aws-sdk-cognitoidentityprovider 1.97.0 → 1.107.0

@@ -762,7 +762,7 @@ module Aws::CognitoIdentityProvider
762
762
  #
763
763
  # @!attribute [rw] user_mfa_setting_list
764
764
  # The MFA options that are activated for the user. The possible values
765
- # in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
765
+ # in this list are `SMS_MFA`, `EMAIL_OTP`, and `SOFTWARE_TOKEN_MFA`.
766
766
  # @return [Array<String>]
767
767
  #
768
768
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetUserResponse AWS API Documentation
@@ -960,11 +960,15 @@ module Aws::CognitoIdentityProvider
960
960
  # to authenticate.
961
961
  #
962
962
  # * `SELECT_MFA_TYPE`: Selects the MFA type. Valid MFA options are
963
- # `SMS_MFA` for text SMS MFA, and `SOFTWARE_TOKEN_MFA` for
964
- # time-based one-time password (TOTP) software token MFA.
963
+ # `SMS_MFA` for SMS message MFA, `EMAIL_OTP` for email message MFA,
964
+ # and `SOFTWARE_TOKEN_MFA` for time-based one-time password (TOTP)
965
+ # software token MFA.
965
966
  #
966
- # * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`,
967
- # delivered via SMS.
967
+ # * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your
968
+ # user pool delivered in an SMS message.
969
+ #
970
+ # * `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that
971
+ # your user pool delivered in an email message.
968
972
  #
969
973
  # * `PASSWORD_VERIFIER`: Next challenge is to supply
970
974
  # `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and
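Review bot: The rewritten `SMS_MFA` bullet drops the space after the closing backtick, so the comment reads "`SMS_MFA_CODE`that your" and the code span runs into the next word in rendered YARD output. The line should end "to supply an `SMS_MFA_CODE` that your", matching the new `EMAIL_OTP` bullet directly below it. The same line is added again in the hunk at -5590/+5735. If this file is generated from the service model, the fix probably belongs in the model text rather than here. The comment block this list sits in starts and ends outside the hunk.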
@@ -1430,11 +1434,21 @@ module Aws::CognitoIdentityProvider
1430
1434
  # SMS\_MFA
1431
1435
  #
1432
1436
  # : `"ChallengeName": "SMS_MFA", "ChallengeResponses":
1433
- # \{"SMS_MFA_CODE": "[SMS_code]", "USERNAME": "[username]"\}`
1437
+ # \{"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"\}`
1438
+ #
1439
+ # EMAIL\_OTP
1440
+ #
1441
+ # : `"ChallengeName": "EMAIL_OTP", "ChallengeResponses":
1442
+ # \{"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"\}`
1434
1443
  #
1435
1444
  # PASSWORD\_VERIFIER
1436
1445
  #
1437
- # : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
1446
+ # : This challenge response is part of the SRP flow. Amazon Cognito
1447
+ # requires that your application respond to this challenge within a
1448
+ # few seconds. When the response time exceeds this period, your user
1449
+ # pool returns a `NotAuthorizedException` error.
1450
+ #
1451
+ # `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
1438
1452
  # \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
1439
1453
  # "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
1440
1454
  # [timestamp], "USERNAME": "[username]"\}`
@@ -1648,13 +1662,28 @@ module Aws::CognitoIdentityProvider
1648
1662
  end
1649
1663
 
1650
1664
  # @!attribute [rw] sms_mfa_settings
1651
- # The SMS text message MFA settings.
1665
+ # User preferences for SMS message MFA. Activates or deactivates SMS
1666
+ # MFA and sets it as the preferred MFA method when multiple methods
1667
+ # are available.
1652
1668
  # @return [Types::SMSMfaSettingsType]
1653
1669
  #
1654
1670
  # @!attribute [rw] software_token_mfa_settings
1655
- # The time-based one-time password software token MFA settings.
1671
+ # User preferences for time-based one-time password (TOTP) MFA.
1672
+ # Activates or deactivates TOTP MFA and sets it as the preferred MFA
1673
+ # method when multiple methods are available.
1656
1674
  # @return [Types::SoftwareTokenMfaSettingsType]
1657
1675
  #
1676
+ # @!attribute [rw] email_mfa_settings
1677
+ # User preferences for email message MFA. Activates or deactivates
1678
+ # email MFA and sets it as the preferred MFA method when multiple
1679
+ # methods are available. To activate this setting, [ advanced security
1680
+ # features][1] must be active in your user pool.
1681
+ #
1682
+ #
1683
+ #
1684
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
1685
+ # @return [Types::EmailMfaSettingsType]
1686
+ #
1658
1687
  # @!attribute [rw] username
1659
1688
  # The username of the user that you want to query or modify. The value
1660
1689
  # of this parameter is typically your user's username, but it can be
@@ -1664,7 +1693,8 @@ module Aws::CognitoIdentityProvider
1664
1693
  # @return [String]
1665
1694
  #
1666
1695
  # @!attribute [rw] user_pool_id
1667
- # The user pool ID.
1696
+ # The ID of the user pool where you want to set a user's MFA
1697
+ # preferences.
1668
1698
  # @return [String]
1669
1699
  #
1670
1700
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminSetUserMFAPreferenceRequest AWS API Documentation
@@ -1672,6 +1702,7 @@ module Aws::CognitoIdentityProvider
1672
1702
  class AdminSetUserMFAPreferenceRequest < Struct.new(
1673
1703
  :sms_mfa_settings,
1674
1704
  :software_token_mfa_settings,
1705
+ :email_mfa_settings,
1675
1706
  :username,
1676
1707
  :user_pool_id)
1677
1708
  SENSITIVE = [:username]
@@ -1961,6 +1992,27 @@ module Aws::CognitoIdentityProvider
1961
1992
  #
1962
1993
  class AdminUserGlobalSignOutResponse < Aws::EmptyStructure; end
1963
1994
 
1995
+ # Advanced security configuration options for additional authentication
1996
+ # types in your user pool, including custom authentication.
1997
+ #
1998
+ # @!attribute [rw] custom_auth_mode
1999
+ # The operating mode of advanced security features in custom
2000
+ # authentication with [ Custom authentication challenge Lambda
2001
+ # triggers][1].
2002
+ #
2003
+ #
2004
+ #
2005
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
2006
+ # @return [String]
2007
+ #
2008
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdvancedSecurityAdditionalFlowsType AWS API Documentation
2009
+ #
2010
+ class AdvancedSecurityAdditionalFlowsType < Struct.new(
2011
+ :custom_auth_mode)
2012
+ SENSITIVE = []
2013
+ include Aws::Structure
2014
+ end
2015
+
1964
2016
  # This exception is thrown when a user tries to confirm the account with
1965
2017
  # an email address or phone number that has already been supplied as an
1966
2018
  # alias for a different user profile. This exception indicates that an
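Review bot: The `custom_auth_mode` description in `AdvancedSecurityAdditionalFlowsType` never says which strings the attribute accepts or what each does. A reader cannot tell from this comment whether a mode only records risk for custom-authentication sign-ins or also acts on it. I would add a line such as `# Valid values are AUDIT (record risk only) and ENFORCED (apply the configured responses).` after the description. Those names come from the service API reference, so confirm them against the model for this version before committing the wording.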
@@ -2257,8 +2309,9 @@ module Aws::CognitoIdentityProvider
2257
2309
  #
2258
2310
  class ChangePasswordResponse < Aws::EmptyStructure; end
2259
2311
 
2260
- # The CloudWatch logging destination of a user pool detailed activity
2261
- # logging configuration.
2312
+ # Configuration for the CloudWatch log group destination of user pool
2313
+ # detailed activity logging, or of user activity log export with
2314
+ # advanced security features.
2262
2315
  #
2263
2316
  # @!attribute [rw] log_group_arn
2264
2317
  # The Amazon Resource Name (arn) of a CloudWatch Logs log group where
@@ -3093,20 +3146,21 @@ module Aws::CognitoIdentityProvider
3093
3146
  #
3094
3147
  # @!attribute [rw] read_attributes
3095
3148
  # The list of user attributes that you want your app client to have
3096
- # read-only access to. After your user authenticates in your app,
3097
- # their access token authorizes them to read their own attribute value
3098
- # for any attribute in this list. An example of this kind of activity
3099
- # is when your user selects a link to view their profile information.
3149
+ # read access to. After your user authenticates in your app, their
3150
+ # access token authorizes them to read their own attribute value for
3151
+ # any attribute in this list. An example of this kind of activity is
3152
+ # when your user selects a link to view their profile information.
3100
3153
  # Your app makes a [GetUser][1] API request to retrieve and display
3101
3154
  # your user's profile data.
3102
3155
  #
3103
3156
  # When you don't specify the `ReadAttributes` for your app client,
3104
3157
  # your app can read the values of `email_verified`,
3105
3158
  # `phone_number_verified`, and the Standard attributes of your user
3106
- # pool. When your user pool has read access to these default
3107
- # attributes, `ReadAttributes` doesn't return any information. Amazon
3108
- # Cognito only populates `ReadAttributes` in the API response if you
3109
- # have specified your own custom set of read attributes.
3159
+ # pool. When your user pool app client has read access to these
3160
+ # default attributes, `ReadAttributes` doesn't return any
3161
+ # information. Amazon Cognito only populates `ReadAttributes` in the
3162
+ # API response if you have specified your own custom set of read
3163
+ # attributes.
3110
3164
  #
3111
3165
  #
3112
3166
  #
@@ -3329,6 +3383,8 @@ module Aws::CognitoIdentityProvider
3329
3383
  #
3330
3384
  # * `LEGACY` - This represents the early behavior of Amazon Cognito
3331
3385
  # where user existence related errors aren't prevented.
3386
+ #
3387
+ # Defaults to `LEGACY` when you don't provide a value.
3332
3388
  # @return [String]
3333
3389
  #
3334
3390
  # @!attribute [rw] enable_token_revocation
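Review bot: The added sentence "Defaults to `LEGACY` when you don't provide a value" states the default without saying what it implies. The bullet directly above describes `LEGACY` as the behavior where user-existence errors aren't prevented, so an app client created without this attribute can reveal through its error responses whether a username exists. I would extend the comment with `# Set ENABLED explicitly when sign-in and recovery errors must not disclose whether a user exists.` The `@!attribute` line and the first bullet of this list are outside the hunk, so the wording should be checked against them.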
@@ -4479,6 +4535,66 @@ module Aws::CognitoIdentityProvider
4479
4535
  include Aws::Structure
4480
4536
  end
4481
4537
 
4538
+ # Sets or shows user pool email message configuration for MFA. Includes
4539
+ # the subject and body of the email message template for MFA messages.
4540
+ # To activate this setting, [ advanced security features][1] must be
4541
+ # active in your user pool.
4542
+ #
4543
+ #
4544
+ #
4545
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
4546
+ #
4547
+ # @!attribute [rw] message
4548
+ # The template for the email message that your user pool sends to
4549
+ # users with an MFA code. The message must contain the `\{####\}`
4550
+ # placeholder. In the message, Amazon Cognito replaces this
4551
+ # placeholder with the code. If you don't provide this parameter,
4552
+ # Amazon Cognito sends messages in the default format.
4553
+ # @return [String]
4554
+ #
4555
+ # @!attribute [rw] subject
4556
+ # The subject of the email message that your user pool sends to users
4557
+ # with an MFA code.
4558
+ # @return [String]
4559
+ #
4560
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/EmailMfaConfigType AWS API Documentation
4561
+ #
4562
+ class EmailMfaConfigType < Struct.new(
4563
+ :message,
4564
+ :subject)
4565
+ SENSITIVE = []
4566
+ include Aws::Structure
4567
+ end
4568
+
4569
+ # User preferences for multi-factor authentication with email messages.
4570
+ # Activates or deactivates email MFA and sets it as the preferred MFA
4571
+ # method when multiple methods are available. To activate this setting,
4572
+ # [ advanced security features][1] must be active in your user pool.
4573
+ #
4574
+ #
4575
+ #
4576
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
4577
+ #
4578
+ # @!attribute [rw] enabled
4579
+ # Specifies whether email message MFA is active for a user. When the
4580
+ # value of this parameter is `Enabled`, the user will be prompted for
4581
+ # MFA during all sign-in attempts, unless device tracking is turned on
4582
+ # and the device has been trusted.
4583
+ # @return [Boolean]
4584
+ #
4585
+ # @!attribute [rw] preferred_mfa
4586
+ # Specifies whether email message MFA is the user's preferred method.
4587
+ # @return [Boolean]
4588
+ #
4589
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/EmailMfaSettingsType AWS API Documentation
4590
+ #
4591
+ class EmailMfaSettingsType < Struct.new(
4592
+ :enabled,
4593
+ :preferred_mfa)
4594
+ SENSITIVE = []
4595
+ include Aws::Structure
4596
+ end
4597
+
4482
4598
  # This exception is thrown when there is a code mismatch and the service
4483
4599
  # fails to configure the software token TOTP multi-factor authentication
4484
4600
  # (MFA).
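Review bot: The `enabled` description in `EmailMfaSettingsType` says "When the value of this parameter is `Enabled`", but the attribute is documented as `@return [Boolean]`, so the value a caller sets is `true`, not a string. The line should read `# value of this parameter is true, the user will be prompted for`. In the same hunk, `EmailMfaConfigType#message` documents a fallback to the default format when the parameter is omitted, while `subject` documents none. A one-line comment stating what `subject` falls back to would make the two attributes consistent.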
@@ -4598,6 +4714,22 @@ module Aws::CognitoIdentityProvider
4598
4714
  include Aws::Structure
4599
4715
  end
4600
4716
 
4717
+ # Configuration for the Amazon Data Firehose stream destination of user
4718
+ # activity log export with advanced security features.
4719
+ #
4720
+ # @!attribute [rw] stream_arn
4721
+ # The ARN of an Amazon Data Firehose stream that's the destination
4722
+ # for advanced security features log export.
4723
+ # @return [String]
4724
+ #
4725
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/FirehoseConfigurationType AWS API Documentation
4726
+ #
4727
+ class FirehoseConfigurationType < Struct.new(
4728
+ :stream_arn)
4729
+ SENSITIVE = []
4730
+ include Aws::Structure
4731
+ end
4732
+
4601
4733
  # This exception is thrown when WAF doesn't allow your request based on
4602
4734
  # a web ACL that's associated with your user pool.
4603
4735
  #
@@ -4864,8 +4996,8 @@ module Aws::CognitoIdentityProvider
4864
4996
  end
4865
4997
 
4866
4998
  # @!attribute [rw] user_pool_id
4867
- # The ID of the user pool where you want to view detailed activity
4868
- # logging configuration.
4999
+ # The ID of the user pool that has the logging configuration that you
5000
+ # want to view.
4869
5001
  # @return [String]
4870
5002
  #
4871
5003
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationRequest AWS API Documentation
@@ -4877,8 +5009,7 @@ module Aws::CognitoIdentityProvider
4877
5009
  end
4878
5010
 
4879
5011
  # @!attribute [rw] log_delivery_configuration
4880
- # The detailed activity logging configuration of the requested user
4881
- # pool.
5012
+ # The logging configuration of the requested user pool.
4882
5013
  # @return [Types::LogDeliveryConfigurationType]
4883
5014
  #
4884
5015
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationResponse AWS API Documentation
@@ -5035,14 +5166,27 @@ module Aws::CognitoIdentityProvider
5035
5166
  end
5036
5167
 
5037
5168
  # @!attribute [rw] sms_mfa_configuration
5038
- # The SMS text message multi-factor authentication (MFA)
5039
- # configuration.
5169
+ # Shows user pool SMS message configuration for MFA. Includes the
5170
+ # message template and the SMS message sending configuration for
5171
+ # Amazon SNS.
5040
5172
  # @return [Types::SmsMfaConfigType]
5041
5173
  #
5042
5174
  # @!attribute [rw] software_token_mfa_configuration
5043
- # The software token multi-factor authentication (MFA) configuration.
5175
+ # Shows user pool configuration for time-based one-time password
5176
+ # (TOTP) MFA. Includes TOTP enabled or disabled state.
5044
5177
  # @return [Types::SoftwareTokenMfaConfigType]
5045
5178
  #
5179
+ # @!attribute [rw] email_mfa_configuration
5180
+ # Shows user pool email message configuration for MFA. Includes the
5181
+ # subject and body of the email message template for MFA messages. To
5182
+ # activate this setting, [ advanced security features][1] must be
5183
+ # active in your user pool.
5184
+ #
5185
+ #
5186
+ #
5187
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
5188
+ # @return [Types::EmailMfaConfigType]
5189
+ #
5046
5190
  # @!attribute [rw] mfa_configuration
5047
5191
  # The multi-factor authentication (MFA) configuration. Valid values
5048
5192
  # include:
@@ -5060,6 +5204,7 @@ module Aws::CognitoIdentityProvider
5060
5204
  class GetUserPoolMfaConfigResponse < Struct.new(
5061
5205
  :sms_mfa_configuration,
5062
5206
  :software_token_mfa_configuration,
5207
+ :email_mfa_configuration,
5063
5208
  :mfa_configuration)
5064
5209
  SENSITIVE = []
5065
5210
  include Aws::Structure
@@ -5108,7 +5253,7 @@ module Aws::CognitoIdentityProvider
5108
5253
  #
5109
5254
  # @!attribute [rw] user_mfa_setting_list
5110
5255
  # The MFA options that are activated for the user. The possible values
5111
- # in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
5256
+ # in this list are `SMS_MFA`, `EMAIL_OTP`, and `SOFTWARE_TOKEN_MFA`.
5112
5257
  # @return [Array<String>]
5113
5258
  #
5114
5259
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserResponse AWS API Documentation
@@ -5590,8 +5735,11 @@ module Aws::CognitoIdentityProvider
5590
5735
  #
5591
5736
  # </note>
5592
5737
  #
5593
- # * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`,
5594
- # delivered via SMS.
5738
+ # * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your
5739
+ # user pool delivered in an SMS message.
5740
+ #
5741
+ # * `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that
5742
+ # your user pool delivered in an email message.
5595
5743
  #
5596
5744
  # * `PASSWORD_VERIFIER`: Next challenge is to supply
5597
5745
  # `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and
@@ -6487,37 +6635,73 @@ module Aws::CognitoIdentityProvider
6487
6635
  #
6488
6636
  # @!attribute [rw] log_level
6489
6637
  # The `errorlevel` selection of logs that a user pool sends for
6490
- # detailed activity logging.
6638
+ # detailed activity logging. To send `userNotification` activity with
6639
+ # [information about message delivery][1], choose `ERROR` with
6640
+ # `CloudWatchLogsConfiguration`. To send `userAuthEvents` activity
6641
+ # with user logs from advanced security features, choose `INFO` with
6642
+ # one of `CloudWatchLogsConfiguration`, `FirehoseConfiguration`, or
6643
+ # `S3Configuration`.
6644
+ #
6645
+ #
6646
+ #
6647
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/tracking-quotas-and-usage-in-cloud-watch-logs.html
6491
6648
  # @return [String]
6492
6649
  #
6493
6650
  # @!attribute [rw] event_source
6494
- # The source of events that your user pool sends for detailed activity
6495
- # logging.
6651
+ # The source of events that your user pool sends for logging. To send
6652
+ # error-level logs about user notification activity, set to
6653
+ # `userNotification`. To send info-level logs about advanced security
6654
+ # features user activity, set to `userAuthEvents`.
6496
6655
  # @return [String]
6497
6656
  #
6498
6657
  # @!attribute [rw] cloud_watch_logs_configuration
6499
- # The CloudWatch logging destination of a user pool.
6658
+ # The CloudWatch log group destination of user pool detailed activity
6659
+ # logs, or of user activity log export with advanced security
6660
+ # features.
6500
6661
  # @return [Types::CloudWatchLogsConfigurationType]
6501
6662
  #
6663
+ # @!attribute [rw] s3_configuration
6664
+ # The Amazon S3 bucket destination of user activity log export with
6665
+ # advanced security features. To activate this setting, [ advanced
6666
+ # security features][1] must be active in your user pool.
6667
+ #
6668
+ #
6669
+ #
6670
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
6671
+ # @return [Types::S3ConfigurationType]
6672
+ #
6673
+ # @!attribute [rw] firehose_configuration
6674
+ # The Amazon Data Firehose stream destination of user activity log
6675
+ # export with advanced security features. To activate this setting, [
6676
+ # advanced security features][1] must be active in your user pool.
6677
+ #
6678
+ #
6679
+ #
6680
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
6681
+ # @return [Types::FirehoseConfigurationType]
6682
+ #
6502
6683
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogConfigurationType AWS API Documentation
6503
6684
  #
6504
6685
  class LogConfigurationType < Struct.new(
6505
6686
  :log_level,
6506
6687
  :event_source,
6507
- :cloud_watch_logs_configuration)
6688
+ :cloud_watch_logs_configuration,
6689
+ :s3_configuration,
6690
+ :firehose_configuration)
6508
6691
  SENSITIVE = []
6509
6692
  include Aws::Structure
6510
6693
  end
6511
6694
 
6512
- # The logging parameters of a user pool.
6695
+ # The logging parameters of a user pool returned in response to
6696
+ # `GetLogDeliveryConfiguration`.
6513
6697
  #
6514
6698
  # @!attribute [rw] user_pool_id
6515
- # The ID of the user pool where you configured detailed activity
6516
- # logging.
6699
+ # The ID of the user pool where you configured logging.
6517
6700
  # @return [String]
6518
6701
  #
6519
6702
  # @!attribute [rw] log_configurations
6520
- # The detailed activity logging destination of a user pool.
6703
+ # A logging destination of a user pool. User pools can have multiple
6704
+ # logging destinations for message-delivery and user-activity logs.
6521
6705
  # @return [Array<Types::LogConfigurationType>]
6522
6706
  #
6523
6707
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogDeliveryConfigurationType AWS API Documentation
@@ -6727,6 +6911,20 @@ module Aws::CognitoIdentityProvider
6727
6911
  include Aws::Structure
6728
6912
  end
6729
6913
 
6914
+ # The message returned when a user's new password matches a previous
6915
+ # password and doesn't comply with the password-history policy.
6916
+ #
6917
+ # @!attribute [rw] message
6918
+ # @return [String]
6919
+ #
6920
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/PasswordHistoryPolicyViolationException AWS API Documentation
6921
+ #
6922
+ class PasswordHistoryPolicyViolationException < Struct.new(
6923
+ :message)
6924
+ SENSITIVE = []
6925
+ include Aws::Structure
6926
+ end
6927
+
6730
6928
  # The password policy type.
6731
6929
  #
6732
6930
  # @!attribute [rw] minimum_length
@@ -6756,6 +6954,23 @@ module Aws::CognitoIdentityProvider
6756
6954
  # required users to use at least one symbol in their password.
6757
6955
  # @return [Boolean]
6758
6956
  #
6957
+ # @!attribute [rw] password_history_size
6958
+ # The number of previous passwords that you want Amazon Cognito to
6959
+ # restrict each user from reusing. Users can't set a password that
6960
+ # matches any of `n` previous passwords, where `n` is the value of
6961
+ # `PasswordHistorySize`.
6962
+ #
6963
+ # Password history isn't enforced and isn't displayed in
6964
+ # [DescribeUserPool][1] responses when you set this value to `0` or
6965
+ # don't provide it. To activate this setting, [ advanced security
6966
+ # features][2] must be active in your user pool.
6967
+ #
6968
+ #
6969
+ #
6970
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html
6971
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
6972
+ # @return [Integer]
6973
+ #
6759
6974
  # @!attribute [rw] temporary_password_validity_days
6760
6975
  # The number of days a temporary password is valid in the password
6761
6976
  # policy. If the user doesn't sign in during this time, an
@@ -6778,6 +6993,7 @@ module Aws::CognitoIdentityProvider
6778
6993
  :require_lowercase,
6779
6994
  :require_numbers,
6780
6995
  :require_symbols,
6996
+ :password_history_size,
6781
6997
  :temporary_password_validity_days)
6782
6998
  SENSITIVE = []
6783
6999
  include Aws::Structure
@@ -7124,11 +7340,21 @@ module Aws::CognitoIdentityProvider
7124
7340
  # SMS\_MFA
7125
7341
  #
7126
7342
  # : `"ChallengeName": "SMS_MFA", "ChallengeResponses":
7127
- # \{"SMS_MFA_CODE": "[SMS_code]", "USERNAME": "[username]"\}`
7343
+ # \{"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"\}`
7344
+ #
7345
+ # EMAIL\_OTP
7346
+ #
7347
+ # : `"ChallengeName": "EMAIL_OTP", "ChallengeResponses":
7348
+ # \{"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"\}`
7128
7349
  #
7129
7350
  # PASSWORD\_VERIFIER
7130
7351
  #
7131
- # : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
7352
+ # : This challenge response is part of the SRP flow. Amazon Cognito
7353
+ # requires that your application respond to this challenge within a
7354
+ # few seconds. When the response time exceeds this period, your user
7355
+ # pool returns a `NotAuthorizedException` error.
7356
+ #
7357
+ # `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
7132
7358
  # \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
7133
7359
  # "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
7134
7360
  # [timestamp], "USERNAME": "[username]"\}`
@@ -7408,6 +7634,22 @@ module Aws::CognitoIdentityProvider
7408
7634
  include Aws::Structure
7409
7635
  end
7410
7636
 
7637
+ # Configuration for the Amazon S3 bucket destination of user activity
7638
+ # log export with advanced security features.
7639
+ #
7640
+ # @!attribute [rw] bucket_arn
7641
+ # The ARN of an Amazon S3 bucket that's the destination for advanced
7642
+ # security features log export.
7643
+ # @return [String]
7644
+ #
7645
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/S3ConfigurationType AWS API Documentation
7646
+ #
7647
+ class S3ConfigurationType < Struct.new(
7648
+ :bucket_arn)
7649
+ SENSITIVE = []
7650
+ include Aws::Structure
7651
+ end
7652
+
7411
7653
  # The type used for enabling SMS multi-factor authentication (MFA) at
7412
7654
  # the user level. Phone numbers don't need to be verified to be used
7413
7655
  # for SMS MFA. If an MFA type is activated for a user, the user will be
@@ -7418,10 +7660,10 @@ module Aws::CognitoIdentityProvider
7418
7660
  # for the user pool.
7419
7661
  #
7420
7662
  # @!attribute [rw] enabled
7421
- # Specifies whether SMS text message MFA is activated. If an MFA type
7422
- # is activated for a user, the user will be prompted for MFA during
7423
- # all sign-in attempts, unless device tracking is turned on and the
7424
- # device has been trusted.
7663
+ # Specifies whether SMS message MFA is activated. If an MFA type is
7664
+ # activated for a user, the user will be prompted for MFA during all
7665
+ # sign-in attempts, unless device tracking is turned on and the device
7666
+ # has been trusted.
7425
7667
  # @return [Boolean]
7426
7668
  #
7427
7669
  # @!attribute [rw] preferred_mfa
@@ -7548,13 +7790,11 @@ module Aws::CognitoIdentityProvider
7548
7790
  end
7549
7791
 
7550
7792
  # @!attribute [rw] user_pool_id
7551
- # The ID of the user pool where you want to configure detailed
7552
- # activity logging .
7793
+ # The ID of the user pool where you want to configure logging.
7553
7794
  # @return [String]
7554
7795
  #
7555
7796
  # @!attribute [rw] log_configurations
7556
- # A collection of all of the detailed activity logging configurations
7557
- # for a user pool.
7797
+ # A collection of the logging configurations for a user pool.
7558
7798
  # @return [Array<Types::LogConfigurationType>]
7559
7799
  #
7560
7800
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetLogDeliveryConfigurationRequest AWS API Documentation
@@ -7670,13 +7910,28 @@ module Aws::CognitoIdentityProvider
7670
7910
  end
7671
7911
 
7672
7912
  # @!attribute [rw] sms_mfa_settings
7673
- # The SMS text message multi-factor authentication (MFA) settings.
7913
+ # User preferences for SMS message MFA. Activates or deactivates SMS
7914
+ # MFA and sets it as the preferred MFA method when multiple methods
7915
+ # are available.
7674
7916
  # @return [Types::SMSMfaSettingsType]
7675
7917
  #
7676
7918
  # @!attribute [rw] software_token_mfa_settings
7677
- # The time-based one-time password (TOTP) software token MFA settings.
7919
+ # User preferences for time-based one-time password (TOTP) MFA.
7920
+ # Activates or deactivates TOTP MFA and sets it as the preferred MFA
7921
+ # method when multiple methods are available.
7678
7922
  # @return [Types::SoftwareTokenMfaSettingsType]
7679
7923
  #
7924
+ # @!attribute [rw] email_mfa_settings
7925
+ # User preferences for email message MFA. Activates or deactivates
7926
+ # email MFA and sets it as the preferred MFA method when multiple
7927
+ # methods are available. To activate this setting, [ advanced security
7928
+ # features][1] must be active in your user pool.
7929
+ #
7930
+ #
7931
+ #
7932
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
7933
+ # @return [Types::EmailMfaSettingsType]
7934
+ #
7680
7935
  # @!attribute [rw] access_token
7681
7936
  # A valid access token that Amazon Cognito issued to the user whose
7682
7937
  # MFA preference you want to set.
@@ -7687,6 +7942,7 @@ module Aws::CognitoIdentityProvider
7687
7942
  class SetUserMFAPreferenceRequest < Struct.new(
7688
7943
  :sms_mfa_settings,
7689
7944
  :software_token_mfa_settings,
7945
+ :email_mfa_settings,
7690
7946
  :access_token)
7691
7947
  SENSITIVE = [:access_token]
7692
7948
  include Aws::Structure
@@ -7701,13 +7957,26 @@ module Aws::CognitoIdentityProvider
7701
7957
  # @return [String]
7702
7958
  #
7703
7959
  # @!attribute [rw] sms_mfa_configuration
7704
- # The SMS text message MFA configuration.
7960
+ # Configures user pool SMS messages for MFA. Sets the message template
7961
+ # and the SMS message sending configuration for Amazon SNS.
7705
7962
  # @return [Types::SmsMfaConfigType]
7706
7963
  #
7707
7964
  # @!attribute [rw] software_token_mfa_configuration
7708
- # The software token MFA configuration.
7965
+ # Configures a user pool for time-based one-time password (TOTP) MFA.
7966
+ # Enables or disables TOTP.
7709
7967
  # @return [Types::SoftwareTokenMfaConfigType]
7710
7968
  #
7969
+ # @!attribute [rw] email_mfa_configuration
7970
+ # Configures user pool email messages for MFA. Sets the subject and
7971
+ # body of the email message template for MFA messages. To activate
7972
+ # this setting, [ advanced security features][1] must be active in
7973
+ # your user pool.
7974
+ #
7975
+ #
7976
+ #
7977
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
7978
+ # @return [Types::EmailMfaConfigType]
7979
+ #
7711
7980
  # @!attribute [rw] mfa_configuration
7712
7981
  # The MFA configuration. If you set the MfaConfiguration value to
7713
7982
  # ‘ON’, only users who have set up an MFA factor can sign in. To learn
@@ -7732,19 +8001,34 @@ module Aws::CognitoIdentityProvider
7732
8001
  :user_pool_id,
7733
8002
  :sms_mfa_configuration,
7734
8003
  :software_token_mfa_configuration,
8004
+ :email_mfa_configuration,
7735
8005
  :mfa_configuration)
7736
8006
  SENSITIVE = []
7737
8007
  include Aws::Structure
7738
8008
  end
7739
8009
 
7740
8010
  # @!attribute [rw] sms_mfa_configuration
7741
- # The SMS text message MFA configuration.
8011
+ # Shows user pool SMS message configuration for MFA. Includes the
8012
+ # message template and the SMS message sending configuration for
8013
+ # Amazon SNS.
7742
8014
  # @return [Types::SmsMfaConfigType]
7743
8015
  #
7744
8016
  # @!attribute [rw] software_token_mfa_configuration
7745
- # The software token MFA configuration.
8017
+ # Shows user pool configuration for time-based one-time password
8018
+ # (TOTP) MFA. Includes TOTP enabled or disabled state.
7746
8019
  # @return [Types::SoftwareTokenMfaConfigType]
7747
8020
  #
8021
+ # @!attribute [rw] email_mfa_configuration
8022
+ # Shows user pool email message configuration for MFA. Includes the
8023
+ # subject and body of the email message template for MFA messages. To
8024
+ # activate this setting, [ advanced security features][1] must be
8025
+ # active in your user pool.
8026
+ #
8027
+ #
8028
+ #
8029
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
8030
+ # @return [Types::EmailMfaConfigType]
8031
+ #
7748
8032
  # @!attribute [rw] mfa_configuration
7749
8033
  # The MFA configuration. Valid values include:
7750
8034
  #
@@ -7761,6 +8045,7 @@ module Aws::CognitoIdentityProvider
7761
8045
  class SetUserPoolMfaConfigResponse < Struct.new(
7762
8046
  :sms_mfa_configuration,
7763
8047
  :software_token_mfa_configuration,
8048
+ :email_mfa_configuration,
7764
8049
  :mfa_configuration)
7765
8050
  SENSITIVE = []
7766
8051
  include Aws::Structure
@@ -7923,7 +8208,7 @@ module Aws::CognitoIdentityProvider
7923
8208
  # @return [Types::CodeDeliveryDetailsType]
7924
8209
  #
7925
8210
  # @!attribute [rw] user_sub
7926
- # The UUID of the authenticated user. This isn't the same as
8211
+ # The 128-bit ID of the authenticated user. This isn't the same as
7927
8212
  # `username`.
7928
8213
  # @return [String]
7929
8214
  #
@@ -8001,14 +8286,16 @@ module Aws::CognitoIdentityProvider
8001
8286
  include Aws::Structure
8002
8287
  end
8003
8288
 
8004
- # The SMS text message multi-factor authentication (MFA) configuration
8005
- # type.
8289
+ # Configures user pool SMS messages for multi-factor authentication
8290
+ # (MFA). Sets the message template and the SMS message sending
8291
+ # configuration for Amazon SNS.
8006
8292
  #
8007
8293
  # @!attribute [rw] sms_authentication_message
8008
- # The SMS authentication message that will be sent to users with the
8009
- # code they must sign in. The message must contain the ‘\\\{####\\}
8010
- # placeholder, which is replaced with the code. If the message isn't
8011
- # included, and default message will be used.
8294
+ # The SMS message that your user pool sends to users with an MFA code.
8295
+ # The message must contain the `\{####\}` placeholder. In the message,
8296
+ # Amazon Cognito replaces this placeholder with the code. If you
8297
+ # don't provide this parameter, Amazon Cognito sends messages in the
8298
+ # default format.
8012
8299
  # @return [String]
8013
8300
  #
8014
8301
  # @!attribute [rw] sms_configuration
@@ -8044,7 +8331,8 @@ module Aws::CognitoIdentityProvider
8044
8331
  include Aws::Structure
8045
8332
  end
8046
8333
 
8047
- # The type used for enabling software token MFA at the user pool level.
8334
+ # Configures a user pool for time-based one-time password (TOTP)
8335
+ # multi-factor authentication (MFA). Enables or disables TOTP.
8048
8336
  #
8049
8337
  # @!attribute [rw] enabled
8050
8338
  # Specifies whether software token MFA is activated.
@@ -8925,20 +9213,21 @@ module Aws::CognitoIdentityProvider
8925
9213
  #
8926
9214
  # @!attribute [rw] read_attributes
8927
9215
  # The list of user attributes that you want your app client to have
8928
- # read-only access to. After your user authenticates in your app,
8929
- # their access token authorizes them to read their own attribute value
8930
- # for any attribute in this list. An example of this kind of activity
8931
- # is when your user selects a link to view their profile information.
9216
+ # read access to. After your user authenticates in your app, their
9217
+ # access token authorizes them to read their own attribute value for
9218
+ # any attribute in this list. An example of this kind of activity is
9219
+ # when your user selects a link to view their profile information.
8932
9220
  # Your app makes a [GetUser][1] API request to retrieve and display
8933
9221
  # your user's profile data.
8934
9222
  #
8935
9223
  # When you don't specify the `ReadAttributes` for your app client,
8936
9224
  # your app can read the values of `email_verified`,
8937
9225
  # `phone_number_verified`, and the Standard attributes of your user
8938
- # pool. When your user pool has read access to these default
8939
- # attributes, `ReadAttributes` doesn't return any information. Amazon
8940
- # Cognito only populates `ReadAttributes` in the API response if you
8941
- # have specified your own custom set of read attributes.
9226
+ # pool. When your user pool app client has read access to these
9227
+ # default attributes, `ReadAttributes` doesn't return any
9228
+ # information. Amazon Cognito only populates `ReadAttributes` in the
9229
+ # API response if you have specified your own custom set of read
9230
+ # attributes.
8942
9231
  #
8943
9232
  #
8944
9233
  #
@@ -9156,6 +9445,8 @@ module Aws::CognitoIdentityProvider
9156
9445
  #
9157
9446
  # * `LEGACY` - This represents the early behavior of Amazon Cognito
9158
9447
  # where user existence related errors aren't prevented.
9448
+ #
9449
+ # Defaults to `LEGACY` when you don't provide a value.
9159
9450
  # @return [String]
9160
9451
  #
9161
9452
  # @!attribute [rw] enable_token_revocation
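Review bot: The added sentence documents `LEGACY` as the default without telling the reader to opt in to the protective value. Per the bullet directly above it, `LEGACY` is the mode where user existence related errors aren't prevented, so an app client created without this member can reveal whether a username exists. I would extend the comment with one more line, `# Set ENABLED explicitly to prevent user existence-related errors.`, so the consequence of the default is visible at the point of use. The same sentence is added in the later hunk at `@@ -10092,8 +10393,10 @@` and needs the same follow-up; the attribute's name and opening description lie outside both hunks.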
@@ -9736,13 +10027,22 @@ module Aws::CognitoIdentityProvider
9736
10027
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
9737
10028
  #
9738
10029
  # @!attribute [rw] advanced_security_mode
9739
- # The operating mode of advanced security features in your user pool.
10030
+ # The operating mode of advanced security features for standard
10031
+ # authentication types in your user pool, including username-password
10032
+ # and secure remote password (SRP) authentication.
9740
10033
  # @return [String]
9741
10034
  #
10035
+ # @!attribute [rw] advanced_security_additional_flows
10036
+ # Advanced security configuration options for additional
10037
+ # authentication types in your user pool, including custom
10038
+ # authentication.
10039
+ # @return [Types::AdvancedSecurityAdditionalFlowsType]
10040
+ #
9742
10041
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolAddOnsType AWS API Documentation
9743
10042
  #
9744
10043
  class UserPoolAddOnsType < Struct.new(
9745
- :advanced_security_mode)
10044
+ :advanced_security_mode,
10045
+ :advanced_security_additional_flows)
9746
10046
  SENSITIVE = []
9747
10047
  include Aws::Structure
9748
10048
  end
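Review bot: The new `advanced_security_additional_flows` comment does not say what applies when the member is left unset. This matters because the reworded `advanced_security_mode` comment now limits that mode to standard authentication types (username-password and SRP), so a reader running custom authentication cannot tell from these lines whether those flows are covered by advanced security by default. I would add one sentence to the attribute doc stating the behaviour when the value is omitted, for example `# When you don't set this, <default for custom authentication; confirm against the API reference>.`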
@@ -9864,20 +10164,21 @@ module Aws::CognitoIdentityProvider
9864
10164
  #
9865
10165
  # @!attribute [rw] read_attributes
9866
10166
  # The list of user attributes that you want your app client to have
9867
- # read-only access to. After your user authenticates in your app,
9868
- # their access token authorizes them to read their own attribute value
9869
- # for any attribute in this list. An example of this kind of activity
9870
- # is when your user selects a link to view their profile information.
10167
+ # read access to. After your user authenticates in your app, their
10168
+ # access token authorizes them to read their own attribute value for
10169
+ # any attribute in this list. An example of this kind of activity is
10170
+ # when your user selects a link to view their profile information.
9871
10171
  # Your app makes a [GetUser][1] API request to retrieve and display
9872
10172
  # your user's profile data.
9873
10173
  #
9874
10174
  # When you don't specify the `ReadAttributes` for your app client,
9875
10175
  # your app can read the values of `email_verified`,
9876
10176
  # `phone_number_verified`, and the Standard attributes of your user
9877
- # pool. When your user pool has read access to these default
9878
- # attributes, `ReadAttributes` doesn't return any information. Amazon
9879
- # Cognito only populates `ReadAttributes` in the API response if you
9880
- # have specified your own custom set of read attributes.
10177
+ # pool. When your user pool app client has read access to these
10178
+ # default attributes, `ReadAttributes` doesn't return any
10179
+ # information. Amazon Cognito only populates `ReadAttributes` in the
10180
+ # API response if you have specified your own custom set of read
10181
+ # attributes.
9881
10182
  #
9882
10183
  #
9883
10184
  #
@@ -10092,8 +10393,10 @@ module Aws::CognitoIdentityProvider
10092
10393
  #
10093
10394
  # * `ENABLED` - This prevents user existence-related errors.
10094
10395
  #
10095
- # * `LEGACY` - This represents the old behavior of Amazon Cognito
10396
+ # * `LEGACY` - This represents the early behavior of Amazon Cognito
10096
10397
  # where user existence related errors aren't prevented.
10398
+ #
10399
+ # Defaults to `LEGACY` when you don't provide a value.
10097
10400
  # @return [String]
10098
10401
  #
10099
10402
  # @!attribute [rw] enable_token_revocation
@@ -10832,3 +11135,4 @@ module Aws::CognitoIdentityProvider
10832
11135
 
10833
11136
  end
10834
11137
  end
11138
+