognitoIdentityProvider
     #
     class ForgotPasswordResponse < Struct.new(
       :code_delivery_details)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4753,6 +4919,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetCSVHeaderRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4773,6 +4940,7 @@ module Aws::CognitoIdentityProvider
     class GetCSVHeaderResponse < Struct.new(
       :user_pool_id,
       :csv_header)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4799,6 +4967,7 @@ module Aws::CognitoIdentityProvider
     class GetDeviceRequest < Struct.new(
       :device_key,
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -4812,6 +4981,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetDeviceResponse < Struct.new(
       :device)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4836,6 +5006,7 @@ module Aws::CognitoIdentityProvider
     class GetGroupRequest < Struct.new(
       :group_name,
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4847,6 +5018,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetGroupResponse < Struct.new(
       :group)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4871,6 +5043,7 @@ module Aws::CognitoIdentityProvider
     class GetIdentityProviderByIdentifierRequest < Struct.new(
       :user_pool_id,
       :idp_identifier)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4882,6 +5055,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetIdentityProviderByIdentifierResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4902,6 +5076,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetSigningCertificateRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4915,6 +5090,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetSigningCertificateResponse < Struct.new(
       :certificate)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4939,6 +5115,7 @@ module Aws::CognitoIdentityProvider
     class GetUICustomizationRequest < Struct.new(
       :user_pool_id,
       :client_id)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -4950,6 +5127,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUICustomizationResponse < Struct.new(
       :ui_customization)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5022,6 +5200,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :attribute_name,
       :client_metadata)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5037,6 +5216,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUserAttributeVerificationCodeResponse < Struct.new(
       :code_delivery_details)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5055,6 +5235,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUserPoolMfaConfigRequest < Struct.new(
       :user_pool_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5083,6 +5264,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
       :mfa_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5104,6 +5286,7 @@ module Aws::CognitoIdentityProvider
     #
     class GetUserRequest < Struct.new(
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5126,8 +5309,8 @@ module Aws::CognitoIdentityProvider
     #   *This response parameter is no longer supported.* It provides
     #   information only about SMS MFA configurations. It doesn't provide
     #   information about TOTP software token MFA configurations. To look up
-    #   information about either type of MFA configuration, use the use the
-    #   GetUserResponse$UserMFASettingList response instead.
+    #   information about either type of MFA configuration, use
+    #   UserMFASettingList instead.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @!attribute [rw] preferred_mfa_setting
@@ -5147,6 +5330,7 @@ module Aws::CognitoIdentityProvider
       :mfa_options,
       :preferred_mfa_setting,
       :user_mfa_setting_list)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -5167,6 +5351,7 @@ module Aws::CognitoIdentityProvider
     #
     class GlobalSignOutRequest < Struct.new(
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5186,6 +5371,7 @@ module Aws::CognitoIdentityProvider
     #
     class GroupExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5245,6 +5431,7 @@ module Aws::CognitoIdentityProvider
       :precedence,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5271,6 +5458,7 @@ module Aws::CognitoIdentityProvider
     class HttpHeader < Struct.new(
       :header_name,
       :header_value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5292,7 +5480,7 @@ module Aws::CognitoIdentityProvider
     #   The identity provider details. The following list describes the
     #   provider detail keys for each identity provider type.
     #
-    #   * For Google, Facebook and Login with Amazon:
+    #   * For Google and Login with Amazon:
     #
     #     * client\_id
     #
@@ -5300,6 +5488,16 @@ module Aws::CognitoIdentityProvider
     #
     #     * authorize\_scopes
     #
+    #   * For Facebook:
+    #
+    #     * client\_id
+    #
+    #     * client\_secret
+    #
+    #     * authorize\_scopes
+    #
+    #     * api\_version
+    #
     #   * For Sign in with Apple:
     #
     #     * client\_id
@@ -5373,6 +5571,7 @@ module Aws::CognitoIdentityProvider
       :idp_identifiers,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5443,14 +5642,16 @@ module Aws::CognitoIdentityProvider
     #
     #   * For `USER_SRP_AUTH`\: `USERNAME` (required), `SRP_A` (required),
     #     `SECRET_HASH` (required if the app client is configured with a
-    #     client secret), `DEVICE_KEY`
+    #     client secret), `DEVICE_KEY`.
     #
     #   * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`\: `REFRESH_TOKEN`
     #     (required), `SECRET_HASH` (required if the app client is
-    #     configured with a client secret), `DEVICE_KEY`
+    #     configured with a client secret), `DEVICE_KEY`.
     #
     #   * For `CUSTOM_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if app
-    #     client is configured with client secret), `DEVICE_KEY`
+    #     client is configured with client secret), `DEVICE_KEY`. To start
+    #     the authentication flow with password verification, include
+    #     `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_metadata
@@ -5541,6 +5742,7 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :analytics_metadata,
       :user_context_data)
+      SENSITIVE = [:auth_parameters, :client_id]
       include Aws::Structure
     end
 
@@ -5581,10 +5783,10 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] session
     #   The session which should be passed both ways in challenge-response
-    #   calls to the service. If the or API call determines that the caller
-    #   needs to go through another challenge, they return a session with
-    #   other challenge parameters. This session should be passed as it is
-    #   to the next `RespondToAuthChallenge` API call.
+    #   calls to the service. If the caller needs to go through another
+    #   challenge, they return a session with other challenge parameters.
+    #   This session should be passed as it is to the next
+    #   `RespondToAuthChallenge` API call.
     #   @return [String]
     #
     # @!attribute [rw] challenge_parameters
@@ -5610,6 +5812,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5625,6 +5828,7 @@ module Aws::CognitoIdentityProvider
     #
     class InternalErrorException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5641,6 +5845,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidEmailRoleAccessPolicyException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5656,6 +5861,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidLambdaResponseException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5668,6 +5874,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidOAuthFlowException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5683,6 +5890,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidParameterException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5698,6 +5906,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidPasswordException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5713,6 +5922,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidSmsRoleAccessPolicyException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5731,6 +5941,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidSmsRoleTrustRelationshipException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5744,6 +5955,7 @@ module Aws::CognitoIdentityProvider
     #
     class InvalidUserPoolConfigurationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5818,6 +6030,7 @@ module Aws::CognitoIdentityProvider
       :verify_auth_challenge_response,
       :pre_token_generation,
       :user_migration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5833,6 +6046,7 @@ module Aws::CognitoIdentityProvider
     #
     class LimitExceededException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5865,6 +6079,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :limit,
       :pagination_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -5883,6 +6098,7 @@ module Aws::CognitoIdentityProvider
     class ListDevicesResponse < Struct.new(
       :devices,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5915,6 +6131,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :limit,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5933,6 +6150,7 @@ module Aws::CognitoIdentityProvider
     class ListGroupsResponse < Struct.new(
       :groups,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5963,6 +6181,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -5979,6 +6198,7 @@ module Aws::CognitoIdentityProvider
     class ListIdentityProvidersResponse < Struct.new(
       :providers,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6009,6 +6229,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6025,6 +6246,7 @@ module Aws::CognitoIdentityProvider
     class ListResourceServersResponse < Struct.new(
       :resource_servers,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6044,6 +6266,7 @@ module Aws::CognitoIdentityProvider
     #
     class ListTagsForResourceRequest < Struct.new(
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6055,6 +6278,7 @@ module Aws::CognitoIdentityProvider
     #
     class ListTagsForResourceResponse < Struct.new(
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6090,6 +6314,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6110,6 +6335,7 @@ module Aws::CognitoIdentityProvider
     class ListUserImportJobsResponse < Struct.new(
       :user_import_jobs,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6146,6 +6372,7 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6166,6 +6393,7 @@ module Aws::CognitoIdentityProvider
     class ListUserPoolClientsResponse < Struct.new(
       :user_pool_clients,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6195,6 +6423,7 @@ module Aws::CognitoIdentityProvider
     class ListUserPoolsRequest < Struct.new(
       :next_token,
       :max_results)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6215,6 +6444,7 @@ module Aws::CognitoIdentityProvider
     class ListUserPoolsResponse < Struct.new(
       :user_pools,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6253,6 +6483,7 @@ module Aws::CognitoIdentityProvider
       :group_name,
       :limit,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6271,6 +6502,7 @@ module Aws::CognitoIdentityProvider
     class ListUsersInGroupResponse < Struct.new(
       :users,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6370,6 +6602,7 @@ module Aws::CognitoIdentityProvider
       :limit,
       :pagination_token,
       :filter)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6390,6 +6623,7 @@ module Aws::CognitoIdentityProvider
     class ListUsersResponse < Struct.new(
       :users,
       :pagination_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6405,6 +6639,7 @@ module Aws::CognitoIdentityProvider
     #
     class MFAMethodNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6412,13 +6647,6 @@ module Aws::CognitoIdentityProvider
     # MFA configurations. You can't use it for TOTP software token MFA
     # configurations.
     #
-    # To set either type of MFA configuration, use the
-    # AdminSetUserMFAPreference or SetUserMFAPreference actions.
-    #
-    # To look up information about either type of MFA configuration, use the
-    # AdminGetUserResponse$UserMFASettingList or
-    # GetUserResponse$UserMFASettingList responses.
-    #
     # @note When making an API call, you may pass MFAOptionType
     #   data as a hash:
     #
@@ -6442,6 +6670,7 @@ module Aws::CognitoIdentityProvider
     class MFAOptionType < Struct.new(
       :delivery_medium,
       :attribute_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6474,6 +6703,7 @@ module Aws::CognitoIdentityProvider
       :sms_message,
       :email_message,
       :email_subject)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6492,6 +6722,7 @@ module Aws::CognitoIdentityProvider
     class NewDeviceMetadataType < Struct.new(
       :device_key,
       :device_group_key)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6506,6 +6737,7 @@ module Aws::CognitoIdentityProvider
     #
     class NotAuthorizedException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6573,6 +6805,7 @@ module Aws::CognitoIdentityProvider
       :block_email,
       :no_action_email,
       :mfa_email)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6605,6 +6838,7 @@ module Aws::CognitoIdentityProvider
       :subject,
       :html_body,
       :text_body)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6632,6 +6866,7 @@ module Aws::CognitoIdentityProvider
     class NumberAttributeConstraintsType < Struct.new(
       :min_value,
       :max_value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6697,6 +6932,7 @@ module Aws::CognitoIdentityProvider
       :require_numbers,
       :require_symbols,
       :temporary_password_validity_days)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6710,6 +6946,7 @@ module Aws::CognitoIdentityProvider
     #
     class PasswordResetRequiredException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6723,6 +6960,7 @@ module Aws::CognitoIdentityProvider
     #
     class PreconditionNotMetException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6751,6 +6989,7 @@ module Aws::CognitoIdentityProvider
       :provider_type,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6787,6 +7026,7 @@ module Aws::CognitoIdentityProvider
       :provider_name,
       :provider_attribute_name,
       :provider_attribute_value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6815,6 +7055,7 @@ module Aws::CognitoIdentityProvider
     class RecoveryOptionType < Struct.new(
       :priority,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6912,6 +7153,7 @@ module Aws::CognitoIdentityProvider
       :username,
       :analytics_metadata,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username]
       include Aws::Structure
     end
 
@@ -6927,6 +7169,7 @@ module Aws::CognitoIdentityProvider
     #
     class ResendConfirmationCodeResponse < Struct.new(
       :code_delivery_details)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6942,6 +7185,7 @@ module Aws::CognitoIdentityProvider
     #
     class ResourceNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6968,6 +7212,7 @@ module Aws::CognitoIdentityProvider
     class ResourceServerScopeType < Struct.new(
       :scope_name,
       :scope_description)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -6996,6 +7241,7 @@ module Aws::CognitoIdentityProvider
       :identifier,
       :name,
       :scopes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7027,9 +7273,13 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] challenge_name
-    #   The challenge name. For more information, see .
+    #   The challenge name. For more information, see [InitiateAuth][1].
     #
     #   `ADMIN_NO_SRP_AUTH` is not a valid value.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -7130,25 +7380,35 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
     # The response to respond to the authentication challenge.
     #
     # @!attribute [rw] challenge_name
-    #   The challenge name. For more information, see .
+    #   The challenge name. For more information, see [InitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
     #   @return [String]
     #
     # @!attribute [rw] session
     #   The session which should be passed both ways in challenge-response
-    #   calls to the service. If the or API call determines that the caller
-    #   needs to go through another challenge, they return a session with
-    #   other challenge parameters. This session should be passed as it is
-    #   to the next `RespondToAuthChallenge` API call.
+    #   calls to the service. If the caller needs to go through another
+    #   challenge, they return a session with other challenge parameters.
+    #   This session should be passed as it is to the next
+    #   `RespondToAuthChallenge` API call.
     #   @return [String]
     #
     # @!attribute [rw] challenge_parameters
-    #   The challenge parameters. For more information, see .
+    #   The challenge parameters. For more information, see
+    #   [InitiateAuth][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] authentication_result
@@ -7163,6 +7423,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_parameters,
       :authentication_result)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7204,6 +7465,7 @@ module Aws::CognitoIdentityProvider
       :account_takeover_risk_configuration,
       :risk_exception_configuration,
       :last_modified_date)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -7233,6 +7495,7 @@ module Aws::CognitoIdentityProvider
     class RiskExceptionConfigurationType < Struct.new(
       :blocked_ip_range_list,
       :skipped_ip_range_list)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7259,6 +7522,7 @@ module Aws::CognitoIdentityProvider
     class SMSMfaSettingsType < Struct.new(
       :enabled,
       :preferred_mfa)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7301,8 +7565,9 @@ module Aws::CognitoIdentityProvider
     #   Specifies whether the attribute type is developer only. This
     #   attribute can only be modified by an administrator. Users will not
     #   be able to modify this attribute using their access token. For
-    #   example, `DeveloperOnlyAttribute` can be modified using the API but
-    #   cannot be updated using the API.
+    #   example, `DeveloperOnlyAttribute` can be modified using
+    #   AdminUpdateUserAttributes but cannot be updated using
+    #   UpdateUserAttributes.
     #
     #
     #
@@ -7349,6 +7614,7 @@ module Aws::CognitoIdentityProvider
       :required,
       :number_attribute_constraints,
       :string_attribute_constraints)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7361,6 +7627,7 @@ module Aws::CognitoIdentityProvider
     #
     class ScopeDoesNotExistException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7453,6 +7720,7 @@ module Aws::CognitoIdentityProvider
       :compromised_credentials_risk_configuration,
       :account_takeover_risk_configuration,
       :risk_exception_configuration)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -7464,6 +7732,7 @@ module Aws::CognitoIdentityProvider
     #
     class SetRiskConfigurationResponse < Struct.new(
       :risk_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7500,6 +7769,7 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :css,
       :image_file)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -7511,6 +7781,7 @@ module Aws::CognitoIdentityProvider
     #
     class SetUICustomizationResponse < Struct.new(
       :ui_customization)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7547,6 +7818,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_settings,
       :software_token_mfa_settings,
       :access_token)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -7602,6 +7874,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
       :mfa_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7630,6 +7903,7 @@ module Aws::CognitoIdentityProvider
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
       :mfa_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7662,6 +7936,7 @@ module Aws::CognitoIdentityProvider
     class SetUserSettingsRequest < Struct.new(
       :access_token,
       :mfa_options)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -7796,6 +8071,7 @@ module Aws::CognitoIdentityProvider
       :analytics_metadata,
       :user_context_data,
       :client_metadata)
+      SENSITIVE = [:client_id, :secret_hash, :username, :password]
       include Aws::Structure
     end
 
@@ -7822,6 +8098,7 @@ module Aws::CognitoIdentityProvider
       :user_confirmed,
       :code_delivery_details,
       :user_sub)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7862,6 +8139,7 @@ module Aws::CognitoIdentityProvider
     class SmsConfigurationType < Struct.new(
       :sns_caller_arn,
       :external_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7895,6 +8173,7 @@ module Aws::CognitoIdentityProvider
     class SmsMfaConfigType < Struct.new(
       :sms_authentication_message,
       :sms_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7908,6 +8187,7 @@ module Aws::CognitoIdentityProvider
     #
     class SoftwareTokenMFANotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7928,6 +8208,7 @@ module Aws::CognitoIdentityProvider
     #
     class SoftwareTokenMfaConfigType < Struct.new(
       :enabled)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7954,6 +8235,7 @@ module Aws::CognitoIdentityProvider
     class SoftwareTokenMfaSettingsType < Struct.new(
       :enabled,
       :preferred_mfa)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7981,6 +8263,7 @@ module Aws::CognitoIdentityProvider
     class StartUserImportJobRequest < Struct.new(
       :user_pool_id,
       :job_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -7995,6 +8278,7 @@ module Aws::CognitoIdentityProvider
     #
     class StartUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8022,6 +8306,7 @@ module Aws::CognitoIdentityProvider
     class StopUserImportJobRequest < Struct.new(
       :user_pool_id,
       :job_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8036,6 +8321,7 @@ module Aws::CognitoIdentityProvider
     #
     class StopUserImportJobResponse < Struct.new(
       :user_import_job)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8062,6 +8348,7 @@ module Aws::CognitoIdentityProvider
     class StringAttributeConstraintsType < Struct.new(
       :min_length,
       :max_length)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8089,6 +8376,7 @@ module Aws::CognitoIdentityProvider
     class TagResourceRequest < Struct.new(
       :resource_arn,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8096,6 +8384,43 @@ module Aws::CognitoIdentityProvider
     #
     class TagResourceResponse < Aws::EmptyStructure; end
 
+    # The data type for TokenValidityUnits that specifics the time
+    # measurements for token validity.
+    #
+    # @note When making an API call, you may pass TokenValidityUnitsType
+    #   data as a hash:
+    #
+    #       {
+    #         access_token: "seconds", # accepts seconds, minutes, hours, days
+    #         id_token: "seconds", # accepts seconds, minutes, hours, days
+    #         refresh_token: "seconds", # accepts seconds, minutes, hours, days
+    #       }
+    #
+    # @!attribute [rw] access_token
+    #   A time unit in “seconds”, “minutes”, “hours” or “days” for the value
+    #   in AccessTokenValidity, defaults to hours.
+    #   @return [String]
+    #
+    # @!attribute [rw] id_token
+    #   A time unit in “seconds”, “minutes”, “hours” or “days” for the value
+    #   in IdTokenValidity, defaults to hours.
+    #   @return [String]
+    #
+    # @!attribute [rw] refresh_token
+    #   A time unit in “seconds”, “minutes”, “hours” or “days” for the value
+    #   in RefreshTokenValidity, defaults to days.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/TokenValidityUnitsType AWS API Documentation
+    #
+    class TokenValidityUnitsType < Struct.new(
+      :access_token,
+      :id_token,
+      :refresh_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when the user has made too many failed
     # attempts for a given action (e.g., sign in).
     #
@@ -8108,6 +8433,7 @@ module Aws::CognitoIdentityProvider
     #
     class TooManyFailedAttemptsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8123,6 +8449,7 @@ module Aws::CognitoIdentityProvider
     #
     class TooManyRequestsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8167,6 +8494,7 @@ module Aws::CognitoIdentityProvider
       :css_version,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -8182,6 +8510,7 @@ module Aws::CognitoIdentityProvider
     #
     class UnexpectedLambdaException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8195,6 +8524,7 @@ module Aws::CognitoIdentityProvider
     #
     class UnsupportedIdentityProviderException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8208,6 +8538,7 @@ module Aws::CognitoIdentityProvider
     #
     class UnsupportedUserStateException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8233,6 +8564,7 @@ module Aws::CognitoIdentityProvider
     class UntagResourceRequest < Struct.new(
       :resource_arn,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8279,6 +8611,7 @@ module Aws::CognitoIdentityProvider
       :event_id,
       :feedback_token,
       :feedback_value)
+      SENSITIVE = [:username, :feedback_token]
       include Aws::Structure
     end
 
@@ -8315,6 +8648,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :device_key,
       :device_remembered_status)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -8354,7 +8688,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] precedence
     #   The new precedence value for the group. For more information about
-    #   this parameter, see .
+    #   this parameter, see [CreateGroup][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateGroupRequest AWS API Documentation
@@ -8365,6 +8703,7 @@ module Aws::CognitoIdentityProvider
       :description,
       :role_arn,
       :precedence)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8376,6 +8715,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateGroupResponse < Struct.new(
       :group)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8423,6 +8763,7 @@ module Aws::CognitoIdentityProvider
       :provider_details,
       :attribute_mapping,
       :idp_identifiers)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8434,6 +8775,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateIdentityProviderResponse < Struct.new(
       :identity_provider)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8475,6 +8817,7 @@ module Aws::CognitoIdentityProvider
       :identifier,
       :name,
       :scopes)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8486,6 +8829,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateResourceServerResponse < Struct.new(
       :resource_server)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8563,6 +8907,7 @@ module Aws::CognitoIdentityProvider
       :user_attributes,
       :access_token,
       :client_metadata)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -8578,6 +8923,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateUserAttributesResponse < Struct.new(
       :code_delivery_details_list)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8591,6 +8937,13 @@ module Aws::CognitoIdentityProvider
     #         client_id: "ClientIdType", # required
     #         client_name: "ClientNameType",
     #         refresh_token_validity: 1,
+    #         access_token_validity: 1,
+    #         id_token_validity: 1,
+    #         token_validity_units: {
+    #           access_token: "seconds", # accepts seconds, minutes, hours, days
+    #           id_token: "seconds", # accepts seconds, minutes, hours, days
+    #           refresh_token: "seconds", # accepts seconds, minutes, hours, days
+    #         },
     #         read_attributes: ["ClientPermissionType"],
     #         write_attributes: ["ClientPermissionType"],
     #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
@@ -8602,9 +8955,10 @@ module Aws::CognitoIdentityProvider
     #         allowed_o_auth_scopes: ["ScopeType"],
     #         allowed_o_auth_flows_user_pool_client: false,
     #         analytics_configuration: {
-    #           application_id: "HexStringType", # required
-    #           role_arn: "ArnType", # required
-    #           external_id: "StringType", # required
+    #           application_id: "HexStringType",
+    #           application_arn: "ArnType",
+    #           role_arn: "ArnType",
+    #           external_id: "StringType",
     #           user_data_shared: false,
     #         },
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
@@ -8628,6 +8982,22 @@ module Aws::CognitoIdentityProvider
     #   valid and cannot be used.
     #   @return [Integer]
     #
+    # @!attribute [rw] access_token_validity
+    #   The time limit, after which the access token is no longer valid and
+    #   cannot be used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] id_token_validity
+    #   The time limit, after which the ID token is no longer valid and
+    #   cannot be used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] token_validity_units
+    #   The units in which the validity times are represented in. Default
+    #   for RefreshToken is days, and default for ID and access tokens are
+    #   hours.
+    #   @return [Types::TokenValidityUnitsType]
+    #
     # @!attribute [rw] read_attributes
     #   The read-only attributes of the user pool.
     #   @return [Array<String>]
@@ -8750,9 +9120,10 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics configuration for collecting metrics
     #   for this user pool.
     #
-    #   <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
-    #   projects in the US East (N. Virginia) us-east-1 Region, regardless
-    #   of the region in which the user pool resides.
+    #   <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
+    #   supports sending events to Amazon Pinpoint projects in us-east-1. In
+    #   regions where Pinpoint is available, Cognito User Pools will support
+    #   sending events to Amazon Pinpoint projects within that same region.
     #
     #    </note>
     #   @return [Types::AnalyticsConfigurationType]
@@ -8775,24 +9146,6 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the old behavior of Cognito where user
     #     existence related errors are not prevented.
     #
-    #   This setting affects the behavior of following APIs:
-    #
-    #   * AdminInitiateAuth
-    #
-    #   * AdminRespondToAuthChallenge
-    #
-    #   * InitiateAuth
-    #
-    #   * RespondToAuthChallenge
-    #
-    #   * ForgotPassword
-    #
-    #   * ConfirmForgotPassword
-    #
-    #   * ConfirmSignUp
-    #
-    #   * ResendConfirmationCode
-    #
     #   <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
     #   will default to `ENABLED` for newly created user pool clients if no
     #   value is provided.
@@ -8807,6 +9160,9 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :client_name,
       :refresh_token_validity,
+      :access_token_validity,
+      :id_token_validity,
+      :token_validity_units,
       :read_attributes,
       :write_attributes,
       :explicit_auth_flows,
@@ -8819,6 +9175,7 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -8834,6 +9191,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateUserPoolClientResponse < Struct.new(
       :user_pool_client)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8876,6 +9234,7 @@ module Aws::CognitoIdentityProvider
       :domain,
       :user_pool_id,
       :custom_domain_config)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -8890,6 +9249,7 @@ module Aws::CognitoIdentityProvider
     #
     class UpdateUserPoolDomainResponse < Struct.new(
       :cloud_front_domain)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9085,6 +9445,7 @@ module Aws::CognitoIdentityProvider
       :admin_create_user_config,
       :user_pool_add_ons,
       :account_recovery_setting)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9116,6 +9477,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserContextDataType < Struct.new(
       :encoded_data)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9130,6 +9492,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserImportInProgressException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9227,6 +9590,7 @@ module Aws::CognitoIdentityProvider
       :skipped_users,
       :failed_users,
       :completion_message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9242,6 +9606,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserLambdaValidationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9255,6 +9620,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserNotConfirmedException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9268,6 +9634,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9280,6 +9647,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolAddOnNotEnabledException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9300,6 +9668,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolAddOnsType < Struct.new(
       :advanced_security_mode)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9324,6 +9693,7 @@ module Aws::CognitoIdentityProvider
       :client_id,
       :user_pool_id,
       :client_name)
+      SENSITIVE = [:client_id]
       include Aws::Structure
     end
 
@@ -9358,6 +9728,23 @@ module Aws::CognitoIdentityProvider
     #   valid and cannot be used.
     #   @return [Integer]
     #
+    # @!attribute [rw] access_token_validity
+    #   The time limit, specified by tokenValidityUnits, defaulting to
+    #   hours, after which the access token is no longer valid and cannot be
+    #   used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] id_token_validity
+    #   The time limit, specified by tokenValidityUnits, defaulting to
+    #   hours, after which the refresh token is no longer valid and cannot
+    #   be used.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] token_validity_units
+    #   The time units used to specify the token validity times of their
+    #   respective token.
+    #   @return [Types::TokenValidityUnitsType]
+    #
     # @!attribute [rw] read_attributes
     #   The Read-only attributes.
     #   @return [Array<String>]
@@ -9505,24 +9892,6 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the old behavior of Cognito where user
     #     existence related errors are not prevented.
     #
-    #   This setting affects the behavior of following APIs:
-    #
-    #   * AdminInitiateAuth
-    #
-    #   * AdminRespondToAuthChallenge
-    #
-    #   * InitiateAuth
-    #
-    #   * RespondToAuthChallenge
-    #
-    #   * ForgotPassword
-    #
-    #   * ConfirmForgotPassword
-    #
-    #   * ConfirmSignUp
-    #
-    #   * ResendConfirmationCode
-    #
     #   <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
     #   will default to `ENABLED` for newly created user pool clients if no
     #   value is provided.
@@ -9540,6 +9909,9 @@ module Aws::CognitoIdentityProvider
       :last_modified_date,
       :creation_date,
       :refresh_token_validity,
+      :access_token_validity,
+      :id_token_validity,
+      :token_validity_units,
       :read_attributes,
       :write_attributes,
       :explicit_auth_flows,
@@ -9552,6 +9924,7 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
       :prevent_user_existence_errors)
+      SENSITIVE = [:client_id, :client_secret]
       include Aws::Structure
     end
 
@@ -9590,6 +9963,7 @@ module Aws::CognitoIdentityProvider
       :status,
       :last_modified_date,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9617,6 +9991,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolPolicyType < Struct.new(
       :password_policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9630,6 +10005,7 @@ module Aws::CognitoIdentityProvider
     #
     class UserPoolTaggingException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9778,7 +10154,11 @@ module Aws::CognitoIdentityProvider
     #   the selected sign-in option. For example, when this is set to
     #   `False`, users will be able to sign in using either "username" or
     #   "Username". This configuration is immutable once it has been set.
-    #   For more information, see .
+    #   For more information, see [UsernameConfigurationType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html
     #   @return [Types::UsernameConfigurationType]
     #
     # @!attribute [rw] arn
@@ -9830,6 +10210,7 @@ module Aws::CognitoIdentityProvider
       :username_configuration,
       :arn,
       :account_recovery_setting)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9891,6 +10272,7 @@ module Aws::CognitoIdentityProvider
       :enabled,
       :user_status,
       :mfa_options)
+      SENSITIVE = [:username]
       include Aws::Structure
     end
 
@@ -9926,6 +10308,7 @@ module Aws::CognitoIdentityProvider
     #
     class UsernameConfigurationType < Struct.new(
       :case_sensitive)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9941,6 +10324,7 @@ module Aws::CognitoIdentityProvider
     #
     class UsernameExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -9993,6 +10377,7 @@ module Aws::CognitoIdentityProvider
       :email_message_by_link,
       :email_subject_by_link,
       :default_email_option)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -10017,6 +10402,11 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] user_code
     #   The one time password computed using the secret code returned by
+    #   [AssociateSoftwareToken"][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AssociateSoftwareToken.html
     #   @return [String]
     #
     # @!attribute [rw] friendly_device_name
@@ -10030,6 +10420,7 @@ module Aws::CognitoIdentityProvider
       :session,
       :user_code,
       :friendly_device_name)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end
 
@@ -10047,6 +10438,7 @@ module Aws::CognitoIdentityProvider
     class VerifySoftwareTokenResponse < Struct.new(
       :status,
       :session)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -10080,6 +10472,7 @@ module Aws::CognitoIdentityProvider
       :access_token,
       :attribute_name,
       :code)
+      SENSITIVE = [:access_token]
       include Aws::Structure
     end