aws-cdk-lib 2.175.1__py3-none-any.whl → 2.177.0__py3-none-any.whl


Potentially problematic release.


This version of aws-cdk-lib might be problematic.

Files changed (64)
  1. aws_cdk/__init__.py +26 -7
  2. aws_cdk/_jsii/__init__.py +1 -1
  3. aws_cdk/_jsii/{aws-cdk-lib@2.175.1.jsii.tgz → aws-cdk-lib@2.177.0.jsii.tgz} +0 -0
  4. aws_cdk/aws_apigatewayv2_integrations/__init__.py +161 -9
  5. aws_cdk/aws_appconfig/__init__.py +106 -24
  6. aws_cdk/aws_appsync/__init__.py +4 -3
  7. aws_cdk/aws_backup/__init__.py +18 -84
  8. aws_cdk/aws_batch/__init__.py +4 -2
  9. aws_cdk/aws_bedrock/__init__.py +5395 -2508
  10. aws_cdk/aws_cleanrooms/__init__.py +77 -34
  11. aws_cdk/aws_cloudformation/__init__.py +4 -2
  12. aws_cdk/aws_cloudfront/__init__.py +12 -2
  13. aws_cdk/aws_cloudfront/experimental/__init__.py +1 -1
  14. aws_cdk/aws_cloudfront_origins/__init__.py +33 -2
  15. aws_cdk/aws_cloudwatch/__init__.py +53 -49
  16. aws_cdk/aws_codebuild/__init__.py +36 -0
  17. aws_cdk/aws_codepipeline/__init__.py +35 -0
  18. aws_cdk/aws_cognito/__init__.py +285 -253
  19. aws_cdk/aws_customerprofiles/__init__.py +1060 -0
  20. aws_cdk/aws_datazone/__init__.py +195 -125
  21. aws_cdk/aws_docdb/__init__.py +29 -9
  22. aws_cdk/aws_dynamodb/__init__.py +77 -58
  23. aws_cdk/aws_ec2/__init__.py +16 -11
  24. aws_cdk/aws_ecs/__init__.py +127 -43
  25. aws_cdk/aws_efs/__init__.py +5 -5
  26. aws_cdk/aws_eks/__init__.py +24 -3
  27. aws_cdk/aws_elasticloadbalancingv2/__init__.py +41 -5
  28. aws_cdk/aws_emrserverless/__init__.py +86 -0
  29. aws_cdk/aws_fms/__init__.py +42 -0
  30. aws_cdk/aws_gamelift/__init__.py +8 -10
  31. aws_cdk/aws_healthlake/__init__.py +36 -40
  32. aws_cdk/aws_iam/__init__.py +8 -0
  33. aws_cdk/aws_imagebuilder/__init__.py +62 -48
  34. aws_cdk/aws_lambda/__init__.py +21 -8
  35. aws_cdk/aws_lambda_event_sources/__init__.py +9 -9
  36. aws_cdk/aws_lex/__init__.py +105 -0
  37. aws_cdk/aws_logs/__init__.py +59 -59
  38. aws_cdk/aws_mediaconvert/__init__.py +7 -3
  39. aws_cdk/aws_notifications/__init__.py +1390 -0
  40. aws_cdk/aws_notificationscontacts/__init__.py +593 -0
  41. aws_cdk/aws_organizations/__init__.py +5 -9
  42. aws_cdk/aws_rds/__init__.py +99 -30
  43. aws_cdk/aws_redshift/__init__.py +9 -5
  44. aws_cdk/aws_resiliencehub/__init__.py +41 -0
  45. aws_cdk/aws_route53/__init__.py +4 -4
  46. aws_cdk/aws_route53_targets/__init__.py +15 -15
  47. aws_cdk/aws_s3/__init__.py +794 -5
  48. aws_cdk/aws_s3_notifications/__init__.py +5 -5
  49. aws_cdk/aws_s3tables/__init__.py +2 -2
  50. aws_cdk/aws_ses/__init__.py +25 -4
  51. aws_cdk/aws_sns/__init__.py +39 -0
  52. aws_cdk/aws_ssm/__init__.py +14 -7
  53. aws_cdk/aws_ssmquicksetup/__init__.py +84 -84
  54. aws_cdk/aws_sso/__init__.py +9 -5
  55. aws_cdk/aws_synthetics/__init__.py +105 -32
  56. aws_cdk/cloud_assembly_schema/__init__.py +63 -4
  57. aws_cdk/cx_api/__init__.py +69 -8
  58. {aws_cdk_lib-2.175.1.dist-info → aws_cdk_lib-2.177.0.dist-info}/METADATA +3 -3
  59. {aws_cdk_lib-2.175.1.dist-info → aws_cdk_lib-2.177.0.dist-info}/RECORD +63 -62
  60. aws_cdk/aws_iot1click/__init__.py +0 -1193
  61. {aws_cdk_lib-2.175.1.dist-info → aws_cdk_lib-2.177.0.dist-info}/LICENSE +0 -0
  62. {aws_cdk_lib-2.175.1.dist-info → aws_cdk_lib-2.177.0.dist-info}/NOTICE +0 -0
  63. {aws_cdk_lib-2.175.1.dist-info → aws_cdk_lib-2.177.0.dist-info}/WHEEL +0 -0
  64. {aws_cdk_lib-2.175.1.dist-info → aws_cdk_lib-2.177.0.dist-info}/top_level.txt +0 -0
@@ -977,6 +977,28 @@ Read more about [Using the Amazon Cognito
977
977
  Domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html) and [Using Your Own
978
978
  Domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html).
979
979
 
980
+ You can use the [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) page provided by Amazon Cognito to sign in users. The managed login page has two versions: a classic version and a new version. You can switch between the two versions by using the `managedLoginVersion` property.
981
+
982
+ ```python
983
+ pool = cognito.UserPool(self, "Pool")
984
+
985
+ # Use the new managed login page
986
+ pool.add_domain("CognitoDomainWithBlandingDesignManagedLogin",
987
+ cognito_domain=cognito.CognitoDomainOptions(
988
+ domain_prefix="blanding-design-ui"
989
+ ),
990
+ managed_login_version=cognito.ManagedLoginVersion.NEWER_MANAGED_LOGIN
991
+ )
992
+
993
+ # Use the classic hosted UI
994
+ pool.add_domain("DomainWithClassicHostedUi",
995
+ cognito_domain=cognito.CognitoDomainOptions(
996
+ domain_prefix="classic-hosted-ui"
997
+ ),
998
+ managed_login_version=cognito.ManagedLoginVersion.CLASSIC_HOSTED_UI
999
+ )
1000
+ ```
1001
+
980
1002
  The `signInUrl()` methods returns the fully qualified URL to the login page for the user pool. This page comes from the
981
1003
  hosted UI configured with Cognito. Learn more at [Hosted UI with the Amazon Cognito
982
1004
  Console](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html#cognito-user-pools-create-an-app-integration).
@@ -3494,7 +3516,7 @@ class CfnLogDeliveryConfiguration(
3494
3516
  ):
3495
3517
  '''Sets up or modifies the logging configuration of a user pool.
3496
3518
 
3497
- User pools can export user notification logs and advanced security features user activity logs.
3519
+ User pools can export user notification logs and, when threat protection is active, user-activity logs. For more information, see `Exporting user pool logs <https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html>`_ .
3498
3520
 
3499
3521
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html
3500
3522
  :cloudformationResource: AWS::Cognito::LogDeliveryConfiguration
@@ -3691,9 +3713,9 @@ class CfnLogDeliveryConfiguration(
3691
3713
  )
3692
3714
  class FirehoseConfigurationProperty:
3693
3715
  def __init__(self, *, stream_arn: typing.Optional[builtins.str] = None) -> None:
3694
- '''Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features.
3716
+ '''Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
3695
3717
 
3696
- :param stream_arn: The ARN of an Amazon Data Firehose stream that's the destination for advanced security features log export.
3718
+ :param stream_arn: The ARN of an Amazon Data Firehose stream that's the destination for threat protection log export.
3697
3719
 
3698
3720
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-firehoseconfiguration.html
3699
3721
  :exampleMetadata: fixture=_generated
@@ -3717,7 +3739,7 @@ class CfnLogDeliveryConfiguration(
3717
3739
 
3718
3740
  @builtins.property
3719
3741
  def stream_arn(self) -> typing.Optional[builtins.str]:
3720
- '''The ARN of an Amazon Data Firehose stream that's the destination for advanced security features log export.
3742
+ '''The ARN of an Amazon Data Firehose stream that's the destination for threat protection log export.
3721
3743
 
3722
3744
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-firehoseconfiguration.html#cfn-cognito-logdeliveryconfiguration-firehoseconfiguration-streamarn
3723
3745
  '''
@@ -3758,13 +3780,11 @@ class CfnLogDeliveryConfiguration(
3758
3780
  ) -> None:
3759
3781
  '''The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.
3760
3782
 
3761
- This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
3762
-
3763
- :param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features. This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
3783
+ :param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
3764
3784
  :param event_source: The source of events that your user pool sends for logging. To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about threat-protection user activity in user pools with the Plus feature plan, set to ``userAuthEvents`` .
3765
- :param firehose_configuration: Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features.
3785
+ :param firehose_configuration: Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
3766
3786
  :param log_level: The ``errorlevel`` selection of logs that a user pool sends for detailed activity logging. To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from threat protection with the Plus feature plan, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
3767
- :param s3_configuration: Configuration for the Amazon S3 bucket destination of user activity log export with advanced security features.
3787
+ :param s3_configuration: Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
3768
3788
 
3769
3789
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html
3770
3790
  :exampleMetadata: fixture=_generated
@@ -3814,8 +3834,6 @@ class CfnLogDeliveryConfiguration(
3814
3834
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.CloudWatchLogsConfigurationProperty"]]:
3815
3835
  '''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
3816
3836
 
3817
- This data type is a request parameter of `SetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html>`_ and a response parameter of `GetLogDeliveryConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html>`_ .
3818
-
3819
3837
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-cloudwatchlogsconfiguration
3820
3838
  '''
3821
3839
  result = self._values.get("cloud_watch_logs_configuration")
@@ -3836,7 +3854,7 @@ class CfnLogDeliveryConfiguration(
3836
3854
  def firehose_configuration(
3837
3855
  self,
3838
3856
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.FirehoseConfigurationProperty"]]:
3839
- '''Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features.
3857
+ '''Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
3840
3858
 
3841
3859
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-firehoseconfiguration
3842
3860
  '''
@@ -3858,7 +3876,7 @@ class CfnLogDeliveryConfiguration(
3858
3876
  def s3_configuration(
3859
3877
  self,
3860
3878
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.S3ConfigurationProperty"]]:
3861
- '''Configuration for the Amazon S3 bucket destination of user activity log export with advanced security features.
3879
+ '''Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
3862
3880
 
3863
3881
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-s3configuration
3864
3882
  '''
@@ -3883,9 +3901,9 @@ class CfnLogDeliveryConfiguration(
3883
3901
  )
3884
3902
  class S3ConfigurationProperty:
3885
3903
  def __init__(self, *, bucket_arn: typing.Optional[builtins.str] = None) -> None:
3886
- '''Configuration for the Amazon S3 bucket destination of user activity log export with advanced security features.
3904
+ '''Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
3887
3905
 
3888
- :param bucket_arn: The ARN of an Amazon S3 bucket that's the destination for advanced security features log export.
3906
+ :param bucket_arn: The ARN of an Amazon S3 bucket that's the destination for threat protection log export.
3889
3907
 
3890
3908
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-s3configuration.html
3891
3909
  :exampleMetadata: fixture=_generated
@@ -3909,7 +3927,7 @@ class CfnLogDeliveryConfiguration(
3909
3927
 
3910
3928
  @builtins.property
3911
3929
  def bucket_arn(self) -> typing.Optional[builtins.str]:
3912
- '''The ARN of an Amazon S3 bucket that's the destination for advanced security features log export.
3930
+ '''The ARN of an Amazon S3 bucket that's the destination for threat protection log export.
3913
3931
 
3914
3932
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-s3configuration.html#cfn-cognito-logdeliveryconfiguration-s3configuration-bucketarn
3915
3933
  '''
@@ -4266,8 +4284,6 @@ class CfnManagedLoginBranding(
4266
4284
  ) -> None:
4267
4285
  '''An image file from a managed login branding style in a user pool.
4268
4286
 
4269
- This data type is a request parameter of `CreateManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html>`_ and `UpdateManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html>`_ , and a response parameter of `DescribeManagedLoginBranding <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html>`_ .
4270
-
4271
4287
  :param category: The category that the image corresponds to in your managed login configuration. Managed login has asset categories for different types of logos, backgrounds, and icons.
4272
4288
  :param color_mode: The display-mode target of the asset: light, dark, or browser-adaptive. For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
4273
4289
  :param extension: The file type of the image file.
@@ -4729,9 +4745,9 @@ class CfnUserPool(
4729
4745
  :param scope: Scope in which this resource is defined.
4730
4746
  :param id: Construct identifier for this resource (unique in its scope).
4731
4747
  :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
4732
- :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
4733
- :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
4734
- :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. Possible values: *email* , *phone_number* . For more information see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
4748
+ :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
4749
+ :param alias_attributes: Attributes supported as an alias for this user pool. For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
4750
+ :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
4735
4751
  :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
4736
4752
  :param device_configuration: The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`_ . A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature. For more infor
4737
4753
  :param email_authentication_message:
@@ -4741,17 +4757,17 @@ class CfnUserPool(
4741
4757
  :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
4742
4758
  :param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
4743
4759
  :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
4744
- :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
4745
- :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
4760
+ :param mfa_configuration: Displays the state of multi-factor authentication (MFA) as on, off, or optional. When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` . When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
4761
+ :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements.
4746
4762
  :param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
4747
4763
  :param sms_authentication_message: The contents of the SMS authentication message.
4748
- :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
4764
+ :param sms_configuration: The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
4749
4765
  :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
4750
4766
  :param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
4751
4767
  :param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
4752
4768
  :param username_configuration: Sets the case sensitivity option for sign-in usernames. When ``CaseSensitive`` is ``false`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``false`` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. When ``CaseSensitive`` is ``true`` (case sensitive), Amazon Cognito interprets ``USERNAME`` and ``UserName`` as distinct users. This configuration is immutable after you set it.
4753
- :param user_pool_add_ons: User pool add-ons. Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
4754
- :param user_pool_name: A friendlhy name for your user pool.
4769
+ :param user_pool_add_ons: Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
4770
+ :param user_pool_name: A friendly name for your user pool.
4755
4771
  :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
4756
4772
  :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
4757
4773
  :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
@@ -5080,10 +5096,7 @@ class CfnUserPool(
5080
5096
  @builtins.property
5081
5097
  @jsii.member(jsii_name="mfaConfiguration")
5082
5098
  def mfa_configuration(self) -> typing.Optional[builtins.str]:
5083
- '''The multi-factor authentication (MFA) configuration.
5084
-
5085
- Valid values include:.
5086
- '''
5099
+ '''Displays the state of multi-factor authentication (MFA) as on, off, or optional.'''
5087
5100
  return typing.cast(typing.Optional[builtins.str], jsii.get(self, "mfaConfiguration"))
5088
5101
 
5089
5102
  @mfa_configuration.setter
@@ -5098,10 +5111,7 @@ class CfnUserPool(
5098
5111
  def policies(
5099
5112
  self,
5100
5113
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PoliciesProperty"]]:
5101
- '''A list of user pool policies.
5102
-
5103
- Contains the policy that sets password-complexity requirements.
5104
- '''
5114
+ '''A list of user pool policies.'''
5105
5115
  return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PoliciesProperty"]], jsii.get(self, "policies"))
5106
5116
 
5107
5117
  @policies.setter
@@ -5150,7 +5160,7 @@ class CfnUserPool(
5150
5160
  def sms_configuration(
5151
5161
  self,
5152
5162
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SmsConfigurationProperty"]]:
5153
- '''The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service.'''
5163
+ '''The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service.'''
5154
5164
  return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SmsConfigurationProperty"]], jsii.get(self, "smsConfiguration"))
5155
5165
 
5156
5166
  @sms_configuration.setter
@@ -5233,7 +5243,7 @@ class CfnUserPool(
5233
5243
  def user_pool_add_ons(
5234
5244
  self,
5235
5245
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UserPoolAddOnsProperty"]]:
5236
- '''User pool add-ons.'''
5246
+ '''Contains settings for activation of threat protection, including the operating mode and additional authentication types.'''
5237
5247
  return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UserPoolAddOnsProperty"]], jsii.get(self, "userPoolAddOns"))
5238
5248
 
5239
5249
  @user_pool_add_ons.setter
@@ -5249,7 +5259,7 @@ class CfnUserPool(
5249
5259
  @builtins.property
5250
5260
  @jsii.member(jsii_name="userPoolName")
5251
5261
  def user_pool_name(self) -> typing.Optional[builtins.str]:
5252
- '''A friendlhy name for your user pool.'''
5262
+ '''A friendly name for your user pool.'''
5253
5263
  return typing.cast(typing.Optional[builtins.str], jsii.get(self, "userPoolName"))
5254
5264
 
5255
5265
  @user_pool_name.setter
@@ -5414,11 +5424,9 @@ class CfnUserPool(
5414
5424
 
5415
5425
  Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
5416
5426
 
5417
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
5418
-
5419
- :param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the `SignUp <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html>`_ operation.
5427
+ :param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the ``SignUp`` operation.
5420
5428
  :param invite_message_template: The template for the welcome message to new users. This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
5421
- :param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of `PasswordPolicyType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html>`_ . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` . The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
5429
+ :param unused_account_validity_days: This parameter is no longer in use. The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
5422
5430
 
5423
5431
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
5424
5432
  :exampleMetadata: fixture=_generated
@@ -5458,7 +5466,7 @@ class CfnUserPool(
5458
5466
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
5459
5467
  '''The setting for allowing self-service sign-up.
5460
5468
 
5461
- When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the `SignUp <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html>`_ operation.
5469
+ When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the ``SignUp`` operation.
5462
5470
 
5463
5471
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-allowadmincreateuseronly
5464
5472
  '''
@@ -5484,8 +5492,6 @@ class CfnUserPool(
5484
5492
  def unused_account_validity_days(self) -> typing.Optional[jsii.Number]:
5485
5493
  '''This parameter is no longer in use.
5486
5494
 
5487
- Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of `PasswordPolicyType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html>`_ . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` .
5488
-
5489
5495
  The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter.
5490
5496
 
5491
5497
  The default value for this parameter is 7.
@@ -5517,9 +5523,9 @@ class CfnUserPool(
5517
5523
  *,
5518
5524
  custom_auth_mode: typing.Optional[builtins.str] = None,
5519
5525
  ) -> None:
5520
- '''Advanced security configuration options for additional authentication types in your user pool, including custom authentication.
5526
+ '''Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
5521
5527
 
5522
- :param custom_auth_mode: The operating mode of advanced security features in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
5528
+ :param custom_auth_mode: The operating mode of threat protection in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
5523
5529
 
5524
5530
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-advancedsecurityadditionalflows.html
5525
5531
  :exampleMetadata: fixture=_generated
@@ -5543,7 +5549,7 @@ class CfnUserPool(
5543
5549
 
5544
5550
  @builtins.property
5545
5551
  def custom_auth_mode(self) -> typing.Optional[builtins.str]:
5546
- '''The operating mode of advanced security features in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
5552
+ '''The operating mode of threat protection in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
5547
5553
 
5548
5554
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-advancedsecurityadditionalflows.html#cfn-cognito-userpool-advancedsecurityadditionalflows-customauthmode
5549
5555
  '''
@@ -5730,17 +5736,8 @@ class CfnUserPool(
5730
5736
  ) -> None:
5731
5737
  '''The device-remembering configuration for a user pool.
5732
5738
 
5733
- A `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a `ConfirmDevice <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html>`_ API request. Additionally. when the property ``DeviceOnlyRememberedOnUserPrompt`` is ``true`` , you must follow ``ConfirmDevice`` with an `UpdateDeviceStatus <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html>`_ API request that sets the user's device to ``remembered`` or ``not_remembered`` .
5734
-
5735
- To sign in with a remembered device, include ``DEVICE_KEY`` in the authentication parameters in your user's `InitiateAuth <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html>`_ request. If your app doesn't include a ``DEVICE_KEY`` parameter, the `response <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_ResponseSyntax>`_ from Amazon Cognito includes newly-generated ``DEVICE_KEY`` and ``DEVICE_GROUP_KEY`` values under ``NewDeviceMetadata`` . Store these values to use in future device-authentication requests.
5736
- .. epigraph::
5737
-
5738
- When you provide a value for any property of ``DeviceConfiguration`` , you activate the device remembering for the user pool.
5739
-
5740
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
5741
-
5742
5739
  :param challenge_required_on_new_device: When true, a remembered device can sign in with device authentication instead of SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA). .. epigraph:: Whether or not ``ChallengeRequiredOnNewDevice`` is true, users who sign in with devices that have not been confirmed or remembered must still provide a second factor in a user pool that requires MFA.
5743
- :param device_only_remembered_on_user_prompt: When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a `ConfirmDevice <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html>`_ API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an `UpdateDeviceStatus <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html>`_ API request. When ``DeviceOnlyRememberedOnUserPrompt`` is ``false`` , Amazon Cognito immediately remembers devices that you register in a ``ConfirmDevice`` API request.
5740
+ :param device_only_remembered_on_user_prompt: When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a ``ConfirmDevice`` API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an ``UpdateDeviceStatus`` API request. When ``DeviceOnlyRememberedOnUserPrompt`` is ``false`` , Amazon Cognito immediately remembers devices that you register in a ``ConfirmDevice`` API request.
5744
5741
 
5745
5742
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-deviceconfiguration.html
5746
5743
  :exampleMetadata: fixture=_generated
@@ -5785,7 +5782,9 @@ class CfnUserPool(
5785
5782
  def device_only_remembered_on_user_prompt(
5786
5783
  self,
5787
5784
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
5788
- '''When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a `ConfirmDevice <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html>`_ API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an `UpdateDeviceStatus <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html>`_ API request.
5785
+ '''When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a ``ConfirmDevice`` API request.
5786
+
5787
+ In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an ``UpdateDeviceStatus`` API request.
5789
5788
 
5790
5789
  When ``DeviceOnlyRememberedOnUserPrompt`` is ``false`` , Amazon Cognito immediately remembers devices that you register in a ``ConfirmDevice`` API request.
5791
5790
 
@@ -6096,8 +6095,6 @@ class CfnUserPool(
6096
6095
 
6097
6096
  Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them.
6098
6097
 
6099
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6100
-
6101
6098
  :param create_auth_challenge: The configuration of a create auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
6102
6099
  :param custom_email_sender: The configuration of a custom email sender Lambda trigger. This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
6103
6100
  :param custom_message: A custom message Lambda trigger. This trigger is an opportunity to customize all SMS and email messages from your user pool. When a custom message trigger is active, your user pool routes all messages to a Lambda function that returns a runtime-customized message subject and body for your user pool to deliver to a user.
@@ -6359,8 +6356,6 @@ class CfnUserPool(
6359
6356
  ) -> None:
6360
6357
  '''The minimum and maximum values of an attribute that is of the number type, for example ``custom:age`` .
6361
6358
 
6362
- This data type is part of `SchemaAttributeType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html>`_ . It defines the length constraints on number-type attributes that you configure in `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and displays the length constraints of all number-type attributes in the response to `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_
6363
-
6364
6359
  :param max_value: The maximum length of a number attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
6365
6360
  :param min_value: The minimum value of an attribute that is of the number data type.
6366
6361
 
@@ -6446,10 +6441,8 @@ class CfnUserPool(
6446
6441
  ) -> None:
6447
6442
  '''The password policy settings for a user pool, including complexity, history, and length requirements.
6448
6443
 
6449
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6450
-
6451
6444
  :param minimum_length: The minimum length of the password in the policy that you have set. This value can't be less than 6.
6452
- :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` . Password history isn't enforced and isn't displayed in `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
6445
+ :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` .
6453
6446
  :param require_lowercase: The requirement in a password policy that users must include at least one lowercase letter in their password.
6454
6447
  :param require_numbers: The requirement in a password policy that users must include at least one number in their password.
6455
6448
  :param require_symbols: The requirement in a password policy that users must include at least one symbol in their password.
@@ -6517,8 +6510,6 @@ class CfnUserPool(
6517
6510
 
6518
6511
  Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` .
6519
6512
 
6520
- Password history isn't enforced and isn't displayed in `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
6521
-
6522
6513
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-passwordhistorysize
6523
6514
  '''
6524
6515
  result = self._values.get("password_history_size")
@@ -6608,12 +6599,12 @@ class CfnUserPool(
6608
6599
  password_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.PasswordPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
6609
6600
  sign_in_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.SignInPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
6610
6601
  ) -> None:
6611
- '''A list of user pool policies. Contains the policy that sets password-complexity requirements.
6602
+ '''A list of user pool policies.
6612
6603
 
6613
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6604
+ Contains the policy that sets password-complexity requirements.
6614
6605
 
6615
6606
  :param password_policy: The password policy settings for a user pool, including complexity, history, and length requirements.
6616
- :param sign_in_policy: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6607
+ :param sign_in_policy: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
6617
6608
 
6618
6609
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html
6619
6610
  :exampleMetadata: fixture=_generated
@@ -6668,8 +6659,6 @@ class CfnUserPool(
6668
6659
 
6669
6660
  To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
6670
6661
 
6671
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6672
-
6673
6662
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-signinpolicy
6674
6663
  '''
6675
6664
  result = self._values.get("sign_in_policy")
@@ -6700,8 +6689,6 @@ class CfnUserPool(
6700
6689
  ) -> None:
6701
6690
  '''The properties of a pre token generation Lambda trigger.
6702
6691
 
6703
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6704
-
6705
6692
  :param lambda_arn: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger. This parameter and the ``PreTokenGeneration`` property of ``LambdaConfig`` have the same value. For new instances of pre token generation triggers, set ``LambdaArn`` .
6706
6693
  :param lambda_version: The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
6707
6694
 
@@ -6780,8 +6767,6 @@ class CfnUserPool(
6780
6767
 
6781
6768
  For example, if ``verified_email`` has a priority of ``1`` and ``verified_phone_number`` has a priority of ``2`` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The ``admin_only`` option prevents self-service account recovery.
6782
6769
 
6783
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6784
-
6785
6770
  :param name: The recovery method that this object sets a recovery option for.
6786
6771
  :param priority: Your priority preference for using the specified attribute in account recovery. The highest priority is ``1`` .
6787
6772
 
@@ -6871,8 +6856,6 @@ class CfnUserPool(
6871
6856
 
6872
6857
  Developer-only ``dev:`` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
6873
6858
 
6874
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
6875
-
6876
6859
  :param attribute_data_type: The data format of the values for your attribute. When you choose an ``AttributeDataType`` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example ``"custom:isMember" : "true"`` or ``"custom:YearsAsMember" : "12"`` .
6877
6860
  :param developer_only_attribute: .. epigraph:: You should use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` . Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users won't be able to modify this attribute using their access token. For example, ``DeveloperOnlyAttribute`` can be modified using AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes.
6878
6861
  :param mutable: Specifies whether the value of the attribute can be changed. Any user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of ``true`` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see `Specifying Identity Provider Attribute Mappings for Your User Pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
@@ -7042,8 +7025,6 @@ class CfnUserPool(
7042
7025
 
7043
7026
  To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
7044
7027
 
7045
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
7046
-
7047
7028
  :param allowed_first_auth_factors: The sign-in methods that a user pool supports as the first factor. You can permit users to start authentication with a standard username and password, or with other one-time password and hardware factors. Supports values of ``EMAIL_OTP`` , ``SMS_OTP`` , ``WEB_AUTHN`` and ``PASSWORD`` ,
7048
7029
 
7049
7030
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html
@@ -7113,8 +7094,6 @@ class CfnUserPool(
7113
7094
 
7114
7095
  To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
7115
7096
 
7116
- This data type is a request parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ , `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ , and a response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ , `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and `GetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html>`_ .
7117
-
7118
7097
  :param external_id: The external ID provides additional security for your IAM role. You can use an ``ExternalId`` with the IAM role that you use with Amazon SNS to send SMS messages for your user pool. If you provide an ``ExternalId`` , your Amazon Cognito user pool includes it in the request to assume your IAM role. You can configure the role trust policy to require that Amazon Cognito, and any principal, provide the ``ExternalID`` . If you use the Amazon Cognito Management Console to create a role for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required permissions and a trust policy that demonstrates use of the ``ExternalId`` . For more information about the ``ExternalId`` of a role, see `How to use an external ID when granting access to your AWS resources to a third party <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ .
7119
7098
  :param sns_caller_arn: The Amazon Resource Name (ARN) of the Amazon SNS caller. This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a `spending limit <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html>`_ .
7120
7099
  :param sns_region: The AWS Region to use with Amazon SNS integration. You can choose the same Region as your user pool, or a supported *Legacy Amazon SNS alternate Region* . Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see `SMS message settings for Amazon Cognito user pools <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
@@ -7209,8 +7188,6 @@ class CfnUserPool(
7209
7188
  ) -> None:
7210
7189
  '''The minimum and maximum length values of an attribute that is of the string type, for example ``custom:department`` .
7211
7190
 
7212
- This data type is part of `SchemaAttributeType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html>`_ . It defines the length constraints on string-type attributes that you configure in `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and displays the length constraints of all string-type attributes in the response to `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_
7213
-
7214
7191
  :param max_length: The maximum length of a string attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
7215
7192
  :param min_length: The minimum length of a string attribute value.
7216
7193
 
@@ -7288,7 +7265,7 @@ class CfnUserPool(
7288
7265
  a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For
7289
7266
  more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
7290
7267
 
7291
- :param attributes_require_verification_before_update: Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value. You can verify an updated email address or phone number with a `VerifyUserAttribute <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html>`_ API request. You can also call the `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ API and set ``email_verified`` or ``phone_number_verified`` to true. When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
7268
+ :param attributes_require_verification_before_update: Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value. When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
7292
7269
 
7293
7270
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userattributeupdatesettings.html
7294
7271
  :exampleMetadata: fixture=_generated
@@ -7318,8 +7295,6 @@ class CfnUserPool(
7318
7295
 
7319
7296
  When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value.
7320
7297
 
7321
- You can verify an updated email address or phone number with a `VerifyUserAttribute <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html>`_ API request. You can also call the `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ API and set ``email_verified`` or ``phone_number_verified`` to true.
7322
-
7323
7298
  When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
7324
7299
 
7325
7300
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userattributeupdatesettings.html#cfn-cognito-userpool-userattributeupdatesettings-attributesrequireverificationbeforeupdate
@@ -7360,10 +7335,8 @@ class CfnUserPool(
7360
7335
 
7361
7336
  For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
7362
7337
 
7363
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
7364
-
7365
- :param advanced_security_additional_flows: Advanced security configuration options for additional authentication types in your user pool, including custom authentication.
7366
- :param advanced_security_mode: The operating mode of advanced security features for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
7338
+ :param advanced_security_additional_flows: Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
7339
+ :param advanced_security_mode: The operating mode of threat protection for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
7367
7340
 
7368
7341
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
7369
7342
  :exampleMetadata: fixture=_generated
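Review bot: The reworded `:param advanced_security_mode:` line (new line 7339) still does not say which values the string accepts, and the same gap is in the property docstring changed by the `@@ -7404,7 +7377,7 @@` hunk. Without that, a reader cannot tell whether a pool only records detected risk or acts on it. I would append the value list as the Cognito API documents it, for example `Valid values: OFF, AUDIT (detect and log only), ENFORCED (apply the configured automatic responses).` The wording is also mixed now: these lines say "threat protection" while the unchanged sentence just above still links to "Adding advanced security to a user pool", so a short "(formerly advanced security)" would keep the two connected. The docstring this hunk edits starts outside the hunk.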
@@ -7395,7 +7368,7 @@ class CfnUserPool(
7395
7368
  def advanced_security_additional_flows(
7396
7369
  self,
7397
7370
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.AdvancedSecurityAdditionalFlowsProperty"]]:
7398
- '''Advanced security configuration options for additional authentication types in your user pool, including custom authentication.
7371
+ '''Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
7399
7372
 
7400
7373
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecurityadditionalflows
7401
7374
  '''
@@ -7404,7 +7377,7 @@ class CfnUserPool(
7404
7377
 
7405
7378
  @builtins.property
7406
7379
  def advanced_security_mode(self) -> typing.Optional[builtins.str]:
7407
- '''The operating mode of advanced security features for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
7380
+ '''The operating mode of threat protection for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
7408
7381
 
7409
7382
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
7410
7383
  '''
@@ -7437,8 +7410,6 @@ class CfnUserPool(
7437
7410
 
7438
7411
  When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
7439
7412
 
7440
- This configuration is immutable after you set it. For more information, see `UsernameConfigurationType <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html>`_ .
7441
-
7442
7413
  :param case_sensitive: Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name. Valid values include: - **true** - Enables case sensitivity for all username input. When this option is set to ``true`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value. - **false** - Enables case insensitivity for all username input. For example, when this option is set to ``false`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
7443
7414
 
7444
7415
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-usernameconfiguration.html
@@ -7515,8 +7486,6 @@ class CfnUserPool(
7515
7486
  ) -> None:
7516
7487
  '''The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
7517
7488
 
7518
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
7519
-
7520
7489
  :param default_email_option: The configuration of verification emails to contain a clickable link or a verification code. For link, your template body must contain link text in the format ``{##Click here##}`` . "Click here" in the example is a customizable string. For code, your template body must contain a code placeholder in the format ``{####}`` .
7521
7490
  :param email_message: The template for email messages that Amazon Cognito sends to your users. You can set an ``EmailMessage`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
7522
7491
  :param email_message_by_link: The email message template for sending a confirmation link to the user. You can set an ``EmailMessageByLink`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
@@ -7750,26 +7719,26 @@ class CfnUserPoolClient(
7750
7719
  :param id: Construct identifier for this resource (unique in its scope).
7751
7720
  :param user_pool_id: The ID of the user pool where you want to create an app client.
7752
7721
  :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
7753
- :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
7754
- :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
7755
- :param allowed_o_auth_scopes: The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
7722
+ :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate for clients in managed login authentication. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token, and the ID token when scopes like ``openid`` and ``profile`` are requested, directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret.
7723
+ :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 authorization server features in your app client. This parameter must have a value of ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use authorization server features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` . When ``false`` , only SDK-based API sign-in is permitted.
7724
+ :param allowed_o_auth_scopes: The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
7756
7725
  :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
7757
7726
  :param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
7758
- :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
7727
+ :param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
7759
7728
  :param client_name: A friendly name for the app client that you want to create.
7760
7729
  :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
7761
- :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
7762
- :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
7763
- :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. 
- ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
7764
- :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
7730
+ :param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
7731
+ :param enable_token_revocation: Activates or deactivates token revocation. If you don't include this parameter, token revocation is automatically activated for the new user pool client.
7732
+ :param explicit_auth_flows: The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . The values for authentication flow options include the following. - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. 
In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
7733
+ :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
7765
7734
  :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
7766
- :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
7735
+ :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
7767
7736
  :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
7768
- :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
7737
+ :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
7769
7738
  :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
7770
- :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
7739
+ :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
7771
7740
  :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
7772
- :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
7741
+ :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
7773
7742
  '''
7774
7743
  if __debug__:
7775
7744
  type_hints = typing.get_type_hints(_typecheckingstub__87712ca9ae8faf9f73a6c5d11987fcf280543ea093bcc4253c800c0151725828)
@@ -7891,7 +7860,7 @@ class CfnUserPoolClient(
7891
7860
  @builtins.property
7892
7861
  @jsii.member(jsii_name="allowedOAuthFlows")
7893
7862
  def allowed_o_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
7894
- '''The OAuth grant types that you want your app client to generate.'''
7863
+ '''The OAuth grant types that you want your app client to generate for clients in managed login authentication.'''
7895
7864
  return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "allowedOAuthFlows"))
7896
7865
 
7897
7866
  @allowed_o_auth_flows.setter
@@ -7909,7 +7878,7 @@ class CfnUserPoolClient(
7909
7878
  def allowed_o_auth_flows_user_pool_client(
7910
7879
  self,
7911
7880
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
7912
- '''Set to ``true`` to use OAuth 2.0 features in your user pool app client.'''
7881
+ '''Set to ``true`` to use OAuth 2.0 authorization server features in your app client.'''
7913
7882
  return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "allowedOAuthFlowsUserPoolClient"))
7914
7883
 
7915
7884
  @allowed_o_auth_flows_user_pool_client.setter
@@ -7925,7 +7894,7 @@ class CfnUserPoolClient(
7925
7894
  @builtins.property
7926
7895
  @jsii.member(jsii_name="allowedOAuthScopes")
7927
7896
  def allowed_o_auth_scopes(self) -> typing.Optional[typing.List[builtins.str]]:
7928
- '''The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.'''
7897
+ '''The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with.'''
7929
7898
  return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "allowedOAuthScopes"))
7930
7899
 
7931
7900
  @allowed_o_auth_scopes.setter
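Review bot: The one-line docstring now on `allowed_o_auth_scopes` names no scope at all, so the property no longer tells a reader which values widen access. The parameter text further down this page still states that the `aws.cognito.signin.user.admin` scope authorizes user self-service operations; I would append that sentence to the property docstring. The `enable_token_revocation` hunk below has the same loss: its docstring drops the RevokeToken reference and should keep `If you don't include this parameter, token revocation is automatically activated for the new user pool client.` from the same parameter list. Both setters continue outside their hunks.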
@@ -7972,7 +7941,7 @@ class CfnUserPoolClient(
7972
7941
  @builtins.property
7973
7942
  @jsii.member(jsii_name="callbackUrLs")
7974
7943
  def callback_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
7975
- '''A list of allowed redirect (callback) URLs for the IdPs.'''
7944
+ '''A list of allowed redirect, or callback, URLs for managed login authentication.'''
7976
7945
  return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "callbackUrLs"))
7977
7946
 
7978
7947
  @callback_ur_ls.setter
@@ -8013,7 +7982,7 @@ class CfnUserPoolClient(
8013
7982
  def enable_propagate_additional_user_context_data(
8014
7983
  self,
8015
7984
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
8016
- '''Activates the propagation of additional user context data.'''
7985
+ '''When ``true`` , your application can include additional ``UserContextData`` in authentication requests.'''
8017
7986
  return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enablePropagateAdditionalUserContextData"))
8018
7987
 
8019
7988
  @enable_propagate_additional_user_context_data.setter
@@ -8031,10 +8000,7 @@ class CfnUserPoolClient(
8031
8000
  def enable_token_revocation(
8032
8001
  self,
8033
8002
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
8034
- '''Activates or deactivates token revocation.
8035
-
8036
- For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ .
8037
- '''
8003
+ '''Activates or deactivates token revocation.'''
8038
8004
  return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enableTokenRevocation"))
8039
8005
 
8040
8006
  @enable_token_revocation.setter
@@ -8050,7 +8016,7 @@ class CfnUserPoolClient(
8050
8016
  @builtins.property
8051
8017
  @jsii.member(jsii_name="explicitAuthFlows")
8052
8018
  def explicit_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
8053
- '''The authentication flows that you want your user pool client to support.'''
8019
+ '''The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.'''
8054
8020
  return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "explicitAuthFlows"))
8055
8021
 
8056
8022
  @explicit_auth_flows.setter
@@ -8231,8 +8197,6 @@ class CfnUserPoolClient(
8231
8197
 
8232
8198
  Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see `Amazon Cognito and Amazon Pinpoint Region availability <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings>`_ .
8233
8199
 
8234
- This data type is a request parameter of `CreateUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html>`_ and `UpdateUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html>`_ , and a response parameter of `DescribeUserPoolClient <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html>`_ .
8235
-
8236
8200
  :param application_arn: The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to your user pool app client. Amazon Cognito publishes events to the Amazon Pinpoint project that ``ApplicationArn`` declares. You can also configure your application to pass an endpoint ID in the ``AnalyticsMetadata`` parameter of sign-in operations. The endpoint ID is information about the destination for push notifications
8237
8201
  :param application_id: Your Amazon Pinpoint project ID.
8238
8202
  :param external_id: The `external ID <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
@@ -8352,9 +8316,9 @@ class CfnUserPoolClient(
8352
8316
  id_token: typing.Optional[builtins.str] = None,
8353
8317
  refresh_token: typing.Optional[builtins.str] = None,
8354
8318
  ) -> None:
8355
- '''The time units you use when you set the duration of ID, access, and refresh tokens.
8319
+ '''The units that validity times are represented in.
8356
8320
 
8357
- The default unit for RefreshToken is days, and the default for ID and access tokens is hours.
8321
+ The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
8358
8322
 
8359
8323
  :param access_token: A time unit for the value that you set in the ``AccessTokenValidity`` parameter. The default ``AccessTokenValidity`` time unit is ``hours`` . ``AccessTokenValidity`` duration can range from five minutes to one day.
8360
8324
  :param id_token: A time unit for the value that you set in the ``IdTokenValidity`` parameter. The default ``IdTokenValidity`` time unit is ``hours`` . ``IdTokenValidity`` duration can range from five minutes to one day.
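Review bot: The rewritten second sentence of this docstring reads `the default for ID and access tokens are hours`, which loses the subject-verb agreement the removed line had; it should read `the default for ID and access tokens is hours`. The same wording appears in the unchanged `token_validity_units` parameter text earlier on the page, so both should be corrected together. The constructor signature and the rest of the docstring lie outside the hunk.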
@@ -8492,26 +8456,26 @@ class CfnUserPoolClientProps:
8492
8456
 
8493
8457
  :param user_pool_id: The ID of the user pool where you want to create an app client.
8494
8458
  :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
8495
- :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
8496
- :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
8497
- :param allowed_o_auth_scopes: The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
8459
+ :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate for clients in managed login authentication. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token, and the ID token when scopes like ``openid`` and ``profile`` are requested, directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret.
8460
+ :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 authorization server features in your app client. This parameter must have a value of ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use authorization server features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` . When ``false`` , only SDK-based API sign-in is permitted.
8461
+ :param allowed_o_auth_scopes: The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
8498
8462
  :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
8499
8463
  :param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
8500
- :param callback_ur_ls: A list of allowed redirect (callback) URLs for the IdPs. A redirect URI must: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
8464
+ :param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
8501
8465
  :param client_name: A friendly name for the app client that you want to create.
8502
8466
  :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
8503
- :param enable_propagate_additional_user_context_data: Activates the propagation of additional user context data. For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
8504
- :param enable_token_revocation: Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
8505
- :param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . Valid values include: - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. 
- ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
8506
- :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
8467
+ :param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
8468
+ :param enable_token_revocation: Activates or deactivates token revocation. If you don't include this parameter, token revocation is automatically activated for the new user pool client.
8469
+ :param explicit_auth_flows: The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . The values for authentication flow options include the following. - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. 
In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
8470
+ :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
8507
8471
  :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
8508
- :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
8472
+ :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
8509
8473
  :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
8510
- :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
8474
+ :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
8511
8475
  :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
8512
- :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This setting applies to providers that you can access with `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
8476
+ :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
8513
8477
  :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
8514
- :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
8478
+ :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
8515
8479
 
8516
8480
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
8517
8481
  :exampleMetadata: fixture=_generated
@@ -8660,13 +8624,13 @@ class CfnUserPoolClientProps:
8660
8624
 
8661
8625
  @builtins.property
8662
8626
  def allowed_o_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
8663
- '''The OAuth grant types that you want your app client to generate.
8627
+ '''The OAuth grant types that you want your app client to generate for clients in managed login authentication.
8664
8628
 
8665
8629
  To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow.
8666
8630
 
8667
8631
  - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint.
8668
- - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
8669
- - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
8632
+ - **implicit** - Issue the access token, and the ID token when scopes like ``openid`` and ``profile`` are requested, directly to your user.
8633
+ - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret.
8670
8634
 
8671
8635
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflows
8672
8636
  '''
@@ -8677,16 +8641,16 @@ class CfnUserPoolClientProps:
8677
8641
  def allowed_o_auth_flows_user_pool_client(
8678
8642
  self,
8679
8643
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
8680
- '''Set to ``true`` to use OAuth 2.0 features in your user pool app client.
8644
+ '''Set to ``true`` to use OAuth 2.0 authorization server features in your app client.
8681
8645
 
8682
- ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client.
8646
+ This parameter must have a value of ``true`` before you can configure the following features in your app client.
8683
8647
 
8684
8648
  - ``CallBackURLs`` : Callback URLs.
8685
8649
  - ``LogoutURLs`` : Sign-out redirect URLs.
8686
8650
  - ``AllowedOAuthScopes`` : OAuth 2.0 scopes.
8687
8651
  - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.
8688
8652
 
8689
- To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
8653
+ To use authorization server features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` . When ``false`` , only SDK-based API sign-in is permitted.
8690
8654
 
8691
8655
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflowsuserpoolclient
8692
8656
  '''
@@ -8695,7 +8659,9 @@ class CfnUserPoolClientProps:
8695
8659
 
8696
8660
  @builtins.property
8697
8661
  def allowed_o_auth_scopes(self) -> typing.Optional[typing.List[builtins.str]]:
8698
- '''The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
8662
+ '''The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with.
8663
+
8664
+ Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
8699
8665
 
8700
8666
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes
8701
8667
  '''
@@ -8728,9 +8694,11 @@ class CfnUserPoolClientProps:
8728
8694
 
8729
8695
  @builtins.property
8730
8696
  def callback_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
8731
- '''A list of allowed redirect (callback) URLs for the IdPs.
8697
+ '''A list of allowed redirect, or callback, URLs for managed login authentication.
8732
8698
 
8733
- A redirect URI must:
8699
+ These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes.
8700
+
8701
+ A redirect URI must meet the following requirements:
8734
8702
 
8735
8703
  - Be an absolute URI.
8736
8704
  - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter.
@@ -8771,9 +8739,9 @@ class CfnUserPoolClientProps:
8771
8739
  def enable_propagate_additional_user_context_data(
8772
8740
  self,
8773
8741
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
8774
- '''Activates the propagation of additional user context data.
8742
+ '''When ``true`` , your application can include additional ``UserContextData`` in authentication requests.
8775
8743
 
8776
- For more information about propagation of user context data, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html>`_ . If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
8744
+ This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
8777
8745
 
8778
8746
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-enablepropagateadditionalusercontextdata
8779
8747
  '''
@@ -8784,7 +8752,7 @@ class CfnUserPoolClientProps:
8784
8752
  def enable_token_revocation(
8785
8753
  self,
8786
8754
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
8787
- '''Activates or deactivates token revocation. For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ .
8755
+ '''Activates or deactivates token revocation.
8788
8756
 
8789
8757
  If you don't include this parameter, token revocation is automatically activated for the new user pool client.
8790
8758
 
@@ -8795,14 +8763,13 @@ class CfnUserPoolClientProps:
8795
8763
 
8796
8764
  @builtins.property
8797
8765
  def explicit_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
8798
- '''The authentication flows that you want your user pool client to support.
8766
+ '''The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.
8799
8767
 
8800
- For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.
8801
8768
  .. epigraph::
8802
8769
 
8803
- If you don't specify a value for ``ExplicitAuthFlows`` , your user client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` .
8770
+ If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` .
8804
8771
 
8805
- Valid values include:
8772
+ The values for authentication flow options include the following.
8806
8773
 
8807
8774
  - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` .
8808
8775
 
@@ -8828,7 +8795,7 @@ class CfnUserPoolClientProps:
8828
8795
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
8829
8796
  '''When ``true`` , generates a client secret for the app client.
8830
8797
 
8831
- Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
8798
+ Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
8832
8799
 
8833
8800
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-generatesecret
8834
8801
  '''
@@ -8857,7 +8824,7 @@ class CfnUserPoolClientProps:
8857
8824
  def logout_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
8858
8825
  '''A list of allowed logout URLs for managed login authentication.
8859
8826
 
8860
- For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
8827
+ When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
8861
8828
 
8862
8829
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-logouturls
8863
8830
  '''
@@ -8886,7 +8853,7 @@ class CfnUserPoolClientProps:
8886
8853
  def read_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
8887
8854
  '''The list of user attributes that you want your app client to have read access to.
8888
8855
 
8889
- After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a `GetUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html>`_ API request to retrieve and display your user's profile data.
8856
+ After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information.
8890
8857
 
8891
8858
  When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
8892
8859
 
@@ -8922,7 +8889,7 @@ class CfnUserPoolClientProps:
8922
8889
 
8923
8890
  The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
8924
8891
 
8925
- This setting applies to providers that you can access with `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ . The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent API-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
8892
+ This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
8926
8893
 
8927
8894
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-supportedidentityproviders
8928
8895
  '''
@@ -8946,7 +8913,7 @@ class CfnUserPoolClientProps:
8946
8913
  def write_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
8947
8914
  '''The list of user attributes that you want your app client to have write access to.
8948
8915
 
8949
- After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ API request and sets ``family_name`` to the new value.
8916
+ After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list.
8950
8917
 
8951
8918
  When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes.
8952
8919
 
@@ -9012,9 +8979,9 @@ class CfnUserPoolDomain(
9012
8979
  '''
9013
8980
  :param scope: Scope in which this resource is defined.
9014
8981
  :param id: Construct identifier for this resource (unique in its scope).
9015
- :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
9016
- :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
9017
- :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
8982
+ :param domain: The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
8983
+ :param user_pool_id: The ID of the user pool that is associated with the domain you're updating.
8984
+ :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
9018
8985
  :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
9019
8986
  '''
9020
8987
  if __debug__:
@@ -9086,7 +9053,7 @@ class CfnUserPoolDomain(
9086
9053
  @builtins.property
9087
9054
  @jsii.member(jsii_name="domain")
9088
9055
  def domain(self) -> builtins.str:
9089
- '''The domain name for the custom domain that hosts the sign-up and sign-in pages for your application.'''
9056
+ '''The name of the domain that you want to update.'''
9090
9057
  return typing.cast(builtins.str, jsii.get(self, "domain"))
9091
9058
 
9092
9059
  @domain.setter
@@ -9099,7 +9066,7 @@ class CfnUserPoolDomain(
9099
9066
  @builtins.property
9100
9067
  @jsii.member(jsii_name="userPoolId")
9101
9068
  def user_pool_id(self) -> builtins.str:
9102
- '''The ID of the user pool that is associated with the custom domain whose certificate you're updating.'''
9069
+ '''The ID of the user pool that is associated with the domain you're updating.'''
9103
9070
  return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
9104
9071
 
9105
9072
  @user_pool_id.setter
@@ -9153,8 +9120,6 @@ class CfnUserPoolDomain(
9153
9120
  ) -> None:
9154
9121
  '''The configuration for a hosted UI custom domain.
9155
9122
 
9156
- This data type is a request parameter of `CreateUserPoolDomain <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolDomain.html>`_ and `UpdateUserPoolDomain <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html>`_ .
9157
-
9158
9123
  :param certificate_arn: The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain.
9159
9124
 
9160
9125
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpooldomain-customdomainconfigtype.html
@@ -9221,9 +9186,9 @@ class CfnUserPoolDomainProps:
9221
9186
  ) -> None:
9222
9187
  '''Properties for defining a ``CfnUserPoolDomain``.
9223
9188
 
9224
- :param domain: The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. One example might be ``auth.example.com`` . This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
9225
- :param user_pool_id: The ID of the user pool that is associated with the custom domain whose certificate you're updating.
9226
- :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
9189
+ :param domain: The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
9190
+ :param user_pool_id: The ID of the user pool that is associated with the domain you're updating.
9191
+ :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
9227
9192
  :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
9228
9193
 
9229
9194
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html
@@ -9263,11 +9228,9 @@ class CfnUserPoolDomainProps:
9263
9228
 
9264
9229
  @builtins.property
9265
9230
  def domain(self) -> builtins.str:
9266
- '''The domain name for the custom domain that hosts the sign-up and sign-in pages for your application.
9267
-
9268
- One example might be ``auth.example.com`` .
9231
+ '''The name of the domain that you want to update.
9269
9232
 
9270
- This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
9233
+ For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
9271
9234
 
9272
9235
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-domain
9273
9236
  '''
@@ -9277,7 +9240,7 @@ class CfnUserPoolDomainProps:
9277
9240
 
9278
9241
  @builtins.property
9279
9242
  def user_pool_id(self) -> builtins.str:
9280
- '''The ID of the user pool that is associated with the custom domain whose certificate you're updating.
9243
+ '''The ID of the user pool that is associated with the domain you're updating.
9281
9244
 
9282
9245
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-userpoolid
9283
9246
  '''
@@ -9293,7 +9256,7 @@ class CfnUserPoolDomainProps:
9293
9256
 
9294
9257
  Use this object to specify an SSL certificate that is managed by ACM.
9295
9258
 
9296
- When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a `SetUserPoolMfaConfig <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html>`_ request.
9259
+ When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
9297
9260
 
9298
9261
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-customdomainconfig
9299
9262
  '''
@@ -9333,8 +9296,6 @@ class CfnUserPoolGroup(
9333
9296
 
9334
9297
  Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
9335
9298
 
9336
- This data type is a response parameter of `AdminListGroupsForUser <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html>`_ , `CreateGroup <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html>`_ , `GetGroup <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html>`_ , `ListGroups <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html>`_ , and `UpdateGroup <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html>`_ .
9337
-
9338
9299
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html
9339
9300
  :cloudformationResource: AWS::Cognito::UserPoolGroup
9340
9301
  :exampleMetadata: fixture=_generated
@@ -10072,9 +10033,9 @@ class CfnUserPoolProps:
10072
10033
  '''Properties for defining a ``CfnUserPool``.
10073
10034
 
10074
10035
  :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
10075
- :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
10076
- :param alias_attributes: Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* . For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
10077
- :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. Possible values: *email* , *phone_number* . For more information see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
10036
+ :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
10037
+ :param alias_attributes: Attributes supported as an alias for this user pool. For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
10038
+ :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
10078
10039
  :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
10079
10040
  :param device_configuration: The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`_ . A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature. For more infor
10080
10041
  :param email_authentication_message:
@@ -10084,17 +10045,17 @@ class CfnUserPoolProps:
10084
10045
  :param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
10085
10046
  :param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
10086
10047
  :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
10087
- :param mfa_configuration: The multi-factor authentication (MFA) configuration. Valid values include:. - ``OFF`` MFA won't be used for any users. - ``ON`` MFA is required for all users to sign in. - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
10088
- :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
10048
+ :param mfa_configuration: Displays the state of multi-factor authentication (MFA) as on, off, or optional. When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` . When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
10049
+ :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements.
10089
10050
  :param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
10090
10051
  :param sms_authentication_message: The contents of the SMS authentication message.
10091
- :param sms_configuration: The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
10052
+ :param sms_configuration: The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
10092
10053
  :param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
10093
10054
  :param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
10094
10055
  :param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
10095
10056
  :param username_configuration: Sets the case sensitivity option for sign-in usernames. When ``CaseSensitive`` is ``false`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``false`` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. When ``CaseSensitive`` is ``true`` (case sensitive), Amazon Cognito interprets ``USERNAME`` and ``UserName`` as distinct users. This configuration is immutable after you set it.
10096
- :param user_pool_add_ons: User pool add-ons. Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
10097
- :param user_pool_name: A friendlhy name for your user pool.
10057
+ :param user_pool_add_ons: Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
10058
+ :param user_pool_name: A friendly name for your user pool.
10098
10059
  :param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
10099
10060
  :param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
10100
10061
  :param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
@@ -10349,8 +10310,6 @@ class CfnUserPoolProps:
10349
10310
 
10350
10311
  Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
10351
10312
 
10352
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
10353
-
10354
10313
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-admincreateuserconfig
10355
10314
  '''
10356
10315
  result = self._values.get("admin_create_user_config")
@@ -10360,7 +10319,7 @@ class CfnUserPoolProps:
10360
10319
  def alias_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
10361
10320
  '''Attributes supported as an alias for this user pool.
10362
10321
 
10363
- Possible values: *phone_number* , *email* , or *preferred_username* . For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
10322
+ For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
10364
10323
 
10365
10324
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-aliasattributes
10366
10325
  '''
@@ -10371,7 +10330,7 @@ class CfnUserPoolProps:
10371
10330
  def auto_verified_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
10372
10331
  '''The attributes that you want your user pool to automatically verify.
10373
10332
 
10374
- Possible values: *email* , *phone_number* . For more information see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
10333
+ For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
10375
10334
 
10376
10335
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-autoverifiedattributes
10377
10336
  '''
@@ -10491,11 +10450,11 @@ class CfnUserPoolProps:
10491
10450
 
10492
10451
  @builtins.property
10493
10452
  def mfa_configuration(self) -> typing.Optional[builtins.str]:
10494
- '''The multi-factor authentication (MFA) configuration. Valid values include:.
10453
+ '''Displays the state of multi-factor authentication (MFA) as on, off, or optional.
10495
10454
 
10496
- - ``OFF`` MFA won't be used for any users.
10497
- - ``ON`` MFA is required for all users to sign in.
10498
- - ``OPTIONAL`` MFA will be required only for individual users who have an MFA factor activated.
10455
+ When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` .
10456
+
10457
+ When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
10499
10458
 
10500
10459
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-mfaconfiguration
10501
10460
  '''
@@ -10506,9 +10465,9 @@ class CfnUserPoolProps:
10506
10465
  def policies(
10507
10466
  self,
10508
10467
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.PoliciesProperty]]:
10509
- '''A list of user pool policies. Contains the policy that sets password-complexity requirements.
10468
+ '''A list of user pool policies.
10510
10469
 
10511
- This data type is a request and response parameter of `CreateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ and `UpdateUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html>`_ , and a response parameter of `DescribeUserPool <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html>`_ .
10470
+ Contains the policy that sets password-complexity requirements.
10512
10471
 
10513
10472
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-policies
10514
10473
  '''
@@ -10541,7 +10500,7 @@ class CfnUserPoolProps:
10541
10500
  def sms_configuration(
10542
10501
  self,
10543
10502
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.SmsConfigurationProperty]]:
10544
- '''The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service.
10503
+ '''The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service.
10545
10504
 
10546
10505
  To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
10547
10506
 
@@ -10606,9 +10565,9 @@ class CfnUserPoolProps:
10606
10565
  def user_pool_add_ons(
10607
10566
  self,
10608
10567
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.UserPoolAddOnsProperty]]:
10609
- '''User pool add-ons.
10568
+ '''Contains settings for activation of threat protection, including the operating mode and additional authentication types.
10610
10569
 
10611
- Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` .
10570
+ To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` .
10612
10571
 
10613
10572
  For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
10614
10573
 
@@ -10619,7 +10578,7 @@ class CfnUserPoolProps:
10619
10578
 
10620
10579
  @builtins.property
10621
10580
  def user_pool_name(self) -> typing.Optional[builtins.str]:
10622
- '''A friendlhy name for your user pool.
10581
+ '''A friendly name for your user pool.
10623
10582
 
10624
10583
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpoolname
10625
10584
  '''
@@ -10869,8 +10828,6 @@ class CfnUserPoolResourceServer(
10869
10828
 
10870
10829
  This data type is a member of ``ResourceServerScopeType`` . For more information, see `Scopes, M2M, and API authorization with resource servers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html>`_ .
10871
10830
 
10872
- This data type is a request parameter of `CreateResourceServer <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html>`_ and a response parameter of `DescribeResourceServer <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html>`_ .
10873
-
10874
10831
  :param scope_description: A friendly description of a custom scope.
10875
10832
  :param scope_name: The name of the scope. Amazon Cognito renders custom scopes in the format ``resourceServerIdentifier/ScopeName`` . For example, if this parameter is ``exampleScope`` in the resource server with the identifier ``exampleResourceServer`` , you request and receive the scope ``exampleResourceServer/exampleScope`` .
10876
10833
 
@@ -11153,8 +11110,8 @@ class CfnUserPoolRiskConfigurationAttachment(
11153
11110
  :param id: Construct identifier for this resource (unique in its scope).
11154
11111
  :param client_id: The app client where this configuration is applied. When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
11155
11112
  :param user_pool_id: The ID of the user pool that has the risk configuration applied.
11156
- :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with advanced security features.
11157
- :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
11113
+ :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with threat protection.
11114
+ :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.
11158
11115
  :param risk_exception_configuration: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
11159
11116
  '''
11160
11117
  if __debug__:
@@ -11237,7 +11194,7 @@ class CfnUserPoolRiskConfigurationAttachment(
11237
11194
  def account_takeover_risk_configuration(
11238
11195
  self,
11239
11196
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty"]]:
11240
- '''The settings for automated responses and notification templates for adaptive authentication with advanced security features.'''
11197
+ '''The settings for automated responses and notification templates for adaptive authentication with threat protection.'''
11241
11198
  return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty"]], jsii.get(self, "accountTakeoverRiskConfiguration"))
11242
11199
 
11243
11200
  @account_takeover_risk_configuration.setter
@@ -11255,7 +11212,7 @@ class CfnUserPoolRiskConfigurationAttachment(
11255
11212
  def compromised_credentials_risk_configuration(
11256
11213
  self,
11257
11214
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty"]]:
11258
- '''Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.'''
11215
+ '''Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.'''
11259
11216
  return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty"]], jsii.get(self, "compromisedCredentialsRiskConfiguration"))
11260
11217
 
11261
11218
  @compromised_credentials_risk_configuration.setter
@@ -11302,8 +11259,6 @@ class CfnUserPoolRiskConfigurationAttachment(
11302
11259
 
11303
11260
  You can assign an action to each risk level that advanced security features evaluates.
11304
11261
 
11305
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
11306
-
11307
11262
  :param event_action: The action to take for the attempted account takeover action for the associated risk level. Valid values are as follows: - ``BLOCK`` : Block the request. - ``MFA_IF_CONFIGURED`` : Present an MFA challenge if possible. MFA is possible if the user pool has active MFA methods that the user can set up. For example, if the user pool only supports SMS message MFA but the user doesn't have a phone number attribute, MFA setup isn't possible. If MFA setup isn't possible, allow the request. - ``MFA_REQUIRED`` : Present an MFA challenge if possible. Block the request if a user hasn't set up MFA. To sign in with required MFA, users must have an email address or phone number attribute, or a registered TOTP factor. - ``NO_ACTION`` : Take no action. Permit sign-in.
11308
11263
  :param notify: Determines whether Amazon Cognito sends a user a notification message when your user pools assesses a user's session at the associated risk level.
11309
11264
 
@@ -11387,11 +11342,9 @@ class CfnUserPoolRiskConfigurationAttachment(
11387
11342
  ) -> None:
11388
11343
  '''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
11389
11344
 
11390
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
11391
-
11392
- :param high_action: The action that you assign to a high-risk assessment by advanced security features.
11393
- :param low_action: The action that you assign to a low-risk assessment by advanced security features.
11394
- :param medium_action: The action that you assign to a medium-risk assessment by advanced security features.
11345
+ :param high_action: The action that you assign to a high-risk assessment by threat protection.
11346
+ :param low_action: The action that you assign to a low-risk assessment by threat protection.
11347
+ :param medium_action: The action that you assign to a medium-risk assessment by threat protection.
11395
11348
 
11396
11349
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html
11397
11350
  :exampleMetadata: fixture=_generated
@@ -11434,7 +11387,7 @@ class CfnUserPoolRiskConfigurationAttachment(
11434
11387
  def high_action(
11435
11388
  self,
11436
11389
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
11437
- '''The action that you assign to a high-risk assessment by advanced security features.
11390
+ '''The action that you assign to a high-risk assessment by threat protection.
11438
11391
 
11439
11392
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-highaction
11440
11393
  '''
@@ -11445,7 +11398,7 @@ class CfnUserPoolRiskConfigurationAttachment(
11445
11398
  def low_action(
11446
11399
  self,
11447
11400
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
11448
- '''The action that you assign to a low-risk assessment by advanced security features.
11401
+ '''The action that you assign to a low-risk assessment by threat protection.
11449
11402
 
11450
11403
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-lowaction
11451
11404
  '''
@@ -11456,7 +11409,7 @@ class CfnUserPoolRiskConfigurationAttachment(
11456
11409
  def medium_action(
11457
11410
  self,
11458
11411
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
11459
- '''The action that you assign to a medium-risk assessment by advanced security features.
11412
+ '''The action that you assign to a medium-risk assessment by threat protection.
11460
11413
 
11461
11414
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-mediumaction
11462
11415
  '''
@@ -11491,10 +11444,8 @@ class CfnUserPoolRiskConfigurationAttachment(
11491
11444
  ) -> None:
11492
11445
  '''The settings for automated responses and notification templates for adaptive authentication with advanced security features.
11493
11446
 
11494
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
11495
-
11496
- :param actions: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
11497
- :param notify_configuration: The settings for composing and sending an email message when advanced security features assesses a risk level with adaptive authentication. When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
11447
+ :param actions: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection.
11448
+ :param notify_configuration: The settings for composing and sending an email message when threat protection assesses a risk level with adaptive authentication. When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
11498
11449
 
11499
11450
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html
11500
11451
  :exampleMetadata: fixture=_generated
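Review bot: The summary line kept as context in this hunk still reads "adaptive authentication with advanced security features", while the two `:param` lines changed directly below it now say "threat protection", so one docstring uses two names for the same feature. The same leftover wording is in the unchanged summary lines of the @@ -11607, @@ -11666, @@ -11758 and @@ -11922 hunks; the last mixes both names in one sentence. I would change this summary to `'''The settings for automated responses and notification templates for adaptive authentication with threat protection.`, which matches the wording the props docstring gets in the @@ -12106 hunk. The file appears to be generated (jsii stubs), so the wording probably has to be corrected in the upstream spec, and the `__init__` signature this docstring belongs to starts outside the hunk.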
@@ -11566,7 +11517,7 @@ class CfnUserPoolRiskConfigurationAttachment(
11566
11517
  def actions(
11567
11518
  self,
11568
11519
  ) -> typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty"]:
11569
- '''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
11520
+ '''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection.
11570
11521
 
11571
11522
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype-actions
11572
11523
  '''
@@ -11578,7 +11529,7 @@ class CfnUserPoolRiskConfigurationAttachment(
11578
11529
  def notify_configuration(
11579
11530
  self,
11580
11531
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty"]]:
11581
- '''The settings for composing and sending an email message when advanced security features assesses a risk level with adaptive authentication.
11532
+ '''The settings for composing and sending an email message when threat protection assesses a risk level with adaptive authentication.
11582
11533
 
11583
11534
  When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
11584
11535
 
@@ -11607,8 +11558,6 @@ class CfnUserPoolRiskConfigurationAttachment(
11607
11558
  def __init__(self, *, event_action: builtins.str) -> None:
11608
11559
  '''Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-function ``ENFORCED`` mode.
11609
11560
 
11610
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
11611
-
11612
11561
  :param event_action: The action that Amazon Cognito takes when it detects compromised credentials.
11613
11562
 
11614
11563
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsactionstype.html
@@ -11666,8 +11615,6 @@ class CfnUserPoolRiskConfigurationAttachment(
11666
11615
  ) -> None:
11667
11616
  '''Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-function ``ENFORCED`` mode.
11668
11617
 
11669
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
11670
-
11671
11618
  :param actions: Settings for the actions that you want your user pool to take when Amazon Cognito detects compromised credentials.
11672
11619
  :param event_filter: Settings for the sign-in activity where you want to configure compromised-credentials actions. Defaults to all events.
11673
11620
 
@@ -11758,8 +11705,6 @@ class CfnUserPoolRiskConfigurationAttachment(
11758
11705
  ) -> None:
11759
11706
  '''The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a *Notify* action.
11760
11707
 
11761
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
11762
-
11763
11708
  :param source_arn: The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. This identity permits Amazon Cognito to send for the email address specified in the ``From`` parameter.
11764
11709
  :param block_email: The template for the email message that your user pool sends when a detected risk event is blocked.
11765
11710
  :param from_: The email address that sends the email message. The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
@@ -11922,8 +11867,6 @@ class CfnUserPoolRiskConfigurationAttachment(
11922
11867
  ) -> None:
11923
11868
  '''The template for email messages that advanced security features sends to a user when your threat protection automated response has a *Notify* action.
11924
11869
 
11925
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
11926
-
11927
11870
  :param subject: The subject of the threat protection email notification.
11928
11871
  :param html_body: The body of an email notification formatted in HTML. Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
11929
11872
  :param text_body: The body of an email notification formatted in plaintext. Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
@@ -12018,8 +11961,6 @@ class CfnUserPoolRiskConfigurationAttachment(
12018
11961
  ) -> None:
12019
11962
  '''Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
12020
11963
 
12021
- This data type is a request parameter of `SetRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html>`_ and a response parameter of `DescribeRiskConfiguration <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html>`_ .
12022
-
12023
11964
  :param blocked_ip_range_list: An always-block IP address list. Overrides the risk decision and always blocks authentication requests. This parameter is displayed and set in CIDR notation.
12024
11965
  :param skipped_ip_range_list: An always-allow IP address list. Risk detection isn't performed on the IP addresses in this range list. This parameter is displayed and set in CIDR notation.
12025
11966
 
@@ -12106,8 +12047,8 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
12106
12047
 
12107
12048
  :param client_id: The app client where this configuration is applied. When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
12108
12049
  :param user_pool_id: The ID of the user pool that has the risk configuration applied.
12109
- :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with advanced security features.
12110
- :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
12050
+ :param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with threat protection.
12051
+ :param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.
12111
12052
  :param risk_exception_configuration: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
12112
12053
 
12113
12054
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html
@@ -12228,7 +12169,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
12228
12169
  def account_takeover_risk_configuration(
12229
12170
  self,
12230
12171
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty]]:
12231
- '''The settings for automated responses and notification templates for adaptive authentication with advanced security features.
12172
+ '''The settings for automated responses and notification templates for adaptive authentication with threat protection.
12232
12173
 
12233
12174
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfiguration
12234
12175
  '''
@@ -12239,7 +12180,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
12239
12180
  def compromised_credentials_risk_configuration(
12240
12181
  self,
12241
12182
  ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty]]:
12242
- '''Settings for compromised-credentials actions and authentication types with advanced security features in full-function ``ENFORCED`` mode.
12183
+ '''Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.
12243
12184
 
12244
12185
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfiguration
12245
12186
  '''
@@ -12277,8 +12218,6 @@ class CfnUserPoolUICustomizationAttachment(
12277
12218
  ):
12278
12219
  '''A container for the UI customization information for the hosted UI in a user pool.
12279
12220
 
12280
- This data type is a response parameter of `GetUICustomization <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html>`_ .
12281
-
12282
12221
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
12283
12222
  :cloudformationResource: AWS::Cognito::UserPoolUICustomizationAttachment
12284
12223
  :exampleMetadata: fixture=_generated
@@ -12311,8 +12250,8 @@ class CfnUserPoolUICustomizationAttachment(
12311
12250
  :param scope: Scope in which this resource is defined.
12312
12251
  :param id: Construct identifier for this resource (unique in its scope).
12313
12252
  :param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
12314
- :param user_pool_id: The ID of the user pool.
12315
- :param css: The CSS values in the UI customization.
12253
+ :param user_pool_id: The ID of the user pool where you want to apply branding to the classic hosted UI.
12254
+ :param css: A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client. To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages* , edit *Hosted UI (classic) style* , and select the link to ``CSS template.css`` .
12316
12255
  '''
12317
12256
  if __debug__:
12318
12257
  type_hints = typing.get_type_hints(_typecheckingstub__bf3306ea8a9b6f4ebe73eb42059e52138281652a9e2e36e507fd8658eb5da33a)
@@ -12375,7 +12314,7 @@ class CfnUserPoolUICustomizationAttachment(
12375
12314
  @builtins.property
12376
12315
  @jsii.member(jsii_name="userPoolId")
12377
12316
  def user_pool_id(self) -> builtins.str:
12378
- '''The ID of the user pool.'''
12317
+ '''The ID of the user pool where you want to apply branding to the classic hosted UI.'''
12379
12318
  return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
12380
12319
 
12381
12320
  @user_pool_id.setter
@@ -12388,7 +12327,7 @@ class CfnUserPoolUICustomizationAttachment(
12388
12327
  @builtins.property
12389
12328
  @jsii.member(jsii_name="css")
12390
12329
  def css(self) -> typing.Optional[builtins.str]:
12391
- '''The CSS values in the UI customization.'''
12330
+ '''A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client.'''
12392
12331
  return typing.cast(typing.Optional[builtins.str], jsii.get(self, "css"))
12393
12332
 
12394
12333
  @css.setter
@@ -12415,8 +12354,8 @@ class CfnUserPoolUICustomizationAttachmentProps:
12415
12354
  '''Properties for defining a ``CfnUserPoolUICustomizationAttachment``.
12416
12355
 
12417
12356
  :param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
12418
- :param user_pool_id: The ID of the user pool.
12419
- :param css: The CSS values in the UI customization.
12357
+ :param user_pool_id: The ID of the user pool where you want to apply branding to the classic hosted UI.
12358
+ :param css: A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client. To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages* , edit *Hosted UI (classic) style* , and select the link to ``CSS template.css`` .
12420
12359
 
12421
12360
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
12422
12361
  :exampleMetadata: fixture=_generated
@@ -12461,7 +12400,7 @@ class CfnUserPoolUICustomizationAttachmentProps:
12461
12400
 
12462
12401
  @builtins.property
12463
12402
  def user_pool_id(self) -> builtins.str:
12464
- '''The ID of the user pool.
12403
+ '''The ID of the user pool where you want to apply branding to the classic hosted UI.
12465
12404
 
12466
12405
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-userpoolid
12467
12406
  '''
@@ -12471,7 +12410,9 @@ class CfnUserPoolUICustomizationAttachmentProps:
12471
12410
 
12472
12411
  @builtins.property
12473
12412
  def css(self) -> typing.Optional[builtins.str]:
12474
- '''The CSS values in the UI customization.
12413
+ '''A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client.
12414
+
12415
+ To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages* , edit *Hosted UI (classic) style* , and select the link to ``CSS template.css`` .
12475
12416
 
12476
12417
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-css
12477
12418
  '''
@@ -12552,9 +12493,9 @@ class CfnUserPoolUser(
12552
12493
  :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
12553
12494
  :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
12554
12495
  :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
12555
- :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
12496
+ :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
12556
12497
  :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
12557
- :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
12498
+ :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
12558
12499
  '''
12559
12500
  if __debug__:
12560
12501
  type_hints = typing.get_type_hints(_typecheckingstub__392de74de1133635a0d4d21dbd0cb3290007171e021625ff9a125983463dd374)
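Review bot: The rewritten `validation_data` text states that the pre sign-up function "can automatically confirm and verify select users" but no longer says what that decision should rest on, and the paragraph itself describes these key-value pairs as information collected from users. I would add one sentence to the parameter description, for example `Treat validation data as unverified input: do not confirm or verify a user on these values alone, and keep sensitive fields out of the data you log.` The second half matters because the same paragraph calls the data something you "don't need to retain" and then suggests writing it to CloudWatch Logs, where it is retained. The identical wording is repeated in the @@ -12842 hunk and in the `validation_data` property docstring further down; the file looks generated, so the change probably belongs in the upstream documentation source.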
@@ -12749,8 +12690,6 @@ class CfnUserPoolUser(
12749
12690
  ) -> None:
12750
12691
  '''The name and value of a user attribute.
12751
12692
 
12752
- This data type is a request parameter of `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ and `UpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html>`_ .
12753
-
12754
12693
  :param name: The name of the attribute.
12755
12694
  :param value: The value of the attribute.
12756
12695
 
@@ -12842,9 +12781,9 @@ class CfnUserPoolUserProps:
12842
12781
  :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
12843
12782
  :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
12844
12783
  :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
12845
- :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
12784
+ :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
12846
12785
  :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
12847
- :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
12786
+ :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
12848
12787
 
12849
12788
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html
12850
12789
  :exampleMetadata: fixture=_generated
@@ -12989,7 +12928,7 @@ class CfnUserPoolUserProps:
12989
12928
 
12990
12929
  You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` .
12991
12930
 
12992
- In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . You can also do this by calling `AdminUpdateUserAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ .
12931
+ In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` .
12993
12932
 
12994
12933
  - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter.
12995
12934
  - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
@@ -13022,7 +12961,7 @@ class CfnUserPoolUserProps:
13022
12961
 
13023
12962
  This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.
13024
12963
 
13025
- Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.
12964
+ Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs.
13026
12965
 
13027
12966
  For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
13028
12967
 
@@ -13989,12 +13928,14 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
13989
13928
  *,
13990
13929
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
13991
13930
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
13931
+ managed_login_version: typing.Optional["ManagedLoginVersion"] = None,
13992
13932
  ) -> "UserPoolDomain":
13993
13933
  '''Associate a domain to this user pool.
13994
13934
 
13995
13935
  :param id: -
13996
13936
  :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
13997
13937
  :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
13938
+ :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
13998
13939
 
13999
13940
  :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
14000
13941
  '''
@@ -14176,12 +14117,14 @@ class _IUserPoolProxy(
14176
14117
  *,
14177
14118
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
14178
14119
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
14120
+ managed_login_version: typing.Optional["ManagedLoginVersion"] = None,
14179
14121
  ) -> "UserPoolDomain":
14180
14122
  '''Associate a domain to this user pool.
14181
14123
 
14182
14124
  :param id: -
14183
14125
  :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
14184
14126
  :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
14127
+ :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
14185
14128
 
14186
14129
  :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
14187
14130
  '''
@@ -14189,7 +14132,9 @@ class _IUserPoolProxy(
14189
14132
  type_hints = typing.get_type_hints(_typecheckingstub__792921e0d9eecd6253eadd31c7fba82fdce9c0ba38f25dcba7dcd063e7b1a458)
14190
14133
  check_type(argname="argument id", value=id, expected_type=type_hints["id"])
14191
14134
  options = UserPoolDomainOptions(
14192
- cognito_domain=cognito_domain, custom_domain=custom_domain
14135
+ cognito_domain=cognito_domain,
14136
+ custom_domain=custom_domain,
14137
+ managed_login_version=managed_login_version,
14193
14138
  )
14194
14139
 
14195
14140
  return typing.cast("UserPoolDomain", jsii.invoke(self, "addDomain", [id, options]))
@@ -14580,6 +14525,39 @@ class LambdaVersion(enum.Enum):
14580
14525
  '''
14581
14526
 
14582
14527
 
14528
+ @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.ManagedLoginVersion")
14529
+ class ManagedLoginVersion(enum.Enum):
14530
+ '''The branding version of managed login for the domain.
14531
+
14532
+ :exampleMetadata: infused
14533
+
14534
+ Example::
14535
+
14536
+ pool = cognito.UserPool(self, "Pool")
14537
+
14538
+ # Use the new managed login page
14539
+ pool.add_domain("CognitoDomainWithBlandingDesignManagedLogin",
14540
+ cognito_domain=cognito.CognitoDomainOptions(
14541
+ domain_prefix="blanding-design-ui"
14542
+ ),
14543
+ managed_login_version=cognito.ManagedLoginVersion.NEWER_MANAGED_LOGIN
14544
+ )
14545
+
14546
+ # Use the classic hosted UI
14547
+ pool.add_domain("DomainWithClassicHostedUi",
14548
+ cognito_domain=cognito.CognitoDomainOptions(
14549
+ domain_prefix="classic-hosted-ui"
14550
+ ),
14551
+ managed_login_version=cognito.ManagedLoginVersion.CLASSIC_HOSTED_UI
14552
+ )
14553
+ '''
14554
+
14555
+ CLASSIC_HOSTED_UI = "CLASSIC_HOSTED_UI"
14556
+ '''The classic hosted UI.'''
14557
+ NEWER_MANAGED_LOGIN = "NEWER_MANAGED_LOGIN"
14558
+ '''The newer managed login with the branding designer.'''
14559
+
14560
+
14583
14561
  @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.Mfa")
14584
14562
  class Mfa(enum.Enum):
14585
14563
  '''The different ways in which a user pool's MFA enforcement can be configured.
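Review bot: The usage example in the new `ManagedLoginVersion` docstring misspells "branding" as "blanding" in both the construct id `CognitoDomainWithBlandingDesignManagedLogin` and the prefix `domain_prefix="blanding-design-ui"`. Examples like this get copied verbatim, and a Cognito domain prefix ends up in the sign-in hostname that users see, where a misspelt name is easily mistaken for a look-alike domain. I would change the two lines to `pool.add_domain("CognitoDomainWithBrandingDesignManagedLogin",` and `domain_prefix="branding-design-ui"`. The enum docstring could also state, as the `managed_login_version` parameter docs elsewhere in this diff do, that leaving the option unset keeps `CLASSIC_HOSTED_UI`.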
@@ -17441,18 +17419,22 @@ class UserPool(
17441
17419
  *,
17442
17420
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
17443
17421
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
17422
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
17444
17423
  ) -> "UserPoolDomain":
17445
17424
  '''Associate a domain to this user pool.
17446
17425
 
17447
17426
  :param id: -
17448
17427
  :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
17449
17428
  :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
17429
+ :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
17450
17430
  '''
17451
17431
  if __debug__:
17452
17432
  type_hints = typing.get_type_hints(_typecheckingstub__f9659a33214c6a8f47e5cc02aec61f89c8bd48113d0c9b3e32a81fef2d48a103)
17453
17433
  check_type(argname="argument id", value=id, expected_type=type_hints["id"])
17454
17434
  options = UserPoolDomainOptions(
17455
- cognito_domain=cognito_domain, custom_domain=custom_domain
17435
+ cognito_domain=cognito_domain,
17436
+ custom_domain=custom_domain,
17437
+ managed_login_version=managed_login_version,
17456
17438
  )
17457
17439
 
17458
17440
  return typing.cast("UserPoolDomain", jsii.invoke(self, "addDomain", [id, options]))
@@ -18505,6 +18487,7 @@ class UserPoolDomain(
18505
18487
  user_pool: IUserPool,
18506
18488
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
18507
18489
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
18490
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
18508
18491
  ) -> None:
18509
18492
  '''
18510
18493
  :param scope: -
@@ -18512,6 +18495,7 @@ class UserPoolDomain(
18512
18495
  :param user_pool: The user pool to which this domain should be associated.
18513
18496
  :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
18514
18497
  :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
18498
+ :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
18515
18499
  '''
18516
18500
  if __debug__:
18517
18501
  type_hints = typing.get_type_hints(_typecheckingstub__370554f0c705ae872638d9d90d00b13abf8230d3666aa0d882b882f94152b471)
@@ -18521,6 +18505,7 @@ class UserPoolDomain(
18521
18505
  user_pool=user_pool,
18522
18506
  cognito_domain=cognito_domain,
18523
18507
  custom_domain=custom_domain,
18508
+ managed_login_version=managed_login_version,
18524
18509
  )
18525
18510
 
18526
18511
  jsii.create(self.__class__, self, [scope, id, props])
@@ -18614,7 +18599,11 @@ class UserPoolDomain(
18614
18599
  @jsii.data_type(
18615
18600
  jsii_type="aws-cdk-lib.aws_cognito.UserPoolDomainOptions",
18616
18601
  jsii_struct_bases=[],
18617
- name_mapping={"cognito_domain": "cognitoDomain", "custom_domain": "customDomain"},
18602
+ name_mapping={
18603
+ "cognito_domain": "cognitoDomain",
18604
+ "custom_domain": "customDomain",
18605
+ "managed_login_version": "managedLoginVersion",
18606
+ },
18618
18607
  )
18619
18608
  class UserPoolDomainOptions:
18620
18609
  def __init__(
@@ -18622,11 +18611,13 @@ class UserPoolDomainOptions:
18622
18611
  *,
18623
18612
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
18624
18613
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
18614
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
18625
18615
  ) -> None:
18626
18616
  '''Options to create a UserPoolDomain.
18627
18617
 
18628
18618
  :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
18629
18619
  :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
18620
+ :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
18630
18621
 
18631
18622
  :exampleMetadata: infused
18632
18623
 
@@ -18658,11 +18649,14 @@ class UserPoolDomainOptions:
18658
18649
  type_hints = typing.get_type_hints(_typecheckingstub__4a5105d96e2071a7239518797c0a84f12539bde7c8fda8d40c7b23af679070c0)
18659
18650
  check_type(argname="argument cognito_domain", value=cognito_domain, expected_type=type_hints["cognito_domain"])
18660
18651
  check_type(argname="argument custom_domain", value=custom_domain, expected_type=type_hints["custom_domain"])
18652
+ check_type(argname="argument managed_login_version", value=managed_login_version, expected_type=type_hints["managed_login_version"])
18661
18653
  self._values: typing.Dict[builtins.str, typing.Any] = {}
18662
18654
  if cognito_domain is not None:
18663
18655
  self._values["cognito_domain"] = cognito_domain
18664
18656
  if custom_domain is not None:
18665
18657
  self._values["custom_domain"] = custom_domain
18658
+ if managed_login_version is not None:
18659
+ self._values["managed_login_version"] = managed_login_version
18666
18660
 
18667
18661
  @builtins.property
18668
18662
  def cognito_domain(self) -> typing.Optional[CognitoDomainOptions]:
@@ -18686,6 +18680,19 @@ class UserPoolDomainOptions:
18686
18680
  result = self._values.get("custom_domain")
18687
18681
  return typing.cast(typing.Optional[CustomDomainOptions], result)
18688
18682
 
18683
+ @builtins.property
18684
+ def managed_login_version(self) -> typing.Optional[ManagedLoginVersion]:
18685
+ '''A version that indicates the state of managed login.
18686
+
18687
+ This choice applies to all app clients that host services at the domain.
18688
+
18689
+ :default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
18690
+
18691
+ :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html
18692
+ '''
18693
+ result = self._values.get("managed_login_version")
18694
+ return typing.cast(typing.Optional[ManagedLoginVersion], result)
18695
+
18689
18696
  def __eq__(self, rhs: typing.Any) -> builtins.bool:
18690
18697
  return isinstance(rhs, self.__class__) and rhs._values == self._values
18691
18698
 
@@ -18704,6 +18711,7 @@ class UserPoolDomainOptions:
18704
18711
  name_mapping={
18705
18712
  "cognito_domain": "cognitoDomain",
18706
18713
  "custom_domain": "customDomain",
18714
+ "managed_login_version": "managedLoginVersion",
18707
18715
  "user_pool": "userPool",
18708
18716
  },
18709
18717
  )
@@ -18713,12 +18721,14 @@ class UserPoolDomainProps(UserPoolDomainOptions):
18713
18721
  *,
18714
18722
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
18715
18723
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
18724
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
18716
18725
  user_pool: IUserPool,
18717
18726
  ) -> None:
18718
18727
  '''Props for UserPoolDomain construct.
18719
18728
 
18720
18729
  :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
18721
18730
  :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
18731
+ :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
18722
18732
  :param user_pool: The user pool to which this domain should be associated.
18723
18733
 
18724
18734
  :exampleMetadata: infused
@@ -18791,6 +18801,7 @@ class UserPoolDomainProps(UserPoolDomainOptions):
18791
18801
  type_hints = typing.get_type_hints(_typecheckingstub__4336d5dce146abd75b1697dd55937affe308b1524f218d9eb3835531c34f7baa)
18792
18802
  check_type(argname="argument cognito_domain", value=cognito_domain, expected_type=type_hints["cognito_domain"])
18793
18803
  check_type(argname="argument custom_domain", value=custom_domain, expected_type=type_hints["custom_domain"])
18804
+ check_type(argname="argument managed_login_version", value=managed_login_version, expected_type=type_hints["managed_login_version"])
18794
18805
  check_type(argname="argument user_pool", value=user_pool, expected_type=type_hints["user_pool"])
18795
18806
  self._values: typing.Dict[builtins.str, typing.Any] = {
18796
18807
  "user_pool": user_pool,
@@ -18799,6 +18810,8 @@ class UserPoolDomainProps(UserPoolDomainOptions):
18799
18810
  self._values["cognito_domain"] = cognito_domain
18800
18811
  if custom_domain is not None:
18801
18812
  self._values["custom_domain"] = custom_domain
18813
+ if managed_login_version is not None:
18814
+ self._values["managed_login_version"] = managed_login_version
18802
18815
 
18803
18816
  @builtins.property
18804
18817
  def cognito_domain(self) -> typing.Optional[CognitoDomainOptions]:
@@ -18822,6 +18835,19 @@ class UserPoolDomainProps(UserPoolDomainOptions):
18822
18835
  result = self._values.get("custom_domain")
18823
18836
  return typing.cast(typing.Optional[CustomDomainOptions], result)
18824
18837
 
18838
+ @builtins.property
18839
+ def managed_login_version(self) -> typing.Optional[ManagedLoginVersion]:
18840
+ '''A version that indicates the state of managed login.
18841
+
18842
+ This choice applies to all app clients that host services at the domain.
18843
+
18844
+ :default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
18845
+
18846
+ :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html
18847
+ '''
18848
+ result = self._values.get("managed_login_version")
18849
+ return typing.cast(typing.Optional[ManagedLoginVersion], result)
18850
+
18825
18851
  @builtins.property
18826
18852
  def user_pool(self) -> IUserPool:
18827
18853
  '''The user pool to which this domain should be associated.'''
@@ -22924,6 +22950,7 @@ __all__ = [
22924
22950
  "IUserPoolResourceServer",
22925
22951
  "KeepOriginalAttrs",
22926
22952
  "LambdaVersion",
22953
+ "ManagedLoginVersion",
22927
22954
  "Mfa",
22928
22955
  "MfaSecondFactor",
22929
22956
  "NumberAttribute",
@@ -24851,6 +24878,7 @@ def _typecheckingstub__792921e0d9eecd6253eadd31c7fba82fdce9c0ba38f25dcba7dcd063e
24851
24878
  *,
24852
24879
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
24853
24880
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
24881
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
24854
24882
  ) -> None:
24855
24883
  """Type checking stubs"""
24856
24884
  pass
@@ -25171,6 +25199,7 @@ def _typecheckingstub__f9659a33214c6a8f47e5cc02aec61f89c8bd48113d0c9b3e32a81fef2
25171
25199
  *,
25172
25200
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25173
25201
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25202
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
25174
25203
  ) -> None:
25175
25204
  """Type checking stubs"""
25176
25205
  pass
@@ -25305,6 +25334,7 @@ def _typecheckingstub__370554f0c705ae872638d9d90d00b13abf8230d3666aa0d882b882f94
25305
25334
  user_pool: IUserPool,
25306
25335
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25307
25336
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25337
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
25308
25338
  ) -> None:
25309
25339
  """Type checking stubs"""
25310
25340
  pass
@@ -25331,6 +25361,7 @@ def _typecheckingstub__4a5105d96e2071a7239518797c0a84f12539bde7c8fda8d40c7b23af6
25331
25361
  *,
25332
25362
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25333
25363
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25364
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
25334
25365
  ) -> None:
25335
25366
  """Type checking stubs"""
25336
25367
  pass
@@ -25339,6 +25370,7 @@ def _typecheckingstub__4336d5dce146abd75b1697dd55937affe308b1524f218d9eb3835531c
25339
25370
  *,
25340
25371
  cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25341
25372
  custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
25373
+ managed_login_version: typing.Optional[ManagedLoginVersion] = None,
25342
25374
  user_pool: IUserPool,
25343
25375
  ) -> None:
25344
25376
  """Type checking stubs"""