aws-sdk-cognitoidentityprovider 1.46.0 → 1.51.0

data/VERSION

@@ -0,0 +1 @@
+1.51.0

data/lib/aws-sdk-cognitoidentityprovider.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -48,6 +48,6 @@ require_relative 'aws-sdk-cognitoidentityprovider/customizations'
 # @!group service
 module Aws::CognitoIdentityProvider
 
-  GEM_VERSION = '1.46.0'
+  GEM_VERSION = '1.51.0'
 
 end

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -1629,6 +1629,9 @@ module Aws::CognitoIdentityProvider
     #     attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
     #     with client secret).
     #
+    #   * `MFA_SETUP` requires `USERNAME`, plus you need to use the session
+    #     value returned by `VerifySoftwareToken` in the `Session` parameter.
+    #
     #   The value of the `USERNAME` attribute must be the user's actual
     #   username, not an alias (such as email address or phone number). To
     #   make this easier, the `AdminInitiateAuth` response includes the actual
@@ -2746,9 +2749,21 @@ module Aws::CognitoIdentityProvider
     #
     # @option params [String] :email_verification_message
     #   A string representing the email verification message.
+    #   EmailVerificationMessage is allowed only if [EmailSendingAccount][1]
+    #   is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #
     # @option params [String] :email_verification_subject
     #   A string representing the email verification subject.
+    #   EmailVerificationSubject is allowed only if [EmailSendingAccount][1]
+    #   is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #
     # @option params [Types::VerificationMessageTemplateType] :verification_message_template
     #   The template for the verification message that the user sees when the
@@ -2834,6 +2849,15 @@ module Aws::CognitoIdentityProvider
     #       verify_auth_challenge_response: "ArnType",
     #       pre_token_generation: "ArnType",
     #       user_migration: "ArnType",
+    #       custom_sms_sender: {
+    #         lambda_version: "V1_0", # required, accepts V1_0
+    #         lambda_arn: "ArnType", # required
+    #       },
+    #       custom_email_sender: {
+    #         lambda_version: "V1_0", # required, accepts V1_0
+    #         lambda_arn: "ArnType", # required
+    #       },
+    #       kms_key_id: "ArnType",
     #     },
     #     auto_verified_attributes: ["phone_number"], # accepts phone_number, email
     #     alias_attributes: ["phone_number"], # accepts phone_number, email, preferred_username
@@ -2931,6 +2955,11 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pool.lambda_config.pre_token_generation #=> String
     #   resp.user_pool.lambda_config.user_migration #=> String
+    #   resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
+    #   resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
+    #   resp.user_pool.lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
+    #   resp.user_pool.lambda_config.custom_email_sender.lambda_arn #=> String
+    #   resp.user_pool.lambda_config.kms_key_id #=> String
     #   resp.user_pool.status #=> String, one of "Enabled", "Disabled"
     #   resp.user_pool.last_modified_date #=> Time
     #   resp.user_pool.creation_date #=> Time
@@ -3320,7 +3349,7 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Deletes a group. Currently only groups with no members can be deleted.
+    # Deletes a group.
     #
     # Calling this action requires developer credentials.
     #
@@ -3746,6 +3775,11 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pool.lambda_config.pre_token_generation #=> String
     #   resp.user_pool.lambda_config.user_migration #=> String
+    #   resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
+    #   resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
+    #   resp.user_pool.lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
+    #   resp.user_pool.lambda_config.custom_email_sender.lambda_arn #=> String
+    #   resp.user_pool.lambda_config.kms_key_id #=> String
     #   resp.user_pool.status #=> String, one of "Enabled", "Disabled"
     #   resp.user_pool.last_modified_date #=> Time
     #   resp.user_pool.creation_date #=> Time
@@ -4997,6 +5031,11 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pools[0].lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pools[0].lambda_config.pre_token_generation #=> String
     #   resp.user_pools[0].lambda_config.user_migration #=> String
+    #   resp.user_pools[0].lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
+    #   resp.user_pools[0].lambda_config.custom_sms_sender.lambda_arn #=> String
+    #   resp.user_pools[0].lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
+    #   resp.user_pools[0].lambda_config.custom_email_sender.lambda_arn #=> String
+    #   resp.user_pools[0].lambda_config.kms_key_id #=> String
     #   resp.user_pools[0].status #=> String, one of "Enabled", "Disabled"
     #   resp.user_pools[0].last_modified_date #=> Time
     #   resp.user_pools[0].creation_date #=> Time
@@ -5330,6 +5369,9 @@ module Aws::CognitoIdentityProvider
     #   * `DEVICE_PASSWORD_VERIFIER` requires everything that
     #     `PASSWORD_VERIFIER` requires plus `DEVICE_KEY`.
     #
+    #   * `MFA_SETUP` requires `USERNAME`, plus you need to use the session
+    #     value returned by `VerifySoftwareToken` in the `Session` parameter.
+    #
     # @option params [Types::AnalyticsMetadataType] :analytics_metadata
     #   The Amazon Pinpoint analytics metadata for collecting metrics for
     #   `RespondToAuthChallenge` calls.
@@ -5619,7 +5661,12 @@ module Aws::CognitoIdentityProvider
     # one factor can be set as preferred. The preferred MFA factor will be
     # used to authenticate a user if multiple factors are enabled. If
     # multiple options are enabled and no preference is set, a challenge to
-    # choose an MFA option will be returned during sign in.
+    # choose an MFA option will be returned during sign in. If an MFA type
+    # is enabled for a user, the user will be prompted for MFA during all
+    # sign in attempts, unless device tracking is turned on and the device
+    # has been trusted. If you would like MFA to be applied selectively
+    # based on the assessed risk level of sign in attempts, disable MFA for
+    # users and turn on Adaptive Authentication for the user pool.
     #
     # @option params [Types::SMSMfaSettingsType] :sms_mfa_settings
     #   The SMS text message multi-factor authentication (MFA) settings.
@@ -5667,7 +5714,11 @@ module Aws::CognitoIdentityProvider
     #   The software token MFA configuration.
     #
     # @option params [String] :mfa_configuration
-    #   The MFA configuration. Valid values include:
+    #   The MFA configuration. Users who don't have an MFA factor set up
+    #   won't be able to sign-in if you set the MfaConfiguration value to
+    #   ‘ON’. See [Adding Multi-Factor Authentication (MFA) to a User
+    #   Pool](cognito/latest/developerguide/user-pool-settings-mfa.html) to
+    #   learn more. Valid values include:
     #
     #   * `OFF` MFA will not be used for any users.
     #
@@ -6420,11 +6471,17 @@ module Aws::CognitoIdentityProvider
     #     user registration.
     #
     #   * `ON` - MFA tokens are required for all user registrations. You can
-    #     only specify required when you are initially creating a user pool.
+    #     only specify ON when you are initially creating a user pool. You can
+    #     use the [SetUserPoolMfaConfig][1] API operation to turn MFA "ON"
+    #     for existing user pools.
     #
     #   * `OPTIONAL` - Users have the option when registering to create an MFA
     #     token.
     #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html
+    #
     # @option params [Types::DeviceConfigurationType] :device_configuration
     #   Device configuration.
     #
@@ -6482,6 +6539,15 @@ module Aws::CognitoIdentityProvider
     #       verify_auth_challenge_response: "ArnType",
     #       pre_token_generation: "ArnType",
     #       user_migration: "ArnType",
+    #       custom_sms_sender: {
+    #         lambda_version: "V1_0", # required, accepts V1_0
+    #         lambda_arn: "ArnType", # required
+    #       },
+    #       custom_email_sender: {
+    #         lambda_version: "V1_0", # required, accepts V1_0
+    #         lambda_arn: "ArnType", # required
+    #       },
+    #       kms_key_id: "ArnType",
     #     },
     #     auto_verified_attributes: ["phone_number"], # accepts phone_number, email
     #     sms_verification_message: "SmsVerificationMessageType",
@@ -6982,7 +7048,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.46.0'
+      context[:gem_version] = '1.51.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -149,6 +149,10 @@ module Aws::CognitoIdentityProvider
     CustomAttributeNameType = Shapes::StringShape.new(name: 'CustomAttributeNameType')
     CustomAttributesListType = Shapes::ListShape.new(name: 'CustomAttributesListType')
     CustomDomainConfigType = Shapes::StructureShape.new(name: 'CustomDomainConfigType')
+    CustomEmailLambdaVersionConfigType = Shapes::StructureShape.new(name: 'CustomEmailLambdaVersionConfigType')
+    CustomEmailSenderLambdaVersionType = Shapes::StringShape.new(name: 'CustomEmailSenderLambdaVersionType')
+    CustomSMSLambdaVersionConfigType = Shapes::StructureShape.new(name: 'CustomSMSLambdaVersionConfigType')
+    CustomSMSSenderLambdaVersionType = Shapes::StringShape.new(name: 'CustomSMSSenderLambdaVersionType')
     DateType = Shapes::TimestampShape.new(name: 'DateType')
     DefaultEmailOptionType = Shapes::StringShape.new(name: 'DefaultEmailOptionType')
     DeleteGroupRequest = Shapes::StructureShape.new(name: 'DeleteGroupRequest')
@@ -957,6 +961,14 @@ module Aws::CognitoIdentityProvider
     CustomDomainConfigType.add_member(:certificate_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "CertificateArn"))
     CustomDomainConfigType.struct_class = Types::CustomDomainConfigType
 
+    CustomEmailLambdaVersionConfigType.add_member(:lambda_version, Shapes::ShapeRef.new(shape: CustomEmailSenderLambdaVersionType, required: true, location_name: "LambdaVersion"))
+    CustomEmailLambdaVersionConfigType.add_member(:lambda_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "LambdaArn"))
+    CustomEmailLambdaVersionConfigType.struct_class = Types::CustomEmailLambdaVersionConfigType
+
+    CustomSMSLambdaVersionConfigType.add_member(:lambda_version, Shapes::ShapeRef.new(shape: CustomSMSSenderLambdaVersionType, required: true, location_name: "LambdaVersion"))
+    CustomSMSLambdaVersionConfigType.add_member(:lambda_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "LambdaArn"))
+    CustomSMSLambdaVersionConfigType.struct_class = Types::CustomSMSLambdaVersionConfigType
+
     DeleteGroupRequest.add_member(:group_name, Shapes::ShapeRef.new(shape: GroupNameType, required: true, location_name: "GroupName"))
     DeleteGroupRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
     DeleteGroupRequest.struct_class = Types::DeleteGroupRequest
@@ -1274,6 +1286,9 @@ module Aws::CognitoIdentityProvider
     LambdaConfigType.add_member(:verify_auth_challenge_response, Shapes::ShapeRef.new(shape: ArnType, location_name: "VerifyAuthChallengeResponse"))
     LambdaConfigType.add_member(:pre_token_generation, Shapes::ShapeRef.new(shape: ArnType, location_name: "PreTokenGeneration"))
     LambdaConfigType.add_member(:user_migration, Shapes::ShapeRef.new(shape: ArnType, location_name: "UserMigration"))
+    LambdaConfigType.add_member(:custom_sms_sender, Shapes::ShapeRef.new(shape: CustomSMSLambdaVersionConfigType, location_name: "CustomSMSSender"))
+    LambdaConfigType.add_member(:custom_email_sender, Shapes::ShapeRef.new(shape: CustomEmailLambdaVersionConfigType, location_name: "CustomEmailSender"))
+    LambdaConfigType.add_member(:kms_key_id, Shapes::ShapeRef.new(shape: ArnType, location_name: "KMSKeyID"))
     LambdaConfigType.struct_class = Types::LambdaConfigType
 
     LimitExceededException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))

data/lib/aws-sdk-cognitoidentityprovider/customizations.rb

@@ -2,7 +2,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-cognitoidentityprovider/errors.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-cognitoidentityprovider/resource.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -705,7 +705,7 @@ module Aws::CognitoIdentityProvider
     #
     class AdminDisableProviderForUserResponse < Aws::EmptyStructure; end
 
-    # Represents the request to disable any user as an administrator.
+    # Represents the request to disable the user as an administrator.
     #
     # @note When making an API call, you may pass AdminDisableUserRequest
     #   data as a hash:
@@ -1191,10 +1191,22 @@ module Aws::CognitoIdentityProvider
     #     with `USERNAME` and `PASSWORD` directly. An app client must be
     #     enabled to use this flow.
     #
-    #   * `NEW_PASSWORD_REQUIRED`\: For users which are required to change
+    #   * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
     #     their passwords after successful first login. This challenge
     #     should be passed with `NEW_PASSWORD` and any other required
     #     attributes.
+    #
+    #   * `MFA_SETUP`\: For users who are required to setup an MFA factor
+    #     before they can sign-in. The MFA types enabled for the user pool
+    #     will be listed in the challenge parameters `MFA_CAN_SETUP` value.
+    #
+    #     To setup software token MFA, use the session returned here from
+    #     `InitiateAuth` as an input to `AssociateSoftwareToken`, and use
+    #     the session returned by `VerifySoftwareToken` as an input to
+    #     `RespondToAuthChallenge` with challenge name `MFA_SETUP` to
+    #     complete sign-in. To setup SMS MFA, users will need help from an
+    #     administrator to add a phone number to their account and then call
+    #     `InitiateAuth` again to restart sign-in.
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -1671,6 +1683,10 @@ module Aws::CognitoIdentityProvider
     #     attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
     #     with client secret).
     #
+    #   * `MFA_SETUP` requires `USERNAME`, plus you need to use the session
+    #     value returned by `VerifySoftwareToken` in the `Session`
+    #     parameter.
+    #
     #   The value of the `USERNAME` attribute must be the user's actual
     #   username, not an alias (such as email address or phone number). To
     #   make this easier, the `AdminInitiateAuth` response includes the
@@ -3628,6 +3644,15 @@ module Aws::CognitoIdentityProvider
     #           verify_auth_challenge_response: "ArnType",
     #           pre_token_generation: "ArnType",
     #           user_migration: "ArnType",
+    #           custom_sms_sender: {
+    #             lambda_version: "V1_0", # required, accepts V1_0
+    #             lambda_arn: "ArnType", # required
+    #           },
+    #           custom_email_sender: {
+    #             lambda_version: "V1_0", # required, accepts V1_0
+    #             lambda_arn: "ArnType", # required
+    #           },
+    #           kms_key_id: "ArnType",
     #         },
     #         auto_verified_attributes: ["phone_number"], # accepts phone_number, email
     #         alias_attributes: ["phone_number"], # accepts phone_number, email, preferred_username
@@ -3757,10 +3782,22 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] email_verification_message
     #   A string representing the email verification message.
+    #   EmailVerificationMessage is allowed only if [EmailSendingAccount][1]
+    #   is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @!attribute [rw] email_verification_subject
     #   A string representing the email verification subject.
+    #   EmailVerificationSubject is allowed only if [EmailSendingAccount][1]
+    #   is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @!attribute [rw] verification_message_template
@@ -3898,6 +3935,66 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # A custom email sender Lambda configuration type.
+    #
+    # @note When making an API call, you may pass CustomEmailLambdaVersionConfigType
+    #   data as a hash:
+    #
+    #       {
+    #         lambda_version: "V1_0", # required, accepts V1_0
+    #         lambda_arn: "ArnType", # required
+    #       }
+    #
+    # @!attribute [rw] lambda_version
+    #   The Lambda version represents the signature of the "request"
+    #   attribute in the "event" information Amazon Cognito passes to your
+    #   custom email Lambda function. The only supported value is `V1_0`.
+    #   @return [String]
+    #
+    # @!attribute [rw] lambda_arn
+    #   The Lambda Amazon Resource Name of the Lambda function that Amazon
+    #   Cognito triggers to send email notifications to users.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CustomEmailLambdaVersionConfigType AWS API Documentation
+    #
+    class CustomEmailLambdaVersionConfigType < Struct.new(
+      :lambda_version,
+      :lambda_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A custom SMS sender Lambda configuration type.
+    #
+    # @note When making an API call, you may pass CustomSMSLambdaVersionConfigType
+    #   data as a hash:
+    #
+    #       {
+    #         lambda_version: "V1_0", # required, accepts V1_0
+    #         lambda_arn: "ArnType", # required
+    #       }
+    #
+    # @!attribute [rw] lambda_version
+    #   The Lambda version represents the signature of the "request"
+    #   attribute in the "event" information Amazon Cognito passes to your
+    #   custom SMS Lambda function. The only supported value is `V1_0`.
+    #   @return [String]
+    #
+    # @!attribute [rw] lambda_arn
+    #   The Lambda Amazon Resource Name of the Lambda function that Amazon
+    #   Cognito triggers to send SMS notifications to users.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CustomSMSLambdaVersionConfigType AWS API Documentation
+    #
+    class CustomSMSLambdaVersionConfigType < Struct.new(
+      :lambda_version,
+      :lambda_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass DeleteGroupRequest
     #   data as a hash:
     #
@@ -4528,6 +4625,16 @@ module Aws::CognitoIdentityProvider
 
     # The email configuration type.
     #
+    # <note markdown="1"> Amazon Cognito has specific regions for use with Amazon SES. For more
+    # information on the supported regions, see [Email Settings for Amazon
+    # Cognito User Pools][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html
+    #
     # @note When making an API call, you may pass EmailConfigurationType
     #   data as a hash:
     #
@@ -4580,6 +4687,29 @@ module Aws::CognitoIdentityProvider
     #     customize the FROM address, provide the ARN of an Amazon SES
     #     verified email address for the `SourceArn` parameter.
     #
+    #     If EmailSendingAccount is COGNITO\_DEFAULT, the following
+    #     parameters aren't allowed:
+    #
+    #     * EmailVerificationMessage
+    #
+    #     * EmailVerificationSubject
+    #
+    #     * InviteMessageTemplate.EmailMessage
+    #
+    #     * InviteMessageTemplate.EmailSubject
+    #
+    #     * VerificationMessageTemplate.EmailMessage
+    #
+    #     * VerificationMessageTemplate.EmailMessageByLink
+    #
+    #     * VerificationMessageTemplate.EmailSubject,
+    #
+    #     * VerificationMessageTemplate.EmailSubjectByLink
+    #
+    #     <note markdown="1"> DEVELOPER EmailSendingAccount is required.
+    #
+    #      </note>
+    #
     #   DEVELOPER
     #
     #   : When Amazon Cognito emails your users, it uses your Amazon SES
@@ -5775,10 +5905,22 @@ module Aws::CognitoIdentityProvider
     #   * `DEVICE_PASSWORD_VERIFIER`\: Similar to `PASSWORD_VERIFIER`, but
     #     for devices only.
     #
-    #   * `NEW_PASSWORD_REQUIRED`\: For users which are required to change
+    #   * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
     #     their passwords after successful first login. This challenge
     #     should be passed with `NEW_PASSWORD` and any other required
     #     attributes.
+    #
+    #   * `MFA_SETUP`\: For users who are required to setup an MFA factor
+    #     before they can sign-in. The MFA types enabled for the user pool
+    #     will be listed in the challenge parameters `MFA_CAN_SETUP` value.
+    #
+    #     To setup software token MFA, use the session returned here from
+    #     `InitiateAuth` as an input to `AssociateSoftwareToken`, and use
+    #     the session returned by `VerifySoftwareToken` as an input to
+    #     `RespondToAuthChallenge` with challenge name `MFA_SETUP` to
+    #     complete sign-in. To setup SMS MFA, users will need help from an
+    #     administrator to add a phone number to their account and then call
+    #     `InitiateAuth` again to restart sign-in.
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -5975,6 +6117,15 @@ module Aws::CognitoIdentityProvider
     #         verify_auth_challenge_response: "ArnType",
     #         pre_token_generation: "ArnType",
     #         user_migration: "ArnType",
+    #         custom_sms_sender: {
+    #           lambda_version: "V1_0", # required, accepts V1_0
+    #           lambda_arn: "ArnType", # required
+    #         },
+    #         custom_email_sender: {
+    #           lambda_version: "V1_0", # required, accepts V1_0
+    #           lambda_arn: "ArnType", # required
+    #         },
+    #         kms_key_id: "ArnType",
     #       }
     #
     # @!attribute [rw] pre_sign_up
@@ -6017,6 +6168,21 @@ module Aws::CognitoIdentityProvider
     #   The user migration Lambda config type.
     #   @return [String]
     #
+    # @!attribute [rw] custom_sms_sender
+    #   A custom SMS sender AWS Lambda trigger.
+    #   @return [Types::CustomSMSLambdaVersionConfigType]
+    #
+    # @!attribute [rw] custom_email_sender
+    #   A custom email sender AWS Lambda trigger.
+    #   @return [Types::CustomEmailLambdaVersionConfigType]
+    #
+    # @!attribute [rw] kms_key_id
+    #   The Amazon Resource Name of Key Management Service [Customer master
+    #   keys](/kms/latest/developerguide/concepts.html#master_keys) . Amazon
+    #   Cognito uses the key to encrypt codes and temporary passwords sent
+    #   to `CustomEmailSender` and `CustomSMSSender`.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LambdaConfigType AWS API Documentation
     #
     class LambdaConfigType < Struct.new(
@@ -6029,7 +6195,10 @@ module Aws::CognitoIdentityProvider
       :create_auth_challenge,
       :verify_auth_challenge_response,
       :pre_token_generation,
-      :user_migration)
+      :user_migration,
+      :custom_sms_sender,
+      :custom_email_sender,
+      :kms_key_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -6690,11 +6859,21 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] email_message
-    #   The message template for email messages.
+    #   The message template for email messages. EmailMessage is allowed
+    #   only if [EmailSendingAccount][1] is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @!attribute [rw] email_subject
-    #   The subject line for email messages.
+    #   The subject line for email messages. EmailSubject is allowed only if
+    #   [EmailSendingAccount][1] is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/MessageTemplateType AWS API Documentation
@@ -7316,6 +7495,10 @@ module Aws::CognitoIdentityProvider
     #
     #   * `DEVICE_PASSWORD_VERIFIER` requires everything that
     #     `PASSWORD_VERIFIER` requires plus `DEVICE_KEY`.
+    #
+    #   * `MFA_SETUP` requires `USERNAME`, plus you need to use the session
+    #     value returned by `VerifySoftwareToken` in the `Session`
+    #     parameter.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] analytics_metadata
@@ -7499,7 +7682,13 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The type used for enabling SMS MFA at the user level.
+    # The type used for enabling SMS MFA at the user level. Phone numbers
+    # don't need to be verified to be used for SMS MFA. If an MFA type is
+    # enabled for a user, the user will be prompted for MFA during all sign
+    # in attempts, unless device tracking is turned on and the device has
+    # been trusted. If you would like MFA to be applied selectively based on
+    # the assessed risk level of sign in attempts, disable MFA for users and
+    # turn on Adaptive Authentication for the user pool.
     #
     # @note When making an API call, you may pass SMSMfaSettingsType
     #   data as a hash:
@@ -7510,7 +7699,10 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] enabled
-    #   Specifies whether SMS text message MFA is enabled.
+    #   Specifies whether SMS text message MFA is enabled. If an MFA type is
+    #   enabled for a user, the user will be prompted for MFA during all
+    #   sign in attempts, unless device tracking is turned on and the device
+    #   has been trusted.
     #   @return [Boolean]
     #
     # @!attribute [rw] preferred_mfa
@@ -7857,7 +8049,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
     # @!attribute [rw] mfa_configuration
-    #   The MFA configuration. Valid values include:
+    #   The MFA configuration. Users who don't have an MFA factor set up
+    #   won't be able to sign-in if you set the MfaConfiguration value to
+    #   ‘ON’. See [Adding Multi-Factor Authentication (MFA) to a User
+    #   Pool](cognito/latest/developerguide/user-pool-settings-mfa.html) to
+    #   learn more. Valid values include:
     #
     #   * `OFF` MFA will not be used for any users.
     #
@@ -8119,7 +8315,12 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] sns_caller_arn
     #   The Amazon Resource Name (ARN) of the Amazon Simple Notification
     #   Service (SNS) caller. This is the ARN of the IAM role in your AWS
-    #   account which Cognito will use to send SMS messages.
+    #   account which Cognito will use to send SMS messages. SMS messages
+    #   are subject to a [spending limit][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
     #   @return [String]
     #
     # @!attribute [rw] external_id
@@ -8132,6 +8333,14 @@ module Aws::CognitoIdentityProvider
     #   role for SMS MFA, Cognito will create a role with the required
     #   permissions and a trust policy that demonstrates use of the
     #   `ExternalId`.
+    #
+    #   For more information about the `ExternalId` of a role, see [How to
+    #   use an external ID when granting access to your AWS resources to a
+    #   third party][1]
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SmsConfigurationType AWS API Documentation
@@ -8212,7 +8421,13 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The type used for enabling software token MFA at the user level.
+    # The type used for enabling software token MFA at the user level. If an
+    # MFA type is enabled for a user, the user will be prompted for MFA
+    # during all sign in attempts, unless device tracking is turned on and
+    # the device has been trusted. If you would like MFA to be applied
+    # selectively based on the assessed risk level of sign in attempts,
+    # disable MFA for users and turn on Adaptive Authentication for the user
+    # pool.
     #
     # @note When making an API call, you may pass SoftwareTokenMfaSettingsType
     #   data as a hash:
@@ -8223,7 +8438,10 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] enabled
-    #   Specifies whether software token MFA is enabled.
+    #   Specifies whether software token MFA is enabled. If an MFA type is
+    #   enabled for a user, the user will be prompted for MFA during all
+    #   sign in attempts, unless device tracking is turned on and the device
+    #   has been trusted.
     #   @return [Boolean]
     #
     # @!attribute [rw] preferred_mfa
@@ -9281,6 +9499,15 @@ module Aws::CognitoIdentityProvider
     #           verify_auth_challenge_response: "ArnType",
     #           pre_token_generation: "ArnType",
     #           user_migration: "ArnType",
+    #           custom_sms_sender: {
+    #             lambda_version: "V1_0", # required, accepts V1_0
+    #             lambda_arn: "ArnType", # required
+    #           },
+    #           custom_email_sender: {
+    #             lambda_version: "V1_0", # required, accepts V1_0
+    #             lambda_arn: "ArnType", # required
+    #           },
+    #           kms_key_id: "ArnType",
     #         },
     #         auto_verified_attributes: ["phone_number"], # accepts phone_number, email
     #         sms_verification_message: "SmsVerificationMessageType",
@@ -9381,10 +9608,16 @@ module Aws::CognitoIdentityProvider
     #     user registration.
     #
     #   * `ON` - MFA tokens are required for all user registrations. You can
-    #     only specify required when you are initially creating a user pool.
+    #     only specify ON when you are initially creating a user pool. You
+    #     can use the [SetUserPoolMfaConfig][1] API operation to turn MFA
+    #     "ON" for existing user pools.
     #
     #   * `OPTIONAL` - Users have the option when registering to create an
     #     MFA token.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html
     #   @return [String]
     #
     # @!attribute [rw] device_configuration
@@ -10347,21 +10580,41 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] email_message
-    #   The email message template.
+    #   The email message template. EmailMessage is allowed only if [
+    #   EmailSendingAccount][1] is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @!attribute [rw] email_subject
-    #   The subject line for the email message template.
+    #   The subject line for the email message template. EmailSubject is
+    #   allowed only if [EmailSendingAccount][1] is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @!attribute [rw] email_message_by_link
     #   The email message template for sending a confirmation link to the
-    #   user.
+    #   user. EmailMessageByLink is allowed only if [
+    #   EmailSendingAccount][1] is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @!attribute [rw] email_subject_by_link
     #   The subject line for the email message template for sending a
-    #   confirmation link to the user.
+    #   confirmation link to the user. EmailSubjectByLink is allowed only [
+    #   EmailSendingAccount][1] is DEVELOPER.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
     #   @return [String]
     #
     # @!attribute [rw] default_email_option