aws-sdk-cognitoidentityprovider 1.69.0 → 1.71.0

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -1480,7 +1480,9 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] max_results
-    #   The maximum number of authentication events to return.
+    #   The maximum number of authentication events to return. Returns 60
+    #   events if you set `MaxResults` to 0, or if you don't include a
+    #   `MaxResults` parameter.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
@@ -3401,6 +3403,7 @@ module Aws::CognitoIdentityProvider
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #         enable_token_revocation: false,
     #         enable_propagate_additional_user_context_data: false,
+    #         auth_session_validity: 1,
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -3431,6 +3434,9 @@ module Aws::CognitoIdentityProvider
     #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
     #   Amazon Cognito overrides the value with the default value of 30
     #   days. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
@@ -3445,6 +3451,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
@@ -3459,6 +3468,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
@@ -3488,45 +3500,44 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The authentication flows that are supported by the user pool
-    #   clients. Flow names without the `ALLOW_` prefix are no longer
-    #   supported, in favor of new names with the `ALLOW_` prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a
+    #   user name and Secure Remote Password (SRP), a user name and
+    #   password, or a custom authentication process that you define with
+    #   Lambda functions.
     #
-    #   <note markdown="1"> Values with `ALLOW_` prefix must be used only along with the
-    #   `ALLOW_` prefix.
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`,
+    #   and `ALLOW_CUSTOM_AUTH`.
     #
     #    </note>
     #
     #   Valid values include:
     #
-    #   ALLOW\_ADMIN\_USER\_PASSWORD\_AUTH
-    #
-    #   : Enable admin based user password authentication flow
-    #     `ADMIN_USER_PASSWORD_AUTH`. This setting replaces the
-    #     `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, Amazon
-    #     Cognito receives the password in the request instead of using the
-    #     Secure Remote Password (SRP) protocol to verify passwords.
-    #
-    #   ALLOW\_CUSTOM\_AUTH
-    #
-    #   : Enable Lambda trigger based authentication.
-    #
-    #   ALLOW\_USER\_PASSWORD\_AUTH
-    #
-    #   : Enable user password-based authentication. In this flow, Amazon
-    #     Cognito receives the password in the request instead of using the
-    #     SRP protocol to verify passwords.
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
+    #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
+    #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
+    #     authentication flow, your app passes a user name and password to
+    #     Amazon Cognito in the request, instead of using the Secure Remote
+    #     Password (SRP) protocol to securely transmit the password.
     #
-    #   ALLOW\_USER\_SRP\_AUTH
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
-    #   : Enable SRP-based authentication.
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Amazon Cognito receives the password
+    #     in the request instead of using the SRP protocol to verify
+    #     passwords.
     #
-    #   ALLOW\_REFRESH\_TOKEN\_AUTH
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
     #
-    #   : Enable the authflow that refreshes tokens.
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #
-    #   If you don't specify a value for `ExplicitAuthFlows`, your user
-    #   client supports `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`.
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -3678,6 +3689,13 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
     #   @return [Boolean]
     #
+    # @!attribute [rw] auth_session_validity
+    #   Amazon Cognito creates a session token for each API request in an
+    #   authentication flow. `AuthSessionValidity` is the duration, in
+    #   minutes, of that session token. Your user pool native user must
+    #   respond to each authentication challenge before the session expires.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClientRequest AWS API Documentation
     #
     class CreateUserPoolClientRequest < Struct.new(
@@ -3701,7 +3719,8 @@ module Aws::CognitoIdentityProvider
       :analytics_configuration,
       :prevent_user_existence_errors,
       :enable_token_revocation,
-      :enable_propagate_additional_user_context_data)
+      :enable_propagate_additional_user_context_data,
+      :auth_session_validity)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3797,6 +3816,7 @@ module Aws::CognitoIdentityProvider
     #             temporary_password_validity_days: 1,
     #           },
     #         },
+    #         deletion_protection: "ACTIVE", # accepts ACTIVE, INACTIVE
     #         lambda_config: {
     #           pre_sign_up: "ArnType",
     #           custom_message: "ArnType",
@@ -3906,6 +3926,18 @@ module Aws::CognitoIdentityProvider
     #   The policies associated with the new user pool.
     #   @return [Types::UserPoolPolicyType]
     #
+    # @!attribute [rw] deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of
+    #   your user pool. Before you can delete a user pool that you have
+    #   protected against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool`
+    #   API request, Amazon Cognito returns an `InvalidParameterException`
+    #   error. To delete a protected user pool, send a new `DeleteUserPool`
+    #   request after you deactivate deletion protection in an
+    #   `UpdateUserPool` API request.
+    #   @return [String]
+    #
     # @!attribute [rw] lambda_config
     #   The Lambda trigger configuration information for the new user pool.
     #
@@ -3945,27 +3977,30 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] sms_verification_message
-    #   A string representing the SMS verification message.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] email_verification_message
-    #   A string representing the email verification message.
-    #   `EmailVerificationMessage` is allowed only if
-    #   [EmailSendingAccount][1] is DEVELOPER.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] email_verification_subject
-    #   A string representing the email verification subject.
-    #   `EmailVerificationSubject` is allowed only if
-    #   [EmailSendingAccount][1] is DEVELOPER.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] verification_message_template
@@ -4068,6 +4103,7 @@ module Aws::CognitoIdentityProvider
     class CreateUserPoolRequest < Struct.new(
       :pool_name,
       :policies,
+      :deletion_protection,
       :lambda_config,
       :auto_verified_attributes,
       :alias_attributes,
@@ -4432,7 +4468,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The IdP that was deleted.
+    #   The identity provider details.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderResponse AWS API Documentation
@@ -4672,15 +4708,35 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The device-remembering configuration for a user pool. A null value
-    # indicates that you have deactivated device remembering in your user
-    # pool.
+    # The device-remembering configuration for a user pool. A [
+    # DescribeUserPool][1] request returns a null value for this object when
+    # the user pool isn't configured to remember devices. When device
+    # remembering is active, you can remember a user's device with a
+    # [ConfirmDevice][2] API request. Additionally. when the property
+    # `DeviceOnlyRememberedOnUserPrompt` is `true`, you must follow
+    # `ConfirmDevice` with an [UpdateDeviceStatus][3] API request that sets
+    # the user's device to `remembered` or `not_remembered`.
+    #
+    # To sign in with a remembered device, include `DEVICE_KEY` in the
+    # authentication parameters in your user's [ InitiateAuth][4] request.
+    # If your app doesn't include a `DEVICE_KEY` parameter, the
+    # [response][5] from Amazon Cognito includes newly-generated
+    # `DEVICE_KEY` and `DEVICE_GROUP_KEY` values under `NewDeviceMetadata`.
+    # Store these values to use in future device-authentication requests.
     #
-    # <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
-    # activate the Amazon Cognito device-remembering feature.
+    # <note markdown="1"> When you provide a value for any property of `DeviceConfiguration`,
+    # you activate the device remembering for the user pool.
     #
     #  </note>
     #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html
+    # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html
+    # [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html
+    # [4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
+    # [5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_ResponseSyntax
+    #
     # @note When making an API call, you may pass DeviceConfigurationType
     #   data as a hash:
     #
@@ -4690,27 +4746,32 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] challenge_required_on_new_device
-    #   When true, device authentication can replace SMS and time-based
-    #   one-time password (TOTP) factors for multi-factor authentication
-    #   (MFA).
+    #   When true, a remembered device can sign in with device
+    #   authentication instead of SMS and time-based one-time password
+    #   (TOTP) factors for multi-factor authentication (MFA).
     #
-    #   <note markdown="1"> Regardless of the value of this field, users that sign in with new
-    #   devices that have not been confirmed or remembered must provide a
-    #   second factor if your user pool requires MFA.
+    #   <note markdown="1"> Whether or not `ChallengeRequiredOnNewDevice` is true, users who
+    #   sign in with devices that have not been confirmed or remembered must
+    #   still provide a second factor in a user pool that requires MFA.
     #
     #    </note>
     #   @return [Boolean]
     #
     # @!attribute [rw] device_only_remembered_on_user_prompt
-    #   When true, Amazon Cognito doesn't remember newly-confirmed devices.
-    #   Users who want to authenticate with their device can instead opt in
-    #   to remembering their device. To collect a choice from your user,
-    #   create an input prompt in your app and return the value that the
-    #   user chooses in an [UpdateDeviceStatus][1] API request.
+    #   When true, Amazon Cognito doesn't automatically remember a user's
+    #   device when your app sends a [ ConfirmDevice][1] API request. In
+    #   your app, create a prompt for your user to choose whether they want
+    #   to remember their device. Return the user's choice in an [
+    #   UpdateDeviceStatus][2] API request.
     #
+    #   When `DeviceOnlyRememberedOnUserPrompt` is `false`, Amazon Cognito
+    #   immediately remembers devices that you register in a `ConfirmDevice`
+    #   API request.
     #
     #
-    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html
+    #   [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeviceConfigurationType AWS API Documentation
@@ -4926,7 +4987,7 @@ module Aws::CognitoIdentityProvider
     #     configuration.
     #
     #     To look up the email delivery limit for the default option, see
-    #     [Limits in ][1] in the <i> Developer Guide</i>.
+    #     [Limits][1] in the *Amazon Cognito Developer Guide*.
     #
     #     The default FROM address is `no-reply@verificationemail.com`. To
     #     customize the FROM address, provide the Amazon Resource Name (ARN)
@@ -4948,12 +5009,12 @@ module Aws::CognitoIdentityProvider
     #     Before Amazon Cognito can email your users, it requires additional
     #     permissions to call Amazon SES on your behalf. When you update
     #     your user pool with this option, Amazon Cognito creates a
-    #     *service-linked role*, which is a type of role, in your Amazon Web
-    #     Services account. This role contains the permissions that allow to
-    #     access Amazon SES and send email messages with your address. For
-    #     more information about the service-linked role that Amazon Cognito
-    #     creates, see [Using Service-Linked Roles for Amazon Cognito][2] in
-    #     the *Amazon Cognito Developer Guide*.
+    #     *service-linked role*, which is a type of role in your Amazon Web
+    #     Services account. This role contains the permissions that allow
+    #     you to access Amazon SES and send email messages from your email
+    #     address. For more information about the service-linked role that
+    #     Amazon Cognito creates, see [Using Service-Linked Roles for Amazon
+    #     Cognito][2] in the *Amazon Cognito Developer Guide*.
     #
     #
     #
@@ -5426,7 +5487,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The IdP object.
+    #   The identity provider details.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierResponse AWS API Documentation
@@ -8405,8 +8466,7 @@ module Aws::CognitoIdentityProvider
     #   The MFA configuration. If you set the MfaConfiguration value to
     #   ‘ON’, only users who have set up an MFA factor can sign in. To learn
     #   more, see [Adding Multi-Factor Authentication (MFA) to a user
-    #   pool](cognito/latest/developerguide/user-pool-settings-mfa.html).
-    #   Valid values include:
+    #   pool][1]. Valid values include:
     #
     #   * `OFF` MFA won't be used for any users.
     #
@@ -8414,6 +8474,10 @@ module Aws::CognitoIdentityProvider
     #
     #   * `OPTIONAL` MFA will be required only for individual users who have
     #     an MFA factor activated.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserPoolMfaConfigRequest AWS API Documentation
@@ -9413,7 +9477,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The IdP object.
+    #   The identity provider details.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderResponse AWS API Documentation
@@ -9617,6 +9681,7 @@ module Aws::CognitoIdentityProvider
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #         enable_token_revocation: false,
     #         enable_propagate_additional_user_context_data: false,
+    #         auth_session_validity: 1,
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -9646,6 +9711,9 @@ module Aws::CognitoIdentityProvider
     #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
     #   Amazon Cognito overrides the value with the default value of 30
     #   days. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
@@ -9660,6 +9728,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
@@ -9674,6 +9745,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
@@ -9691,20 +9765,27 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The authentication flows that are supported by the user pool
-    #   clients. Flow names without the `ALLOW_` prefix are no longer
-    #   supported in favor of new names with the `ALLOW_` prefix. Note that
-    #   values with `ALLOW_` prefix must be used only along with values with
-    #   the `ALLOW_` prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a
+    #   user name and Secure Remote Password (SRP), a user name and
+    #   password, or a custom authentication process that you define with
+    #   Lambda functions.
+    #
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`,
+    #   and `ALLOW_CUSTOM_AUTH`.
+    #
+    #    </note>
     #
     #   Valid values include:
     #
     #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
     #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
     #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
-    #     authentication flow, Amazon Cognito receives the password in the
-    #     request instead of using the Secure Remote Password (SRP) protocol
-    #     to verify passwords.
+    #     authentication flow, your app passes a user name and password to
+    #     Amazon Cognito in the request, instead of using the Secure Remote
+    #     Password (SRP) protocol to securely transmit the password.
     #
     #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
@@ -9716,6 +9797,12 @@ module Aws::CognitoIdentityProvider
     #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
     #
     #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
+    #
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -9863,6 +9950,13 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
     #   @return [Boolean]
     #
+    # @!attribute [rw] auth_session_validity
+    #   Amazon Cognito creates a session token for each API request in an
+    #   authentication flow. `AuthSessionValidity` is the duration, in
+    #   minutes, of that session token. Your user pool native user must
+    #   respond to each authentication challenge before the session expires.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClientRequest AWS API Documentation
     #
     class UpdateUserPoolClientRequest < Struct.new(
@@ -9886,7 +9980,8 @@ module Aws::CognitoIdentityProvider
       :analytics_configuration,
       :prevent_user_existence_errors,
       :enable_token_revocation,
-      :enable_propagate_additional_user_context_data)
+      :enable_propagate_additional_user_context_data,
+      :auth_session_validity)
       SENSITIVE = [:client_id]
       include Aws::Structure
     end
@@ -9983,6 +10078,7 @@ module Aws::CognitoIdentityProvider
     #             temporary_password_validity_days: 1,
     #           },
     #         },
+    #         deletion_protection: "ACTIVE", # accepts ACTIVE, INACTIVE
     #         lambda_config: {
     #           pre_sign_up: "ArnType",
     #           custom_message: "ArnType",
@@ -10070,6 +10166,18 @@ module Aws::CognitoIdentityProvider
     #   A container with the policies you want to update in a user pool.
     #   @return [Types::UserPoolPolicyType]
     #
+    # @!attribute [rw] deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of
+    #   your user pool. Before you can delete a user pool that you have
+    #   protected against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool`
+    #   API request, Amazon Cognito returns an `InvalidParameterException`
+    #   error. To delete a protected user pool, send a new `DeleteUserPool`
+    #   request after you deactivate deletion protection in an
+    #   `UpdateUserPool` API request.
+    #   @return [String]
+    #
     # @!attribute [rw] lambda_config
     #   The Lambda configuration information from the request to update the
     #   user pool.
@@ -10081,15 +10189,30 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] sms_verification_message
-    #   A container with information about the SMS verification message.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] email_verification_message
-    #   The contents of the email verification message.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] email_verification_subject
-    #   The subject of the email verification message.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] verification_message_template
@@ -10190,6 +10313,7 @@ module Aws::CognitoIdentityProvider
     class UpdateUserPoolRequest < Struct.new(
       :user_pool_id,
       :policies,
+      :deletion_protection,
       :lambda_config,
       :auto_verified_attributes,
       :sms_verification_message,
@@ -10564,6 +10688,9 @@ module Aws::CognitoIdentityProvider
     #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
     #   Amazon Cognito overrides the value with the default value of 30
     #   days. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
@@ -10578,6 +10705,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
@@ -10592,6 +10722,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
@@ -10608,20 +10741,27 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The authentication flows that are supported by the user pool
-    #   clients. Flow names without the `ALLOW_` prefix are no longer
-    #   supported in favor of new names with the `ALLOW_` prefix. Note that
-    #   values with `ALLOW_` prefix must be used only along with values
-    #   including the `ALLOW_` prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a
+    #   user name and Secure Remote Password (SRP), a user name and
+    #   password, or a custom authentication process that you define with
+    #   Lambda functions.
+    #
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`,
+    #   and `ALLOW_CUSTOM_AUTH`.
+    #
+    #    </note>
     #
     #   Valid values include:
     #
     #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
     #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
     #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
-    #     authentication flow, Amazon Cognito receives the password in the
-    #     request instead of using the Secure Remote Password (SRP) protocol
-    #     to verify passwords.
+    #     authentication flow, your app passes a user name and password to
+    #     Amazon Cognito in the request, instead of using the Secure Remote
+    #     Password (SRP) protocol to securely transmit the password.
     #
     #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
@@ -10633,6 +10773,12 @@ module Aws::CognitoIdentityProvider
     #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
     #
     #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
+    #
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -10794,6 +10940,13 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
     #   @return [Boolean]
     #
+    # @!attribute [rw] auth_session_validity
+    #   Amazon Cognito creates a session token for each API request in an
+    #   authentication flow. `AuthSessionValidity` is the duration, in
+    #   minutes, of that session token. Your user pool native user must
+    #   respond to each authentication challenge before the session expires.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolClientType AWS API Documentation
     #
     class UserPoolClientType < Struct.new(
@@ -10820,7 +10973,8 @@ module Aws::CognitoIdentityProvider
       :analytics_configuration,
       :prevent_user_existence_errors,
       :enable_token_revocation,
-      :enable_propagate_additional_user_context_data)
+      :enable_propagate_additional_user_context_data,
+      :auth_session_validity)
       SENSITIVE = [:client_id, :client_secret]
       include Aws::Structure
     end
@@ -10920,6 +11074,18 @@ module Aws::CognitoIdentityProvider
     #   The policies associated with the user pool.
     #   @return [Types::UserPoolPolicyType]
     #
+    # @!attribute [rw] deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of
+    #   your user pool. Before you can delete a user pool that you have
+    #   protected against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool`
+    #   API request, Amazon Cognito returns an `InvalidParameterException`
+    #   error. To delete a protected user pool, send a new `DeleteUserPool`
+    #   request after you deactivate deletion protection in an
+    #   `UpdateUserPool` API request.
+    #   @return [String]
+    #
     # @!attribute [rw] lambda_config
     #   The Lambda triggers associated with the user pool.
     #   @return [Types::LambdaConfigType]
@@ -10954,15 +11120,30 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] sms_verification_message
-    #   The contents of the SMS verification message.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] email_verification_message
-    #   The contents of the email verification message.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] email_verification_subject
-    #   The subject of the email verification message.
+    #   This parameter is no longer used. See
+    #   [VerificationMessageTemplateType][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html
     #   @return [String]
     #
     # @!attribute [rw] verification_message_template
@@ -11129,6 +11310,7 @@ module Aws::CognitoIdentityProvider
       :id,
       :name,
       :policies,
+      :deletion_protection,
       :lambda_config,
       :status,
       :last_modified_date,