aws-cdk-lib 2.162.1__py3-none-any.whl → 2.163.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -990,6 +990,23 @@ userpool = cognito.UserPool(self, "UserPool",
 ```
 
 By default deletion protection is disabled.
+
+### `email_verified` Attribute Mapping
+
+If you use a third-party identity provider, you can specify the `email_verified` attribute in attributeMapping.
+
+```python
+userpool = cognito.UserPool(self, "Pool")
+
+cognito.UserPoolIdentityProviderGoogle(self, "google",
+    user_pool=userpool,
+    client_id="google-client-id",
+    attribute_mapping=cognito.AttributeMapping(
+        email=cognito.ProviderAttribute.GOOGLE_EMAIL,
+        email_verified=cognito.ProviderAttribute.GOOGLE_EMAIL_VERIFIED
+    )
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -1116,6 +1133,7 @@ class AdvancedSecurityMode(enum.Enum):
         "birthdate": "birthdate",
         "custom": "custom",
         "email": "email",
+        "email_verified": "emailVerified",
         "family_name": "familyName",
         "fullname": "fullname",
         "gender": "gender",
@@ -1140,6 +1158,7 @@ class AttributeMapping:
         birthdate: typing.Optional["ProviderAttribute"] = None,
         custom: typing.Optional[typing.Mapping[builtins.str, "ProviderAttribute"]] = None,
         email: typing.Optional["ProviderAttribute"] = None,
+        email_verified: typing.Optional["ProviderAttribute"] = None,
         family_name: typing.Optional["ProviderAttribute"] = None,
         fullname: typing.Optional["ProviderAttribute"] = None,
         gender: typing.Optional["ProviderAttribute"] = None,
@@ -1161,6 +1180,7 @@ class AttributeMapping:
         :param birthdate: The user's birthday. Default: - not mapped
         :param custom: Specify custom attribute mapping here and mapping for any standard attributes not supported yet. Default: - no custom attribute mapping
         :param email: The user's e-mail address. Default: - not mapped
+        :param email_verified: The user's e-mail address is verification. Default: - not mapped
         :param family_name: The surname or last name of user. Default: - not mapped
         :param fullname: The user's full name in displayable form. Default: - not mapped
         :param gender: The user's gender. Default: - not mapped
@@ -1202,6 +1222,7 @@ class AttributeMapping:
             check_type(argname="argument birthdate", value=birthdate, expected_type=type_hints["birthdate"])
             check_type(argname="argument custom", value=custom, expected_type=type_hints["custom"])
             check_type(argname="argument email", value=email, expected_type=type_hints["email"])
+            check_type(argname="argument email_verified", value=email_verified, expected_type=type_hints["email_verified"])
             check_type(argname="argument family_name", value=family_name, expected_type=type_hints["family_name"])
             check_type(argname="argument fullname", value=fullname, expected_type=type_hints["fullname"])
             check_type(argname="argument gender", value=gender, expected_type=type_hints["gender"])
@@ -1225,6 +1246,8 @@ class AttributeMapping:
             self._values["custom"] = custom
         if email is not None:
             self._values["email"] = email
+        if email_verified is not None:
+            self._values["email_verified"] = email_verified
         if family_name is not None:
             self._values["family_name"] = family_name
         if fullname is not None:
@@ -1292,6 +1315,15 @@ class AttributeMapping:
         result = self._values.get("email")
         return typing.cast(typing.Optional["ProviderAttribute"], result)
 
+    @builtins.property
+    def email_verified(self) -> typing.Optional["ProviderAttribute"]:
+        '''The user's e-mail address is verification.
+
+        :default: - not mapped
+        '''
+        result = self._values.get("email_verified")
+        return typing.cast(typing.Optional["ProviderAttribute"], result)
+
     @builtins.property
     def family_name(self) -> typing.Optional["ProviderAttribute"]:
         '''The surname or last name of user.
@@ -3365,7 +3397,9 @@ class CfnLogDeliveryConfiguration(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cognito.CfnLogDeliveryConfiguration",
 ):
-    '''The logging parameters of a user pool, as returned in the response to a `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ request.
+    '''Sets up or modifies the logging configuration of a user pool.
+
+    User pools can export user notification logs and advanced security features user activity logs.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html
     :cloudformationResource: AWS::Cognito::LogDeliveryConfiguration
@@ -3509,8 +3543,6 @@ class CfnLogDeliveryConfiguration(
         ) -> None:
             '''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
 
-            This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
-
             :param log_group_arn: The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs. The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool. To send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with ``/aws/vendedlogs`` . For more information, see `Enabling logging from certain AWS services <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration.html
@@ -4074,28 +4106,28 @@ class CfnUserPool(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param account_recovery_setting: Use this setting to define which verified available method a user can use to recover their password when they call ``ForgotPassword`` . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
+        :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
         :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . .. epigraph:: This user pool property cannot be updated.
+        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* .
         :param auto_verified_attributes: The attributes to be auto-verified. Possible values: *email* , *phone_number* .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
         :param device_configuration: The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
         :param email_authentication_message: 
         :param email_authentication_subject: 
         :param email_configuration: The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
-        :param email_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
-        :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
-        :param enabled_mfas: Enables MFA on a specified user pool. To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values: - ``SMS_MFA`` - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided. - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA``
+        :param email_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
+        :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
+        :param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
         :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
         :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param schema: The schema attributes for the new user pool. These attributes can be standard or custom attributes. .. epigraph:: During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
-        :param sms_authentication_message: A string representing the SMS authentication message.
+        :param schema: An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.
+        :param sms_authentication_message: The contents of the SMS authentication message.
         :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
-        :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
+        :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
         :param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
-        :param username_attributes: Determines whether email addresses or phone numbers can be specified as user names when a user signs up. Possible values: ``phone_number`` or ``email`` . This user pool property cannot be updated.
-        :param username_configuration: You can choose to set case sensitivity on the username input for the selected sign-in option. For example, when this is set to ``False`` , users will be able to sign in using either "username" or "Username". This configuration is immutable once it has been set.
+        :param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
+        :param username_configuration: Case sensitivity on the username input for the selected sign-in option. When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
@@ -4178,7 +4210,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="attrProviderName")
     def attr_provider_name(self) -> builtins.str:
-        '''The provider name of the Amazon Cognito user pool, specified as a ``String`` .
+        '''A friendly name for the IdP.
 
         :cloudformationAttribute: ProviderName
         '''
@@ -4218,7 +4250,7 @@ class CfnUserPool(
     def account_recovery_setting(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.AccountRecoverySettingProperty"]]:
-        '''Use this setting to define which verified available method a user can use to recover their password when they call ``ForgotPassword`` .'''
+        '''The available verified method a user can use to recover their password when they call ``ForgotPassword`` .'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.AccountRecoverySettingProperty"]], jsii.get(self, "accountRecoverySetting"))
 
     @account_recovery_setting.setter
@@ -4252,10 +4284,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="aliasAttributes")
     def alias_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Attributes supported as an alias for this user pool.
-
-        Possible values: *phone_number* , *email* , or *preferred_username* .
-        '''
+        '''Attributes supported as an alias for this user pool.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "aliasAttributes"))
 
     @alias_attributes.setter
@@ -4392,7 +4421,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="enabledMfas")
     def enabled_mfas(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Enables MFA on a specified user pool.'''
+        '''Set enabled MFA options on a specified user pool.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "enabledMfas"))
 
     @enabled_mfas.setter
@@ -4462,10 +4491,7 @@ class CfnUserPool(
     def schema(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SchemaAttributeProperty"]]]]:
-        '''The schema attributes for the new user pool.
-
-        These attributes can be standard or custom attributes.
-        '''
+        '''An array of schema attributes for the new user pool.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SchemaAttributeProperty"]]]], jsii.get(self, "schema"))
 
     @schema.setter
@@ -4481,7 +4507,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="smsAuthenticationMessage")
     def sms_authentication_message(self) -> typing.Optional[builtins.str]:
-        '''A string representing the SMS authentication message.'''
+        '''The contents of the SMS authentication message.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "smsAuthenticationMessage"))
 
     @sms_authentication_message.setter
@@ -4543,7 +4569,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="usernameAttributes")
     def username_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Determines whether email addresses or phone numbers can be specified as user names when a user signs up.'''
+        '''Specifies whether a user can use an email address or phone number as a username when they sign up.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "usernameAttributes"))
 
     @username_attributes.setter
@@ -4561,7 +4587,7 @@ class CfnUserPool(
     def username_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UsernameConfigurationProperty"]]:
-        '''You can choose to set case sensitivity on the username input for the selected sign-in option.'''
+        '''Case sensitivity on the username input for the selected sign-in option.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UsernameConfigurationProperty"]], jsii.get(self, "usernameConfiguration"))
 
     @username_configuration.setter
@@ -4647,11 +4673,11 @@ class CfnUserPool(
             *,
             recovery_mechanisms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.RecoveryOptionProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         ) -> None:
-            '''Use this setting to define which verified available method a user can use to recover their password when they call ``ForgotPassword`` .
+            '''The available verified method a user can use to recover their password when they call ``ForgotPassword`` .
 
-            It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
+            You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
 
-            :param recovery_mechanisms: The list of ``RecoveryOptionTypes`` .
+            :param recovery_mechanisms: The list of options and priorities for user message delivery in forgot-password operations. Sets or displays user pool preferences for email or SMS message priority, whether users should fall back to a second delivery method, and whether passwords should only be reset by administrators.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-accountrecoverysetting.html
             :exampleMetadata: fixture=_generated
@@ -4680,7 +4706,9 @@ class CfnUserPool(
         def recovery_mechanisms(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPool.RecoveryOptionProperty"]]]]:
-            '''The list of ``RecoveryOptionTypes`` .
+            '''The list of options and priorities for user message delivery in forgot-password operations.
+
+            Sets or displays user pool preferences for email or SMS message priority, whether users should fall back to a second delivery method, and whether passwords should only be reset by administrators.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-accountrecoverysetting.html#cfn-cognito-userpool-accountrecoverysetting-recoverymechanisms
             '''
@@ -4715,10 +4743,14 @@ class CfnUserPool(
             invite_message_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.InviteMessageTemplateProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             unused_account_validity_days: typing.Optional[jsii.Number] = None,
         ) -> None:
-            '''The configuration for ``AdminCreateUser`` requests.
+            '''The settings for administrator creation of users in a user pool.
+
+            Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
+
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the `SignUp <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html>`_ operation.
-            :param invite_message_template: The message template to be used for the welcome message to new users. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
+            :param invite_message_template: The template for the welcome message to new users. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
             :param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of `PasswordPolicyType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html>`_ . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` . The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
@@ -4770,7 +4802,7 @@ class CfnUserPool(
         def invite_message_template(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.InviteMessageTemplateProperty"]]:
-            '''The message template to be used for the welcome message to new users.
+            '''The template for the welcome message to new users.
 
             See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
 
@@ -4870,10 +4902,12 @@ class CfnUserPool(
             lambda_arn: typing.Optional[builtins.str] = None,
             lambda_version: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''A custom email sender AWS Lambda trigger.
+            '''The configuration of a custom email sender Lambda trigger.
 
-            :param lambda_arn: The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send email notifications to users.
-            :param lambda_version: The Lambda version represents the signature of the "request" attribute in the "event" information that Amazon Cognito passes to your custom email sender AWS Lambda function. The only supported value is ``V1_0`` .
+            This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
+
+            :param lambda_arn: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
+            :param lambda_version: The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features. You must use a ``LambdaVersion`` of ``V1_0`` with a custom sender function.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customemailsender.html
             :exampleMetadata: fixture=_generated
@@ -4901,7 +4935,7 @@ class CfnUserPool(
 
         @builtins.property
         def lambda_arn(self) -> typing.Optional[builtins.str]:
-            '''The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send email notifications to users.
+            '''The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customemailsender.html#cfn-cognito-userpool-customemailsender-lambdaarn
             '''
@@ -4910,9 +4944,11 @@ class CfnUserPool(
 
         @builtins.property
         def lambda_version(self) -> typing.Optional[builtins.str]:
-            '''The Lambda version represents the signature of the "request" attribute in the "event" information that Amazon Cognito passes to your custom email sender AWS Lambda function.
+            '''The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
 
-            The only supported value is ``V1_0`` .
+            Higher-numbered versions add fields that support new features.
+
+            You must use a ``LambdaVersion`` of ``V1_0`` with a custom sender function.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customemailsender.html#cfn-cognito-userpool-customemailsender-lambdaversion
             '''
@@ -4942,10 +4978,12 @@ class CfnUserPool(
             lambda_arn: typing.Optional[builtins.str] = None,
             lambda_version: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''A custom SMS sender AWS Lambda trigger.
+            '''The configuration of a custom SMS sender Lambda trigger.
+
+            This trigger routes all SMS notifications from a user pool to a Lambda function that delivers the message using custom logic.
 
-            :param lambda_arn: The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send SMS notifications to users.
-            :param lambda_version: The Lambda version represents the signature of the "request" attribute in the "event" information Amazon Cognito passes to your custom SMS sender Lambda function. The only supported value is ``V1_0`` .
+            :param lambda_arn: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
+            :param lambda_version: The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features. You must use a ``LambdaVersion`` of ``V1_0`` with a custom sender function.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customsmssender.html
             :exampleMetadata: fixture=_generated
@@ -4973,7 +5011,7 @@ class CfnUserPool(
 
         @builtins.property
         def lambda_arn(self) -> typing.Optional[builtins.str]:
-            '''The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send SMS notifications to users.
+            '''The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customsmssender.html#cfn-cognito-userpool-customsmssender-lambdaarn
             '''
@@ -4982,9 +5020,11 @@ class CfnUserPool(
 
         @builtins.property
         def lambda_version(self) -> typing.Optional[builtins.str]:
-            '''The Lambda version represents the signature of the "request" attribute in the "event" information Amazon Cognito passes to your custom SMS sender Lambda function.
+            '''The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
+
+            Higher-numbered versions add fields that support new features.
 
-            The only supported value is ``V1_0`` .
+            You must use a ``LambdaVersion`` of ``V1_0`` with a custom sender function.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customsmssender.html#cfn-cognito-userpool-customsmssender-lambdaversion
             '''
@@ -5119,9 +5159,9 @@ class CfnUserPool(
 
             The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
 
-            :param configuration_set: The set of configuration rules that can be applied to emails sent using Amazon SES. A configuration set is applied to an email by including a reference to the configuration set in the headers of the email. Once applied, all of the rules in that configuration set are applied to the email. Configuration sets can be used to apply the following types of rules to emails: - Event publishing – Amazon SES can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as SNS and CloudWatch. - IP pool management – When leasing dedicated IP addresses with Amazon SES, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.
+            :param configuration_set: The set of configuration rules that can be applied to emails sent using Amazon Simple Email Service. A configuration set is applied to an email by including a reference to the configuration set in the headers of the email. Once applied, all of the rules in that configuration set are applied to the email. Configuration sets can be used to apply the following types of rules to emails: - **Event publishing** - Amazon Simple Email Service can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as and Amazon CloudWatch - **IP pool management** - When leasing dedicated IP addresses with Amazon Simple Email Service, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.
             :param email_sending_account: Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following values: - **COGNITO_DEFAULT** - When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration. To look up the email delivery limit for the default option, see `Limits <https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html>`_ in the *Amazon Cognito Developer Guide* . The default FROM address is ``no-reply@verificationemail.com`` . To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for the ``SourceArn`` parameter. - **DEVELOPER** - When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account . If you use this option, provide the ARN of an Amazon SES verified email address for the ``SourceArn`` parameter. Before Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a *service-linked role* , which is a type of role in your AWS account . This role contains the permissions that allow you to access Amazon SES and send email messages from your email address. For more information about the service-linked role that Amazon Cognito creates, see `Using Service-Linked Roles for Amazon Cognito <https://docs.aws.amazon.com/cognito/latest/developerguide/using-service-linked-roles.html>`_ in the *Amazon Cognito Developer Guide* .
-            :param from_: Identifies either the sender's email address or the sender's name with their email address. For example, ``testuser@example.com`` or ``Test User <testuser@example.com>`` . This address appears before the body of the email.
+            :param from_: Either the sender’s email address or the sender’s name with their email address. For example, ``testuser@example.com`` or ``Test User <testuser@example.com>`` . This address appears before the body of the email.
             :param reply_to_email_address: The destination to which the receiver of the email should reply.
             :param source_arn: The ARN of a verified email address or an address from a verified domain in Amazon SES. You can set a ``SourceArn`` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the ``EmailSendingAccount`` parameter: - If you specify ``COGNITO_DEFAULT`` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account. - If you specify ``DEVELOPER`` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf. The Region value of the ``SourceArn`` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the ``SourceArn`` and the user pool Region are the same. For more information, see `Amazon SES email configuration regions <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping>`_ in the `Amazon Cognito Developer Guide <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html>`_ .
 
@@ -5163,12 +5203,12 @@ class CfnUserPool(
 
         @builtins.property
         def configuration_set(self) -> typing.Optional[builtins.str]:
-            '''The set of configuration rules that can be applied to emails sent using Amazon SES.
+            '''The set of configuration rules that can be applied to emails sent using Amazon Simple Email Service.
 
             A configuration set is applied to an email by including a reference to the configuration set in the headers of the email. Once applied, all of the rules in that configuration set are applied to the email. Configuration sets can be used to apply the following types of rules to emails:
 
-            - Event publishing – Amazon SES can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as SNS and CloudWatch.
-            - IP pool management – When leasing dedicated IP addresses with Amazon SES, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.
+            - **Event publishing** - Amazon Simple Email Service can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as and Amazon CloudWatch
+            - **IP pool management** - When leasing dedicated IP addresses with Amazon Simple Email Service, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-configurationset
             '''
@@ -5200,7 +5240,7 @@ class CfnUserPool(
 
         @builtins.property
         def from_(self) -> typing.Optional[builtins.str]:
-            '''Identifies either the sender's email address or the sender's name with their email address.
+            '''Either the sender’s email address or the sender’s name with their email address.
 
             For example, ``testuser@example.com`` or ``Test User <testuser@example.com>`` . This address appears before the body of the email.
 
@@ -5386,11 +5426,11 @@ class CfnUserPool(
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param create_auth_challenge: The configuration of a create auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
-            :param custom_email_sender: A custom email sender AWS Lambda trigger.
+            :param custom_email_sender: The configuration of a custom email sender Lambda trigger. This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
             :param custom_message: A custom message Lambda trigger. This trigger is an opportunity to customize all SMS and email messages from your user pool. When a custom message trigger is active, your user pool routes all messages to a Lambda function that returns a runtime-customized message subject and body for your user pool to deliver to a user.
-            :param custom_sms_sender: A custom SMS sender AWS Lambda trigger.
+            :param custom_sms_sender: The configuration of a custom SMS sender Lambda trigger. This trigger routes all SMS notifications from a user pool to a Lambda function that delivers the message using custom logic.
             :param define_auth_challenge: The configuration of a define auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
-            :param kms_key_id: The Amazon Resource Name of a AWS Key Management Service ( AWS KMS ) key. Amazon Cognito uses the key to encrypt codes and temporary passwords sent to ``CustomEmailSender`` and ``CustomSMSSender`` .
+            :param kms_key_id: The ARN of an `KMS key <https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#master_keys>`_ . Amazon Cognito uses the key to encrypt codes and temporary passwords sent to custom sender Lambda triggers.
             :param post_authentication: The configuration of a `post authentication Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html>`_ in a user pool. This trigger can take custom actions after a user signs in.
             :param post_confirmation: The configuration of a `post confirmation Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html>`_ in a user pool. This trigger can take custom actions after a user confirms their user account and their email address or phone number.
             :param pre_authentication: The configuration of a `pre authentication trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html>`_ in a user pool. This trigger can evaluate and modify user sign-in events.
@@ -5494,7 +5534,9 @@ class CfnUserPool(
         def custom_email_sender(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.CustomEmailSenderProperty"]]:
-            '''A custom email sender AWS Lambda trigger.
+            '''The configuration of a custom email sender Lambda trigger.
+
+            This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-customemailsender
             '''
@@ -5516,7 +5558,9 @@ class CfnUserPool(
         def custom_sms_sender(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.CustomSMSSenderProperty"]]:
-            '''A custom SMS sender AWS Lambda trigger.
+            '''The configuration of a custom SMS sender Lambda trigger.
+
+            This trigger routes all SMS notifications from a user pool to a Lambda function that delivers the message using custom logic.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-customsmssender
             '''
@@ -5534,9 +5578,7 @@ class CfnUserPool(
 
         @builtins.property
         def kms_key_id(self) -> typing.Optional[builtins.str]:
-            '''The Amazon Resource Name of a AWS Key Management Service ( AWS KMS ) key.
-
-            Amazon Cognito uses the key to encrypt codes and temporary passwords sent to ``CustomEmailSender`` and ``CustomSMSSender`` .
+            '''The ARN of an `KMS key <https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#master_keys>`_ . Amazon Cognito uses the key to encrypt codes and temporary passwords sent to custom sender Lambda triggers.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-kmskeyid
             '''
@@ -6033,10 +6075,16 @@ class CfnUserPool(
             name: typing.Optional[builtins.str] = None,
             priority: typing.Optional[jsii.Number] = None,
         ) -> None:
-            '''A map containing a priority as a key, and recovery method name as a value.
+            '''A recovery option for a user.
+
+            The ``AccountRecoverySettingType`` data type is an array of this object. Each ``RecoveryOptionType`` has a priority property that determines whether it is a primary or secondary option.
 
-            :param name: Specifies the recovery method for a user.
-            :param priority: A positive integer specifying priority of a method with 1 being the highest priority.
+            For example, if ``verified_email`` has a priority of ``1`` and ``verified_phone_number`` has a priority of ``2`` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The ``admin_only`` option prevents self-service account recovery.
+
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
+            :param name: The recovery method that this object sets a recovery option for.
+            :param priority: Your priority preference for using the specified attribute in account recovery. The highest priority is ``1`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-recoveryoption.html
             :exampleMetadata: fixture=_generated
@@ -6064,7 +6112,7 @@ class CfnUserPool(
 
         @builtins.property
         def name(self) -> typing.Optional[builtins.str]:
-            '''Specifies the recovery method for a user.
+            '''The recovery method that this object sets a recovery option for.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-recoveryoption.html#cfn-cognito-userpool-recoveryoption-name
             '''
@@ -6073,7 +6121,9 @@ class CfnUserPool(
 
         @builtins.property
         def priority(self) -> typing.Optional[jsii.Number]:
-            '''A positive integer specifying priority of a method with 1 being the highest priority.
+            '''Your priority preference for using the specified attribute in account recovery.
+
+            The highest priority is ``1`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-recoveryoption.html#cfn-cognito-userpool-recoveryoption-priority
             '''
@@ -6125,7 +6175,7 @@ class CfnUserPool(
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param attribute_data_type: The data format of the values for your attribute. When you choose an ``AttributeDataType`` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example ``"custom:isMember" : "true"`` or ``"custom:YearsAsMember" : "12"`` .
-            :param developer_only_attribute: .. epigraph:: We recommend that you use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` . Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.
+            :param developer_only_attribute: .. epigraph:: You should use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` . Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users won't be able to modify this attribute using their access token. For example, ``DeveloperOnlyAttribute`` can be modified using AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes.
             :param mutable: Specifies whether the value of the attribute can be changed. Any user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of ``true`` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see `Specifying Identity Provider Attribute Mappings for Your User Pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
             :param name: The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a ``Name`` value of ``MyAttribute`` , Amazon Cognito creates the custom attribute ``custom:MyAttribute`` . When ``DeveloperOnlyAttribute`` is ``true`` , Amazon Cognito creates your attribute as ``dev:MyAttribute`` . In an operation that describes a user pool, Amazon Cognito returns this value as ``value`` for standard attributes, ``custom:value`` for custom attributes, and ``dev:value`` for developer-only attributes..
             :param number_attribute_constraints: Specifies the constraints for an attribute of the number type.
@@ -6199,9 +6249,9 @@ class CfnUserPool(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''.. epigraph::
 
-   We recommend that you use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` .
+   You should use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` .
 
-            Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.
+            Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users won't be able to modify this attribute using their access token. For example, ``DeveloperOnlyAttribute`` can be modified using AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-developeronlyattribute
             '''
@@ -6295,11 +6345,13 @@ class CfnUserPool(
             sns_caller_arn: typing.Optional[builtins.str] = None,
             sns_region: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The SMS configuration type that includes the settings the Cognito User Pool needs to call for the Amazon SNS service to send an SMS message from your AWS account .
+            '''User pool configuration for delivery of SMS messages with Amazon Simple Notification Service.
+
+            To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
 
-            The Cognito User Pool makes the request to the Amazon SNS Service by using an IAM role that you provide for your AWS account .
+            This data type is a request parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ , `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ , and a response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ , `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and `GetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html>`_ .
 
-            :param external_id: The external ID is a value. We recommend you use ``ExternalId`` to add security to your IAM role, which is used to call Amazon SNS to send SMS messages for your user pool. If you provide an ``ExternalId`` , the Cognito User Pool uses it when attempting to assume your IAM role. You can also set your roles trust policy to require the ``ExternalID`` . If you use the Cognito Management Console to create a role for SMS MFA, Cognito creates a role with the required permissions and a trust policy that uses ``ExternalId`` .
+            :param external_id: The external ID provides additional security for your IAM role. You can use an ``ExternalId`` with the IAM role that you use with Amazon SNS to send SMS messages for your user pool. If you provide an ``ExternalId`` , your Amazon Cognito user pool includes it in the request to assume your IAM role. You can configure the role trust policy to require that Amazon Cognito, and any principal, provide the ``ExternalID`` . If you use the Amazon Cognito Management Console to create a role for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required permissions and a trust policy that demonstrates use of the ``ExternalId`` . For more information about the ``ExternalId`` of a role, see `How to use an external ID when granting access to your AWS resources to a third party <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ .
             :param sns_caller_arn: The Amazon Resource Name (ARN) of the Amazon SNS caller. This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a `spending limit <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html>`_ .
             :param sns_region: The AWS Region to use with Amazon SNS integration. You can choose the same Region as your user pool, or a supported *Legacy Amazon SNS alternate Region* . Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see `SMS message settings for Amazon Cognito user pools <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
 
@@ -6333,9 +6385,11 @@ class CfnUserPool(
 
         @builtins.property
         def external_id(self) -> typing.Optional[builtins.str]:
-            '''The external ID is a value.
+            '''The external ID provides additional security for your IAM role.
 
-            We recommend you use ``ExternalId`` to add security to your IAM role, which is used to call Amazon SNS to send SMS messages for your user pool. If you provide an ``ExternalId`` , the Cognito User Pool uses it when attempting to assume your IAM role. You can also set your roles trust policy to require the ``ExternalID`` . If you use the Cognito Management Console to create a role for SMS MFA, Cognito creates a role with the required permissions and a trust policy that uses ``ExternalId`` .
+            You can use an ``ExternalId`` with the IAM role that you use with Amazon SNS to send SMS messages for your user pool. If you provide an ``ExternalId`` , your Amazon Cognito user pool includes it in the request to assume your IAM role. You can configure the role trust policy to require that Amazon Cognito, and any principal, provide the ``ExternalID`` . If you use the Amazon Cognito Management Console to create a role for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required permissions and a trust policy that demonstrates use of the ``ExternalId`` .
+
+            For more information about the ``ExternalId`` of a role, see `How to use an external ID when granting access to your AWS resources to a third party <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-smsconfiguration.html#cfn-cognito-userpool-smsconfiguration-externalid
             '''
@@ -6389,9 +6443,9 @@ class CfnUserPool(
             max_length: typing.Optional[builtins.str] = None,
             min_length: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The ``StringAttributeConstraints`` property type defines the string attribute constraints of an Amazon Cognito user pool.
+            '''The minimum and maximum length values of an attribute that is of the string type, for example ``custom:department`` .
 
-            ``StringAttributeConstraints`` is a subproperty of the `SchemaAttribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html>`_ property type.
+            This data type is part of `SchemaAttributeType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html>`_ . It defines the length constraints on string-type attributes that you configure in `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and displays the length constraints of all string-type attributes in the response to `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_
 
             :param max_length: The maximum length of a string attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
             :param min_length: The minimum length of a string attribute value.
@@ -6614,7 +6668,11 @@ class CfnUserPool(
             *,
             case_sensitive: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         ) -> None:
-            '''The ``UsernameConfiguration`` property type specifies case sensitivity on the username input for the selected sign-in option.
+            '''Case sensitivity of the username input for the selected sign-in option.
+
+            When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
+
+            This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
 
             :param case_sensitive: Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name. Valid values include: - **true** - Enables case sensitivity for all username input. When this option is set to ``true`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value. - **false** - Enables case insensitivity for all username input. For example, when this option is set to ``false`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
 
@@ -6926,7 +6984,7 @@ class CfnUserPoolClient(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The user pool ID for the user pool where you want to create a user pool client.
-        :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours.
+        :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
         :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
         :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
         :param allowed_o_auth_scopes: The allowed OAuth scopes. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
@@ -6939,11 +6997,11 @@ class CfnUserPoolClient(
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
         :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
-        :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours.
+        :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
-        :param prevent_user_existence_errors: Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ``ENABLED`` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs will return a ``UserNotFoundException`` exception if the user does not exist in the user pool.
+        :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
-        :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
+        :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
@@ -7287,7 +7345,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="preventUserExistenceErrors")
     def prevent_user_existence_errors(self) -> typing.Optional[builtins.str]:
-        '''Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool.'''
+        '''Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "preventUserExistenceErrors"))
 
     @prevent_user_existence_errors.setter
@@ -7410,7 +7468,7 @@ class CfnUserPoolClient(
 
             This data type is a request parameter of `CreateUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html>`_ and `UpdateUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html>`_ , and a response parameter of `DescribeUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html>`_ .
 
-            :param application_arn: The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You can use the Amazon Pinpoint project for integration with the chosen user pool client. Amazon Cognito publishes events to the Amazon Pinpoint project that the app ARN declares.
+            :param application_arn: The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to your user pool app client. Amazon Cognito publishes events to the Amazon Pinpoint project that ``ApplicationArn`` declares. You can also configure your application to pass an endpoint ID in the ``AnalyticsMetadata`` parameter of sign-in operations. The endpoint ID is information about the destination for push notifications
             :param application_id: Your Amazon Pinpoint project ID.
             :param external_id: The `external ID <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
             :param role_arn: The ARN of an AWS Identity and Access Management role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
@@ -7454,9 +7512,9 @@ class CfnUserPoolClient(
 
         @builtins.property
         def application_arn(self) -> typing.Optional[builtins.str]:
-            '''The Amazon Resource Name (ARN) of an Amazon Pinpoint project.
+            '''The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to your user pool app client.
 
-            You can use the Amazon Pinpoint project for integration with the chosen user pool client. Amazon Cognito publishes events to the Amazon Pinpoint project that the app ARN declares.
+            Amazon Cognito publishes events to the Amazon Pinpoint project that ``ApplicationArn`` declares. You can also configure your application to pass an endpoint ID in the ``AnalyticsMetadata`` parameter of sign-in operations. The endpoint ID is information about the destination for push notifications
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-applicationarn
             '''
@@ -7668,7 +7726,7 @@ class CfnUserPoolClientProps:
         '''Properties for defining a ``CfnUserPoolClient``.
 
         :param user_pool_id: The user pool ID for the user pool where you want to create a user pool client.
-        :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours.
+        :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
         :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
         :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
         :param allowed_o_auth_scopes: The allowed OAuth scopes. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
@@ -7681,11 +7739,11 @@ class CfnUserPoolClientProps:
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
         :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
-        :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours.
+        :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
-        :param prevent_user_existence_errors: Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ``ENABLED`` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs will return a ``UserNotFoundException`` exception if the user does not exist in the user pool.
+        :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
-        :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
+        :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
@@ -7822,9 +7880,13 @@ class CfnUserPoolClientProps:
 
         After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request.
 
-        For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours.
+        For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with
+        their access token for 10 hours.
 
-        The default time unit for ``AccessTokenValidity`` in an API request is hours.
+        The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds.
+
+        If you don't specify otherwise in the configuration of your app client, your access
+        tokens are valid for one hour.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-accesstokenvalidity
         '''
@@ -8026,7 +8088,10 @@ class CfnUserPoolClientProps:
 
         For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours.
 
-        The default time unit for ``IdTokenValidity`` in an API request is hours.
+        The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds.
+
+        If you don't specify otherwise in the configuration of your app client, your ID
+        tokens are valid for one hour.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-idtokenvalidity
         '''
@@ -8044,9 +8109,16 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def prevent_user_existence_errors(self) -> typing.Optional[builtins.str]:
-        '''Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool.
+        '''Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool.
 
-        When set to ``ENABLED`` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs will return a ``UserNotFoundException`` exception if the user does not exist in the user pool.
+        When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool.
+
+        Valid values include:
+
+        - ``ENABLED`` - This prevents user existence-related errors.
+        - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented.
+
+        Defaults to ``LEGACY`` when you don't provide a value.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-preventuserexistenceerrors
         '''
@@ -8072,9 +8144,13 @@ class CfnUserPoolClientProps:
 
         After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request.
 
-        For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days.
+        For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session
+        and retrieve new access and ID tokens for 10 days.
 
-        The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
+        The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds.
+
+        If you don't specify otherwise in the configuration of your app client, your refresh
+        tokens are valid for 30 days.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-refreshtokenvalidity
         '''
@@ -8175,8 +8251,8 @@ class CfnUserPoolDomain(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param domain: The domain name for the domain that hosts the sign-up and sign-in pages for your application. For example: ``auth.example.com`` . If you're using a prefix domain, this field denotes the first part of the domain before ``.auth.[region].amazoncognito.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
-        :param user_pool_id: The user pool ID for the user pool where you want to associate a user pool domain.
+        :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
+        :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
         :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM.
         '''
         if __debug__:
@@ -8247,7 +8323,7 @@ class CfnUserPoolDomain(
     @builtins.property
     @jsii.member(jsii_name="domain")
     def domain(self) -> builtins.str:
-        '''The domain name for the domain that hosts the sign-up and sign-in pages for your application.'''
+        '''The domain name for the custom domain that hosts the sign-up and sign-in pages for your application.'''
         return typing.cast(builtins.str, jsii.get(self, "domain"))
 
     @domain.setter
@@ -8260,7 +8336,7 @@ class CfnUserPoolDomain(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool where you want to associate a user pool domain.'''
+        '''The ID of the user pool that is associated with the custom domain whose certificate you're updating.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -8367,8 +8443,8 @@ class CfnUserPoolDomainProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolDomain``.
 
-        :param domain: The domain name for the domain that hosts the sign-up and sign-in pages for your application. For example: ``auth.example.com`` . If you're using a prefix domain, this field denotes the first part of the domain before ``.auth.[region].amazoncognito.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
-        :param user_pool_id: The user pool ID for the user pool where you want to associate a user pool domain.
+        :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
+        :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
         :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html
@@ -8404,9 +8480,9 @@ class CfnUserPoolDomainProps:
 
     @builtins.property
     def domain(self) -> builtins.str:
-        '''The domain name for the domain that hosts the sign-up and sign-in pages for your application.
+        '''The domain name for the custom domain that hosts the sign-up and sign-in pages for your application.
 
-        For example: ``auth.example.com`` . If you're using a prefix domain, this field denotes the first part of the domain before ``.auth.[region].amazoncognito.com`` .
+        One example might be ``auth.example.com`` .
 
         This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
 
@@ -8418,7 +8494,7 @@ class CfnUserPoolDomainProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool where you want to associate a user pool domain.
+        '''The ID of the user pool that is associated with the custom domain whose certificate you're updating.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-userpoolid
         '''
@@ -8457,7 +8533,11 @@ class CfnUserPoolGroup(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolGroup",
 ):
-    '''A user pool group that you can add a user to.
+    '''A user pool group.
+
+    Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
+
+    This data type is a response parameter of `AdminListGroupsForUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html>`_ , `CreateGroup <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html>`_ , `GetGroup <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html>`_ , `ListGroups <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html>`_ , and `UpdateGroup <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html>`_ .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html
     :cloudformationResource: AWS::Cognito::UserPoolGroup
@@ -9188,28 +9268,28 @@ class CfnUserPoolProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPool``.
 
-        :param account_recovery_setting: Use this setting to define which verified available method a user can use to recover their password when they call ``ForgotPassword`` . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
+        :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
         :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . .. epigraph:: This user pool property cannot be updated.
+        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* .
         :param auto_verified_attributes: The attributes to be auto-verified. Possible values: *email* , *phone_number* .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
         :param device_configuration: The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
         :param email_authentication_message: 
         :param email_authentication_subject: 
         :param email_configuration: The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
-        :param email_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
-        :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
-        :param enabled_mfas: Enables MFA on a specified user pool. To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values: - ``SMS_MFA`` - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided. - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA``
+        :param email_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
+        :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
+        :param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
         :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
         :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param schema: The schema attributes for the new user pool. These attributes can be standard or custom attributes. .. epigraph:: During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
-        :param sms_authentication_message: A string representing the SMS authentication message.
+        :param schema: An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.
+        :param sms_authentication_message: The contents of the SMS authentication message.
         :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
-        :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
+        :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
         :param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
-        :param username_attributes: Determines whether email addresses or phone numbers can be specified as user names when a user signs up. Possible values: ``phone_number`` or ``email`` . This user pool property cannot be updated.
-        :param username_configuration: You can choose to set case sensitivity on the username input for the selected sign-in option. For example, when this is set to ``False`` , users will be able to sign in using either "username" or "Username". This configuration is immutable once it has been set.
+        :param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
+        :param username_configuration: Case sensitivity on the username input for the selected sign-in option. When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
@@ -9431,9 +9511,9 @@ class CfnUserPoolProps:
     def account_recovery_setting(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.AccountRecoverySettingProperty]]:
-        '''Use this setting to define which verified available method a user can use to recover their password when they call ``ForgotPassword`` .
+        '''The available verified method a user can use to recover their password when they call ``ForgotPassword`` .
 
-        It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
+        You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-accountrecoverysetting
         '''
@@ -9457,11 +9537,9 @@ class CfnUserPoolProps:
 
     @builtins.property
     def alias_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* .
-
-        .. epigraph::
+        '''Attributes supported as an alias for this user pool.
 
-           This user pool property cannot be updated.
+        Possible values: *phone_number* , *email* , or *preferred_username* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-aliasattributes
         '''
@@ -9542,7 +9620,7 @@ class CfnUserPoolProps:
     def email_verification_message(self) -> typing.Optional[builtins.str]:
         '''This parameter is no longer used.
 
-        See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
+        See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailverificationmessage
         '''
@@ -9553,7 +9631,7 @@ class CfnUserPoolProps:
     def email_verification_subject(self) -> typing.Optional[builtins.str]:
         '''This parameter is no longer used.
 
-        See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
+        See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailverificationsubject
         '''
@@ -9562,14 +9640,15 @@ class CfnUserPoolProps:
 
     @builtins.property
     def enabled_mfas(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Enables MFA on a specified user pool.
+        '''Set enabled MFA options on a specified user pool.
 
-        To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values:
+        To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values:
 
-        - ``SMS_MFA`` - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided.
+        - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` .
         - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool.
+        - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` .
 
-        Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA``
+        Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-enabledmfas
         '''
@@ -9619,11 +9698,9 @@ class CfnUserPoolProps:
     def schema(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnUserPool.SchemaAttributeProperty]]]]:
-        '''The schema attributes for the new user pool. These attributes can be standard or custom attributes.
-
-        .. epigraph::
+        '''An array of schema attributes for the new user pool.
 
-           During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
+        These attributes can be standard or custom attributes.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-schema
         '''
@@ -9632,7 +9709,7 @@ class CfnUserPoolProps:
 
     @builtins.property
     def sms_authentication_message(self) -> typing.Optional[builtins.str]:
-        '''A string representing the SMS authentication message.
+        '''The contents of the SMS authentication message.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-smsauthenticationmessage
         '''
@@ -9656,7 +9733,7 @@ class CfnUserPoolProps:
     def sms_verification_message(self) -> typing.Optional[builtins.str]:
         '''This parameter is no longer used.
 
-        See `VerificationMessageTemplateType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html>`_ .
+        See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-smsverificationmessage
         '''
@@ -9680,11 +9757,7 @@ class CfnUserPoolProps:
 
     @builtins.property
     def username_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Determines whether email addresses or phone numbers can be specified as user names when a user signs up.
-
-        Possible values: ``phone_number`` or ``email`` .
-
-        This user pool property cannot be updated.
+        '''Specifies whether a user can use an email address or phone number as a username when they sign up.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-usernameattributes
         '''
@@ -9695,9 +9768,11 @@ class CfnUserPoolProps:
     def username_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.UsernameConfigurationProperty]]:
-        '''You can choose to set case sensitivity on the username input for the selected sign-in option.
+        '''Case sensitivity on the username input for the selected sign-in option.
 
-        For example, when this is set to ``False`` , users will be able to sign in using either "username" or "Username". This configuration is immutable once it has been set.
+        When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
+
+        This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-usernameconfiguration
         '''
@@ -9812,7 +9887,7 @@ class CfnUserPoolResourceServer(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param identifier: A unique resource server identifier for the resource server. This could be an HTTPS endpoint where the resource server is located. For example: ``https://my-weather-api.example.com`` .
+        :param identifier: A unique resource server identifier for the resource server. The identifier can be an API friendly name like ``solar-system-data`` . You can also set an API URL like ``https://solar-system-data-api.example.com`` as your identifier. Amazon Cognito represents scopes in the access token in the format ``$resource-server-identifier/$scope`` . Longer scope-identifier strings increase the size of your access tokens.
         :param name: A friendly name for the resource server.
         :param user_pool_id: The user pool ID for the user pool.
         :param scopes: A list of scopes. Each scope is a map with keys ``ScopeName`` and ``ScopeDescription`` .
@@ -10021,7 +10096,7 @@ class CfnUserPoolResourceServerProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolResourceServer``.
 
-        :param identifier: A unique resource server identifier for the resource server. This could be an HTTPS endpoint where the resource server is located. For example: ``https://my-weather-api.example.com`` .
+        :param identifier: A unique resource server identifier for the resource server. The identifier can be an API friendly name like ``solar-system-data`` . You can also set an API URL like ``https://solar-system-data-api.example.com`` as your identifier. Amazon Cognito represents scopes in the access token in the format ``$resource-server-identifier/$scope`` . Longer scope-identifier strings increase the size of your access tokens.
         :param name: A friendly name for the resource server.
         :param user_pool_id: The user pool ID for the user pool.
         :param scopes: A list of scopes. Each scope is a map with keys ``ScopeName`` and ``ScopeDescription`` .
@@ -10065,7 +10140,9 @@ class CfnUserPoolResourceServerProps:
     def identifier(self) -> builtins.str:
         '''A unique resource server identifier for the resource server.
 
-        This could be an HTTPS endpoint where the resource server is located. For example: ``https://my-weather-api.example.com`` .
+        The identifier can be an API friendly name like ``solar-system-data`` . You can also set an API URL like ``https://solar-system-data-api.example.com`` as your identifier.
+
+        Amazon Cognito represents scopes in the access token in the format ``$resource-server-identifier/$scope`` . Longer scope-identifier strings increase the size of your access tokens.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html#cfn-cognito-userpoolresourceserver-identifier
         '''
@@ -10218,7 +10295,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param client_id: The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ``ALL`` ).
+        :param client_id: The app client where this configuration is applied. When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
         :param user_pool_id: The ID of the user pool that has the risk configuration applied.
         :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with advanced security features.
         :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
@@ -10276,7 +10353,7 @@ class CfnUserPoolRiskConfigurationAttachment(
     @builtins.property
     @jsii.member(jsii_name="clientId")
     def client_id(self) -> builtins.str:
-        '''The app client ID.'''
+        '''The app client where this configuration is applied.'''
         return typing.cast(builtins.str, jsii.get(self, "clientId"))
 
     @client_id.setter
@@ -11171,7 +11248,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolRiskConfigurationAttachment``.
 
-        :param client_id: The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ``ALL`` ).
+        :param client_id: The app client where this configuration is applied. When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
         :param user_pool_id: The ID of the user pool that has the risk configuration applied.
         :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with advanced security features.
         :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
@@ -11271,9 +11348,9 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
 
     @builtins.property
     def client_id(self) -> builtins.str:
-        '''The app client ID.
+        '''The app client where this configuration is applied.
 
-        You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ``ALL`` ).
+        When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-clientid
         '''
@@ -11342,14 +11419,9 @@ class CfnUserPoolUICustomizationAttachment(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolUICustomizationAttachment",
 ):
-    '''The ``AWS::Cognito::UserPoolUICustomizationAttachment`` resource sets the UI customization information for a user pool's built-in app UI.
-
-    You can specify app UI customization settings for a single client (with a specific ``clientId`` ) or for all clients (by setting the ``clientId`` to ``ALL`` ). If you specify ``ALL`` , the default configuration is used for every client that has had no UI customization set previously. If you specify UI customization settings for a particular client, it no longer falls back to the ``ALL`` configuration.
-    .. epigraph::
-
-       Before you create this resource, your user pool must have a domain associated with it. You can create an ``AWS::Cognito::UserPoolDomain`` resource first in this user pool.
+    '''A container for the UI customization information for the hosted UI in a user pool.
 
-    Setting a logo image isn't supported from AWS CloudFormation . Use the Amazon Cognito `SetUICustomization <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUICustomization.html#API_SetUICustomization_RequestSyntax>`_ API operation to set the image.
+    This data type is a response parameter of `GetUICustomization <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html>`_ .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
     :cloudformationResource: AWS::Cognito::UserPoolUICustomizationAttachment
@@ -11382,7 +11454,7 @@ class CfnUserPoolUICustomizationAttachment(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param client_id: The client ID for the client app. You can specify the UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ``ALL`` ).
+        :param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
         :param user_pool_id: The user pool ID for the user pool.
         :param css: The CSS values in the UI customization.
         '''
@@ -11434,7 +11506,7 @@ class CfnUserPoolUICustomizationAttachment(
     @builtins.property
     @jsii.member(jsii_name="clientId")
     def client_id(self) -> builtins.str:
-        '''The client ID for the client app.'''
+        '''The app client ID for your UI customization.'''
         return typing.cast(builtins.str, jsii.get(self, "clientId"))
 
     @client_id.setter
@@ -11486,7 +11558,7 @@ class CfnUserPoolUICustomizationAttachmentProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolUICustomizationAttachment``.
 
-        :param client_id: The client ID for the client app. You can specify the UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ``ALL`` ).
+        :param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
         :param user_pool_id: The user pool ID for the user pool.
         :param css: The CSS values in the UI customization.
 
@@ -11521,9 +11593,9 @@ class CfnUserPoolUICustomizationAttachmentProps:
 
     @builtins.property
     def client_id(self) -> builtins.str:
-        '''The client ID for the client app.
+        '''The app client ID for your UI customization.
 
-        You can specify the UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ``ALL`` ).
+        When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-clientid
         '''
@@ -11624,7 +11696,7 @@ class CfnUserPoolUser(
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
         '''
@@ -11763,7 +11835,7 @@ class CfnUserPoolUser(
     def user_attributes(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPoolUser.AttributeTypeProperty"]]]]:
-        '''An array of name-value pairs that contain user attributes and attribute values.'''
+        '''An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPoolUser.AttributeTypeProperty"]]]], jsii.get(self, "userAttributes"))
 
     @user_attributes.setter
@@ -11914,7 +11986,7 @@ class CfnUserPoolUserProps:
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
 
@@ -12051,7 +12123,18 @@ class CfnUserPoolUserProps:
     def user_attributes(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnUserPoolUser.AttributeTypeProperty]]]]:
-        '''An array of name-value pairs that contain user attributes and attribute values.
+        '''An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created.
+
+        You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message).
+
+        For custom attributes, you must prepend the ``custom:`` prefix to the attribute name.
+
+        To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.
+
+        In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ .
+
+        - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-userattributes
         '''
@@ -12108,7 +12191,16 @@ class CfnUserPoolUserToGroupAttachment(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolUserToGroupAttachment",
 ):
-    '''Adds the specified user to the specified group.
+    '''Adds a user to a group.
+
+    A user who is in a group can present a preferred-role claim to an identity pool, and populates a ``cognito:groups`` claim to their access and identity tokens.
+    .. epigraph::
+
+       Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
+
+       **Learn more** - `Signing AWS API Requests <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html>`_
+
+       - `Using the Amazon Cognito user pools API and user pool endpoints <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html>`_
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html
     :cloudformationResource: AWS::Cognito::UserPoolUserToGroupAttachment
@@ -12140,7 +12232,7 @@ class CfnUserPoolUserToGroupAttachment(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_name: The name of the group that you want to add your user to.
-        :param username: 
+        :param username: The user's username.
         :param user_pool_id: The user pool ID for the user pool.
         '''
         if __debug__:
@@ -12204,6 +12296,7 @@ class CfnUserPoolUserToGroupAttachment(
     @builtins.property
     @jsii.member(jsii_name="username")
     def username(self) -> builtins.str:
+        '''The user's username.'''
         return typing.cast(builtins.str, jsii.get(self, "username"))
 
     @username.setter
@@ -12247,7 +12340,7 @@ class CfnUserPoolUserToGroupAttachmentProps:
         '''Properties for defining a ``CfnUserPoolUserToGroupAttachment``.
 
         :param group_name: The name of the group that you want to add your user to.
-        :param username: 
+        :param username: The user's username.
         :param user_pool_id: The user pool ID for the user pool.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html
@@ -12288,7 +12381,8 @@ class CfnUserPoolUserToGroupAttachmentProps:
 
     @builtins.property
     def username(self) -> builtins.str:
-        '''
+        '''The user's username.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html#cfn-cognito-userpoolusertogroupattachment-username
         '''
         result = self._values.get("username")
@@ -14527,6 +14621,12 @@ class ProviderAttribute(
         '''The email attribute provided by Apple.'''
         return typing.cast("ProviderAttribute", jsii.sget(cls, "APPLE_EMAIL"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APPLE_EMAIL_VERIFIED")
+    def APPLE_EMAIL_VERIFIED(cls) -> "ProviderAttribute":
+        '''The email verified atribute provided by Apple.'''
+        return typing.cast("ProviderAttribute", jsii.sget(cls, "APPLE_EMAIL_VERIFIED"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="APPLE_FIRST_NAME")
     def APPLE_FIRST_NAME(cls) -> "ProviderAttribute":
@@ -14611,6 +14711,12 @@ class ProviderAttribute(
         '''The email attribute provided by Google.'''
         return typing.cast("ProviderAttribute", jsii.sget(cls, "GOOGLE_EMAIL"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="GOOGLE_EMAIL_VERIFIED")
+    def GOOGLE_EMAIL_VERIFIED(cls) -> "ProviderAttribute":
+        '''The email verified attribute provided by Google.'''
+        return typing.cast("ProviderAttribute", jsii.sget(cls, "GOOGLE_EMAIL_VERIFIED"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="GOOGLE_FAMILY_NAME")
     def GOOGLE_FAMILY_NAME(cls) -> "ProviderAttribute":
@@ -17917,6 +18023,7 @@ class UserPoolIdentityProviderApple(
                     "custom_key": provider_attribute
                 },
                 email=provider_attribute,
+                email_verified=provider_attribute,
                 family_name=provider_attribute,
                 fullname=provider_attribute,
                 gender=provider_attribute,
@@ -18026,6 +18133,7 @@ class UserPoolIdentityProviderFacebook(
                     "custom_key": provider_attribute
                 },
                 email=provider_attribute,
+                email_verified=provider_attribute,
                 family_name=provider_attribute,
                 fullname=provider_attribute,
                 gender=provider_attribute,
@@ -18200,6 +18308,7 @@ class UserPoolIdentityProviderOidc(
                     "custom_key": provider_attribute
                 },
                 email=provider_attribute,
+                email_verified=provider_attribute,
                 family_name=provider_attribute,
                 fullname=provider_attribute,
                 gender=provider_attribute,
@@ -18327,6 +18436,7 @@ class UserPoolIdentityProviderProps:
                         "custom_key": provider_attribute
                     },
                     email=provider_attribute,
+                    email_verified=provider_attribute,
                     family_name=provider_attribute,
                     fullname=provider_attribute,
                     gender=provider_attribute,
@@ -20558,6 +20668,7 @@ class UserPoolIdentityProviderAppleProps(UserPoolIdentityProviderProps):
                         "custom_key": provider_attribute
                     },
                     email=provider_attribute,
+                    email_verified=provider_attribute,
                     family_name=provider_attribute,
                     fullname=provider_attribute,
                     gender=provider_attribute,
@@ -20747,6 +20858,7 @@ class UserPoolIdentityProviderFacebookProps(UserPoolIdentityProviderProps):
                         "custom_key": provider_attribute
                     },
                     email=provider_attribute,
+                    email_verified=provider_attribute,
                     family_name=provider_attribute,
                     fullname=provider_attribute,
                     gender=provider_attribute,
@@ -21065,6 +21177,7 @@ class UserPoolIdentityProviderOidcProps(UserPoolIdentityProviderProps):
                         "custom_key": provider_attribute
                     },
                     email=provider_attribute,
+                    email_verified=provider_attribute,
                     family_name=provider_attribute,
                     fullname=provider_attribute,
                     gender=provider_attribute,
@@ -21343,6 +21456,7 @@ def _typecheckingstub__1994c9f3057f350dfde37c21bef42d2ad1a87ae2900a0e48fd7c2506d
     birthdate: typing.Optional[ProviderAttribute] = None,
     custom: typing.Optional[typing.Mapping[builtins.str, ProviderAttribute]] = None,
     email: typing.Optional[ProviderAttribute] = None,
+    email_verified: typing.Optional[ProviderAttribute] = None,
     family_name: typing.Optional[ProviderAttribute] = None,
     fullname: typing.Optional[ProviderAttribute] = None,
     gender: typing.Optional[ProviderAttribute] = None,