aws-sdk-cognitoidentityprovider 1.70.0 → 1.71.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1de940aa4198a67bc226ccb78d804e5915412e4b6b106b9dc3b05952c7cdec81
-  data.tar.gz: eca470406c2e4a4a50859eb8d453c6d1fe69f210fc1df8e5b8902cc5e6af4a80
+  metadata.gz: 390ff4767100b25fe34e4e87de3a85abc461fe848b76839de7dc9e1ba6e0c18c
+  data.tar.gz: 54bfe00cc0f1ba95b07a5fa20d46a2ec3d1ddcbd6cc3d0a3898ad289839451c1
 SHA512:
-  metadata.gz: 77b66cec3d3b6820f4d6bce2b21f38d18b3f51e1cd3c3c0f23990339b0b7cb28988926de5bc33980a274c989fba643d4028225f3e4433688f506a52f3fa07e5e
-  data.tar.gz: 7a2e44f6160c961fd17deddb48f12e1b577864c74cfc590b6b10bc02128a8911bf9b9ef9c8c5f71d39d835758f978572119412cdfe71d30dc81e5ef8867c737d
+  metadata.gz: f775c3a1ed63da810a0fd3afa8525069fa127482124ce7fe6a9467c61f3fefc46b00d2f524be1e5596b62b09a31d9997f9cb08b9df59861e2f8e6c1546845ec4
+  data.tar.gz: af7590d16b8cdd2c65950cf592bf9ad063cfe8c31d5de1f6097b55e16b4dc0bd5e0304465e150b88af5f506b55700b1973811066395195bcd869f4bb99e8fa32

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.71.0 (2022-10-21)
+------------------
+
+* Feature - This release adds a new "DeletionProtection" field to the UserPool in Cognito. Application admins can configure this value with either ACTIVE or INACTIVE value. Setting this field to ACTIVE will prevent a user pool from accidental deletion.
+
 1.70.0 (2022-09-02)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.70.0
+1.71.0

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -873,9 +873,12 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Disables the specified user.
+    # Deactivates a user and revokes all access tokens for the user. A
+    # deactivated user can't sign in, but still appears in the responses to
+    # `GetUser` and `ListUsers` API requests.
     #
-    # Calling this action requires developer credentials.
+    # You must make this API request with Amazon Web Services credentials
+    # that have `cognito-idp:AdminDisableUser` permissions.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to disable the user.
@@ -1500,7 +1503,9 @@ module Aws::CognitoIdentityProvider
     #   The user pool username or an alias.
     #
     # @option params [Integer] :max_results
-    #   The maximum number of authentication events to return.
+    #   The maximum number of authentication events to return. Returns 60
+    #   events if you set `MaxResults` to 0, or if you don't include a
+    #   `MaxResults` parameter.
     #
     # @option params [String] :next_token
     #   A pagination token.
@@ -2970,6 +2975,17 @@ module Aws::CognitoIdentityProvider
     # @option params [Types::UserPoolPolicyType] :policies
     #   The policies associated with the new user pool.
     #
+    # @option params [String] :deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of your
+    #   user pool. Before you can delete a user pool that you have protected
+    #   against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool` API
+    #   request, Amazon Cognito returns an `InvalidParameterException` error.
+    #   To delete a protected user pool, send a new `DeleteUserPool` request
+    #   after you deactivate deletion protection in an `UpdateUserPool` API
+    #   request.
+    #
     # @option params [Types::LambdaConfigType] :lambda_config
     #   The Lambda trigger configuration information for the new user pool.
     #
@@ -3128,6 +3144,7 @@ module Aws::CognitoIdentityProvider
     #         temporary_password_validity_days: 1,
     #       },
     #     },
+    #     deletion_protection: "ACTIVE", # accepts ACTIVE, INACTIVE
     #     lambda_config: {
     #       pre_sign_up: "ArnType",
     #       custom_message: "ArnType",
@@ -3239,6 +3256,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.policies.password_policy.require_numbers #=> Boolean
     #   resp.user_pool.policies.password_policy.require_symbols #=> Boolean
     #   resp.user_pool.policies.password_policy.temporary_password_validity_days #=> Integer
+    #   resp.user_pool.deletion_protection #=> String, one of "ACTIVE", "INACTIVE"
     #   resp.user_pool.lambda_config.pre_sign_up #=> String
     #   resp.user_pool.lambda_config.custom_message #=> String
     #   resp.user_pool.lambda_config.post_confirmation #=> String
@@ -3360,6 +3378,9 @@ module Aws::CognitoIdentityProvider
     #   Cognito overrides the value with the default value of 30 days. *Valid
     #   range* is displayed below in seconds.
     #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
+    #
     # @option params [Integer] :access_token_validity
     #   The access token time limit. After this limit expires, your user
     #   can't use their access token. To specify the time unit for
@@ -3373,6 +3394,9 @@ module Aws::CognitoIdentityProvider
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
     #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
+    #
     # @option params [Integer] :id_token_validity
     #   The ID token time limit. After this limit expires, your user can't
     #   use their ID token. To specify the time unit for `IdTokenValidity` as
@@ -3386,6 +3410,9 @@ module Aws::CognitoIdentityProvider
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
     #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
+    #
     # @option params [Types::TokenValidityUnitsType] :token_validity_units
     #   The units in which the validity times are represented. The default
     #   unit for RefreshToken is days, and default for ID and access tokens
@@ -3410,45 +3437,43 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
     #
     # @option params [Array<String>] :explicit_auth_flows
-    #   The authentication flows that are supported by the user pool clients.
-    #   Flow names without the `ALLOW_` prefix are no longer supported, in
-    #   favor of new names with the `ALLOW_` prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a user
+    #   name and Secure Remote Password (SRP), a user name and password, or a
+    #   custom authentication process that you define with Lambda functions.
     #
-    #   <note markdown="1"> Values with `ALLOW_` prefix must be used only along with the `ALLOW_`
-    #   prefix.
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`, and
+    #   `ALLOW_CUSTOM_AUTH`.
     #
     #    </note>
     #
     #   Valid values include:
     #
-    #   ALLOW\_ADMIN\_USER\_PASSWORD\_AUTH
-    #
-    #   : Enable admin based user password authentication flow
-    #     `ADMIN_USER_PASSWORD_AUTH`. This setting replaces the
-    #     `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, Amazon
-    #     Cognito receives the password in the request instead of using the
-    #     Secure Remote Password (SRP) protocol to verify passwords.
-    #
-    #   ALLOW\_CUSTOM\_AUTH
-    #
-    #   : Enable Lambda trigger based authentication.
-    #
-    #   ALLOW\_USER\_PASSWORD\_AUTH
-    #
-    #   : Enable user password-based authentication. In this flow, Amazon
-    #     Cognito receives the password in the request instead of using the
-    #     SRP protocol to verify passwords.
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user password
+    #     authentication flow `ADMIN_USER_PASSWORD_AUTH`. This setting
+    #     replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication
+    #     flow, your app passes a user name and password to Amazon Cognito in
+    #     the request, instead of using the Secure Remote Password (SRP)
+    #     protocol to securely transmit the password.
     #
-    #   ALLOW\_USER\_SRP\_AUTH
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
-    #   : Enable SRP-based authentication.
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Amazon Cognito receives the password
+    #     in the request instead of using the SRP protocol to verify
+    #     passwords.
     #
-    #   ALLOW\_REFRESH\_TOKEN\_AUTH
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
     #
-    #   : Enable the authflow that refreshes tokens.
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #
-    #   If you don't specify a value for `ExplicitAuthFlows`, your user
-    #   client supports `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`.
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
     #
     # @option params [Array<String>] :supported_identity_providers
     #   A list of provider names for the identity providers (IdPs) that are
@@ -4158,6 +4183,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.policies.password_policy.require_numbers #=> Boolean
     #   resp.user_pool.policies.password_policy.require_symbols #=> Boolean
     #   resp.user_pool.policies.password_policy.temporary_password_validity_days #=> Integer
+    #   resp.user_pool.deletion_protection #=> String, one of "ACTIVE", "INACTIVE"
     #   resp.user_pool.lambda_config.pre_sign_up #=> String
     #   resp.user_pool.lambda_config.custom_message #=> String
     #   resp.user_pool.lambda_config.post_confirmation #=> String
@@ -4668,6 +4694,12 @@ module Aws::CognitoIdentityProvider
     end
 
     # This method takes a user pool ID, and returns the signing certificate.
+    # The issued certificate is valid for 10 years from the date of issue.
+    #
+    # Amazon Cognito issues and assigns a new signing certificate annually.
+    # This process returns a new value in the response to
+    # `GetSigningCertificate`, but doesn't invalidate the original
+    # certificate.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -4920,11 +4952,9 @@ module Aws::CognitoIdentityProvider
     end
 
     # Signs out users from all devices. It also invalidates all refresh
-    # tokens that Amazon Cognito has issued to a user. The user's current
-    # access and ID tokens remain valid until their expiry. By default,
-    # access and ID tokens expire one hour after Amazon Cognito issues them.
-    # A user can still use a hosted UI cookie to retrieve new tokens for the
-    # duration of the cookie validity period of 1 hour.
+    # tokens that Amazon Cognito has issued to a user. A user can still use
+    # a hosted UI cookie to retrieve new tokens for the duration of the
+    # 1-hour cookie validity period.
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user who you
@@ -6049,9 +6079,10 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Revokes all of the access tokens generated by the specified refresh
-    # token. After the token is revoked, you can't use the revoked token to
-    # access Amazon Cognito authenticated APIs.
+    # Revokes all of the access tokens generated by, and at the same time
+    # as, the specified refresh token. After a token is revoked, you can't
+    # use the revoked token to access Amazon Cognito user APIs, or to
+    # authorize access to your resource server.
     #
     # @option params [required, String] :token
     #   The refresh token that you want to revoke.
@@ -6354,8 +6385,7 @@ module Aws::CognitoIdentityProvider
     # @option params [String] :mfa_configuration
     #   The MFA configuration. If you set the MfaConfiguration value to ‘ON’,
     #   only users who have set up an MFA factor can sign in. To learn more,
-    #   see [Adding Multi-Factor Authentication (MFA) to a user
-    #   pool](cognito/latest/developerguide/user-pool-settings-mfa.html).
+    #   see [Adding Multi-Factor Authentication (MFA) to a user pool][1].
     #   Valid values include:
     #
     #   * `OFF` MFA won't be used for any users.
@@ -6365,6 +6395,10 @@ module Aws::CognitoIdentityProvider
     #   * `OPTIONAL` MFA will be required only for individual users who have
     #     an MFA factor activated.
     #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
+    #
     # @return [Types::SetUserPoolMfaConfigResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::SetUserPoolMfaConfigResponse#sms_mfa_configuration #sms_mfa_configuration} => Types::SmsMfaConfigType
@@ -7163,6 +7197,17 @@ module Aws::CognitoIdentityProvider
     # @option params [Types::UserPoolPolicyType] :policies
     #   A container with the policies you want to update in a user pool.
     #
+    # @option params [String] :deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of your
+    #   user pool. Before you can delete a user pool that you have protected
+    #   against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool` API
+    #   request, Amazon Cognito returns an `InvalidParameterException` error.
+    #   To delete a protected user pool, send a new `DeleteUserPool` request
+    #   after you deactivate deletion protection in an `UpdateUserPool` API
+    #   request.
+    #
     # @option params [Types::LambdaConfigType] :lambda_config
     #   The Lambda configuration information from the request to update the
     #   user pool.
@@ -7293,6 +7338,7 @@ module Aws::CognitoIdentityProvider
     #         temporary_password_validity_days: 1,
     #       },
     #     },
+    #     deletion_protection: "ACTIVE", # accepts ACTIVE, INACTIVE
     #     lambda_config: {
     #       pre_sign_up: "ArnType",
     #       custom_message: "ArnType",
@@ -7422,6 +7468,9 @@ module Aws::CognitoIdentityProvider
     #   Cognito overrides the value with the default value of 30 days. *Valid
     #   range* is displayed below in seconds.
     #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
+    #
     # @option params [Integer] :access_token_validity
     #   The access token time limit. After this limit expires, your user
     #   can't use their access token. To specify the time unit for
@@ -7435,6 +7484,9 @@ module Aws::CognitoIdentityProvider
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
     #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
+    #
     # @option params [Integer] :id_token_validity
     #   The ID token time limit. After this limit expires, your user can't
     #   use their ID token. To specify the time unit for `IdTokenValidity` as
@@ -7448,6 +7500,9 @@ module Aws::CognitoIdentityProvider
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
     #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
+    #
     # @option params [Types::TokenValidityUnitsType] :token_validity_units
     #   The units in which the validity times are represented. The default
     #   unit for RefreshToken is days, and the default for ID and access
@@ -7460,19 +7515,26 @@ module Aws::CognitoIdentityProvider
     #   The writeable attributes of the user pool.
     #
     # @option params [Array<String>] :explicit_auth_flows
-    #   The authentication flows that are supported by the user pool clients.
-    #   Flow names without the `ALLOW_` prefix are no longer supported in
-    #   favor of new names with the `ALLOW_` prefix. Note that values with
-    #   `ALLOW_` prefix must be used only along with values with the `ALLOW_`
-    #   prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a user
+    #   name and Secure Remote Password (SRP), a user name and password, or a
+    #   custom authentication process that you define with Lambda functions.
+    #
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`, and
+    #   `ALLOW_CUSTOM_AUTH`.
+    #
+    #    </note>
     #
     #   Valid values include:
     #
     #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user password
     #     authentication flow `ADMIN_USER_PASSWORD_AUTH`. This setting
     #     replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication
-    #     flow, Amazon Cognito receives the password in the request instead of
-    #     using the Secure Remote Password (SRP) protocol to verify passwords.
+    #     flow, your app passes a user name and password to Amazon Cognito in
+    #     the request, instead of using the Secure Remote Password (SRP)
+    #     protocol to securely transmit the password.
     #
     #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
@@ -7485,6 +7547,12 @@ module Aws::CognitoIdentityProvider
     #
     #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
+    #
     # @option params [Array<String>] :supported_identity_providers
     #   A list of provider names for the IdPs that this client supports. The
     #   following are supported: `COGNITO`, `Facebook`, `Google`,
@@ -7902,7 +7970,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.70.0'
+      context[:gem_version] = '1.71.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -167,6 +167,7 @@ module Aws::CognitoIdentityProvider
     DeleteUserPoolDomainResponse = Shapes::StructureShape.new(name: 'DeleteUserPoolDomainResponse')
     DeleteUserPoolRequest = Shapes::StructureShape.new(name: 'DeleteUserPoolRequest')
     DeleteUserRequest = Shapes::StructureShape.new(name: 'DeleteUserRequest')
+    DeletionProtectionType = Shapes::StringShape.new(name: 'DeletionProtectionType')
     DeliveryMediumListType = Shapes::ListShape.new(name: 'DeliveryMediumListType')
     DeliveryMediumType = Shapes::StringShape.new(name: 'DeliveryMediumType')
     DescribeIdentityProviderRequest = Shapes::StructureShape.new(name: 'DescribeIdentityProviderRequest')
@@ -947,6 +948,7 @@ module Aws::CognitoIdentityProvider
 
     CreateUserPoolRequest.add_member(:pool_name, Shapes::ShapeRef.new(shape: UserPoolNameType, required: true, location_name: "PoolName"))
     CreateUserPoolRequest.add_member(:policies, Shapes::ShapeRef.new(shape: UserPoolPolicyType, location_name: "Policies"))
+    CreateUserPoolRequest.add_member(:deletion_protection, Shapes::ShapeRef.new(shape: DeletionProtectionType, location_name: "DeletionProtection"))
     CreateUserPoolRequest.add_member(:lambda_config, Shapes::ShapeRef.new(shape: LambdaConfigType, location_name: "LambdaConfig"))
     CreateUserPoolRequest.add_member(:auto_verified_attributes, Shapes::ShapeRef.new(shape: VerifiedAttributesListType, location_name: "AutoVerifiedAttributes"))
     CreateUserPoolRequest.add_member(:alias_attributes, Shapes::ShapeRef.new(shape: AliasAttributesListType, location_name: "AliasAttributes"))
@@ -1806,6 +1808,7 @@ module Aws::CognitoIdentityProvider
 
     UpdateUserPoolRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
     UpdateUserPoolRequest.add_member(:policies, Shapes::ShapeRef.new(shape: UserPoolPolicyType, location_name: "Policies"))
+    UpdateUserPoolRequest.add_member(:deletion_protection, Shapes::ShapeRef.new(shape: DeletionProtectionType, location_name: "DeletionProtection"))
     UpdateUserPoolRequest.add_member(:lambda_config, Shapes::ShapeRef.new(shape: LambdaConfigType, location_name: "LambdaConfig"))
     UpdateUserPoolRequest.add_member(:auto_verified_attributes, Shapes::ShapeRef.new(shape: VerifiedAttributesListType, location_name: "AutoVerifiedAttributes"))
     UpdateUserPoolRequest.add_member(:sms_verification_message, Shapes::ShapeRef.new(shape: SmsVerificationMessageType, location_name: "SmsVerificationMessage"))
@@ -1928,6 +1931,7 @@ module Aws::CognitoIdentityProvider
     UserPoolType.add_member(:id, Shapes::ShapeRef.new(shape: UserPoolIdType, location_name: "Id"))
     UserPoolType.add_member(:name, Shapes::ShapeRef.new(shape: UserPoolNameType, location_name: "Name"))
     UserPoolType.add_member(:policies, Shapes::ShapeRef.new(shape: UserPoolPolicyType, location_name: "Policies"))
+    UserPoolType.add_member(:deletion_protection, Shapes::ShapeRef.new(shape: DeletionProtectionType, location_name: "DeletionProtection"))
     UserPoolType.add_member(:lambda_config, Shapes::ShapeRef.new(shape: LambdaConfigType, location_name: "LambdaConfig"))
     UserPoolType.add_member(:status, Shapes::ShapeRef.new(shape: StatusType, location_name: "Status"))
     UserPoolType.add_member(:last_modified_date, Shapes::ShapeRef.new(shape: DateType, location_name: "LastModifiedDate"))
@@ -2704,6 +2708,7 @@ module Aws::CognitoIdentityProvider
         o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: UnsupportedIdentityProviderException)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
@@ -2783,6 +2788,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
       end)
 
@@ -3565,6 +3571,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: UnsupportedIdentityProviderException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -1480,7 +1480,9 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] max_results
-    #   The maximum number of authentication events to return.
+    #   The maximum number of authentication events to return. Returns 60
+    #   events if you set `MaxResults` to 0, or if you don't include a
+    #   `MaxResults` parameter.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
@@ -3432,6 +3434,9 @@ module Aws::CognitoIdentityProvider
     #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
     #   Amazon Cognito overrides the value with the default value of 30
     #   days. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
@@ -3446,6 +3451,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
@@ -3460,6 +3468,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
@@ -3489,45 +3500,44 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The authentication flows that are supported by the user pool
-    #   clients. Flow names without the `ALLOW_` prefix are no longer
-    #   supported, in favor of new names with the `ALLOW_` prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a
+    #   user name and Secure Remote Password (SRP), a user name and
+    #   password, or a custom authentication process that you define with
+    #   Lambda functions.
     #
-    #   <note markdown="1"> Values with `ALLOW_` prefix must be used only along with the
-    #   `ALLOW_` prefix.
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`,
+    #   and `ALLOW_CUSTOM_AUTH`.
     #
     #    </note>
     #
     #   Valid values include:
     #
-    #   ALLOW\_ADMIN\_USER\_PASSWORD\_AUTH
-    #
-    #   : Enable admin based user password authentication flow
-    #     `ADMIN_USER_PASSWORD_AUTH`. This setting replaces the
-    #     `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, Amazon
-    #     Cognito receives the password in the request instead of using the
-    #     Secure Remote Password (SRP) protocol to verify passwords.
-    #
-    #   ALLOW\_CUSTOM\_AUTH
-    #
-    #   : Enable Lambda trigger based authentication.
-    #
-    #   ALLOW\_USER\_PASSWORD\_AUTH
-    #
-    #   : Enable user password-based authentication. In this flow, Amazon
-    #     Cognito receives the password in the request instead of using the
-    #     SRP protocol to verify passwords.
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
+    #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
+    #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
+    #     authentication flow, your app passes a user name and password to
+    #     Amazon Cognito in the request, instead of using the Secure Remote
+    #     Password (SRP) protocol to securely transmit the password.
     #
-    #   ALLOW\_USER\_SRP\_AUTH
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
-    #   : Enable SRP-based authentication.
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Amazon Cognito receives the password
+    #     in the request instead of using the SRP protocol to verify
+    #     passwords.
     #
-    #   ALLOW\_REFRESH\_TOKEN\_AUTH
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
     #
-    #   : Enable the authflow that refreshes tokens.
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #
-    #   If you don't specify a value for `ExplicitAuthFlows`, your user
-    #   client supports `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`.
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -3806,6 +3816,7 @@ module Aws::CognitoIdentityProvider
     #             temporary_password_validity_days: 1,
     #           },
     #         },
+    #         deletion_protection: "ACTIVE", # accepts ACTIVE, INACTIVE
     #         lambda_config: {
     #           pre_sign_up: "ArnType",
     #           custom_message: "ArnType",
@@ -3915,6 +3926,18 @@ module Aws::CognitoIdentityProvider
     #   The policies associated with the new user pool.
     #   @return [Types::UserPoolPolicyType]
     #
+    # @!attribute [rw] deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of
+    #   your user pool. Before you can delete a user pool that you have
+    #   protected against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool`
+    #   API request, Amazon Cognito returns an `InvalidParameterException`
+    #   error. To delete a protected user pool, send a new `DeleteUserPool`
+    #   request after you deactivate deletion protection in an
+    #   `UpdateUserPool` API request.
+    #   @return [String]
+    #
     # @!attribute [rw] lambda_config
     #   The Lambda trigger configuration information for the new user pool.
     #
@@ -4080,6 +4103,7 @@ module Aws::CognitoIdentityProvider
     class CreateUserPoolRequest < Struct.new(
       :pool_name,
       :policies,
+      :deletion_protection,
       :lambda_config,
       :auto_verified_attributes,
       :alias_attributes,
@@ -4444,7 +4468,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The IdP that was deleted.
+    #   The identity provider details.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderResponse AWS API Documentation
@@ -4963,7 +4987,7 @@ module Aws::CognitoIdentityProvider
     #     configuration.
     #
     #     To look up the email delivery limit for the default option, see
-    #     [Limits in ][1] in the <i> Developer Guide</i>.
+    #     [Limits][1] in the *Amazon Cognito Developer Guide*.
     #
     #     The default FROM address is `no-reply@verificationemail.com`. To
     #     customize the FROM address, provide the Amazon Resource Name (ARN)
@@ -4985,12 +5009,12 @@ module Aws::CognitoIdentityProvider
     #     Before Amazon Cognito can email your users, it requires additional
     #     permissions to call Amazon SES on your behalf. When you update
     #     your user pool with this option, Amazon Cognito creates a
-    #     *service-linked role*, which is a type of role, in your Amazon Web
-    #     Services account. This role contains the permissions that allow to
-    #     access Amazon SES and send email messages with your address. For
-    #     more information about the service-linked role that Amazon Cognito
-    #     creates, see [Using Service-Linked Roles for Amazon Cognito][2] in
-    #     the *Amazon Cognito Developer Guide*.
+    #     *service-linked role*, which is a type of role in your Amazon Web
+    #     Services account. This role contains the permissions that allow
+    #     you to access Amazon SES and send email messages from your email
+    #     address. For more information about the service-linked role that
+    #     Amazon Cognito creates, see [Using Service-Linked Roles for Amazon
+    #     Cognito][2] in the *Amazon Cognito Developer Guide*.
     #
     #
     #
@@ -5463,7 +5487,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The IdP object.
+    #   The identity provider details.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierResponse AWS API Documentation
@@ -8442,8 +8466,7 @@ module Aws::CognitoIdentityProvider
     #   The MFA configuration. If you set the MfaConfiguration value to
     #   ‘ON’, only users who have set up an MFA factor can sign in. To learn
     #   more, see [Adding Multi-Factor Authentication (MFA) to a user
-    #   pool](cognito/latest/developerguide/user-pool-settings-mfa.html).
-    #   Valid values include:
+    #   pool][1]. Valid values include:
     #
     #   * `OFF` MFA won't be used for any users.
     #
@@ -8451,6 +8474,10 @@ module Aws::CognitoIdentityProvider
     #
     #   * `OPTIONAL` MFA will be required only for individual users who have
     #     an MFA factor activated.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserPoolMfaConfigRequest AWS API Documentation
@@ -9450,7 +9477,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # @!attribute [rw] identity_provider
-    #   The IdP object.
+    #   The identity provider details.
     #   @return [Types::IdentityProviderType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderResponse AWS API Documentation
@@ -9684,6 +9711,9 @@ module Aws::CognitoIdentityProvider
     #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
     #   Amazon Cognito overrides the value with the default value of 30
     #   days. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
@@ -9698,6 +9728,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
@@ -9712,6 +9745,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
@@ -9729,20 +9765,27 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The authentication flows that are supported by the user pool
-    #   clients. Flow names without the `ALLOW_` prefix are no longer
-    #   supported in favor of new names with the `ALLOW_` prefix. Note that
-    #   values with `ALLOW_` prefix must be used only along with values with
-    #   the `ALLOW_` prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a
+    #   user name and Secure Remote Password (SRP), a user name and
+    #   password, or a custom authentication process that you define with
+    #   Lambda functions.
+    #
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`,
+    #   and `ALLOW_CUSTOM_AUTH`.
+    #
+    #    </note>
     #
     #   Valid values include:
     #
     #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
     #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
     #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
-    #     authentication flow, Amazon Cognito receives the password in the
-    #     request instead of using the Secure Remote Password (SRP) protocol
-    #     to verify passwords.
+    #     authentication flow, your app passes a user name and password to
+    #     Amazon Cognito in the request, instead of using the Secure Remote
+    #     Password (SRP) protocol to securely transmit the password.
     #
     #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
@@ -9754,6 +9797,12 @@ module Aws::CognitoIdentityProvider
     #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
     #
     #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
+    #
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -10029,6 +10078,7 @@ module Aws::CognitoIdentityProvider
     #             temporary_password_validity_days: 1,
     #           },
     #         },
+    #         deletion_protection: "ACTIVE", # accepts ACTIVE, INACTIVE
     #         lambda_config: {
     #           pre_sign_up: "ArnType",
     #           custom_message: "ArnType",
@@ -10116,6 +10166,18 @@ module Aws::CognitoIdentityProvider
     #   A container with the policies you want to update in a user pool.
     #   @return [Types::UserPoolPolicyType]
     #
+    # @!attribute [rw] deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of
+    #   your user pool. Before you can delete a user pool that you have
+    #   protected against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool`
+    #   API request, Amazon Cognito returns an `InvalidParameterException`
+    #   error. To delete a protected user pool, send a new `DeleteUserPool`
+    #   request after you deactivate deletion protection in an
+    #   `UpdateUserPool` API request.
+    #   @return [String]
+    #
     # @!attribute [rw] lambda_config
     #   The Lambda configuration information from the request to update the
     #   user pool.
@@ -10251,6 +10313,7 @@ module Aws::CognitoIdentityProvider
     class UpdateUserPoolRequest < Struct.new(
       :user_pool_id,
       :policies,
+      :deletion_protection,
       :lambda_config,
       :auto_verified_attributes,
       :sms_verification_message,
@@ -10625,6 +10688,9 @@ module Aws::CognitoIdentityProvider
     #   is days. You can't set `RefreshTokenValidity` to 0. If you do,
     #   Amazon Cognito overrides the value with the default value of 30
     #   days. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your refresh tokens are valid for 30 days.
     #   @return [Integer]
     #
     # @!attribute [rw] access_token_validity
@@ -10639,6 +10705,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your access tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] id_token_validity
@@ -10653,6 +10722,9 @@ module Aws::CognitoIdentityProvider
     #
     #   The default time unit for `AccessTokenValidity` in an API request is
     #   hours. *Valid range* is displayed below in seconds.
+    #
+    #   If you don't specify otherwise in the configuration of your app
+    #   client, your ID tokens are valid for one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] token_validity_units
@@ -10669,20 +10741,27 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The authentication flows that are supported by the user pool
-    #   clients. Flow names without the `ALLOW_` prefix are no longer
-    #   supported in favor of new names with the `ALLOW_` prefix. Note that
-    #   values with `ALLOW_` prefix must be used only along with values
-    #   including the `ALLOW_` prefix.
+    #   The authentication flows that you want your user pool client to
+    #   support. For each app client in your user pool, you can sign in your
+    #   users with any combination of one or more flows, including with a
+    #   user name and Secure Remote Password (SRP), a user name and
+    #   password, or a custom authentication process that you define with
+    #   Lambda functions.
+    #
+    #   <note markdown="1"> If you don't specify a value for `ExplicitAuthFlows`, your user
+    #   client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`,
+    #   and `ALLOW_CUSTOM_AUTH`.
+    #
+    #    </note>
     #
     #   Valid values include:
     #
     #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
     #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
     #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
-    #     authentication flow, Amazon Cognito receives the password in the
-    #     request instead of using the Secure Remote Password (SRP) protocol
-    #     to verify passwords.
+    #     authentication flow, your app passes a user name and password to
+    #     Amazon Cognito in the request, instead of using the Secure Remote
+    #     Password (SRP) protocol to securely transmit the password.
     #
     #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
     #
@@ -10694,6 +10773,12 @@ module Aws::CognitoIdentityProvider
     #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
     #
     #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
+    #
+    #   In some environments, you will see the values `ADMIN_NO_SRP_AUTH`,
+    #   `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign
+    #   these legacy `ExplicitAuthFlows` values to user pool clients at the
+    #   same time as values that begin with `ALLOW_`, like
+    #   `ALLOW_USER_SRP_AUTH`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -10989,6 +11074,18 @@ module Aws::CognitoIdentityProvider
     #   The policies associated with the user pool.
     #   @return [Types::UserPoolPolicyType]
     #
+    # @!attribute [rw] deletion_protection
+    #   When active, `DeletionProtection` prevents accidental deletion of
+    #   your user pool. Before you can delete a user pool that you have
+    #   protected against deletion, you must deactivate this feature.
+    #
+    #   When you try to delete a protected user pool in a `DeleteUserPool`
+    #   API request, Amazon Cognito returns an `InvalidParameterException`
+    #   error. To delete a protected user pool, send a new `DeleteUserPool`
+    #   request after you deactivate deletion protection in an
+    #   `UpdateUserPool` API request.
+    #   @return [String]
+    #
     # @!attribute [rw] lambda_config
     #   The Lambda triggers associated with the user pool.
     #   @return [Types::LambdaConfigType]
@@ -11213,6 +11310,7 @@ module Aws::CognitoIdentityProvider
       :id,
       :name,
       :policies,
+      :deletion_protection,
       :lambda_config,
       :status,
       :last_modified_date,

data/lib/aws-sdk-cognitoidentityprovider.rb

@@ -48,6 +48,6 @@ require_relative 'aws-sdk-cognitoidentityprovider/customizations'
 # @!group service
 module Aws::CognitoIdentityProvider
 
-  GEM_VERSION = '1.70.0'
+  GEM_VERSION = '1.71.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-cognitoidentityprovider
 version: !ruby/object:Gem::Version
-  version: 1.70.0
+  version: 1.71.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-09-02 00:00:00.000000000 Z
+date: 2022-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core