aws-cdk-lib 2.158.0__py3-none-any.whl → 2.159.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -3365,7 +3365,7 @@ class CfnLogDeliveryConfiguration(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cognito.CfnLogDeliveryConfiguration",
 ):
-    '''The logging parameters of a user pool returned in response to ``GetLogDeliveryConfiguration`` .
+    '''The logging parameters of a user pool, as returned in the response to a `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ request.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html
     :cloudformationResource: AWS::Cognito::LogDeliveryConfiguration
@@ -3509,6 +3509,8 @@ class CfnLogDeliveryConfiguration(
         ) -> None:
             '''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
 
+            This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
+
             :param log_group_arn: The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool. To send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with ``/aws/vendedlogs`` . For more information, see `Enabling logging from certain AWS services <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration.html
@@ -3627,9 +3629,11 @@ class CfnLogDeliveryConfiguration(
             log_level: typing.Optional[builtins.str] = None,
             s3_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLogDeliveryConfiguration.S3ConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''The logging parameters of a user pool.
+            '''The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.
+
+            This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
 
-            :param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
+            :param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features. This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
             :param event_source: The source of events that your user pool sends for logging. To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about advanced security features user activity, set to ``userAuthEvents`` .
             :param firehose_configuration: Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features.
             :param log_level: The ``errorlevel`` selection of logs that a user pool sends for detailed activity logging. To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/tracking-quotas-and-usage-in-cloud-watch-logs.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from advanced security features, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
@@ -3683,6 +3687,8 @@ class CfnLogDeliveryConfiguration(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.CloudWatchLogsConfigurationProperty"]]:
             '''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
 
+            This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-cloudwatchlogsconfiguration
             '''
             result = self._values.get("cloud_watch_logs_configuration")
@@ -3936,6 +3942,8 @@ class CfnUserPool(
                 challenge_required_on_new_device=False,
                 device_only_remembered_on_user_prompt=False
             ),
+            email_authentication_message="emailAuthenticationMessage",
+            email_authentication_subject="emailAuthenticationSubject",
             email_configuration=cognito.CfnUserPool.EmailConfigurationProperty(
                 configuration_set="configurationSet",
                 email_sending_account="emailSendingAccount",
@@ -4042,6 +4050,8 @@ class CfnUserPool(
         auto_verified_attributes: typing.Optional[typing.Sequence[builtins.str]] = None,
         deletion_protection: typing.Optional[builtins.str] = None,
         device_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.DeviceConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        email_authentication_message: typing.Optional[builtins.str] = None,
+        email_authentication_subject: typing.Optional[builtins.str] = None,
         email_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.EmailConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         email_verification_message: typing.Optional[builtins.str] = None,
         email_verification_subject: typing.Optional[builtins.str] = None,
@@ -4065,18 +4075,20 @@ class CfnUserPool(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param account_recovery_setting: Use this setting to define which verified available method a user can use to recover their password when they call ``ForgotPassword`` . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
-        :param admin_create_user_config: The configuration for creating a new user profile.
+        :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
         :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . .. epigraph:: This user pool property cannot be updated.
         :param auto_verified_attributes: The attributes to be auto-verified. Possible values: *email* , *phone_number* .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
         :param device_configuration: The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
+        :param email_authentication_message: 
+        :param email_authentication_subject: 
         :param email_configuration: The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
         :param email_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
         :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
         :param enabled_mfas: Enables MFA on a specified user pool. To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values: - ``SMS_MFA`` - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided. - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA``
-        :param lambda_config: The Lambda trigger configuration information for the new user pool. .. epigraph:: In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function. For more information on using the Lambda API to add permission, see `AddPermission <https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html>`_ . For adding permission using the AWS CLI , see `add-permission <https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html>`_ .
+        :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
-        :param policies: The policy associated with a user pool.
+        :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
         :param schema: The schema attributes for the new user pool. These attributes can be standard or custom attributes. .. epigraph:: During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
         :param sms_authentication_message: A string representing the SMS authentication message.
         :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
@@ -4087,7 +4099,7 @@ class CfnUserPool(
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
-        :param verification_message_template: The template for the verification message that the user sees when the app requests permission to access the user's information.
+        :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc37ee551)
@@ -4100,6 +4112,8 @@ class CfnUserPool(
             auto_verified_attributes=auto_verified_attributes,
             deletion_protection=deletion_protection,
             device_configuration=device_configuration,
+            email_authentication_message=email_authentication_message,
+            email_authentication_subject=email_authentication_subject,
             email_configuration=email_configuration,
             email_verification_message=email_verification_message,
             email_verification_subject=email_verification_subject,
@@ -4222,7 +4236,7 @@ class CfnUserPool(
     def admin_create_user_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.AdminCreateUserConfigProperty"]]:
-        '''The configuration for creating a new user profile.'''
+        '''The settings for administrator creation of users in a user pool.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.AdminCreateUserConfigProperty"]], jsii.get(self, "adminCreateUserConfig"))
 
     @admin_create_user_config.setter
@@ -4301,6 +4315,36 @@ class CfnUserPool(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "deviceConfiguration", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="emailAuthenticationMessage")
+    def email_authentication_message(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "emailAuthenticationMessage"))
+
+    @email_authentication_message.setter
+    def email_authentication_message(
+        self,
+        value: typing.Optional[builtins.str],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__3cf4765f879f49f79c6984252af6993fe6fdf6838989608b11e192c544fce53c)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "emailAuthenticationMessage", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="emailAuthenticationSubject")
+    def email_authentication_subject(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "emailAuthenticationSubject"))
+
+    @email_authentication_subject.setter
+    def email_authentication_subject(
+        self,
+        value: typing.Optional[builtins.str],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1e1d4523d17f0641e76142be67287be5dc758d191f5eba3fa217d8c5d0170791)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "emailAuthenticationSubject", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="emailConfiguration")
     def email_configuration(
@@ -4363,7 +4407,7 @@ class CfnUserPool(
     def lambda_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.LambdaConfigProperty"]]:
-        '''The Lambda trigger configuration information for the new user pool.'''
+        '''A collection of user pool Lambda triggers.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.LambdaConfigProperty"]], jsii.get(self, "lambdaConfig"))
 
     @lambda_config.setter
@@ -4397,7 +4441,10 @@ class CfnUserPool(
     def policies(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PoliciesProperty"]]:
-        '''The policy associated with a user pool.'''
+        '''A list of user pool policies.
+
+        Contains the policy that sets password-complexity requirements.
+        '''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PoliciesProperty"]], jsii.get(self, "policies"))
 
     @policies.setter
@@ -4576,7 +4623,7 @@ class CfnUserPool(
     def verification_message_template(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.VerificationMessageTemplateProperty"]]:
-        '''The template for the verification message that the user sees when the app requests permission to access the user's information.'''
+        '''The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.VerificationMessageTemplateProperty"]], jsii.get(self, "verificationMessageTemplate"))
 
     @verification_message_template.setter
@@ -4670,9 +4717,9 @@ class CfnUserPool(
         ) -> None:
             '''The configuration for ``AdminCreateUser`` requests.
 
-            :param allow_admin_create_user_only: Set to ``True`` if only the administrator is allowed to create user profiles. Set to ``False`` if users can sign themselves up via an app.
+            :param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the `SignUp <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html>`_ operation.
             :param invite_message_template: The message template to be used for the welcome message to new users. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
-            :param unused_account_validity_days: The user account expiration limit, in days, after which a new account that hasn't signed in is no longer usable. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``"RESEND"`` for the ``MessageAction`` parameter. The default value for this parameter is 7. .. epigraph:: If you set a value for ``TemporaryPasswordValidityDays`` in ``PasswordPolicy`` , that value will be used, and ``UnusedAccountValidityDays`` will be no longer be an available parameter for that user pool.
+            :param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of `PasswordPolicyType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html>`_ . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` . The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
             :exampleMetadata: fixture=_generated
@@ -4710,9 +4757,9 @@ class CfnUserPool(
         def allow_admin_create_user_only(
             self,
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-            '''Set to ``True`` if only the administrator is allowed to create user profiles.
+            '''The setting for allowing self-service sign-up.
 
-            Set to ``False`` if users can sign themselves up via an app.
+            When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the `SignUp <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html>`_ operation.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-allowadmincreateuseronly
             '''
@@ -4734,12 +4781,13 @@ class CfnUserPool(
 
         @builtins.property
         def unused_account_validity_days(self) -> typing.Optional[jsii.Number]:
-            '''The user account expiration limit, in days, after which a new account that hasn't signed in is no longer usable.
+            '''This parameter is no longer in use.
 
-            To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``"RESEND"`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
-            .. epigraph::
+            Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of `PasswordPolicyType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html>`_ . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` .
 
-               If you set a value for ``TemporaryPasswordValidityDays`` in ``PasswordPolicy`` , that value will be used, and ``UnusedAccountValidityDays`` will be no longer be an available parameter for that user pool.
+            The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter.
+
+            The default value for this parameter is 7.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-unusedaccountvaliditydays
             '''
@@ -4978,6 +5026,8 @@ class CfnUserPool(
 
                When you provide a value for any property of ``DeviceConfiguration`` , you activate the device remembering for the user pool.
 
+               This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
             :param challenge_required_on_new_device: When true, a remembered device can sign in with device authentication instead of SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA). .. epigraph:: Whether or not ``ChallengeRequiredOnNewDevice`` is true, users who sign in with devices that have not been confirmed or remembered must still provide a second factor in a user pool that requires MFA.
             :param device_only_remembered_on_user_prompt: When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a `ConfirmDevice <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html>`_ API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an `UpdateDeviceStatus <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html>`_ API request. When ``DeviceOnlyRememberedOnUserPrompt`` is ``false`` , Amazon Cognito immediately remembers devices that you register in a ``ConfirmDevice`` API request.
 
@@ -5212,7 +5262,7 @@ class CfnUserPool(
             email_subject: typing.Optional[builtins.str] = None,
             sms_message: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The message template to be used for the welcome message to new users.
+            '''The template for the welcome message to new users.
 
             See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
 
@@ -5329,22 +5379,26 @@ class CfnUserPool(
             user_migration: typing.Optional[builtins.str] = None,
             verify_auth_challenge_response: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Specifies the configuration for AWS Lambda triggers.
+            '''A collection of user pool Lambda triggers.
+
+            Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them.
 
-            :param create_auth_challenge: Creates an authentication challenge.
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
+            :param create_auth_challenge: The configuration of a create auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
             :param custom_email_sender: A custom email sender AWS Lambda trigger.
-            :param custom_message: A custom Message AWS Lambda trigger.
+            :param custom_message: A custom message Lambda trigger. This trigger is an opportunity to customize all SMS and email messages from your user pool. When a custom message trigger is active, your user pool routes all messages to a Lambda function that returns a runtime-customized message subject and body for your user pool to deliver to a user.
             :param custom_sms_sender: A custom SMS sender AWS Lambda trigger.
-            :param define_auth_challenge: Defines the authentication challenge.
+            :param define_auth_challenge: The configuration of a define auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
             :param kms_key_id: The Amazon Resource Name of a AWS Key Management Service ( AWS KMS ) key. Amazon Cognito uses the key to encrypt codes and temporary passwords sent to ``CustomEmailSender`` and ``CustomSMSSender`` .
-            :param post_authentication: A post-authentication AWS Lambda trigger.
-            :param post_confirmation: A post-confirmation AWS Lambda trigger.
-            :param pre_authentication: A pre-authentication AWS Lambda trigger.
-            :param pre_sign_up: A pre-registration AWS Lambda trigger.
-            :param pre_token_generation: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger. Set this parameter for legacy purposes. If you also set an ARN in ``PreTokenGenerationConfig`` , its value must be identical to ``PreTokenGeneration`` . For new instances of pre token generation triggers, set the ``LambdaArn`` of ``PreTokenGenerationConfig`` . You can set ``
-            :param pre_token_generation_config: The detailed configuration of a pre token generation trigger. If you also set an ARN in ``PreTokenGeneration`` , its value must be identical to ``PreTokenGenerationConfig`` .
-            :param user_migration: The user migration Lambda config type.
-            :param verify_auth_challenge_response: Verifies the authentication challenge response.
+            :param post_authentication: The configuration of a `post authentication Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html>`_ in a user pool. This trigger can take custom actions after a user signs in.
+            :param post_confirmation: The configuration of a `post confirmation Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html>`_ in a user pool. This trigger can take custom actions after a user confirms their user account and their email address or phone number.
+            :param pre_authentication: The configuration of a `pre authentication trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html>`_ in a user pool. This trigger can evaluate and modify user sign-in events.
+            :param pre_sign_up: The configuration of a `pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ in a user pool. This trigger evaluates new users and can bypass confirmation, `link a federated user profile <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html>`_ , or block sign-up requests.
+            :param pre_token_generation: The legacy configuration of a `pre token generation Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html>`_ in a user pool. Set this parameter for legacy purposes. If you also set an ARN in ``PreTokenGenerationConfig`` , its value must be identical to ``PreTokenGeneration`` . For new instances of pre token generation triggers, set the ``LambdaArn`` of ``PreTokenGenerationConfig`` .
+            :param pre_token_generation_config: The detailed configuration of a `pre token generation Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html>`_ in a user pool. If you also set an ARN in ``PreTokenGeneration`` , its value must be identical to ``PreTokenGenerationConfig`` .
+            :param user_migration: The configuration of a `migrate user Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html>`_ in a user pool. This trigger can create user profiles when users sign in or attempt to reset their password with credentials that don't exist yet.
+            :param verify_auth_challenge_response: The configuration of a verify auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html
             :exampleMetadata: fixture=_generated
@@ -5429,7 +5483,7 @@ class CfnUserPool(
 
         @builtins.property
         def create_auth_challenge(self) -> typing.Optional[builtins.str]:
-            '''Creates an authentication challenge.
+            '''The configuration of a create auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-createauthchallenge
             '''
@@ -5449,7 +5503,9 @@ class CfnUserPool(
 
         @builtins.property
         def custom_message(self) -> typing.Optional[builtins.str]:
-            '''A custom Message AWS Lambda trigger.
+            '''A custom message Lambda trigger.
+
+            This trigger is an opportunity to customize all SMS and email messages from your user pool. When a custom message trigger is active, your user pool routes all messages to a Lambda function that returns a runtime-customized message subject and body for your user pool to deliver to a user.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-custommessage
             '''
@@ -5469,7 +5525,7 @@ class CfnUserPool(
 
         @builtins.property
         def define_auth_challenge(self) -> typing.Optional[builtins.str]:
-            '''Defines the authentication challenge.
+            '''The configuration of a define auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-defineauthchallenge
             '''
@@ -5489,7 +5545,7 @@ class CfnUserPool(
 
         @builtins.property
         def post_authentication(self) -> typing.Optional[builtins.str]:
-            '''A post-authentication AWS Lambda trigger.
+            '''The configuration of a `post authentication Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html>`_ in a user pool. This trigger can take custom actions after a user signs in.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-postauthentication
             '''
@@ -5498,7 +5554,7 @@ class CfnUserPool(
 
         @builtins.property
         def post_confirmation(self) -> typing.Optional[builtins.str]:
-            '''A post-confirmation AWS Lambda trigger.
+            '''The configuration of a `post confirmation Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html>`_ in a user pool. This trigger can take custom actions after a user confirms their user account and their email address or phone number.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-postconfirmation
             '''
@@ -5507,7 +5563,7 @@ class CfnUserPool(
 
         @builtins.property
         def pre_authentication(self) -> typing.Optional[builtins.str]:
-            '''A pre-authentication AWS Lambda trigger.
+            '''The configuration of a `pre authentication trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html>`_ in a user pool. This trigger can evaluate and modify user sign-in events.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-preauthentication
             '''
@@ -5516,7 +5572,7 @@ class CfnUserPool(
 
         @builtins.property
         def pre_sign_up(self) -> typing.Optional[builtins.str]:
-            '''A pre-registration AWS Lambda trigger.
+            '''The configuration of a `pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ in a user pool. This trigger evaluates new users and can bypass confirmation, `link a federated user profile <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html>`_ , or block sign-up requests.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-presignup
             '''
@@ -5525,12 +5581,10 @@ class CfnUserPool(
 
         @builtins.property
         def pre_token_generation(self) -> typing.Optional[builtins.str]:
-            '''The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
+            '''The legacy configuration of a `pre token generation Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html>`_ in a user pool.
 
             Set this parameter for legacy purposes. If you also set an ARN in ``PreTokenGenerationConfig`` , its value must be identical to ``PreTokenGeneration`` . For new instances of pre token generation triggers, set the ``LambdaArn`` of ``PreTokenGenerationConfig`` .
 
-            You can set ``
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-pretokengeneration
             '''
             result = self._values.get("pre_token_generation")
@@ -5540,9 +5594,7 @@ class CfnUserPool(
         def pre_token_generation_config(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PreTokenGenerationConfigProperty"]]:
-            '''The detailed configuration of a pre token generation trigger.
-
-            If you also set an ARN in ``PreTokenGeneration`` , its value must be identical to ``PreTokenGenerationConfig`` .
+            '''The detailed configuration of a `pre token generation Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html>`_ in a user pool. If you also set an ARN in ``PreTokenGeneration`` , its value must be identical to ``PreTokenGenerationConfig`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-pretokengenerationconfig
             '''
@@ -5551,7 +5603,7 @@ class CfnUserPool(
 
         @builtins.property
         def user_migration(self) -> typing.Optional[builtins.str]:
-            '''The user migration Lambda config type.
+            '''The configuration of a `migrate user Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html>`_ in a user pool. This trigger can create user profiles when users sign in or attempt to reset their password with credentials that don't exist yet.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-usermigration
             '''
@@ -5560,7 +5612,7 @@ class CfnUserPool(
 
         @builtins.property
         def verify_auth_challenge_response(self) -> typing.Optional[builtins.str]:
-            '''Verifies the authentication challenge response.
+            '''The configuration of a verify auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-verifyauthchallengeresponse
             '''
@@ -5590,7 +5642,9 @@ class CfnUserPool(
             max_value: typing.Optional[builtins.str] = None,
             min_value: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The minimum and maximum values of an attribute that is of the number data type.
+            '''The minimum and maximum values of an attribute that is of the number type, for example ``custom:age`` .
+
+            This data type is part of `SchemaAttributeType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html>`_ . It defines the length constraints on number-type attributes that you configure in `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and displays the length constraints of all number-type attributes in the response to `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_
 
             :param max_value: The maximum length of a number attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
             :param min_value: The minimum value of an attribute that is of the number data type.
@@ -5675,14 +5729,16 @@ class CfnUserPool(
             require_uppercase: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
             temporary_password_validity_days: typing.Optional[jsii.Number] = None,
         ) -> None:
-            '''The password policy type.
+            '''The password policy settings for a user pool, including complexity, history, and length requirements.
+
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param minimum_length: The minimum length of the password in the policy that you have set. This value can't be less than 6.
             :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` . Password history isn't enforced and isn't displayed in `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ responses when you set this value to ``0`` or don't provide it. To activate this setting, `advanced security features <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ must be active in your user pool.
-            :param require_lowercase: In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
-            :param require_numbers: In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
-            :param require_symbols: In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
-            :param require_uppercase: In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
+            :param require_lowercase: The requirement in a password policy that users must include at least one lowercase letter in their password.
+            :param require_numbers: The requirement in a password policy that users must include at least one number in their password.
+            :param require_symbols: The requirement in a password policy that users must include at least one symbol in their password.
+            :param require_uppercase: The requirement in a password policy that users must include at least one uppercase letter in their password.
             :param temporary_password_validity_days: The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to ``7`` . If you submit a value of ``0`` , Amazon Cognito treats it as a null value and sets ``TemporaryPasswordValidityDays`` to its default value. .. epigraph:: When you set ``TemporaryPasswordValidityDays`` for a user pool, you can no longer set a value for the legacy ``UnusedAccountValidityDays`` parameter in that user pool.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html
@@ -5757,7 +5813,7 @@ class CfnUserPool(
         def require_lowercase(
             self,
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-            '''In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
+            '''The requirement in a password policy that users must include at least one lowercase letter in their password.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requirelowercase
             '''
@@ -5768,7 +5824,7 @@ class CfnUserPool(
         def require_numbers(
             self,
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-            '''In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
+            '''The requirement in a password policy that users must include at least one number in their password.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requirenumbers
             '''
@@ -5779,7 +5835,7 @@ class CfnUserPool(
         def require_symbols(
             self,
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-            '''In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
+            '''The requirement in a password policy that users must include at least one symbol in their password.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requiresymbols
             '''
@@ -5790,7 +5846,7 @@ class CfnUserPool(
         def require_uppercase(
             self,
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-            '''In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
+            '''The requirement in a password policy that users must include at least one uppercase letter in their password.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requireuppercase
             '''
@@ -5833,9 +5889,11 @@ class CfnUserPool(
             *,
             password_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.PasswordPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''The policy associated with a user pool.
+            '''A list of user pool policies. Contains the policy that sets password-complexity requirements.
 
-            :param password_policy: The password policy.
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
+            :param password_policy: The password policy settings for a user pool, including complexity, history, and length requirements.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html
             :exampleMetadata: fixture=_generated
@@ -5869,7 +5927,7 @@ class CfnUserPool(
         def password_policy(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PasswordPolicyProperty"]]:
-            '''The password policy.
+            '''The password policy settings for a user pool, including complexity, history, and length requirements.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-passwordpolicy
             '''
@@ -5901,6 +5959,8 @@ class CfnUserPool(
         ) -> None:
             '''The properties of a pre token generation Lambda trigger.
 
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
             :param lambda_arn: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger. This parameter and the ``PreTokenGeneration`` property of ``LambdaConfig`` have the same value. For new instances of pre token generation triggers, set ``LambdaArn`` .
             :param lambda_version: The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
 
@@ -6060,7 +6120,9 @@ class CfnUserPool(
 
             The attribute schema contains standard attributes, custom attributes with a ``custom:`` prefix, and developer attributes with a ``dev:`` prefix. For more information, see `User pool attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
 
-            Developer-only attributes are a legacy feature of user pools, are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
+            Developer-only ``dev:`` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
+
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param attribute_data_type: The data format of the values for your attribute. When you choose an ``AttributeDataType`` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example ``"custom:isMember" : "true"`` or ``"custom:YearsAsMember" : "12"`` .
             :param developer_only_attribute: .. epigraph:: We recommend that you use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` . Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.
@@ -6332,7 +6394,7 @@ class CfnUserPool(
             ``StringAttributeConstraints`` is a subproperty of the `SchemaAttribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html>`_ property type.
 
             :param max_length: The maximum length of a string attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
-            :param min_length: The minimum length.
+            :param min_length: The minimum length of a string attribute value.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-stringattributeconstraints.html
             :exampleMetadata: fixture=_generated
@@ -6371,7 +6433,7 @@ class CfnUserPool(
 
         @builtins.property
         def min_length(self) -> typing.Optional[builtins.str]:
-            '''The minimum length.
+            '''The minimum length of a string attribute value.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-stringattributeconstraints.html#cfn-cognito-userpool-stringattributeconstraints-minlength
             '''
@@ -6480,6 +6542,8 @@ class CfnUserPool(
 
             For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
 
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
             :param advanced_security_additional_flows: 
             :param advanced_security_mode: The operating mode of advanced security features for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
 
@@ -6552,7 +6616,7 @@ class CfnUserPool(
         ) -> None:
             '''The ``UsernameConfiguration`` property type specifies case sensitivity on the username input for the selected sign-in option.
 
-            :param case_sensitive: Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name. Valid values include: - **True** - Enables case sensitivity for all username input. When this option is set to ``True`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value. - **False** - Enables case insensitivity for all username input. For example, when this option is set to ``False`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
+            :param case_sensitive: Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name. Valid values include: - **true** - Enables case sensitivity for all username input. When this option is set to ``true`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value. - **false** - Enables case insensitivity for all username input. For example, when this option is set to ``false`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-usernameconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -6584,8 +6648,8 @@ class CfnUserPool(
 
             Valid values include:
 
-            - **True** - Enables case sensitivity for all username input. When this option is set to ``True`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value.
-            - **False** - Enables case insensitivity for all username input. For example, when this option is set to ``False`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
+            - **true** - Enables case sensitivity for all username input. When this option is set to ``true`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value.
+            - **false** - Enables case insensitivity for all username input. For example, when this option is set to ``false`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-usernameconfiguration.html#cfn-cognito-userpool-usernameconfiguration-casesensitive
             '''
@@ -6626,9 +6690,11 @@ class CfnUserPool(
             email_subject_by_link: typing.Optional[builtins.str] = None,
             sms_message: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The template for verification messages.
+            '''The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
 
-            :param default_email_option: The default email option.
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
+            :param default_email_option: The configuration of verification emails to contain a clickable link or a verification code. For link, your template body must contain link text in the format ``{##Click here##}`` . "Click here" in the example is a customizable string. For code, your template body must contain a code placeholder in the format ``{####}`` .
             :param email_message: The template for email messages that Amazon Cognito sends to your users. You can set an ``EmailMessage`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
             :param email_message_by_link: The email message template for sending a confirmation link to the user. You can set an ``EmailMessageByLink`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
             :param email_subject: The subject line for the email message template. You can set an ``EmailSubject`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
@@ -6677,7 +6743,9 @@ class CfnUserPool(
 
         @builtins.property
         def default_email_option(self) -> typing.Optional[builtins.str]:
-            '''The default email option.
+            '''The configuration of verification emails to contain a clickable link or a verification code.
+
+            For link, your template body must contain link text in the format ``{##Click here##}`` . "Click here" in the example is a customizable string. For code, your template body must contain a code placeholder in the format ``{####}`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-defaultemailoption
             '''
@@ -6874,7 +6942,7 @@ class CfnUserPoolClient(
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ``ENABLED`` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs will return a ``UserNotFoundException`` exception if the user does not exist in the user pool.
-        :param read_attributes: The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
+        :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
@@ -7235,7 +7303,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="readAttributes")
     def read_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The list of user attributes that you want your app client to have read-only access to.'''
+        '''The list of user attributes that you want your app client to have read access to.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "readAttributes"))
 
     @read_attributes.setter
@@ -7334,16 +7402,18 @@ class CfnUserPoolClient(
             role_arn: typing.Optional[builtins.str] = None,
             user_data_shared: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         ) -> None:
-            '''The Amazon Pinpoint analytics configuration necessary to collect metrics for a user pool.
+            '''The settings for Amazon Pinpoint analytics configuration.
 
-            .. epigraph::
+            With an analytics configuration, your application can collect user-activity metrics for user notifications with a Amazon Pinpoint campaign.
+
+            Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see `Amazon Cognito and Amazon Pinpoint Region availability <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings>`_ .
 
-               In Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
+            This data type is a request parameter of `CreateUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html>`_ and `UpdateUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html>`_ , and a response parameter of `DescribeUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html>`_ .
 
             :param application_arn: The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You can use the Amazon Pinpoint project for integration with the chosen user pool client. Amazon Cognito publishes events to the Amazon Pinpoint project that the app ARN declares.
-            :param application_id: The application ID for an Amazon Pinpoint application.
-            :param external_id: The external ID.
-            :param role_arn: The ARN of an AWS Identity and Access Management role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
+            :param application_id: Your Amazon Pinpoint project ID.
+            :param external_id: The `external ID <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
+            :param role_arn: The ARN of an AWS Identity and Access Management role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
             :param user_data_shared: If ``UserDataShared`` is ``true`` , Amazon Cognito includes user data in the events that it publishes to Amazon Pinpoint analytics.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html
@@ -7395,7 +7465,7 @@ class CfnUserPoolClient(
 
         @builtins.property
         def application_id(self) -> typing.Optional[builtins.str]:
-            '''The application ID for an Amazon Pinpoint application.
+            '''Your Amazon Pinpoint project ID.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-applicationid
             '''
@@ -7404,7 +7474,7 @@ class CfnUserPoolClient(
 
         @builtins.property
         def external_id(self) -> typing.Optional[builtins.str]:
-            '''The external ID.
+            '''The `external ID <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-externalid
             '''
@@ -7413,7 +7483,7 @@ class CfnUserPoolClient(
 
         @builtins.property
         def role_arn(self) -> typing.Optional[builtins.str]:
-            '''The ARN of an AWS Identity and Access Management role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
+            '''The ARN of an AWS Identity and Access Management role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-rolearn
             '''
@@ -7463,9 +7533,9 @@ class CfnUserPoolClient(
 
             The default unit for RefreshToken is days, and the default for ID and access tokens is hours.
 
-            :param access_token: A time unit of ``seconds`` , ``minutes`` , ``hours`` , or ``days`` for the value that you set in the ``AccessTokenValidity`` parameter. The default ``AccessTokenValidity`` time unit is hours. ``AccessTokenValidity`` duration can range from five minutes to one day.
-            :param id_token: A time unit of ``seconds`` , ``minutes`` , ``hours`` , or ``days`` for the value that you set in the ``IdTokenValidity`` parameter. The default ``IdTokenValidity`` time unit is hours. ``IdTokenValidity`` duration can range from five minutes to one day.
-            :param refresh_token: A time unit of ``seconds`` , ``minutes`` , ``hours`` , or ``days`` for the value that you set in the ``RefreshTokenValidity`` parameter. The default ``RefreshTokenValidity`` time unit is days. ``RefreshTokenValidity`` duration can range from 60 minutes to 10 years.
+            :param access_token: A time unit for the value that you set in the ``AccessTokenValidity`` parameter. The default ``AccessTokenValidity`` time unit is ``hours`` . ``AccessTokenValidity`` duration can range from five minutes to one day.
+            :param id_token: A time unit for the value that you set in the ``IdTokenValidity`` parameter. The default ``IdTokenValidity`` time unit is ``hours`` . ``IdTokenValidity`` duration can range from five minutes to one day.
+            :param refresh_token: A time unit for the value that you set in the ``RefreshTokenValidity`` parameter. The default ``RefreshTokenValidity`` time unit is ``days`` . ``RefreshTokenValidity`` duration can range from 60 minutes to 10 years.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-tokenvalidityunits.html
             :exampleMetadata: fixture=_generated
@@ -7497,9 +7567,9 @@ class CfnUserPoolClient(
 
         @builtins.property
         def access_token(self) -> typing.Optional[builtins.str]:
-            '''A time unit of ``seconds`` , ``minutes`` , ``hours`` , or ``days`` for the value that you set in the ``AccessTokenValidity`` parameter.
+            '''A time unit for the value that you set in the ``AccessTokenValidity`` parameter.
 
-            The default ``AccessTokenValidity`` time unit is hours. ``AccessTokenValidity`` duration can range from five minutes to one day.
+            The default ``AccessTokenValidity`` time unit is ``hours`` . ``AccessTokenValidity`` duration can range from five minutes to one day.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-tokenvalidityunits.html#cfn-cognito-userpoolclient-tokenvalidityunits-accesstoken
             '''
@@ -7508,9 +7578,9 @@ class CfnUserPoolClient(
 
         @builtins.property
         def id_token(self) -> typing.Optional[builtins.str]:
-            '''A time unit of ``seconds`` , ``minutes`` , ``hours`` , or ``days`` for the value that you set in the ``IdTokenValidity`` parameter.
+            '''A time unit for the value that you set in the ``IdTokenValidity`` parameter.
 
-            The default ``IdTokenValidity`` time unit is hours. ``IdTokenValidity`` duration can range from five minutes to one day.
+            The default ``IdTokenValidity`` time unit is ``hours`` . ``IdTokenValidity`` duration can range from five minutes to one day.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-tokenvalidityunits.html#cfn-cognito-userpoolclient-tokenvalidityunits-idtoken
             '''
@@ -7519,9 +7589,9 @@ class CfnUserPoolClient(
 
         @builtins.property
         def refresh_token(self) -> typing.Optional[builtins.str]:
-            '''A time unit of ``seconds`` , ``minutes`` , ``hours`` , or ``days`` for the value that you set in the ``RefreshTokenValidity`` parameter.
+            '''A time unit for the value that you set in the ``RefreshTokenValidity`` parameter.
 
-            The default ``RefreshTokenValidity`` time unit is days. ``RefreshTokenValidity`` duration can range from 60 minutes to 10 years.
+            The default ``RefreshTokenValidity`` time unit is ``days`` . ``RefreshTokenValidity`` duration can range from 60 minutes to 10 years.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-tokenvalidityunits.html#cfn-cognito-userpoolclient-tokenvalidityunits-refreshtoken
             '''
@@ -7614,7 +7684,7 @@ class CfnUserPoolClientProps:
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ``ENABLED`` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs will return a ``UserNotFoundException`` exception if the user does not exist in the user pool.
-        :param read_attributes: The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
+        :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
@@ -7985,11 +8055,11 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def read_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The list of user attributes that you want your app client to have read-only access to.
+        '''The list of user attributes that you want your app client to have read access to.
 
         After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data.
 
-        When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
+        When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-readattributes
         '''
@@ -8229,7 +8299,9 @@ class CfnUserPoolDomain(
             *,
             certificate_arn: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The configuration for a custom domain that hosts the sign-up and sign-in webpages for your application.
+            '''The configuration for a hosted UI custom domain.
+
+            This data type is a request parameter of `CreateUserPoolDomain <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolDomain.html>`_ and `UpdateUserPoolDomain <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html>`_ .
 
             :param certificate_arn: The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain.
 
@@ -9061,6 +9133,8 @@ class CfnUserPoolIdentityProviderProps:
         "auto_verified_attributes": "autoVerifiedAttributes",
         "deletion_protection": "deletionProtection",
         "device_configuration": "deviceConfiguration",
+        "email_authentication_message": "emailAuthenticationMessage",
+        "email_authentication_subject": "emailAuthenticationSubject",
         "email_configuration": "emailConfiguration",
         "email_verification_message": "emailVerificationMessage",
         "email_verification_subject": "emailVerificationSubject",
@@ -9091,6 +9165,8 @@ class CfnUserPoolProps:
         auto_verified_attributes: typing.Optional[typing.Sequence[builtins.str]] = None,
         deletion_protection: typing.Optional[builtins.str] = None,
         device_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.DeviceConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        email_authentication_message: typing.Optional[builtins.str] = None,
+        email_authentication_subject: typing.Optional[builtins.str] = None,
         email_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.EmailConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         email_verification_message: typing.Optional[builtins.str] = None,
         email_verification_subject: typing.Optional[builtins.str] = None,
@@ -9113,18 +9189,20 @@ class CfnUserPoolProps:
         '''Properties for defining a ``CfnUserPool``.
 
         :param account_recovery_setting: Use this setting to define which verified available method a user can use to recover their password when they call ``ForgotPassword`` . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
-        :param admin_create_user_config: The configuration for creating a new user profile.
+        :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
         :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . .. epigraph:: This user pool property cannot be updated.
         :param auto_verified_attributes: The attributes to be auto-verified. Possible values: *email* , *phone_number* .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
         :param device_configuration: The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
+        :param email_authentication_message: 
+        :param email_authentication_subject: 
         :param email_configuration: The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
         :param email_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
         :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
         :param enabled_mfas: Enables MFA on a specified user pool. To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values: - ``SMS_MFA`` - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided. - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA``
-        :param lambda_config: The Lambda trigger configuration information for the new user pool. .. epigraph:: In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function. For more information on using the Lambda API to add permission, see `AddPermission <https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html>`_ . For adding permission using the AWS CLI , see `add-permission <https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html>`_ .
+        :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
-        :param policies: The policy associated with a user pool.
+        :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
         :param schema: The schema attributes for the new user pool. These attributes can be standard or custom attributes. .. epigraph:: During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
         :param sms_authentication_message: A string representing the SMS authentication message.
         :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
@@ -9135,7 +9213,7 @@ class CfnUserPoolProps:
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
-        :param verification_message_template: The template for the verification message that the user sees when the app requests permission to access the user's information.
+        :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
         :exampleMetadata: fixture=_generated
@@ -9171,6 +9249,8 @@ class CfnUserPoolProps:
                     challenge_required_on_new_device=False,
                     device_only_remembered_on_user_prompt=False
                 ),
+                email_authentication_message="emailAuthenticationMessage",
+                email_authentication_subject="emailAuthenticationSubject",
                 email_configuration=cognito.CfnUserPool.EmailConfigurationProperty(
                     configuration_set="configurationSet",
                     email_sending_account="emailSendingAccount",
@@ -9273,6 +9353,8 @@ class CfnUserPoolProps:
             check_type(argname="argument auto_verified_attributes", value=auto_verified_attributes, expected_type=type_hints["auto_verified_attributes"])
             check_type(argname="argument deletion_protection", value=deletion_protection, expected_type=type_hints["deletion_protection"])
             check_type(argname="argument device_configuration", value=device_configuration, expected_type=type_hints["device_configuration"])
+            check_type(argname="argument email_authentication_message", value=email_authentication_message, expected_type=type_hints["email_authentication_message"])
+            check_type(argname="argument email_authentication_subject", value=email_authentication_subject, expected_type=type_hints["email_authentication_subject"])
             check_type(argname="argument email_configuration", value=email_configuration, expected_type=type_hints["email_configuration"])
             check_type(argname="argument email_verification_message", value=email_verification_message, expected_type=type_hints["email_verification_message"])
             check_type(argname="argument email_verification_subject", value=email_verification_subject, expected_type=type_hints["email_verification_subject"])
@@ -9304,6 +9386,10 @@ class CfnUserPoolProps:
             self._values["deletion_protection"] = deletion_protection
         if device_configuration is not None:
             self._values["device_configuration"] = device_configuration
+        if email_authentication_message is not None:
+            self._values["email_authentication_message"] = email_authentication_message
+        if email_authentication_subject is not None:
+            self._values["email_authentication_subject"] = email_authentication_subject
         if email_configuration is not None:
             self._values["email_configuration"] = email_configuration
         if email_verification_message is not None:
@@ -9358,7 +9444,11 @@ class CfnUserPoolProps:
     def admin_create_user_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.AdminCreateUserConfigProperty]]:
-        '''The configuration for creating a new user profile.
+        '''The settings for administrator creation of users in a user pool.
+
+        Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
+
+        This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-admincreateuserconfig
         '''
@@ -9419,6 +9509,22 @@ class CfnUserPoolProps:
         result = self._values.get("device_configuration")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.DeviceConfigurationProperty]], result)
 
+    @builtins.property
+    def email_authentication_message(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailauthenticationmessage
+        '''
+        result = self._values.get("email_authentication_message")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def email_authentication_subject(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailauthenticationsubject
+        '''
+        result = self._values.get("email_authentication_subject")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def email_configuration(
         self,
@@ -9474,15 +9580,9 @@ class CfnUserPoolProps:
     def lambda_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.LambdaConfigProperty]]:
-        '''The Lambda trigger configuration information for the new user pool.
+        '''A collection of user pool Lambda triggers.
 
-        .. epigraph::
-
-           In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function.
-
-           For more information on using the Lambda API to add permission, see `AddPermission <https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html>`_ .
-
-           For adding permission using the AWS CLI , see `add-permission <https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html>`_ .
+        Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-lambdaconfig
         '''
@@ -9506,7 +9606,9 @@ class CfnUserPoolProps:
     def policies(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.PoliciesProperty]]:
-        '''The policy associated with a user pool.
+        '''A list of user pool policies. Contains the policy that sets password-complexity requirements.
+
+        This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-policies
         '''
@@ -9641,7 +9743,9 @@ class CfnUserPoolProps:
     def verification_message_template(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.VerificationMessageTemplateProperty]]:
-        '''The template for the verification message that the user sees when the app requests permission to access the user's information.
+        '''The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
+
+        Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-verificationmessagetemplate
         '''
@@ -9830,10 +9934,14 @@ class CfnUserPoolResourceServer(
             scope_description: builtins.str,
             scope_name: builtins.str,
         ) -> None:
-            '''A resource server scope.
+            '''One custom scope associated with a user pool resource server.
+
+            This data type is a member of ``ResourceServerScopeType`` . For more information, see `Scopes, M2M, and API authorization with resource servers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html>`_ .
 
-            :param scope_description: A description of the scope.
-            :param scope_name: The name of the scope.
+            This data type is a request parameter of `CreateResourceServer <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html>`_ and a response parameter of `DescribeResourceServer <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html>`_ .
+
+            :param scope_description: A friendly description of a custom scope.
+            :param scope_name: The name of the scope. Amazon Cognito renders custom scopes in the format ``resourceServerIdentifier/ScopeName`` . For example, if this parameter is ``exampleScope`` in the resource server with the identifier ``exampleResourceServer`` , you request and receive the scope ``exampleResourceServer/exampleScope`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolresourceserver-resourceserverscopetype.html
             :exampleMetadata: fixture=_generated
@@ -9860,7 +9968,7 @@ class CfnUserPoolResourceServer(
 
         @builtins.property
         def scope_description(self) -> builtins.str:
-            '''A description of the scope.
+            '''A friendly description of a custom scope.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolresourceserver-resourceserverscopetype.html#cfn-cognito-userpoolresourceserver-resourceserverscopetype-scopedescription
             '''
@@ -9872,6 +9980,8 @@ class CfnUserPoolResourceServer(
         def scope_name(self) -> builtins.str:
             '''The name of the scope.
 
+            Amazon Cognito renders custom scopes in the format ``resourceServerIdentifier/ScopeName`` . For example, if this parameter is ``exampleScope`` in the resource server with the identifier ``exampleResourceServer`` , you request and receive the scope ``exampleResourceServer/exampleScope`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolresourceserver-resourceserverscopetype.html#cfn-cognito-userpoolresourceserver-resourceserverscopetype-scopename
             '''
             result = self._values.get("scope_name")
@@ -10109,10 +10219,10 @@ class CfnUserPoolRiskConfigurationAttachment(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param client_id: The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ``ALL`` ).
-        :param user_pool_id: The user pool ID.
-        :param account_takeover_risk_configuration: The account takeover risk configuration object, including the ``NotifyConfiguration`` object and ``Actions`` to take if there is an account takeover.
-        :param compromised_credentials_risk_configuration: The compromised credentials risk configuration object, including the ``EventFilter`` and the ``EventAction`` .
-        :param risk_exception_configuration: The configuration to override the risk decision.
+        :param user_pool_id: The ID of the user pool that has the risk configuration applied.
+        :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with advanced security features.
+        :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
+        :param risk_exception_configuration: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e3245a667ca916eabc555ef843b4a36bfcb47060fa353bd730066a76dcad5a96)
@@ -10179,7 +10289,7 @@ class CfnUserPoolRiskConfigurationAttachment(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID.'''
+        '''The ID of the user pool that has the risk configuration applied.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -10194,7 +10304,7 @@ class CfnUserPoolRiskConfigurationAttachment(
     def account_takeover_risk_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty"]]:
-        '''The account takeover risk configuration object, including the ``NotifyConfiguration`` object and ``Actions`` to take if there is an account takeover.'''
+        '''The settings for automated responses and notification templates for adaptive authentication with advanced security features.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty"]], jsii.get(self, "accountTakeoverRiskConfiguration"))
 
     @account_takeover_risk_configuration.setter
@@ -10212,7 +10322,7 @@ class CfnUserPoolRiskConfigurationAttachment(
     def compromised_credentials_risk_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty"]]:
-        '''The compromised credentials risk configuration object, including the ``EventFilter`` and the ``EventAction`` .'''
+        '''Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty"]], jsii.get(self, "compromisedCredentialsRiskConfiguration"))
 
     @compromised_credentials_risk_configuration.setter
@@ -10230,7 +10340,7 @@ class CfnUserPoolRiskConfigurationAttachment(
     def risk_exception_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.RiskExceptionConfigurationTypeProperty"]]:
-        '''The configuration to override the risk decision.'''
+        '''Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.RiskExceptionConfigurationTypeProperty"]], jsii.get(self, "riskExceptionConfiguration"))
 
     @risk_exception_configuration.setter
@@ -10255,10 +10365,14 @@ class CfnUserPoolRiskConfigurationAttachment(
             event_action: builtins.str,
             notify: typing.Union[builtins.bool, _IResolvable_da3f097b],
         ) -> None:
-            '''Account takeover action type.
+            '''The automated response to a risk level for adaptive authentication in full-function, or ``ENFORCED`` , mode.
 
-            :param event_action: The action to take in response to the account takeover action. Valid values are as follows:. - ``BLOCK`` Choosing this action will block the request. - ``MFA_IF_CONFIGURED`` Present an MFA challenge if user has configured it, else allow the request. - ``MFA_REQUIRED`` Present an MFA challenge if user has configured it, else block the request. - ``NO_ACTION`` Allow the user to sign in.
-            :param notify: Flag specifying whether to send a notification.
+            You can assign an action to each risk level that advanced security features evaluates.
+
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
+
+            :param event_action: The action to take for the attempted account takeover action for the associated risk level. Valid values are as follows: - ``BLOCK`` : Block the request. - ``MFA_IF_CONFIGURED`` : Present an MFA challenge if possible. MFA is possible if the user pool has active MFA methods that the user can set up. For example, if the user pool only supports SMS message MFA but the user doesn't have a phone number attribute, MFA setup isn't possible. If MFA setup isn't possible, allow the request. - ``MFA_REQUIRED`` : Present an MFA challenge if possible. Block the request if a user hasn't set up MFA. To sign in with required MFA, users must have an email address or phone number attribute, or a registered TOTP factor. - ``NO_ACTION`` : Take no action. Permit sign-in.
+            :param notify: Determines whether Amazon Cognito sends a user a notification message when your user pools assesses a user's session at the associated risk level.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype.html
             :exampleMetadata: fixture=_generated
@@ -10285,12 +10399,14 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def event_action(self) -> builtins.str:
-            '''The action to take in response to the account takeover action. Valid values are as follows:.
+            '''The action to take for the attempted account takeover action for the associated risk level.
 
-            - ``BLOCK`` Choosing this action will block the request.
-            - ``MFA_IF_CONFIGURED`` Present an MFA challenge if user has configured it, else allow the request.
-            - ``MFA_REQUIRED`` Present an MFA challenge if user has configured it, else block the request.
-            - ``NO_ACTION`` Allow the user to sign in.
+            Valid values are as follows:
+
+            - ``BLOCK`` : Block the request.
+            - ``MFA_IF_CONFIGURED`` : Present an MFA challenge if possible. MFA is possible if the user pool has active MFA methods that the user can set up. For example, if the user pool only supports SMS message MFA but the user doesn't have a phone number attribute, MFA setup isn't possible. If MFA setup isn't possible, allow the request.
+            - ``MFA_REQUIRED`` : Present an MFA challenge if possible. Block the request if a user hasn't set up MFA. To sign in with required MFA, users must have an email address or phone number attribute, or a registered TOTP factor.
+            - ``NO_ACTION`` : Take no action. Permit sign-in.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype-eventaction
             '''
@@ -10300,7 +10416,7 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def notify(self) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
-            '''Flag specifying whether to send a notification.
+            '''Determines whether Amazon Cognito sends a user a notification message when your user pools assesses a user's session at the associated risk level.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype-notify
             '''
@@ -10336,11 +10452,13 @@ class CfnUserPoolRiskConfigurationAttachment(
             low_action: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             medium_action: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''Account takeover actions type.
+            '''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
+
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
 
-            :param high_action: Action to take for a high risk.
-            :param low_action: Action to take for a low risk.
-            :param medium_action: Action to take for a medium risk.
+            :param high_action: The action that you assign to a high-risk assessment by advanced security features.
+            :param low_action: The action that you assign to a low-risk assessment by advanced security features.
+            :param medium_action: The action that you assign to a medium-risk assessment by advanced security features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html
             :exampleMetadata: fixture=_generated
@@ -10383,7 +10501,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def high_action(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
-            '''Action to take for a high risk.
+            '''The action that you assign to a high-risk assessment by advanced security features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-highaction
             '''
@@ -10394,7 +10512,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def low_action(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
-            '''Action to take for a low risk.
+            '''The action that you assign to a low-risk assessment by advanced security features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-lowaction
             '''
@@ -10405,7 +10523,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def medium_action(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
-            '''Action to take for a medium risk.
+            '''The action that you assign to a medium-risk assessment by advanced security features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-mediumaction
             '''
@@ -10438,10 +10556,12 @@ class CfnUserPoolRiskConfigurationAttachment(
             actions: typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty", typing.Dict[builtins.str, typing.Any]]],
             notify_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''Configuration for mitigation actions and notification for different levels of risk detected for a potential account takeover.
+            '''The settings for automated responses and notification templates for adaptive authentication with advanced security features.
 
-            :param actions: Account takeover risk configuration actions.
-            :param notify_configuration: The notify configuration used to construct email notifications.
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
+
+            :param actions: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
+            :param notify_configuration: The settings for composing and sending an email message when advanced security features assesses a risk level with adaptive authentication. When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html
             :exampleMetadata: fixture=_generated
@@ -10513,7 +10633,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def actions(
             self,
         ) -> typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty"]:
-            '''Account takeover risk configuration actions.
+            '''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype-actions
             '''
@@ -10525,7 +10645,9 @@ class CfnUserPoolRiskConfigurationAttachment(
         def notify_configuration(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty"]]:
-            '''The notify configuration used to construct email notifications.
+            '''The settings for composing and sending an email message when advanced security features assesses a risk level with adaptive authentication.
+
+            When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype-notifyconfiguration
             '''
@@ -10550,9 +10672,11 @@ class CfnUserPoolRiskConfigurationAttachment(
     )
     class CompromisedCredentialsActionsTypeProperty:
         def __init__(self, *, event_action: builtins.str) -> None:
-            '''The compromised credentials actions type.
+            '''Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-function ``ENFORCED`` mode.
 
-            :param event_action: The event action.
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
+
+            :param event_action: The action that Amazon Cognito takes when it detects compromised credentials.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsactionstype.html
             :exampleMetadata: fixture=_generated
@@ -10576,7 +10700,7 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def event_action(self) -> builtins.str:
-            '''The event action.
+            '''The action that Amazon Cognito takes when it detects compromised credentials.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsactionstype.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsactionstype-eventaction
             '''
@@ -10607,10 +10731,12 @@ class CfnUserPoolRiskConfigurationAttachment(
             actions: typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsActionsTypeProperty", typing.Dict[builtins.str, typing.Any]]],
             event_filter: typing.Optional[typing.Sequence[builtins.str]] = None,
         ) -> None:
-            '''The compromised credentials risk configuration type.
+            '''Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-function ``ENFORCED`` mode.
+
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
 
-            :param actions: The compromised credentials risk configuration actions.
-            :param event_filter: Perform the action for these events. The default is to perform all events if no event filter is specified.
+            :param actions: Settings for the actions that you want your user pool to take when Amazon Cognito detects compromised credentials.
+            :param event_filter: Settings for the sign-in activity where you want to configure compromised-credentials actions. Defaults to all events.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype.html
             :exampleMetadata: fixture=_generated
@@ -10644,7 +10770,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def actions(
             self,
         ) -> typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsActionsTypeProperty"]:
-            '''The compromised credentials risk configuration actions.
+            '''Settings for the actions that you want your user pool to take when Amazon Cognito detects compromised credentials.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype-actions
             '''
@@ -10654,9 +10780,9 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def event_filter(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''Perform the action for these events.
+            '''Settings for the sign-in activity where you want to configure compromised-credentials actions.
 
-            The default is to perform all events if no event filter is specified.
+            Defaults to all events.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype-eventfilter
             '''
@@ -10697,14 +10823,16 @@ class CfnUserPoolRiskConfigurationAttachment(
             no_action_email: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             reply_to: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The notify configuration type.
+            '''The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a *Notify* action.
+
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
 
             :param source_arn: The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. This identity permits Amazon Cognito to send for the email address specified in the ``From`` parameter.
-            :param block_email: Email template used when a detected risk event is blocked.
-            :param from_: The email address that is sending the email. The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
-            :param mfa_email: The multi-factor authentication (MFA) email template used when MFA is challenged as part of a detected risk.
-            :param no_action_email: The email template used when a detected risk event is allowed.
-            :param reply_to: The destination to which the receiver of an email should reply to.
+            :param block_email: The template for the email message that your user pool sends when a detected risk event is blocked.
+            :param from_: The email address that sends the email message. The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
+            :param mfa_email: The template for the email message that your user pool sends when MFA is challenged in response to a detected risk.
+            :param no_action_email: The template for the email message that your user pool sends when no action is taken in response to a detected risk.
+            :param reply_to: The reply-to email address of an email template.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html
             :exampleMetadata: fixture=_generated
@@ -10782,7 +10910,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def block_email(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty"]]:
-            '''Email template used when a detected risk event is blocked.
+            '''The template for the email message that your user pool sends when a detected risk event is blocked.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-blockemail
             '''
@@ -10791,7 +10919,7 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def from_(self) -> typing.Optional[builtins.str]:
-            '''The email address that is sending the email.
+            '''The email address that sends the email message.
 
             The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
 
@@ -10804,7 +10932,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def mfa_email(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty"]]:
-            '''The multi-factor authentication (MFA) email template used when MFA is challenged as part of a detected risk.
+            '''The template for the email message that your user pool sends when MFA is challenged in response to a detected risk.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-mfaemail
             '''
@@ -10815,7 +10943,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         def no_action_email(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty"]]:
-            '''The email template used when a detected risk event is allowed.
+            '''The template for the email message that your user pool sends when no action is taken in response to a detected risk.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-noactionemail
             '''
@@ -10824,7 +10952,7 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def reply_to(self) -> typing.Optional[builtins.str]:
-            '''The destination to which the receiver of an email should reply to.
+            '''The reply-to email address of an email template.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-replyto
             '''
@@ -10859,11 +10987,13 @@ class CfnUserPoolRiskConfigurationAttachment(
             html_body: typing.Optional[builtins.str] = None,
             text_body: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The notify email type.
+            '''The template for email messages that advanced security features sends to a user when your threat protection automated response has a *Notify* action.
+
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
 
-            :param subject: The email subject.
-            :param html_body: The email HTML body.
-            :param text_body: The email text body.
+            :param subject: The subject of the threat protection email notification.
+            :param html_body: The body of an email notification formatted in HTML. Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
+            :param text_body: The body of an email notification formatted in plaintext. Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyemailtype.html
             :exampleMetadata: fixture=_generated
@@ -10897,7 +11027,7 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def subject(self) -> builtins.str:
-            '''The email subject.
+            '''The subject of the threat protection email notification.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyemailtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyemailtype-subject
             '''
@@ -10907,7 +11037,9 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def html_body(self) -> typing.Optional[builtins.str]:
-            '''The email HTML body.
+            '''The body of an email notification formatted in HTML.
+
+            Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyemailtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyemailtype-htmlbody
             '''
@@ -10916,7 +11048,9 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def text_body(self) -> typing.Optional[builtins.str]:
-            '''The email text body.
+            '''The body of an email notification formatted in plaintext.
+
+            Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyemailtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyemailtype-textbody
             '''
@@ -10949,10 +11083,12 @@ class CfnUserPoolRiskConfigurationAttachment(
             blocked_ip_range_list: typing.Optional[typing.Sequence[builtins.str]] = None,
             skipped_ip_range_list: typing.Optional[typing.Sequence[builtins.str]] = None,
         ) -> None:
-            '''The type of the configuration to override the risk decision.
+            '''Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
+
+            This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
 
-            :param blocked_ip_range_list: Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation, a compact representation of an IP address and its routing prefix.
-            :param skipped_ip_range_list: Risk detection isn't performed on the IP addresses in this range list. The IP range is in CIDR notation.
+            :param blocked_ip_range_list: An always-block IP address list. Overrides the risk decision and always blocks authentication requests. This parameter is displayed and set in CIDR notation.
+            :param skipped_ip_range_list: An always-allow IP address list. Risk detection isn't performed on the IP addresses in this range list. This parameter is displayed and set in CIDR notation.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype.html
             :exampleMetadata: fixture=_generated
@@ -10980,9 +11116,9 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def blocked_ip_range_list(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''Overrides the risk decision to always block the pre-authentication requests.
+            '''An always-block IP address list.
 
-            The IP range is in CIDR notation, a compact representation of an IP address and its routing prefix.
+            Overrides the risk decision and always blocks authentication requests. This parameter is displayed and set in CIDR notation.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype-blockediprangelist
             '''
@@ -10991,9 +11127,9 @@ class CfnUserPoolRiskConfigurationAttachment(
 
         @builtins.property
         def skipped_ip_range_list(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''Risk detection isn't performed on the IP addresses in this range list.
+            '''An always-allow IP address list.
 
-            The IP range is in CIDR notation.
+            Risk detection isn't performed on the IP addresses in this range list. This parameter is displayed and set in CIDR notation.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype-skippediprangelist
             '''
@@ -11036,10 +11172,10 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
         '''Properties for defining a ``CfnUserPoolRiskConfigurationAttachment``.
 
         :param client_id: The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ``ALL`` ).
-        :param user_pool_id: The user pool ID.
-        :param account_takeover_risk_configuration: The account takeover risk configuration object, including the ``NotifyConfiguration`` object and ``Actions`` to take if there is an account takeover.
-        :param compromised_credentials_risk_configuration: The compromised credentials risk configuration object, including the ``EventFilter`` and the ``EventAction`` .
-        :param risk_exception_configuration: The configuration to override the risk decision.
+        :param user_pool_id: The ID of the user pool that has the risk configuration applied.
+        :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with advanced security features.
+        :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
+        :param risk_exception_configuration: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html
         :exampleMetadata: fixture=_generated
@@ -11147,7 +11283,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID.
+        '''The ID of the user pool that has the risk configuration applied.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-userpoolid
         '''
@@ -11159,7 +11295,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
     def account_takeover_risk_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty]]:
-        '''The account takeover risk configuration object, including the ``NotifyConfiguration`` object and ``Actions`` to take if there is an account takeover.
+        '''The settings for automated responses and notification templates for adaptive authentication with advanced security features.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfiguration
         '''
@@ -11170,7 +11306,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
     def compromised_credentials_risk_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty]]:
-        '''The compromised credentials risk configuration object, including the ``EventFilter`` and the ``EventAction`` .
+        '''Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfiguration
         '''
@@ -11181,7 +11317,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
     def risk_exception_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolRiskConfigurationAttachment.RiskExceptionConfigurationTypeProperty]]:
-        '''The configuration to override the risk decision.
+        '''Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-riskexceptionconfiguration
         '''
@@ -11683,7 +11819,9 @@ class CfnUserPoolUser(
             name: typing.Optional[builtins.str] = None,
             value: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Specifies whether the attribute is standard or custom.
+            '''The name and value of a user attribute.
+
+            This data type is a request parameter of `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ and `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ .
 
             :param name: The name of the attribute.
             :param value: The value of the attribute.
@@ -17740,15 +17878,16 @@ class UserPoolIdentityProviderApple(
 
         # The code below shows an example of how to instantiate this type.
         # The values are placeholders you should change.
+        import aws_cdk as cdk
         from aws_cdk import aws_cognito as cognito
         
         # provider_attribute: cognito.ProviderAttribute
+        # secret_value: cdk.SecretValue
         # user_pool: cognito.UserPool
         
         user_pool_identity_provider_apple = cognito.UserPoolIdentityProviderApple(self, "MyUserPoolIdentityProviderApple",
             client_id="clientId",
             key_id="keyId",
-            private_key="privateKey",
             team_id="teamId",
             user_pool=user_pool,
         
@@ -17775,6 +17914,8 @@ class UserPoolIdentityProviderApple(
                 timezone=provider_attribute,
                 website=provider_attribute
             ),
+            private_key="privateKey",
+            private_key_value=secret_value,
             scopes=["scopes"]
         )
     '''
@@ -17786,8 +17927,9 @@ class UserPoolIdentityProviderApple(
         *,
         client_id: builtins.str,
         key_id: builtins.str,
-        private_key: builtins.str,
         team_id: builtins.str,
+        private_key: typing.Optional[builtins.str] = None,
+        private_key_value: typing.Optional[_SecretValue_3dd0ddae] = None,
         scopes: typing.Optional[typing.Sequence[builtins.str]] = None,
         user_pool: IUserPool,
         attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -17797,8 +17939,9 @@ class UserPoolIdentityProviderApple(
         :param id: -
         :param client_id: The client id recognized by Apple APIs.
         :param key_id: The keyId (of the same key, which content has to be later supplied as ``privateKey``) for Apple APIs to authenticate the client.
-        :param private_key: The privateKey content for Apple APIs to authenticate the client.
         :param team_id: The teamId for Apple APIs to authenticate the client.
+        :param private_key: (deprecated) The privateKey content for Apple APIs to authenticate the client. Default: none
+        :param private_key_value: The privateKey content for Apple APIs to authenticate the client. Default: none
         :param scopes: The list of apple permissions to obtain for getting access to the apple profile. Default: [ name ]
         :param user_pool: The user pool to which this construct provides identities.
         :param attribute_mapping: Mapping attributes from the identity provider to standard and custom attributes of the user pool. Default: - no attribute mapping
@@ -17810,8 +17953,9 @@ class UserPoolIdentityProviderApple(
         props = UserPoolIdentityProviderAppleProps(
             client_id=client_id,
             key_id=key_id,
-            private_key=private_key,
             team_id=team_id,
+            private_key=private_key,
+            private_key_value=private_key_value,
             scopes=scopes,
             user_pool=user_pool,
             attribute_mapping=attribute_mapping,
@@ -20339,8 +20483,9 @@ class UserPoolIdentityProviderAmazonProps(UserPoolIdentityProviderProps):
         "attribute_mapping": "attributeMapping",
         "client_id": "clientId",
         "key_id": "keyId",
-        "private_key": "privateKey",
         "team_id": "teamId",
+        "private_key": "privateKey",
+        "private_key_value": "privateKeyValue",
         "scopes": "scopes",
     },
 )
@@ -20352,8 +20497,9 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
         attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
         client_id: builtins.str,
         key_id: builtins.str,
-        private_key: builtins.str,
         team_id: builtins.str,
+        private_key: typing.Optional[builtins.str] = None,
+        private_key_value: typing.Optional[_SecretValue_3dd0ddae] = None,
         scopes: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
         '''Properties to initialize UserPoolAppleIdentityProvider.
@@ -20362,8 +20508,9 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
         :param attribute_mapping: Mapping attributes from the identity provider to standard and custom attributes of the user pool. Default: - no attribute mapping
         :param client_id: The client id recognized by Apple APIs.
         :param key_id: The keyId (of the same key, which content has to be later supplied as ``privateKey``) for Apple APIs to authenticate the client.
-        :param private_key: The privateKey content for Apple APIs to authenticate the client.
         :param team_id: The teamId for Apple APIs to authenticate the client.
+        :param private_key: (deprecated) The privateKey content for Apple APIs to authenticate the client. Default: none
+        :param private_key_value: The privateKey content for Apple APIs to authenticate the client. Default: none
         :param scopes: The list of apple permissions to obtain for getting access to the apple profile. Default: [ name ]
 
         :exampleMetadata: fixture=_generated
@@ -20372,15 +20519,16 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
 
             # The code below shows an example of how to instantiate this type.
             # The values are placeholders you should change.
+            import aws_cdk as cdk
             from aws_cdk import aws_cognito as cognito
             
             # provider_attribute: cognito.ProviderAttribute
+            # secret_value: cdk.SecretValue
             # user_pool: cognito.UserPool
             
             user_pool_identity_provider_apple_props = cognito.UserPoolIdentityProviderAppleProps(
                 client_id="clientId",
                 key_id="keyId",
-                private_key="privateKey",
                 team_id="teamId",
                 user_pool=user_pool,
             
@@ -20407,6 +20555,8 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
                     timezone=provider_attribute,
                     website=provider_attribute
                 ),
+                private_key="privateKey",
+                private_key_value=secret_value,
                 scopes=["scopes"]
             )
         '''
@@ -20418,18 +20568,22 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
             check_type(argname="argument attribute_mapping", value=attribute_mapping, expected_type=type_hints["attribute_mapping"])
             check_type(argname="argument client_id", value=client_id, expected_type=type_hints["client_id"])
             check_type(argname="argument key_id", value=key_id, expected_type=type_hints["key_id"])
-            check_type(argname="argument private_key", value=private_key, expected_type=type_hints["private_key"])
             check_type(argname="argument team_id", value=team_id, expected_type=type_hints["team_id"])
+            check_type(argname="argument private_key", value=private_key, expected_type=type_hints["private_key"])
+            check_type(argname="argument private_key_value", value=private_key_value, expected_type=type_hints["private_key_value"])
             check_type(argname="argument scopes", value=scopes, expected_type=type_hints["scopes"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "user_pool": user_pool,
             "client_id": client_id,
             "key_id": key_id,
-            "private_key": private_key,
             "team_id": team_id,
         }
         if attribute_mapping is not None:
             self._values["attribute_mapping"] = attribute_mapping
+        if private_key is not None:
+            self._values["private_key"] = private_key
+        if private_key_value is not None:
+            self._values["private_key_value"] = private_key_value
         if scopes is not None:
             self._values["scopes"] = scopes
 
@@ -20466,13 +20620,6 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
         assert result is not None, "Required property 'key_id' is missing"
         return typing.cast(builtins.str, result)
 
-    @builtins.property
-    def private_key(self) -> builtins.str:
-        '''The privateKey content for Apple APIs to authenticate the client.'''
-        result = self._values.get("private_key")
-        assert result is not None, "Required property 'private_key' is missing"
-        return typing.cast(builtins.str, result)
-
     @builtins.property
     def team_id(self) -> builtins.str:
         '''The teamId for Apple APIs to authenticate the client.'''
@@ -20480,6 +20627,28 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
         assert result is not None, "Required property 'team_id' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def private_key(self) -> typing.Optional[builtins.str]:
+        '''(deprecated) The privateKey content for Apple APIs to authenticate the client.
+
+        :default: none
+
+        :deprecated: use privateKeyValue
+
+        :stability: deprecated
+        '''
+        result = self._values.get("private_key")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def private_key_value(self) -> typing.Optional[_SecretValue_3dd0ddae]:
+        '''The privateKey content for Apple APIs to authenticate the client.
+
+        :default: none
+        '''
+        result = self._values.get("private_key_value")
+        return typing.cast(typing.Optional[_SecretValue_3dd0ddae], result)
+
     @builtins.property
     def scopes(self) -> typing.Optional[typing.List[builtins.str]]:
         '''The list of apple permissions to obtain for getting access to the apple profile.
@@ -21566,6 +21735,8 @@ def _typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc
     auto_verified_attributes: typing.Optional[typing.Sequence[builtins.str]] = None,
     deletion_protection: typing.Optional[builtins.str] = None,
     device_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.DeviceConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    email_authentication_message: typing.Optional[builtins.str] = None,
+    email_authentication_subject: typing.Optional[builtins.str] = None,
     email_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.EmailConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     email_verification_message: typing.Optional[builtins.str] = None,
     email_verification_subject: typing.Optional[builtins.str] = None,
@@ -21636,6 +21807,18 @@ def _typecheckingstub__7eb821a70b459056b6d26722d06f8b948b315111a936804d8aba0e7ff
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__3cf4765f879f49f79c6984252af6993fe6fdf6838989608b11e192c544fce53c(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1e1d4523d17f0641e76142be67287be5dc758d191f5eba3fa217d8c5d0170791(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__32d0b53f74dc294b25f20f54bcdaf8477a3dfc8b505387d70f97f7febe6ae209(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.EmailConfigurationProperty]],
 ) -> None:
@@ -22366,6 +22549,8 @@ def _typecheckingstub__00bbdbd31eb8d7342ce9883d0851b853acf61f6b243c0aa4323c025da
     auto_verified_attributes: typing.Optional[typing.Sequence[builtins.str]] = None,
     deletion_protection: typing.Optional[builtins.str] = None,
     device_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.DeviceConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    email_authentication_message: typing.Optional[builtins.str] = None,
+    email_authentication_subject: typing.Optional[builtins.str] = None,
     email_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.EmailConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     email_verification_message: typing.Optional[builtins.str] = None,
     email_verification_subject: typing.Optional[builtins.str] = None,
@@ -23370,8 +23555,9 @@ def _typecheckingstub__61dda0b78f30fe868c5e696b0c3d3ee7c446cd2575608fc4036cf6dac
     *,
     client_id: builtins.str,
     key_id: builtins.str,
-    private_key: builtins.str,
     team_id: builtins.str,
+    private_key: typing.Optional[builtins.str] = None,
+    private_key_value: typing.Optional[_SecretValue_3dd0ddae] = None,
     scopes: typing.Optional[typing.Sequence[builtins.str]] = None,
     user_pool: IUserPool,
     attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -23611,8 +23797,9 @@ def _typecheckingstub__ca5d3950db19200b5bbdc4fb3e51e3c9b38fc4572683061b8e4485d0f
     attribute_mapping: typing.Optional[typing.Union[AttributeMapping, typing.Dict[builtins.str, typing.Any]]] = None,
     client_id: builtins.str,
     key_id: builtins.str,
-    private_key: builtins.str,
     team_id: builtins.str,
+    private_key: typing.Optional[builtins.str] = None,
+    private_key_value: typing.Optional[_SecretValue_3dd0ddae] = None,
     scopes: typing.Optional[typing.Sequence[builtins.str]] = None,
 ) -> None:
     """Type checking stubs"""