aws-cdk-lib 2.172.0__py3-none-any.whl → 2.173.1__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -20,6 +20,7 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
   * [Table of Contents](#table-of-contents)
   * [User Pools](#user-pools)
 
+    * [User pool feature plans](#user-pool-feature-plans)
     * [Sign Up](#sign-up)
 
       * [Code Verification](#code-verification)
@@ -80,6 +81,20 @@ role = iam.Role(self, "role",
 user_pool.grant(role, "cognito-idp:AdminCreateUser")
 ```
 
+### User pool feature plans
+
+Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it.
+Lean more aboug [feature plans here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html).
+
+* *Lite* - a low-cost feature plan for user pools with lower numbers of monthly active users.
+* *Essentials* - all of the latest user pool authentication features.
+* *Plus* - includes everything in the Essentials plan and adds advanced security features that protect your users.
+
+The default feature plan is Essentials for newly create user pools.
+For the existing user pools, Lite plan is automatically set.
+
+Previously, some user pool features were included in [an advanced security features](#advanced-security-mode) pricing structure. The features that were included in this structure are now under either the Essentials or Plus plan.
+
 ### Sign Up
 
 Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their
@@ -311,8 +326,8 @@ configure an MFA token and use it for sign in. It also allows for the users to u
 [time-based one time password
 (TOTP)](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html).
 
-If you want to enable email-based MFA, set `email` propety to the Amazon SES email-sending configuration and set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`.
-For more information, see [Email MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security-email-mfa.html).
+If you want to enable email-based MFA, set `email` propety to the Amazon SES email-sending configuration and set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.
+For more information, see [SMS and email message MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html).
 
 ```python
 cognito.UserPool(self, "myuserpool",
@@ -368,6 +383,8 @@ A user will not be allowed to reset their password via phone if they are also us
 
 #### Advanced Security Mode
 
+⚠️ Advanced Security Mode is deprecated in favor of [user pool feature plans](#user-pool-feature-plans).
+
 User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the [documentation on Advanced security](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) to learn more.
 
 ```python
@@ -1153,9 +1170,12 @@ class AccountRecovery(enum.Enum):
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.AdvancedSecurityMode")
 class AdvancedSecurityMode(enum.Enum):
-    '''The different ways in which a user pool's Advanced Security Mode can be configured.
+    '''(deprecated) The different ways in which a user pool's Advanced Security Mode can be configured.
+
+    :deprecated: Advanced Security Mode is deprecated in favor of user pool feature plans.
 
     :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
+    :stability: deprecated
     :exampleMetadata: infused
 
     Example::
@@ -1167,14 +1187,22 @@ class AdvancedSecurityMode(enum.Enum):
     '''
 
     ENFORCED = "ENFORCED"
-    '''Enable advanced security mode.'''
+    '''(deprecated) Enable advanced security mode.
+
+    :stability: deprecated
+    '''
     AUDIT = "AUDIT"
-    '''gather metrics on detected risks without taking action.
+    '''(deprecated) gather metrics on detected risks without taking action.
 
     Metrics are published to Amazon CloudWatch
+
+    :stability: deprecated
     '''
     OFF = "OFF"
-    '''Advanced security mode is disabled.'''
+    '''(deprecated) Advanced security mode is disabled.
+
+    :stability: deprecated
+    '''
 
 
 @jsii.data_type(
@@ -3999,7 +4027,22 @@ class CfnManagedLoginBranding(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cognito.CfnManagedLoginBranding",
 ):
-    '''Resource Type definition for AWS::Cognito::ManagedLoginBranding.
+    '''Creates a new set of branding settings for a user pool style and associates it with an app client.
+
+    This operation is the programmatic option for the creation of a new style in the branding designer.
+
+    Provides values for UI customization in a ``Settings`` JSON object and image files in an ``Assets`` array. To send the JSON object ``Document`` type parameter in ``Settings`` , you might need to update to the most recent version of your AWS SDK.
+
+    This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
+
+    As a best practice, modify the output of `DescribeManagedLoginBrandingByClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html>`_ into the request parameters for this operation. To get all settings, set ``ReturnMergedResources`` to ``true`` . For more information, see `API and SDK operations for managed login branding <https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api>`_
+    .. epigraph::
+
+       Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
+
+       **Learn more** - `Signing AWS API Requests <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html>`_
+
+       - `Using the Amazon Cognito user pools API and user pool endpoints <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html>`_
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html
     :cloudformationResource: AWS::Cognito::ManagedLoginBranding
@@ -4048,12 +4091,12 @@ class CfnManagedLoginBranding(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param user_pool_id: 
-        :param assets: 
+        :param user_pool_id: The user pool where the branding style is assigned.
+        :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
         :param client_id: 
         :param return_merged_resources: 
-        :param settings: 
-        :param use_cognito_provided_values: 
+        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to a "blank" style that you can modify later in the branding designer.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__478f8899894ffccc3f20b06ae18c36beb41bf5c5c9aa65a99dbdbf95ce00be03)
@@ -4103,7 +4146,8 @@ class CfnManagedLoginBranding(
     @builtins.property
     @jsii.member(jsii_name="attrManagedLoginBrandingId")
     def attr_managed_login_branding_id(self) -> builtins.str:
-        '''
+        '''The ID of the managed login branding style.
+
         :cloudformationAttribute: ManagedLoginBrandingId
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrManagedLoginBrandingId"))
@@ -4116,6 +4160,7 @@ class CfnManagedLoginBranding(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
+        '''The user pool where the branding style is assigned.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -4130,6 +4175,7 @@ class CfnManagedLoginBranding(
     def assets(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnManagedLoginBranding.AssetTypeProperty"]]]]:
+        '''An array of image files that you want to apply to roles like backgrounds, logos, and icons.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnManagedLoginBranding.AssetTypeProperty"]]]], jsii.get(self, "assets"))
 
     @assets.setter
@@ -4174,6 +4220,7 @@ class CfnManagedLoginBranding(
     @builtins.property
     @jsii.member(jsii_name="settings")
     def settings(self) -> typing.Any:
+        '''A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.'''
         return typing.cast(typing.Any, jsii.get(self, "settings"))
 
     @settings.setter
@@ -4188,6 +4235,7 @@ class CfnManagedLoginBranding(
     def use_cognito_provided_values(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''When true, applies the default branding style options.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "useCognitoProvidedValues"))
 
     @use_cognito_provided_values.setter
@@ -4221,12 +4269,15 @@ class CfnManagedLoginBranding(
             bytes: typing.Optional[builtins.str] = None,
             resource_id: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''
-            :param category: 
-            :param color_mode: 
-            :param extension: 
-            :param bytes: 
-            :param resource_id: 
+            '''An image file from a managed login branding style in a user pool.
+
+            This data type is a request parameter of `CreateManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html>`_ and `UpdateManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html>`_ , and a response parameter of `DescribeManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html>`_ .
+
+            :param category: The category that the image corresponds to in your managed login configuration. Managed login has asset categories for different types of logos, backgrounds, and icons.
+            :param color_mode: The display-mode target of the asset: light, dark, or browser-adaptive. For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
+            :param extension: The file type of the image file.
+            :param bytes: The image file, in Base64-encoded binary.
+            :param resource_id: The ID of the asset.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html
             :exampleMetadata: fixture=_generated
@@ -4266,7 +4317,10 @@ class CfnManagedLoginBranding(
 
         @builtins.property
         def category(self) -> builtins.str:
-            '''
+            '''The category that the image corresponds to in your managed login configuration.
+
+            Managed login has asset categories for different types of logos, backgrounds, and icons.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-category
             '''
             result = self._values.get("category")
@@ -4275,7 +4329,10 @@ class CfnManagedLoginBranding(
 
         @builtins.property
         def color_mode(self) -> builtins.str:
-            '''
+            '''The display-mode target of the asset: light, dark, or browser-adaptive.
+
+            For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-colormode
             '''
             result = self._values.get("color_mode")
@@ -4284,7 +4341,8 @@ class CfnManagedLoginBranding(
 
         @builtins.property
         def extension(self) -> builtins.str:
-            '''
+            '''The file type of the image file.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-extension
             '''
             result = self._values.get("extension")
@@ -4293,7 +4351,8 @@ class CfnManagedLoginBranding(
 
         @builtins.property
         def bytes(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The image file, in Base64-encoded binary.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-bytes
             '''
             result = self._values.get("bytes")
@@ -4301,7 +4360,8 @@ class CfnManagedLoginBranding(
 
         @builtins.property
         def resource_id(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The ID of the asset.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-resourceid
             '''
             result = self._values.get("resource_id")
@@ -4344,12 +4404,12 @@ class CfnManagedLoginBrandingProps:
     ) -> None:
         '''Properties for defining a ``CfnManagedLoginBranding``.
 
-        :param user_pool_id: 
-        :param assets: 
+        :param user_pool_id: The user pool where the branding style is assigned.
+        :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
         :param client_id: 
         :param return_merged_resources: 
-        :param settings: 
-        :param use_cognito_provided_values: 
+        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to a "blank" style that you can modify later in the branding designer.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html
         :exampleMetadata: fixture=_generated
@@ -4405,7 +4465,8 @@ class CfnManagedLoginBrandingProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''
+        '''The user pool where the branding style is assigned.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-userpoolid
         '''
         result = self._values.get("user_pool_id")
@@ -4416,7 +4477,10 @@ class CfnManagedLoginBrandingProps:
     def assets(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnManagedLoginBranding.AssetTypeProperty]]]]:
-        '''
+        '''An array of image files that you want to apply to roles like backgrounds, logos, and icons.
+
+        Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-assets
         '''
         result = self._values.get("assets")
@@ -4442,7 +4506,8 @@ class CfnManagedLoginBrandingProps:
 
     @builtins.property
     def settings(self) -> typing.Any:
-        '''
+        '''A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-settings
         '''
         result = self._values.get("settings")
@@ -4452,7 +4517,10 @@ class CfnManagedLoginBrandingProps:
     def use_cognito_provided_values(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''
+        '''When true, applies the default branding style options.
+
+        This option reverts to a "blank" style that you can modify later in the branding designer.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-usecognitoprovidedvalues
         '''
         result = self._values.get("use_cognito_provided_values")
@@ -4684,7 +4752,7 @@ class CfnUserPool(
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
-        :param user_pool_tier: 
+        :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
         :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
         :param web_authn_relying_party_id: 
         :param web_authn_user_verification: 
@@ -5206,6 +5274,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="userPoolTier")
     def user_pool_tier(self) -> typing.Optional[builtins.str]:
+        '''The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "userPoolTier"))
 
     @user_pool_tier.setter
@@ -5345,7 +5414,7 @@ class CfnUserPool(
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the `SignUp <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html>`_ operation.
-            :param invite_message_template: The template for the welcome message to new users. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
+            :param invite_message_template: The template for the welcome message to new users. This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
             :param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of `PasswordPolicyType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html>`_ . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` . The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
@@ -5399,6 +5468,8 @@ class CfnUserPool(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.InviteMessageTemplateProperty"]]:
             '''The template for the welcome message to new users.
 
+            This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder.
+
             See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-invitemessagetemplate
@@ -5899,6 +5970,8 @@ class CfnUserPool(
         ) -> None:
             '''The template for the welcome message to new users.
 
+            This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder.
+
             See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
 
             :param email_message: The message template for email messages. EmailMessage is allowed only if `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is DEVELOPER.
@@ -7664,16 +7737,16 @@ class CfnUserPoolClient(
         :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
         :param client_name: The client name for the user pool client you would like to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. For more information, see `Default redirect URI <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#cognito-user-pools-app-idp-settings-about>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
-        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
+        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
-        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
+        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
-        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
+        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
         '''
@@ -8406,16 +8479,16 @@ class CfnUserPoolClientProps:
         :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
         :param client_name: The client name for the user pool client you would like to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. For more information, see `Default redirect URI <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#cognito-user-pools-app-idp-settings-about>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
-        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
+        :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
-        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
+        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
-        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
+        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
 
@@ -8695,7 +8768,7 @@ class CfnUserPoolClientProps:
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
         '''Activates the propagation of additional user context data.
 
-        For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
+        For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-enablepropagateadditionalusercontextdata
         '''
@@ -8726,6 +8799,7 @@ class CfnUserPoolClientProps:
 
         Valid values include:
 
+        - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` .
         - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.
         - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication.
         - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
@@ -8836,6 +8910,8 @@ class CfnUserPoolClientProps:
 
         The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
 
+        This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-supportedidentityproviders
         '''
         result = self._values.get("supported_identity_providers")
@@ -8906,7 +8982,8 @@ class CfnUserPoolDomain(
             # the properties below are optional
             custom_domain_config=cognito.CfnUserPoolDomain.CustomDomainConfigTypeProperty(
                 certificate_arn="certificateArn"
-            )
+            ),
+            managed_login_version=123
         )
     '''
 
@@ -8918,13 +8995,15 @@ class CfnUserPoolDomain(
         domain: builtins.str,
         user_pool_id: builtins.str,
         custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolDomain.CustomDomainConfigTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        managed_login_version: typing.Optional[jsii.Number] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
         :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
-        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM.
+        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
+        :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__6e0b36c4d155cfdfa9801e3f221c4fe6c5403bf24a64d17bd90fb5386301d675)
@@ -8934,6 +9013,7 @@ class CfnUserPoolDomain(
             domain=domain,
             user_pool_id=user_pool_id,
             custom_domain_config=custom_domain_config,
+            managed_login_version=managed_login_version,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -9035,6 +9115,19 @@ class CfnUserPoolDomain(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "customDomainConfig", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="managedLoginVersion")
+    def managed_login_version(self) -> typing.Optional[jsii.Number]:
+        '''A version number that indicates the state of managed login for your domain.'''
+        return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "managedLoginVersion"))
+
+    @managed_login_version.setter
+    def managed_login_version(self, value: typing.Optional[jsii.Number]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b1d6e8e96816f3572291ff67691b98d76a166cf058320e0e73e58062b8093526)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "managedLoginVersion", value) # pyright: ignore[reportArgumentType]
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolDomain.CustomDomainConfigTypeProperty",
         jsii_struct_bases=[],
@@ -9102,6 +9195,7 @@ class CfnUserPoolDomain(
         "domain": "domain",
         "user_pool_id": "userPoolId",
         "custom_domain_config": "customDomainConfig",
+        "managed_login_version": "managedLoginVersion",
     },
 )
 class CfnUserPoolDomainProps:
@@ -9111,12 +9205,14 @@ class CfnUserPoolDomainProps:
         domain: builtins.str,
         user_pool_id: builtins.str,
         custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPoolDomain.CustomDomainConfigTypeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        managed_login_version: typing.Optional[jsii.Number] = None,
     ) -> None:
         '''Properties for defining a ``CfnUserPoolDomain``.
 
         :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
         :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
-        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM.
+        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
+        :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html
         :exampleMetadata: fixture=_generated
@@ -9134,7 +9230,8 @@ class CfnUserPoolDomainProps:
                 # the properties below are optional
                 custom_domain_config=cognito.CfnUserPoolDomain.CustomDomainConfigTypeProperty(
                     certificate_arn="certificateArn"
-                )
+                ),
+                managed_login_version=123
             )
         '''
         if __debug__:
@@ -9142,12 +9239,15 @@ class CfnUserPoolDomainProps:
             check_type(argname="argument domain", value=domain, expected_type=type_hints["domain"])
             check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
             check_type(argname="argument custom_domain_config", value=custom_domain_config, expected_type=type_hints["custom_domain_config"])
+            check_type(argname="argument managed_login_version", value=managed_login_version, expected_type=type_hints["managed_login_version"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "domain": domain,
             "user_pool_id": user_pool_id,
         }
         if custom_domain_config is not None:
             self._values["custom_domain_config"] = custom_domain_config
+        if managed_login_version is not None:
+            self._values["managed_login_version"] = managed_login_version
 
     @builtins.property
     def domain(self) -> builtins.str:
@@ -9181,11 +9281,24 @@ class CfnUserPoolDomainProps:
 
         Use this object to specify an SSL certificate that is managed by ACM.
 
+        When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-customdomainconfig
         '''
         result = self._values.get("custom_domain_config")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolDomain.CustomDomainConfigTypeProperty]], result)
 
+    @builtins.property
+    def managed_login_version(self) -> typing.Optional[jsii.Number]:
+        '''A version number that indicates the state of managed login for your domain.
+
+        Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-managedloginversion
+        '''
+        result = self._values.get("managed_login_version")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -9961,7 +10074,7 @@ class CfnUserPoolProps:
         :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
         :param user_pool_name: A string used to name the user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
-        :param user_pool_tier: 
+        :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
         :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
         :param web_authn_relying_party_id: 
         :param web_authn_user_verification: 
@@ -10502,7 +10615,8 @@ class CfnUserPoolProps:
 
     @builtins.property
     def user_pool_tier(self) -> typing.Optional[builtins.str]:
-        '''
+        '''The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooltier
         '''
         result = self._values.get("user_pool_tier")
@@ -12406,7 +12520,7 @@ class CfnUserPoolUser(
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
         '''
@@ -12696,7 +12810,7 @@ class CfnUserPoolUserProps:
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
 
@@ -12841,6 +12955,8 @@ class CfnUserPoolUserProps:
 
         To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.
 
+        You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` .
+
         In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ .
 
         - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter.
@@ -13714,6 +13830,21 @@ class EmailSettings:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.FeaturePlan")
+class FeaturePlan(enum.Enum):
+    '''The user pool feature plan, or tier.
+
+    :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
+    '''
+
+    LITE = "LITE"
+    '''Lite feature plan.'''
+    ESSENTIALS = "ESSENTIALS"
+    '''Essentials feature plan.'''
+    PLUS = "PLUS"
+    '''Plus feature plan.'''
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_cognito.ICustomAttribute")
 class ICustomAttribute(typing_extensions.Protocol):
     '''Represents a custom attribute type.'''
@@ -14462,7 +14593,7 @@ class MfaSecondFactor:
 
         :param otp: The MFA token is a time-based one time password that is generated by a hardware or software token. Default: false
         :param sms: The MFA token is sent to the user via SMS to their verified phone numbers. Default: true
-        :param email: The MFA token is sent to the user via EMAIL. To enable email-based MFA, set ``email`` property to the Amazon SES email-sending configuration and set ``advancedSecurityMode`` to ``AdvancedSecurity.ENFORCED`` or ``AdvancedSecurity.AUDIT`` Default: false
+        :param email: The MFA token is sent to the user via EMAIL. To enable email-based MFA, set ``email`` property to the Amazon SES email-sending configuration and set ``feturePlan`` to ``FeaturePlan.ESSENTIALS`` or ``FeaturePlan.PLUS`` Default: false
 
         :see: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
         :exampleMetadata: infused
@@ -14520,7 +14651,7 @@ class MfaSecondFactor:
         '''The MFA token is sent to the user via EMAIL.
 
         To enable email-based MFA, set ``email`` property to the Amazon SES email-sending configuration
-        and set ``advancedSecurityMode`` to ``AdvancedSecurity.ENFORCED`` or ``AdvancedSecurity.AUDIT``
+        and set ``feturePlan`` to ``FeaturePlan.ESSENTIALS`` or ``FeaturePlan.PLUS``
 
         :default: false
 
@@ -17080,6 +17211,7 @@ class UserPool(
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
         email: typing.Optional["UserPoolEmail"] = None,
         enable_sms_role: typing.Optional[builtins.bool] = None,
+        feature_plan: typing.Optional[FeaturePlan] = None,
         keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         lambda_triggers: typing.Optional[typing.Union["UserPoolTriggers", typing.Dict[builtins.str, typing.Any]]] = None,
         mfa: typing.Optional[Mfa] = None,
@@ -17102,7 +17234,7 @@ class UserPool(
         :param scope: -
         :param id: -
         :param account_recovery: How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
-        :param advanced_security_mode: The user pool's Advanced Security Mode. Default: - no value
+        :param advanced_security_mode: (deprecated) The user pool's Advanced Security Mode. Default: - no value
         :param auto_verify: Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If ``signInAlias`` includes email and/or phone, they will be included in ``autoVerifiedAttributes`` by default. If absent, no attributes will be auto-verified.
         :param custom_attributes: Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.
         :param custom_sender_kms_key: This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured
@@ -17110,6 +17242,7 @@ class UserPool(
         :param device_tracking: Device tracking settings. Default: - see defaults on each property of DeviceTracking.
         :param email: Email settings for a user pool. Default: - cognito will use the default email configuration
         :param enable_sms_role: Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.
+        :param feature_plan: The user pool feature plan, or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
         :param keep_original: Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes. EMAIL and PHONE are the only available options. Default: - Nothing is kept.
         :param lambda_triggers: Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.
         :param mfa: Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF
@@ -17142,6 +17275,7 @@ class UserPool(
             device_tracking=device_tracking,
             email=email,
             enable_sms_role=enable_sms_role,
+            feature_plan=feature_plan,
             keep_original=keep_original,
             lambda_triggers=lambda_triggers,
             mfa=mfa,
@@ -20385,6 +20519,7 @@ class UserPoolOperation(
         "device_tracking": "deviceTracking",
         "email": "email",
         "enable_sms_role": "enableSmsRole",
+        "feature_plan": "featurePlan",
         "keep_original": "keepOriginal",
         "lambda_triggers": "lambdaTriggers",
         "mfa": "mfa",
@@ -20417,6 +20552,7 @@ class UserPoolProps:
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
         email: typing.Optional[UserPoolEmail] = None,
         enable_sms_role: typing.Optional[builtins.bool] = None,
+        feature_plan: typing.Optional[FeaturePlan] = None,
         keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         lambda_triggers: typing.Optional[typing.Union["UserPoolTriggers", typing.Dict[builtins.str, typing.Any]]] = None,
         mfa: typing.Optional[Mfa] = None,
@@ -20438,7 +20574,7 @@ class UserPoolProps:
         '''Props for the UserPool construct.
 
         :param account_recovery: How will a user be able to recover their account? Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
-        :param advanced_security_mode: The user pool's Advanced Security Mode. Default: - no value
+        :param advanced_security_mode: (deprecated) The user pool's Advanced Security Mode. Default: - no value
         :param auto_verify: Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options. Default: - If ``signInAlias`` includes email and/or phone, they will be included in ``autoVerifiedAttributes`` by default. If absent, no attributes will be auto-verified.
         :param custom_attributes: Define a set of custom attributes that can be configured for each user in the user pool. Default: - No custom attributes.
         :param custom_sender_kms_key: This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates. Default: - no key ID configured
@@ -20446,6 +20582,7 @@ class UserPoolProps:
         :param device_tracking: Device tracking settings. Default: - see defaults on each property of DeviceTracking.
         :param email: Email settings for a user pool. Default: - cognito will use the default email configuration
         :param enable_sms_role: Setting this would explicitly enable or disable SMS role creation. When left unspecified, CDK will determine based on other properties if a role is needed or not. Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.
+        :param feature_plan: The user pool feature plan, or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
         :param keep_original: Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes. EMAIL and PHONE are the only available options. Default: - Nothing is kept.
         :param lambda_triggers: Lambda functions to use for supported Cognito triggers. Default: - No Lambda triggers.
         :param mfa: Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF
@@ -20510,6 +20647,7 @@ class UserPoolProps:
             check_type(argname="argument device_tracking", value=device_tracking, expected_type=type_hints["device_tracking"])
             check_type(argname="argument email", value=email, expected_type=type_hints["email"])
             check_type(argname="argument enable_sms_role", value=enable_sms_role, expected_type=type_hints["enable_sms_role"])
+            check_type(argname="argument feature_plan", value=feature_plan, expected_type=type_hints["feature_plan"])
             check_type(argname="argument keep_original", value=keep_original, expected_type=type_hints["keep_original"])
             check_type(argname="argument lambda_triggers", value=lambda_triggers, expected_type=type_hints["lambda_triggers"])
             check_type(argname="argument mfa", value=mfa, expected_type=type_hints["mfa"])
@@ -20546,6 +20684,8 @@ class UserPoolProps:
             self._values["email"] = email
         if enable_sms_role is not None:
             self._values["enable_sms_role"] = enable_sms_role
+        if feature_plan is not None:
+            self._values["feature_plan"] = feature_plan
         if keep_original is not None:
             self._values["keep_original"] = keep_original
         if lambda_triggers is not None:
@@ -20592,9 +20732,13 @@ class UserPoolProps:
 
     @builtins.property
     def advanced_security_mode(self) -> typing.Optional[AdvancedSecurityMode]:
-        '''The user pool's Advanced Security Mode.
+        '''(deprecated) The user pool's Advanced Security Mode.
 
         :default: - no value
+
+        :deprecated: Advanced Security Mode is deprecated in favor of user pool feature plans.
+
+        :stability: deprecated
         '''
         result = self._values.get("advanced_security_mode")
         return typing.cast(typing.Optional[AdvancedSecurityMode], result)
@@ -20673,6 +20817,19 @@ class UserPoolProps:
         result = self._values.get("enable_sms_role")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def feature_plan(self) -> typing.Optional[FeaturePlan]:
+        '''The user pool feature plan, or tier.
+
+        This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection.
+
+        :default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
+        '''
+        result = self._values.get("feature_plan")
+        return typing.cast(typing.Optional[FeaturePlan], result)
+
     @builtins.property
     def keep_original(self) -> typing.Optional[KeepOriginalAttrs]:
         '''Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
@@ -22725,6 +22882,7 @@ __all__ = [
     "DateTimeAttribute",
     "DeviceTracking",
     "EmailSettings",
+    "FeaturePlan",
     "ICustomAttribute",
     "IUserPool",
     "IUserPoolClient",
@@ -23948,6 +24106,7 @@ def _typecheckingstub__6e0b36c4d155cfdfa9801e3f221c4fe6c5403bf24a64d17bd90fb5386
     domain: builtins.str,
     user_pool_id: builtins.str,
     custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPoolDomain.CustomDomainConfigTypeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    managed_login_version: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -23982,6 +24141,12 @@ def _typecheckingstub__534c4957c36eac9a89217ff1b762b65d25e33f26c5048218fc840dc7f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b1d6e8e96816f3572291ff67691b98d76a166cf058320e0e73e58062b8093526(
+    value: typing.Optional[jsii.Number],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__dde97995e450b3b0c5468a27b415565086c00f64bdc255f297a8471e77b85243(
     *,
     certificate_arn: typing.Optional[builtins.str] = None,
@@ -23994,6 +24159,7 @@ def _typecheckingstub__fe5ef2b7c4347565bc988b8d9120bbd5feadcfadd061512019de1519e
     domain: builtins.str,
     user_pool_id: builtins.str,
     custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnUserPoolDomain.CustomDomainConfigTypeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    managed_login_version: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -24908,6 +25074,7 @@ def _typecheckingstub__677a8ec9a3f2a22d2dfde6fd6818121e4a071dc4e942f6bbe219e5a9b
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
     email: typing.Optional[UserPoolEmail] = None,
     enable_sms_role: typing.Optional[builtins.bool] = None,
+    feature_plan: typing.Optional[FeaturePlan] = None,
     keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     lambda_triggers: typing.Optional[typing.Union[UserPoolTriggers, typing.Dict[builtins.str, typing.Any]]] = None,
     mfa: typing.Optional[Mfa] = None,
@@ -25356,6 +25523,7 @@ def _typecheckingstub__754b1af40b4712720733e130c63a8ec0ca9a35d4cfb25450725d5aa02
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
     email: typing.Optional[UserPoolEmail] = None,
     enable_sms_role: typing.Optional[builtins.bool] = None,
+    feature_plan: typing.Optional[FeaturePlan] = None,
     keep_original: typing.Optional[typing.Union[KeepOriginalAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     lambda_triggers: typing.Optional[typing.Union[UserPoolTriggers, typing.Dict[builtins.str, typing.Any]]] = None,
     mfa: typing.Optional[Mfa] = None,