aws-sdk-cognitoidentityprovider 1.97.0 → 1.99.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bae5a83b6aded602a6cc01d2dcc7c0dd1a11bcb1f4f6fdb5082c7e5f78753209
-  data.tar.gz: 41424eb6cadcdb7bbcd8eb0d8a6b6ba0e21de25fcd926525bfba484f999a49db
+  metadata.gz: '0448672142fc86bc27bf133f51cb3f2c8092f71e46e3bfa5e0def970431994ed'
+  data.tar.gz: a98d09b88ceb9812faa39cc8b0d7b547a9be39bca7693f3f0cb8a4280133bada
 SHA512:
-  metadata.gz: 1deb3891d1dc9a55c3bebb5e27fd340cfb038bffb59b08a57bd5bcab60b7e226294c751fd4bffd2125eb133644b7d14d7a88da42152fdd571974c2acd1551d30
-  data.tar.gz: b86b8ee77b3bde681438a6d9705a91df380d57a81a6ce6ab4fb23221ea34cefdbfebbdc3a379428b3e9e5fd87337c6098d8ee65e6be1de29871d1e396d6dae45
+  metadata.gz: bc1ded98828c9bf018c41552b275ec3dd536952c36642b8c315fd03406ebcad1fd60fbc28e002dfc80a284a5d1ead9665dafb59d5e7a86512484abdbe74d7008
+  data.tar.gz: 8bad31b166c87eae0beb13997575320162e52ba7f9b44994398a792515172026528a47f38173f04d1fe2cdc12143ad20be5ec11843c50fb80fc75d28875aff33

data/CHANGELOG.md

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
 
+1.99.0 (2024-08-08)
+------------------
+
+* Feature - Added support for threat protection for custom authentication in Amazon Cognito user pools.
+
+1.98.0 (2024-08-06)
+------------------
+
+* Feature - Advanced security feature updates to include password history and log export for Cognito user pools.
+
 1.97.0 (2024-07-02)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.97.0
+1.99.0

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -547,18 +547,14 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # This IAM-authenticated API operation provides a code that Amazon
-    # Cognito sent to your user when they signed up in your user pool. After
-    # your user enters their code, they confirm ownership of the email
-    # address or phone number that they provided, and their user account
-    # becomes active. Depending on your user pool configuration, your users
-    # will receive their confirmation code in an email or SMS message.
+    # This IAM-authenticated API operation confirms user sign-up as an
+    # administrator. Unlike [ConfirmSignUp][1], your IAM credentials
+    # authorize user account confirmation. No confirmation code is required.
     #
-    # Local users who signed up in your user pool are the only type of user
-    # who can confirm sign-up with a code. Users who federate through an
-    # external identity provider (IdP) have already been confirmed by their
-    # IdP. Administrator-created users confirm their accounts when they
-    # respond to their invitation email message and choose a password.
+    # This request sets a user account active in a user pool that [requires
+    # confirmation of new user accounts][2] before they can sign in. You can
+    # configure your user pool to not send confirmation codes to new users
+    # and instead confirm them with this API operation on the back end.
     #
     # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
     # in requests for this API operation. For this operation, you must use
@@ -567,16 +563,18 @@ module Aws::CognitoIdentityProvider
     #
     #  **Learn more**
     #
-    #  * [Signing Amazon Web Services API Requests][1]
+    #  * [Signing Amazon Web Services API Requests][3]
     #
-    # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmSignUp.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#signing-up-users-in-your-app-and-confirming-them-as-admin
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for which you want to confirm user registration.
@@ -3084,7 +3082,7 @@ module Aws::CognitoIdentityProvider
     # require MFA, the user can then authenticate with user name and
     # password credentials alone. If your user pool requires TOTP MFA,
     # Amazon Cognito generates an `MFA_SETUP` or `SOFTWARE_TOKEN_SETUP`
-    # challenge each time your user signs. Complete setup with
+    # challenge each time your user signs in. Complete setup with
     # `AssociateSoftwareToken` and `VerifySoftwareToken`.
     #
     #  After you set up software token MFA for your user, Amazon Cognito
@@ -4636,6 +4634,7 @@ module Aws::CognitoIdentityProvider
     #         require_lowercase: false,
     #         require_numbers: false,
     #         require_symbols: false,
+    #         password_history_size: 1,
     #         temporary_password_validity_days: 1,
     #       },
     #     },
@@ -4731,6 +4730,9 @@ module Aws::CognitoIdentityProvider
     #     ],
     #     user_pool_add_ons: {
     #       advanced_security_mode: "OFF", # required, accepts OFF, AUDIT, ENFORCED
+    #       advanced_security_additional_flows: {
+    #         custom_auth_mode: "AUDIT", # accepts AUDIT, ENFORCED
+    #       },
     #     },
     #     username_configuration: {
     #       case_sensitive: false, # required
@@ -4754,6 +4756,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.policies.password_policy.require_lowercase #=> Boolean
     #   resp.user_pool.policies.password_policy.require_numbers #=> Boolean
     #   resp.user_pool.policies.password_policy.require_symbols #=> Boolean
+    #   resp.user_pool.policies.password_policy.password_history_size #=> Integer
     #   resp.user_pool.policies.password_policy.temporary_password_validity_days #=> Integer
     #   resp.user_pool.deletion_protection #=> String, one of "ACTIVE", "INACTIVE"
     #   resp.user_pool.lambda_config.pre_sign_up #=> String
@@ -4828,6 +4831,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.admin_create_user_config.invite_message_template.email_message #=> String
     #   resp.user_pool.admin_create_user_config.invite_message_template.email_subject #=> String
     #   resp.user_pool.user_pool_add_ons.advanced_security_mode #=> String, one of "OFF", "AUDIT", "ENFORCED"
+    #   resp.user_pool.user_pool_add_ons.advanced_security_additional_flows.custom_auth_mode #=> String, one of "AUDIT", "ENFORCED"
     #   resp.user_pool.username_configuration.case_sensitive #=> Boolean
     #   resp.user_pool.arn #=> String
     #   resp.user_pool.account_recovery_setting.recovery_mechanisms #=> Array
@@ -5163,6 +5167,8 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
     #
+    #   Defaults to `LEGACY` when you don't provide a value.
+    #
     # @option params [Boolean] :enable_token_revocation
     #   Activates or deactivates token revocation. For more information about
     #   revoking tokens, see [RevokeToken][1].
@@ -5959,6 +5965,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.policies.password_policy.require_lowercase #=> Boolean
     #   resp.user_pool.policies.password_policy.require_numbers #=> Boolean
     #   resp.user_pool.policies.password_policy.require_symbols #=> Boolean
+    #   resp.user_pool.policies.password_policy.password_history_size #=> Integer
     #   resp.user_pool.policies.password_policy.temporary_password_validity_days #=> Integer
     #   resp.user_pool.deletion_protection #=> String, one of "ACTIVE", "INACTIVE"
     #   resp.user_pool.lambda_config.pre_sign_up #=> String
@@ -6033,6 +6040,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.admin_create_user_config.invite_message_template.email_message #=> String
     #   resp.user_pool.admin_create_user_config.invite_message_template.email_subject #=> String
     #   resp.user_pool.user_pool_add_ons.advanced_security_mode #=> String, one of "OFF", "AUDIT", "ENFORCED"
+    #   resp.user_pool.user_pool_add_ons.advanced_security_additional_flows.custom_auth_mode #=> String, one of "AUDIT", "ENFORCED"
     #   resp.user_pool.username_configuration.case_sensitive #=> Boolean
     #   resp.user_pool.arn #=> String
     #   resp.user_pool.account_recovery_setting.recovery_mechanisms #=> Array
@@ -6548,11 +6556,11 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Gets the detailed activity logging configuration for a user pool.
+    # Gets the logging configuration of a user pool.
     #
     # @option params [required, String] :user_pool_id
-    #   The ID of the user pool where you want to view detailed activity
-    #   logging configuration.
+    #   The ID of the user pool that has the logging configuration that you
+    #   want to view.
     #
     # @return [Types::GetLogDeliveryConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -6568,9 +6576,11 @@ module Aws::CognitoIdentityProvider
     #
     #   resp.log_delivery_configuration.user_pool_id #=> String
     #   resp.log_delivery_configuration.log_configurations #=> Array
-    #   resp.log_delivery_configuration.log_configurations[0].log_level #=> String, one of "ERROR"
-    #   resp.log_delivery_configuration.log_configurations[0].event_source #=> String, one of "userNotification"
+    #   resp.log_delivery_configuration.log_configurations[0].log_level #=> String, one of "ERROR", "INFO"
+    #   resp.log_delivery_configuration.log_configurations[0].event_source #=> String, one of "userNotification", "userAuthEvents"
     #   resp.log_delivery_configuration.log_configurations[0].cloud_watch_logs_configuration.log_group_arn #=> String
+    #   resp.log_delivery_configuration.log_configurations[0].s3_configuration.bucket_arn #=> String
+    #   resp.log_delivery_configuration.log_configurations[0].firehose_configuration.stream_arn #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfiguration AWS API Documentation
     #
@@ -8466,16 +8476,15 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Sets up or modifies the detailed activity logging configuration of a
-    # user pool.
+    # Sets up or modifies the logging configuration of a user pool. User
+    # pools can export user notification logs and advanced security features
+    # user activity logs.
     #
     # @option params [required, String] :user_pool_id
-    #   The ID of the user pool where you want to configure detailed activity
-    #   logging .
+    #   The ID of the user pool where you want to configure logging.
     #
     # @option params [required, Array<Types::LogConfigurationType>] :log_configurations
-    #   A collection of all of the detailed activity logging configurations
-    #   for a user pool.
+    #   A collection of the logging configurations for a user pool.
     #
     # @return [Types::SetLogDeliveryConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -8487,11 +8496,17 @@ module Aws::CognitoIdentityProvider
     #     user_pool_id: "UserPoolIdType", # required
     #     log_configurations: [ # required
     #       {
-    #         log_level: "ERROR", # required, accepts ERROR
-    #         event_source: "userNotification", # required, accepts userNotification
+    #         log_level: "ERROR", # required, accepts ERROR, INFO
+    #         event_source: "userNotification", # required, accepts userNotification, userAuthEvents
     #         cloud_watch_logs_configuration: {
     #           log_group_arn: "ArnType",
     #         },
+    #         s3_configuration: {
+    #           bucket_arn: "S3ArnType",
+    #         },
+    #         firehose_configuration: {
+    #           stream_arn: "ArnType",
+    #         },
     #       },
     #     ],
     #   })
@@ -8500,9 +8515,11 @@ module Aws::CognitoIdentityProvider
     #
     #   resp.log_delivery_configuration.user_pool_id #=> String
     #   resp.log_delivery_configuration.log_configurations #=> Array
-    #   resp.log_delivery_configuration.log_configurations[0].log_level #=> String, one of "ERROR"
-    #   resp.log_delivery_configuration.log_configurations[0].event_source #=> String, one of "userNotification"
+    #   resp.log_delivery_configuration.log_configurations[0].log_level #=> String, one of "ERROR", "INFO"
+    #   resp.log_delivery_configuration.log_configurations[0].event_source #=> String, one of "userNotification", "userAuthEvents"
     #   resp.log_delivery_configuration.log_configurations[0].cloud_watch_logs_configuration.log_group_arn #=> String
+    #   resp.log_delivery_configuration.log_configurations[0].s3_configuration.bucket_arn #=> String
+    #   resp.log_delivery_configuration.log_configurations[0].firehose_configuration.stream_arn #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetLogDeliveryConfiguration AWS API Documentation
     #
@@ -10050,6 +10067,7 @@ module Aws::CognitoIdentityProvider
     #         require_lowercase: false,
     #         require_numbers: false,
     #         require_symbols: false,
+    #         password_history_size: 1,
     #         temporary_password_validity_days: 1,
     #       },
     #     },
@@ -10126,6 +10144,9 @@ module Aws::CognitoIdentityProvider
     #     },
     #     user_pool_add_ons: {
     #       advanced_security_mode: "OFF", # required, accepts OFF, AUDIT, ENFORCED
+    #       advanced_security_additional_flows: {
+    #         custom_auth_mode: "AUDIT", # accepts AUDIT, ENFORCED
+    #       },
     #     },
     #     account_recovery_setting: {
     #       recovery_mechanisms: [
@@ -10463,6 +10484,8 @@ module Aws::CognitoIdentityProvider
     #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
     #
+    #   Defaults to `LEGACY` when you don't provide a value.
+    #
     # @option params [Boolean] :enable_token_revocation
     #   Activates or deactivates token revocation. For more information about
     #   revoking tokens, see [RevokeToken][1].
@@ -10808,7 +10831,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.97.0'
+      context[:gem_version] = '1.99.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -73,6 +73,8 @@ module Aws::CognitoIdentityProvider
     AdminUpdateUserAttributesResponse = Shapes::StructureShape.new(name: 'AdminUpdateUserAttributesResponse')
     AdminUserGlobalSignOutRequest = Shapes::StructureShape.new(name: 'AdminUserGlobalSignOutRequest')
     AdminUserGlobalSignOutResponse = Shapes::StructureShape.new(name: 'AdminUserGlobalSignOutResponse')
+    AdvancedSecurityAdditionalFlowsType = Shapes::StructureShape.new(name: 'AdvancedSecurityAdditionalFlowsType')
+    AdvancedSecurityEnabledModeType = Shapes::StringShape.new(name: 'AdvancedSecurityEnabledModeType')
     AdvancedSecurityModeType = Shapes::StringShape.new(name: 'AdvancedSecurityModeType')
     AliasAttributeType = Shapes::StringShape.new(name: 'AliasAttributeType')
     AliasAttributesListType = Shapes::ListShape.new(name: 'AliasAttributesListType')
@@ -221,6 +223,7 @@ module Aws::CognitoIdentityProvider
     ExplicitAuthFlowsListType = Shapes::ListShape.new(name: 'ExplicitAuthFlowsListType')
     ExplicitAuthFlowsType = Shapes::StringShape.new(name: 'ExplicitAuthFlowsType')
     FeedbackValueType = Shapes::StringShape.new(name: 'FeedbackValueType')
+    FirehoseConfigurationType = Shapes::StructureShape.new(name: 'FirehoseConfigurationType')
     ForbiddenException = Shapes::StructureShape.new(name: 'ForbiddenException')
     ForceAliasCreation = Shapes::BooleanShape.new(name: 'ForceAliasCreation')
     ForgetDeviceRequest = Shapes::StructureShape.new(name: 'ForgetDeviceRequest')
@@ -321,6 +324,8 @@ module Aws::CognitoIdentityProvider
     OAuthFlowsType = Shapes::ListShape.new(name: 'OAuthFlowsType')
     PaginationKey = Shapes::StringShape.new(name: 'PaginationKey')
     PaginationKeyType = Shapes::StringShape.new(name: 'PaginationKeyType')
+    PasswordHistoryPolicyViolationException = Shapes::StructureShape.new(name: 'PasswordHistoryPolicyViolationException')
+    PasswordHistorySizeType = Shapes::IntegerShape.new(name: 'PasswordHistorySizeType')
     PasswordPolicyMinLengthType = Shapes::IntegerShape.new(name: 'PasswordPolicyMinLengthType')
     PasswordPolicyType = Shapes::StructureShape.new(name: 'PasswordPolicyType')
     PasswordResetRequiredException = Shapes::StructureShape.new(name: 'PasswordResetRequiredException')
@@ -366,7 +371,9 @@ module Aws::CognitoIdentityProvider
     RiskDecisionType = Shapes::StringShape.new(name: 'RiskDecisionType')
     RiskExceptionConfigurationType = Shapes::StructureShape.new(name: 'RiskExceptionConfigurationType')
     RiskLevelType = Shapes::StringShape.new(name: 'RiskLevelType')
+    S3ArnType = Shapes::StringShape.new(name: 'S3ArnType')
     S3BucketType = Shapes::StringShape.new(name: 'S3BucketType')
+    S3ConfigurationType = Shapes::StructureShape.new(name: 'S3ConfigurationType')
     SESConfigurationSet = Shapes::StringShape.new(name: 'SESConfigurationSet')
     SMSMfaSettingsType = Shapes::StructureShape.new(name: 'SMSMfaSettingsType')
     SchemaAttributeType = Shapes::StructureShape.new(name: 'SchemaAttributeType')
@@ -735,6 +742,9 @@ module Aws::CognitoIdentityProvider
 
     AdminUserGlobalSignOutResponse.struct_class = Types::AdminUserGlobalSignOutResponse
 
+    AdvancedSecurityAdditionalFlowsType.add_member(:custom_auth_mode, Shapes::ShapeRef.new(shape: AdvancedSecurityEnabledModeType, location_name: "CustomAuthMode"))
+    AdvancedSecurityAdditionalFlowsType.struct_class = Types::AdvancedSecurityAdditionalFlowsType
+
     AliasAttributesListType.member = Shapes::ShapeRef.new(shape: AliasAttributeType)
 
     AliasExistsException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
@@ -1149,6 +1159,9 @@ module Aws::CognitoIdentityProvider
 
     ExplicitAuthFlowsListType.member = Shapes::ShapeRef.new(shape: ExplicitAuthFlowsType)
 
+    FirehoseConfigurationType.add_member(:stream_arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "StreamArn"))
+    FirehoseConfigurationType.struct_class = Types::FirehoseConfigurationType
+
     ForbiddenException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
     ForbiddenException.struct_class = Types::ForbiddenException
 
@@ -1433,6 +1446,8 @@ module Aws::CognitoIdentityProvider
     LogConfigurationType.add_member(:log_level, Shapes::ShapeRef.new(shape: LogLevel, required: true, location_name: "LogLevel"))
     LogConfigurationType.add_member(:event_source, Shapes::ShapeRef.new(shape: EventSourceName, required: true, location_name: "EventSource"))
     LogConfigurationType.add_member(:cloud_watch_logs_configuration, Shapes::ShapeRef.new(shape: CloudWatchLogsConfigurationType, location_name: "CloudWatchLogsConfiguration"))
+    LogConfigurationType.add_member(:s3_configuration, Shapes::ShapeRef.new(shape: S3ConfigurationType, location_name: "S3Configuration"))
+    LogConfigurationType.add_member(:firehose_configuration, Shapes::ShapeRef.new(shape: FirehoseConfigurationType, location_name: "FirehoseConfiguration"))
     LogConfigurationType.struct_class = Types::LogConfigurationType
 
     LogDeliveryConfigurationType.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
@@ -1481,11 +1496,15 @@ module Aws::CognitoIdentityProvider
 
     OAuthFlowsType.member = Shapes::ShapeRef.new(shape: OAuthFlowType)
 
+    PasswordHistoryPolicyViolationException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
+    PasswordHistoryPolicyViolationException.struct_class = Types::PasswordHistoryPolicyViolationException
+
     PasswordPolicyType.add_member(:minimum_length, Shapes::ShapeRef.new(shape: PasswordPolicyMinLengthType, location_name: "MinimumLength"))
     PasswordPolicyType.add_member(:require_uppercase, Shapes::ShapeRef.new(shape: BooleanType, location_name: "RequireUppercase"))
     PasswordPolicyType.add_member(:require_lowercase, Shapes::ShapeRef.new(shape: BooleanType, location_name: "RequireLowercase"))
     PasswordPolicyType.add_member(:require_numbers, Shapes::ShapeRef.new(shape: BooleanType, location_name: "RequireNumbers"))
     PasswordPolicyType.add_member(:require_symbols, Shapes::ShapeRef.new(shape: BooleanType, location_name: "RequireSymbols"))
+    PasswordPolicyType.add_member(:password_history_size, Shapes::ShapeRef.new(shape: PasswordHistorySizeType, location_name: "PasswordHistorySize"))
     PasswordPolicyType.add_member(:temporary_password_validity_days, Shapes::ShapeRef.new(shape: TemporaryPasswordValidityDaysType, location_name: "TemporaryPasswordValidityDays"))
     PasswordPolicyType.struct_class = Types::PasswordPolicyType
 
@@ -1583,6 +1602,9 @@ module Aws::CognitoIdentityProvider
     RiskExceptionConfigurationType.add_member(:skipped_ip_range_list, Shapes::ShapeRef.new(shape: SkippedIPRangeListType, location_name: "SkippedIPRangeList"))
     RiskExceptionConfigurationType.struct_class = Types::RiskExceptionConfigurationType
 
+    S3ConfigurationType.add_member(:bucket_arn, Shapes::ShapeRef.new(shape: S3ArnType, location_name: "BucketArn"))
+    S3ConfigurationType.struct_class = Types::S3ConfigurationType
+
     SMSMfaSettingsType.add_member(:enabled, Shapes::ShapeRef.new(shape: BooleanType, location_name: "Enabled"))
     SMSMfaSettingsType.add_member(:preferred_mfa, Shapes::ShapeRef.new(shape: BooleanType, location_name: "PreferredMfa"))
     SMSMfaSettingsType.struct_class = Types::SMSMfaSettingsType
@@ -1915,6 +1937,7 @@ module Aws::CognitoIdentityProvider
     UserPoolAddOnNotEnabledException.struct_class = Types::UserPoolAddOnNotEnabledException
 
     UserPoolAddOnsType.add_member(:advanced_security_mode, Shapes::ShapeRef.new(shape: AdvancedSecurityModeType, required: true, location_name: "AdvancedSecurityMode"))
+    UserPoolAddOnsType.add_member(:advanced_security_additional_flows, Shapes::ShapeRef.new(shape: AdvancedSecurityAdditionalFlowsType, location_name: "AdvancedSecurityAdditionalFlows"))
     UserPoolAddOnsType.struct_class = Types::UserPoolAddOnsType
 
     UserPoolClientDescription.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, location_name: "ClientId"))
@@ -2400,6 +2423,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: ExpiredCodeException)
         o.errors << Shapes::ShapeRef.new(shape: UnexpectedLambdaException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidPasswordException)
+        o.errors << Shapes::ShapeRef.new(shape: PasswordHistoryPolicyViolationException)
         o.errors << Shapes::ShapeRef.new(shape: UserLambdaValidationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidLambdaResponseException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
@@ -2443,6 +2467,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidPasswordException)
+        o.errors << Shapes::ShapeRef.new(shape: PasswordHistoryPolicyViolationException)
       end)
 
       api.add_operation(:admin_set_user_settings, Seahorse::Model::Operation.new.tap do |o|
@@ -2551,6 +2576,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidPasswordException)
+        o.errors << Shapes::ShapeRef.new(shape: PasswordHistoryPolicyViolationException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
         o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
@@ -2597,6 +2623,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: UserLambdaValidationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidPasswordException)
+        o.errors << Shapes::ShapeRef.new(shape: PasswordHistoryPolicyViolationException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: CodeMismatchException)
         o.errors << Shapes::ShapeRef.new(shape: ExpiredCodeException)
@@ -3413,6 +3440,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: UnexpectedLambdaException)
         o.errors << Shapes::ShapeRef.new(shape: UserLambdaValidationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidPasswordException)
+        o.errors << Shapes::ShapeRef.new(shape: PasswordHistoryPolicyViolationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidLambdaResponseException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidUserPoolConfigurationException)

data/lib/aws-sdk-cognitoidentityprovider/errors.rb

@@ -48,6 +48,7 @@ module Aws::CognitoIdentityProvider
   # * {LimitExceededException}
   # * {MFAMethodNotFoundException}
   # * {NotAuthorizedException}
+  # * {PasswordHistoryPolicyViolationException}
   # * {PasswordResetRequiredException}
   # * {PreconditionNotMetException}
   # * {ResourceNotFoundException}
@@ -390,6 +391,21 @@ module Aws::CognitoIdentityProvider
       end
     end
 
+    class PasswordHistoryPolicyViolationException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::CognitoIdentityProvider::Types::PasswordHistoryPolicyViolationException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class PasswordResetRequiredException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -1961,6 +1961,28 @@ module Aws::CognitoIdentityProvider
     #
     class AdminUserGlobalSignOutResponse < Aws::EmptyStructure; end
 
+    # Advanced security configuration options for additional authentication
+    # types in your user pool, including custom authentication and
+    # refresh-token authentication.
+    #
+    # @!attribute [rw] custom_auth_mode
+    #   The operating mode of advanced security features in custom
+    #   authentication with [ Custom authentication challenge Lambda
+    #   triggers][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdvancedSecurityAdditionalFlowsType AWS API Documentation
+    #
+    class AdvancedSecurityAdditionalFlowsType < Struct.new(
+      :custom_auth_mode)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when a user tries to confirm the account with
     # an email address or phone number that has already been supplied as an
     # alias for a different user profile. This exception indicates that an
@@ -2257,8 +2279,9 @@ module Aws::CognitoIdentityProvider
     #
     class ChangePasswordResponse < Aws::EmptyStructure; end
 
-    # The CloudWatch logging destination of a user pool detailed activity
-    # logging configuration.
+    # Configuration for the CloudWatch log group destination of user pool
+    # detailed activity logging, or of user activity log export with
+    # advanced security features.
     #
     # @!attribute [rw] log_group_arn
     #   The Amazon Resource Name (arn) of a CloudWatch Logs log group where
@@ -3329,6 +3352,8 @@ module Aws::CognitoIdentityProvider
     #
     #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
+    #
+    #   Defaults to `LEGACY` when you don't provide a value.
     #   @return [String]
     #
     # @!attribute [rw] enable_token_revocation
@@ -4598,6 +4623,22 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # Configuration for the Amazon Data Firehose stream destination of user
+    # activity log export with advanced security features.
+    #
+    # @!attribute [rw] stream_arn
+    #   The ARN of an Amazon Data Firehose stream that's the destination
+    #   for advanced security features log export.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/FirehoseConfigurationType AWS API Documentation
+    #
+    class FirehoseConfigurationType < Struct.new(
+      :stream_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when WAF doesn't allow your request based on
     # a web ACL that's associated with your user pool.
     #
@@ -4864,8 +4905,8 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] user_pool_id
-    #   The ID of the user pool where you want to view detailed activity
-    #   logging configuration.
+    #   The ID of the user pool that has the logging configuration that you
+    #   want to view.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationRequest AWS API Documentation
@@ -4877,8 +4918,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] log_delivery_configuration
-    #   The detailed activity logging configuration of the requested user
-    #   pool.
+    #   The logging configuration of the requested user pool.
     #   @return [Types::LogDeliveryConfigurationType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationResponse AWS API Documentation
@@ -6487,37 +6527,73 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] log_level
     #   The `errorlevel` selection of logs that a user pool sends for
-    #   detailed activity logging.
+    #   detailed activity logging. To send `userNotification` activity with
+    #   [information about message delivery][1], choose `ERROR` with
+    #   `CloudWatchLogsConfiguration`. To send `userAuthEvents` activity
+    #   with user logs from advanced security features, choose `INFO` with
+    #   one of `CloudWatchLogsConfiguration`, `FirehoseConfiguration`, or
+    #   `S3Configuration`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/tracking-quotas-and-usage-in-cloud-watch-logs.html
     #   @return [String]
     #
     # @!attribute [rw] event_source
-    #   The source of events that your user pool sends for detailed activity
-    #   logging.
+    #   The source of events that your user pool sends for logging. To send
+    #   error-level logs about user notification activity, set to
+    #   `userNotification`. To send info-level logs about advanced security
+    #   features user activity, set to `userAuthEvents`.
     #   @return [String]
     #
     # @!attribute [rw] cloud_watch_logs_configuration
-    #   The CloudWatch logging destination of a user pool.
+    #   The CloudWatch log group destination of user pool detailed activity
+    #   logs, or of user activity log export with advanced security
+    #   features.
     #   @return [Types::CloudWatchLogsConfigurationType]
     #
+    # @!attribute [rw] s3_configuration
+    #   The Amazon S3 bucket destination of user activity log export with
+    #   advanced security features. To activate this setting, [ advanced
+    #   security features][1] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::S3ConfigurationType]
+    #
+    # @!attribute [rw] firehose_configuration
+    #   The Amazon Data Firehose stream destination of user activity log
+    #   export with advanced security features. To activate this setting, [
+    #   advanced security features][1] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Types::FirehoseConfigurationType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogConfigurationType AWS API Documentation
     #
     class LogConfigurationType < Struct.new(
       :log_level,
       :event_source,
-      :cloud_watch_logs_configuration)
+      :cloud_watch_logs_configuration,
+      :s3_configuration,
+      :firehose_configuration)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The logging parameters of a user pool.
+    # The logging parameters of a user pool returned in response to
+    # `GetLogDeliveryConfiguration`.
     #
     # @!attribute [rw] user_pool_id
-    #   The ID of the user pool where you configured detailed activity
-    #   logging.
+    #   The ID of the user pool where you configured logging.
     #   @return [String]
     #
     # @!attribute [rw] log_configurations
-    #   The detailed activity logging destination of a user pool.
+    #   A logging destination of a user pool. User pools can have multiple
+    #   logging destinations for message-delivery and user-activity logs.
     #   @return [Array<Types::LogConfigurationType>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogDeliveryConfigurationType AWS API Documentation
@@ -6727,6 +6803,20 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # The message returned when a user's new password matches a previous
+    # password and doesn't comply with the password-history policy.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/PasswordHistoryPolicyViolationException AWS API Documentation
+    #
+    class PasswordHistoryPolicyViolationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The password policy type.
     #
     # @!attribute [rw] minimum_length
@@ -6756,6 +6846,23 @@ module Aws::CognitoIdentityProvider
     #   required users to use at least one symbol in their password.
     #   @return [Boolean]
     #
+    # @!attribute [rw] password_history_size
+    #   The number of previous passwords that you want Amazon Cognito to
+    #   restrict each user from reusing. Users can't set a password that
+    #   matches any of `n` previous passwords, where `n` is the value of
+    #   `PasswordHistorySize`.
+    #
+    #   Password history isn't enforced and isn't displayed in
+    #   [DescribeUserPool][1] responses when you set this value to `0` or
+    #   don't provide it. To activate this setting, [ advanced security
+    #   features][2] must be active in your user pool.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
+    #   @return [Integer]
+    #
     # @!attribute [rw] temporary_password_validity_days
     #   The number of days a temporary password is valid in the password
     #   policy. If the user doesn't sign in during this time, an
@@ -6778,6 +6885,7 @@ module Aws::CognitoIdentityProvider
       :require_lowercase,
       :require_numbers,
       :require_symbols,
+      :password_history_size,
       :temporary_password_validity_days)
       SENSITIVE = []
       include Aws::Structure
@@ -7408,6 +7516,22 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # Configuration for the Amazon S3 bucket destination of user activity
+    # log export with advanced security features.
+    #
+    # @!attribute [rw] bucket_arn
+    #   The ARN of an Amazon S3 bucket that's the destination for advanced
+    #   security features log export.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/S3ConfigurationType AWS API Documentation
+    #
+    class S3ConfigurationType < Struct.new(
+      :bucket_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The type used for enabling SMS multi-factor authentication (MFA) at
     # the user level. Phone numbers don't need to be verified to be used
     # for SMS MFA. If an MFA type is activated for a user, the user will be
@@ -7548,13 +7672,11 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] user_pool_id
-    #   The ID of the user pool where you want to configure detailed
-    #   activity logging .
+    #   The ID of the user pool where you want to configure logging.
     #   @return [String]
     #
     # @!attribute [rw] log_configurations
-    #   A collection of all of the detailed activity logging configurations
-    #   for a user pool.
+    #   A collection of the logging configurations for a user pool.
     #   @return [Array<Types::LogConfigurationType>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetLogDeliveryConfigurationRequest AWS API Documentation
@@ -7923,7 +8045,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::CodeDeliveryDetailsType]
     #
     # @!attribute [rw] user_sub
-    #   The UUID of the authenticated user. This isn't the same as
+    #   The 128-bit ID of the authenticated user. This isn't the same as
     #   `username`.
     #   @return [String]
     #
@@ -9156,6 +9278,8 @@ module Aws::CognitoIdentityProvider
     #
     #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
+    #
+    #   Defaults to `LEGACY` when you don't provide a value.
     #   @return [String]
     #
     # @!attribute [rw] enable_token_revocation
@@ -9736,13 +9860,22 @@ module Aws::CognitoIdentityProvider
     # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
     #
     # @!attribute [rw] advanced_security_mode
-    #   The operating mode of advanced security features in your user pool.
+    #   The operating mode of advanced security features for standard
+    #   authentication types in your user pool, including username-password
+    #   and secure remote password (SRP) authentication.
     #   @return [String]
     #
+    # @!attribute [rw] advanced_security_additional_flows
+    #   Advanced security configuration options for additional
+    #   authentication types in your user pool, including custom
+    #   authentication and refresh-token authentication.
+    #   @return [Types::AdvancedSecurityAdditionalFlowsType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolAddOnsType AWS API Documentation
     #
     class UserPoolAddOnsType < Struct.new(
-      :advanced_security_mode)
+      :advanced_security_mode,
+      :advanced_security_additional_flows)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -10092,8 +10225,10 @@ module Aws::CognitoIdentityProvider
     #
     #   * `ENABLED` - This prevents user existence-related errors.
     #
-    #   * `LEGACY` - This represents the old behavior of Amazon Cognito
+    #   * `LEGACY` - This represents the early behavior of Amazon Cognito
     #     where user existence related errors aren't prevented.
+    #
+    #   Defaults to `LEGACY` when you don't provide a value.
     #   @return [String]
     #
     # @!attribute [rw] enable_token_revocation

data/lib/aws-sdk-cognitoidentityprovider.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-cognitoidentityprovider/customizations'
 # @!group service
 module Aws::CognitoIdentityProvider
 
-  GEM_VERSION = '1.97.0'
+  GEM_VERSION = '1.99.0'
 
 end

data/sig/client.rbs

@@ -634,6 +634,7 @@ module Aws
                                   require_lowercase: bool?,
                                   require_numbers: bool?,
                                   require_symbols: bool?,
+                                  password_history_size: ::Integer?,
                                   temporary_password_validity_days: ::Integer?
                                 }?
                               },
@@ -726,7 +727,10 @@ module Aws
                                 },
                               ],
                               ?user_pool_add_ons: {
-                                advanced_security_mode: ("OFF" | "AUDIT" | "ENFORCED")
+                                advanced_security_mode: ("OFF" | "AUDIT" | "ENFORCED"),
+                                advanced_security_additional_flows: {
+                                  custom_auth_mode: ("AUDIT" | "ENFORCED")?
+                                }?
                               },
                               ?username_configuration: {
                                 case_sensitive: bool
@@ -1297,10 +1301,16 @@ module Aws
                                             user_pool_id: ::String,
                                             log_configurations: Array[
                                               {
-                                                log_level: ("ERROR"),
-                                                event_source: ("userNotification"),
+                                                log_level: ("ERROR" | "INFO"),
+                                                event_source: ("userNotification" | "userAuthEvents"),
                                                 cloud_watch_logs_configuration: {
                                                   log_group_arn: ::String?
+                                                }?,
+                                                s3_configuration: {
+                                                  bucket_arn: ::String?
+                                                }?,
+                                                firehose_configuration: {
+                                                  stream_arn: ::String?
                                                 }?
                                               },
                                             ]
@@ -1610,6 +1620,7 @@ module Aws
                                   require_lowercase: bool?,
                                   require_numbers: bool?,
                                   require_symbols: bool?,
+                                  password_history_size: ::Integer?,
                                   temporary_password_validity_days: ::Integer?
                                 }?
                               },
@@ -1683,7 +1694,10 @@ module Aws
                                 }?
                               },
                               ?user_pool_add_ons: {
-                                advanced_security_mode: ("OFF" | "AUDIT" | "ENFORCED")
+                                advanced_security_mode: ("OFF" | "AUDIT" | "ENFORCED"),
+                                advanced_security_additional_flows: {
+                                  custom_auth_mode: ("AUDIT" | "ENFORCED")?
+                                }?
                               },
                               ?account_recovery_setting: {
                                 recovery_mechanisms: Array[

data/sig/errors.rbs

@@ -74,6 +74,9 @@ module Aws
       class NotAuthorizedException < ::Aws::Errors::ServiceError
         def message: () -> ::String
       end
+      class PasswordHistoryPolicyViolationException < ::Aws::Errors::ServiceError
+        def message: () -> ::String
+      end
       class PasswordResetRequiredException < ::Aws::Errors::ServiceError
         def message: () -> ::String
       end

data/sig/types.rbs

@@ -346,6 +346,11 @@ module Aws::CognitoIdentityProvider
     class AdminUserGlobalSignOutResponse < Aws::EmptyStructure
     end
 
+    class AdvancedSecurityAdditionalFlowsType
+      attr_accessor custom_auth_mode: ("AUDIT" | "ENFORCED")
+      SENSITIVE: []
+    end
+
     class AliasExistsException
       attr_accessor message: ::String
       SENSITIVE: []
@@ -864,6 +869,11 @@ module Aws::CognitoIdentityProvider
       SENSITIVE: []
     end
 
+    class FirehoseConfigurationType
+      attr_accessor stream_arn: ::String
+      SENSITIVE: []
+    end
+
     class ForbiddenException
       attr_accessor message: ::String
       SENSITIVE: []
@@ -1261,9 +1271,11 @@ module Aws::CognitoIdentityProvider
     end
 
     class LogConfigurationType
-      attr_accessor log_level: ("ERROR")
-      attr_accessor event_source: ("userNotification")
+      attr_accessor log_level: ("ERROR" | "INFO")
+      attr_accessor event_source: ("userNotification" | "userAuthEvents")
       attr_accessor cloud_watch_logs_configuration: Types::CloudWatchLogsConfigurationType
+      attr_accessor s3_configuration: Types::S3ConfigurationType
+      attr_accessor firehose_configuration: Types::FirehoseConfigurationType
       SENSITIVE: []
     end
 
@@ -1325,12 +1337,18 @@ module Aws::CognitoIdentityProvider
       SENSITIVE: []
     end
 
+    class PasswordHistoryPolicyViolationException
+      attr_accessor message: ::String
+      SENSITIVE: []
+    end
+
     class PasswordPolicyType
       attr_accessor minimum_length: ::Integer
       attr_accessor require_uppercase: bool
       attr_accessor require_lowercase: bool
       attr_accessor require_numbers: bool
       attr_accessor require_symbols: bool
+      attr_accessor password_history_size: ::Integer
       attr_accessor temporary_password_validity_days: ::Integer
       SENSITIVE: []
     end
@@ -1451,6 +1469,11 @@ module Aws::CognitoIdentityProvider
       SENSITIVE: []
     end
 
+    class S3ConfigurationType
+      attr_accessor bucket_arn: ::String
+      SENSITIVE: []
+    end
+
     class SMSMfaSettingsType
       attr_accessor enabled: bool
       attr_accessor preferred_mfa: bool
@@ -1897,6 +1920,7 @@ module Aws::CognitoIdentityProvider
 
     class UserPoolAddOnsType
       attr_accessor advanced_security_mode: ("OFF" | "AUDIT" | "ENFORCED")
+      attr_accessor advanced_security_additional_flows: Types::AdvancedSecurityAdditionalFlowsType
       SENSITIVE: []
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-cognitoidentityprovider
 version: !ruby/object:Gem::Version
-  version: 1.97.0
+  version: 1.99.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-07-02 00:00:00.000000000 Z
+date: 2024-08-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core