aws-sdk-cognitoidentityprovider 1.79.0 → 1.81.0

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -400,6 +400,24 @@ module Aws::CognitoIdentityProvider
 
     # Adds additional user attributes to the user pool schema.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to add custom
     #   attributes.
@@ -443,7 +461,23 @@ module Aws::CognitoIdentityProvider
 
     # Adds the specified user to the specified group.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -476,7 +510,23 @@ module Aws::CognitoIdentityProvider
     # Confirms user registration as an admin without using a confirmation
     # code. Works on any user.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for which you want to confirm user registration.
@@ -578,12 +628,25 @@ module Aws::CognitoIdentityProvider
     # In either case, the user will be in the `FORCE_CHANGE_PASSWORD` state
     # until they sign in and change their password.
     #
-    # `AdminCreateUser` requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][3]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    #
+    #  </note>
     #
     #
     #
     # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where the user will be created.
@@ -656,10 +719,9 @@ module Aws::CognitoIdentityProvider
     #   Cognito generates one for you.
     #
     #   The temporary password can only be used until the user account
-    #   expiration limit that you specified when you created the user pool. To
-    #   reset the account after that time limit, you must call
-    #   `AdminCreateUser` again, specifying `"RESEND"` for the `MessageAction`
-    #   parameter.
+    #   expiration limit that you set for your user pool. To reset the account
+    #   after that time limit, you must call `AdminCreateUser` again and
+    #   specify `RESEND` for the `MessageAction` parameter.
     #
     # @option params [Boolean] :force_alias_creation
     #   This parameter is used only if the `phone_number_verified` or
@@ -726,6 +788,64 @@ module Aws::CognitoIdentityProvider
     #
     #   * {Types::AdminCreateUserResponse#user #user} => Types::UserType
     #
+    #
+    # @example Example: An AdminCreateUser request for for a test user named John.
+    #
+    #   # This request submits a value for all possible parameters for AdminCreateUser.
+    #
+    #   resp = client.admin_create_user({
+    #     desired_delivery_mediums: [
+    #       "SMS", 
+    #     ], 
+    #     message_action: "SUPPRESS", 
+    #     temporary_password: "This-is-my-test-99!", 
+    #     user_attributes: [
+    #       {
+    #         name: "name", 
+    #         value: "John", 
+    #       }, 
+    #       {
+    #         name: "phone_number", 
+    #         value: "+12065551212", 
+    #       }, 
+    #       {
+    #         name: "email", 
+    #         value: "testuser@example.com", 
+    #       }, 
+    #     ], 
+    #     user_pool_id: "us-east-1_EXAMPLE", 
+    #     username: "testuser", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     user: {
+    #       attributes: [
+    #         {
+    #           name: "sub", 
+    #           value: "d16b4aa8-8633-4abd-93b3-5062a8e1b5f8", 
+    #         }, 
+    #         {
+    #           name: "name", 
+    #           value: "John", 
+    #         }, 
+    #         {
+    #           name: "phone_number", 
+    #           value: "+12065551212", 
+    #         }, 
+    #         {
+    #           name: "email", 
+    #           value: "testuser@example.com", 
+    #         }, 
+    #       ], 
+    #       enabled: true, 
+    #       user_create_date: Time.parse(1689980857.949), 
+    #       user_last_modified_date: Time.parse(1689980857.949), 
+    #       user_status: "FORCE_CHANGE_PASSWORD", 
+    #       username: "testuser", 
+    #     }, 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.admin_create_user({
@@ -777,7 +897,23 @@ module Aws::CognitoIdentityProvider
 
     # Deletes a user as an administrator. Works on any user.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to delete the user.
@@ -806,7 +942,23 @@ module Aws::CognitoIdentityProvider
     # Deletes the user attributes in a user pool as an administrator. Works
     # on any user.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to delete user
@@ -852,9 +1004,6 @@ module Aws::CognitoIdentityProvider
     # `DestinationUser`, the user must create a new user account. See
     # [AdminLinkProviderForUser][1].
     #
-    # This action is enabled only for admin access and requires developer
-    # credentials.
-    #
     # The `ProviderName` must match the value specified when creating an IdP
     # for the pool.
     #
@@ -878,9 +1027,24 @@ module Aws::CognitoIdentityProvider
     # `ProviderAttributeName` must be `Cognito_Subject` and
     # `ProviderAttributeValue` must be the subject of the SAML assertion.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][2]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][3]
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -914,8 +1078,23 @@ module Aws::CognitoIdentityProvider
     # deactivated user can't sign in, but still appears in the responses to
     # `GetUser` and `ListUsers` API requests.
     #
-    # You must make this API request with Amazon Web Services credentials
-    # that have `cognito-idp:AdminDisableUser` permissions.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to disable the user.
@@ -943,7 +1122,23 @@ module Aws::CognitoIdentityProvider
 
     # Enables the specified user as an administrator. Works on any user.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to enable the user.
@@ -971,7 +1166,23 @@ module Aws::CognitoIdentityProvider
 
     # Forgets the device, as an administrator.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -1003,7 +1214,23 @@ module Aws::CognitoIdentityProvider
 
     # Gets the device, as an administrator.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :device_key
     #   The device key.
@@ -1048,7 +1275,23 @@ module Aws::CognitoIdentityProvider
     # Gets the specified user by user name in a user pool as an
     # administrator. Works on any user.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to get information
@@ -1125,12 +1368,25 @@ module Aws::CognitoIdentityProvider
     #
     #  </note>
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][3]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    #
+    #  </note>
     #
     #
     #
     # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The ID of the Amazon Cognito user pool.
@@ -1181,19 +1437,28 @@ module Aws::CognitoIdentityProvider
     #     `SECRET_HASH` (required if the app client is configured with a
     #     client secret), `DEVICE_KEY`.
     #
+    #   * For `ADMIN_USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD`
+    #     (required), `SECRET_HASH` (required if the app client is configured
+    #     with a client secret), `DEVICE_KEY`.
+    #
     #   * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required),
     #     `SECRET_HASH` (required if the app client is configured with a
     #     client secret), `DEVICE_KEY`.
     #
-    #   * For `ADMIN_NO_SRP_AUTH`: `USERNAME` (required), `SECRET_HASH` (if
-    #     app client is configured with client secret), `PASSWORD` (required),
-    #     `DEVICE_KEY`.
-    #
     #   * For `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app
     #     client is configured with client secret), `DEVICE_KEY`. To start the
     #     authentication flow with password verification, include
     #     `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
     #
+    #   For more information about `SECRET_HASH`, see [Computing secret hash
+    #   values][1]. For information about `DEVICE_KEY`, see [Working with user
+    #   devices in your user pool][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    #
     # @option params [Hash<String,String>] :client_metadata
     #   A map of custom key-value pairs that you can provide as input for
     #   certain custom workflows that this action triggers.
@@ -1347,14 +1612,30 @@ module Aws::CognitoIdentityProvider
     # only be used with external IdPs and provider attributes that have been
     # trusted by the application owner.
     #
-    # This action is administrative and requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
     #
     # @option params [required, Types::ProviderUserIdentifierType] :destination_user
     #   The existing user in the user pool that you want to assign to the
-    #   external IdP user account. This user can be a native (Username +
+    #   external IdP user account. This user can be a local (Username +
     #   Password) Amazon Cognito user pools user or a federated user (for
     #   example, a SAML or Facebook user). If the user doesn't exist, Amazon
     #   Cognito generates an exception. Amazon Cognito returns this user when
@@ -1389,13 +1670,21 @@ module Aws::CognitoIdentityProvider
     #
     #
     #
+    #   For OIDC, the `ProviderAttributeName` can be any value that matches a
+    #   claim in the ID token, or that your app retrieves from the `userInfo`
+    #   endpoint. You must map the claim to a user pool attribute in your IdP
+    #   configuration, and set the user pool attribute name as the value of
+    #   `ProviderAttributeName` in your `AdminLinkProviderForUser` request.
+    #
     #   For SAML, the `ProviderAttributeName` can be any value that matches a
-    #   claim in the SAML assertion. If you want to link SAML users based on
-    #   the subject of the SAML assertion, you should map the subject to a
-    #   claim through the SAML IdP and submit that claim name as the
-    #   `ProviderAttributeName`. If you set `ProviderAttributeName` to
+    #   claim in the SAML assertion. To link SAML users based on the subject
+    #   of the SAML assertion, map the subject to a claim through the SAML IdP
+    #   and set that claim name as the value of `ProviderAttributeName` in
+    #   your `AdminLinkProviderForUser` request.
+    #
+    #   For both OIDC and SAML users, when you set `ProviderAttributeName` to
     #   `Cognito_Subject`, Amazon Cognito will automatically parse the default
-    #   unique identifier found in the subject from the SAML token.
+    #   unique identifier found in the subject from the IdP token.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1426,7 +1715,23 @@ module Aws::CognitoIdentityProvider
 
     # Lists devices, as an administrator.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -1477,7 +1782,23 @@ module Aws::CognitoIdentityProvider
 
     # Lists the groups that the user belongs to.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :username
     #   The username for the user.
@@ -1533,6 +1854,24 @@ module Aws::CognitoIdentityProvider
     # A history of user activity and any risks detected as part of Amazon
     # Cognito advanced security.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
     #
@@ -1597,7 +1936,23 @@ module Aws::CognitoIdentityProvider
 
     # Removes the specified user from the specified group.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -1630,17 +1985,6 @@ module Aws::CognitoIdentityProvider
     # Resets the specified user's password in a user pool as an
     # administrator. Works on any user.
     #
-    # When a developer calls this API, the current password is invalidated,
-    # so it must be changed. If a user tries to sign in after the API is
-    # called, the app will get a PasswordResetRequiredException exception
-    # back and should direct the user down the flow to reset the password,
-    # which is the same as the forgot password flow. In addition, if the
-    # user pool has phone verification selected and a verified phone number
-    # exists for the user, or if email verification is selected and a
-    # verified email exists for the user, calling this API will also result
-    # in sending a message to the end user with the code to change their
-    # password.
-    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
@@ -1662,12 +2006,35 @@ module Aws::CognitoIdentityProvider
     #
     #  </note>
     #
-    # Calling this action requires developer credentials.
+    # Deactivates a user's password, requiring them to change it. If a user
+    # tries to sign in after the API is called, Amazon Cognito responds with
+    # a `PasswordResetRequiredException` error. Your app must then perform
+    # the actions that reset your user's password: the forgot-password
+    # flow. In addition, if the user pool has phone verification selected
+    # and a verified phone number exists for the user, or if email
+    # verification is selected and a verified email exists for the user,
+    # calling this API will also result in sending a message to the end user
+    # with the code to change their password.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][3]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    #
+    #  </note>
     #
     #
     #
     # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to reset the user's
@@ -1757,12 +2124,25 @@ module Aws::CognitoIdentityProvider
     #
     #  </note>
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][3]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    #
+    #  </note>
     #
     #
     #
     # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The ID of the Amazon Cognito user pool.
@@ -1823,6 +2203,15 @@ module Aws::CognitoIdentityProvider
     #   happens even if you specified an alias in your call to
     #   `AdminInitiateAuth`.
     #
+    #   For more information about `SECRET_HASH`, see [Computing secret hash
+    #   values][1]. For information about `DEVICE_KEY`, see [Working with user
+    #   devices in your user pool][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    #
     # @option params [String] :session
     #   The session that should be passed both ways in challenge-response
     #   calls to the service. If an `InitiateAuth` or `RespondToAuthChallenge`
@@ -1963,6 +2352,24 @@ module Aws::CognitoIdentityProvider
     # options are activated and no preference is set, a challenge to choose
     # an MFA option will be returned during sign-in.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [Types::SMSMfaSettingsType] :sms_mfa_settings
     #   The SMS text message MFA settings.
     #
@@ -2014,6 +2421,38 @@ module Aws::CognitoIdentityProvider
     # Once the user has set a new password, or the password is permanent,
     # the user status is set to `Confirmed`.
     #
+    # `AdminSetUserPassword` can set a password for the user profile that
+    # Amazon Cognito creates for third-party federated users. When you set a
+    # password, the federated user's status changes from
+    # `EXTERNAL_PROVIDER` to `CONFIRMED`. A user in this state can sign in
+    # as a federated user, and initiate authentication flows in the API like
+    # a linked native user. They can also modify their password and
+    # attributes in token-authenticated API requests like `ChangePassword`
+    # and `UpdateUserAttributes`. As a best security practice and to keep
+    # users in sync with your external IdP, don't set passwords on
+    # federated user profiles. To set up a federated user for native sign-in
+    # with a linked native user, refer to [Linking federated users to an
+    # existing user profile][1].
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][2]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][3]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to set the user's
     #   password.
@@ -2052,9 +2491,24 @@ module Aws::CognitoIdentityProvider
     # (TOTP) software token MFA. To configure either type of MFA, use
     # [AdminSetUserMFAPreference][1] instead.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][2]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][3]
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The ID of the user pool that contains the user whose options you're
@@ -2096,6 +2550,24 @@ module Aws::CognitoIdentityProvider
     # evaluation decision for the user pool as part of Amazon Cognito
     # advanced security.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
     #
@@ -2106,7 +2578,12 @@ module Aws::CognitoIdentityProvider
     #   The authentication event ID.
     #
     # @option params [required, String] :feedback_value
-    #   The authentication event feedback value.
+    #   The authentication event feedback value. When you provide a
+    #   `FeedbackValue` value of `valid`, you tell Amazon Cognito that you
+    #   trust a user session where Amazon Cognito has evaluated some level of
+    #   risk. When you provide a `FeedbackValue` value of `invalid`, you tell
+    #   Amazon Cognito that you don't trust a user session, or you don't
+    #   believe that Amazon Cognito evaluated a high-enough risk level.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -2130,7 +2607,23 @@ module Aws::CognitoIdentityProvider
 
     # Updates the device status as an administrator.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -2164,15 +2657,6 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Updates the specified user's attributes, including developer
-    # attributes, as an administrator. Works on any user.
-    #
-    # For custom attributes, you must prepend the `custom:` prefix to the
-    # attribute name.
-    #
-    # In addition to updating user attributes, this API can also be used to
-    # mark phone and email as verified.
-    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
@@ -2194,12 +2678,36 @@ module Aws::CognitoIdentityProvider
     #
     #  </note>
     #
-    # Calling this action requires developer credentials.
+    # Updates the specified user's attributes, including developer
+    # attributes, as an administrator. Works on any user. To delete an
+    # attribute from your user, submit the attribute in your API request
+    # with a blank value.
+    #
+    # For custom attributes, you must prepend the `custom:` prefix to the
+    # attribute name.
+    #
+    # In addition to updating user attributes, this API can also be used to
+    # mark phone and email as verified.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][3]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    #
+    #  </note>
     #
     #
     #
     # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to update user
@@ -2293,16 +2801,34 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Signs out a user from all devices. You must sign
-    # `AdminUserGlobalSignOut` requests with Amazon Web Services
-    # credentials. It also invalidates all refresh tokens that Amazon
-    # Cognito has issued to a user. The user's current access and ID tokens
-    # remain valid until they expire. By default, access and ID tokens
-    # expire one hour after they're issued. A user can still use a hosted
-    # UI cookie to retrieve new tokens for the duration of the cookie
-    # validity period of 1 hour.
+    # Signs out a user from all devices. `AdminUserGlobalSignOut`
+    # invalidates all identity, access and refresh tokens that Amazon
+    # Cognito has issued to a user. A user can still use a hosted UI cookie
+    # to retrieve new tokens for the duration of the 1-hour cookie validity
+    # period.
+    #
+    # Your app isn't aware that a user's access token is revoked unless it
+    # attempts to authorize a user pools API request with an access token
+    # that contains the scope `aws.cognito.signin.user.admin`. Your app
+    # might otherwise accept access tokens until they expire.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
     #
-    # Calling this action requires developer credentials.
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -2350,9 +2876,19 @@ module Aws::CognitoIdentityProvider
     #
     #  </note>
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][2].
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifySoftwareToken.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
@@ -2391,6 +2927,19 @@ module Aws::CognitoIdentityProvider
 
     # Changes the password for a specified user in a user pool.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :previous_password
     #   The old password.
     #
@@ -2423,6 +2972,19 @@ module Aws::CognitoIdentityProvider
     # Confirms tracking of the device. This API call is the call that begins
     # device tracking.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
     #   device you want to confirm.
@@ -2468,13 +3030,31 @@ module Aws::CognitoIdentityProvider
     # Allows a user to enter a confirmation code to reset a forgotten
     # password.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :client_id
     #   The app client ID of the app associated with the user pool.
     #
     # @option params [String] :secret_hash
     #   A keyed-hash message authentication code (HMAC) calculated using the
     #   secret key of a user pool client and username plus the client ID in
-    #   the message.
+    #   the message. For more information about `SecretHash`, see [Computing
+    #   secret hash values][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
     #
     # @option params [required, String] :username
     #   The user name of the user for whom you want to enter a code to
@@ -2572,6 +3152,19 @@ module Aws::CognitoIdentityProvider
 
     # Confirms registration of a new user.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :client_id
     #   The ID of the app client associated with the user pool.
     #
@@ -2676,7 +3269,23 @@ module Aws::CognitoIdentityProvider
 
     # Creates a new group in the specified user pool.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :group_name
     #   The name of the group. Must be unique.
@@ -2745,6 +3354,24 @@ module Aws::CognitoIdentityProvider
 
     # Creates an IdP for a user pool.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
     #
@@ -2839,7 +3466,7 @@ module Aws::CognitoIdentityProvider
     #
     #   resp = client.create_identity_provider({
     #     user_pool_id: "UserPoolIdType", # required
-    #     provider_name: "ProviderNameTypeV1", # required
+    #     provider_name: "ProviderNameTypeV2", # required
     #     provider_type: "SAML", # required, accepts SAML, Facebook, Google, LoginWithAmazon, SignInWithApple, OIDC
     #     provider_details: { # required
     #       "StringType" => "StringType",
@@ -2876,6 +3503,24 @@ module Aws::CognitoIdentityProvider
     # Creates a new OAuth2.0 resource server and defines custom scopes
     # within it.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
     #
@@ -2927,7 +3572,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Creates the user import job.
+    # Creates a user import job.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :job_name
     #   The job name for the user import job.
@@ -2977,9 +3640,6 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Creates a new Amazon Cognito user pool and sets the password policy
-    # for the pool.
-    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
@@ -3001,10 +3661,31 @@ module Aws::CognitoIdentityProvider
     #
     #  </note>
     #
+    # Creates a new Amazon Cognito user pool and sets the password policy
+    # for the pool.
+    #
+    # If you don't provide a value for an attribute, Amazon Cognito sets it
+    # to its default value.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][3]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :pool_name
     #   A string used to name the user pool.
@@ -3139,15 +3820,32 @@ module Aws::CognitoIdentityProvider
     #   can be standard or custom attributes.
     #
     # @option params [Types::UserPoolAddOnsType] :user_pool_add_ons
-    #   Enables advanced security risk detection. Set the key
-    #   `AdvancedSecurityMode` to the value "AUDIT".
+    #   User pool add-ons. Contains settings for activation of advanced
+    #   security features. To log user security information but take no
+    #   action, set to `AUDIT`. To configure automatic security responses to
+    #   risky traffic to your user pool, set to `ENFORCED`.
+    #
+    #   For more information, see [Adding advanced security to a user
+    #   pool][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
     #
     # @option params [Types::UsernameConfigurationType] :username_configuration
     #   Case sensitivity on the username input for the selected sign-in
-    #   option. For example, when case sensitivity is set to `False`, users
-    #   can sign in using either "username" or "Username". This
-    #   configuration is immutable once it has been set. For more information,
-    #   see [UsernameConfigurationType][1].
+    #   option. When case sensitivity is set to `False` (case insensitive),
+    #   users can sign in with any combination of capital and lowercase
+    #   letters. For example, `username`, `USERNAME`, or `UserName`, or for
+    #   email, `email@example.com` or `EMaiL@eXamplE.Com`. For most use cases,
+    #   set case sensitivity to `False` (case insensitive) as a best practice.
+    #   When usernames and email addresses are case insensitive, Amazon
+    #   Cognito treats any variation in case as the same user, and prevents a
+    #   case variation from being assigned to the same attribute for a
+    #   different user.
+    #
+    #   This configuration is immutable after you set it. For more
+    #   information, see [UsernameConfigurationType][1].
     #
     #
     #
@@ -3167,6 +3865,462 @@ module Aws::CognitoIdentityProvider
     #
     #   * {Types::CreateUserPoolResponse#user_pool #user_pool} => Types::UserPoolType
     #
+    #
+    # @example Example: Example user pool with email and username sign-in
+    #
+    #   # The following example creates a user pool with all configurable properties set to an example value. The resulting user
+    #   # pool allows sign-in with username or email address, has optional MFA, and has a Lambda function assigned to each
+    #   # possible trigger.
+    #
+    #   resp = client.create_user_pool({
+    #     account_recovery_setting: {
+    #       recovery_mechanisms: [
+    #         {
+    #           name: "verified_email", 
+    #           priority: 1, 
+    #         }, 
+    #       ], 
+    #     }, 
+    #     admin_create_user_config: {
+    #       allow_admin_create_user_only: false, 
+    #       invite_message_template: {
+    #         email_message: "Your username is {username} and temporary password is {####}.", 
+    #         email_subject: "Your sign-in information", 
+    #         sms_message: "Your username is {username} and temporary password is {####}.", 
+    #       }, 
+    #     }, 
+    #     alias_attributes: [
+    #       "email", 
+    #     ], 
+    #     auto_verified_attributes: [
+    #       "email", 
+    #     ], 
+    #     deletion_protection: "ACTIVE", 
+    #     device_configuration: {
+    #       challenge_required_on_new_device: true, 
+    #       device_only_remembered_on_user_prompt: true, 
+    #     }, 
+    #     email_configuration: {
+    #       configuration_set: "my-test-ses-configuration-set", 
+    #       email_sending_account: "DEVELOPER", 
+    #       from: "support@example.com", 
+    #       reply_to_email_address: "support@example.com", 
+    #       source_arn: "arn:aws:ses:us-east-1:123456789012:identity/support@example.com", 
+    #     }, 
+    #     email_verification_message: "Your verification code is {####}.", 
+    #     email_verification_subject: "Verify your email address", 
+    #     lambda_config: {
+    #       custom_email_sender: {
+    #         lambda_arn: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         lambda_version: "V1_0", 
+    #       }, 
+    #       custom_message: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       custom_sms_sender: {
+    #         lambda_arn: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         lambda_version: "V1_0", 
+    #       }, 
+    #       define_auth_challenge: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       kms_key_id: "arn:aws:kms:us-east-1:123456789012:key/a6c4f8e2-0c45-47db-925f-87854bc9e357", 
+    #       post_authentication: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       post_confirmation: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       pre_authentication: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       pre_sign_up: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       pre_token_generation: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       user_migration: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       verify_auth_challenge_response: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #     }, 
+    #     mfa_configuration: "OPTIONAL", 
+    #     policies: {
+    #       password_policy: {
+    #         minimum_length: 6, 
+    #         require_lowercase: true, 
+    #         require_numbers: true, 
+    #         require_symbols: true, 
+    #         require_uppercase: true, 
+    #         temporary_password_validity_days: 7, 
+    #       }, 
+    #     }, 
+    #     pool_name: "my-test-user-pool", 
+    #     schema: [
+    #       {
+    #         attribute_data_type: "Number", 
+    #         developer_only_attribute: true, 
+    #         mutable: true, 
+    #         name: "mydev", 
+    #         number_attribute_constraints: {
+    #           max_value: "99", 
+    #           min_value: "1", 
+    #         }, 
+    #         required: false, 
+    #         string_attribute_constraints: {
+    #           max_length: "99", 
+    #           min_length: "1", 
+    #         }, 
+    #       }, 
+    #     ], 
+    #     sms_authentication_message: "Your verification code is {####}.", 
+    #     sms_configuration: {
+    #       external_id: "my-role-external-id", 
+    #       sns_caller_arn: "arn:aws:iam::123456789012:role/service-role/test-cognito-SMS-Role", 
+    #     }, 
+    #     sms_verification_message: "Your verification code is {####}.", 
+    #     user_attribute_update_settings: {
+    #       attributes_require_verification_before_update: [
+    #         "email", 
+    #       ], 
+    #     }, 
+    #     user_pool_add_ons: {
+    #       advanced_security_mode: "OFF", 
+    #     }, 
+    #     user_pool_tags: {
+    #       "my-test-tag-key" => "my-test-tag-key", 
+    #     }, 
+    #     username_configuration: {
+    #       case_sensitive: true, 
+    #     }, 
+    #     verification_message_template: {
+    #       default_email_option: "CONFIRM_WITH_CODE", 
+    #       email_message: "Your confirmation code is {####}", 
+    #       email_message_by_link: "Choose this link to {##verify your email##}", 
+    #       email_subject: "Here is your confirmation code", 
+    #       email_subject_by_link: "Here is your confirmation link", 
+    #       sms_message: "Your confirmation code is {####}", 
+    #     }, 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     user_pool: {
+    #       account_recovery_setting: {
+    #         recovery_mechanisms: [
+    #           {
+    #             name: "verified_email", 
+    #             priority: 1, 
+    #           }, 
+    #         ], 
+    #       }, 
+    #       admin_create_user_config: {
+    #         allow_admin_create_user_only: false, 
+    #         invite_message_template: {
+    #           email_message: "Your username is {username} and temporary password is {####}.", 
+    #           email_subject: "Your sign-in information", 
+    #           sms_message: "Your username is {username} and temporary password is {####}.", 
+    #         }, 
+    #         unused_account_validity_days: 7, 
+    #       }, 
+    #       alias_attributes: [
+    #         "email", 
+    #       ], 
+    #       arn: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE", 
+    #       auto_verified_attributes: [
+    #         "email", 
+    #       ], 
+    #       creation_date: Time.parse(1689721665.239), 
+    #       deletion_protection: "ACTIVE", 
+    #       device_configuration: {
+    #         challenge_required_on_new_device: true, 
+    #         device_only_remembered_on_user_prompt: true, 
+    #       }, 
+    #       email_configuration: {
+    #         configuration_set: "my-test-ses-configuration-set", 
+    #         email_sending_account: "DEVELOPER", 
+    #         from: "support@example.com", 
+    #         reply_to_email_address: "support@example.com", 
+    #         source_arn: "arn:aws:ses:us-east-1:123456789012:identity/support@example.com", 
+    #       }, 
+    #       email_verification_message: "Your verification code is {####}.", 
+    #       email_verification_subject: "Verify your email address", 
+    #       estimated_number_of_users: 0, 
+    #       id: "us-east-1_EXAMPLE", 
+    #       lambda_config: {
+    #         custom_email_sender: {
+    #           lambda_arn: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #           lambda_version: "V1_0", 
+    #         }, 
+    #         custom_message: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         custom_sms_sender: {
+    #           lambda_arn: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #           lambda_version: "V1_0", 
+    #         }, 
+    #         define_auth_challenge: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         kms_key_id: "arn:aws:kms:us-east-1:767671399759:key/4d43904c-8edf-4bb4-9fca-fb1a80e41cbe", 
+    #         post_authentication: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         post_confirmation: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         pre_authentication: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         pre_sign_up: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         pre_token_generation: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         user_migration: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #         verify_auth_challenge_response: "arn:aws:lambda:us-east-1:123456789012:function:MyFunction", 
+    #       }, 
+    #       last_modified_date: Time.parse(1689721665.239), 
+    #       mfa_configuration: "OPTIONAL", 
+    #       name: "my-test-user-pool", 
+    #       policies: {
+    #         password_policy: {
+    #           minimum_length: 6, 
+    #           require_lowercase: true, 
+    #           require_numbers: true, 
+    #           require_symbols: true, 
+    #           require_uppercase: true, 
+    #           temporary_password_validity_days: 7, 
+    #         }, 
+    #       }, 
+    #       schema_attributes: [
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: false, 
+    #           name: "sub", 
+    #           required: true, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "1", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "name", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "given_name", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "family_name", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "middle_name", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "nickname", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "preferred_username", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "profile", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "picture", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "website", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "email", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "Boolean", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "email_verified", 
+    #           required: false, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "gender", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "birthdate", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "10", 
+    #             min_length: "10", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "zoneinfo", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "locale", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "phone_number", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "Boolean", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "phone_number_verifie", 
+    #           required: false, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "String", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "address", 
+    #           required: false, 
+    #           string_attribute_constraints: {
+    #             max_length: "2048", 
+    #             min_length: "0", 
+    #           }, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "Number", 
+    #           developer_only_attribute: false, 
+    #           mutable: true, 
+    #           name: "updated_at", 
+    #           number_attribute_constraints: {
+    #             min_value: "0", 
+    #           }, 
+    #           required: false, 
+    #         }, 
+    #         {
+    #           attribute_data_type: "Number", 
+    #           developer_only_attribute: true, 
+    #           mutable: true, 
+    #           name: "dev:custom:mydev", 
+    #           number_attribute_constraints: {
+    #             max_value: "99", 
+    #             min_value: "1", 
+    #           }, 
+    #           required: false, 
+    #         }, 
+    #       ], 
+    #       sms_authentication_message: "Your verification code is {####}.", 
+    #       sms_configuration: {
+    #         external_id: "my-role-external-id", 
+    #         sns_caller_arn: "arn:aws:iam::123456789012:role/service-role/test-cognito-SMS-Role", 
+    #         sns_region: "us-east-1", 
+    #       }, 
+    #       sms_verification_message: "Your verification code is {####}.", 
+    #       user_attribute_update_settings: {
+    #         attributes_require_verification_before_update: [
+    #           "email", 
+    #         ], 
+    #       }, 
+    #       user_pool_add_ons: {
+    #         advanced_security_mode: "OFF", 
+    #       }, 
+    #       user_pool_tags: {
+    #         "my-test-tag-key" => "my-test-tag-value", 
+    #       }, 
+    #       username_configuration: {
+    #         case_sensitive: true, 
+    #       }, 
+    #       verification_message_template: {
+    #         default_email_option: "CONFIRM_WITH_CODE", 
+    #         email_message: "Your confirmation code is {####}", 
+    #         email_message_by_link: "Choose this link to {##verify your email##}", 
+    #         email_subject: "Here is your confirmation code", 
+    #         email_subject_by_link: "Here is your confirmation link", 
+    #         sms_message: "Your confirmation code is {####}", 
+    #       }, 
+    #     }, 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_user_pool({
@@ -3385,9 +4539,27 @@ module Aws::CognitoIdentityProvider
     # automatically activated. For more information about revoking tokens,
     # see [RevokeToken][1].
     #
+    # If you don't provide a value for an attribute, Amazon Cognito sets it
+    # to its default value.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][2]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][3]
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to create a user
@@ -3444,7 +4616,7 @@ module Aws::CognitoIdentityProvider
     #   `TokenValidityUnits` as `hours`, your user can authenticate their
     #   session with their ID token for 10 hours.
     #
-    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   The default time unit for `IdTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
     #
     #   If you don't specify otherwise in the configuration of your app
@@ -3593,8 +4765,26 @@ module Aws::CognitoIdentityProvider
     #   created in Resource Servers are also supported.
     #
     # @option params [Boolean] :allowed_o_auth_flows_user_pool_client
-    #   Set to true if the client is allowed to follow the OAuth protocol when
-    #   interacting with Amazon Cognito user pools.
+    #   Set to `true` to use OAuth 2.0 features in your user pool app client.
+    #
+    #   `AllowedOAuthFlowsUserPoolClient` must be `true` before you can
+    #   configure the following features in your app client.
+    #
+    #   * `CallBackURLs`: Callback URLs.
+    #
+    #   * `LogoutURLs`: Sign-out redirect URLs.
+    #
+    #   * `AllowedOAuthScopes`: OAuth 2.0 scopes.
+    #
+    #   * `AllowedOAuthFlows`: Support for authorization code, implicit, and
+    #     client credentials OAuth 2.0 grants.
+    #
+    #   To use OAuth 2.0 features, configure one of these features in the
+    #   Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to
+    #   `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API
+    #   request. If you don't set a value for
+    #   `AllowedOAuthFlowsUserPoolClient` in a request with the CLI or SDKs,
+    #   it defaults to `false`.
     #
     # @option params [Types::AnalyticsConfigurationType] :analytics_configuration
     #   The user pool analytics configuration for collecting metrics and
@@ -3660,6 +4850,134 @@ module Aws::CognitoIdentityProvider
     #
     #   * {Types::CreateUserPoolClientResponse#user_pool_client #user_pool_client} => Types::UserPoolClientType
     #
+    #
+    # @example Example: Example user pool app client with email and username sign-in
+    #
+    #   # The following example creates an app client with all configurable properties set to an example value. The resulting user
+    #   # pool client connects to an analytics client, allows sign-in with username and password, and has two external identity
+    #   # providers associated with it.
+    #
+    #   resp = client.create_user_pool_client({
+    #     access_token_validity: 6, 
+    #     allowed_o_auth_flows: [
+    #       "code", 
+    #     ], 
+    #     allowed_o_auth_flows_user_pool_client: true, 
+    #     allowed_o_auth_scopes: [
+    #       "aws.cognito.signin.user.admin", 
+    #       "openid", 
+    #     ], 
+    #     analytics_configuration: {
+    #       application_id: "d70b2ba36a8c4dc5a04a0451a31a1e12", 
+    #       external_id: "my-external-id", 
+    #       role_arn: "arn:aws:iam::123456789012:role/test-cognitouserpool-role", 
+    #       user_data_shared: true, 
+    #     }, 
+    #     callback_urls: [
+    #       "https://example.com", 
+    #       "http://localhost", 
+    #       "myapp://example", 
+    #     ], 
+    #     client_name: "my-test-app-client", 
+    #     default_redirect_uri: "https://example.com", 
+    #     explicit_auth_flows: [
+    #       "ALLOW_ADMIN_USER_PASSWORD_AUTH", 
+    #       "ALLOW_USER_PASSWORD_AUTH", 
+    #       "ALLOW_REFRESH_TOKEN_AUTH", 
+    #     ], 
+    #     generate_secret: true, 
+    #     id_token_validity: 6, 
+    #     logout_urls: [
+    #       "https://example.com/logout", 
+    #     ], 
+    #     prevent_user_existence_errors: "ENABLED", 
+    #     read_attributes: [
+    #       "email", 
+    #       "address", 
+    #       "preferred_username", 
+    #     ], 
+    #     refresh_token_validity: 6, 
+    #     supported_identity_providers: [
+    #       "SignInWithApple", 
+    #       "MySSO", 
+    #     ], 
+    #     token_validity_units: {
+    #       access_token: "hours", 
+    #       id_token: "minutes", 
+    #       refresh_token: "days", 
+    #     }, 
+    #     user_pool_id: "us-east-1_EXAMPLE", 
+    #     write_attributes: [
+    #       "family_name", 
+    #       "email", 
+    #     ], 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     user_pool_client: {
+    #       access_token_validity: 6, 
+    #       allowed_o_auth_flows: [
+    #         "code", 
+    #       ], 
+    #       allowed_o_auth_flows_user_pool_client: true, 
+    #       allowed_o_auth_scopes: [
+    #         "aws.cognito.signin.user.admin", 
+    #         "openid", 
+    #       ], 
+    #       analytics_configuration: {
+    #         application_id: "d70b2ba36a8c4dc5a04a0451a31a1e12", 
+    #         external_id: "my-external-id", 
+    #         role_arn: "arn:aws:iam::123456789012:role/test-cognitouserpool-role", 
+    #         user_data_shared: true, 
+    #       }, 
+    #       auth_session_validity: 3, 
+    #       callback_urls: [
+    #         "https://example.com", 
+    #         "http://localhost", 
+    #         "myapp://example", 
+    #       ], 
+    #       client_id: "26cb2c60kq7nbmas7rbme9b6pp", 
+    #       client_name: "my-test-app-client", 
+    #       client_secret: "13ka4h7u28d9oo44tqpq9djqsfvhvu8rk4d2ighvpu0k8fj1c2r9", 
+    #       creation_date: Time.parse(1689885426.107), 
+    #       default_redirect_uri: "https://example.com", 
+    #       enable_propagate_additional_user_context_data: false, 
+    #       enable_token_revocation: true, 
+    #       explicit_auth_flows: [
+    #         "ALLOW_USER_PASSWORD_AUTH", 
+    #         "ALLOW_ADMIN_USER_PASSWORD_AUTH", 
+    #         "ALLOW_REFRESH_TOKEN_AUTH", 
+    #       ], 
+    #       id_token_validity: 6, 
+    #       last_modified_date: Time.parse(1689885426.107), 
+    #       logout_urls: [
+    #         "https://example.com/logout", 
+    #       ], 
+    #       prevent_user_existence_errors: "ENABLED", 
+    #       read_attributes: [
+    #         "address", 
+    #         "preferred_username", 
+    #         "email", 
+    #       ], 
+    #       refresh_token_validity: 6, 
+    #       supported_identity_providers: [
+    #         "SignInWithApple", 
+    #         "MySSO", 
+    #       ], 
+    #       token_validity_units: {
+    #         access_token: "hours", 
+    #         id_token: "minutes", 
+    #         refresh_token: "days", 
+    #       }, 
+    #       user_pool_id: "us-east-1_EXAMPLE", 
+    #       write_attributes: [
+    #         "family_name", 
+    #         "email", 
+    #       ], 
+    #     }, 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_user_pool_client({
@@ -3750,6 +5068,24 @@ module Aws::CognitoIdentityProvider
 
     # Creates a new domain for a user pool.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :domain
     #   The domain string. For custom domains, this is the fully-qualified
     #   domain name, such as `auth.example.com`. For Amazon Cognito prefix
@@ -3880,7 +5216,20 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Allows a user to delete himself or herself.
+    # Allows a user to delete their own user profile.
+    #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose user
@@ -3905,6 +5254,19 @@ module Aws::CognitoIdentityProvider
 
     # Deletes the attributes for a user.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, Array<String>] :user_attribute_names
     #   An array of strings representing the user attribute names you want to
     #   delete.
@@ -4197,6 +5559,24 @@ module Aws::CognitoIdentityProvider
     # Returns the configuration information and metadata of the specified
     # user pool.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool you want to describe.
     #
@@ -4309,6 +5689,24 @@ module Aws::CognitoIdentityProvider
     # Client method for returning the configuration information and metadata
     # of the specified user pool app client.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool you want to describe.
     #
@@ -4416,6 +5814,19 @@ module Aws::CognitoIdentityProvider
 
     # Forgets the specified device.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
     #   registered device you want to forget.
@@ -4447,15 +5858,28 @@ module Aws::CognitoIdentityProvider
     # method used to send the confirmation code is sent according to the
     # specified AccountRecoverySetting. For more information, see
     # [Recovering User Accounts][1] in the *Amazon Cognito Developer Guide*.
-    # If neither a verified phone number nor a verified email exists, an
-    # `InvalidParameterException` is thrown. To use the confirmation code
-    # for resetting the password, call [ConfirmForgotPassword][2].
+    # To use the confirmation code for resetting the password, call
+    # [ConfirmForgotPassword][2].
+    #
+    # If neither a verified phone number nor a verified email exists, this
+    # API returns `InvalidParameterException`. If your app client has a
+    # client secret and you don't provide a `SECRET_HASH` parameter, this
+    # API returns `NotAuthorizedException`.
+    #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][3].
+    #
+    #  </note>
     #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][3]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][4]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -4467,7 +5891,7 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][4] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][5] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
@@ -4476,8 +5900,9 @@ module Aws::CognitoIdentityProvider
     #
     # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html
     # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html
-    # [3]: https://console.aws.amazon.com/pinpoint/home/
-    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [4]: https://console.aws.amazon.com/pinpoint/home/
+    # [5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :client_id
     #   The ID of the client associated with the user pool.
@@ -4611,6 +6036,19 @@ module Aws::CognitoIdentityProvider
 
     # Gets the device.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :device_key
     #   The device key.
     #
@@ -4730,6 +6168,39 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
+    # Gets the detailed activity logging configuration for a user pool.
+    #
+    # @option params [required, String] :user_pool_id
+    #   The ID of the user pool where you want to view detailed activity
+    #   logging configuration.
+    #
+    # @return [Types::GetLogDeliveryConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetLogDeliveryConfigurationResponse#log_delivery_configuration #log_delivery_configuration} => Types::LogDeliveryConfigurationType
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_log_delivery_configuration({
+    #     user_pool_id: "UserPoolIdType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.log_delivery_configuration.user_pool_id #=> String
+    #   resp.log_delivery_configuration.log_configurations #=> Array
+    #   resp.log_delivery_configuration.log_configurations[0].log_level #=> String, one of "ERROR"
+    #   resp.log_delivery_configuration.log_configurations[0].event_source #=> String, one of "userNotification"
+    #   resp.log_delivery_configuration.log_configurations[0].cloud_watch_logs_configuration.log_group_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfiguration AWS API Documentation
+    #
+    # @overload get_log_delivery_configuration(params = {})
+    # @param [Hash] params ({})
+    def get_log_delivery_configuration(params = {}, options = {})
+      req = build_request(:get_log_delivery_configuration, params)
+      req.send_request(options)
+    end
+
     # This method takes a user pool ID, and returns the signing certificate.
     # The issued certificate is valid for 10 years from the date of issue.
     #
@@ -4809,6 +6280,19 @@ module Aws::CognitoIdentityProvider
 
     # Gets the user attributes and metadata for a user.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :access_token
     #   A non-expired access token for the user whose information you want to
     #   query.
@@ -4853,11 +6337,20 @@ module Aws::CognitoIdentityProvider
     # attribute name. Sends a message to a user with a code that they must
     # return in a VerifyUserAttribute request.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -4869,15 +6362,16 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
     #
     #
     #
-    # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [2]: https://console.aws.amazon.com/pinpoint/home/
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :access_token
     #   A non-expired access token for the user whose attribute verification
@@ -4988,10 +6482,28 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Signs out users from all devices. It also invalidates all refresh
-    # tokens that Amazon Cognito has issued to a user. A user can still use
-    # a hosted UI cookie to retrieve new tokens for the duration of the
-    # 1-hour cookie validity period.
+    # Signs out a user from all devices. `GlobalSignOut` invalidates all
+    # identity, access and refresh tokens that Amazon Cognito has issued to
+    # a user. A user can still use a hosted UI cookie to retrieve new tokens
+    # for the duration of the 1-hour cookie validity period.
+    #
+    # Your app isn't aware that a user's access token is revoked unless it
+    # attempts to authorize a user pools API request with an access token
+    # that contains the scope `aws.cognito.signin.user.admin`. Your app
+    # might otherwise accept access tokens until they expire.
+    #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user who you
@@ -5019,11 +6531,20 @@ module Aws::CognitoIdentityProvider
     # more information, see [ Adding user pool sign-in through a third
     # party][1].
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][2].
+    #
+    #  </note>
+    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][3]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -5035,7 +6556,7 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][4] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
@@ -5043,8 +6564,9 @@ module Aws::CognitoIdentityProvider
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html
-    # [2]: https://console.aws.amazon.com/pinpoint/home/
-    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [3]: https://console.aws.amazon.com/pinpoint/home/
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :auth_flow
     #   The authentication flow for this call to run. The API action will
@@ -5086,6 +6608,10 @@ module Aws::CognitoIdentityProvider
     #     `SECRET_HASH` (required if the app client is configured with a
     #     client secret), `DEVICE_KEY`.
     #
+    #   * For `USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD`
+    #     (required), `SECRET_HASH` (required if the app client is configured
+    #     with a client secret), `DEVICE_KEY`.
+    #
     #   * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required),
     #     `SECRET_HASH` (required if the app client is configured with a
     #     client secret), `DEVICE_KEY`.
@@ -5095,6 +6621,15 @@ module Aws::CognitoIdentityProvider
     #     authentication flow with password verification, include
     #     `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
     #
+    #   For more information about `SECRET_HASH`, see [Computing secret hash
+    #   values][1]. For information about `DEVICE_KEY`, see [Working with user
+    #   devices in your user pool][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    #
     # @option params [Hash<String,String>] :client_metadata
     #   A map of custom key-value pairs that you can provide as input for
     #   certain custom workflows that this action triggers.
@@ -5178,6 +6713,42 @@ module Aws::CognitoIdentityProvider
     #   * {Types::InitiateAuthResponse#challenge_parameters #challenge_parameters} => Hash&lt;String,String&gt;
     #   * {Types::InitiateAuthResponse#authentication_result #authentication_result} => Types::AuthenticationResultType
     #
+    #
+    # @example Example: Example username and password sign-in for a user who has TOTP MFA
+    #
+    #   # The following example signs in the user mytestuser with analytics data, client metadata, and user context data for
+    #   # advanced security.
+    #
+    #   resp = client.initiate_auth({
+    #     analytics_metadata: {
+    #       analytics_endpoint_id: "d70b2ba36a8c4dc5a04a0451a31a1e12", 
+    #     }, 
+    #     auth_flow: "USER_PASSWORD_AUTH", 
+    #     auth_parameters: {
+    #       "PASSWORD" => "This-is-my-test-99!", 
+    #       "SECRET_HASH" => "oT5ZkS8ctnrhYeeGsGTvOzPhoc/Jd1cO5fueBWFVmp8=", 
+    #       "USERNAME" => "mytestuser", 
+    #     }, 
+    #     client_id: "1example23456789", 
+    #     client_metadata: {
+    #       "MyTestKey" => "MyTestValue", 
+    #     }, 
+    #     user_context_data: {
+    #       encoded_data: "AmazonCognitoAdvancedSecurityData_object", 
+    #       ip_address: "192.0.2.1", 
+    #     }, 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     challenge_name: "SOFTWARE_TOKEN_MFA", 
+    #     challenge_parameters: {
+    #       "FRIENDLY_DEVICE_NAME" => "mytestauthenticator", 
+    #       "USER_ID_FOR_SRP" => "mytestuser", 
+    #     }, 
+    #     session: "AYABeC1-y8qooiuysEv0uM4wAqQAHQABAAdTZXJ2aWNlABBDb2duaXRvVXNlclBvb2xzAAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLXdlc3QtMjowMTU3MzY3MjcxOTg6a2V5LzI5OTFhNGE5LTM5YTAtNDQ0Mi04MWU4LWRkYjY4NTllMTg2MQC4AQIBAHhjxv5lVLhE2_WNrC1zuomqn08qDUUp3z9v4EGAjazZ-wGP3HuBF5Izvxf-9WkCT5uyAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMeQoT5e6Dpfh52caqAgEQgDvuL8uLMhPt0WmQpZnkNED1gob6xbqt5LaQo_H4L5CuT4Kj499dGCoZ1q1trmlZSRgRm0wwGGG8lFU37QIAAAAADAAAEAAAAAAAAAAAAAAAAADuLe9_UJ4oZAMsQYr0ntiT_____wAAAAEAAAAAAAAAAAAAAAEAAADnLDGmKBQtsCafNokRmPLgl2itBKuKR2dfZBQb5ucCYkzThM5HOfQUSEL-A3dZzfYDC0IODsrcMkrbeeVyMJk-FCzsxS9Og8BEBVnvi9WjZkPJ4mF0YS6FUXnoPSBV5oUqGzRaT-tJ169SUFZAUfFM1fGeJ8T57-QdCxjyISRCWV1VG5_7TiCioyRGfWwzNVWh7exJortF3ccfOyiEyxeqJ2VJvJq3m_w8NP24_PMDpktpRMKftObIMlD5ewRTNCdrUXQ1BW5KIxhJLGjYfRzJDZuKzmEgS-VHsKz0z76w-AlAgdfvdAjflLnsgduU5kUX4YP6jqnetg", 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.initiate_auth({
@@ -5224,6 +6795,19 @@ module Aws::CognitoIdentityProvider
     # Lists the sign-in devices that Amazon Cognito has registered to the
     # current user.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose list
     #   of devices you want to view.
@@ -5270,7 +6854,23 @@ module Aws::CognitoIdentityProvider
 
     # Lists the groups associated with a user pool.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -5321,6 +6921,24 @@ module Aws::CognitoIdentityProvider
 
     # Lists information about all IdPs for a user pool.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
     #
@@ -5365,6 +6983,24 @@ module Aws::CognitoIdentityProvider
 
     # Lists the resource servers for a user pool.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
     #
@@ -5445,7 +7081,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Lists the user import jobs.
+    # Lists user import jobs for a user pool.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool that the users are being imported
@@ -5501,6 +7155,24 @@ module Aws::CognitoIdentityProvider
 
     # Lists the clients that have been created for the specified user pool.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to list user pool
     #   clients.
@@ -5548,6 +7220,24 @@ module Aws::CognitoIdentityProvider
 
     # Lists the user pools associated with an Amazon Web Services account.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [String] :next_token
     #   An identifier that was returned from the previous call to this
     #   operation, which can be used to return the next set of items in the
@@ -5605,16 +7295,35 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Lists the users in the Amazon Cognito user pool.
+    # Lists users and their basic details in a user pool.
+    #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool on which the search should be
     #   performed.
     #
     # @option params [Array<String>] :attributes_to_get
-    #   An array of strings, where each string is the name of a user attribute
-    #   to be returned for each user in the search results. If the array is
-    #   null, all attributes are returned.
+    #   A JSON array of user attribute names, for example `given_name`, that
+    #   you want Amazon Cognito to include in the response for each user. When
+    #   you don't provide an `AttributesToGet` parameter, Amazon Cognito
+    #   returns all attributes for each user.
     #
     # @option params [Integer] :limit
     #   Maximum number of users to be returned.
@@ -5700,6 +7409,155 @@ module Aws::CognitoIdentityProvider
     #
     # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
     #
+    #
+    # @example Example: A ListUsers request for the next 3 users whose email address starts with "testuser."
+    #
+    #   # This request submits a value for all possible parameters for ListUsers. By iterating the PaginationToken, you can page
+    #   # through and collect all users in a user pool.
+    #
+    #   resp = client.list_users({
+    #     attributes_to_get: [
+    #       "email", 
+    #       "sub", 
+    #     ], 
+    #     filter: "\"email\"^=\"testuser\"", 
+    #     limit: 3, 
+    #     pagination_token: "abcd1234EXAMPLE", 
+    #     user_pool_id: "us-east-1_EXAMPLE", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     pagination_token: "efgh5678EXAMPLE", 
+    #     users: [
+    #       {
+    #         attributes: [
+    #           {
+    #             name: "sub", 
+    #             value: "eaad0219-2117-439f-8d46-4db20e59268f", 
+    #           }, 
+    #           {
+    #             name: "email", 
+    #             value: "testuser@example.com", 
+    #           }, 
+    #         ], 
+    #         enabled: true, 
+    #         user_create_date: Time.parse(1682955829.578), 
+    #         user_last_modified_date: Time.parse(1689030181.63), 
+    #         user_status: "CONFIRMED", 
+    #         username: "testuser", 
+    #       }, 
+    #       {
+    #         attributes: [
+    #           {
+    #             name: "sub", 
+    #             value: "3b994cfd-0b07-4581-be46-3c82f9a70c90", 
+    #           }, 
+    #           {
+    #             name: "email", 
+    #             value: "testuser2@example.com", 
+    #           }, 
+    #         ], 
+    #         enabled: true, 
+    #         user_create_date: Time.parse(1684427979.201), 
+    #         user_last_modified_date: Time.parse(1684427979.201), 
+    #         user_status: "UNCONFIRMED", 
+    #         username: "testuser2", 
+    #       }, 
+    #       {
+    #         attributes: [
+    #           {
+    #             name: "sub", 
+    #             value: "5929e0d1-4c34-42d1-9b79-a5ecacfe66f7", 
+    #           }, 
+    #           {
+    #             name: "email", 
+    #             value: "testuser3@example.com", 
+    #           }, 
+    #         ], 
+    #         enabled: true, 
+    #         user_create_date: Time.parse(1684427823.641), 
+    #         user_last_modified_date: Time.parse(1684427823.641), 
+    #         user_status: "UNCONFIRMED", 
+    #         username: "testuser3@example.com", 
+    #       }, 
+    #     ], 
+    #   }
+    #
+    # @example Example: A ListUsers request for the next 3 users whose email address starts with "testuser."
+    #
+    #   # This request submits a value for all possible parameters for ListUsers. By iterating the PaginationToken, you can page
+    #   # through and collect all users in a user pool.
+    #
+    #   resp = client.list_users({
+    #     attributes_to_get: [
+    #       "email", 
+    #       "sub", 
+    #     ], 
+    #     filter: "\"email\"^=\"testuser\"", 
+    #     limit: 3, 
+    #     pagination_token: "abcd1234EXAMPLE", 
+    #     user_pool_id: "us-east-1_EXAMPLE", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     pagination_token: "efgh5678EXAMPLE", 
+    #     users: [
+    #       {
+    #         attributes: [
+    #           {
+    #             name: "sub", 
+    #             value: "eaad0219-2117-439f-8d46-4db20e59268f", 
+    #           }, 
+    #           {
+    #             name: "email", 
+    #             value: "testuser@example.com", 
+    #           }, 
+    #         ], 
+    #         enabled: true, 
+    #         user_create_date: Time.parse(1682955829.578), 
+    #         user_last_modified_date: Time.parse(1689030181.63), 
+    #         user_status: "CONFIRMED", 
+    #         username: "testuser", 
+    #       }, 
+    #       {
+    #         attributes: [
+    #           {
+    #             name: "sub", 
+    #             value: "3b994cfd-0b07-4581-be46-3c82f9a70c90", 
+    #           }, 
+    #           {
+    #             name: "email", 
+    #             value: "testuser2@example.com", 
+    #           }, 
+    #         ], 
+    #         enabled: true, 
+    #         user_create_date: Time.parse(1684427979.201), 
+    #         user_last_modified_date: Time.parse(1684427979.201), 
+    #         user_status: "UNCONFIRMED", 
+    #         username: "testuser2", 
+    #       }, 
+    #       {
+    #         attributes: [
+    #           {
+    #             name: "sub", 
+    #             value: "5929e0d1-4c34-42d1-9b79-a5ecacfe66f7", 
+    #           }, 
+    #           {
+    #             name: "email", 
+    #             value: "testuser3@example.com", 
+    #           }, 
+    #         ], 
+    #         enabled: true, 
+    #         user_create_date: Time.parse(1684427823.641), 
+    #         user_last_modified_date: Time.parse(1684427823.641), 
+    #         user_status: "UNCONFIRMED", 
+    #         username: "testuser3@example.com", 
+    #       }, 
+    #     ], 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.list_users({
@@ -5737,7 +7595,23 @@ module Aws::CognitoIdentityProvider
 
     # Lists the users in the specified group.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -5797,11 +7671,20 @@ module Aws::CognitoIdentityProvider
     # Resends the confirmation (for confirmation of registration) to a
     # specific user in the user pool.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -5813,15 +7696,16 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
     #
     #
     #
-    # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [2]: https://console.aws.amazon.com/pinpoint/home/
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :client_id
     #   The ID of the client associated with the user pool.
@@ -5922,11 +7806,20 @@ module Aws::CognitoIdentityProvider
 
     # Responds to the authentication challenge.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -5938,15 +7831,16 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
     #
     #
     #
-    # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [2]: https://console.aws.amazon.com/pinpoint/home/
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :client_id
     #   The app client ID.
@@ -6015,6 +7909,15 @@ module Aws::CognitoIdentityProvider
     #   * `MFA_SETUP` requires `USERNAME`, plus you must use the session value
     #     returned by `VerifySoftwareToken` in the `Session` parameter.
     #
+    #   For more information about `SECRET_HASH`, see [Computing secret hash
+    #   values][1]. For information about `DEVICE_KEY`, see [Working with user
+    #   devices in your user pool][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    #
     # @option params [Types::AnalyticsMetadataType] :analytics_metadata
     #   The Amazon Pinpoint analytics metadata that contributes to your
     #   metrics for `RespondToAuthChallenge` calls.
@@ -6121,6 +8024,19 @@ module Aws::CognitoIdentityProvider
     # use the revoked token to access Amazon Cognito user APIs, or to
     # authorize access to your resource server.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :token
     #   The refresh token that you want to revoke.
     #
@@ -6150,6 +8066,53 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
+    # Sets up or modifies the detailed activity logging configuration of a
+    # user pool.
+    #
+    # @option params [required, String] :user_pool_id
+    #   The ID of the user pool where you want to configure detailed activity
+    #   logging .
+    #
+    # @option params [required, Array<Types::LogConfigurationType>] :log_configurations
+    #   A collection of all of the detailed activity logging configurations
+    #   for a user pool.
+    #
+    # @return [Types::SetLogDeliveryConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::SetLogDeliveryConfigurationResponse#log_delivery_configuration #log_delivery_configuration} => Types::LogDeliveryConfigurationType
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.set_log_delivery_configuration({
+    #     user_pool_id: "UserPoolIdType", # required
+    #     log_configurations: [ # required
+    #       {
+    #         log_level: "ERROR", # required, accepts ERROR
+    #         event_source: "userNotification", # required, accepts userNotification
+    #         cloud_watch_logs_configuration: {
+    #           log_group_arn: "ArnType",
+    #         },
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.log_delivery_configuration.user_pool_id #=> String
+    #   resp.log_delivery_configuration.log_configurations #=> Array
+    #   resp.log_delivery_configuration.log_configurations[0].log_level #=> String, one of "ERROR"
+    #   resp.log_delivery_configuration.log_configurations[0].event_source #=> String, one of "userNotification"
+    #   resp.log_delivery_configuration.log_configurations[0].cloud_watch_logs_configuration.log_group_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetLogDeliveryConfiguration AWS API Documentation
+    #
+    # @overload set_log_delivery_configuration(params = {})
+    # @param [Hash] params ({})
+    def set_log_delivery_configuration(params = {}, options = {})
+      req = build_request(:set_log_delivery_configuration, params)
+      req.send_request(options)
+    end
+
     # Configures actions on detected risks. To delete the risk configuration
     # for `UserPoolId` or `ClientId`, pass null values for all four
     # configuration types.
@@ -6347,6 +8310,19 @@ module Aws::CognitoIdentityProvider
     # based on the assessed risk level of sign-in attempts, deactivate MFA
     # for users and turn on Adaptive Authentication for the user pool.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [Types::SMSMfaSettingsType] :sms_mfa_settings
     #   The SMS text message multi-factor authentication (MFA) settings.
     #
@@ -6408,7 +8384,7 @@ module Aws::CognitoIdentityProvider
     #
     #
     # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -6483,9 +8459,19 @@ module Aws::CognitoIdentityProvider
     # (TOTP) software token MFA. To configure either type of MFA, use
     # [SetUserMFAPreference][1] instead.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][2].
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose user
@@ -6521,11 +8507,20 @@ module Aws::CognitoIdentityProvider
     # Registers the user in the specified user pool and creates a user name,
     # password, and user attributes.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -6537,15 +8532,16 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
     #
     #
     #
-    # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [2]: https://console.aws.amazon.com/pinpoint/home/
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :client_id
     #   The ID of the client associated with the user pool.
@@ -6841,6 +8837,19 @@ module Aws::CognitoIdentityProvider
     # evaluation decision for the user pool as part of Amazon Cognito
     # advanced security.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
     #
@@ -6854,7 +8863,12 @@ module Aws::CognitoIdentityProvider
     #   The feedback token.
     #
     # @option params [required, String] :feedback_value
-    #   The authentication event feedback value.
+    #   The authentication event feedback value. When you provide a
+    #   `FeedbackValue` value of `valid`, you tell Amazon Cognito that you
+    #   trust a user session where Amazon Cognito has evaluated some level of
+    #   risk. When you provide a `FeedbackValue` value of `invalid`, you tell
+    #   Amazon Cognito that you don't trust a user session, or you don't
+    #   believe that Amazon Cognito evaluated a high-enough risk level.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -6879,6 +8893,19 @@ module Aws::CognitoIdentityProvider
 
     # Updates the device status.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
     #   device status you want to update.
@@ -6910,7 +8937,23 @@ module Aws::CognitoIdentityProvider
 
     # Updates the specified group with the specified attributes.
     #
-    # Calling this action requires developer credentials.
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :group_name
     #   The name of the group.
@@ -6969,6 +9012,24 @@ module Aws::CognitoIdentityProvider
 
     # Updates IdP information for a user pool.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
     #
@@ -7032,6 +9093,24 @@ module Aws::CognitoIdentityProvider
     # If you don't provide a value for an attribute, it is set to the
     # default value.
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][1]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
     #
@@ -7082,11 +9161,20 @@ module Aws::CognitoIdentityProvider
 
     # Allows a user to update a specific attribute (one at a time).
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -7098,15 +9186,16 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
     #
     #
     #
-    # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [2]: https://console.aws.amazon.com/pinpoint/home/
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, Array<Types::AttributeType>] :user_attributes
     #   An array of name-value pairs representing user attributes.
@@ -7196,16 +9285,11 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Updates the specified user pool with the specified attributes. You can
-    # get a list of the current user pool settings using
-    # [DescribeUserPool][1]. If you don't provide a value for an attribute,
-    # it will be set to the default value.
-    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -7217,16 +9301,38 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
     #
+    # Updates the specified user pool with the specified attributes. You can
+    # get a list of the current user pool settings using
+    # [DescribeUserPool][3].
     #
+    # If you don't provide a value for an attribute, Amazon Cognito sets it
+    # to its default value.
     #
-    # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html
-    # [2]: https://console.aws.amazon.com/pinpoint/home/
-    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][4]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][5]
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://console.aws.amazon.com/pinpoint/home/
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool you want to update.
@@ -7346,8 +9452,17 @@ module Aws::CognitoIdentityProvider
     #   The configuration for `AdminCreateUser` requests.
     #
     # @option params [Types::UserPoolAddOnsType] :user_pool_add_ons
-    #   Enables advanced security risk detection. Set the key
-    #   `AdvancedSecurityMode` to the value "AUDIT".
+    #   User pool add-ons. Contains settings for activation of advanced
+    #   security features. To log user security information but take no
+    #   action, set to `AUDIT`. To configure automatic security responses to
+    #   risky traffic to your user pool, set to `ENFORCED`.
+    #
+    #   For more information, see [Adding advanced security to a user
+    #   pool][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
     #
     # @option params [Types::AccountRecoverySettingType] :account_recovery_setting
     #   The available verified method a user can use to recover their password
@@ -7468,17 +9583,32 @@ module Aws::CognitoIdentityProvider
     # attributes. You can get a list of the current user pool app client
     # settings using [DescribeUserPoolClient][1].
     #
-    # If you don't provide a value for an attribute, it will be set to the
-    # default value.
+    # If you don't provide a value for an attribute, Amazon Cognito sets it
+    # to its default value.
     #
     # You can also use this operation to enable token revocation for user
     # pool clients. For more information about revoking tokens, see
     # [RevokeToken][2].
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][3]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html
     # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to update the user
@@ -7534,16 +9664,16 @@ module Aws::CognitoIdentityProvider
     #   `TokenValidityUnits` as `hours`, your user can authenticate their
     #   session with their ID token for 10 hours.
     #
-    #   The default time unit for `AccessTokenValidity` in an API request is
+    #   The default time unit for `IdTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
     #
     #   If you don't specify otherwise in the configuration of your app
     #   client, your ID tokens are valid for one hour.
     #
     # @option params [Types::TokenValidityUnitsType] :token_validity_units
-    #   The units in which the validity times are represented. The default
-    #   unit for RefreshToken is days, and the default for ID and access
-    #   tokens is hours.
+    #   The time units you use when you set the duration of ID, access, and
+    #   refresh tokens. The default unit for RefreshToken is days, and the
+    #   default for ID and access tokens is hours.
     #
     # @option params [Array<String>] :read_attributes
     #   The read-only attributes of the user pool.
@@ -7670,8 +9800,26 @@ module Aws::CognitoIdentityProvider
     #   created in Resource Servers are also supported.
     #
     # @option params [Boolean] :allowed_o_auth_flows_user_pool_client
-    #   Set to true if the client is allowed to follow the OAuth protocol when
-    #   interacting with Amazon Cognito user pools.
+    #   Set to `true` to use OAuth 2.0 features in your user pool app client.
+    #
+    #   `AllowedOAuthFlowsUserPoolClient` must be `true` before you can
+    #   configure the following features in your app client.
+    #
+    #   * `CallBackURLs`: Callback URLs.
+    #
+    #   * `LogoutURLs`: Sign-out redirect URLs.
+    #
+    #   * `AllowedOAuthScopes`: OAuth 2.0 scopes.
+    #
+    #   * `AllowedOAuthFlows`: Support for authorization code, implicit, and
+    #     client credentials OAuth 2.0 grants.
+    #
+    #   To use OAuth 2.0 features, configure one of these features in the
+    #   Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to
+    #   `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API
+    #   request. If you don't set a value for
+    #   `AllowedOAuthFlowsUserPoolClient` in a request with the CLI or SDKs,
+    #   it defaults to `false`.
     #
     # @option params [Types::AnalyticsConfigurationType] :analytics_configuration
     #   The Amazon Pinpoint analytics configuration necessary to collect
@@ -7853,9 +10001,24 @@ module Aws::CognitoIdentityProvider
     # For more information about adding a custom domain to your user pool,
     # see [Using Your Own Domain for the Hosted UI][1].
     #
+    # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
+    # in requests for this API operation. For this operation, you must use
+    # IAM credentials to authorize requests, and you must grant yourself the
+    # corresponding IAM permission in a policy.
+    #
+    #  **Learn more**
+    #
+    #  * [Signing Amazon Web Services API Requests][2]
+    #
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][3]
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :domain
     #   The domain name for the custom domain that hosts the sign-up and
@@ -7907,6 +10070,19 @@ module Aws::CognitoIdentityProvider
     # "verified" if successful. The request takes an access token or a
     # session string, but not both.
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][1].
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    #
     # @option params [String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
     #   software token you want to verify.
@@ -7961,9 +10137,19 @@ module Aws::CognitoIdentityProvider
     # attribute to its pending value. For more information, see [
     # UserAttributeUpdateSettingsType][1].
     #
+    # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
+    # policies in requests for this API operation. For this operation, you
+    # can't use IAM credentials to authorize requests, and you can't grant
+    # IAM permissions in policies. For more information about authorization
+    # models in Amazon Cognito, see [Using the Amazon Cognito native and
+    # OIDC APIs][2].
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserAttributeUpdateSettingsType.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose user
@@ -8007,7 +10193,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.79.0'
+      context[:gem_version] = '1.81.0'
       Seahorse::Client::Request.new(handlers, context)
     end