aws-cdk-lib 2.173.4__py3-none-any.whl → 2.174.1__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -84,7 +84,7 @@ user_pool.grant(role, "cognito-idp:AdminCreateUser")
 ### User pool feature plans
 
 Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it.
-Lean more aboug [feature plans here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html).
+Learn more about [feature plans here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html).
 
 * *Lite* - a low-cost feature plan for user pools with lower numbers of monthly active users.
 * *Essentials* - all of the latest user pool authentication features.
@@ -3761,9 +3761,9 @@ class CfnLogDeliveryConfiguration(
             This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
 
             :param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features. This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
-            :param event_source: The source of events that your user pool sends for logging. To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about advanced security features user activity, set to ``userAuthEvents`` .
+            :param event_source: The source of events that your user pool sends for logging. To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about threat-protection user activity in user pools with the Plus feature plan, set to ``userAuthEvents`` .
             :param firehose_configuration: Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features.
-            :param log_level: The ``errorlevel`` selection of logs that a user pool sends for detailed activity logging. To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/tracking-quotas-and-usage-in-cloud-watch-logs.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from advanced security features, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
+            :param log_level: The ``errorlevel`` selection of logs that a user pool sends for detailed activity logging. To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from threat protection with the Plus feature plan, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
             :param s3_configuration: Configuration for the Amazon S3 bucket destination of user activity log export with advanced security features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html
@@ -3825,7 +3825,7 @@ class CfnLogDeliveryConfiguration(
         def event_source(self) -> typing.Optional[builtins.str]:
             '''The source of events that your user pool sends for logging.
 
-            To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about advanced security features user activity, set to ``userAuthEvents`` .
+            To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about threat-protection user activity in user pools with the Plus feature plan, set to ``userAuthEvents`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-eventsource
             '''
@@ -3847,7 +3847,7 @@ class CfnLogDeliveryConfiguration(
         def log_level(self) -> typing.Optional[builtins.str]:
             '''The ``errorlevel`` selection of logs that a user pool sends for detailed activity logging.
 
-            To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/tracking-quotas-and-usage-in-cloud-watch-logs.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from advanced security features, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
+            To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from threat protection with the Plus feature plan, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-loglevel
             '''
@@ -4036,13 +4036,6 @@ class CfnManagedLoginBranding(
     This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
 
     As a best practice, modify the output of `DescribeManagedLoginBrandingByClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html>`_ into the request parameters for this operation. To get all settings, set ``ReturnMergedResources`` to ``true`` . For more information, see `API and SDK operations for managed login branding <https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api>`_
-    .. epigraph::
-
-       Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
-
-       **Learn more** - `Signing AWS API Requests <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html>`_
-
-       - `Using the Amazon Cognito user pools API and user pool endpoints <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html>`_
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html
     :cloudformationResource: AWS::Cognito::ManagedLoginBranding
@@ -4093,10 +4086,10 @@ class CfnManagedLoginBranding(
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The user pool where the branding style is assigned.
         :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
-        :param client_id: 
-        :param return_merged_resources: 
+        :param client_id: The app client that's assigned to the branding style that you want more information about.
+        :param return_merged_resources: When ``true`` , returns values for branding options that are unchanged from Amazon Cognito defaults. When ``false`` or when you omit this parameter, returns only values that you customized in your branding style.
         :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
-        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to a "blank" style that you can modify later in the branding designer.
+        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding designer. When you specify ``true`` for this option, you must also omit values for ``Settings`` and ``Assets`` in the request.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__478f8899894ffccc3f20b06ae18c36beb41bf5c5c9aa65a99dbdbf95ce00be03)
@@ -4191,6 +4184,7 @@ class CfnManagedLoginBranding(
     @builtins.property
     @jsii.member(jsii_name="clientId")
     def client_id(self) -> typing.Optional[builtins.str]:
+        '''The app client that's assigned to the branding style that you want more information about.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "clientId"))
 
     @client_id.setter
@@ -4205,6 +4199,7 @@ class CfnManagedLoginBranding(
     def return_merged_resources(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''When ``true`` , returns values for branding options that are unchanged from Amazon Cognito defaults.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "returnMergedResources"))
 
     @return_merged_resources.setter
@@ -4406,10 +4401,10 @@ class CfnManagedLoginBrandingProps:
 
         :param user_pool_id: The user pool where the branding style is assigned.
         :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
-        :param client_id: 
-        :param return_merged_resources: 
+        :param client_id: The app client that's assigned to the branding style that you want more information about.
+        :param return_merged_resources: When ``true`` , returns values for branding options that are unchanged from Amazon Cognito defaults. When ``false`` or when you omit this parameter, returns only values that you customized in your branding style.
         :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
-        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to a "blank" style that you can modify later in the branding designer.
+        :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding designer. When you specify ``true`` for this option, you must also omit values for ``Settings`` and ``Assets`` in the request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html
         :exampleMetadata: fixture=_generated
@@ -4488,7 +4483,8 @@ class CfnManagedLoginBrandingProps:
 
     @builtins.property
     def client_id(self) -> typing.Optional[builtins.str]:
-        '''
+        '''The app client that's assigned to the branding style that you want more information about.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-clientid
         '''
         result = self._values.get("client_id")
@@ -4498,7 +4494,10 @@ class CfnManagedLoginBrandingProps:
     def return_merged_resources(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''
+        '''When ``true`` , returns values for branding options that are unchanged from Amazon Cognito defaults.
+
+        When ``false`` or when you omit this parameter, returns only values that you customized in your branding style.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-returnmergedresources
         '''
         result = self._values.get("return_merged_resources")
@@ -4519,7 +4518,9 @@ class CfnManagedLoginBrandingProps:
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
         '''When true, applies the default branding style options.
 
-        This option reverts to a "blank" style that you can modify later in the branding designer.
+        This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding designer.
+
+        When you specify ``true`` for this option, you must also omit values for ``Settings`` and ``Assets`` in the request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-usecognitoprovidedvalues
         '''
@@ -4729,10 +4730,10 @@ class CfnUserPool(
         :param id: Construct identifier for this resource (unique in its scope).
         :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
         :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* .
-        :param auto_verified_attributes: The attributes to be auto-verified. Possible values: *email* , *phone_number* .
+        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
+        :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. Possible values: *email* , *phone_number* . For more information see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
-        :param device_configuration: The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
+        :param device_configuration: The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`_ . A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature. For more infor
         :param email_authentication_message: 
         :param email_authentication_subject: 
         :param email_configuration: The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
@@ -4742,20 +4743,20 @@ class CfnUserPool(
         :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
         :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param schema: An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.
+        :param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
         :param sms_authentication_message: The contents of the SMS authentication message.
-        :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
+        :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
         :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
         :param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
         :param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
-        :param username_configuration: Case sensitivity on the username input for the selected sign-in option. When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
-        :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
-        :param user_pool_name: A string used to name the user pool.
+        :param username_configuration: Sets the case sensitivity option for sign-in usernames. When ``CaseSensitive`` is ``false`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``false`` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. When ``CaseSensitive`` is ``true`` (case sensitive), Amazon Cognito interprets ``USERNAME`` and ``UserName`` as distinct users. This configuration is immutable after you set it.
+        :param user_pool_add_ons: User pool add-ons. Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
+        :param user_pool_name: A friendlhy name for your user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
         :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
         :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
-        :param web_authn_relying_party_id: 
-        :param web_authn_user_verification: 
+        :param web_authn_relying_party_id: Sets or displays the authentication domain, typically your user pool domain, that passkey providers must use as a relying party (RP) in their configuration. Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain: - The user pool is configured for passkey authentication. - The user pool has a custom domain, whether or not it also has a prefix domain. - Your application performs authentication with managed login or the classic hosted UI.
+        :param web_authn_user_verification: When ``required`` , users can only register and sign in users with passkeys that are capable of `user verification <https://docs.aws.amazon.com/https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement>`_ . When ``preferred`` , your user pool doesn't require the use of authenticators with user verification but encourages it.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc37ee551)
@@ -4927,7 +4928,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="autoVerifiedAttributes")
     def auto_verified_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The attributes to be auto-verified.'''
+        '''The attributes that you want your user pool to automatically verify.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "autoVerifiedAttributes"))
 
     @auto_verified_attributes.setter
@@ -5118,7 +5119,7 @@ class CfnUserPool(
     def schema(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SchemaAttributeProperty"]]]]:
-        '''An array of schema attributes for the new user pool.'''
+        '''An array of attributes for the new user pool.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SchemaAttributeProperty"]]]], jsii.get(self, "schema"))
 
     @schema.setter
@@ -5214,7 +5215,7 @@ class CfnUserPool(
     def username_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UsernameConfigurationProperty"]]:
-        '''Case sensitivity on the username input for the selected sign-in option.'''
+        '''Sets the case sensitivity option for sign-in usernames.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UsernameConfigurationProperty"]], jsii.get(self, "usernameConfiguration"))
 
     @username_configuration.setter
@@ -5248,7 +5249,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="userPoolName")
     def user_pool_name(self) -> typing.Optional[builtins.str]:
-        '''A string used to name the user pool.'''
+        '''A friendlhy name for your user pool.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "userPoolName"))
 
     @user_pool_name.setter
@@ -5305,6 +5306,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="webAuthnRelyingPartyId")
     def web_authn_relying_party_id(self) -> typing.Optional[builtins.str]:
+        '''Sets or displays the authentication domain, typically your user pool domain, that passkey providers must use as a relying party (RP) in their configuration.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "webAuthnRelyingPartyId"))
 
     @web_authn_relying_party_id.setter
@@ -5317,6 +5319,7 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="webAuthnUserVerification")
     def web_authn_user_verification(self) -> typing.Optional[builtins.str]:
+        '''When ``required`` , users can only register and sign in users with passkeys that are capable of `user verification <https://docs.aws.amazon.com/https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement>`_ . When ``preferred`` , your user pool doesn't require the use of authenticators with user verification but encourages it.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "webAuthnUserVerification"))
 
     @web_authn_user_verification.setter
@@ -5514,8 +5517,9 @@ class CfnUserPool(
             *,
             custom_auth_mode: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''
-            :param custom_auth_mode: 
+            '''Advanced security configuration options for additional authentication types in your user pool, including custom authentication.
+
+            :param custom_auth_mode: The operating mode of advanced security features in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-advancedsecurityadditionalflows.html
             :exampleMetadata: fixture=_generated
@@ -5539,7 +5543,8 @@ class CfnUserPool(
 
         @builtins.property
         def custom_auth_mode(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The operating mode of advanced security features in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-advancedsecurityadditionalflows.html#cfn-cognito-userpool-advancedsecurityadditionalflows-customauthmode
             '''
             result = self._values.get("custom_auth_mode")
@@ -6444,7 +6449,7 @@ class CfnUserPool(
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param minimum_length: The minimum length of the password in the policy that you have set. This value can't be less than 6.
-            :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` . Password history isn't enforced and isn't displayed in `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ responses when you set this value to ``0`` or don't provide it. To activate this setting, `advanced security features <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ must be active in your user pool.
+            :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` . Password history isn't enforced and isn't displayed in `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
             :param require_lowercase: The requirement in a password policy that users must include at least one lowercase letter in their password.
             :param require_numbers: The requirement in a password policy that users must include at least one number in their password.
             :param require_symbols: The requirement in a password policy that users must include at least one symbol in their password.
@@ -6512,7 +6517,7 @@ class CfnUserPool(
 
             Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` .
 
-            Password history isn't enforced and isn't displayed in `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ responses when you set this value to ``0`` or don't provide it. To activate this setting, `advanced security features <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ must be active in your user pool.
+            Password history isn't enforced and isn't displayed in `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-passwordhistorysize
             '''
@@ -6608,7 +6613,7 @@ class CfnUserPool(
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :param password_policy: The password policy settings for a user pool, including complexity, history, and length requirements.
-            :param sign_in_policy: 
+            :param sign_in_policy: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html
             :exampleMetadata: fixture=_generated
@@ -6659,7 +6664,12 @@ class CfnUserPool(
         def sign_in_policy(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SignInPolicyProperty"]]:
-            '''
+            '''The policy for allowed types of authentication in a user pool.
+
+            To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
+
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-signinpolicy
             '''
             result = self._values.get("sign_in_policy")
@@ -7028,8 +7038,13 @@ class CfnUserPool(
             *,
             allowed_first_auth_factors: typing.Optional[typing.Sequence[builtins.str]] = None,
         ) -> None:
-            '''
-            :param allowed_first_auth_factors: 
+            '''The policy for allowed types of authentication in a user pool.
+
+            To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
+
+            This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
+
+            :param allowed_first_auth_factors: The sign-in methods that a user pool supports as the first factor. You can permit users to start authentication with a standard username and password, or with other one-time password and hardware factors. Supports values of ``EMAIL_OTP`` , ``SMS_OTP`` , ``WEB_AUTHN`` and ``PASSWORD`` ,
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html
             :exampleMetadata: fixture=_generated
@@ -7055,7 +7070,12 @@ class CfnUserPool(
         def allowed_first_auth_factors(
             self,
         ) -> typing.Optional[typing.List[builtins.str]]:
-            '''
+            '''The sign-in methods that a user pool supports as the first factor.
+
+            You can permit users to start authentication with a standard username and password, or with other one-time password and hardware factors.
+
+            Supports values of ``EMAIL_OTP`` , ``SMS_OTP`` , ``WEB_AUTHN`` and ``PASSWORD`` ,
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html#cfn-cognito-userpool-signinpolicy-allowedfirstauthfactors
             '''
             result = self._values.get("allowed_first_auth_factors")
@@ -7336,13 +7356,13 @@ class CfnUserPool(
         ) -> None:
             '''User pool add-ons.
 
-            Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` .
+            Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` .
 
-            For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
+            For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
 
             This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
 
-            :param advanced_security_additional_flows: 
+            :param advanced_security_additional_flows: Advanced security configuration options for additional authentication types in your user pool, including custom authentication.
             :param advanced_security_mode: The operating mode of advanced security features for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
@@ -7375,7 +7395,8 @@ class CfnUserPool(
         def advanced_security_additional_flows(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.AdvancedSecurityAdditionalFlowsProperty"]]:
-            '''
+            '''Advanced security configuration options for additional authentication types in your user pool, including custom authentication.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecurityadditionalflows
             '''
             result = self._values.get("advanced_security_additional_flows")
@@ -7727,27 +7748,27 @@ class CfnUserPoolClient(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param user_pool_id: The user pool ID for the user pool where you want to create a user pool client.
+        :param user_pool_id: The ID of the user pool where you want to create an app client.
         :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
         :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
         :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
-        :param allowed_o_auth_scopes: The allowed OAuth scopes. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
-        :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. .. epigraph:: In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
+        :param allowed_o_auth_scopes: The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
+        :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
         :param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
-        :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
-        :param client_name: The client name for the user pool client you would like to create.
-        :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. For more information, see `Default redirect URI <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#cognito-user-pools-app-idp-settings-about>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
+        :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
+        :param client_name: A friendly name for the app client that you want to create.
+        :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
         :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
-        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
-        :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
+        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
+        :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
-        :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
+        :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
-        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
-        :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
+        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
+        :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
         '''
         if __debug__:
@@ -7844,7 +7865,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool where you want to create a user pool client.'''
+        '''The ID of the user pool where you want to create an app client.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -7904,7 +7925,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="allowedOAuthScopes")
     def allowed_o_auth_scopes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The allowed OAuth scopes.'''
+        '''The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "allowedOAuthScopes"))
 
     @allowed_o_auth_scopes.setter
@@ -7964,7 +7985,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="clientName")
     def client_name(self) -> typing.Optional[builtins.str]:
-        '''The client name for the user pool client you would like to create.'''
+        '''A friendly name for the app client that you want to create.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "clientName"))
 
     @client_name.setter
@@ -8047,7 +8068,7 @@ class CfnUserPoolClient(
     def generate_secret(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Boolean to specify whether you want to generate a secret for the user pool client being created.'''
+        '''When ``true`` , generates a client secret for the app client.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "generateSecret"))
 
     @generate_secret.setter
@@ -8076,7 +8097,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="logoutUrLs")
     def logout_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''A list of allowed logout URLs for the IdPs.'''
+        '''A list of allowed logout URLs for managed login authentication.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "logoutUrLs"))
 
     @logout_ur_ls.setter
@@ -8154,7 +8175,7 @@ class CfnUserPoolClient(
     def token_validity_units(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolClient.TokenValidityUnitsProperty"]]:
-        '''The units in which the validity times are represented.'''
+        '''The units that validity times are represented in.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolClient.TokenValidityUnitsProperty"]], jsii.get(self, "tokenValidityUnits"))
 
     @token_validity_units.setter
@@ -8469,27 +8490,27 @@ class CfnUserPoolClientProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolClient``.
 
-        :param user_pool_id: The user pool ID for the user pool where you want to create a user pool client.
+        :param user_pool_id: The ID of the user pool where you want to create an app client.
         :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
         :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
         :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
-        :param allowed_o_auth_scopes: The allowed OAuth scopes. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
-        :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. .. epigraph:: In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
+        :param allowed_o_auth_scopes: The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
+        :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
         :param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
-        :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
-        :param client_name: The client name for the user pool client you would like to create.
-        :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. - Not include a fragment component. For more information, see `Default redirect URI <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#cognito-user-pools-app-idp-settings-about>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
+        :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
+        :param client_name: A friendly name for the app client that you want to create.
+        :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
         :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
         :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
-        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
-        :param generate_secret: Boolean to specify whether you want to generate a secret for the user pool client being created.
+        :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
+        :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
-        :param logout_ur_ls: A list of allowed logout URLs for the IdPs.
+        :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
-        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
-        :param token_validity_units: The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
+        :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
+        :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
         :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
@@ -8610,7 +8631,7 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool where you want to create a user pool client.
+        '''The ID of the user pool where you want to create an app client.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-userpoolid
         '''
@@ -8674,9 +8695,7 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def allowed_o_auth_scopes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The allowed OAuth scopes.
-
-        Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
+        '''The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes
         '''
@@ -8689,9 +8708,7 @@ class CfnUserPoolClientProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolClient.AnalyticsConfigurationProperty]]:
         '''The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.
 
-        .. epigraph::
-
-           In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
+        In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-analyticsconfiguration
         '''
@@ -8716,7 +8733,7 @@ class CfnUserPoolClientProps:
         A redirect URI must:
 
         - Be an absolute URI.
-        - Be registered with the authorization server.
+        - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter.
         - Not include a fragment component.
 
         See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ .
@@ -8732,7 +8749,7 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def client_name(self) -> typing.Optional[builtins.str]:
-        '''The client name for the user pool client you would like to create.
+        '''A friendly name for the app client that you want to create.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-clientname
         '''
@@ -8745,18 +8762,6 @@ class CfnUserPoolClientProps:
 
         In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
 
-        A redirect URI must:
-
-        - Be an absolute URI.
-        - Be registered with the authorization server.
-        - Not include a fragment component.
-
-        For more information, see `Default redirect URI <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#cognito-user-pools-app-idp-settings-about>`_ .
-
-        Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
-
-        App callback URLs such as myapp://example are also supported.
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-defaultredirecturi
         '''
         result = self._values.get("default_redirect_uri")
@@ -8800,6 +8805,9 @@ class CfnUserPoolClientProps:
         Valid values include:
 
         - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` .
+
+        To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
+
         - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.
         - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication.
         - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
@@ -8818,7 +8826,9 @@ class CfnUserPoolClientProps:
     def generate_secret(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Boolean to specify whether you want to generate a secret for the user pool client being created.
+        '''When ``true`` , generates a client secret for the app client.
+
+        Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-generatesecret
         '''
@@ -8845,7 +8855,9 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def logout_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''A list of allowed logout URLs for the IdPs.
+        '''A list of allowed logout URLs for managed login authentication.
+
+        For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-logouturls
         '''
@@ -8910,7 +8922,7 @@ class CfnUserPoolClientProps:
 
         The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
 
-        This setting applies to providers that you can access with the `hosted UI and OAuth 2.0 authorization server <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
+        This setting applies to providers that you can access with `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-supportedidentityproviders
         '''
@@ -8921,9 +8933,9 @@ class CfnUserPoolClientProps:
     def token_validity_units(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolClient.TokenValidityUnitsProperty]]:
-        '''The units in which the validity times are represented.
+        '''The units that validity times are represented in.
 
-        The default unit for RefreshToken is days, and default for ID and access tokens are hours.
+        The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-tokenvalidityunits
         '''
@@ -9358,11 +9370,11 @@ class CfnUserPoolGroup(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param user_pool_id: The user pool ID for the user pool.
-        :param description: A string containing the description of the group.
-        :param group_name: The name of the group. Must be unique.
+        :param user_pool_id: The ID of the user pool where you want to create a user group.
+        :param description: A description of the group that you're creating.
+        :param group_name: A name for the group. This name must be unique in your user pool.
         :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower ``Precedence`` values take precedence over groups with higher or null ``Precedence`` values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the ``cognito:roles`` and ``cognito:preferred_role`` claims. Two groups can have the same ``Precedence`` value. If this happens, neither group takes precedence over the other. If two groups with the same ``Precedence`` have the same role ARN, that role is used in the ``cognito:preferred_role`` claim in tokens for users in each group. If the two groups have different role ARNs, the ``cognito:preferred_role`` claim isn't set in users' tokens. The default ``Precedence`` value is null. The maximum ``Precedence`` value is ``2^31-1`` .
-        :param role_arn: The role Amazon Resource Name (ARN) for the group.
+        :param role_arn: The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group. A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a ``cognito:preferred_role`` claim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain a ``cognito:groups`` claim that list all the groups that a user is a member of.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__64c0c3e44e677deced2e13e5ab4d3c7550518140bbe9dfaf681651d95cc8ab55)
@@ -9416,7 +9428,7 @@ class CfnUserPoolGroup(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.'''
+        '''The ID of the user pool where you want to create a user group.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -9429,7 +9441,7 @@ class CfnUserPoolGroup(
     @builtins.property
     @jsii.member(jsii_name="description")
     def description(self) -> typing.Optional[builtins.str]:
-        '''A string containing the description of the group.'''
+        '''A description of the group that you're creating.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "description"))
 
     @description.setter
@@ -9442,7 +9454,7 @@ class CfnUserPoolGroup(
     @builtins.property
     @jsii.member(jsii_name="groupName")
     def group_name(self) -> typing.Optional[builtins.str]:
-        '''The name of the group.'''
+        '''A name for the group.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "groupName"))
 
     @group_name.setter
@@ -9468,7 +9480,7 @@ class CfnUserPoolGroup(
     @builtins.property
     @jsii.member(jsii_name="roleArn")
     def role_arn(self) -> typing.Optional[builtins.str]:
-        '''The role Amazon Resource Name (ARN) for the group.'''
+        '''The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "roleArn"))
 
     @role_arn.setter
@@ -9502,11 +9514,11 @@ class CfnUserPoolGroupProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolGroup``.
 
-        :param user_pool_id: The user pool ID for the user pool.
-        :param description: A string containing the description of the group.
-        :param group_name: The name of the group. Must be unique.
+        :param user_pool_id: The ID of the user pool where you want to create a user group.
+        :param description: A description of the group that you're creating.
+        :param group_name: A name for the group. This name must be unique in your user pool.
         :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower ``Precedence`` values take precedence over groups with higher or null ``Precedence`` values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the ``cognito:roles`` and ``cognito:preferred_role`` claims. Two groups can have the same ``Precedence`` value. If this happens, neither group takes precedence over the other. If two groups with the same ``Precedence`` have the same role ARN, that role is used in the ``cognito:preferred_role`` claim in tokens for users in each group. If the two groups have different role ARNs, the ``cognito:preferred_role`` claim isn't set in users' tokens. The default ``Precedence`` value is null. The maximum ``Precedence`` value is ``2^31-1`` .
-        :param role_arn: The role Amazon Resource Name (ARN) for the group.
+        :param role_arn: The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group. A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a ``cognito:preferred_role`` claim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain a ``cognito:groups`` claim that list all the groups that a user is a member of.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html
         :exampleMetadata: fixture=_generated
@@ -9548,7 +9560,7 @@ class CfnUserPoolGroupProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.
+        '''The ID of the user pool where you want to create a user group.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-userpoolid
         '''
@@ -9558,7 +9570,7 @@ class CfnUserPoolGroupProps:
 
     @builtins.property
     def description(self) -> typing.Optional[builtins.str]:
-        '''A string containing the description of the group.
+        '''A description of the group that you're creating.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-description
         '''
@@ -9567,9 +9579,9 @@ class CfnUserPoolGroupProps:
 
     @builtins.property
     def group_name(self) -> typing.Optional[builtins.str]:
-        '''The name of the group.
+        '''A name for the group.
 
-        Must be unique.
+        This name must be unique in your user pool.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-groupname
         '''
@@ -9593,7 +9605,9 @@ class CfnUserPoolGroupProps:
 
     @builtins.property
     def role_arn(self) -> typing.Optional[builtins.str]:
-        '''The role Amazon Resource Name (ARN) for the group.
+        '''The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group.
+
+        A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a ``cognito:preferred_role`` claim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain a ``cognito:groups`` claim that list all the groups that a user is a member of.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-rolearn
         '''
@@ -9661,11 +9675,11 @@ class CfnUserPoolIdentityProvider(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
-        :param provider_name: The IdP name.
-        :param provider_type: The IdP type.
-        :param user_pool_id: The user pool ID.
-        :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
-        :param idp_identifiers: A list of IdP identifiers.
+        :param provider_name: The name that you want to assign to the IdP. You can pass the identity provider name in the ``identity_provider`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`_ to silently redirect to sign-in with the associated IdP.
+        :param provider_type: The type of IdP that you want to add. Amazon Cognito supports OIDC, SAML 2.0, Login With Amazon, Sign In With Apple, Google, and Facebook IdPs.
+        :param user_pool_id: The Id of the user pool where you want to create an IdP.
+        :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes. Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.
+        :param idp_identifiers: An array of IdP identifiers, for example ``"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`` . Identifiers are friendly names that you can pass in the ``idp_identifier`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`_ to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of `email-address matching with SAML providers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-naming.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__759e90505ceb64aa7002be11d4da4a87090102263927799f662a83f606483634)
@@ -9733,7 +9747,7 @@ class CfnUserPoolIdentityProvider(
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
-        '''The IdP name.'''
+        '''The name that you want to assign to the IdP.'''
         return typing.cast(builtins.str, jsii.get(self, "providerName"))
 
     @provider_name.setter
@@ -9746,7 +9760,7 @@ class CfnUserPoolIdentityProvider(
     @builtins.property
     @jsii.member(jsii_name="providerType")
     def provider_type(self) -> builtins.str:
-        '''The IdP type.'''
+        '''The type of IdP that you want to add.'''
         return typing.cast(builtins.str, jsii.get(self, "providerType"))
 
     @provider_type.setter
@@ -9759,7 +9773,7 @@ class CfnUserPoolIdentityProvider(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID.'''
+        '''The Id of the user pool where you want to create an IdP.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -9785,7 +9799,7 @@ class CfnUserPoolIdentityProvider(
     @builtins.property
     @jsii.member(jsii_name="idpIdentifiers")
     def idp_identifiers(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''A list of IdP identifiers.'''
+        '''An array of IdP identifiers, for example ``"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`` .'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "idpIdentifiers"))
 
     @idp_identifiers.setter
@@ -9825,11 +9839,11 @@ class CfnUserPoolIdentityProviderProps:
         '''Properties for defining a ``CfnUserPoolIdentityProvider``.
 
         :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
-        :param provider_name: The IdP name.
-        :param provider_type: The IdP type.
-        :param user_pool_id: The user pool ID.
-        :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
-        :param idp_identifiers: A list of IdP identifiers.
+        :param provider_name: The name that you want to assign to the IdP. You can pass the identity provider name in the ``identity_provider`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`_ to silently redirect to sign-in with the associated IdP.
+        :param provider_type: The type of IdP that you want to add. Amazon Cognito supports OIDC, SAML 2.0, Login With Amazon, Sign In With Apple, Google, and Facebook IdPs.
+        :param user_pool_id: The Id of the user pool where you want to create an IdP.
+        :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes. Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.
+        :param idp_identifiers: An array of IdP identifiers, for example ``"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`` . Identifiers are friendly names that you can pass in the ``idp_identifier`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`_ to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of `email-address matching with SAML providers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-naming.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html
         :exampleMetadata: fixture=_generated
@@ -9920,7 +9934,9 @@ class CfnUserPoolIdentityProviderProps:
 
     @builtins.property
     def provider_name(self) -> builtins.str:
-        '''The IdP name.
+        '''The name that you want to assign to the IdP.
+
+        You can pass the identity provider name in the ``identity_provider`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`_ to silently redirect to sign-in with the associated IdP.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providername
         '''
@@ -9930,7 +9946,9 @@ class CfnUserPoolIdentityProviderProps:
 
     @builtins.property
     def provider_type(self) -> builtins.str:
-        '''The IdP type.
+        '''The type of IdP that you want to add.
+
+        Amazon Cognito supports OIDC, SAML 2.0, Login With Amazon, Sign In With Apple, Google, and Facebook IdPs.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providertype
         '''
@@ -9940,7 +9958,7 @@ class CfnUserPoolIdentityProviderProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID.
+        '''The Id of the user pool where you want to create an IdP.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-userpoolid
         '''
@@ -9952,6 +9970,8 @@ class CfnUserPoolIdentityProviderProps:
     def attribute_mapping(self) -> typing.Any:
         '''A mapping of IdP attributes to standard and custom user pool attributes.
 
+        Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-attributemapping
         '''
         result = self._values.get("attribute_mapping")
@@ -9959,7 +9979,9 @@ class CfnUserPoolIdentityProviderProps:
 
     @builtins.property
     def idp_identifiers(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''A list of IdP identifiers.
+        '''An array of IdP identifiers, for example ``"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`` .
+
+        Identifiers are friendly names that you can pass in the ``idp_identifier`` query parameter of requests to the `Authorize endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html>`_ to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of `email-address matching with SAML providers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-naming.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-idpidentifiers
         '''
@@ -10051,10 +10073,10 @@ class CfnUserPoolProps:
 
         :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
         :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* .
-        :param auto_verified_attributes: The attributes to be auto-verified. Possible values: *email* , *phone_number* .
+        :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
+        :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. Possible values: *email* , *phone_number* . For more information see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
-        :param device_configuration: The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
+        :param device_configuration: The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`_ . A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature. For more infor
         :param email_authentication_message: 
         :param email_authentication_subject: 
         :param email_configuration: The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
@@ -10064,20 +10086,20 @@ class CfnUserPoolProps:
         :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
         :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
-        :param schema: An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.
+        :param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
         :param sms_authentication_message: The contents of the SMS authentication message.
-        :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
+        :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
         :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
         :param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
         :param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
-        :param username_configuration: Case sensitivity on the username input for the selected sign-in option. When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
-        :param user_pool_add_ons: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
-        :param user_pool_name: A string used to name the user pool.
+        :param username_configuration: Sets the case sensitivity option for sign-in usernames. When ``CaseSensitive`` is ``false`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``false`` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. When ``CaseSensitive`` is ``true`` (case sensitive), Amazon Cognito interprets ``USERNAME`` and ``UserName`` as distinct users. This configuration is immutable after you set it.
+        :param user_pool_add_ons: User pool add-ons. Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
+        :param user_pool_name: A friendlhy name for your user pool.
         :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
         :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
         :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
-        :param web_authn_relying_party_id: 
-        :param web_authn_user_verification: 
+        :param web_authn_relying_party_id: Sets or displays the authentication domain, typically your user pool domain, that passkey providers must use as a relying party (RP) in their configuration. Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain: - The user pool is configured for passkey authentication. - The user pool has a custom domain, whether or not it also has a prefix domain. - Your application performs authentication with managed login or the classic hosted UI.
+        :param web_authn_user_verification: When ``required`` , users can only register and sign in users with passkeys that are capable of `user verification <https://docs.aws.amazon.com/https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement>`_ . When ``preferred`` , your user pool doesn't require the use of authenticators with user verification but encourages it.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
         :exampleMetadata: fixture=_generated
@@ -10338,7 +10360,7 @@ class CfnUserPoolProps:
     def alias_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
         '''Attributes supported as an alias for this user pool.
 
-        Possible values: *phone_number* , *email* , or *preferred_username* .
+        Possible values: *phone_number* , *email* , or *preferred_username* . For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-aliasattributes
         '''
@@ -10347,9 +10369,9 @@ class CfnUserPoolProps:
 
     @builtins.property
     def auto_verified_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The attributes to be auto-verified.
+        '''The attributes that you want your user pool to automatically verify.
 
-        Possible values: *email* , *phone_number* .
+        Possible values: *email* , *phone_number* . For more information see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-autoverifiedattributes
         '''
@@ -10376,10 +10398,10 @@ class CfnUserPoolProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.DeviceConfigurationProperty]]:
         '''The device-remembering configuration for a user pool.
 
-        A null value indicates that you have deactivated device remembering in your user pool.
+        Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`_ . A null value indicates that you have deactivated device remembering in your user pool.
         .. epigraph::
 
-           When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature.
+           When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature. For more infor
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-deviceconfiguration
         '''
@@ -10497,9 +10519,9 @@ class CfnUserPoolProps:
     def schema(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnUserPool.SchemaAttributeProperty]]]]:
-        '''An array of schema attributes for the new user pool.
+        '''An array of attributes for the new user pool.
 
-        These attributes can be standard or custom attributes.
+        You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-schema
         '''
@@ -10521,7 +10543,7 @@ class CfnUserPoolProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.SmsConfigurationProperty]]:
         '''The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service.
 
-        To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
+        To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-smsconfiguration
         '''
@@ -10567,11 +10589,13 @@ class CfnUserPoolProps:
     def username_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.UsernameConfigurationProperty]]:
-        '''Case sensitivity on the username input for the selected sign-in option.
+        '''Sets the case sensitivity option for sign-in usernames.
 
-        When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
+        When ``CaseSensitive`` is ``false`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``false`` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
 
-        This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
+        When ``CaseSensitive`` is ``true`` (case sensitive), Amazon Cognito interprets ``USERNAME`` and ``UserName`` as distinct users.
+
+        This configuration is immutable after you set it.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-usernameconfiguration
         '''
@@ -10584,9 +10608,9 @@ class CfnUserPoolProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.UserPoolAddOnsProperty]]:
         '''User pool add-ons.
 
-        Contains settings for activation of advanced security features. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` .
+        Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` .
 
-        For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ .
+        For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooladdons
         '''
@@ -10595,7 +10619,7 @@ class CfnUserPoolProps:
 
     @builtins.property
     def user_pool_name(self) -> typing.Optional[builtins.str]:
-        '''A string used to name the user pool.
+        '''A friendlhy name for your user pool.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpoolname
         '''
@@ -10637,7 +10661,14 @@ class CfnUserPoolProps:
 
     @builtins.property
     def web_authn_relying_party_id(self) -> typing.Optional[builtins.str]:
-        '''
+        '''Sets or displays the authentication domain, typically your user pool domain, that passkey providers must use as a relying party (RP) in their configuration.
+
+        Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain:
+
+        - The user pool is configured for passkey authentication.
+        - The user pool has a custom domain, whether or not it also has a prefix domain.
+        - Your application performs authentication with managed login or the classic hosted UI.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-webauthnrelyingpartyid
         '''
         result = self._values.get("web_authn_relying_party_id")
@@ -10645,7 +10676,8 @@ class CfnUserPoolProps:
 
     @builtins.property
     def web_authn_user_verification(self) -> typing.Optional[builtins.str]:
-        '''
+        '''When ``required`` , users can only register and sign in users with passkeys that are capable of `user verification <https://docs.aws.amazon.com/https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement>`_ . When ``preferred`` , your user pool doesn't require the use of authenticators with user verification but encourages it.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-webauthnuserverification
         '''
         result = self._values.get("web_authn_user_verification")
@@ -10713,7 +10745,7 @@ class CfnUserPoolResourceServer(
         :param id: Construct identifier for this resource (unique in its scope).
         :param identifier: A unique resource server identifier for the resource server. The identifier can be an API friendly name like ``solar-system-data`` . You can also set an API URL like ``https://solar-system-data-api.example.com`` as your identifier. Amazon Cognito represents scopes in the access token in the format ``$resource-server-identifier/$scope`` . Longer scope-identifier strings increase the size of your access tokens.
         :param name: A friendly name for the resource server.
-        :param user_pool_id: The user pool ID for the user pool.
+        :param user_pool_id: The ID of the user pool where you want to create a resource server.
         :param scopes: A list of scopes. Each scope is a map with keys ``ScopeName`` and ``ScopeDescription`` .
         '''
         if __debug__:
@@ -10790,7 +10822,7 @@ class CfnUserPoolResourceServer(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.'''
+        '''The ID of the user pool where you want to create a resource server.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -10922,7 +10954,7 @@ class CfnUserPoolResourceServerProps:
 
         :param identifier: A unique resource server identifier for the resource server. The identifier can be an API friendly name like ``solar-system-data`` . You can also set an API URL like ``https://solar-system-data-api.example.com`` as your identifier. Amazon Cognito represents scopes in the access token in the format ``$resource-server-identifier/$scope`` . Longer scope-identifier strings increase the size of your access tokens.
         :param name: A friendly name for the resource server.
-        :param user_pool_id: The user pool ID for the user pool.
+        :param user_pool_id: The ID of the user pool where you want to create a resource server.
         :param scopes: A list of scopes. Each scope is a map with keys ``ScopeName`` and ``ScopeDescription`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html
@@ -10986,7 +11018,7 @@ class CfnUserPoolResourceServerProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.
+        '''The ID of the user pool where you want to create a resource server.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html#cfn-cognito-userpoolresourceserver-userpoolid
         '''
@@ -12279,7 +12311,7 @@ class CfnUserPoolUICustomizationAttachment(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
-        :param user_pool_id: The user pool ID for the user pool.
+        :param user_pool_id: The ID of the user pool.
         :param css: The CSS values in the UI customization.
         '''
         if __debug__:
@@ -12343,7 +12375,7 @@ class CfnUserPoolUICustomizationAttachment(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.'''
+        '''The ID of the user pool.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -12383,7 +12415,7 @@ class CfnUserPoolUICustomizationAttachmentProps:
         '''Properties for defining a ``CfnUserPoolUICustomizationAttachment``.
 
         :param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
-        :param user_pool_id: The user pool ID for the user pool.
+        :param user_pool_id: The ID of the user pool.
         :param css: The CSS values in the UI customization.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
@@ -12429,7 +12461,7 @@ class CfnUserPoolUICustomizationAttachmentProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.
+        '''The ID of the user pool.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-userpoolid
         '''
@@ -12515,11 +12547,11 @@ class CfnUserPoolUser(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param user_pool_id: The user pool ID for the user pool where the user will be created.
-        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Customizing user pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following: - Store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose. - Validate the ClientMetadata value. - Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
-        :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
-        :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
-        :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
+        :param user_pool_id: The ID of the user pool where you want to create a user.
+        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``ClientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Using Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following: - Store the ``ClientMetadata`` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ``ClientMetadata`` parameter serves no purpose. - Validate the ``ClientMetadata`` value. - Encrypt the ``ClientMetadata`` value. Don't send sensitive information in this parameter.
+        :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
+        :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
+        :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
         :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
@@ -12579,7 +12611,7 @@ class CfnUserPoolUser(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool where the user will be created.'''
+        '''The ID of the user pool where you want to create a user.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -12610,7 +12642,7 @@ class CfnUserPoolUser(
     @builtins.property
     @jsii.member(jsii_name="desiredDeliveryMediums")
     def desired_delivery_mediums(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Specify ``"EMAIL"`` if email will be used to send the welcome message.'''
+        '''Specify ``EMAIL`` if email will be used to send the welcome message.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "desiredDeliveryMediums"))
 
     @desired_delivery_mediums.setter
@@ -12644,7 +12676,7 @@ class CfnUserPoolUser(
     @builtins.property
     @jsii.member(jsii_name="messageAction")
     def message_action(self) -> typing.Optional[builtins.str]:
-        '''Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account.'''
+        '''Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "messageAction"))
 
     @message_action.setter
@@ -12805,11 +12837,11 @@ class CfnUserPoolUserProps:
     ) -> None:
         '''Properties for defining a ``CfnUserPoolUser``.
 
-        :param user_pool_id: The user pool ID for the user pool where the user will be created.
-        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Customizing user pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following: - Store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose. - Validate the ClientMetadata value. - Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
-        :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
-        :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
-        :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
+        :param user_pool_id: The ID of the user pool where you want to create a user.
+        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``ClientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Using Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following: - Store the ``ClientMetadata`` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ``ClientMetadata`` parameter serves no purpose. - Validate the ``ClientMetadata`` value. - Encrypt the ``ClientMetadata`` value. Don't send sensitive information in this parameter.
+        :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
+        :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
+        :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
         :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
@@ -12874,7 +12906,7 @@ class CfnUserPoolUserProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool where the user will be created.
+        '''The ID of the user pool where you want to create a user.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-userpoolid
         '''
@@ -12888,16 +12920,16 @@ class CfnUserPoolUserProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
         '''A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
 
-        You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs.
+        You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``ClientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs.
 
-        For more information, see `Customizing user pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* .
+        For more information, see `Using Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* .
         .. epigraph::
 
-           When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
+           When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following:
 
-           - Store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
-           - Validate the ClientMetadata value.
-           - Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
+           - Store the ``ClientMetadata`` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ``ClientMetadata`` parameter serves no purpose.
+           - Validate the ``ClientMetadata`` value.
+           - Encrypt the ``ClientMetadata`` value. Don't send sensitive information in this parameter.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-clientmetadata
         '''
@@ -12906,9 +12938,9 @@ class CfnUserPoolUserProps:
 
     @builtins.property
     def desired_delivery_mediums(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''Specify ``"EMAIL"`` if email will be used to send the welcome message.
+        '''Specify ``EMAIL`` if email will be used to send the welcome message.
 
-        Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
+        Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-desireddeliverymediums
         '''
@@ -12923,7 +12955,7 @@ class CfnUserPoolUserProps:
 
         Otherwise, it is ignored.
 
-        If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias.
+        If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias.
 
         If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
 
@@ -12934,7 +12966,7 @@ class CfnUserPoolUserProps:
 
     @builtins.property
     def message_action(self) -> typing.Optional[builtins.str]:
-        '''Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account.
+        '''Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password.
 
         Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
 
@@ -13059,7 +13091,7 @@ class CfnUserPoolUserToGroupAttachment(
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_name: The name of the group that you want to add your user to.
         :param username: The user's username.
-        :param user_pool_id: The user pool ID for the user pool.
+        :param user_pool_id: The ID of the user pool that contains the group that you want to add the user to.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__a7364d75afc292798863e1183adee778bee531b8ea162e2882fe2861f9b8e33c)
@@ -13135,7 +13167,7 @@ class CfnUserPoolUserToGroupAttachment(
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.'''
+        '''The ID of the user pool that contains the group that you want to add the user to.'''
         return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
 
     @user_pool_id.setter
@@ -13167,7 +13199,7 @@ class CfnUserPoolUserToGroupAttachmentProps:
 
         :param group_name: The name of the group that you want to add your user to.
         :param username: The user's username.
-        :param user_pool_id: The user pool ID for the user pool.
+        :param user_pool_id: The ID of the user pool that contains the group that you want to add the user to.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html
         :exampleMetadata: fixture=_generated
@@ -13217,7 +13249,7 @@ class CfnUserPoolUserToGroupAttachmentProps:
 
     @builtins.property
     def user_pool_id(self) -> builtins.str:
-        '''The user pool ID for the user pool.
+        '''The ID of the user pool that contains the group that you want to add the user to.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html#cfn-cognito-userpoolusertogroupattachment-userpoolid
         '''