aws-sdk-cognitoidentityprovider 1.97.0 → 1.107.0

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -762,7 +762,7 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] user_mfa_setting_list
     #   The MFA options that are activated for the user. The possible values
-    #   in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
+    #   in this list are `SMS_MFA`, `EMAIL_OTP`, and `SOFTWARE_TOKEN_MFA`.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetUserResponse AWS API Documentation
@@ -960,11 +960,15 @@ module Aws::CognitoIdentityProvider
     #     to authenticate.
     #
     #   * `SELECT_MFA_TYPE`: Selects the MFA type. Valid MFA options are
-    #     `SMS_MFA` for text SMS MFA, and `SOFTWARE_TOKEN_MFA` for
-    #     time-based one-time password (TOTP) software token MFA.
+    #     `SMS_MFA` for SMS message MFA, `EMAIL_OTP` for email message MFA,
+    #     and `SOFTWARE_TOKEN_MFA` for time-based one-time password (TOTP)
+    #     software token MFA.
     #
-    #   * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`,
-    #     delivered via SMS.
+    #   * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your
+    #     user pool delivered in an SMS message.
+    #
+    #   * `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that
+    #     your user pool delivered in an email message.
     #
     #   * `PASSWORD_VERIFIER`: Next challenge is to supply
     #     `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and
@@ -1430,11 +1434,21 @@ module Aws::CognitoIdentityProvider
     #   SMS\_MFA
     #
     #   : `"ChallengeName": "SMS_MFA", "ChallengeResponses":
-    #     \{"SMS_MFA_CODE": "[SMS_code]", "USERNAME": "[username]"\}`
+    #     \{"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"\}`
+    #
+    #   EMAIL\_OTP
+    #
+    #   : `"ChallengeName": "EMAIL_OTP", "ChallengeResponses":
+    #     \{"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"\}`
     #
     #   PASSWORD\_VERIFIER
     #
-    #   : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
+    #   : This challenge response is part of the SRP flow. Amazon Cognito
+    #     requires that your application respond to this challenge within a
+    #     few seconds. When the response time exceeds this period, your user
+    #     pool returns a `NotAuthorizedException` error.
+    #
+    #     `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
     #     \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
     #     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
     #     [timestamp], "USERNAME": "[username]"\}`
@@ -1648,13 +1662,28 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] sms_mfa_settings
-    #   The SMS text message MFA settings.
+    #   User preferences for SMS message MFA. Activates or deactivates SMS
+    #   MFA and sets it as the preferred MFA method when multiple methods
+    #   are available.
     #   @return [Types::SMSMfaSettingsType]
     #
     # @!attribute [rw] software_token_mfa_settings
-    #   The time-based one-time password software token MFA settings.
+    #   User preferences for time-based one-time password (TOTP) MFA.
+    #   Activates or deactivates TOTP MFA and sets it as the preferred MFA
+    #   method when multiple methods are available.
     #   @return [Types::SoftwareTokenMfaSettingsType]
     #
+    # @!attribute [rw] email_mfa_settings
+    #   User preferences for email message MFA. Activates or deactivates
+    #   email MFA and sets it as the preferred MFA method when multiple
+    #   methods are available. To activate this setting, [ advanced security
+    #   features][1] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::EmailMfaSettingsType]
+    #
     # @!attribute [rw] username
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
@@ -1664,7 +1693,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] user_pool_id
-    #   The user pool ID.
+    #   The ID of the user pool where you want to set a user's MFA
+    #   preferences.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminSetUserMFAPreferenceRequest AWS API Documentation
@@ -1672,6 +1702,7 @@ module Aws::CognitoIdentityProvider
     class AdminSetUserMFAPreferenceRequest < Struct.new(
       :sms_mfa_settings,
       :software_token_mfa_settings,
+      :email_mfa_settings,
       :username,
       :user_pool_id)
       SENSITIVE = [:username]
@@ -1961,6 +1992,27 @@ module Aws::CognitoIdentityProvider
     #
     class AdminUserGlobalSignOutResponse < Aws::EmptyStructure; end
 
+    # Advanced security configuration options for additional authentication
+    # types in your user pool, including custom authentication.
+    #
+    # @!attribute [rw] custom_auth_mode
+    #   The operating mode of advanced security features in custom
+    #   authentication with [ Custom authentication challenge Lambda
+    #   triggers][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdvancedSecurityAdditionalFlowsType AWS API Documentation
+    #
+    class AdvancedSecurityAdditionalFlowsType < Struct.new(
+      :custom_auth_mode)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when a user tries to confirm the account with
     # an email address or phone number that has already been supplied as an
     # alias for a different user profile. This exception indicates that an
@@ -2257,8 +2309,9 @@ module Aws::CognitoIdentityProvider
     #
     class ChangePasswordResponse < Aws::EmptyStructure; end
 
-    # The CloudWatch logging destination of a user pool detailed activity
-    # logging configuration.
+    # Configuration for the CloudWatch log group destination of user pool
+    # detailed activity logging, or of user activity log export with
+    # advanced security features.
     #
     # @!attribute [rw] log_group_arn
     #   The Amazon Resource Name (arn) of a CloudWatch Logs log group where
@@ -3093,20 +3146,21 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] read_attributes
     #   The list of user attributes that you want your app client to have
-    #   read-only access to. After your user authenticates in your app,
-    #   their access token authorizes them to read their own attribute value
-    #   for any attribute in this list. An example of this kind of activity
-    #   is when your user selects a link to view their profile information.
+    #   read access to. After your user authenticates in your app, their
+    #   access token authorizes them to read their own attribute value for
+    #   any attribute in this list. An example of this kind of activity is
+    #   when your user selects a link to view their profile information.
     #   Your app makes a [GetUser][1] API request to retrieve and display
     #   your user's profile data.
     #
     #   When you don't specify the `ReadAttributes` for your app client,
     #   your app can read the values of `email_verified`,
     #   `phone_number_verified`, and the Standard attributes of your user
-    #   pool. When your user pool has read access to these default
-    #   attributes, `ReadAttributes` doesn't return any information. Amazon
-    #   Cognito only populates `ReadAttributes` in the API response if you
-    #   have specified your own custom set of read attributes.
+    #   pool. When your user pool app client has read access to these
+    #   default attributes, `ReadAttributes` doesn't return any
+    #   information. Amazon Cognito only populates `ReadAttributes` in the
+    #   API response if you have specified your own custom set of read
+    #   attributes.
     #
     #
     #
@@ -3329,6 +3383,8 @@ module Aws::CognitoIdentityProvider
     #
     #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
+    #
+    #   Defaults to `LEGACY` when you don't provide a value.
     #   @return [String]
     #
     # @!attribute [rw] enable_token_revocation
@@ -4479,6 +4535,66 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # Sets or shows user pool email message configuration for MFA. Includes
+    # the subject and body of the email message template for MFA messages.
+    # To activate this setting, [ advanced security features][1] must be
+    # active in your user pool.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #
+    # @!attribute [rw] message
+    #   The template for the email message that your user pool sends to
+    #   users with an MFA code. The message must contain the `\{####\}`
+    #   placeholder. In the message, Amazon Cognito replaces this
+    #   placeholder with the code. If you don't provide this parameter,
+    #   Amazon Cognito sends messages in the default format.
+    #   @return [String]
+    #
+    # @!attribute [rw] subject
+    #   The subject of the email message that your user pool sends to users
+    #   with an MFA code.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/EmailMfaConfigType AWS API Documentation
+    #
+    class EmailMfaConfigType < Struct.new(
+      :message,
+      :subject)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # User preferences for multi-factor authentication with email messages.
+    # Activates or deactivates email MFA and sets it as the preferred MFA
+    # method when multiple methods are available. To activate this setting,
+    # [ advanced security features][1] must be active in your user pool.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #
+    # @!attribute [rw] enabled
+    #   Specifies whether email message MFA is active for a user. When the
+    #   value of this parameter is `Enabled`, the user will be prompted for
+    #   MFA during all sign-in attempts, unless device tracking is turned on
+    #   and the device has been trusted.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] preferred_mfa
+    #   Specifies whether email message MFA is the user's preferred method.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/EmailMfaSettingsType AWS API Documentation
+    #
+    class EmailMfaSettingsType < Struct.new(
+      :enabled,
+      :preferred_mfa)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when there is a code mismatch and the service
     # fails to configure the software token TOTP multi-factor authentication
     # (MFA).
@@ -4598,6 +4714,22 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # Configuration for the Amazon Data Firehose stream destination of user
+    # activity log export with advanced security features.
+    #
+    # @!attribute [rw] stream_arn
+    #   The ARN of an Amazon Data Firehose stream that's the destination
+    #   for advanced security features log export.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/FirehoseConfigurationType AWS API Documentation
+    #
+    class FirehoseConfigurationType < Struct.new(
+      :stream_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when WAF doesn't allow your request based on
     # a web ACL that's associated with your user pool.
     #
@@ -4864,8 +4996,8 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] user_pool_id
-    #   The ID of the user pool where you want to view detailed activity
-    #   logging configuration.
+    #   The ID of the user pool that has the logging configuration that you
+    #   want to view.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationRequest AWS API Documentation
@@ -4877,8 +5009,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] log_delivery_configuration
-    #   The detailed activity logging configuration of the requested user
-    #   pool.
+    #   The logging configuration of the requested user pool.
     #   @return [Types::LogDeliveryConfigurationType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationResponse AWS API Documentation
@@ -5035,14 +5166,27 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] sms_mfa_configuration
-    #   The SMS text message multi-factor authentication (MFA)
-    #   configuration.
+    #   Shows user pool SMS message configuration for MFA. Includes the
+    #   message template and the SMS message sending configuration for
+    #   Amazon SNS.
     #   @return [Types::SmsMfaConfigType]
     #
     # @!attribute [rw] software_token_mfa_configuration
-    #   The software token multi-factor authentication (MFA) configuration.
+    #   Shows user pool configuration for time-based one-time password
+    #   (TOTP) MFA. Includes TOTP enabled or disabled state.
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
+    # @!attribute [rw] email_mfa_configuration
+    #   Shows user pool email message configuration for MFA. Includes the
+    #   subject and body of the email message template for MFA messages. To
+    #   activate this setting, [ advanced security features][1] must be
+    #   active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::EmailMfaConfigType]
+    #
     # @!attribute [rw] mfa_configuration
     #   The multi-factor authentication (MFA) configuration. Valid values
     #   include:
@@ -5060,6 +5204,7 @@ module Aws::CognitoIdentityProvider
     class GetUserPoolMfaConfigResponse < Struct.new(
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
+      :email_mfa_configuration,
       :mfa_configuration)
       SENSITIVE = []
       include Aws::Structure
@@ -5108,7 +5253,7 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] user_mfa_setting_list
     #   The MFA options that are activated for the user. The possible values
-    #   in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
+    #   in this list are `SMS_MFA`, `EMAIL_OTP`, and `SOFTWARE_TOKEN_MFA`.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserResponse AWS API Documentation
@@ -5590,8 +5735,11 @@ module Aws::CognitoIdentityProvider
     #
     #    </note>
     #
-    #   * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`,
-    #     delivered via SMS.
+    #   * `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your
+    #     user pool delivered in an SMS message.
+    #
+    #   * `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that
+    #     your user pool delivered in an email message.
     #
     #   * `PASSWORD_VERIFIER`: Next challenge is to supply
     #     `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and
@@ -6487,37 +6635,73 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] log_level
     #   The `errorlevel` selection of logs that a user pool sends for
-    #   detailed activity logging.
+    #   detailed activity logging. To send `userNotification` activity with
+    #   [information about message delivery][1], choose `ERROR` with
+    #   `CloudWatchLogsConfiguration`. To send `userAuthEvents` activity
+    #   with user logs from advanced security features, choose `INFO` with
+    #   one of `CloudWatchLogsConfiguration`, `FirehoseConfiguration`, or
+    #   `S3Configuration`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/tracking-quotas-and-usage-in-cloud-watch-logs.html
     #   @return [String]
     #
     # @!attribute [rw] event_source
-    #   The source of events that your user pool sends for detailed activity
-    #   logging.
+    #   The source of events that your user pool sends for logging. To send
+    #   error-level logs about user notification activity, set to
+    #   `userNotification`. To send info-level logs about advanced security
+    #   features user activity, set to `userAuthEvents`.
     #   @return [String]
     #
     # @!attribute [rw] cloud_watch_logs_configuration
-    #   The CloudWatch logging destination of a user pool.
+    #   The CloudWatch log group destination of user pool detailed activity
+    #   logs, or of user activity log export with advanced security
+    #   features.
     #   @return [Types::CloudWatchLogsConfigurationType]
     #
+    # @!attribute [rw] s3_configuration
+    #   The Amazon S3 bucket destination of user activity log export with
+    #   advanced security features. To activate this setting, [ advanced
+    #   security features][1] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::S3ConfigurationType]
+    #
+    # @!attribute [rw] firehose_configuration
+    #   The Amazon Data Firehose stream destination of user activity log
+    #   export with advanced security features. To activate this setting, [
+    #   advanced security features][1] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::FirehoseConfigurationType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogConfigurationType AWS API Documentation
     #
     class LogConfigurationType < Struct.new(
       :log_level,
       :event_source,
-      :cloud_watch_logs_configuration)
+      :cloud_watch_logs_configuration,
+      :s3_configuration,
+      :firehose_configuration)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The logging parameters of a user pool.
+    # The logging parameters of a user pool returned in response to
+    # `GetLogDeliveryConfiguration`.
     #
     # @!attribute [rw] user_pool_id
-    #   The ID of the user pool where you configured detailed activity
-    #   logging.
+    #   The ID of the user pool where you configured logging.
     #   @return [String]
     #
     # @!attribute [rw] log_configurations
-    #   The detailed activity logging destination of a user pool.
+    #   A logging destination of a user pool. User pools can have multiple
+    #   logging destinations for message-delivery and user-activity logs.
     #   @return [Array<Types::LogConfigurationType>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogDeliveryConfigurationType AWS API Documentation
@@ -6727,6 +6911,20 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # The message returned when a user's new password matches a previous
+    # password and doesn't comply with the password-history policy.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/PasswordHistoryPolicyViolationException AWS API Documentation
+    #
+    class PasswordHistoryPolicyViolationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The password policy type.
     #
     # @!attribute [rw] minimum_length
@@ -6756,6 +6954,23 @@ module Aws::CognitoIdentityProvider
     #   required users to use at least one symbol in their password.
     #   @return [Boolean]
     #
+    # @!attribute [rw] password_history_size
+    #   The number of previous passwords that you want Amazon Cognito to
+    #   restrict each user from reusing. Users can't set a password that
+    #   matches any of `n` previous passwords, where `n` is the value of
+    #   `PasswordHistorySize`.
+    #
+    #   Password history isn't enforced and isn't displayed in
+    #   [DescribeUserPool][1] responses when you set this value to `0` or
+    #   don't provide it. To activate this setting, [ advanced security
+    #   features][2] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Integer]
+    #
     # @!attribute [rw] temporary_password_validity_days
     #   The number of days a temporary password is valid in the password
     #   policy. If the user doesn't sign in during this time, an
@@ -6778,6 +6993,7 @@ module Aws::CognitoIdentityProvider
       :require_lowercase,
       :require_numbers,
       :require_symbols,
+      :password_history_size,
       :temporary_password_validity_days)
       SENSITIVE = []
       include Aws::Structure
@@ -7124,11 +7340,21 @@ module Aws::CognitoIdentityProvider
     #   SMS\_MFA
     #
     #   : `"ChallengeName": "SMS_MFA", "ChallengeResponses":
-    #     \{"SMS_MFA_CODE": "[SMS_code]", "USERNAME": "[username]"\}`
+    #     \{"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"\}`
+    #
+    #   EMAIL\_OTP
+    #
+    #   : `"ChallengeName": "EMAIL_OTP", "ChallengeResponses":
+    #     \{"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"\}`
     #
     #   PASSWORD\_VERIFIER
     #
-    #   : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
+    #   : This challenge response is part of the SRP flow. Amazon Cognito
+    #     requires that your application respond to this challenge within a
+    #     few seconds. When the response time exceeds this period, your user
+    #     pool returns a `NotAuthorizedException` error.
+    #
+    #     `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
     #     \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
     #     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
     #     [timestamp], "USERNAME": "[username]"\}`
@@ -7408,6 +7634,22 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # Configuration for the Amazon S3 bucket destination of user activity
+    # log export with advanced security features.
+    #
+    # @!attribute [rw] bucket_arn
+    #   The ARN of an Amazon S3 bucket that's the destination for advanced
+    #   security features log export.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/S3ConfigurationType AWS API Documentation
+    #
+    class S3ConfigurationType < Struct.new(
+      :bucket_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The type used for enabling SMS multi-factor authentication (MFA) at
     # the user level. Phone numbers don't need to be verified to be used
     # for SMS MFA. If an MFA type is activated for a user, the user will be
@@ -7418,10 +7660,10 @@ module Aws::CognitoIdentityProvider
     # for the user pool.
     #
     # @!attribute [rw] enabled
-    #   Specifies whether SMS text message MFA is activated. If an MFA type
-    #   is activated for a user, the user will be prompted for MFA during
-    #   all sign-in attempts, unless device tracking is turned on and the
-    #   device has been trusted.
+    #   Specifies whether SMS message MFA is activated. If an MFA type is
+    #   activated for a user, the user will be prompted for MFA during all
+    #   sign-in attempts, unless device tracking is turned on and the device
+    #   has been trusted.
     #   @return [Boolean]
     #
     # @!attribute [rw] preferred_mfa
@@ -7548,13 +7790,11 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] user_pool_id
-    #   The ID of the user pool where you want to configure detailed
-    #   activity logging .
+    #   The ID of the user pool where you want to configure logging.
     #   @return [String]
     #
     # @!attribute [rw] log_configurations
-    #   A collection of all of the detailed activity logging configurations
-    #   for a user pool.
+    #   A collection of the logging configurations for a user pool.
     #   @return [Array<Types::LogConfigurationType>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetLogDeliveryConfigurationRequest AWS API Documentation
@@ -7670,13 +7910,28 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] sms_mfa_settings
-    #   The SMS text message multi-factor authentication (MFA) settings.
+    #   User preferences for SMS message MFA. Activates or deactivates SMS
+    #   MFA and sets it as the preferred MFA method when multiple methods
+    #   are available.
     #   @return [Types::SMSMfaSettingsType]
     #
     # @!attribute [rw] software_token_mfa_settings
-    #   The time-based one-time password (TOTP) software token MFA settings.
+    #   User preferences for time-based one-time password (TOTP) MFA.
+    #   Activates or deactivates TOTP MFA and sets it as the preferred MFA
+    #   method when multiple methods are available.
     #   @return [Types::SoftwareTokenMfaSettingsType]
     #
+    # @!attribute [rw] email_mfa_settings
+    #   User preferences for email message MFA. Activates or deactivates
+    #   email MFA and sets it as the preferred MFA method when multiple
+    #   methods are available. To activate this setting, [ advanced security
+    #   features][1] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::EmailMfaSettingsType]
+    #
     # @!attribute [rw] access_token
     #   A valid access token that Amazon Cognito issued to the user whose
     #   MFA preference you want to set.
@@ -7687,6 +7942,7 @@ module Aws::CognitoIdentityProvider
     class SetUserMFAPreferenceRequest < Struct.new(
       :sms_mfa_settings,
       :software_token_mfa_settings,
+      :email_mfa_settings,
       :access_token)
       SENSITIVE = [:access_token]
       include Aws::Structure
@@ -7701,13 +7957,26 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] sms_mfa_configuration
-    #   The SMS text message MFA configuration.
+    #   Configures user pool SMS messages for MFA. Sets the message template
+    #   and the SMS message sending configuration for Amazon SNS.
     #   @return [Types::SmsMfaConfigType]
     #
     # @!attribute [rw] software_token_mfa_configuration
-    #   The software token MFA configuration.
+    #   Configures a user pool for time-based one-time password (TOTP) MFA.
+    #   Enables or disables TOTP.
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
+    # @!attribute [rw] email_mfa_configuration
+    #   Configures user pool email messages for MFA. Sets the subject and
+    #   body of the email message template for MFA messages. To activate
+    #   this setting, [ advanced security features][1] must be active in
+    #   your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::EmailMfaConfigType]
+    #
     # @!attribute [rw] mfa_configuration
     #   The MFA configuration. If you set the MfaConfiguration value to
     #   ‘ON’, only users who have set up an MFA factor can sign in. To learn
@@ -7732,19 +8001,34 @@ module Aws::CognitoIdentityProvider
       :user_pool_id,
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
+      :email_mfa_configuration,
       :mfa_configuration)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] sms_mfa_configuration
-    #   The SMS text message MFA configuration.
+    #   Shows user pool SMS message configuration for MFA. Includes the
+    #   message template and the SMS message sending configuration for
+    #   Amazon SNS.
     #   @return [Types::SmsMfaConfigType]
     #
     # @!attribute [rw] software_token_mfa_configuration
-    #   The software token MFA configuration.
+    #   Shows user pool configuration for time-based one-time password
+    #   (TOTP) MFA. Includes TOTP enabled or disabled state.
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
+    # @!attribute [rw] email_mfa_configuration
+    #   Shows user pool email message configuration for MFA. Includes the
+    #   subject and body of the email message template for MFA messages. To
+    #   activate this setting, [ advanced security features][1] must be
+    #   active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::EmailMfaConfigType]
+    #
     # @!attribute [rw] mfa_configuration
     #   The MFA configuration. Valid values include:
     #
@@ -7761,6 +8045,7 @@ module Aws::CognitoIdentityProvider
     class SetUserPoolMfaConfigResponse < Struct.new(
       :sms_mfa_configuration,
       :software_token_mfa_configuration,
+      :email_mfa_configuration,
       :mfa_configuration)
       SENSITIVE = []
       include Aws::Structure
@@ -7923,7 +8208,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::CodeDeliveryDetailsType]
     #
     # @!attribute [rw] user_sub
-    #   The UUID of the authenticated user. This isn't the same as
+    #   The 128-bit ID of the authenticated user. This isn't the same as
     #   `username`.
     #   @return [String]
     #
@@ -8001,14 +8286,16 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The SMS text message multi-factor authentication (MFA) configuration
-    # type.
+    # Configures user pool SMS messages for multi-factor authentication
+    # (MFA). Sets the message template and the SMS message sending
+    # configuration for Amazon SNS.
     #
     # @!attribute [rw] sms_authentication_message
-    #   The SMS authentication message that will be sent to users with the
-    #   code they must sign in. The message must contain the ‘\\\{####\\}’
-    #   placeholder, which is replaced with the code. If the message isn't
-    #   included, and default message will be used.
+    #   The SMS message that your user pool sends to users with an MFA code.
+    #   The message must contain the `\{####\}` placeholder. In the message,
+    #   Amazon Cognito replaces this placeholder with the code. If you
+    #   don't provide this parameter, Amazon Cognito sends messages in the
+    #   default format.
     #   @return [String]
     #
     # @!attribute [rw] sms_configuration
@@ -8044,7 +8331,8 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The type used for enabling software token MFA at the user pool level.
+    # Configures a user pool for time-based one-time password (TOTP)
+    # multi-factor authentication (MFA). Enables or disables TOTP.
     #
     # @!attribute [rw] enabled
     #   Specifies whether software token MFA is activated.
@@ -8925,20 +9213,21 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] read_attributes
     #   The list of user attributes that you want your app client to have
-    #   read-only access to. After your user authenticates in your app,
-    #   their access token authorizes them to read their own attribute value
-    #   for any attribute in this list. An example of this kind of activity
-    #   is when your user selects a link to view their profile information.
+    #   read access to. After your user authenticates in your app, their
+    #   access token authorizes them to read their own attribute value for
+    #   any attribute in this list. An example of this kind of activity is
+    #   when your user selects a link to view their profile information.
     #   Your app makes a [GetUser][1] API request to retrieve and display
     #   your user's profile data.
     #
     #   When you don't specify the `ReadAttributes` for your app client,
     #   your app can read the values of `email_verified`,
     #   `phone_number_verified`, and the Standard attributes of your user
-    #   pool. When your user pool has read access to these default
-    #   attributes, `ReadAttributes` doesn't return any information. Amazon
-    #   Cognito only populates `ReadAttributes` in the API response if you
-    #   have specified your own custom set of read attributes.
+    #   pool. When your user pool app client has read access to these
+    #   default attributes, `ReadAttributes` doesn't return any
+    #   information. Amazon Cognito only populates `ReadAttributes` in the
+    #   API response if you have specified your own custom set of read
+    #   attributes.
     #
     #
     #
@@ -9156,6 +9445,8 @@ module Aws::CognitoIdentityProvider
     #
     #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
+    #
+    #   Defaults to `LEGACY` when you don't provide a value.
     #   @return [String]
     #
     # @!attribute [rw] enable_token_revocation
@@ -9736,13 +10027,22 @@ module Aws::CognitoIdentityProvider
     # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
     #
     # @!attribute [rw] advanced_security_mode
-    #   The operating mode of advanced security features in your user pool.
+    #   The operating mode of advanced security features for standard
+    #   authentication types in your user pool, including username-password
+    #   and secure remote password (SRP) authentication.
     #   @return [String]
     #
+    # @!attribute [rw] advanced_security_additional_flows
+    #   Advanced security configuration options for additional
+    #   authentication types in your user pool, including custom
+    #   authentication.
+    #   @return [Types::AdvancedSecurityAdditionalFlowsType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolAddOnsType AWS API Documentation
     #
     class UserPoolAddOnsType < Struct.new(
-      :advanced_security_mode)
+      :advanced_security_mode,
+      :advanced_security_additional_flows)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -9864,20 +10164,21 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] read_attributes
     #   The list of user attributes that you want your app client to have
-    #   read-only access to. After your user authenticates in your app,
-    #   their access token authorizes them to read their own attribute value
-    #   for any attribute in this list. An example of this kind of activity
-    #   is when your user selects a link to view their profile information.
+    #   read access to. After your user authenticates in your app, their
+    #   access token authorizes them to read their own attribute value for
+    #   any attribute in this list. An example of this kind of activity is
+    #   when your user selects a link to view their profile information.
     #   Your app makes a [GetUser][1] API request to retrieve and display
     #   your user's profile data.
     #
     #   When you don't specify the `ReadAttributes` for your app client,
     #   your app can read the values of `email_verified`,
     #   `phone_number_verified`, and the Standard attributes of your user
-    #   pool. When your user pool has read access to these default
-    #   attributes, `ReadAttributes` doesn't return any information. Amazon
-    #   Cognito only populates `ReadAttributes` in the API response if you
-    #   have specified your own custom set of read attributes.
+    #   pool. When your user pool app client has read access to these
+    #   default attributes, `ReadAttributes` doesn't return any
+    #   information. Amazon Cognito only populates `ReadAttributes` in the
+    #   API response if you have specified your own custom set of read
+    #   attributes.
     #
     #
     #
@@ -10092,8 +10393,10 @@ module Aws::CognitoIdentityProvider
     #
     #   * `ENABLED` - This prevents user existence-related errors.
     #
-    #   * `LEGACY` - This represents the old behavior of Amazon Cognito
+    #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
+    #
+    #   Defaults to `LEGACY` when you don't provide a value.
     #   @return [String]
     #
     # @!attribute [rw] enable_token_revocation
@@ -10832,3 +11135,4 @@ module Aws::CognitoIdentityProvider
 
   end
 end
+