aws-cdk-lib 2.178.2__py3-none-any.whl → 2.180.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -26,6 +26,8 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
       * [Code Verification](#code-verification)
       * [Link Verification](#link-verification)
     * [Sign In](#sign-in)
+
+      * [Choise-based authentication](#choice-based-authentication-passwordless-sign-in--passkey-sign-in)
     * [Attributes](#attributes)
     * [Attribute verification](#attribute-verification)
     * [Security](#security)
@@ -44,6 +46,10 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
     * [Resource Servers](#resource-servers)
     * [Domains](#domains)
     * [Deletion protection](#deletion-protection)
+    * [Analytics Configuration](#analytics-configuration)
+
+      * [When specifying a Pinpoint application from the same account](#when-specifying-a-pinpoint-application-from-the-same-account)
+      * [When specifying a Pinpoint application from a different account](#when-specifying-a-pinpoint-application-from-a-different-account)
 
 ## User Pools
 
@@ -214,6 +220,85 @@ cognito.UserPool(self, "myuserpool",
 A user pool can optionally ignore case when evaluating sign-ins. When `signInCaseSensitive` is false, Cognito will not
 check the capitalization of the alias when signing in. Default is true.
 
+#### Choice-based authentication: passwordless sign-in / passkey sign-in
+
+User pools can be configured to allow the following authentication methods in choice-based authentication:
+
+* Passwordless sign-in with email message one-time password
+* Passwordless sign-in with SMS message one-time password
+* Passkey (WebAuthn) sign-in
+
+To use choice-based authentication, [User pool feature plan](#user-pool-feature-plans) should be Essentials or higher.
+
+For details of authentication methods and client implementation, see [Manage authentication methods in AWS SDKs](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html).
+
+The following code configures a user pool with choice-based authentication enabled:
+
+```python
+user_pool = cognito.UserPool(self, "myuserpool",
+    sign_in_policy=cognito.SignInPolicy(
+        allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(
+            password=True,  # password authentication must be enabled
+            email_otp=True,  # enables email message one-time password
+            sms_otp=True,  # enables SMS message one-time password
+            passkey=True
+        )
+    )
+)
+
+# You should also configure the user pool client with USER_AUTH authentication flow allowed
+user_pool.add_client("myclient",
+    auth_flows=cognito.AuthFlow(user=True)
+)
+```
+
+⚠️ Enabling SMS message one-time password requires the AWS account be activated to SMS message sending.
+Learn more about [SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html).
+
+When enabling passkey sign-in, you should specify the authentication domain used as the relying party ID.
+Learn more about [passkey sign-in of user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey) and [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
+
+```python
+# Use the hosted Amazon Cognito domain as the relying party ID
+cognito.UserPool(self, "myuserpool",
+    sign_in_policy=cognito.SignInPolicy(
+        allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True, passkey=True)
+    ),
+    passkey_relying_party_id="myclientname.auth.region-name.amazoncognito.com"
+)
+
+# Use the custom domain as the relying party ID
+cognito.UserPool(self, "myuserpool",
+    sign_in_policy=cognito.SignInPolicy(
+        allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True, passkey=True)
+    ),
+    passkey_relying_party_id="auth.example.com"
+)
+```
+
+You can configure user verification to be preferred (default) or required. When you set user verification to preferred, users can set up authenticators that don't have the user verification capability, and registration and authentication operations can succeed without user verification. To mandate user verification in passkey registration and authentication, specify `passkeyUserVerification` to `PasskeyUserVerification.REQUIRED`.
+
+```python
+cognito.UserPool(self, "myuserpool",
+    sign_in_policy=cognito.SignInPolicy(
+        allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True, passkey=True)
+    ),
+    passkey_relying_party_id="auth.example.com",
+    passkey_user_verification=cognito.PasskeyUserVerification.REQUIRED
+)
+```
+
+To disable choice-based authentication explicitly, specify `password` only.
+
+```python
+cognito.UserPool(self, "myuserpool",
+    sign_in_policy=cognito.SignInPolicy(
+        allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True)
+    ),
+    feature_plan=cognito.FeaturePlan.LITE
+)
+```
+
 ### Attributes
 
 Attributes represent the various properties of each user that's collected and stored in the user pool. Cognito
@@ -1102,6 +1187,71 @@ user_pool.add_group("AnotherUserPoolGroup",
     group_name="another-group-name"
 )
 ```
+
+### Analytics Configuration
+
+User pool clients can be configured with Amazon Pinpoint analytics to collect user activity metrics. This integration enables you to track user engagement and campaign effectiveness.
+
+📝 Note: Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see [Amazon Cognito and Amazon Pinpoint Region availability](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings).
+
+The following example shows how to configure analytics for a user pool client:
+
+#### When specifying a Pinpoint application from the same account
+
+If you specify the `application` property, do not specify the `applicationId`, `externalId`, or `roleArn` properties.
+
+```python
+import aws_cdk.aws_pinpoint as pinpoint
+
+# user_pool: cognito.UserPool
+# pinpoint_app: pinpoint.CfnApp
+# pinpoint_role: iam.Role
+
+
+cognito.UserPoolClient(self, "Client",
+    user_pool=user_pool,
+    analytics=cognito.AnalyticsConfiguration(
+        # Your Pinpoint project
+        application=pinpoint_app,
+
+        # Whether to include user data in analytics events
+        share_user_data=True
+    )
+)
+```
+
+#### When specifying a Pinpoint application from a different account
+
+If you specify the `applicationId`, `externalId`, or `roleArn` properties, do not specify the `application` property.
+(In this case, the `applicationId`, `externalId`, and `roleArn` must all be specified.)
+
+Those three attributes are for the cases when Cognito user pool need to be connected to Pinpoint app in other account.
+
+```python
+import aws_cdk.aws_pinpoint as pinpoint
+
+# user_pool: cognito.UserPool
+# pinpoint_app: pinpoint.CfnApp
+# pinpoint_role: iam.Role
+
+
+cognito.UserPoolClient(self, "Client",
+    user_pool=user_pool,
+    analytics=cognito.AnalyticsConfiguration(
+        # Your Pinpoint project ID
+        application_id=pinpoint_app.ref,
+
+        # External ID for the IAM role
+        external_id="sample-external-id",
+
+        # IAM role that Cognito can assume to publish to Pinpoint
+        role=pinpoint_role,
+
+        # Whether to include user data in analytics events
+        share_user_data=True
+    )
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -1159,6 +1309,7 @@ from ..aws_iam import (
 )
 from ..aws_kms import IKey as _IKey_5f11635f
 from ..aws_lambda import IFunction as _IFunction_6adb0ab8
+from ..aws_pinpoint import CfnApp as _CfnApp_e8bac60b
 
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.AccountRecovery")
@@ -1231,6 +1382,247 @@ class AdvancedSecurityMode(enum.Enum):
     '''
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cognito.AllowedFirstAuthFactors",
+    jsii_struct_bases=[],
+    name_mapping={
+        "password": "password",
+        "email_otp": "emailOtp",
+        "passkey": "passkey",
+        "sms_otp": "smsOtp",
+    },
+)
+class AllowedFirstAuthFactors:
+    def __init__(
+        self,
+        *,
+        password: builtins.bool,
+        email_otp: typing.Optional[builtins.bool] = None,
+        passkey: typing.Optional[builtins.bool] = None,
+        sms_otp: typing.Optional[builtins.bool] = None,
+    ) -> None:
+        '''The types of authentication that you want to allow for users' first authentication prompt.
+
+        :param password: Whether the password authentication is allowed. This must be true.
+        :param email_otp: Whether the email message one-time password is allowed. Default: false
+        :param passkey: Whether the Passkey (WebAuthn) is allowed. Default: false
+        :param sms_otp: Whether the SMS message one-time password is allowed. Default: false
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice
+        :exampleMetadata: infused
+
+        Example::
+
+            cognito.UserPool(self, "myuserpool",
+                sign_in_policy=cognito.SignInPolicy(
+                    allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True, passkey=True)
+                ),
+                passkey_relying_party_id="auth.example.com",
+                passkey_user_verification=cognito.PasskeyUserVerification.REQUIRED
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8a30a69cc954e920b5bb7f1163c7b6bd8507e3477eca92e83467d77025b4258f)
+            check_type(argname="argument password", value=password, expected_type=type_hints["password"])
+            check_type(argname="argument email_otp", value=email_otp, expected_type=type_hints["email_otp"])
+            check_type(argname="argument passkey", value=passkey, expected_type=type_hints["passkey"])
+            check_type(argname="argument sms_otp", value=sms_otp, expected_type=type_hints["sms_otp"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "password": password,
+        }
+        if email_otp is not None:
+            self._values["email_otp"] = email_otp
+        if passkey is not None:
+            self._values["passkey"] = passkey
+        if sms_otp is not None:
+            self._values["sms_otp"] = sms_otp
+
+    @builtins.property
+    def password(self) -> builtins.bool:
+        '''Whether the password authentication is allowed.
+
+        This must be true.
+        '''
+        result = self._values.get("password")
+        assert result is not None, "Required property 'password' is missing"
+        return typing.cast(builtins.bool, result)
+
+    @builtins.property
+    def email_otp(self) -> typing.Optional[builtins.bool]:
+        '''Whether the email message one-time password is allowed.
+
+        :default: false
+        '''
+        result = self._values.get("email_otp")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def passkey(self) -> typing.Optional[builtins.bool]:
+        '''Whether the Passkey (WebAuthn) is allowed.
+
+        :default: false
+        '''
+        result = self._values.get("passkey")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def sms_otp(self) -> typing.Optional[builtins.bool]:
+        '''Whether the SMS message one-time password is allowed.
+
+        :default: false
+        '''
+        result = self._values.get("sms_otp")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AllowedFirstAuthFactors(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cognito.AnalyticsConfiguration",
+    jsii_struct_bases=[],
+    name_mapping={
+        "application": "application",
+        "application_id": "applicationId",
+        "external_id": "externalId",
+        "role": "role",
+        "share_user_data": "shareUserData",
+    },
+)
+class AnalyticsConfiguration:
+    def __init__(
+        self,
+        *,
+        application: typing.Optional[_CfnApp_e8bac60b] = None,
+        application_id: typing.Optional[builtins.str] = None,
+        external_id: typing.Optional[builtins.str] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+        share_user_data: typing.Optional[builtins.bool] = None,
+    ) -> None:
+        '''The settings for Amazon Pinpoint analytics configuration.
+
+        With an analytics configuration, your application can collect user-activity metrics for user notifications with an Amazon Pinpoint campaign.
+        Amazon Pinpoint isn't available in all AWS Regions.
+        For a list of available Regions, see Amazon Cognito and Amazon Pinpoint Region availability: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings.
+
+        :param application: The Amazon Pinpoint project that you want to connect to your user pool app client. Amazon Cognito publishes events to the Amazon Pinpoint project. You can also configure your application to pass an endpoint ID in the ``AnalyticsMetadata`` parameter of sign-in operations. The endpoint ID is information about the destination for push notifications. Default: - no configuration, you need to specify either ``application`` or all of ``applicationId``, ``externalId``, and ``role``.
+        :param application_id: Your Amazon Pinpoint project ID. Default: - no configuration, you need to specify either this property along with ``externalId`` and ``role`` or ``application``.
+        :param external_id: The external ID of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint. More info here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html Default: - no configuration, you need to specify either this property along with ``applicationId`` and ``role`` or ``application``.
+        :param role: The IAM role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics. Default: - no configuration, you need to specify either this property along with ``applicationId`` and ``externalId`` or ``application``.
+        :param share_user_data: If ``true``, Amazon Cognito includes user data in the events that it publishes to Amazon Pinpoint analytics. Default: - false
+
+        :exampleMetadata: infused
+
+        Example::
+
+            import aws_cdk.aws_pinpoint as pinpoint
+            
+            # user_pool: cognito.UserPool
+            # pinpoint_app: pinpoint.CfnApp
+            # pinpoint_role: iam.Role
+            
+            
+            cognito.UserPoolClient(self, "Client",
+                user_pool=user_pool,
+                analytics=cognito.AnalyticsConfiguration(
+                    # Your Pinpoint project
+                    application=pinpoint_app,
+            
+                    # Whether to include user data in analytics events
+                    share_user_data=True
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f67277ee392b3c256b3bd87e4afcb7bb83df8d226097757f9c92610348c4456b)
+            check_type(argname="argument application", value=application, expected_type=type_hints["application"])
+            check_type(argname="argument application_id", value=application_id, expected_type=type_hints["application_id"])
+            check_type(argname="argument external_id", value=external_id, expected_type=type_hints["external_id"])
+            check_type(argname="argument role", value=role, expected_type=type_hints["role"])
+            check_type(argname="argument share_user_data", value=share_user_data, expected_type=type_hints["share_user_data"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if application is not None:
+            self._values["application"] = application
+        if application_id is not None:
+            self._values["application_id"] = application_id
+        if external_id is not None:
+            self._values["external_id"] = external_id
+        if role is not None:
+            self._values["role"] = role
+        if share_user_data is not None:
+            self._values["share_user_data"] = share_user_data
+
+    @builtins.property
+    def application(self) -> typing.Optional[_CfnApp_e8bac60b]:
+        '''The Amazon Pinpoint project that you want to connect to your user pool app client.
+
+        Amazon Cognito publishes events to the Amazon Pinpoint project.
+        You can also configure your application to pass an endpoint ID in the ``AnalyticsMetadata`` parameter of sign-in operations.
+        The endpoint ID is information about the destination for push notifications.
+
+        :default: - no configuration, you need to specify either ``application`` or all of ``applicationId``, ``externalId``, and ``role``.
+        '''
+        result = self._values.get("application")
+        return typing.cast(typing.Optional[_CfnApp_e8bac60b], result)
+
+    @builtins.property
+    def application_id(self) -> typing.Optional[builtins.str]:
+        '''Your Amazon Pinpoint project ID.
+
+        :default: - no configuration, you need to specify either this property along with ``externalId`` and ``role`` or ``application``.
+        '''
+        result = self._values.get("application_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def external_id(self) -> typing.Optional[builtins.str]:
+        '''The external ID of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
+
+        More info here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
+
+        :default: - no configuration, you need to specify either this property along with ``applicationId`` and ``role`` or ``application``.
+        '''
+        result = self._values.get("external_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
+
+        :default: - no configuration, you need to specify either this property along with ``applicationId`` and ``externalId`` or ``application``.
+        '''
+        result = self._values.get("role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
+    @builtins.property
+    def share_user_data(self) -> typing.Optional[builtins.bool]:
+        '''If ``true``, Amazon Cognito includes user data in the events that it publishes to Amazon Pinpoint analytics.
+
+        :default: - false
+        '''
+        result = self._values.get("share_user_data")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "AnalyticsConfiguration(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.AttributeMapping",
     jsii_struct_bases=[],
@@ -1602,13 +1994,21 @@ class AuthFlow:
 
         Example::
 
-            pool = cognito.UserPool(self, "pool")
-            pool.add_client("app-client",
-                auth_flows=cognito.AuthFlow(
-                    user_password=True,
-                    user_srp=True
+            user_pool = cognito.UserPool(self, "myuserpool",
+                sign_in_policy=cognito.SignInPolicy(
+                    allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(
+                        password=True,  # password authentication must be enabled
+                        email_otp=True,  # enables email message one-time password
+                        sms_otp=True,  # enables SMS message one-time password
+                        passkey=True
+                    )
                 )
             )
+            
+            # You should also configure the user pool client with USER_AUTH authentication flow allowed
+            user_pool.add_client("myclient",
+                auth_flows=cognito.AuthFlow(user=True)
+            )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__3dd38e6e4617deee919f37d20a9ae635331043b4cf42c8d31fdbb0d3c29baeda)
@@ -9040,15 +9440,6 @@ class CfnUserPoolDomain(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrCloudFrontDistribution"))
 
-    @builtins.property
-    @jsii.member(jsii_name="attrId")
-    def attr_id(self) -> builtins.str:
-        '''The resource ID.
-
-        :cloudformationAttribute: Id
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrId"))
-
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -13810,6 +14201,16 @@ class FeaturePlan(enum.Enum):
     '''The user pool feature plan, or tier.
 
     :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
+    :exampleMetadata: infused
+
+    Example::
+
+        cognito.UserPool(self, "myuserpool",
+            sign_in_policy=cognito.SignInPolicy(
+                allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True)
+            ),
+            feature_plan=cognito.FeaturePlan.LITE
+        )
     '''
 
     LITE = "LITE"
@@ -13887,6 +14288,7 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         id: builtins.str,
         *,
         access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+        analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -13906,6 +14308,7 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
 
         :param id: -
         :param access_token_validity: Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
+        :param analytics: The analytics configuration for this client. Default: - no analytics configuration
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
@@ -14055,6 +14458,7 @@ class _IUserPoolProxy(
         id: builtins.str,
         *,
         access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+        analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -14074,6 +14478,7 @@ class _IUserPoolProxy(
 
         :param id: -
         :param access_token_validity: Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
+        :param analytics: The analytics configuration for this client. Default: - no analytics configuration
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
@@ -14096,6 +14501,7 @@ class _IUserPoolProxy(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = UserPoolClientOptions(
             access_token_validity=access_token_validity,
+            analytics=analytics,
             auth_flows=auth_flows,
             auth_session_validity=auth_session_validity,
             disable_o_auth=disable_o_auth,
@@ -15382,6 +15788,30 @@ class OidcEndpoints:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.PasskeyUserVerification")
+class PasskeyUserVerification(enum.Enum):
+    '''The user-pool treatment for MFA with a passkey.
+
+    :see: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey
+    :exampleMetadata: infused
+
+    Example::
+
+        cognito.UserPool(self, "myuserpool",
+            sign_in_policy=cognito.SignInPolicy(
+                allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True, passkey=True)
+            ),
+            passkey_relying_party_id="auth.example.com",
+            passkey_user_verification=cognito.PasskeyUserVerification.REQUIRED
+        )
+    '''
+
+    PREFERRED = "PREFERRED"
+    '''Passkey MFA is preferred.'''
+    REQUIRED = "REQUIRED"
+    '''Passkey MFA is required.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.PasswordPolicy",
     jsii_struct_bases=[],
@@ -16003,6 +16433,65 @@ class SignInAliases:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cognito.SignInPolicy",
+    jsii_struct_bases=[],
+    name_mapping={"allowed_first_auth_factors": "allowedFirstAuthFactors"},
+)
+class SignInPolicy:
+    def __init__(
+        self,
+        *,
+        allowed_first_auth_factors: typing.Optional[typing.Union[AllowedFirstAuthFactors, typing.Dict[builtins.str, typing.Any]]] = None,
+    ) -> None:
+        '''Sign-in policy for User Pools.
+
+        :param allowed_first_auth_factors: The types of authentication that you want to allow for users' first authentication prompt. Default: - Password only
+
+        :exampleMetadata: infused
+
+        Example::
+
+            cognito.UserPool(self, "myuserpool",
+                sign_in_policy=cognito.SignInPolicy(
+                    allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True, passkey=True)
+                ),
+                passkey_relying_party_id="auth.example.com",
+                passkey_user_verification=cognito.PasskeyUserVerification.REQUIRED
+            )
+        '''
+        if isinstance(allowed_first_auth_factors, dict):
+            allowed_first_auth_factors = AllowedFirstAuthFactors(**allowed_first_auth_factors)
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5bda8a1a812b13ba6dfe14c09bb234238503bd86905d8f363571b49c270280f4)
+            check_type(argname="argument allowed_first_auth_factors", value=allowed_first_auth_factors, expected_type=type_hints["allowed_first_auth_factors"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if allowed_first_auth_factors is not None:
+            self._values["allowed_first_auth_factors"] = allowed_first_auth_factors
+
+    @builtins.property
+    def allowed_first_auth_factors(self) -> typing.Optional[AllowedFirstAuthFactors]:
+        '''The types of authentication that you want to allow for users' first authentication prompt.
+
+        :default: - Password only
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice
+        '''
+        result = self._values.get("allowed_first_auth_factors")
+        return typing.cast(typing.Optional[AllowedFirstAuthFactors], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "SignInPolicy(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.SignInUrlOptions",
     jsii_struct_bases=[BaseUrlOptions],
@@ -17248,11 +17737,14 @@ class UserPool(
         mfa: typing.Optional[Mfa] = None,
         mfa_message: typing.Optional[builtins.str] = None,
         mfa_second_factor: typing.Optional[typing.Union[MfaSecondFactor, typing.Dict[builtins.str, typing.Any]]] = None,
+        passkey_relying_party_id: typing.Optional[builtins.str] = None,
+        passkey_user_verification: typing.Optional[PasskeyUserVerification] = None,
         password_policy: typing.Optional[typing.Union[PasswordPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
         self_sign_up_enabled: typing.Optional[builtins.bool] = None,
         sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
         sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
+        sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
         sms_role: typing.Optional[_IRole_235f5d8e] = None,
         sms_role_external_id: typing.Optional[builtins.str] = None,
         sns_region: typing.Optional[builtins.str] = None,
@@ -17279,11 +17771,14 @@ class UserPool(
         :param mfa: Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF
         :param mfa_message: The SMS message template sent during MFA verification. Use '{####}' in the template where Cognito should insert the verification code. Default: 'Your authentication code is {####}.'
         :param mfa_second_factor: Configure the MFA types that users can use in this user pool. Ignored if ``mfa`` is set to ``OFF``. Default: - { sms: true, otp: false, email: false }, if ``mfa`` is set to ``OPTIONAL`` or ``REQUIRED``. { sms: false, otp: false, email:false }, otherwise
+        :param passkey_relying_party_id: The authentication domain that passkey providers must use as a relying party (RP) in their configuration. Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain: - The user pool is configured for passkey authentication. - The user pool has a custom domain, whether or not it also has a prefix domain. - Your application performs authentication with managed login or the classic hosted UI. Default: - No authentication domain
+        :param passkey_user_verification: Your user-pool treatment for MFA with a passkey. You can override other MFA options and require passkey MFA, or you can set it as preferred. When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in. Default: - Cognito default setting is PasskeyUserVerification.PREFERRED
         :param password_policy: Password policy for this user pool. Default: - see defaults on each property of PasswordPolicy.
         :param removal_policy: Policy to apply when the user pool is removed from the stack. Default: RemovalPolicy.RETAIN
         :param self_sign_up_enabled: Whether self sign-up should be enabled. To configure self sign-up configuration use the ``userVerification`` property. Default: - false
         :param sign_in_aliases: Methods in which a user registers or signs in to a user pool. Allows either username with aliases OR sign in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html To match with 'Option 1' in the above link, with a verified email, this property should be set to ``{ username: true, email: true }``. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to ``{ email: true, phone: true }``. Default: { username: true }
         :param sign_in_case_sensitive: Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using either ``MyUsername`` or ``myusername``. Default: true
+        :param sign_in_policy: Sign-in policy for this user pool. Default: - see defaults on each property of SignInPolicy.
         :param sms_role: The IAM role that Cognito will assume while sending SMS messages. Default: - a new IAM role is created.
         :param sms_role_external_id: The 'ExternalId' that Cognito service must be using when assuming the ``smsRole``, if the role is restricted with an 'sts:ExternalId' conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if ``smsRole`` is not specified. Default: - No external id will be configured.
         :param sns_region: The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured. Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
@@ -17312,11 +17807,14 @@ class UserPool(
             mfa=mfa,
             mfa_message=mfa_message,
             mfa_second_factor=mfa_second_factor,
+            passkey_relying_party_id=passkey_relying_party_id,
+            passkey_user_verification=passkey_user_verification,
             password_policy=password_policy,
             removal_policy=removal_policy,
             self_sign_up_enabled=self_sign_up_enabled,
             sign_in_aliases=sign_in_aliases,
             sign_in_case_sensitive=sign_in_case_sensitive,
+            sign_in_policy=sign_in_policy,
             sms_role=sms_role,
             sms_role_external_id=sms_role_external_id,
             sns_region=sns_region,
@@ -17376,6 +17874,7 @@ class UserPool(
         id: builtins.str,
         *,
         access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+        analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -17395,6 +17894,7 @@ class UserPool(
 
         :param id: -
         :param access_token_validity: Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
+        :param analytics: The analytics configuration for this client. Default: - no analytics configuration
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
@@ -17415,6 +17915,7 @@ class UserPool(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = UserPoolClientOptions(
             access_token_validity=access_token_validity,
+            analytics=analytics,
             auth_flows=auth_flows,
             auth_session_validity=auth_session_validity,
             disable_o_auth=disable_o_auth,
@@ -17639,6 +18140,7 @@ class UserPoolClient(
         *,
         user_pool: IUserPool,
         access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+        analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -17659,6 +18161,7 @@ class UserPoolClient(
         :param id: -
         :param user_pool: The UserPool resource this client will have access to.
         :param access_token_validity: Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
+        :param analytics: The analytics configuration for this client. Default: - no analytics configuration
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
@@ -17681,6 +18184,7 @@ class UserPoolClient(
         props = UserPoolClientProps(
             user_pool=user_pool,
             access_token_validity=access_token_validity,
+            analytics=analytics,
             auth_flows=auth_flows,
             auth_session_validity=auth_session_validity,
             disable_o_auth=disable_o_auth,
@@ -17832,6 +18336,7 @@ class UserPoolClientIdentityProvider(
     jsii_struct_bases=[],
     name_mapping={
         "access_token_validity": "accessTokenValidity",
+        "analytics": "analytics",
         "auth_flows": "authFlows",
         "auth_session_validity": "authSessionValidity",
         "disable_o_auth": "disableOAuth",
@@ -17853,6 +18358,7 @@ class UserPoolClientOptions:
         self,
         *,
         access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+        analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -17871,6 +18377,7 @@ class UserPoolClientOptions:
         '''Options to create a UserPoolClient.
 
         :param access_token_validity: Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
+        :param analytics: The analytics configuration for this client. Default: - no analytics configuration
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
@@ -17902,6 +18409,8 @@ class UserPoolClientOptions:
                 )
             )
         '''
+        if isinstance(analytics, dict):
+            analytics = AnalyticsConfiguration(**analytics)
         if isinstance(auth_flows, dict):
             auth_flows = AuthFlow(**auth_flows)
         if isinstance(o_auth, dict):
@@ -17909,6 +18418,7 @@ class UserPoolClientOptions:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__80185296586b917ea24ebc48255c627ce95ec5c85ae2ab4e52736240b27429fc)
             check_type(argname="argument access_token_validity", value=access_token_validity, expected_type=type_hints["access_token_validity"])
+            check_type(argname="argument analytics", value=analytics, expected_type=type_hints["analytics"])
             check_type(argname="argument auth_flows", value=auth_flows, expected_type=type_hints["auth_flows"])
             check_type(argname="argument auth_session_validity", value=auth_session_validity, expected_type=type_hints["auth_session_validity"])
             check_type(argname="argument disable_o_auth", value=disable_o_auth, expected_type=type_hints["disable_o_auth"])
@@ -17926,6 +18436,8 @@ class UserPoolClientOptions:
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if access_token_validity is not None:
             self._values["access_token_validity"] = access_token_validity
+        if analytics is not None:
+            self._values["analytics"] = analytics
         if auth_flows is not None:
             self._values["auth_flows"] = auth_flows
         if auth_session_validity is not None:
@@ -17968,6 +18480,15 @@ class UserPoolClientOptions:
         result = self._values.get("access_token_validity")
         return typing.cast(typing.Optional[_Duration_4839e8c3], result)
 
+    @builtins.property
+    def analytics(self) -> typing.Optional[AnalyticsConfiguration]:
+        '''The analytics configuration for this client.
+
+        :default: - no analytics configuration
+        '''
+        result = self._values.get("analytics")
+        return typing.cast(typing.Optional[AnalyticsConfiguration], result)
+
     @builtins.property
     def auth_flows(self) -> typing.Optional[AuthFlow]:
         '''The set of OAuth authentication flows to enable on the client.
@@ -18148,6 +18669,7 @@ class UserPoolClientOptions:
     jsii_struct_bases=[UserPoolClientOptions],
     name_mapping={
         "access_token_validity": "accessTokenValidity",
+        "analytics": "analytics",
         "auth_flows": "authFlows",
         "auth_session_validity": "authSessionValidity",
         "disable_o_auth": "disableOAuth",
@@ -18170,6 +18692,7 @@ class UserPoolClientProps(UserPoolClientOptions):
         self,
         *,
         access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+        analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -18189,6 +18712,7 @@ class UserPoolClientProps(UserPoolClientOptions):
         '''Properties for the UserPoolClient construct.
 
         :param access_token_validity: Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
+        :param analytics: The analytics configuration for this client. Default: - no analytics configuration
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
@@ -18209,17 +18733,32 @@ class UserPoolClientProps(UserPoolClientOptions):
 
         Example::
 
-            # imported_pool: cognito.UserPool
+            import aws_cdk.aws_pinpoint as pinpoint
             
+            # user_pool: cognito.UserPool
+            # pinpoint_app: pinpoint.CfnApp
+            # pinpoint_role: iam.Role
             
-            user_pool_client = cognito.UserPoolClient(self, "UserPoolClient",
-                user_pool=imported_pool,
-                generate_secret=True
-            )
             
-            # Allows you to pass the generated secret to other pieces of infrastructure
-            secret = user_pool_client.user_pool_client_secret
+            cognito.UserPoolClient(self, "Client",
+                user_pool=user_pool,
+                analytics=cognito.AnalyticsConfiguration(
+                    # Your Pinpoint project ID
+                    application_id=pinpoint_app.ref,
+            
+                    # External ID for the IAM role
+                    external_id="sample-external-id",
+            
+                    # IAM role that Cognito can assume to publish to Pinpoint
+                    role=pinpoint_role,
+            
+                    # Whether to include user data in analytics events
+                    share_user_data=True
+                )
+            )
         '''
+        if isinstance(analytics, dict):
+            analytics = AnalyticsConfiguration(**analytics)
         if isinstance(auth_flows, dict):
             auth_flows = AuthFlow(**auth_flows)
         if isinstance(o_auth, dict):
@@ -18227,6 +18766,7 @@ class UserPoolClientProps(UserPoolClientOptions):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__95c8cad8419f2fd5def82ad39281b322b9ec6b2f7d891de939bf1e9036145948)
             check_type(argname="argument access_token_validity", value=access_token_validity, expected_type=type_hints["access_token_validity"])
+            check_type(argname="argument analytics", value=analytics, expected_type=type_hints["analytics"])
             check_type(argname="argument auth_flows", value=auth_flows, expected_type=type_hints["auth_flows"])
             check_type(argname="argument auth_session_validity", value=auth_session_validity, expected_type=type_hints["auth_session_validity"])
             check_type(argname="argument disable_o_auth", value=disable_o_auth, expected_type=type_hints["disable_o_auth"])
@@ -18247,6 +18787,8 @@ class UserPoolClientProps(UserPoolClientOptions):
         }
         if access_token_validity is not None:
             self._values["access_token_validity"] = access_token_validity
+        if analytics is not None:
+            self._values["analytics"] = analytics
         if auth_flows is not None:
             self._values["auth_flows"] = auth_flows
         if auth_session_validity is not None:
@@ -18289,6 +18831,15 @@ class UserPoolClientProps(UserPoolClientOptions):
         result = self._values.get("access_token_validity")
         return typing.cast(typing.Optional[_Duration_4839e8c3], result)
 
+    @builtins.property
+    def analytics(self) -> typing.Optional[AnalyticsConfiguration]:
+        '''The analytics configuration for this client.
+
+        :default: - no analytics configuration
+        '''
+        result = self._values.get("analytics")
+        return typing.cast(typing.Optional[AnalyticsConfiguration], result)
+
     @builtins.property
     def auth_flows(self) -> typing.Optional[AuthFlow]:
         '''The set of OAuth authentication flows to enable on the client.
@@ -20604,11 +21155,14 @@ class UserPoolOperation(
         "mfa": "mfa",
         "mfa_message": "mfaMessage",
         "mfa_second_factor": "mfaSecondFactor",
+        "passkey_relying_party_id": "passkeyRelyingPartyId",
+        "passkey_user_verification": "passkeyUserVerification",
         "password_policy": "passwordPolicy",
         "removal_policy": "removalPolicy",
         "self_sign_up_enabled": "selfSignUpEnabled",
         "sign_in_aliases": "signInAliases",
         "sign_in_case_sensitive": "signInCaseSensitive",
+        "sign_in_policy": "signInPolicy",
         "sms_role": "smsRole",
         "sms_role_external_id": "smsRoleExternalId",
         "sns_region": "snsRegion",
@@ -20637,11 +21191,14 @@ class UserPoolProps:
         mfa: typing.Optional[Mfa] = None,
         mfa_message: typing.Optional[builtins.str] = None,
         mfa_second_factor: typing.Optional[typing.Union[MfaSecondFactor, typing.Dict[builtins.str, typing.Any]]] = None,
+        passkey_relying_party_id: typing.Optional[builtins.str] = None,
+        passkey_user_verification: typing.Optional[PasskeyUserVerification] = None,
         password_policy: typing.Optional[typing.Union[PasswordPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
         self_sign_up_enabled: typing.Optional[builtins.bool] = None,
         sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
         sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
+        sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
         sms_role: typing.Optional[_IRole_235f5d8e] = None,
         sms_role_external_id: typing.Optional[builtins.str] = None,
         sns_region: typing.Optional[builtins.str] = None,
@@ -20667,11 +21224,14 @@ class UserPoolProps:
         :param mfa: Configure whether users of this user pool can or are required use MFA to sign in. Default: Mfa.OFF
         :param mfa_message: The SMS message template sent during MFA verification. Use '{####}' in the template where Cognito should insert the verification code. Default: 'Your authentication code is {####}.'
         :param mfa_second_factor: Configure the MFA types that users can use in this user pool. Ignored if ``mfa`` is set to ``OFF``. Default: - { sms: true, otp: false, email: false }, if ``mfa`` is set to ``OPTIONAL`` or ``REQUIRED``. { sms: false, otp: false, email:false }, otherwise
+        :param passkey_relying_party_id: The authentication domain that passkey providers must use as a relying party (RP) in their configuration. Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain: - The user pool is configured for passkey authentication. - The user pool has a custom domain, whether or not it also has a prefix domain. - Your application performs authentication with managed login or the classic hosted UI. Default: - No authentication domain
+        :param passkey_user_verification: Your user-pool treatment for MFA with a passkey. You can override other MFA options and require passkey MFA, or you can set it as preferred. When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in. Default: - Cognito default setting is PasskeyUserVerification.PREFERRED
         :param password_policy: Password policy for this user pool. Default: - see defaults on each property of PasswordPolicy.
         :param removal_policy: Policy to apply when the user pool is removed from the stack. Default: RemovalPolicy.RETAIN
         :param self_sign_up_enabled: Whether self sign-up should be enabled. To configure self sign-up configuration use the ``userVerification`` property. Default: - false
         :param sign_in_aliases: Methods in which a user registers or signs in to a user pool. Allows either username with aliases OR sign in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html To match with 'Option 1' in the above link, with a verified email, this property should be set to ``{ username: true, email: true }``. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to ``{ email: true, phone: true }``. Default: { username: true }
         :param sign_in_case_sensitive: Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using either ``MyUsername`` or ``myusername``. Default: true
+        :param sign_in_policy: Sign-in policy for this user pool. Default: - see defaults on each property of SignInPolicy.
         :param sms_role: The IAM role that Cognito will assume while sending SMS messages. Default: - a new IAM role is created.
         :param sms_role_external_id: The 'ExternalId' that Cognito service must be using when assuming the ``smsRole``, if the role is restricted with an 'sts:ExternalId' conditional. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html This property will be ignored if ``smsRole`` is not specified. Default: - No external id will be configured.
         :param sns_region: The region to integrate with SNS to send SMS messages. This property will do nothing if SMS configuration is not configured. Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
@@ -20685,14 +21245,11 @@ class UserPoolProps:
         Example::
 
             cognito.UserPool(self, "myuserpool",
-                # ...
-                self_sign_up_enabled=True,
-                user_verification=cognito.UserVerificationConfig(
-                    email_subject="Verify your email for our awesome app!",
-                    email_body="Thanks for signing up to our awesome app! Your verification code is {####}",
-                    email_style=cognito.VerificationEmailStyle.CODE,
-                    sms_message="Thanks for signing up to our awesome app! Your verification code is {####}"
-                )
+                sign_in_policy=cognito.SignInPolicy(
+                    allowed_first_auth_factors=cognito.AllowedFirstAuthFactors(password=True, passkey=True)
+                ),
+                passkey_relying_party_id="auth.example.com",
+                passkey_user_verification=cognito.PasskeyUserVerification.REQUIRED
             )
         '''
         if isinstance(auto_verify, dict):
@@ -20709,6 +21266,8 @@ class UserPoolProps:
             password_policy = PasswordPolicy(**password_policy)
         if isinstance(sign_in_aliases, dict):
             sign_in_aliases = SignInAliases(**sign_in_aliases)
+        if isinstance(sign_in_policy, dict):
+            sign_in_policy = SignInPolicy(**sign_in_policy)
         if isinstance(standard_attributes, dict):
             standard_attributes = StandardAttributes(**standard_attributes)
         if isinstance(user_invitation, dict):
@@ -20732,11 +21291,14 @@ class UserPoolProps:
             check_type(argname="argument mfa", value=mfa, expected_type=type_hints["mfa"])
             check_type(argname="argument mfa_message", value=mfa_message, expected_type=type_hints["mfa_message"])
             check_type(argname="argument mfa_second_factor", value=mfa_second_factor, expected_type=type_hints["mfa_second_factor"])
+            check_type(argname="argument passkey_relying_party_id", value=passkey_relying_party_id, expected_type=type_hints["passkey_relying_party_id"])
+            check_type(argname="argument passkey_user_verification", value=passkey_user_verification, expected_type=type_hints["passkey_user_verification"])
             check_type(argname="argument password_policy", value=password_policy, expected_type=type_hints["password_policy"])
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
             check_type(argname="argument self_sign_up_enabled", value=self_sign_up_enabled, expected_type=type_hints["self_sign_up_enabled"])
             check_type(argname="argument sign_in_aliases", value=sign_in_aliases, expected_type=type_hints["sign_in_aliases"])
             check_type(argname="argument sign_in_case_sensitive", value=sign_in_case_sensitive, expected_type=type_hints["sign_in_case_sensitive"])
+            check_type(argname="argument sign_in_policy", value=sign_in_policy, expected_type=type_hints["sign_in_policy"])
             check_type(argname="argument sms_role", value=sms_role, expected_type=type_hints["sms_role"])
             check_type(argname="argument sms_role_external_id", value=sms_role_external_id, expected_type=type_hints["sms_role_external_id"])
             check_type(argname="argument sns_region", value=sns_region, expected_type=type_hints["sns_region"])
@@ -20775,6 +21337,10 @@ class UserPoolProps:
             self._values["mfa_message"] = mfa_message
         if mfa_second_factor is not None:
             self._values["mfa_second_factor"] = mfa_second_factor
+        if passkey_relying_party_id is not None:
+            self._values["passkey_relying_party_id"] = passkey_relying_party_id
+        if passkey_user_verification is not None:
+            self._values["passkey_user_verification"] = passkey_user_verification
         if password_policy is not None:
             self._values["password_policy"] = password_policy
         if removal_policy is not None:
@@ -20785,6 +21351,8 @@ class UserPoolProps:
             self._values["sign_in_aliases"] = sign_in_aliases
         if sign_in_case_sensitive is not None:
             self._values["sign_in_case_sensitive"] = sign_in_case_sensitive
+        if sign_in_policy is not None:
+            self._values["sign_in_policy"] = sign_in_policy
         if sms_role is not None:
             self._values["sms_role"] = sms_role
         if sms_role_external_id is not None:
@@ -20965,6 +21533,33 @@ class UserPoolProps:
         result = self._values.get("mfa_second_factor")
         return typing.cast(typing.Optional[MfaSecondFactor], result)
 
+    @builtins.property
+    def passkey_relying_party_id(self) -> typing.Optional[builtins.str]:
+        '''The authentication domain that passkey providers must use as a relying party (RP) in their configuration.
+
+        Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain:
+
+        - The user pool is configured for passkey authentication.
+        - The user pool has a custom domain, whether or not it also has a prefix domain.
+        - Your application performs authentication with managed login or the classic hosted UI.
+
+        :default: - No authentication domain
+        '''
+        result = self._values.get("passkey_relying_party_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def passkey_user_verification(self) -> typing.Optional[PasskeyUserVerification]:
+        '''Your user-pool treatment for MFA with a passkey.
+
+        You can override other MFA options and require passkey MFA, or you can set it as preferred.
+        When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in.
+
+        :default: - Cognito default setting is PasskeyUserVerification.PREFERRED
+        '''
+        result = self._values.get("passkey_user_verification")
+        return typing.cast(typing.Optional[PasskeyUserVerification], result)
+
     @builtins.property
     def password_policy(self) -> typing.Optional[PasswordPolicy]:
         '''Password policy for this user pool.
@@ -21023,6 +21618,15 @@ class UserPoolProps:
         result = self._values.get("sign_in_case_sensitive")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def sign_in_policy(self) -> typing.Optional[SignInPolicy]:
+        '''Sign-in policy for this user pool.
+
+        :default: - see defaults on each property of SignInPolicy.
+        '''
+        result = self._values.get("sign_in_policy")
+        return typing.cast(typing.Optional[SignInPolicy], result)
+
     @builtins.property
     def sms_role(self) -> typing.Optional[_IRole_235f5d8e]:
         '''The IAM role that Cognito will assume while sending SMS messages.
@@ -22918,6 +23522,8 @@ class UserPoolIdentityProviderOidcProps(UserPoolIdentityProviderProps):
 __all__ = [
     "AccountRecovery",
     "AdvancedSecurityMode",
+    "AllowedFirstAuthFactors",
+    "AnalyticsConfiguration",
     "AttributeMapping",
     "AuthFlow",
     "AutoVerifiedAttrs",
@@ -22982,11 +23588,13 @@ __all__ = [
     "OAuthSettings",
     "OidcAttributeRequestMethod",
     "OidcEndpoints",
+    "PasskeyUserVerification",
     "PasswordPolicy",
     "ProviderAttribute",
     "ResourceServerScope",
     "ResourceServerScopeProps",
     "SignInAliases",
+    "SignInPolicy",
     "SignInUrlOptions",
     "SigningAlgorithm",
     "StandardAttribute",
@@ -23038,6 +23646,27 @@ __all__ = [
 
 publication.publish()
 
+def _typecheckingstub__8a30a69cc954e920b5bb7f1163c7b6bd8507e3477eca92e83467d77025b4258f(
+    *,
+    password: builtins.bool,
+    email_otp: typing.Optional[builtins.bool] = None,
+    passkey: typing.Optional[builtins.bool] = None,
+    sms_otp: typing.Optional[builtins.bool] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f67277ee392b3c256b3bd87e4afcb7bb83df8d226097757f9c92610348c4456b(
+    *,
+    application: typing.Optional[_CfnApp_e8bac60b] = None,
+    application_id: typing.Optional[builtins.str] = None,
+    external_id: typing.Optional[builtins.str] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+    share_user_data: typing.Optional[builtins.bool] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__1994c9f3057f350dfde37c21bef42d2ad1a87ae2900a0e48fd7c2506ddbeca5d(
     *,
     address: typing.Optional[ProviderAttribute] = None,
@@ -24876,6 +25505,7 @@ def _typecheckingstub__6eaa0ebaf797c6ac4bac11bd73d9ad61c50892a9450e0ff5880903434
     id: builtins.str,
     *,
     access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+    analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -25052,6 +25682,13 @@ def _typecheckingstub__1f85eb7769fbc2d73d7ddedb7d58312be06c85b0446415fcf926cc1e5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__5bda8a1a812b13ba6dfe14c09bb234238503bd86905d8f363571b49c270280f4(
+    *,
+    allowed_first_auth_factors: typing.Optional[typing.Union[AllowedFirstAuthFactors, typing.Dict[builtins.str, typing.Any]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__27aae9c398fe91d31540649394c2469df625de6993272c3b3cff19edc49ec8fa(
     *,
     fips: typing.Optional[builtins.bool] = None,
@@ -25162,11 +25799,14 @@ def _typecheckingstub__677a8ec9a3f2a22d2dfde6fd6818121e4a071dc4e942f6bbe219e5a9b
     mfa: typing.Optional[Mfa] = None,
     mfa_message: typing.Optional[builtins.str] = None,
     mfa_second_factor: typing.Optional[typing.Union[MfaSecondFactor, typing.Dict[builtins.str, typing.Any]]] = None,
+    passkey_relying_party_id: typing.Optional[builtins.str] = None,
+    passkey_user_verification: typing.Optional[PasskeyUserVerification] = None,
     password_policy: typing.Optional[typing.Union[PasswordPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     self_sign_up_enabled: typing.Optional[builtins.bool] = None,
     sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
     sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
+    sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
     sms_role: typing.Optional[_IRole_235f5d8e] = None,
     sms_role_external_id: typing.Optional[builtins.str] = None,
     sns_region: typing.Optional[builtins.str] = None,
@@ -25198,6 +25838,7 @@ def _typecheckingstub__b4ce1f762a6eeaca3920ca827a1685cfa2b670f96aa13d8cfdded4055
     id: builtins.str,
     *,
     access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+    analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -25274,6 +25915,7 @@ def _typecheckingstub__e654de9921a676ab8214720f2ab2c7f212d67a62531595c721560e88c
     *,
     user_pool: IUserPool,
     access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+    analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -25309,6 +25951,7 @@ def _typecheckingstub__14e7f4addf6b16821bea1f99db58ec36907e80587b70ed61044c1372d
 def _typecheckingstub__80185296586b917ea24ebc48255c627ce95ec5c85ae2ab4e52736240b27429fc(
     *,
     access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+    analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -25330,6 +25973,7 @@ def _typecheckingstub__80185296586b917ea24ebc48255c627ce95ec5c85ae2ab4e52736240b
 def _typecheckingstub__95c8cad8419f2fd5def82ad39281b322b9ec6b2f7d891de939bf1e9036145948(
     *,
     access_token_validity: typing.Optional[_Duration_4839e8c3] = None,
+    analytics: typing.Optional[typing.Union[AnalyticsConfiguration, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
@@ -25615,11 +26259,14 @@ def _typecheckingstub__754b1af40b4712720733e130c63a8ec0ca9a35d4cfb25450725d5aa02
     mfa: typing.Optional[Mfa] = None,
     mfa_message: typing.Optional[builtins.str] = None,
     mfa_second_factor: typing.Optional[typing.Union[MfaSecondFactor, typing.Dict[builtins.str, typing.Any]]] = None,
+    passkey_relying_party_id: typing.Optional[builtins.str] = None,
+    passkey_user_verification: typing.Optional[PasskeyUserVerification] = None,
     password_policy: typing.Optional[typing.Union[PasswordPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     self_sign_up_enabled: typing.Optional[builtins.bool] = None,
     sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
     sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
+    sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
     sms_role: typing.Optional[_IRole_235f5d8e] = None,
     sms_role_external_id: typing.Optional[builtins.str] = None,
     sns_region: typing.Optional[builtins.str] = None,