aws-cdk-lib 2.171.1__py3-none-any.whl → 2.173.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -20,7 +20,11 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
   * [Table of Contents](#table-of-contents)
   * [User Pools](#user-pools)
 
+    * [User pool feature plans](#user-pool-feature-plans)
     * [Sign Up](#sign-up)
+
+      * [Code Verification](#code-verification)
+      * [Link Verification](#link-verification)
     * [Sign In](#sign-in)
     * [Attributes](#attributes)
     * [Attribute verification](#attribute-verification)
@@ -77,6 +81,20 @@ role = iam.Role(self, "role",
 user_pool.grant(role, "cognito-idp:AdminCreateUser")
 ```
 
+### User pool feature plans
+
+Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it.
+Lean more aboug [feature plans here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html).
+
+* *Lite* - a low-cost feature plan for user pools with lower numbers of monthly active users.
+* *Essentials* - all of the latest user pool authentication features.
+* *Plus* - includes everything in the Essentials plan and adds advanced security features that protect your users.
+
+The default feature plan is Essentials for newly create user pools.
+For the existing user pools, Lite plan is automatically set.
+
+Previously, some user pool features were included in [an advanced security features](#advanced-security-mode) pricing structure. The features that were included in this structure are now under either the Essentials or Plus plan.
+
 ### Sign Up
 
 Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their
@@ -308,8 +326,8 @@ configure an MFA token and use it for sign in. It also allows for the users to u
 [time-based one time password
 (TOTP)](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html).
 
-If you want to enable email-based MFA, set `email` propety to the Amazon SES email-sending configuration and set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`.
-For more information, see [Email MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security-email-mfa.html).
+If you want to enable email-based MFA, set `email` propety to the Amazon SES email-sending configuration and set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.
+For more information, see [SMS and email message MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html).
 
 ```python
 cognito.UserPool(self, "myuserpool",
@@ -365,6 +383,8 @@ A user will not be allowed to reset their password via phone if they are also us
 
 #### Advanced Security Mode
 
+⚠️ Advanced Security Mode is deprecated in favor of [user pool feature plans](#user-pool-feature-plans).
+
 User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the [documentation on Advanced security](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) to learn more.
 
 ```python
@@ -698,6 +718,9 @@ Custom authentication protocols can be configured by setting the `custom` proper
 functions for the corresponding user pool [triggers](#lambda-triggers). Learn more at [Custom Authentication
 Flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow).
 
+Choice-based authentication can be configured by setting the `user` property under `authFlow`. This enables the
+`USER_AUTH` authentication flow. Learn more at [Choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice).
+
 In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for
 authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more
 about the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749) and [Cognito user pool's
@@ -982,6 +1005,21 @@ Existing domains can be imported into CDK apps using `UserPoolDomain.fromDomainN
 my_user_pool_domain = cognito.UserPoolDomain.from_domain_name(self, "my-user-pool-domain", "domain-name")
 ```
 
+To get the domain name of the CloudFront distribution associated with the user pool domain, use `cloudFrontEndpoint` method.
+
+```python
+userpool = cognito.UserPool(self, "UserPool")
+domain = userpool.add_domain("Domain",
+    cognito_domain=cognito.CognitoDomainOptions(
+        domain_prefix="my-awesome-app"
+    )
+)
+
+CfnOutput(self, "CloudFrontEndpoint",
+    value=domain.cloud_front_endpoint
+)
+```
+
 ### Deletion protection
 
 Deletion protection can be enabled on a user pool to prevent accidental deletion:
@@ -1132,9 +1170,12 @@ class AccountRecovery(enum.Enum):
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.AdvancedSecurityMode")
 class AdvancedSecurityMode(enum.Enum):
-    '''The different ways in which a user pool's Advanced Security Mode can be configured.
+    '''(deprecated) The different ways in which a user pool's Advanced Security Mode can be configured.
+
+    :deprecated: Advanced Security Mode is deprecated in favor of user pool feature plans.
 
     :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
+    :stability: deprecated
     :exampleMetadata: infused
 
     Example::
@@ -1146,14 +1187,22 @@ class AdvancedSecurityMode(enum.Enum):
     '''
 
     ENFORCED = "ENFORCED"
-    '''Enable advanced security mode.'''
+    '''(deprecated) Enable advanced security mode.
+
+    :stability: deprecated
+    '''
     AUDIT = "AUDIT"
-    '''gather metrics on detected risks without taking action.
+    '''(deprecated) gather metrics on detected risks without taking action.
 
     Metrics are published to Amazon CloudWatch
+
+    :stability: deprecated
     '''
     OFF = "OFF"
-    '''Advanced security mode is disabled.'''
+    '''(deprecated) Advanced security mode is disabled.
+
+    :stability: deprecated
+    '''
 
 
 @jsii.data_type(
@@ -1499,6 +1548,7 @@ class AttributeMapping:
     name_mapping={
         "admin_user_password": "adminUserPassword",
         "custom": "custom",
+        "user": "user",
         "user_password": "userPassword",
         "user_srp": "userSrp",
     },
@@ -1509,6 +1559,7 @@ class AuthFlow:
         *,
         admin_user_password: typing.Optional[builtins.bool] = None,
         custom: typing.Optional[builtins.bool] = None,
+        user: typing.Optional[builtins.bool] = None,
         user_password: typing.Optional[builtins.bool] = None,
         user_srp: typing.Optional[builtins.bool] = None,
     ) -> None:
@@ -1516,6 +1567,7 @@ class AuthFlow:
 
         :param admin_user_password: Enable admin based user password authentication flow. Default: false
         :param custom: Enable custom authentication flow. Default: false
+        :param user: Enable Choice-based authentication. Default: false
         :param user_password: Enable auth using username & password. Default: false
         :param user_srp: Enable SRP based authentication. Default: false
 
@@ -1536,6 +1588,7 @@ class AuthFlow:
             type_hints = typing.get_type_hints(_typecheckingstub__3dd38e6e4617deee919f37d20a9ae635331043b4cf42c8d31fdbb0d3c29baeda)
             check_type(argname="argument admin_user_password", value=admin_user_password, expected_type=type_hints["admin_user_password"])
             check_type(argname="argument custom", value=custom, expected_type=type_hints["custom"])
+            check_type(argname="argument user", value=user, expected_type=type_hints["user"])
             check_type(argname="argument user_password", value=user_password, expected_type=type_hints["user_password"])
             check_type(argname="argument user_srp", value=user_srp, expected_type=type_hints["user_srp"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
@@ -1543,6 +1596,8 @@ class AuthFlow:
             self._values["admin_user_password"] = admin_user_password
         if custom is not None:
             self._values["custom"] = custom
+        if user is not None:
+            self._values["user"] = user
         if user_password is not None:
             self._values["user_password"] = user_password
         if user_srp is not None:
@@ -1566,6 +1621,15 @@ class AuthFlow:
         result = self._values.get("custom")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def user(self) -> typing.Optional[builtins.bool]:
+        '''Enable Choice-based authentication.
+
+        :default: false
+        '''
+        result = self._values.get("user")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def user_password(self) -> typing.Optional[builtins.bool]:
         '''Enable auth using username & password.
@@ -3913,37 +3977,554 @@ class CfnLogDeliveryConfigurationProps:
             )
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__585789fa8816c3e4ed9b3aa9967435c1474787f750de3db35983f11efef27366)
+            type_hints = typing.get_type_hints(_typecheckingstub__585789fa8816c3e4ed9b3aa9967435c1474787f750de3db35983f11efef27366)
+            check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
+            check_type(argname="argument log_configurations", value=log_configurations, expected_type=type_hints["log_configurations"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "user_pool_id": user_pool_id,
+        }
+        if log_configurations is not None:
+            self._values["log_configurations"] = log_configurations
+
+    @builtins.property
+    def user_pool_id(self) -> builtins.str:
+        '''The ID of the user pool where you configured logging.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html#cfn-cognito-logdeliveryconfiguration-userpoolid
+        '''
+        result = self._values.get("user_pool_id")
+        assert result is not None, "Required property 'user_pool_id' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def log_configurations(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnLogDeliveryConfiguration.LogConfigurationProperty]]]]:
+        '''A logging destination of a user pool.
+
+        User pools can have multiple logging destinations for message-delivery and user-activity logs.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfigurations
+        '''
+        result = self._values.get("log_configurations")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnLogDeliveryConfiguration.LogConfigurationProperty]]]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnLogDeliveryConfigurationProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556)
+class CfnManagedLoginBranding(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_cognito.CfnManagedLoginBranding",
+):
+    '''Creates a new set of branding settings for a user pool style and associates it with an app client.
+
+    This operation is the programmatic option for the creation of a new style in the branding designer.
+
+    Provides values for UI customization in a ``Settings`` JSON object and image files in an ``Assets`` array. To send the JSON object ``Document`` type parameter in ``Settings`` , you might need to update to the most recent version of your AWS SDK.
+
+    This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
+
+    As a best practice, modify the output of `DescribeManagedLoginBrandingByClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html>`_ into the request parameters for this operation. To get all settings, set ``ReturnMergedResources`` to ``true`` . For more information, see `API and SDK operations for managed login branding <https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api>`_
+    .. epigraph::
+
+       Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
+
+       **Learn more** - `Signing AWS API Requests <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html>`_
+
+       - `Using the Amazon Cognito user pools API and user pool endpoints <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html>`_
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html
+    :cloudformationResource: AWS::Cognito::ManagedLoginBranding
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_cognito as cognito
+        
+        # settings: Any
+        
+        cfn_managed_login_branding = cognito.CfnManagedLoginBranding(self, "MyCfnManagedLoginBranding",
+            user_pool_id="userPoolId",
+        
+            # the properties below are optional
+            assets=[cognito.CfnManagedLoginBranding.AssetTypeProperty(
+                category="category",
+                color_mode="colorMode",
+                extension="extension",
+        
+                # the properties below are optional
+                bytes="bytes",
+                resource_id="resourceId"
+            )],
+            client_id="clientId",
+            return_merged_resources=False,
+            settings=settings,
+            use_cognito_provided_values=False
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        user_pool_id: builtins.str,
+        assets: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnManagedLoginBranding.AssetTypeProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        client_id: typing.Optional[builtins.str] = None,
+        return_merged_resources: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        settings: typing.Any = None,
+        use_cognito_provided_values: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param user_pool_id: The user pool where the branding style is assigned.
+        :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
+        :param client_id: 
+        :param return_merged_resources: 
+        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to a "blank" style that you can modify later in the branding designer.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__478f8899894ffccc3f20b06ae18c36beb41bf5c5c9aa65a99dbdbf95ce00be03)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnManagedLoginBrandingProps(
+            user_pool_id=user_pool_id,
+            assets=assets,
+            client_id=client_id,
+            return_merged_resources=return_merged_resources,
+            settings=settings,
+            use_cognito_provided_values=use_cognito_provided_values,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a0d347f9b2c0101529861e949ebe0a802ebc429100648b4c870711c733b50faa)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1112e058064e524fbe515ff8791467e6949341c6ddd8deb9c33af3658b16d447)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrManagedLoginBrandingId")
+    def attr_managed_login_branding_id(self) -> builtins.str:
+        '''The ID of the managed login branding style.
+
+        :cloudformationAttribute: ManagedLoginBrandingId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrManagedLoginBrandingId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="userPoolId")
+    def user_pool_id(self) -> builtins.str:
+        '''The user pool where the branding style is assigned.'''
+        return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
+
+    @user_pool_id.setter
+    def user_pool_id(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__73b2532ea6e2300654d7fcc90b2b1fd38f772128b765556475cff8c1be577731)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "userPoolId", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="assets")
+    def assets(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnManagedLoginBranding.AssetTypeProperty"]]]]:
+        '''An array of image files that you want to apply to roles like backgrounds, logos, and icons.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnManagedLoginBranding.AssetTypeProperty"]]]], jsii.get(self, "assets"))
+
+    @assets.setter
+    def assets(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnManagedLoginBranding.AssetTypeProperty"]]]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__fc790275f28767420e82246bd64663082d888a2c93af667d6c769ece2924f786)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "assets", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="clientId")
+    def client_id(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "clientId"))
+
+    @client_id.setter
+    def client_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a668420e0b3cbceec0ade65febad3505a8186912fb1310c4ecdfbbcd6bac7dc2)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "clientId", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="returnMergedResources")
+    def return_merged_resources(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "returnMergedResources"))
+
+    @return_merged_resources.setter
+    def return_merged_resources(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ea8e49ce2efc2678bcbf1fdf919c5bbeac64755b39b20ef47a3f76532c424dfc)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "returnMergedResources", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="settings")
+    def settings(self) -> typing.Any:
+        '''A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.'''
+        return typing.cast(typing.Any, jsii.get(self, "settings"))
+
+    @settings.setter
+    def settings(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f22fe695e1f64d8a038409355220b2e920e04882727bafb532a5728f1ffe677c)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "settings", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="useCognitoProvidedValues")
+    def use_cognito_provided_values(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''When true, applies the default branding style options.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "useCognitoProvidedValues"))
+
+    @use_cognito_provided_values.setter
+    def use_cognito_provided_values(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__4b61f0689e78fea36c23c402c48085be3f2c198b922507818947333d59445895)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "useCognitoProvidedValues", value) # pyright: ignore[reportArgumentType]
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_cognito.CfnManagedLoginBranding.AssetTypeProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "category": "category",
+            "color_mode": "colorMode",
+            "extension": "extension",
+            "bytes": "bytes",
+            "resource_id": "resourceId",
+        },
+    )
+    class AssetTypeProperty:
+        def __init__(
+            self,
+            *,
+            category: builtins.str,
+            color_mode: builtins.str,
+            extension: builtins.str,
+            bytes: typing.Optional[builtins.str] = None,
+            resource_id: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''An image file from a managed login branding style in a user pool.
+
+            This data type is a request parameter of `CreateManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html>`_ and `UpdateManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html>`_ , and a response parameter of `DescribeManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html>`_ .
+
+            :param category: The category that the image corresponds to in your managed login configuration. Managed login has asset categories for different types of logos, backgrounds, and icons.
+            :param color_mode: The display-mode target of the asset: light, dark, or browser-adaptive. For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
+            :param extension: The file type of the image file.
+            :param bytes: The image file, in Base64-encoded binary.
+            :param resource_id: The ID of the asset.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_cognito as cognito
+                
+                asset_type_property = cognito.CfnManagedLoginBranding.AssetTypeProperty(
+                    category="category",
+                    color_mode="colorMode",
+                    extension="extension",
+                
+                    # the properties below are optional
+                    bytes="bytes",
+                    resource_id="resourceId"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__a8c0b7bdabc4393d484227225be1727f821e164eec56517d614639ac2059509c)
+                check_type(argname="argument category", value=category, expected_type=type_hints["category"])
+                check_type(argname="argument color_mode", value=color_mode, expected_type=type_hints["color_mode"])
+                check_type(argname="argument extension", value=extension, expected_type=type_hints["extension"])
+                check_type(argname="argument bytes", value=bytes, expected_type=type_hints["bytes"])
+                check_type(argname="argument resource_id", value=resource_id, expected_type=type_hints["resource_id"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "category": category,
+                "color_mode": color_mode,
+                "extension": extension,
+            }
+            if bytes is not None:
+                self._values["bytes"] = bytes
+            if resource_id is not None:
+                self._values["resource_id"] = resource_id
+
+        @builtins.property
+        def category(self) -> builtins.str:
+            '''The category that the image corresponds to in your managed login configuration.
+
+            Managed login has asset categories for different types of logos, backgrounds, and icons.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-category
+            '''
+            result = self._values.get("category")
+            assert result is not None, "Required property 'category' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def color_mode(self) -> builtins.str:
+            '''The display-mode target of the asset: light, dark, or browser-adaptive.
+
+            For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-colormode
+            '''
+            result = self._values.get("color_mode")
+            assert result is not None, "Required property 'color_mode' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def extension(self) -> builtins.str:
+            '''The file type of the image file.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-extension
+            '''
+            result = self._values.get("extension")
+            assert result is not None, "Required property 'extension' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def bytes(self) -> typing.Optional[builtins.str]:
+            '''The image file, in Base64-encoded binary.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-bytes
+            '''
+            result = self._values.get("bytes")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def resource_id(self) -> typing.Optional[builtins.str]:
+            '''The ID of the asset.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-resourceid
+            '''
+            result = self._values.get("resource_id")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "AssetTypeProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cognito.CfnManagedLoginBrandingProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "user_pool_id": "userPoolId",
+        "assets": "assets",
+        "client_id": "clientId",
+        "return_merged_resources": "returnMergedResources",
+        "settings": "settings",
+        "use_cognito_provided_values": "useCognitoProvidedValues",
+    },
+)
+class CfnManagedLoginBrandingProps:
+    def __init__(
+        self,
+        *,
+        user_pool_id: builtins.str,
+        assets: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnManagedLoginBranding.AssetTypeProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        client_id: typing.Optional[builtins.str] = None,
+        return_merged_resources: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        settings: typing.Any = None,
+        use_cognito_provided_values: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    ) -> None:
+        '''Properties for defining a ``CfnManagedLoginBranding``.
+
+        :param user_pool_id: The user pool where the branding style is assigned.
+        :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
+        :param client_id: 
+        :param return_merged_resources: 
+        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to a "blank" style that you can modify later in the branding designer.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_cognito as cognito
+            
+            # settings: Any
+            
+            cfn_managed_login_branding_props = cognito.CfnManagedLoginBrandingProps(
+                user_pool_id="userPoolId",
+            
+                # the properties below are optional
+                assets=[cognito.CfnManagedLoginBranding.AssetTypeProperty(
+                    category="category",
+                    color_mode="colorMode",
+                    extension="extension",
+            
+                    # the properties below are optional
+                    bytes="bytes",
+                    resource_id="resourceId"
+                )],
+                client_id="clientId",
+                return_merged_resources=False,
+                settings=settings,
+                use_cognito_provided_values=False
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__60e207e1aa2ab8ae23b36c3e1ae73765c6f328b13bf0c7b205865e93adc260df)
             check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
-            check_type(argname="argument log_configurations", value=log_configurations, expected_type=type_hints["log_configurations"])
+            check_type(argname="argument assets", value=assets, expected_type=type_hints["assets"])
+            check_type(argname="argument client_id", value=client_id, expected_type=type_hints["client_id"])
+            check_type(argname="argument return_merged_resources", value=return_merged_resources, expected_type=type_hints["return_merged_resources"])
+            check_type(argname="argument settings", value=settings, expected_type=type_hints["settings"])
+            check_type(argname="argument use_cognito_provided_values", value=use_cognito_provided_values, expected_type=type_hints["use_cognito_provided_values"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "user_pool_id": user_pool_id,
         }
-        if log_configurations is not None:
-            self._values["log_configurations"] = log_configurations
+        if assets is not None:
+            self._values["assets"] = assets
+        if client_id is not None:
+            self._values["client_id"] = client_id
+        if return_merged_resources is not None:
+            self._values["return_merged_resources"] = return_merged_resources
+        if settings is not None:
+            self._values["settings"] = settings
+        if use_cognito_provided_values is not None:
+            self._values["use_cognito_provided_values"] = use_cognito_provided_values
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The ID of the user pool where you configured logging.
+        '''The user pool where the branding style is assigned.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html#cfn-cognito-logdeliveryconfiguration-userpoolid
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-userpoolid
         '''
         result = self._values.get("user_pool_id")
         assert result is not None, "Required property 'user_pool_id' is missing"
         return typing.cast(builtins.str, result)
 
     @builtins.property
-    def log_configurations(
+    def assets(
         self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnLogDeliveryConfiguration.LogConfigurationProperty]]]]:
-        '''A logging destination of a user pool.
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnManagedLoginBranding.AssetTypeProperty]]]]:
+        '''An array of image files that you want to apply to roles like backgrounds, logos, and icons.
 
-        User pools can have multiple logging destinations for message-delivery and user-activity logs.
+        Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfigurations
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-assets
         '''
-        result = self._values.get("log_configurations")
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnLogDeliveryConfiguration.LogConfigurationProperty]]]], result)
+        result = self._values.get("assets")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnManagedLoginBranding.AssetTypeProperty]]]], result)
+
+    @builtins.property
+    def client_id(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-clientid
+        '''
+        result = self._values.get("client_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def return_merged_resources(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-returnmergedresources
+        '''
+        result = self._values.get("return_merged_resources")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
+    @builtins.property
+    def settings(self) -> typing.Any:
+        '''A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-settings
+        '''
+        result = self._values.get("settings")
+        return typing.cast(typing.Any, result)
+
+    @builtins.property
+    def use_cognito_provided_values(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''When true, applies the default branding style options.
+
+        This option reverts to a "blank" style that you can modify later in the branding designer.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-usecognitoprovidedvalues
+        '''
+        result = self._values.get("use_cognito_provided_values")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -3952,7 +4533,7 @@ class CfnLogDeliveryConfigurationProps:
         return not (rhs == self)
 
     def __repr__(self) -> str:
-        return "CfnLogDeliveryConfigurationProps(%s)" % ", ".join(
+        return "CfnManagedLoginBrandingProps(%s)" % ", ".join(
             k + "=" + repr(v) for k, v in self._values.items()
         )
 
@@ -4052,6 +4633,9 @@ class CfnUserPool(
                     require_symbols=False,
                     require_uppercase=False,
                     temporary_password_validity_days=123
+                ),
+                sign_in_policy=cognito.CfnUserPool.SignInPolicyProperty(
+                    allowed_first_auth_factors=["allowedFirstAuthFactors"]
                 )
             ),
             schema=[cognito.CfnUserPool.SchemaAttributeProperty(
@@ -4091,6 +4675,7 @@ class CfnUserPool(
             ),
             user_pool_name="userPoolName",
             user_pool_tags=user_pool_tags,
+            user_pool_tier="userPoolTier",
             verification_message_template=cognito.CfnUserPool.VerificationMessageTemplateProperty(
                 default_email_option="defaultEmailOption",
                 email_message="emailMessage",
@@ -4098,7 +4683,9 @@ class CfnUserPool(
                 email_subject="emailSubject",
                 email_subject_by_link="emailSubjectByLink",
                 sms_message="smsMessage"
-            )
+            ),
+            web_authn_relying_party_id="webAuthnRelyingPartyId",
+            web_authn_user_verification="webAuthnUserVerification"
         )
     '''
 
@@ -4132,7 +4719,10 @@ class CfnUserPool(
         user_pool_add_ons: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.UserPoolAddOnsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         user_pool_name: typing.Optional[builtins.str] = None,
         user_pool_tags: typing.Any = None,
+        user_pool_tier: typing.Optional[builtins.str] = None,
         verification_message_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.VerificationMessageTemplateProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        web_authn_relying_party_id: typing.Optional[builtins.str] = None,
+        web_authn_user_verification: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
@@ -4162,7 +4752,10 @@ class CfnUserPool(
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
+        :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
         :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
+        :param web_authn_relying_party_id: 
+        :param web_authn_user_verification: 
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc37ee551)
@@ -4194,7 +4787,10 @@ class CfnUserPool(
             user_pool_add_ons=user_pool_add_ons,
             user_pool_name=user_pool_name,
             user_pool_tags=user_pool_tags,
+            user_pool_tier=user_pool_tier,
             verification_message_template=verification_message_template,
+            web_authn_relying_party_id=web_authn_relying_party_id,
+            web_authn_user_verification=web_authn_user_verification,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -4675,6 +5271,19 @@ class CfnUserPool(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "userPoolTagsRaw", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolTier")
+    def user_pool_tier(self) -> typing.Optional[builtins.str]:
+        '''The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "userPoolTier"))
+
+    @user_pool_tier.setter
+    def user_pool_tier(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7b34a7e631952732eaf3564630f968b4a1066c2249e1bd77fa5894ac20d552db)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "userPoolTier", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="verificationMessageTemplate")
     def verification_message_template(
@@ -4693,6 +5302,30 @@ class CfnUserPool(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "verificationMessageTemplate", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="webAuthnRelyingPartyId")
+    def web_authn_relying_party_id(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "webAuthnRelyingPartyId"))
+
+    @web_authn_relying_party_id.setter
+    def web_authn_relying_party_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2a2852b3b820fa8903c8ee86e4c615c763dbc2f40270d7dddb4851a596a4b629)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "webAuthnRelyingPartyId", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="webAuthnUserVerification")
+    def web_authn_user_verification(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "webAuthnUserVerification"))
+
+    @web_authn_user_verification.setter
+    def web_authn_user_verification(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__39e1b7a43a4375c7269c036061949915e9a6e4528f8341df4df0a6b046ac6a11)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "webAuthnUserVerification", value) # pyright: ignore[reportArgumentType]
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_cognito.CfnUserPool.AccountRecoverySettingProperty",
         jsii_struct_bases=[],
@@ -4781,7 +5414,7 @@ class CfnUserPool(
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the `SignUp <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html>`_ operation.
-            :param invite_message_template: The template for the welcome message to new users. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
+            :param invite_message_template: The template for the welcome message to new users. This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
             :param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of `PasswordPolicyType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html>`_ . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` . The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
@@ -4835,6 +5468,8 @@ class CfnUserPool(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.InviteMessageTemplateProperty"]]:
             '''The template for the welcome message to new users.
 
+            This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder.
+
             See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-invitemessagetemplate
@@ -5335,6 +5970,8 @@ class CfnUserPool(
         ) -> None:
             '''The template for the welcome message to new users.
 
+            This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder.
+
             See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
 
             :param email_message: The message template for email messages. EmailMessage is allowed only if `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is DEVELOPER.
@@ -5954,19 +6591,24 @@ class CfnUserPool(
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_cognito.CfnUserPool.PoliciesProperty",
         jsii_struct_bases=[],
-        name_mapping={"password_policy": "passwordPolicy"},
+        name_mapping={
+            "password_policy": "passwordPolicy",
+            "sign_in_policy": "signInPolicy",
+        },
     )
     class PoliciesProperty:
         def __init__(
             self,
             *,
             password_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.PasswordPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            sign_in_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.SignInPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
             '''A list of user pool policies. Contains the policy that sets password-complexity requirements.
 
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param password_policy: The password policy settings for a user pool, including complexity, history, and length requirements.
+            :param sign_in_policy: 
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html
             :exampleMetadata: fixture=_generated
@@ -5986,15 +6628,21 @@ class CfnUserPool(
                         require_symbols=False,
                         require_uppercase=False,
                         temporary_password_validity_days=123
+                    ),
+                    sign_in_policy=cognito.CfnUserPool.SignInPolicyProperty(
+                        allowed_first_auth_factors=["allowedFirstAuthFactors"]
                     )
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__9a9937f0b75c9ab1976e5dbd8fe12631390f6d478c894cb0164171b2f9dc39c5)
                 check_type(argname="argument password_policy", value=password_policy, expected_type=type_hints["password_policy"])
+                check_type(argname="argument sign_in_policy", value=sign_in_policy, expected_type=type_hints["sign_in_policy"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
             if password_policy is not None:
                 self._values["password_policy"] = password_policy
+            if sign_in_policy is not None:
+                self._values["sign_in_policy"] = sign_in_policy
 
         @builtins.property
         def password_policy(
@@ -6007,6 +6655,16 @@ class CfnUserPool(
             result = self._values.get("password_policy")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PasswordPolicyProperty"]], result)
 
+        @builtins.property
+        def sign_in_policy(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SignInPolicyProperty"]]:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-signinpolicy
+            '''
+            result = self._values.get("sign_in_policy")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SignInPolicyProperty"]], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -6359,6 +7017,61 @@ class CfnUserPool(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_cognito.CfnUserPool.SignInPolicyProperty",
+        jsii_struct_bases=[],
+        name_mapping={"allowed_first_auth_factors": "allowedFirstAuthFactors"},
+    )
+    class SignInPolicyProperty:
+        def __init__(
+            self,
+            *,
+            allowed_first_auth_factors: typing.Optional[typing.Sequence[builtins.str]] = None,
+        ) -> None:
+            '''
+            :param allowed_first_auth_factors: 
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_cognito as cognito
+                
+                sign_in_policy_property = cognito.CfnUserPool.SignInPolicyProperty(
+                    allowed_first_auth_factors=["allowedFirstAuthFactors"]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__71f41ee8011d666621169ad6aeb915855a76a5e105809ce7914229f99c53dd8d)
+                check_type(argname="argument allowed_first_auth_factors", value=allowed_first_auth_factors, expected_type=type_hints["allowed_first_auth_factors"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if allowed_first_auth_factors is not None:
+                self._values["allowed_first_auth_factors"] = allowed_first_auth_factors
+
+        @builtins.property
+        def allowed_first_auth_factors(
+            self,
+        ) -> typing.Optional[typing.List[builtins.str]]:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html#cfn-cognito-userpool-signinpolicy-allowedfirstauthfactors
+            '''
+            result = self._values.get("allowed_first_auth_factors")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "SignInPolicyProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_cognito.CfnUserPool.SmsConfigurationProperty",
         jsii_struct_bases=[],
@@ -7024,16 +7737,16 @@ class CfnUserPoolClient(
         :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
         :param client_name: The client name for the user pool client you would like to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. For more information, see `Default redirect URI <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#cognito-user-pools-app-idp-settings-about>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
-        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
+        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
-        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
+        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
-        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
+        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
         '''
@@ -7766,16 +8479,16 @@ class CfnUserPoolClientProps:
         :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
         :param client_name: The client name for the user pool client you would like to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. For more information, see `Default redirect URI <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#cognito-user-pools-app-idp-settings-about>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
-        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
+        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
-        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
+        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
-        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
+        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
 
@@ -8055,7 +8768,7 @@ class CfnUserPoolClientProps:
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
         '''Activates the propagation of additional user context data.
 
-        For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
+        For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-enablepropagateadditionalusercontextdata
         '''
@@ -8086,6 +8799,7 @@ class CfnUserPoolClientProps:
 
         Valid values include:
 
+        - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` .
         - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.
         - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication.
         - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
@@ -8196,6 +8910,8 @@ class CfnUserPoolClientProps:
 
         The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
 
+        This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-supportedidentityproviders
         '''
         result = self._values.get("supported_identity_providers")
@@ -8266,7 +8982,8 @@ class CfnUserPoolDomain(
             # the properties below are optional
             custom_domain_config=cognito.CfnUserPoolDomain.CustomDomainConfigTypeProperty(
                 certificate_arn="certificateArn"
-            )
+            ),
+            managed_login_version=123
         )
     '''
 
@@ -8278,13 +8995,15 @@ class CfnUserPoolDomain(
         domain: builtins.str,
         user_pool_id: builtins.str,
         custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolDomain.CustomDomainConfigTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        managed_login_version: typing.Optional[jsii.Number] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
         :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
-        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM.
+        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
+        :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__6e0b36c4d155cfdfa9801e3f221c4fe6c5403bf24a64d17bd90fb5386301d675)
@@ -8294,6 +9013,7 @@ class CfnUserPoolDomain(
             domain=domain,
             user_pool_id=user_pool_id,
             custom_domain_config=custom_domain_config,
+            managed_login_version=managed_login_version,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -8395,6 +9115,19 @@ class CfnUserPoolDomain(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "customDomainConfig", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="managedLoginVersion")
+    def managed_login_version(self) -> typing.Optional[jsii.Number]:
+        '''A version number that indicates the state of managed login for your domain.'''
+        return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "managedLoginVersion"))
+
+    @managed_login_version.setter
+    def managed_login_version(self, value: typing.Optional[jsii.Number]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b1d6e8e96816f3572291ff67691b98d76a166cf058320e0e73e58062b8093526)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "managedLoginVersion", value) # pyright: ignore[reportArgumentType]
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolDomain.CustomDomainConfigTypeProperty",
         jsii_struct_bases=[],
@@ -8462,6 +9195,7 @@ class CfnUserPoolDomain(
         "domain": "domain",
         "user_pool_id": "userPoolId",
         "custom_domain_config": "customDomainConfig",
+        "managed_login_version": "managedLoginVersion",
     },
 )
 class CfnUserPoolDomainProps:
@@ -8471,12 +9205,14 @@ class CfnUserPoolDomainProps:
         domain: builtins.str,
         user_pool_id: builtins.str,
         custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPoolDomain.CustomDomainConfigTypeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        managed_login_version: typing.Optional[jsii.Number] = None,
     ) -> None:
         '''Properties for defining a ``CfnUserPoolDomain``.
 
         :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
         :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
-        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM.
+        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
+        :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html
         :exampleMetadata: fixture=_generated
@@ -8494,7 +9230,8 @@ class CfnUserPoolDomainProps:
                 # the properties below are optional
                 custom_domain_config=cognito.CfnUserPoolDomain.CustomDomainConfigTypeProperty(
                     certificate_arn="certificateArn"
-                )
+                ),
+                managed_login_version=123
             )
         '''
         if __debug__:
@@ -8502,12 +9239,15 @@ class CfnUserPoolDomainProps:
             check_type(argname="argument domain", value=domain, expected_type=type_hints["domain"])
             check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
             check_type(argname="argument custom_domain_config", value=custom_domain_config, expected_type=type_hints["custom_domain_config"])
+            check_type(argname="argument managed_login_version", value=managed_login_version, expected_type=type_hints["managed_login_version"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "domain": domain,
             "user_pool_id": user_pool_id,
         }
         if custom_domain_config is not None:
             self._values["custom_domain_config"] = custom_domain_config
+        if managed_login_version is not None:
+            self._values["managed_login_version"] = managed_login_version
 
     @builtins.property
     def domain(self) -> builtins.str:
@@ -8541,11 +9281,24 @@ class CfnUserPoolDomainProps:
 
         Use this object to specify an SSL certificate that is managed by ACM.
 
+        When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-customdomainconfig
         '''
         result = self._values.get("custom_domain_config")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolDomain.CustomDomainConfigTypeProperty]], result)
 
+    @builtins.property
+    def managed_login_version(self) -> typing.Optional[jsii.Number]:
+        '''A version number that indicates the state of managed login for your domain.
+
+        Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-managedloginversion
+        '''
+        result = self._values.get("managed_login_version")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -9254,7 +10007,10 @@ class CfnUserPoolIdentityProviderProps:
         "user_pool_add_ons": "userPoolAddOns",
         "user_pool_name": "userPoolName",
         "user_pool_tags": "userPoolTags",
+        "user_pool_tier": "userPoolTier",
         "verification_message_template": "verificationMessageTemplate",
+        "web_authn_relying_party_id": "webAuthnRelyingPartyId",
+        "web_authn_user_verification": "webAuthnUserVerification",
     },
 )
 class CfnUserPoolProps:
@@ -9286,7 +10042,10 @@ class CfnUserPoolProps:
         user_pool_add_ons: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.UserPoolAddOnsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         user_pool_name: typing.Optional[builtins.str] = None,
         user_pool_tags: typing.Any = None,
+        user_pool_tier: typing.Optional[builtins.str] = None,
         verification_message_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.VerificationMessageTemplateProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        web_authn_relying_party_id: typing.Optional[builtins.str] = None,
+        web_authn_user_verification: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for defining a ``CfnUserPool``.
 
@@ -9315,7 +10074,10 @@ class CfnUserPoolProps:
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
+        :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
         :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
+        :param web_authn_relying_party_id: 
+        :param web_authn_user_verification: 
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
         :exampleMetadata: fixture=_generated
@@ -9398,6 +10160,9 @@ class CfnUserPoolProps:
                         require_symbols=False,
                         require_uppercase=False,
                         temporary_password_validity_days=123
+                    ),
+                    sign_in_policy=cognito.CfnUserPool.SignInPolicyProperty(
+                        allowed_first_auth_factors=["allowedFirstAuthFactors"]
                     )
                 ),
                 schema=[cognito.CfnUserPool.SchemaAttributeProperty(
@@ -9437,6 +10202,7 @@ class CfnUserPoolProps:
                 ),
                 user_pool_name="userPoolName",
                 user_pool_tags=user_pool_tags,
+                user_pool_tier="userPoolTier",
                 verification_message_template=cognito.CfnUserPool.VerificationMessageTemplateProperty(
                     default_email_option="defaultEmailOption",
                     email_message="emailMessage",
@@ -9444,7 +10210,9 @@ class CfnUserPoolProps:
                     email_subject="emailSubject",
                     email_subject_by_link="emailSubjectByLink",
                     sms_message="smsMessage"
-                )
+                ),
+                web_authn_relying_party_id="webAuthnRelyingPartyId",
+                web_authn_user_verification="webAuthnUserVerification"
             )
         '''
         if __debug__:
@@ -9474,7 +10242,10 @@ class CfnUserPoolProps:
             check_type(argname="argument user_pool_add_ons", value=user_pool_add_ons, expected_type=type_hints["user_pool_add_ons"])
             check_type(argname="argument user_pool_name", value=user_pool_name, expected_type=type_hints["user_pool_name"])
             check_type(argname="argument user_pool_tags", value=user_pool_tags, expected_type=type_hints["user_pool_tags"])
+            check_type(argname="argument user_pool_tier", value=user_pool_tier, expected_type=type_hints["user_pool_tier"])
             check_type(argname="argument verification_message_template", value=verification_message_template, expected_type=type_hints["verification_message_template"])
+            check_type(argname="argument web_authn_relying_party_id", value=web_authn_relying_party_id, expected_type=type_hints["web_authn_relying_party_id"])
+            check_type(argname="argument web_authn_user_verification", value=web_authn_user_verification, expected_type=type_hints["web_authn_user_verification"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if account_recovery_setting is not None:
             self._values["account_recovery_setting"] = account_recovery_setting
@@ -9526,8 +10297,14 @@ class CfnUserPoolProps:
             self._values["user_pool_name"] = user_pool_name
         if user_pool_tags is not None:
             self._values["user_pool_tags"] = user_pool_tags
+        if user_pool_tier is not None:
+            self._values["user_pool_tier"] = user_pool_tier
         if verification_message_template is not None:
             self._values["verification_message_template"] = verification_message_template
+        if web_authn_relying_party_id is not None:
+            self._values["web_authn_relying_party_id"] = web_authn_relying_party_id
+        if web_authn_user_verification is not None:
+            self._values["web_authn_user_verification"] = web_authn_user_verification
 
     @builtins.property
     def account_recovery_setting(
@@ -9836,6 +10613,15 @@ class CfnUserPoolProps:
         result = self._values.get("user_pool_tags")
         return typing.cast(typing.Any, result)
 
+    @builtins.property
+    def user_pool_tier(self) -> typing.Optional[builtins.str]:
+        '''The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooltier
+        '''
+        result = self._values.get("user_pool_tier")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def verification_message_template(
         self,
@@ -9849,6 +10635,22 @@ class CfnUserPoolProps:
         result = self._values.get("verification_message_template")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.VerificationMessageTemplateProperty]], result)
 
+    @builtins.property
+    def web_authn_relying_party_id(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-webauthnrelyingpartyid
+        '''
+        result = self._values.get("web_authn_relying_party_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def web_authn_user_verification(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-webauthnuserverification
+        '''
+        result = self._values.get("web_authn_user_verification")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -11718,7 +12520,7 @@ class CfnUserPoolUser(
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
         '''
@@ -12008,7 +12810,7 @@ class CfnUserPoolUserProps:
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
 
@@ -12153,6 +12955,8 @@ class CfnUserPoolUserProps:
 
         To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.
 
+        You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` .
+
         In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ .
 
         - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter.
@@ -13026,6 +13830,21 @@ class EmailSettings:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.FeaturePlan")
+class FeaturePlan(enum.Enum):
+    '''The user pool feature plan, or tier.
+
+    :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
+    '''
+
+    LITE = "LITE"
+    '''Lite feature plan.'''
+    ESSENTIALS = "ESSENTIALS"
+    '''Essentials feature plan.'''
+    PLUS = "PLUS"
+    '''Plus feature plan.'''
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_cognito.ICustomAttribute")
 class ICustomAttribute(typing_extensions.Protocol):
     '''Represents a custom attribute type.'''
@@ -13774,7 +14593,7 @@ class MfaSecondFactor:
 
         :param otp: The MFA token is a time-based one time password that is generated by a hardware or software token. Default: false
         :param sms: The MFA token is sent to the user via SMS to their verified phone numbers. Default: true
-        :param email: The MFA token is sent to the user via EMAIL. To enable email-based MFA, set ``email`` property to the Amazon SES email-sending configuration and set ``advancedSecurityMode`` to ``AdvancedSecurity.ENFORCED`` or ``AdvancedSecurity.AUDIT`` Default: false
+        :param email: The MFA token is sent to the user via EMAIL. To enable email-based MFA, set ``email`` property to the Amazon SES email-sending configuration and set ``feturePlan`` to ``FeaturePlan.ESSENTIALS`` or ``FeaturePlan.PLUS`` Default: false
 
         :see: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
         :exampleMetadata: infused
@@ -13832,7 +14651,7 @@ class MfaSecondFactor:
         '''The MFA token is sent to the user via EMAIL.
 
         To enable email-based MFA, set ``email`` property to the Amazon SES email-sending configuration
-        and set ``advancedSecurityMode`` to ``AdvancedSecurity.ENFORCED`` or ``AdvancedSecurity.AUDIT``
+        and set ``feturePlan`` to ``FeaturePlan.ESSENTIALS`` or ``FeaturePlan.PLUS``
 
         :default: false
 
@@ -16392,6 +17211,7 @@ class UserPool(
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
         email: typing.Optional["UserPoolEmail"] = None,
         enable_sms_role: typing.Optional[builtins.bool] = None,
+        feature_plan: typing.Optional[FeaturePlan] = None,
         keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         lambda_triggers: typing.Optional[typing.Union["UserPoolTriggers", typing.Dict[builtins.str, typing.Any]]] = None,
         mfa: typing.Optional[Mfa] = None,
@@ -16414,7 +17234,7 @@ class UserPool(
         :param scope: -
         :param id: -
         :param account_recovery: How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
-        :param advanced_security_mode: The user pool's Advanced Security Mode. Default: - no value
+        :param advanced_security_mode: (deprecated) The user pool's Advanced Security Mode. Default: - no value
         :param auto_verify: Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If ``signInAlias`` includes email and/or phone, they will be included in ``autoVerifiedAttributes`` by default. If absent, no attributes will be auto-verified.
         :param custom_attributes: Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.
         :param custom_sender_kms_key: This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured
@@ -16422,6 +17242,7 @@ class UserPool(
         :param device_tracking: Device tracking settings. Default: - see defaults on each property of DeviceTracking.
         :param email: Email settings for a user pool. Default: - cognito will use the default email configuration
         :param enable_sms_role: Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.
+        :param feature_plan: The user pool feature plan, or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
         :param keep_original: Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes. EMAIL and PHONE are the only available options. Default: - Nothing is kept.
         :param lambda_triggers: Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.
         :param mfa: Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF
@@ -16454,6 +17275,7 @@ class UserPool(
             device_tracking=device_tracking,
             email=email,
             enable_sms_role=enable_sms_role,
+            feature_plan=feature_plan,
             keep_original=keep_original,
             lambda_triggers=lambda_triggers,
             mfa=mfa,
@@ -17730,9 +18552,22 @@ class UserPoolDomain(
     @builtins.property
     @jsii.member(jsii_name="cloudFrontDomainName")
     def cloud_front_domain_name(self) -> builtins.str:
-        '''The domain name of the CloudFront distribution associated with the user pool domain.'''
+        '''(deprecated) The domain name of the CloudFront distribution associated with the user pool domain.
+
+        This method creates a custom resource internally to get the CloudFront domain name.
+
+        :deprecated: use ``cloudFrontEndpoint`` method instead.
+
+        :stability: deprecated
+        '''
         return typing.cast(builtins.str, jsii.get(self, "cloudFrontDomainName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="cloudFrontEndpoint")
+    def cloud_front_endpoint(self) -> builtins.str:
+        '''The domain name of the CloudFront distribution associated with the user pool domain.'''
+        return typing.cast(builtins.str, jsii.get(self, "cloudFrontEndpoint"))
+
     @builtins.property
     @jsii.member(jsii_name="domainName")
     def domain_name(self) -> builtins.str:
@@ -19684,6 +20519,7 @@ class UserPoolOperation(
         "device_tracking": "deviceTracking",
         "email": "email",
         "enable_sms_role": "enableSmsRole",
+        "feature_plan": "featurePlan",
         "keep_original": "keepOriginal",
         "lambda_triggers": "lambdaTriggers",
         "mfa": "mfa",
@@ -19716,6 +20552,7 @@ class UserPoolProps:
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
         email: typing.Optional[UserPoolEmail] = None,
         enable_sms_role: typing.Optional[builtins.bool] = None,
+        feature_plan: typing.Optional[FeaturePlan] = None,
         keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         lambda_triggers: typing.Optional[typing.Union["UserPoolTriggers", typing.Dict[builtins.str, typing.Any]]] = None,
         mfa: typing.Optional[Mfa] = None,
@@ -19737,7 +20574,7 @@ class UserPoolProps:
         '''Props for the UserPool construct.
 
         :param account_recovery: How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
-        :param advanced_security_mode: The user pool's Advanced Security Mode. Default: - no value
+        :param advanced_security_mode: (deprecated) The user pool's Advanced Security Mode. Default: - no value
         :param auto_verify: Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If ``signInAlias`` includes email and/or phone, they will be included in ``autoVerifiedAttributes`` by default. If absent, no attributes will be auto-verified.
         :param custom_attributes: Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.
         :param custom_sender_kms_key: This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured
@@ -19745,6 +20582,7 @@ class UserPoolProps:
         :param device_tracking: Device tracking settings. Default: - see defaults on each property of DeviceTracking.
         :param email: Email settings for a user pool. Default: - cognito will use the default email configuration
         :param enable_sms_role: Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.
+        :param feature_plan: The user pool feature plan, or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
         :param keep_original: Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes. EMAIL and PHONE are the only available options. Default: - Nothing is kept.
         :param lambda_triggers: Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.
         :param mfa: Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF
@@ -19809,6 +20647,7 @@ class UserPoolProps:
             check_type(argname="argument device_tracking", value=device_tracking, expected_type=type_hints["device_tracking"])
             check_type(argname="argument email", value=email, expected_type=type_hints["email"])
             check_type(argname="argument enable_sms_role", value=enable_sms_role, expected_type=type_hints["enable_sms_role"])
+            check_type(argname="argument feature_plan", value=feature_plan, expected_type=type_hints["feature_plan"])
             check_type(argname="argument keep_original", value=keep_original, expected_type=type_hints["keep_original"])
             check_type(argname="argument lambda_triggers", value=lambda_triggers, expected_type=type_hints["lambda_triggers"])
             check_type(argname="argument mfa", value=mfa, expected_type=type_hints["mfa"])
@@ -19845,6 +20684,8 @@ class UserPoolProps:
             self._values["email"] = email
         if enable_sms_role is not None:
             self._values["enable_sms_role"] = enable_sms_role
+        if feature_plan is not None:
+            self._values["feature_plan"] = feature_plan
         if keep_original is not None:
             self._values["keep_original"] = keep_original
         if lambda_triggers is not None:
@@ -19891,9 +20732,13 @@ class UserPoolProps:
 
     @builtins.property
     def advanced_security_mode(self) -> typing.Optional[AdvancedSecurityMode]:
-        '''The user pool's Advanced Security Mode.
+        '''(deprecated) The user pool's Advanced Security Mode.
 
         :default: - no value
+
+        :deprecated: Advanced Security Mode is deprecated in favor of user pool feature plans.
+
+        :stability: deprecated
         '''
         result = self._values.get("advanced_security_mode")
         return typing.cast(typing.Optional[AdvancedSecurityMode], result)
@@ -19972,6 +20817,19 @@ class UserPoolProps:
         result = self._values.get("enable_sms_role")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def feature_plan(self) -> typing.Optional[FeaturePlan]:
+        '''The user pool feature plan, or tier.
+
+        This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection.
+
+        :default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
+        '''
+        result = self._values.get("feature_plan")
+        return typing.cast(typing.Optional[FeaturePlan], result)
+
     @builtins.property
     def keep_original(self) -> typing.Optional[KeepOriginalAttrs]:
         '''Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
@@ -21994,6 +22852,8 @@ __all__ = [
     "CfnIdentityPoolRoleAttachmentProps",
     "CfnLogDeliveryConfiguration",
     "CfnLogDeliveryConfigurationProps",
+    "CfnManagedLoginBranding",
+    "CfnManagedLoginBrandingProps",
     "CfnUserPool",
     "CfnUserPoolClient",
     "CfnUserPoolClientProps",
@@ -22022,6 +22882,7 @@ __all__ = [
     "DateTimeAttribute",
     "DeviceTracking",
     "EmailSettings",
+    "FeaturePlan",
     "ICustomAttribute",
     "IUserPool",
     "IUserPoolClient",
@@ -22126,6 +22987,7 @@ def _typecheckingstub__3dd38e6e4617deee919f37d20a9ae635331043b4cf42c8d31fdbb0d3c
     *,
     admin_user_password: typing.Optional[builtins.bool] = None,
     custom: typing.Optional[builtins.bool] = None,
+    user: typing.Optional[builtins.bool] = None,
     user_password: typing.Optional[builtins.bool] = None,
     user_srp: typing.Optional[builtins.bool] = None,
 ) -> None:
@@ -22504,6 +23366,91 @@ def _typecheckingstub__585789fa8816c3e4ed9b3aa9967435c1474787f750de3db35983f11ef
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__478f8899894ffccc3f20b06ae18c36beb41bf5c5c9aa65a99dbdbf95ce00be03(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    user_pool_id: builtins.str,
+    assets: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnManagedLoginBranding.AssetTypeProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    client_id: typing.Optional[builtins.str] = None,
+    return_merged_resources: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    settings: typing.Any = None,
+    use_cognito_provided_values: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a0d347f9b2c0101529861e949ebe0a802ebc429100648b4c870711c733b50faa(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1112e058064e524fbe515ff8791467e6949341c6ddd8deb9c33af3658b16d447(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__73b2532ea6e2300654d7fcc90b2b1fd38f772128b765556475cff8c1be577731(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__fc790275f28767420e82246bd64663082d888a2c93af667d6c769ece2924f786(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnManagedLoginBranding.AssetTypeProperty]]]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a668420e0b3cbceec0ade65febad3505a8186912fb1310c4ecdfbbcd6bac7dc2(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__ea8e49ce2efc2678bcbf1fdf919c5bbeac64755b39b20ef47a3f76532c424dfc(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f22fe695e1f64d8a038409355220b2e920e04882727bafb532a5728f1ffe677c(
+    value: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__4b61f0689e78fea36c23c402c48085be3f2c198b922507818947333d59445895(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a8c0b7bdabc4393d484227225be1727f821e164eec56517d614639ac2059509c(
+    *,
+    category: builtins.str,
+    color_mode: builtins.str,
+    extension: builtins.str,
+    bytes: typing.Optional[builtins.str] = None,
+    resource_id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__60e207e1aa2ab8ae23b36c3e1ae73765c6f328b13bf0c7b205865e93adc260df(
+    *,
+    user_pool_id: builtins.str,
+    assets: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnManagedLoginBranding.AssetTypeProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    client_id: typing.Optional[builtins.str] = None,
+    return_merged_resources: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    settings: typing.Any = None,
+    use_cognito_provided_values: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc37ee551(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -22533,7 +23480,10 @@ def _typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc
     user_pool_add_ons: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.UserPoolAddOnsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     user_pool_name: typing.Optional[builtins.str] = None,
     user_pool_tags: typing.Any = None,
+    user_pool_tier: typing.Optional[builtins.str] = None,
     verification_message_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.VerificationMessageTemplateProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    web_authn_relying_party_id: typing.Optional[builtins.str] = None,
+    web_authn_user_verification: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22700,12 +23650,30 @@ def _typecheckingstub__c0ac7e31445bc4b1c75709a8cde084565899b188ecd5ed75a434afb3f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__7b34a7e631952732eaf3564630f968b4a1066c2249e1bd77fa5894ac20d552db(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__9163d1ccc0cf294430031f1b8b5289192a6e048b52e8181e9ca8707780aac888(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.VerificationMessageTemplateProperty]],
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__2a2852b3b820fa8903c8ee86e4c615c763dbc2f40270d7dddb4851a596a4b629(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__39e1b7a43a4375c7269c036061949915e9a6e4528f8341df4df0a6b046ac6a11(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__79c7f36a6b9a834beef59493981fd8b3c56dae29d4d3d36bb9b0a65305ebd4ce(
     *,
     recovery_mechanisms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.RecoveryOptionProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
@@ -22817,6 +23785,7 @@ def _typecheckingstub__388245a445a407251a06f0f49f236a6b0a76ff7177f23a1d5cd9d4ffa
 def _typecheckingstub__9a9937f0b75c9ab1976e5dbd8fe12631390f6d478c894cb0164171b2f9dc39c5(
     *,
     password_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.PasswordPolicyProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    sign_in_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.SignInPolicyProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22850,6 +23819,13 @@ def _typecheckingstub__9814951786a68c04c05f6bdb7eb01a34fa749e2fb6491b5414b8e8e27
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__71f41ee8011d666621169ad6aeb915855a76a5e105809ce7914229f99c53dd8d(
+    *,
+    allowed_first_auth_factors: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__7bdd79abbed6d1c2a56f92beb7e51f5c19f5fdeac49af18d379dda0e31605f6e(
     *,
     external_id: typing.Optional[builtins.str] = None,
@@ -23130,6 +24106,7 @@ def _typecheckingstub__6e0b36c4d155cfdfa9801e3f221c4fe6c5403bf24a64d17bd90fb5386
     domain: builtins.str,
     user_pool_id: builtins.str,
     custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPoolDomain.CustomDomainConfigTypeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    managed_login_version: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -23164,6 +24141,12 @@ def _typecheckingstub__534c4957c36eac9a89217ff1b762b65d25e33f26c5048218fc840dc7f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b1d6e8e96816f3572291ff67691b98d76a166cf058320e0e73e58062b8093526(
+    value: typing.Optional[jsii.Number],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__dde97995e450b3b0c5468a27b415565086c00f64bdc255f297a8471e77b85243(
     *,
     certificate_arn: typing.Optional[builtins.str] = None,
@@ -23176,6 +24159,7 @@ def _typecheckingstub__fe5ef2b7c4347565bc988b8d9120bbd5feadcfadd061512019de1519e
     domain: builtins.str,
     user_pool_id: builtins.str,
     custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPoolDomain.CustomDomainConfigTypeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    managed_login_version: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -23347,7 +24331,10 @@ def _typecheckingstub__00bbdbd31eb8d7342ce9883d0851b853acf61f6b243c0aa4323c025da
     user_pool_add_ons: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.UserPoolAddOnsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     user_pool_name: typing.Optional[builtins.str] = None,
     user_pool_tags: typing.Any = None,
+    user_pool_tier: typing.Optional[builtins.str] = None,
     verification_message_template: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPool.VerificationMessageTemplateProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    web_authn_relying_party_id: typing.Optional[builtins.str] = None,
+    web_authn_user_verification: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -24087,6 +25074,7 @@ def _typecheckingstub__677a8ec9a3f2a22d2dfde6fd6818121e4a071dc4e942f6bbe219e5a9b
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
     email: typing.Optional[UserPoolEmail] = None,
     enable_sms_role: typing.Optional[builtins.bool] = None,
+    feature_plan: typing.Optional[FeaturePlan] = None,
     keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     lambda_triggers: typing.Optional[typing.Union[UserPoolTriggers, typing.Dict[builtins.str, typing.Any]]] = None,
     mfa: typing.Optional[Mfa] = None,
@@ -24535,6 +25523,7 @@ def _typecheckingstub__754b1af40b4712720733e130c63a8ec0ca9a35d4cfb25450725d5aa02
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
     email: typing.Optional[UserPoolEmail] = None,
     enable_sms_role: typing.Optional[builtins.bool] = None,
+    feature_plan: typing.Optional[FeaturePlan] = None,
     keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     lambda_triggers: typing.Optional[typing.Union[UserPoolTriggers, typing.Dict[builtins.str, typing.Any]]] = None,
     mfa: typing.Optional[Mfa] = None,