aws-cdk-lib 2.176.0__py3-none-any.whl → 2.178.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -326,7 +326,7 @@ configure an MFA token and use it for sign in. It also allows for the users to u
 [time-based one time password
 (TOTP)](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html).
 
-If you want to enable email-based MFA, set `email` propety to the Amazon SES email-sending configuration and set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.
+If you want to enable email-based MFA, set `email` property to the Amazon SES email-sending configuration and set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.
 For more information, see [SMS and email message MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html).
 
 ```python
@@ -348,6 +348,10 @@ Further to this, it can also be configured with the validity of the auto-generat
 password is generated by the user pool either when an admin signs up a user or when a password reset is requested.
 The validity of this password dictates how long to give the user to use this password before expiring it.
 
+You can also set a policy for password reuse by setting the `passwordHistorySize` property.
+You can prevent a user from resetting their password to a new password that matches their current password or any of up to 23 additional previous passwords, for a maximum total of 24.
+The `passwordHistorySize` property can not be set when `featurePlan` is `FeaturePlan.LITE`.
+
 The following code snippet configures these properties -
 
 ```python
@@ -847,7 +851,7 @@ configured for a client.
 ```python
 pool = cognito.UserPool(self, "Pool")
 
-client_write_attributes = (cognito.ClientAttributes()).with_standard_attributes(fullname=True, email=True).with_custom_attributes("favouritePizza", "favouriteBeverage")
+client_write_attributes = (cognito.ClientAttributes()).with_standard_attributes(fullname=True, email=True).with_custom_attributes("favoritePizza", "favoriteBeverage")
 
 client_read_attributes = client_write_attributes.with_standard_attributes(email_verified=True).with_custom_attributes("pointsEarned")
 
@@ -977,6 +981,28 @@ Read more about [Using the Amazon Cognito
 Domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html) and [Using Your Own
 Domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html).
 
+You can use the [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) page provided by Amazon Cognito to sign in users. The managed login page has two versions: a classic version and a new version. You can switch between the two versions by using the `managedLoginVersion` property.
+
+```python
+pool = cognito.UserPool(self, "Pool")
+
+# Use the new managed login page
+pool.add_domain("CognitoDomainWithBlandingDesignManagedLogin",
+    cognito_domain=cognito.CognitoDomainOptions(
+        domain_prefix="blanding-design-ui"
+    ),
+    managed_login_version=cognito.ManagedLoginVersion.NEWER_MANAGED_LOGIN
+)
+
+# Use the classic hosted UI
+pool.add_domain("DomainWithClassicHostedUi",
+    cognito_domain=cognito.CognitoDomainOptions(
+        domain_prefix="classic-hosted-ui"
+    ),
+    managed_login_version=cognito.ManagedLoginVersion.CLASSIC_HOSTED_UI
+)
+```
+
 The `signInUrl()` methods returns the fully qualified URL to the login page for the user pool. This page comes from the
 hosted UI configured with Cognito. Learn more at [Hosted UI with the Amazon Cognito
 Console](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html#cognito-user-pools-create-an-app-integration).
@@ -3758,9 +3784,7 @@ class CfnLogDeliveryConfiguration(
         ) -> None:
             '''The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.
 
-            This data type is a request parameter of ``API_SetLogDeliveryConfiguration`` and a response parameter of ``API_GetLogDeliveryConfiguration`` .
-
-            :param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with threat protection. This data type is a request parameter of ``API_SetLogDeliveryConfiguration`` and a response parameter of ``API_GetLogDeliveryConfiguration`` .
+            :param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
             :param event_source: The source of events that your user pool sends for logging. To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about threat-protection user activity in user pools with the Plus feature plan, set to ``userAuthEvents`` .
             :param firehose_configuration: Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
             :param log_level: The ``errorlevel`` selection of logs that a user pool sends for detailed activity logging. To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from threat protection with the Plus feature plan, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
@@ -3812,9 +3836,7 @@ class CfnLogDeliveryConfiguration(
         def cloud_watch_logs_configuration(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.CloudWatchLogsConfigurationProperty"]]:
-            '''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with threat protection.
-
-            This data type is a request parameter of ``API_SetLogDeliveryConfiguration`` and a response parameter of ``API_GetLogDeliveryConfiguration`` .
+            '''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-cloudwatchlogsconfiguration
             '''
@@ -4266,8 +4288,6 @@ class CfnManagedLoginBranding(
         ) -> None:
             '''An image file from a managed login branding style in a user pool.
 
-            This data type is a request parameter of ``API_CreateManagedLoginBranding`` and ``API_UpdateManagedLoginBranding`` , and a response parameter of ``API_DescribeManagedLoginBranding`` .
-
             :param category: The category that the image corresponds to in your managed login configuration. Managed login has asset categories for different types of logos, backgrounds, and icons.
             :param color_mode: The display-mode target of the asset: light, dark, or browser-adaptive. For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
             :param extension: The file type of the image file.
@@ -4729,7 +4749,7 @@ class CfnUserPool(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
-        :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
+        :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
         :param alias_attributes: Attributes supported as an alias for this user pool. For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
@@ -4742,7 +4762,7 @@ class CfnUserPool(
         :param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
         :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: Displays the state of multi-factor authentication (MFA) as on, off, or optional. When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` . When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
-        :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
+        :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements.
         :param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
         :param sms_authentication_message: The contents of the SMS authentication message.
         :param sms_configuration: The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
@@ -5095,10 +5115,7 @@ class CfnUserPool(
     def policies(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PoliciesProperty"]]:
-        '''A list of user pool policies.
-
-        Contains the policy that sets password-complexity requirements.
-        '''
+        '''A list of user pool policies.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PoliciesProperty"]], jsii.get(self, "policies"))
 
     @policies.setter
@@ -5411,11 +5428,9 @@ class CfnUserPool(
 
             Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the ``SignUp`` operation.
             :param invite_message_template: The template for the welcome message to new users. This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
-            :param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of ``API_PasswordPolicyType`` . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` . The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
+            :param unused_account_validity_days: This parameter is no longer in use. The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
             :exampleMetadata: fixture=_generated
@@ -5481,8 +5496,6 @@ class CfnUserPool(
         def unused_account_validity_days(self) -> typing.Optional[jsii.Number]:
             '''This parameter is no longer in use.
 
-            Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of ``API_PasswordPolicyType`` . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` .
-
             The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter.
 
             The default value for this parameter is 7.
@@ -5727,15 +5740,6 @@ class CfnUserPool(
         ) -> None:
             '''The device-remembering configuration for a user pool.
 
-            A ``API_DescribeUserPool`` request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a ``API_ConfirmDevice`` API request. Additionally. when the property ``DeviceOnlyRememberedOnUserPrompt`` is ``true`` , you must follow ``ConfirmDevice`` with an ``API_UpdateDeviceStatus`` API request that sets the user's device to ``remembered`` or ``not_remembered`` .
-
-            To sign in with a remembered device, include ``DEVICE_KEY`` in the authentication parameters in your user's ``API_InitiateAuth`` request. If your app doesn't include a ``DEVICE_KEY`` parameter, the ``API_InitiateAuth`` from Amazon Cognito includes newly-generated ``DEVICE_KEY`` and ``DEVICE_GROUP_KEY`` values under ``NewDeviceMetadata`` . Store these values to use in future device-authentication requests.
-            .. epigraph::
-
-               When you provide a value for any property of ``DeviceConfiguration`` , you activate the device remembering for the user pool.
-
-               This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param challenge_required_on_new_device: When true, a remembered device can sign in with device authentication instead of SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA). .. epigraph:: Whether or not ``ChallengeRequiredOnNewDevice`` is true, users who sign in with devices that have not been confirmed or remembered must still provide a second factor in a user pool that requires MFA.
             :param device_only_remembered_on_user_prompt: When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a ``ConfirmDevice`` API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an ``UpdateDeviceStatus`` API request. When ``DeviceOnlyRememberedOnUserPrompt`` is ``false`` , Amazon Cognito immediately remembers devices that you register in a ``ConfirmDevice`` API request.
 
@@ -6095,8 +6099,6 @@ class CfnUserPool(
 
             Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param create_auth_challenge: The configuration of a create auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
             :param custom_email_sender: The configuration of a custom email sender Lambda trigger. This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
             :param custom_message: A custom message Lambda trigger. This trigger is an opportunity to customize all SMS and email messages from your user pool. When a custom message trigger is active, your user pool routes all messages to a Lambda function that returns a runtime-customized message subject and body for your user pool to deliver to a user.
@@ -6358,8 +6360,6 @@ class CfnUserPool(
         ) -> None:
             '''The minimum and maximum values of an attribute that is of the number type, for example ``custom:age`` .
 
-            This data type is part of ``API_SchemaAttributeType`` . It defines the length constraints on number-type attributes that you configure in ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and displays the length constraints of all number-type attributes in the response to ``API_DescribeUserPool``
-
             :param max_value: The maximum length of a number attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
             :param min_value: The minimum value of an attribute that is of the number data type.
 
@@ -6445,10 +6445,8 @@ class CfnUserPool(
         ) -> None:
             '''The password policy settings for a user pool, including complexity, history, and length requirements.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param minimum_length: The minimum length of the password in the policy that you have set. This value can't be less than 6.
-            :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` . Password history isn't enforced and isn't displayed in ``API_DescribeUserPool`` responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
+            :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` .
             :param require_lowercase: The requirement in a password policy that users must include at least one lowercase letter in their password.
             :param require_numbers: The requirement in a password policy that users must include at least one number in their password.
             :param require_symbols: The requirement in a password policy that users must include at least one symbol in their password.
@@ -6516,8 +6514,6 @@ class CfnUserPool(
 
             Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` .
 
-            Password history isn't enforced and isn't displayed in ``API_DescribeUserPool`` responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-passwordhistorysize
             '''
             result = self._values.get("password_history_size")
@@ -6607,12 +6603,12 @@ class CfnUserPool(
             password_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.PasswordPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             sign_in_policy: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.SignInPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''A list of user pool policies. Contains the policy that sets password-complexity requirements.
+            '''A list of user pool policies.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
+            Contains the policy that sets password-complexity requirements.
 
             :param password_policy: The password policy settings for a user pool, including complexity, history, and length requirements.
-            :param sign_in_policy: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
+            :param sign_in_policy: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html
             :exampleMetadata: fixture=_generated
@@ -6667,8 +6663,6 @@ class CfnUserPool(
 
             To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-signinpolicy
             '''
             result = self._values.get("sign_in_policy")
@@ -6699,8 +6693,6 @@ class CfnUserPool(
         ) -> None:
             '''The properties of a pre token generation Lambda trigger.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param lambda_arn: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger. This parameter and the ``PreTokenGeneration`` property of ``LambdaConfig`` have the same value. For new instances of pre token generation triggers, set ``LambdaArn`` .
             :param lambda_version: The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
 
@@ -6779,8 +6771,6 @@ class CfnUserPool(
 
             For example, if ``verified_email`` has a priority of ``1`` and ``verified_phone_number`` has a priority of ``2`` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The ``admin_only`` option prevents self-service account recovery.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param name: The recovery method that this object sets a recovery option for.
             :param priority: Your priority preference for using the specified attribute in account recovery. The highest priority is ``1`` .
 
@@ -6870,8 +6860,6 @@ class CfnUserPool(
 
             Developer-only ``dev:`` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param attribute_data_type: The data format of the values for your attribute. When you choose an ``AttributeDataType`` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example ``"custom:isMember" : "true"`` or ``"custom:YearsAsMember" : "12"`` .
             :param developer_only_attribute: .. epigraph:: You should use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` . Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users won't be able to modify this attribute using their access token. For example, ``DeveloperOnlyAttribute`` can be modified using AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes.
             :param mutable: Specifies whether the value of the attribute can be changed. Any user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of ``true`` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see `Specifying Identity Provider Attribute Mappings for Your User Pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
@@ -7041,8 +7029,6 @@ class CfnUserPool(
 
             To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param allowed_first_auth_factors: The sign-in methods that a user pool supports as the first factor. You can permit users to start authentication with a standard username and password, or with other one-time password and hardware factors. Supports values of ``EMAIL_OTP`` , ``SMS_OTP`` , ``WEB_AUTHN`` and ``PASSWORD`` ,
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html
@@ -7112,8 +7098,6 @@ class CfnUserPool(
 
             To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
 
-            This data type is a request parameter of ``API_CreateUserPool`` , ``API_UpdateUserPool`` , and ``API_SetUserPoolMfaConfig`` , and a response parameter of ``API_CreateUserPool`` , ``API_UpdateUserPool`` , and ``API_GetUserPoolMfaConfig`` .
-
             :param external_id: The external ID provides additional security for your IAM role. You can use an ``ExternalId`` with the IAM role that you use with Amazon SNS to send SMS messages for your user pool. If you provide an ``ExternalId`` , your Amazon Cognito user pool includes it in the request to assume your IAM role. You can configure the role trust policy to require that Amazon Cognito, and any principal, provide the ``ExternalID`` . If you use the Amazon Cognito Management Console to create a role for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required permissions and a trust policy that demonstrates use of the ``ExternalId`` . For more information about the ``ExternalId`` of a role, see `How to use an external ID when granting access to your AWS resources to a third party <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ .
             :param sns_caller_arn: The Amazon Resource Name (ARN) of the Amazon SNS caller. This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a `spending limit <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html>`_ .
             :param sns_region: The AWS Region to use with Amazon SNS integration. You can choose the same Region as your user pool, or a supported *Legacy Amazon SNS alternate Region* . Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see `SMS message settings for Amazon Cognito user pools <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
@@ -7208,8 +7192,6 @@ class CfnUserPool(
         ) -> None:
             '''The minimum and maximum length values of an attribute that is of the string type, for example ``custom:department`` .
 
-            This data type is part of ``API_SchemaAttributeType`` . It defines the length constraints on string-type attributes that you configure in ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and displays the length constraints of all string-type attributes in the response to ``API_DescribeUserPool``
-
             :param max_length: The maximum length of a string attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
             :param min_length: The minimum length of a string attribute value.
 
@@ -7287,7 +7269,7 @@ class CfnUserPool(
             a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For
             more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
 
-            :param attributes_require_verification_before_update: Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value. You can verify an updated email address or phone number with a ``API_VerifyUserAttribute`` API request. You can also call the ``API_AdminUpdateUserAttributes`` API and set ``email_verified`` or ``phone_number_verified`` to true. When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
+            :param attributes_require_verification_before_update: Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value. When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userattributeupdatesettings.html
             :exampleMetadata: fixture=_generated
@@ -7317,8 +7299,6 @@ class CfnUserPool(
 
             When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value.
 
-            You can verify an updated email address or phone number with a ``API_VerifyUserAttribute`` API request. You can also call the ``API_AdminUpdateUserAttributes`` API and set ``email_verified`` or ``phone_number_verified`` to true.
-
             When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userattributeupdatesettings.html#cfn-cognito-userpool-userattributeupdatesettings-attributesrequireverificationbeforeupdate
@@ -7353,14 +7333,12 @@ class CfnUserPool(
             advanced_security_additional_flows: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.AdvancedSecurityAdditionalFlowsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             advanced_security_mode: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Contains settings for activation of threat protection, including the operating mode and additional authentication types.
+            '''User pool add-ons.
 
-            To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` .
+            Contains settings for activation of threat protection. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to risky traffic to your user pool, set to ``ENFORCED`` .
 
             For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param advanced_security_additional_flows: Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
             :param advanced_security_mode: The operating mode of threat protection for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
 
@@ -7436,8 +7414,6 @@ class CfnUserPool(
 
             When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
 
-            This configuration is immutable after you set it. For more information, see ``API_UsernameConfigurationType`` .
-
             :param case_sensitive: Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name. Valid values include: - **true** - Enables case sensitivity for all username input. When this option is set to ``true`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value. - **false** - Enables case insensitivity for all username input. For example, when this option is set to ``false`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-usernameconfiguration.html
@@ -7514,8 +7490,6 @@ class CfnUserPool(
         ) -> None:
             '''The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
 
-            This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
             :param default_email_option: The configuration of verification emails to contain a clickable link or a verification code. For link, your template body must contain link text in the format ``{##Click here##}`` . "Click here" in the example is a customizable string. For code, your template body must contain a code placeholder in the format ``{####}`` .
             :param email_message: The template for email messages that Amazon Cognito sends to your users. You can set an ``EmailMessage`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
             :param email_message_by_link: The email message template for sending a confirmation link to the user. You can set an ``EmailMessageByLink`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
@@ -7758,17 +7732,17 @@ class CfnUserPoolClient(
         :param client_name: A friendly name for the app client that you want to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
         :param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
-        :param enable_token_revocation: Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client. Revoke tokens with ``API_RevokeToken`` . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
+        :param enable_token_revocation: Activates or deactivates token revocation. If you don't include this parameter, token revocation is automatically activated for the new user pool client.
         :param explicit_auth_flows: The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . The values for authentication flow options include the following. - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
-        :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a ``API_GetUser`` API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
+        :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
-        :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an ``API_UpdateUserAttributes`` API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
+        :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__87712ca9ae8faf9f73a6c5d11987fcf280543ea093bcc4253c800c0151725828)
@@ -8030,7 +8004,7 @@ class CfnUserPoolClient(
     def enable_token_revocation(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client.'''
+        '''Activates or deactivates token revocation.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enableTokenRevocation"))
 
     @enable_token_revocation.setter
@@ -8227,8 +8201,6 @@ class CfnUserPoolClient(
 
             Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see `Amazon Cognito and Amazon Pinpoint Region availability <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings>`_ .
 
-            This data type is a request parameter of ``API_CreateUserPoolClient`` and ``API_UpdateUserPoolClient`` , and a response parameter of ``API_DescribeUserPoolClient`` .
-
             :param application_arn: The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to your user pool app client. Amazon Cognito publishes events to the Amazon Pinpoint project that ``ApplicationArn`` declares. You can also configure your application to pass an endpoint ID in the ``AnalyticsMetadata`` parameter of sign-in operations. The endpoint ID is information about the destination for push notifications
             :param application_id: Your Amazon Pinpoint project ID.
             :param external_id: The `external ID <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
@@ -8497,17 +8469,17 @@ class CfnUserPoolClientProps:
         :param client_name: A friendly name for the app client that you want to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
         :param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
-        :param enable_token_revocation: Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client. Revoke tokens with ``API_RevokeToken`` . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
+        :param enable_token_revocation: Activates or deactivates token revocation. If you don't include this parameter, token revocation is automatically activated for the new user pool client.
         :param explicit_auth_flows: The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . The values for authentication flow options include the following. - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
         :param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
         :param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
         :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
-        :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a ``API_GetUser`` API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
+        :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
-        :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an ``API_UpdateUserAttributes`` API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
+        :param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
         :exampleMetadata: fixture=_generated
@@ -8784,9 +8756,7 @@ class CfnUserPoolClientProps:
     def enable_token_revocation(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client.
-
-        Revoke tokens with ``API_RevokeToken`` .
+        '''Activates or deactivates token revocation.
 
         If you don't include this parameter, token revocation is automatically activated for the new user pool client.
 
@@ -8887,11 +8857,9 @@ class CfnUserPoolClientProps:
     def read_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
         '''The list of user attributes that you want your app client to have read access to.
 
-        After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list.
-
-        An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a ``API_GetUser`` API request to retrieve and display your user's profile data.
+        After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information.
 
-        When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
+        When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-readattributes
         '''
@@ -8951,8 +8919,6 @@ class CfnUserPoolClientProps:
 
         After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list.
 
-        An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an ``API_UpdateUserAttributes`` API request and sets ``family_name`` to the new value.
-
         When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes.
 
         If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
@@ -9019,7 +8985,7 @@ class CfnUserPoolDomain(
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain: The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
         :param user_pool_id: The ID of the user pool that is associated with the domain you're updating.
-        :param custom_domain_config: The configuration for a custom domain that hosts managed login for your application. In an ``UpdateUserPoolDomain`` request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in ``us-east-1`` . When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a ``API_SetUserPoolMfaConfig`` request.
+        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
         :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
         '''
         if __debug__:
@@ -9119,7 +9085,7 @@ class CfnUserPoolDomain(
     def custom_domain_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolDomain.CustomDomainConfigTypeProperty"]]:
-        '''The configuration for a custom domain that hosts managed login for your application.'''
+        '''The configuration for a custom domain that hosts the sign-up and sign-in pages for your application.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolDomain.CustomDomainConfigTypeProperty"]], jsii.get(self, "customDomainConfig"))
 
     @custom_domain_config.setter
@@ -9158,8 +9124,6 @@ class CfnUserPoolDomain(
         ) -> None:
             '''The configuration for a hosted UI custom domain.
 
-            This data type is a request parameter of ``API_CreateUserPoolDomain`` and ``API_UpdateUserPoolDomain`` .
-
             :param certificate_arn: The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpooldomain-customdomainconfigtype.html
@@ -9228,7 +9192,7 @@ class CfnUserPoolDomainProps:
 
         :param domain: The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
         :param user_pool_id: The ID of the user pool that is associated with the domain you're updating.
-        :param custom_domain_config: The configuration for a custom domain that hosts managed login for your application. In an ``UpdateUserPoolDomain`` request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in ``us-east-1`` . When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a ``API_SetUserPoolMfaConfig`` request.
+        :param custom_domain_config: The configuration for a custom domain that hosts the sign-up and sign-in pages for your application. Use this object to specify an SSL certificate that is managed by ACM. When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
         :param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html
@@ -9292,14 +9256,12 @@ class CfnUserPoolDomainProps:
     def custom_domain_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolDomain.CustomDomainConfigTypeProperty]]:
-        '''The configuration for a custom domain that hosts managed login for your application.
+        '''The configuration for a custom domain that hosts the sign-up and sign-in pages for your application.
 
-        In an ``UpdateUserPoolDomain`` request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in ``us-east-1`` .
+        Use this object to specify an SSL certificate that is managed by ACM.
 
         When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
 
-        Update the RP ID in a ``API_SetUserPoolMfaConfig`` request.
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-customdomainconfig
         '''
         result = self._values.get("custom_domain_config")
@@ -9338,8 +9300,6 @@ class CfnUserPoolGroup(
 
     Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
 
-    This data type is a response parameter of ``API_AdminListGroupsForUser`` , ``API_CreateGroup`` , ``API_GetGroup`` , ``API_ListGroups`` , and ``API_UpdateGroup`` .
-
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html
     :cloudformationResource: AWS::Cognito::UserPoolGroup
     :exampleMetadata: fixture=_generated
@@ -10077,7 +10037,7 @@ class CfnUserPoolProps:
         '''Properties for defining a ``CfnUserPool``.
 
         :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
-        :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
+        :param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
         :param alias_attributes: Attributes supported as an alias for this user pool. For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param auto_verified_attributes: The attributes that you want your user pool to automatically verify. For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
         :param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
@@ -10090,7 +10050,7 @@ class CfnUserPoolProps:
         :param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
         :param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
         :param mfa_configuration: Displays the state of multi-factor authentication (MFA) as on, off, or optional. When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` . When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
-        :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
+        :param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements.
         :param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
         :param sms_authentication_message: The contents of the SMS authentication message.
         :param sms_configuration: The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
@@ -10354,8 +10314,6 @@ class CfnUserPoolProps:
 
         Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
 
-        This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-admincreateuserconfig
         '''
         result = self._values.get("admin_create_user_config")
@@ -10511,9 +10469,9 @@ class CfnUserPoolProps:
     def policies(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.PoliciesProperty]]:
-        '''A list of user pool policies. Contains the policy that sets password-complexity requirements.
+        '''A list of user pool policies.
 
-        This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
+        Contains the policy that sets password-complexity requirements.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-policies
         '''
@@ -10874,8 +10832,6 @@ class CfnUserPoolResourceServer(
 
             This data type is a member of ``ResourceServerScopeType`` . For more information, see `Scopes, M2M, and API authorization with resource servers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html>`_ .
 
-            This data type is a request parameter of ``API_CreateResourceServer`` and a response parameter of ``API_DescribeResourceServer`` .
-
             :param scope_description: A friendly description of a custom scope.
             :param scope_name: The name of the scope. Amazon Cognito renders custom scopes in the format ``resourceServerIdentifier/ScopeName`` . For example, if this parameter is ``exampleScope`` in the resource server with the identifier ``exampleResourceServer`` , you request and receive the scope ``exampleResourceServer/exampleScope`` .
 
@@ -11305,9 +11261,7 @@ class CfnUserPoolRiskConfigurationAttachment(
         ) -> None:
             '''The automated response to a risk level for adaptive authentication in full-function, or ``ENFORCED`` , mode.
 
-            You can assign an action to each risk level that threat protection evaluates.
-
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
+            You can assign an action to each risk level that advanced security features evaluates.
 
             :param event_action: The action to take for the attempted account takeover action for the associated risk level. Valid values are as follows: - ``BLOCK`` : Block the request. - ``MFA_IF_CONFIGURED`` : Present an MFA challenge if possible. MFA is possible if the user pool has active MFA methods that the user can set up. For example, if the user pool only supports SMS message MFA but the user doesn't have a phone number attribute, MFA setup isn't possible. If MFA setup isn't possible, allow the request. - ``MFA_REQUIRED`` : Present an MFA challenge if possible. Block the request if a user hasn't set up MFA. To sign in with required MFA, users must have an email address or phone number attribute, or a registered TOTP factor. - ``NO_ACTION`` : Take no action. Permit sign-in.
             :param notify: Determines whether Amazon Cognito sends a user a notification message when your user pools assesses a user's session at the associated risk level.
@@ -11390,9 +11344,7 @@ class CfnUserPoolRiskConfigurationAttachment(
             low_action: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             medium_action: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection features.
-
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
+            '''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
 
             :param high_action: The action that you assign to a high-risk assessment by threat protection.
             :param low_action: The action that you assign to a low-risk assessment by threat protection.
@@ -11494,9 +11446,7 @@ class CfnUserPoolRiskConfigurationAttachment(
             actions: typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty", typing.Dict[builtins.str, typing.Any]]],
             notify_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''The settings for automated responses and notification templates for adaptive authentication with threat protection features.
-
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
+            '''The settings for automated responses and notification templates for adaptive authentication with advanced security features.
 
             :param actions: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection.
             :param notify_configuration: The settings for composing and sending an email message when threat protection assesses a risk level with adaptive authentication. When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
@@ -11610,9 +11560,7 @@ class CfnUserPoolRiskConfigurationAttachment(
     )
     class CompromisedCredentialsActionsTypeProperty:
         def __init__(self, *, event_action: builtins.str) -> None:
-            '''Settings for user pool actions when Amazon Cognito detects compromised credentials with threat protection in full-function ``ENFORCED`` mode.
-
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
+            '''Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-function ``ENFORCED`` mode.
 
             :param event_action: The action that Amazon Cognito takes when it detects compromised credentials.
 
@@ -11669,9 +11617,7 @@ class CfnUserPoolRiskConfigurationAttachment(
             actions: typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsActionsTypeProperty", typing.Dict[builtins.str, typing.Any]]],
             event_filter: typing.Optional[typing.Sequence[builtins.str]] = None,
         ) -> None:
-            '''Settings for compromised-credentials actions and authentication-event sources with threat protection in full-function ``ENFORCED`` mode.
-
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
+            '''Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-function ``ENFORCED`` mode.
 
             :param actions: Settings for the actions that you want your user pool to take when Amazon Cognito detects compromised credentials.
             :param event_filter: Settings for the sign-in activity where you want to configure compromised-credentials actions. Defaults to all events.
@@ -11761,9 +11707,7 @@ class CfnUserPoolRiskConfigurationAttachment(
             no_action_email: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             reply_to: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The configuration for Amazon SES email messages that threat protection sends to a user when your adaptive authentication automated response has a *Notify* action.
-
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
+            '''The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a *Notify* action.
 
             :param source_arn: The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. This identity permits Amazon Cognito to send for the email address specified in the ``From`` parameter.
             :param block_email: The template for the email message that your user pool sends when a detected risk event is blocked.
@@ -11925,9 +11869,7 @@ class CfnUserPoolRiskConfigurationAttachment(
             html_body: typing.Optional[builtins.str] = None,
             text_body: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The template for email messages that threat protection sends to a user when your threat protection automated response has a *Notify* action.
-
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
+            '''The template for email messages that advanced security features sends to a user when your threat protection automated response has a *Notify* action.
 
             :param subject: The subject of the threat protection email notification.
             :param html_body: The body of an email notification formatted in HTML. Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
@@ -12023,8 +11965,6 @@ class CfnUserPoolRiskConfigurationAttachment(
         ) -> None:
             '''Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
 
-            This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
-
             :param blocked_ip_range_list: An always-block IP address list. Overrides the risk decision and always blocks authentication requests. This parameter is displayed and set in CIDR notation.
             :param skipped_ip_range_list: An always-allow IP address list. Risk detection isn't performed on the IP addresses in this range list. This parameter is displayed and set in CIDR notation.
 
@@ -12282,8 +12222,6 @@ class CfnUserPoolUICustomizationAttachment(
 ):
     '''A container for the UI customization information for the hosted UI in a user pool.
 
-    This data type is a response parameter of ``API_DescribeUserPoolClient`` .
-
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
     :cloudformationResource: AWS::Cognito::UserPoolUICustomizationAttachment
     :exampleMetadata: fixture=_generated
@@ -12543,7 +12481,7 @@ class CfnUserPoolUser(
         id: builtins.str,
         *,
         user_pool_id: builtins.str,
-        client_metadata: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+        client_metadata: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
         desired_delivery_mediums: typing.Optional[typing.Sequence[builtins.str]] = None,
         force_alias_creation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         message_action: typing.Optional[builtins.str] = None,
@@ -12559,7 +12497,7 @@ class CfnUserPoolUser(
         :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your ``AdminCreateUser`` request, you can set the ``email_verified`` and ``phone_number_verified`` attributes to ``true`` . The following conditions apply: - **email** - The email address where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``email_verified`` to ``true`` , or if you set ``EMAIL`` in the ``DesiredDeliveryMediums`` parameter. - **phone_number** - The phone number where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``phone_number`` to ``true`` , or if you set ``SMS`` in the ``DesiredDeliveryMediums`` parameter. You can also set attributes verified with ``API_AdminUpdateUserAttributes`` .
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
         '''
@@ -12632,14 +12570,14 @@ class CfnUserPoolUser(
     @jsii.member(jsii_name="clientMetadata")
     def client_metadata(
         self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+    ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
         '''A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.'''
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], jsii.get(self, "clientMetadata"))
+        return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], jsii.get(self, "clientMetadata"))
 
     @client_metadata.setter
     def client_metadata(
         self,
-        value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]],
+        value: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]],
     ) -> None:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__674b44537db9d65119536a886fe3b7990cd0df2f1aa1c3c2880711f8b302ae40)
@@ -12756,8 +12694,6 @@ class CfnUserPoolUser(
         ) -> None:
             '''The name and value of a user attribute.
 
-            This data type is a request parameter of ``API_AdminUpdateUserAttributes`` and ``API_UpdateUserAttributes`` .
-
             :param name: The name of the attribute.
             :param value: The value of the attribute.
 
@@ -12834,7 +12770,7 @@ class CfnUserPoolUserProps:
         self,
         *,
         user_pool_id: builtins.str,
-        client_metadata: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+        client_metadata: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
         desired_delivery_mediums: typing.Optional[typing.Sequence[builtins.str]] = None,
         force_alias_creation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         message_action: typing.Optional[builtins.str] = None,
@@ -12849,7 +12785,7 @@ class CfnUserPoolUserProps:
         :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your ``AdminCreateUser`` request, you can set the ``email_verified`` and ``phone_number_verified`` attributes to ``true`` . The following conditions apply: - **email** - The email address where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``email_verified`` to ``true`` , or if you set ``EMAIL`` in the ``DesiredDeliveryMediums`` parameter. - **phone_number** - The phone number where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``phone_number`` to ``true`` , or if you set ``SMS`` in the ``DesiredDeliveryMediums`` parameter. You can also set attributes verified with ``API_AdminUpdateUserAttributes`` .
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
 
@@ -12924,7 +12860,7 @@ class CfnUserPoolUserProps:
     @builtins.property
     def client_metadata(
         self,
-    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
+    ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
         '''A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
 
         You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``ClientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs.
@@ -12941,7 +12877,7 @@ class CfnUserPoolUserProps:
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-clientmetadata
         '''
         result = self._values.get("client_metadata")
-        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], result)
+        return typing.cast(typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]], result)
 
     @builtins.property
     def desired_delivery_mediums(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -12996,12 +12932,10 @@ class CfnUserPoolUserProps:
 
         You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` .
 
-        In your ``AdminCreateUser`` request, you can set the ``email_verified`` and ``phone_number_verified`` attributes to ``true`` . The following conditions apply:
-
-        - **email** - The email address where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``email_verified`` to ``true`` , or if you set ``EMAIL`` in the ``DesiredDeliveryMediums`` parameter.
-        - **phone_number** - The phone number where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``phone_number`` to ``true`` , or if you set ``SMS`` in the ``DesiredDeliveryMediums`` parameter.
+        In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` .
 
-        You can also set attributes verified with ``API_AdminUpdateUserAttributes`` .
+        - *email* : The email address of the user to whom the message that contains the code and username will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        - *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-userattributes
         '''
@@ -13290,7 +13224,7 @@ class ClientAttributes(
 
         pool = cognito.UserPool(self, "Pool")
         
-        client_write_attributes = (cognito.ClientAttributes()).with_standard_attributes(fullname=True, email=True).with_custom_attributes("favouritePizza", "favouriteBeverage")
+        client_write_attributes = (cognito.ClientAttributes()).with_standard_attributes(fullname=True, email=True).with_custom_attributes("favoritePizza", "favoriteBeverage")
         
         client_read_attributes = client_write_attributes.with_standard_attributes(email_verified=True).with_custom_attributes("pointsEarned")
         
@@ -13364,7 +13298,7 @@ class ClientAttributes(
         :param nickname: The user's nickname or casual name. Default: false
         :param phone_number: The user's telephone number. Default: false
         :param phone_number_verified: Whether the phone number has been verified. Default: false
-        :param preferred_username: The user's preffered username, different from the immutable user name. Default: false
+        :param preferred_username: The user's preferred username, different from the immutable user name. Default: false
         :param profile_page: The URL to the user's profile page. Default: false
         :param profile_picture: The URL to the user's profile picture. Default: false
         :param timezone: The user's time zone. Default: false
@@ -13998,12 +13932,14 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         *,
         cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        managed_login_version: typing.Optional["ManagedLoginVersion"] = None,
     ) -> "UserPoolDomain":
         '''Associate a domain to this user pool.
 
         :param id: -
         :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
         :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
+        :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
 
         :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
         '''
@@ -14185,12 +14121,14 @@ class _IUserPoolProxy(
         *,
         cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        managed_login_version: typing.Optional["ManagedLoginVersion"] = None,
     ) -> "UserPoolDomain":
         '''Associate a domain to this user pool.
 
         :param id: -
         :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
         :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
+        :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
 
         :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
         '''
@@ -14198,7 +14136,9 @@ class _IUserPoolProxy(
             type_hints = typing.get_type_hints(_typecheckingstub__792921e0d9eecd6253eadd31c7fba82fdce9c0ba38f25dcba7dcd063e7b1a458)
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = UserPoolDomainOptions(
-            cognito_domain=cognito_domain, custom_domain=custom_domain
+            cognito_domain=cognito_domain,
+            custom_domain=custom_domain,
+            managed_login_version=managed_login_version,
         )
 
         return typing.cast("UserPoolDomain", jsii.invoke(self, "addDomain", [id, options]))
@@ -14589,6 +14529,39 @@ class LambdaVersion(enum.Enum):
     '''
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.ManagedLoginVersion")
+class ManagedLoginVersion(enum.Enum):
+    '''The branding version of managed login for the domain.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        pool = cognito.UserPool(self, "Pool")
+        
+        # Use the new managed login page
+        pool.add_domain("CognitoDomainWithBlandingDesignManagedLogin",
+            cognito_domain=cognito.CognitoDomainOptions(
+                domain_prefix="blanding-design-ui"
+            ),
+            managed_login_version=cognito.ManagedLoginVersion.NEWER_MANAGED_LOGIN
+        )
+        
+        # Use the classic hosted UI
+        pool.add_domain("DomainWithClassicHostedUi",
+            cognito_domain=cognito.CognitoDomainOptions(
+                domain_prefix="classic-hosted-ui"
+            ),
+            managed_login_version=cognito.ManagedLoginVersion.CLASSIC_HOSTED_UI
+        )
+    '''
+
+    CLASSIC_HOSTED_UI = "CLASSIC_HOSTED_UI"
+    '''The classic hosted UI.'''
+    NEWER_MANAGED_LOGIN = "NEWER_MANAGED_LOGIN"
+    '''The newer managed login with the branding designer.'''
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.Mfa")
 class Mfa(enum.Enum):
     '''The different ways in which a user pool's MFA enforcement can be configured.
@@ -15414,6 +15387,7 @@ class OidcEndpoints:
     jsii_struct_bases=[],
     name_mapping={
         "min_length": "minLength",
+        "password_history_size": "passwordHistorySize",
         "require_digits": "requireDigits",
         "require_lowercase": "requireLowercase",
         "require_symbols": "requireSymbols",
@@ -15426,6 +15400,7 @@ class PasswordPolicy:
         self,
         *,
         min_length: typing.Optional[jsii.Number] = None,
+        password_history_size: typing.Optional[jsii.Number] = None,
         require_digits: typing.Optional[builtins.bool] = None,
         require_lowercase: typing.Optional[builtins.bool] = None,
         require_symbols: typing.Optional[builtins.bool] = None,
@@ -15435,6 +15410,7 @@ class PasswordPolicy:
         '''Password policy for User Pools.
 
         :param min_length: Minimum length required for a user's password. Default: 8
+        :param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. ``passwordHistorySize`` can not be set when ``featurePlan`` is ``FeaturePlan.LITE``. Default: undefined - Cognito default setting is no restriction
         :param require_digits: Whether the user is required to have digits in their password. Default: true
         :param require_lowercase: Whether the user is required to have lowercase characters in their password. Default: true
         :param require_symbols: Whether the user is required to have symbols in their password. Default: true
@@ -15460,6 +15436,7 @@ class PasswordPolicy:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e884ae0f43a6b00e4ef287afca45bf6a9a7abbd94b7979efb6efa2a9cc11012b)
             check_type(argname="argument min_length", value=min_length, expected_type=type_hints["min_length"])
+            check_type(argname="argument password_history_size", value=password_history_size, expected_type=type_hints["password_history_size"])
             check_type(argname="argument require_digits", value=require_digits, expected_type=type_hints["require_digits"])
             check_type(argname="argument require_lowercase", value=require_lowercase, expected_type=type_hints["require_lowercase"])
             check_type(argname="argument require_symbols", value=require_symbols, expected_type=type_hints["require_symbols"])
@@ -15468,6 +15445,8 @@ class PasswordPolicy:
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if min_length is not None:
             self._values["min_length"] = min_length
+        if password_history_size is not None:
+            self._values["password_history_size"] = password_history_size
         if require_digits is not None:
             self._values["require_digits"] = require_digits
         if require_lowercase is not None:
@@ -15488,6 +15467,17 @@ class PasswordPolicy:
         result = self._values.get("min_length")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def password_history_size(self) -> typing.Optional[jsii.Number]:
+        '''The number of previous passwords that you want Amazon Cognito to restrict each user from reusing.
+
+        ``passwordHistorySize`` can not be set when ``featurePlan`` is ``FeaturePlan.LITE``.
+
+        :default: undefined - Cognito default setting is no restriction
+        '''
+        result = self._values.get("password_history_size")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     @builtins.property
     def require_digits(self) -> typing.Optional[builtins.bool]:
         '''Whether the user is required to have digits in their password.
@@ -15620,7 +15610,7 @@ class ProviderAttribute(
     @jsii.python.classproperty
     @jsii.member(jsii_name="APPLE_EMAIL_VERIFIED")
     def APPLE_EMAIL_VERIFIED(cls) -> "ProviderAttribute":
-        '''The email verified atribute provided by Apple.'''
+        '''The email verified attribute provided by Apple.'''
         return typing.cast("ProviderAttribute", jsii.sget(cls, "APPLE_EMAIL_VERIFIED"))
 
     @jsii.python.classproperty
@@ -16286,7 +16276,7 @@ class StandardAttributes:
         :param middle_name: The user's middle name. Default: - see the defaults under ``StandardAttribute``
         :param nickname: The user's nickname or casual name. Default: - see the defaults under ``StandardAttribute``
         :param phone_number: The user's telephone number. Default: - see the defaults under ``StandardAttribute``
-        :param preferred_username: The user's preffered username, different from the immutable user name. Default: - see the defaults under ``StandardAttribute``
+        :param preferred_username: The user's preferred username, different from the immutable user name. Default: - see the defaults under ``StandardAttribute``
         :param profile_page: The URL to the user's profile page. Default: - see the defaults under ``StandardAttribute``
         :param profile_picture: The URL to the user's profile picture. Default: - see the defaults under ``StandardAttribute``
         :param timezone: The user's time zone. Default: - see the defaults under ``StandardAttribute``
@@ -16516,7 +16506,7 @@ class StandardAttributes:
 
     @builtins.property
     def preferred_username(self) -> typing.Optional[StandardAttribute]:
-        '''The user's preffered username, different from the immutable user name.
+        '''The user's preferred username, different from the immutable user name.
 
         :default: - see the defaults under ``StandardAttribute``
         '''
@@ -16636,7 +16626,7 @@ class StandardAttributesMask:
         :param nickname: The user's nickname or casual name. Default: false
         :param phone_number: The user's telephone number. Default: false
         :param phone_number_verified: Whether the phone number has been verified. Default: false
-        :param preferred_username: The user's preffered username, different from the immutable user name. Default: false
+        :param preferred_username: The user's preferred username, different from the immutable user name. Default: false
         :param profile_page: The URL to the user's profile page. Default: false
         :param profile_picture: The URL to the user's profile picture. Default: false
         :param timezone: The user's time zone. Default: false
@@ -16648,7 +16638,7 @@ class StandardAttributesMask:
 
             pool = cognito.UserPool(self, "Pool")
             
-            client_write_attributes = (cognito.ClientAttributes()).with_standard_attributes(fullname=True, email=True).with_custom_attributes("favouritePizza", "favouriteBeverage")
+            client_write_attributes = (cognito.ClientAttributes()).with_standard_attributes(fullname=True, email=True).with_custom_attributes("favoritePizza", "favoriteBeverage")
             
             client_read_attributes = client_write_attributes.with_standard_attributes(email_verified=True).with_custom_attributes("pointsEarned")
             
@@ -16847,7 +16837,7 @@ class StandardAttributesMask:
 
     @builtins.property
     def preferred_username(self) -> typing.Optional[builtins.bool]:
-        '''The user's preffered username, different from the immutable user name.
+        '''The user's preferred username, different from the immutable user name.
 
         :default: false
         '''
@@ -17450,18 +17440,22 @@ class UserPool(
         *,
         cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        managed_login_version: typing.Optional[ManagedLoginVersion] = None,
     ) -> "UserPoolDomain":
         '''Associate a domain to this user pool.
 
         :param id: -
         :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
         :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
+        :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f9659a33214c6a8f47e5cc02aec61f89c8bd48113d0c9b3e32a81fef2d48a103)
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = UserPoolDomainOptions(
-            cognito_domain=cognito_domain, custom_domain=custom_domain
+            cognito_domain=cognito_domain,
+            custom_domain=custom_domain,
+            managed_login_version=managed_login_version,
         )
 
         return typing.cast("UserPoolDomain", jsii.invoke(self, "addDomain", [id, options]))
@@ -18514,6 +18508,7 @@ class UserPoolDomain(
         user_pool: IUserPool,
         cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        managed_login_version: typing.Optional[ManagedLoginVersion] = None,
     ) -> None:
         '''
         :param scope: -
@@ -18521,6 +18516,7 @@ class UserPoolDomain(
         :param user_pool: The user pool to which this domain should be associated.
         :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
         :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
+        :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__370554f0c705ae872638d9d90d00b13abf8230d3666aa0d882b882f94152b471)
@@ -18530,6 +18526,7 @@ class UserPoolDomain(
             user_pool=user_pool,
             cognito_domain=cognito_domain,
             custom_domain=custom_domain,
+            managed_login_version=managed_login_version,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -18623,7 +18620,11 @@ class UserPoolDomain(
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.UserPoolDomainOptions",
     jsii_struct_bases=[],
-    name_mapping={"cognito_domain": "cognitoDomain", "custom_domain": "customDomain"},
+    name_mapping={
+        "cognito_domain": "cognitoDomain",
+        "custom_domain": "customDomain",
+        "managed_login_version": "managedLoginVersion",
+    },
 )
 class UserPoolDomainOptions:
     def __init__(
@@ -18631,11 +18632,13 @@ class UserPoolDomainOptions:
         *,
         cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        managed_login_version: typing.Optional[ManagedLoginVersion] = None,
     ) -> None:
         '''Options to create a UserPoolDomain.
 
         :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
         :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
+        :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
 
         :exampleMetadata: infused
 
@@ -18667,11 +18670,14 @@ class UserPoolDomainOptions:
             type_hints = typing.get_type_hints(_typecheckingstub__4a5105d96e2071a7239518797c0a84f12539bde7c8fda8d40c7b23af679070c0)
             check_type(argname="argument cognito_domain", value=cognito_domain, expected_type=type_hints["cognito_domain"])
             check_type(argname="argument custom_domain", value=custom_domain, expected_type=type_hints["custom_domain"])
+            check_type(argname="argument managed_login_version", value=managed_login_version, expected_type=type_hints["managed_login_version"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if cognito_domain is not None:
             self._values["cognito_domain"] = cognito_domain
         if custom_domain is not None:
             self._values["custom_domain"] = custom_domain
+        if managed_login_version is not None:
+            self._values["managed_login_version"] = managed_login_version
 
     @builtins.property
     def cognito_domain(self) -> typing.Optional[CognitoDomainOptions]:
@@ -18695,6 +18701,19 @@ class UserPoolDomainOptions:
         result = self._values.get("custom_domain")
         return typing.cast(typing.Optional[CustomDomainOptions], result)
 
+    @builtins.property
+    def managed_login_version(self) -> typing.Optional[ManagedLoginVersion]:
+        '''A version that indicates the state of managed login.
+
+        This choice applies to all app clients that host services at the domain.
+
+        :default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html
+        '''
+        result = self._values.get("managed_login_version")
+        return typing.cast(typing.Optional[ManagedLoginVersion], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -18713,6 +18732,7 @@ class UserPoolDomainOptions:
     name_mapping={
         "cognito_domain": "cognitoDomain",
         "custom_domain": "customDomain",
+        "managed_login_version": "managedLoginVersion",
         "user_pool": "userPool",
     },
 )
@@ -18722,12 +18742,14 @@ class UserPoolDomainProps(UserPoolDomainOptions):
         *,
         cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        managed_login_version: typing.Optional[ManagedLoginVersion] = None,
         user_pool: IUserPool,
     ) -> None:
         '''Props for UserPoolDomain construct.
 
         :param cognito_domain: Associate a cognito prefix domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``customDomain`` is specified, otherwise, throws an error.
         :param custom_domain: Associate a custom domain with your user pool Either ``customDomain`` or ``cognitoDomain`` must be specified. Default: - not set if ``cognitoDomain`` is specified, otherwise, throws an error.
+        :param managed_login_version: A version that indicates the state of managed login. This choice applies to all app clients that host services at the domain. Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
         :param user_pool: The user pool to which this domain should be associated.
 
         :exampleMetadata: infused
@@ -18800,6 +18822,7 @@ class UserPoolDomainProps(UserPoolDomainOptions):
             type_hints = typing.get_type_hints(_typecheckingstub__4336d5dce146abd75b1697dd55937affe308b1524f218d9eb3835531c34f7baa)
             check_type(argname="argument cognito_domain", value=cognito_domain, expected_type=type_hints["cognito_domain"])
             check_type(argname="argument custom_domain", value=custom_domain, expected_type=type_hints["custom_domain"])
+            check_type(argname="argument managed_login_version", value=managed_login_version, expected_type=type_hints["managed_login_version"])
             check_type(argname="argument user_pool", value=user_pool, expected_type=type_hints["user_pool"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "user_pool": user_pool,
@@ -18808,6 +18831,8 @@ class UserPoolDomainProps(UserPoolDomainOptions):
             self._values["cognito_domain"] = cognito_domain
         if custom_domain is not None:
             self._values["custom_domain"] = custom_domain
+        if managed_login_version is not None:
+            self._values["managed_login_version"] = managed_login_version
 
     @builtins.property
     def cognito_domain(self) -> typing.Optional[CognitoDomainOptions]:
@@ -18831,6 +18856,19 @@ class UserPoolDomainProps(UserPoolDomainOptions):
         result = self._values.get("custom_domain")
         return typing.cast(typing.Optional[CustomDomainOptions], result)
 
+    @builtins.property
+    def managed_login_version(self) -> typing.Optional[ManagedLoginVersion]:
+        '''A version that indicates the state of managed login.
+
+        This choice applies to all app clients that host services at the domain.
+
+        :default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html
+        '''
+        result = self._values.get("managed_login_version")
+        return typing.cast(typing.Optional[ManagedLoginVersion], result)
+
     @builtins.property
     def user_pool(self) -> IUserPool:
         '''The user pool to which this domain should be associated.'''
@@ -22933,6 +22971,7 @@ __all__ = [
     "IUserPoolResourceServer",
     "KeepOriginalAttrs",
     "LambdaVersion",
+    "ManagedLoginVersion",
     "Mfa",
     "MfaSecondFactor",
     "NumberAttribute",
@@ -24636,7 +24675,7 @@ def _typecheckingstub__392de74de1133635a0d4d21dbd0cb3290007171e021625ff9a1259834
     id: builtins.str,
     *,
     user_pool_id: builtins.str,
-    client_metadata: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    client_metadata: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     desired_delivery_mediums: typing.Optional[typing.Sequence[builtins.str]] = None,
     force_alias_creation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     message_action: typing.Optional[builtins.str] = None,
@@ -24666,7 +24705,7 @@ def _typecheckingstub__feefc710cb336bda2be62c58dcbdfc764a535ab2e52aa19e44511aca0
     pass
 
 def _typecheckingstub__674b44537db9d65119536a886fe3b7990cd0df2f1aa1c3c2880711f8b302ae40(
-    value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]],
+    value: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -24718,7 +24757,7 @@ def _typecheckingstub__480fd17b16e7156f8c801d35ad2f0806c252a5a32182194061ca2a956
 def _typecheckingstub__382fb58e358860ff3016c5f0203cf6f5b59ab27ba70ef920ce589784afe54f17(
     *,
     user_pool_id: builtins.str,
-    client_metadata: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]] = None,
+    client_metadata: typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]] = None,
     desired_delivery_mediums: typing.Optional[typing.Sequence[builtins.str]] = None,
     force_alias_creation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     message_action: typing.Optional[builtins.str] = None,
@@ -24860,6 +24899,7 @@ def _typecheckingstub__792921e0d9eecd6253eadd31c7fba82fdce9c0ba38f25dcba7dcd063e
     *,
     cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    managed_login_version: typing.Optional[ManagedLoginVersion] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -24978,6 +25018,7 @@ def _typecheckingstub__4661d75bb2c69171e02ca544be91ebb3d950a95f070c8471007dc24e8
 def _typecheckingstub__e884ae0f43a6b00e4ef287afca45bf6a9a7abbd94b7979efb6efa2a9cc11012b(
     *,
     min_length: typing.Optional[jsii.Number] = None,
+    password_history_size: typing.Optional[jsii.Number] = None,
     require_digits: typing.Optional[builtins.bool] = None,
     require_lowercase: typing.Optional[builtins.bool] = None,
     require_symbols: typing.Optional[builtins.bool] = None,
@@ -25180,6 +25221,7 @@ def _typecheckingstub__f9659a33214c6a8f47e5cc02aec61f89c8bd48113d0c9b3e32a81fef2
     *,
     cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    managed_login_version: typing.Optional[ManagedLoginVersion] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -25314,6 +25356,7 @@ def _typecheckingstub__370554f0c705ae872638d9d90d00b13abf8230d3666aa0d882b882f94
     user_pool: IUserPool,
     cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    managed_login_version: typing.Optional[ManagedLoginVersion] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -25340,6 +25383,7 @@ def _typecheckingstub__4a5105d96e2071a7239518797c0a84f12539bde7c8fda8d40c7b23af6
     *,
     cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    managed_login_version: typing.Optional[ManagedLoginVersion] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -25348,6 +25392,7 @@ def _typecheckingstub__4336d5dce146abd75b1697dd55937affe308b1524f218d9eb3835531c
     *,
     cognito_domain: typing.Optional[typing.Union[CognitoDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_domain: typing.Optional[typing.Union[CustomDomainOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    managed_login_version: typing.Optional[ManagedLoginVersion] = None,
     user_pool: IUserPool,
 ) -> None:
     """Type checking stubs"""