aws-cdk-lib 2.195.0__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -1002,6 +1002,17 @@ user_pool_client = cognito.UserPoolClient(self, "UserPoolClient",
 )
 ```
 
+[Refresh token rotation](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#using-the-refresh-token-rotation)
+can be configured to enable automatic rotation of refresh tokens. By default, refresh token rotation is disabled. When the refreshTokenRotationGracePeriod is 0, the grace period is disabled and a successful request immediately invalidates the submitted refresh token.
+
+```python
+pool = cognito.UserPool(self, "Pool")
+pool.add_client("app-client",
+    # ...
+    refresh_token_rotation_grace_period=Duration.seconds(40)
+)
+```
+
 See [Adding user device and session data to API requests](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint) for more information.
 
 ### Resource Servers
@@ -1313,14 +1324,45 @@ from .. import (
     TreeInspector as _TreeInspector_488e0dd5,
 )
 from ..aws_certificatemanager import ICertificate as _ICertificate_c194c70b
-from ..aws_iam import (
-    Grant as _Grant_a7ae64f8,
-    IGrantable as _IGrantable_71c4f5de,
-    IRole as _IRole_235f5d8e,
-)
-from ..aws_kms import IKey as _IKey_5f11635f
+from ..aws_iam import Grant as _Grant_a7ae64f8, IGrantable as _IGrantable_71c4f5de
 from ..aws_lambda import IFunction as _IFunction_6adb0ab8
 from ..aws_pinpoint import CfnApp as _CfnApp_e8bac60b
+from ..interfaces.aws_cognito import (
+    IIdentityPoolPrincipalTagRef as _IIdentityPoolPrincipalTagRef_9e692705,
+    IIdentityPoolRef as _IIdentityPoolRef_5cf45895,
+    IIdentityPoolRoleAttachmentRef as _IIdentityPoolRoleAttachmentRef_2e8a15ee,
+    ILogDeliveryConfigurationRef as _ILogDeliveryConfigurationRef_0c0b6844,
+    IManagedLoginBrandingRef as _IManagedLoginBrandingRef_2fdc5419,
+    ITermsRef as _ITermsRef_3aea4e86,
+    IUserPoolClientRef as _IUserPoolClientRef_4466eeba,
+    IUserPoolDomainRef as _IUserPoolDomainRef_2fa54b0c,
+    IUserPoolGroupRef as _IUserPoolGroupRef_89b16d48,
+    IUserPoolIdentityProviderRef as _IUserPoolIdentityProviderRef_935eed62,
+    IUserPoolRef as _IUserPoolRef_0b7d02b5,
+    IUserPoolResourceServerRef as _IUserPoolResourceServerRef_fda874c5,
+    IUserPoolRiskConfigurationAttachmentRef as _IUserPoolRiskConfigurationAttachmentRef_b5390b06,
+    IUserPoolUICustomizationAttachmentRef as _IUserPoolUICustomizationAttachmentRef_855e6497,
+    IUserPoolUserRef as _IUserPoolUserRef_cbf1b211,
+    IUserPoolUserToGroupAttachmentRef as _IUserPoolUserToGroupAttachmentRef_04a5a41e,
+    IdentityPoolPrincipalTagReference as _IdentityPoolPrincipalTagReference_aaa53261,
+    IdentityPoolReference as _IdentityPoolReference_3ad34644,
+    IdentityPoolRoleAttachmentReference as _IdentityPoolRoleAttachmentReference_d6aa4828,
+    LogDeliveryConfigurationReference as _LogDeliveryConfigurationReference_3ea56b01,
+    ManagedLoginBrandingReference as _ManagedLoginBrandingReference_f305ff72,
+    TermsReference as _TermsReference_01199e92,
+    UserPoolClientReference as _UserPoolClientReference_2e04ee48,
+    UserPoolDomainReference as _UserPoolDomainReference_8e0aecda,
+    UserPoolGroupReference as _UserPoolGroupReference_5e435fdd,
+    UserPoolIdentityProviderReference as _UserPoolIdentityProviderReference_a5d59f88,
+    UserPoolReference as _UserPoolReference_0ef20aae,
+    UserPoolResourceServerReference as _UserPoolResourceServerReference_5b196bf5,
+    UserPoolRiskConfigurationAttachmentReference as _UserPoolRiskConfigurationAttachmentReference_815104e9,
+    UserPoolUICustomizationAttachmentReference as _UserPoolUICustomizationAttachmentReference_2c1e7860,
+    UserPoolUserReference as _UserPoolUserReference_b50e0a97,
+    UserPoolUserToGroupAttachmentReference as _UserPoolUserToGroupAttachmentReference_fa1a0479,
+)
+from ..interfaces.aws_iam import IRoleRef as _IRoleRef_8400221f
+from ..interfaces.aws_kms import IKeyRef as _IKeyRef_d4fc6ef3
 
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.AccountRecovery")
@@ -1515,7 +1557,7 @@ class AnalyticsConfiguration:
         application: typing.Optional[_CfnApp_e8bac60b] = None,
         application_id: typing.Optional[builtins.str] = None,
         external_id: typing.Optional[builtins.str] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional[_IRoleRef_8400221f] = None,
         share_user_data: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''The settings for Amazon Pinpoint analytics configuration.
@@ -1605,13 +1647,13 @@ class AnalyticsConfiguration:
         return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+    def role(self) -> typing.Optional[_IRoleRef_8400221f]:
         '''The IAM role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
 
         :default: - no configuration, you need to specify either this property along with ``applicationId`` and ``externalId`` or ``application``.
         '''
         result = self._values.get("role")
-        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+        return typing.cast(typing.Optional[_IRoleRef_8400221f], result)
 
     @builtins.property
     def share_user_data(self) -> typing.Optional[builtins.bool]:
@@ -2219,7 +2261,7 @@ class BaseUrlOptions:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _IIdentityPoolRef_5cf45895, _ITaggableV2_4e6798f8)
 class CfnIdentityPool(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2264,7 +2306,8 @@ class CfnIdentityPool(
         saml_provider_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         supported_login_providers: typing.Any = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::IdentityPool``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param allow_unauthenticated_identities: Specifies whether the identity pool supports unauthenticated logins.
@@ -2301,6 +2344,27 @@ class CfnIdentityPool(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="fromIdentityPoolId")
+    @builtins.classmethod
+    def from_identity_pool_id(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        identity_pool_id: builtins.str,
+    ) -> _IIdentityPoolRef_5cf45895:
+        '''Creates a new IIdentityPoolRef from a identityPoolId.
+
+        :param scope: -
+        :param id: -
+        :param identity_pool_id: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__23c766eb59af70f92541dfd9c9cae67b99255f21efd59868b8feff44354f4e77)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument identity_pool_id", value=identity_pool_id, expected_type=type_hints["identity_pool_id"])
+        return typing.cast(_IIdentityPoolRef_5cf45895, jsii.sinvoke(cls, "fromIdentityPoolId", [scope, id, identity_pool_id]))
+
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -2359,6 +2423,12 @@ class CfnIdentityPool(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="identityPoolRef")
+    def identity_pool_ref(self) -> _IdentityPoolReference_3ad34644:
+        '''A reference to a IdentityPool resource.'''
+        return typing.cast(_IdentityPoolReference_3ad34644, jsii.get(self, "identityPoolRef"))
+
     @builtins.property
     @jsii.member(jsii_name="allowUnauthenticatedIdentities")
     def allow_unauthenticated_identities(
@@ -2817,7 +2887,7 @@ class CfnIdentityPool(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IIdentityPoolPrincipalTagRef_9e692705)
 class CfnIdentityPoolPrincipalTag(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2857,7 +2927,8 @@ class CfnIdentityPoolPrincipalTag(
         principal_tags: typing.Any = None,
         use_defaults: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::IdentityPoolPrincipalTag``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param identity_pool_id: The identity pool that you want to associate with this principal tag map.
@@ -2913,6 +2984,14 @@ class CfnIdentityPoolPrincipalTag(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="identityPoolPrincipalTagRef")
+    def identity_pool_principal_tag_ref(
+        self,
+    ) -> _IdentityPoolPrincipalTagReference_aaa53261:
+        '''A reference to a IdentityPoolPrincipalTag resource.'''
+        return typing.cast(_IdentityPoolPrincipalTagReference_aaa53261, jsii.get(self, "identityPoolPrincipalTagRef"))
+
     @builtins.property
     @jsii.member(jsii_name="identityPoolId")
     def identity_pool_id(self) -> builtins.str:
@@ -3338,7 +3417,7 @@ class CfnIdentityPoolProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IIdentityPoolRoleAttachmentRef_2e8a15ee)
 class CfnIdentityPoolRoleAttachment(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3392,7 +3471,8 @@ class CfnIdentityPoolRoleAttachment(
         role_mappings: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentityPoolRoleAttachment.RoleMappingProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         roles: typing.Any = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::IdentityPoolRoleAttachment``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param identity_pool_id: An identity pool ID in the format ``REGION:GUID`` .
@@ -3453,6 +3533,14 @@ class CfnIdentityPoolRoleAttachment(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="identityPoolRoleAttachmentRef")
+    def identity_pool_role_attachment_ref(
+        self,
+    ) -> _IdentityPoolRoleAttachmentReference_d6aa4828:
+        '''A reference to a IdentityPoolRoleAttachment resource.'''
+        return typing.cast(_IdentityPoolRoleAttachmentReference_d6aa4828, jsii.get(self, "identityPoolRoleAttachmentRef"))
+
     @builtins.property
     @jsii.member(jsii_name="identityPoolId")
     def identity_pool_id(self) -> builtins.str:
@@ -3923,7 +4011,7 @@ class CfnIdentityPoolRoleAttachmentProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ILogDeliveryConfigurationRef_0c0b6844)
 class CfnLogDeliveryConfiguration(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3971,7 +4059,8 @@ class CfnLogDeliveryConfiguration(
         user_pool_id: builtins.str,
         log_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLogDeliveryConfiguration.LogConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::LogDeliveryConfiguration``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The ID of the user pool where you configured logging.
@@ -4031,6 +4120,14 @@ class CfnLogDeliveryConfiguration(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="logDeliveryConfigurationRef")
+    def log_delivery_configuration_ref(
+        self,
+    ) -> _LogDeliveryConfigurationReference_3ea56b01:
+        '''A reference to a LogDeliveryConfiguration resource.'''
+        return typing.cast(_LogDeliveryConfigurationReference_3ea56b01, jsii.get(self, "logDeliveryConfigurationRef"))
+
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
@@ -4454,7 +4551,7 @@ class CfnLogDeliveryConfigurationProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IManagedLoginBrandingRef_2fdc5419)
 class CfnManagedLoginBranding(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4514,14 +4611,15 @@ class CfnManagedLoginBranding(
         settings: typing.Any = None,
         use_cognito_provided_values: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::ManagedLoginBranding``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The user pool where the branding style is assigned.
         :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
-        :param client_id: The app client that's assigned to the branding style that you want more information about.
+        :param client_id: The app client that you want to assign the branding style to. Each style is linked to an app client until you delete it.
         :param return_merged_resources: When ``true`` , returns values for branding options that are unchanged from Amazon Cognito defaults. When ``false`` or when you omit this parameter, returns only values that you customized in your branding style.
-        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style. The following components are not currently implemented and reserved for future use: - ``signUp`` - ``instructions`` - ``sessionTimerDisplay`` - ``languageSelector`` (for localization, see `Managed login localization) <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization>`_
         :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding editor. When you specify ``true`` for this option, you must also omit values for ``Settings`` and ``Assets`` in the request.
         '''
         if __debug__:
@@ -4583,6 +4681,12 @@ class CfnManagedLoginBranding(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="managedLoginBrandingRef")
+    def managed_login_branding_ref(self) -> _ManagedLoginBrandingReference_f305ff72:
+        '''A reference to a ManagedLoginBranding resource.'''
+        return typing.cast(_ManagedLoginBrandingReference_f305ff72, jsii.get(self, "managedLoginBrandingRef"))
+
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
@@ -4617,7 +4721,7 @@ class CfnManagedLoginBranding(
     @builtins.property
     @jsii.member(jsii_name="clientId")
     def client_id(self) -> typing.Optional[builtins.str]:
-        '''The app client that's assigned to the branding style that you want more information about.'''
+        '''The app client that you want to assign the branding style to.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "clientId"))
 
     @client_id.setter
@@ -4832,9 +4936,9 @@ class CfnManagedLoginBrandingProps:
 
         :param user_pool_id: The user pool where the branding style is assigned.
         :param assets: An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
-        :param client_id: The app client that's assigned to the branding style that you want more information about.
+        :param client_id: The app client that you want to assign the branding style to. Each style is linked to an app client until you delete it.
         :param return_merged_resources: When ``true`` , returns values for branding options that are unchanged from Amazon Cognito defaults. When ``false`` or when you omit this parameter, returns only values that you customized in your branding style.
-        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
+        :param settings: A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style. The following components are not currently implemented and reserved for future use: - ``signUp`` - ``instructions`` - ``sessionTimerDisplay`` - ``languageSelector`` (for localization, see `Managed login localization) <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization>`_
         :param use_cognito_provided_values: When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding editor. When you specify ``true`` for this option, you must also omit values for ``Settings`` and ``Assets`` in the request.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html
@@ -4914,7 +5018,9 @@ class CfnManagedLoginBrandingProps:
 
     @builtins.property
     def client_id(self) -> typing.Optional[builtins.str]:
-        '''The app client that's assigned to the branding style that you want more information about.
+        '''The app client that you want to assign the branding style to.
+
+        Each style is linked to an app client until you delete it.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-clientid
         '''
@@ -4938,6 +5044,13 @@ class CfnManagedLoginBrandingProps:
     def settings(self) -> typing.Any:
         '''A JSON file, encoded as a ``Document`` type, with the the settings that you want to apply to your style.
 
+        The following components are not currently implemented and reserved for future use:
+
+        - ``signUp``
+        - ``instructions``
+        - ``sessionTimerDisplay``
+        - ``languageSelector`` (for localization, see `Managed login localization) <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization>`_
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-settings
         '''
         result = self._values.get("settings")
@@ -4970,7 +5083,343 @@ class CfnManagedLoginBrandingProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ITermsRef_3aea4e86)
+class CfnTerms(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_cognito.CfnTerms",
+):
+    '''Resource Type definition for AWS::Cognito::Terms.
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html
+    :cloudformationResource: AWS::Cognito::Terms
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_cognito as cognito
+        
+        cfn_terms = cognito.CfnTerms(self, "MyCfnTerms",
+            enforcement="enforcement",
+            links={
+                "links_key": "links"
+            },
+            terms_name="termsName",
+            terms_source="termsSource",
+            user_pool_id="userPoolId",
+        
+            # the properties below are optional
+            client_id="clientId"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        enforcement: builtins.str,
+        links: typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b],
+        terms_name: builtins.str,
+        terms_source: builtins.str,
+        user_pool_id: builtins.str,
+        client_id: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Create a new ``AWS::Cognito::Terms``.
+
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param enforcement: 
+        :param links: 
+        :param terms_name: 
+        :param terms_source: 
+        :param user_pool_id: 
+        :param client_id: 
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__60ed6baa47f9012cc57d9cef7e22f15d5f04fd45aa55fc0e8672f7e89ef3f146)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnTermsProps(
+            enforcement=enforcement,
+            links=links,
+            terms_name=terms_name,
+            terms_source=terms_source,
+            user_pool_id=user_pool_id,
+            client_id=client_id,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0c857e95caaea9926ffb4e0ab5c3a0bb7d8a82c05cf7bd42adce1312c203e7a6)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9dddb891f6e734bbc549324d30543ba3d862fb957be34e904236132737d7b71a)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrTermsId")
+    def attr_terms_id(self) -> builtins.str:
+        '''
+        :cloudformationAttribute: TermsId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrTermsId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="termsRef")
+    def terms_ref(self) -> _TermsReference_01199e92:
+        '''A reference to a Terms resource.'''
+        return typing.cast(_TermsReference_01199e92, jsii.get(self, "termsRef"))
+
+    @builtins.property
+    @jsii.member(jsii_name="enforcement")
+    def enforcement(self) -> builtins.str:
+        return typing.cast(builtins.str, jsii.get(self, "enforcement"))
+
+    @enforcement.setter
+    def enforcement(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f61b831431a9a8cd9abc071d0372ef9f7481c4297f99d22362f79e4456530000)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "enforcement", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="links")
+    def links(
+        self,
+    ) -> typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]:
+        return typing.cast(typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b], jsii.get(self, "links"))
+
+    @links.setter
+    def links(
+        self,
+        value: typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__4f9dfce3805ce6a5b41ec8b8adeb160b16b2bb09e9af48569f2f3a28a1301c36)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "links", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="termsName")
+    def terms_name(self) -> builtins.str:
+        return typing.cast(builtins.str, jsii.get(self, "termsName"))
+
+    @terms_name.setter
+    def terms_name(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__68b51d1ab80adde15516db14033542fe90da3c6c88f931ab391ca9a06f2b57a2)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "termsName", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="termsSource")
+    def terms_source(self) -> builtins.str:
+        return typing.cast(builtins.str, jsii.get(self, "termsSource"))
+
+    @terms_source.setter
+    def terms_source(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d5aa2b8f439bae6d46ca78a5e059a5ed10c4d8f1fa1e7624f714272d8d13b98e)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "termsSource", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="userPoolId")
+    def user_pool_id(self) -> builtins.str:
+        return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
+
+    @user_pool_id.setter
+    def user_pool_id(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__bedec026b3875318368cb2e1f7df8e4146e8efed23c452b2176302d00eac9db3)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "userPoolId", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="clientId")
+    def client_id(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "clientId"))
+
+    @client_id.setter
+    def client_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b52c4f91e8237836ed692eed70ef894814f27cdb9a5c5fe5278b59f348ab3bb9)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "clientId", value) # pyright: ignore[reportArgumentType]
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cognito.CfnTermsProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "enforcement": "enforcement",
+        "links": "links",
+        "terms_name": "termsName",
+        "terms_source": "termsSource",
+        "user_pool_id": "userPoolId",
+        "client_id": "clientId",
+    },
+)
+class CfnTermsProps:
+    def __init__(
+        self,
+        *,
+        enforcement: builtins.str,
+        links: typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b],
+        terms_name: builtins.str,
+        terms_source: builtins.str,
+        user_pool_id: builtins.str,
+        client_id: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Properties for defining a ``CfnTerms``.
+
+        :param enforcement: 
+        :param links: 
+        :param terms_name: 
+        :param terms_source: 
+        :param user_pool_id: 
+        :param client_id: 
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_cognito as cognito
+            
+            cfn_terms_props = cognito.CfnTermsProps(
+                enforcement="enforcement",
+                links={
+                    "links_key": "links"
+                },
+                terms_name="termsName",
+                terms_source="termsSource",
+                user_pool_id="userPoolId",
+            
+                # the properties below are optional
+                client_id="clientId"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__285db7e3bc95478b571785bee7fa49951055cef4d8266009ed59e73fea5e4d4e)
+            check_type(argname="argument enforcement", value=enforcement, expected_type=type_hints["enforcement"])
+            check_type(argname="argument links", value=links, expected_type=type_hints["links"])
+            check_type(argname="argument terms_name", value=terms_name, expected_type=type_hints["terms_name"])
+            check_type(argname="argument terms_source", value=terms_source, expected_type=type_hints["terms_source"])
+            check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
+            check_type(argname="argument client_id", value=client_id, expected_type=type_hints["client_id"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "enforcement": enforcement,
+            "links": links,
+            "terms_name": terms_name,
+            "terms_source": terms_source,
+            "user_pool_id": user_pool_id,
+        }
+        if client_id is not None:
+            self._values["client_id"] = client_id
+
+    @builtins.property
+    def enforcement(self) -> builtins.str:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html#cfn-cognito-terms-enforcement
+        '''
+        result = self._values.get("enforcement")
+        assert result is not None, "Required property 'enforcement' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def links(
+        self,
+    ) -> typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html#cfn-cognito-terms-links
+        '''
+        result = self._values.get("links")
+        assert result is not None, "Required property 'links' is missing"
+        return typing.cast(typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b], result)
+
+    @builtins.property
+    def terms_name(self) -> builtins.str:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html#cfn-cognito-terms-termsname
+        '''
+        result = self._values.get("terms_name")
+        assert result is not None, "Required property 'terms_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def terms_source(self) -> builtins.str:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html#cfn-cognito-terms-termssource
+        '''
+        result = self._values.get("terms_source")
+        assert result is not None, "Required property 'terms_source' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def user_pool_id(self) -> builtins.str:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html#cfn-cognito-terms-userpoolid
+        '''
+        result = self._values.get("user_pool_id")
+        assert result is not None, "Required property 'user_pool_id' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def client_id(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-terms.html#cfn-cognito-terms-clientid
+        '''
+        result = self._values.get("client_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnTermsProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556, _IUserPoolRef_0b7d02b5, _ITaggable_36806126)
 class CfnUserPool(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5156,7 +5605,8 @@ class CfnUserPool(
         web_authn_relying_party_id: typing.Optional[builtins.str] = None,
         web_authn_user_verification: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPool``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
@@ -5227,6 +5677,48 @@ class CfnUserPool(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="fromUserPoolArn")
+    @builtins.classmethod
+    def from_user_pool_arn(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        arn: builtins.str,
+    ) -> _IUserPoolRef_0b7d02b5:
+        '''Creates a new IUserPoolRef from an ARN.
+
+        :param scope: -
+        :param id: -
+        :param arn: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__50cb94accc8d60746f0970af6f3f1428a04180d1d6c471b7ebb0c7eeaf6f5e11)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
+        return typing.cast(_IUserPoolRef_0b7d02b5, jsii.sinvoke(cls, "fromUserPoolArn", [scope, id, arn]))
+
+    @jsii.member(jsii_name="fromUserPoolId")
+    @builtins.classmethod
+    def from_user_pool_id(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        user_pool_id: builtins.str,
+    ) -> _IUserPoolRef_0b7d02b5:
+        '''Creates a new IUserPoolRef from a userPoolId.
+
+        :param scope: -
+        :param id: -
+        :param user_pool_id: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__77bca4d59ea1b80508c0fd60c8f34e3c4dff94c3e5dada90fee904207040ff1a)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
+        return typing.cast(_IUserPoolRef_0b7d02b5, jsii.sinvoke(cls, "fromUserPoolId", [scope, id, user_pool_id]))
+
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -5304,6 +5796,12 @@ class CfnUserPool(
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolRef")
+    def user_pool_ref(self) -> _UserPoolReference_0ef20aae:
+        '''A reference to a UserPool resource.'''
+        return typing.cast(_UserPoolReference_0ef20aae, jsii.get(self, "userPoolRef"))
+
     @builtins.property
     @jsii.member(jsii_name="accountRecoverySetting")
     def account_recovery_setting(
@@ -8024,7 +8522,7 @@ class CfnUserPool(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolClientRef_4466eeba)
 class CfnUserPoolClient(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -8130,7 +8628,8 @@ class CfnUserPoolClient(
         token_validity_units: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolClient.TokenValidityUnitsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         write_attributes: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolClient``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The ID of the user pool where you want to create an app client.
@@ -8140,7 +8639,7 @@ class CfnUserPoolClient(
         :param allowed_o_auth_scopes: The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
         :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
         :param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
-        :param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
+        :param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for callback URLs to ``http://localhost`` , ``http://127.0.0.1`` and ``http://[::1]`` . These callback URLs are for testing purposes only. You can specify custom TCP ports for your callback URLs. App callback URLs such as ``myapp://example`` are also supported.
         :param client_name: A friendly name for the app client that you want to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
         :param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
@@ -8151,7 +8650,7 @@ class CfnUserPoolClient(
         :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
-        :param refresh_token_rotation: 
+        :param refresh_token_rotation: The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
@@ -8249,6 +8748,12 @@ class CfnUserPoolClient(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolClientRef")
+    def user_pool_client_ref(self) -> _UserPoolClientReference_2e04ee48:
+        '''A reference to a UserPoolClient resource.'''
+        return typing.cast(_UserPoolClientReference_2e04ee48, jsii.get(self, "userPoolClientRef"))
+
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
@@ -8528,6 +9033,7 @@ class CfnUserPoolClient(
     def refresh_token_rotation(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolClient.RefreshTokenRotationProperty"]]:
+        '''The configuration of your app client for refresh token rotation.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolClient.RefreshTokenRotationProperty"]], jsii.get(self, "refreshTokenRotation"))
 
     @refresh_token_rotation.setter
@@ -8749,9 +9255,12 @@ class CfnUserPoolClient(
             feature: typing.Optional[builtins.str] = None,
             retry_grace_period_seconds: typing.Optional[jsii.Number] = None,
         ) -> None:
-            '''
-            :param feature: 
-            :param retry_grace_period_seconds: 
+            '''The configuration of your app client for refresh token rotation.
+
+            When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.
+
+            :param feature: The state of refresh token rotation for the current app client.
+            :param retry_grace_period_seconds: When you request a token refresh with ``GetTokensFromRefreshToken`` , the original refresh token that you're rotating out can remain valid for a period of time of up to 60 seconds. This allows for client-side retries. When ``RetryGracePeriodSeconds`` is ``0`` , the grace period is disabled and a successful request immediately invalidates the submitted refresh token.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.html
             :exampleMetadata: fixture=_generated
@@ -8779,7 +9288,8 @@ class CfnUserPoolClient(
 
         @builtins.property
         def feature(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The state of refresh token rotation for the current app client.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.html#cfn-cognito-userpoolclient-refreshtokenrotation-feature
             '''
             result = self._values.get("feature")
@@ -8787,7 +9297,10 @@ class CfnUserPoolClient(
 
         @builtins.property
         def retry_grace_period_seconds(self) -> typing.Optional[jsii.Number]:
-            '''
+            '''When you request a token refresh with ``GetTokensFromRefreshToken`` , the original refresh token that you're rotating out can remain valid for a period of time of up to 60 seconds.
+
+            This allows for client-side retries. When ``RetryGracePeriodSeconds`` is ``0`` , the grace period is disabled and a successful request immediately invalidates the submitted refresh token.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.html#cfn-cognito-userpoolclient-refreshtokenrotation-retrygraceperiodseconds
             '''
             result = self._values.get("retry_grace_period_seconds")
@@ -8968,7 +9481,7 @@ class CfnUserPoolClientProps:
         :param allowed_o_auth_scopes: The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
         :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
         :param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
-        :param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
+        :param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for callback URLs to ``http://localhost`` , ``http://127.0.0.1`` and ``http://[::1]`` . These callback URLs are for testing purposes only. You can specify custom TCP ports for your callback URLs. App callback URLs such as ``myapp://example`` are also supported.
         :param client_name: A friendly name for the app client that you want to create.
         :param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
         :param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
@@ -8979,7 +9492,7 @@ class CfnUserPoolClientProps:
         :param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
         :param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
         :param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
-        :param refresh_token_rotation: 
+        :param refresh_token_rotation: The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.
         :param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
         :param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
         :param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
@@ -9221,9 +9734,9 @@ class CfnUserPoolClientProps:
 
         See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ .
 
-        Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
+        Amazon Cognito requires HTTPS over HTTP except for callback URLs to ``http://localhost`` , ``http://127.0.0.1`` and ``http://[::1]`` . These callback URLs are for testing purposes only. You can specify custom TCP ports for your callback URLs.
 
-        App callback URLs such as myapp://example are also supported.
+        App callback URLs such as ``myapp://example`` are also supported.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-callbackurls
         '''
@@ -9381,7 +9894,10 @@ class CfnUserPoolClientProps:
     def refresh_token_rotation(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolClient.RefreshTokenRotationProperty]]:
-        '''
+        '''The configuration of your app client for refresh token rotation.
+
+        When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-refreshtokenrotation
         '''
         result = self._values.get("refresh_token_rotation")
@@ -9461,7 +9977,7 @@ class CfnUserPoolClientProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolDomainRef_2fa54b0c)
 class CfnUserPoolDomain(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -9501,7 +10017,8 @@ class CfnUserPoolDomain(
         custom_domain_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolDomain.CustomDomainConfigTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         managed_login_version: typing.Optional[jsii.Number] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolDomain``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain: The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
@@ -9566,6 +10083,12 @@ class CfnUserPoolDomain(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolDomainRef")
+    def user_pool_domain_ref(self) -> _UserPoolDomainReference_8e0aecda:
+        '''A reference to a UserPoolDomain resource.'''
+        return typing.cast(_UserPoolDomainReference_8e0aecda, jsii.get(self, "userPoolDomainRef"))
+
     @builtins.property
     @jsii.member(jsii_name="domain")
     def domain(self) -> builtins.str:
@@ -9636,7 +10159,7 @@ class CfnUserPoolDomain(
         ) -> None:
             '''The configuration for a hosted UI custom domain.
 
-            :param certificate_arn: The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain.
+            :param certificate_arn: The Amazon Resource Name (ARN) of an Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpooldomain-customdomainconfigtype.html
             :exampleMetadata: fixture=_generated
@@ -9660,7 +10183,7 @@ class CfnUserPoolDomain(
 
         @builtins.property
         def certificate_arn(self) -> typing.Optional[builtins.str]:
-            '''The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate.
+            '''The Amazon Resource Name (ARN) of an Certificate Manager SSL certificate.
 
             You use this certificate for the subdomain of your custom domain.
 
@@ -9802,7 +10325,7 @@ class CfnUserPoolDomainProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolGroupRef_89b16d48)
 class CfnUserPoolGroup(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -9844,7 +10367,8 @@ class CfnUserPoolGroup(
         precedence: typing.Optional[jsii.Number] = None,
         role_arn: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolGroup``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The ID of the user pool where you want to create a user group.
@@ -9902,6 +10426,12 @@ class CfnUserPoolGroup(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolGroupRef")
+    def user_pool_group_ref(self) -> _UserPoolGroupReference_5e435fdd:
+        '''A reference to a UserPoolGroup resource.'''
+        return typing.cast(_UserPoolGroupReference_5e435fdd, jsii.get(self, "userPoolGroupRef"))
+
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
@@ -10103,7 +10633,7 @@ class CfnUserPoolGroupProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolIdentityProviderRef_935eed62)
 class CfnUserPoolIdentityProvider(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -10148,7 +10678,8 @@ class CfnUserPoolIdentityProvider(
         attribute_mapping: typing.Any = None,
         idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolIdentityProvider``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
@@ -10208,6 +10739,14 @@ class CfnUserPoolIdentityProvider(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolIdentityProviderRef")
+    def user_pool_identity_provider_ref(
+        self,
+    ) -> _UserPoolIdentityProviderReference_a5d59f88:
+        '''A reference to a UserPoolIdentityProvider resource.'''
+        return typing.cast(_UserPoolIdentityProviderReference_a5d59f88, jsii.get(self, "userPoolIdentityProviderRef"))
+
     @builtins.property
     @jsii.member(jsii_name="providerDetails")
     def provider_details(self) -> typing.Any:
@@ -11170,7 +11709,7 @@ class CfnUserPoolProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolResourceServerRef_fda874c5)
 class CfnUserPoolResourceServer(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -11215,7 +11754,8 @@ class CfnUserPoolResourceServer(
         user_pool_id: builtins.str,
         scopes: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolResourceServer.ResourceServerScopeTypeProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolResourceServer``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param identifier: A unique resource server identifier for the resource server. The identifier can be an API friendly name like ``solar-system-data`` . You can also set an API URL like ``https://solar-system-data-api.example.com`` as your identifier. Amazon Cognito represents scopes in the access token in the format ``$resource-server-identifier/$scope`` . Longer scope-identifier strings increase the size of your access tokens.
@@ -11268,6 +11808,14 @@ class CfnUserPoolResourceServer(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolResourceServerRef")
+    def user_pool_resource_server_ref(
+        self,
+    ) -> _UserPoolResourceServerReference_5b196bf5:
+        '''A reference to a UserPoolResourceServer resource.'''
+        return typing.cast(_UserPoolResourceServerReference_5b196bf5, jsii.get(self, "userPoolResourceServerRef"))
+
     @builtins.property
     @jsii.member(jsii_name="identifier")
     def identifier(self) -> builtins.str:
@@ -11524,7 +12072,7 @@ class CfnUserPoolResourceServerProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolRiskConfigurationAttachmentRef_b5390b06)
 class CfnUserPoolRiskConfigurationAttachment(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -11621,7 +12169,8 @@ class CfnUserPoolRiskConfigurationAttachment(
         compromised_credentials_risk_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         risk_exception_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.RiskExceptionConfigurationTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolRiskConfigurationAttachment``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param client_id: The app client where this configuration is applied. When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
@@ -11679,6 +12228,14 @@ class CfnUserPoolRiskConfigurationAttachment(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolRiskConfigurationAttachmentRef")
+    def user_pool_risk_configuration_attachment_ref(
+        self,
+    ) -> _UserPoolRiskConfigurationAttachmentReference_815104e9:
+        '''A reference to a UserPoolRiskConfigurationAttachment resource.'''
+        return typing.cast(_UserPoolRiskConfigurationAttachmentReference_815104e9, jsii.get(self, "userPoolRiskConfigurationAttachmentRef"))
+
     @builtins.property
     @jsii.member(jsii_name="clientId")
     def client_id(self) -> builtins.str:
@@ -12226,7 +12783,7 @@ class CfnUserPoolRiskConfigurationAttachment(
             :param from_: The email address that sends the email message. The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
             :param mfa_email: The template for the email message that your user pool sends when MFA is challenged in response to a detected risk.
             :param no_action_email: The template for the email message that your user pool sends when no action is taken in response to a detected risk.
-            :param reply_to: The reply-to email address of an email template.
+            :param reply_to: The reply-to email address of an email template. Can be an email address in the format ``admin@example.com`` or ``Administrator <admin@example.com>`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html
             :exampleMetadata: fixture=_generated
@@ -12348,6 +12905,8 @@ class CfnUserPoolRiskConfigurationAttachment(
         def reply_to(self) -> typing.Optional[builtins.str]:
             '''The reply-to email address of an email template.
 
+            Can be an email address in the format ``admin@example.com`` or ``Administrator <admin@example.com>`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-replyto
             '''
             result = self._values.get("reply_to")
@@ -12726,7 +13285,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolUICustomizationAttachmentRef_855e6497)
 class CfnUserPoolUICustomizationAttachment(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -12762,7 +13321,8 @@ class CfnUserPoolUICustomizationAttachment(
         user_pool_id: builtins.str,
         css: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolUICustomizationAttachment``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
@@ -12814,6 +13374,14 @@ class CfnUserPoolUICustomizationAttachment(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolUiCustomizationAttachmentRef")
+    def user_pool_ui_customization_attachment_ref(
+        self,
+    ) -> _UserPoolUICustomizationAttachmentReference_2c1e7860:
+        '''A reference to a UserPoolUICustomizationAttachment resource.'''
+        return typing.cast(_UserPoolUICustomizationAttachmentReference_2c1e7860, jsii.get(self, "userPoolUiCustomizationAttachmentRef"))
+
     @builtins.property
     @jsii.member(jsii_name="clientId")
     def client_id(self) -> builtins.str:
@@ -12947,7 +13515,7 @@ class CfnUserPoolUICustomizationAttachmentProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolUserRef_cbf1b211)
 class CfnUserPoolUser(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -13001,11 +13569,12 @@ class CfnUserPoolUser(
         username: typing.Optional[builtins.str] = None,
         validation_data: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolUser.AttributeTypeProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolUser``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The ID of the user pool where you want to create a user.
-        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``ClientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Using Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following: - Store the ``ClientMetadata`` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ``ClientMetadata`` parameter serves no purpose. - Validate the ``ClientMetadata`` value. - Encrypt the ``ClientMetadata`` value. Don't send sensitive information in this parameter.
+        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see `Connecting API actions to Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following: - Store the ``ClientMetadata`` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ``ClientMetadata`` parameter serves no purpose. - Validate the ``ClientMetadata`` value. - Encrypt the ``ClientMetadata`` value. Don't send sensitive information in this parameter.
         :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
@@ -13065,6 +13634,12 @@ class CfnUserPoolUser(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolUserRef")
+    def user_pool_user_ref(self) -> _UserPoolUserReference_b50e0a97:
+        '''A reference to a UserPoolUser resource.'''
+        return typing.cast(_UserPoolUserReference_b50e0a97, jsii.get(self, "userPoolUserRef"))
+
     @builtins.property
     @jsii.member(jsii_name="userPoolId")
     def user_pool_id(self) -> builtins.str:
@@ -13293,7 +13868,7 @@ class CfnUserPoolUserProps:
         '''Properties for defining a ``CfnUserPoolUser``.
 
         :param user_pool_id: The ID of the user pool where you want to create a user.
-        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``ClientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Using Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following: - Store the ``ClientMetadata`` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ``ClientMetadata`` parameter serves no purpose. - Validate the ``ClientMetadata`` value. - Encrypt the ``ClientMetadata`` value. Don't send sensitive information in this parameter.
+        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see `Connecting API actions to Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following: - Store the ``ClientMetadata`` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ``ClientMetadata`` parameter serves no purpose. - Validate the ``ClientMetadata`` value. - Encrypt the ``ClientMetadata`` value. Don't send sensitive information in this parameter.
         :param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
@@ -13375,9 +13950,11 @@ class CfnUserPoolUserProps:
     ) -> typing.Optional[typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b]]:
         '''A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
 
-        You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``ClientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs.
+        You create custom workflows by assigning AWS Lambda functions to user pool triggers.
+
+        When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the ``clientMetadata`` value to enhance your workflow for your specific needs.
 
-        For more information, see `Using Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* .
+        To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see `Connecting API actions to Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event>`_ in the *Amazon Cognito Developer Guide* .
         .. epigraph::
 
            When you use the ``ClientMetadata`` parameter, note that Amazon Cognito won't do the following:
@@ -13498,7 +14075,7 @@ class CfnUserPoolUserProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPoolUserToGroupAttachmentRef_04a5a41e)
 class CfnUserPoolUserToGroupAttachment(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -13541,7 +14118,8 @@ class CfnUserPoolUserToGroupAttachment(
         username: builtins.str,
         user_pool_id: builtins.str,
     ) -> None:
-        '''
+        '''Create a new ``AWS::Cognito::UserPoolUserToGroupAttachment``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_name: The name of the group that you want to add your user to.
@@ -13593,6 +14171,14 @@ class CfnUserPoolUserToGroupAttachment(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPoolUserToGroupAttachmentRef")
+    def user_pool_user_to_group_attachment_ref(
+        self,
+    ) -> _UserPoolUserToGroupAttachmentReference_fa1a0479:
+        '''A reference to a UserPoolUserToGroupAttachment resource.'''
+        return typing.cast(_UserPoolUserToGroupAttachmentReference_fa1a0479, jsii.get(self, "userPoolUserToGroupAttachmentRef"))
+
     @builtins.property
     @jsii.member(jsii_name="groupName")
     def group_name(self) -> builtins.str:
@@ -14435,6 +15021,7 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         o_auth: typing.Optional[typing.Union["OAuthSettings", typing.Dict[builtins.str, typing.Any]]] = None,
         prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
         read_attributes: typing.Optional[ClientAttributes] = None,
+        refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
         supported_identity_providers: typing.Optional[typing.Sequence["UserPoolClientIdentityProvider"]] = None,
         user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -14455,6 +15042,7 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         :param o_auth: OAuth settings for this client to interact with the app. An error is thrown when this is specified and ``disableOAuth`` is set. Default: - see defaults in ``OAuthSettings``. meaningless if ``disableOAuth`` is set.
         :param prevent_user_existence_errors: Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence. Default: false
         :param read_attributes: The set of attributes this client will be able to read. Default: - all standard and custom attributes
+        :param refresh_token_rotation_grace_period: Enables refresh token rotation when set. Defines the grace period for the original refresh token (0-60 seconds). Default: - undefined (refresh token rotation is disabled)
         :param refresh_token_validity: Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)
         :param supported_identity_providers: The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the ``UserPool.registerIdentityProvider()`` API.
         :param user_pool_client_name: Name of the application client. Default: - cloudformation generated name
@@ -14492,7 +15080,7 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         description: typing.Optional[builtins.str] = None,
         group_name: typing.Optional[builtins.str] = None,
         precedence: typing.Optional[jsii.Number] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional[_IRoleRef_8400221f] = None,
     ) -> "UserPoolGroup":
         '''Add a new group to this user pool.
 
@@ -14605,6 +15193,7 @@ class _IUserPoolProxy(
         o_auth: typing.Optional[typing.Union["OAuthSettings", typing.Dict[builtins.str, typing.Any]]] = None,
         prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
         read_attributes: typing.Optional[ClientAttributes] = None,
+        refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
         supported_identity_providers: typing.Optional[typing.Sequence["UserPoolClientIdentityProvider"]] = None,
         user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -14625,6 +15214,7 @@ class _IUserPoolProxy(
         :param o_auth: OAuth settings for this client to interact with the app. An error is thrown when this is specified and ``disableOAuth`` is set. Default: - see defaults in ``OAuthSettings``. meaningless if ``disableOAuth`` is set.
         :param prevent_user_existence_errors: Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence. Default: false
         :param read_attributes: The set of attributes this client will be able to read. Default: - all standard and custom attributes
+        :param refresh_token_rotation_grace_period: Enables refresh token rotation when set. Defines the grace period for the original refresh token (0-60 seconds). Default: - undefined (refresh token rotation is disabled)
         :param refresh_token_validity: Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)
         :param supported_identity_providers: The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the ``UserPool.registerIdentityProvider()`` API.
         :param user_pool_client_name: Name of the application client. Default: - cloudformation generated name
@@ -14648,6 +15238,7 @@ class _IUserPoolProxy(
             o_auth=o_auth,
             prevent_user_existence_errors=prevent_user_existence_errors,
             read_attributes=read_attributes,
+            refresh_token_rotation_grace_period=refresh_token_rotation_grace_period,
             refresh_token_validity=refresh_token_validity,
             supported_identity_providers=supported_identity_providers,
             user_pool_client_name=user_pool_client_name,
@@ -14693,7 +15284,7 @@ class _IUserPoolProxy(
         description: typing.Optional[builtins.str] = None,
         group_name: typing.Optional[builtins.str] = None,
         precedence: typing.Optional[jsii.Number] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional[_IRoleRef_8400221f] = None,
     ) -> "UserPoolGroup":
         '''Add a new group to this user pool.
 
@@ -17884,7 +18475,7 @@ class UserPool(
         advanced_security_mode: typing.Optional[AdvancedSecurityMode] = None,
         auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
-        custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+        custom_sender_kms_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
         custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -17904,7 +18495,7 @@ class UserPool(
         sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
         sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
         sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
-        sms_role: typing.Optional[_IRole_235f5d8e] = None,
+        sms_role: typing.Optional[_IRoleRef_8400221f] = None,
         sms_role_external_id: typing.Optional[builtins.str] = None,
         sns_region: typing.Optional[builtins.str] = None,
         standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -18049,6 +18640,7 @@ class UserPool(
         o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
         prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
         read_attributes: typing.Optional[ClientAttributes] = None,
+        refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
         supported_identity_providers: typing.Optional[typing.Sequence["UserPoolClientIdentityProvider"]] = None,
         user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -18069,6 +18661,7 @@ class UserPool(
         :param o_auth: OAuth settings for this client to interact with the app. An error is thrown when this is specified and ``disableOAuth`` is set. Default: - see defaults in ``OAuthSettings``. meaningless if ``disableOAuth`` is set.
         :param prevent_user_existence_errors: Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence. Default: false
         :param read_attributes: The set of attributes this client will be able to read. Default: - all standard and custom attributes
+        :param refresh_token_rotation_grace_period: Enables refresh token rotation when set. Defines the grace period for the original refresh token (0-60 seconds). Default: - undefined (refresh token rotation is disabled)
         :param refresh_token_validity: Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)
         :param supported_identity_providers: The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the ``UserPool.registerIdentityProvider()`` API.
         :param user_pool_client_name: Name of the application client. Default: - cloudformation generated name
@@ -18090,6 +18683,7 @@ class UserPool(
             o_auth=o_auth,
             prevent_user_existence_errors=prevent_user_existence_errors,
             read_attributes=read_attributes,
+            refresh_token_rotation_grace_period=refresh_token_rotation_grace_period,
             refresh_token_validity=refresh_token_validity,
             supported_identity_providers=supported_identity_providers,
             user_pool_client_name=user_pool_client_name,
@@ -18133,7 +18727,7 @@ class UserPool(
         description: typing.Optional[builtins.str] = None,
         group_name: typing.Optional[builtins.str] = None,
         precedence: typing.Optional[jsii.Number] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional[_IRoleRef_8400221f] = None,
     ) -> "UserPoolGroup":
         '''Add a new group to this user pool.
 
@@ -18232,6 +18826,12 @@ class UserPool(
             check_type(argname="argument provider", value=provider, expected_type=type_hints["provider"])
         return typing.cast(None, jsii.invoke(self, "registerIdentityProvider", [provider]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="identityProviders")
     def identity_providers(self) -> typing.List[IUserPoolIdentityProvider]:
@@ -18315,6 +18915,7 @@ class UserPoolClient(
         o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
         prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
         read_attributes: typing.Optional[ClientAttributes] = None,
+        refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
         supported_identity_providers: typing.Optional[typing.Sequence["UserPoolClientIdentityProvider"]] = None,
         user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -18336,6 +18937,7 @@ class UserPoolClient(
         :param o_auth: OAuth settings for this client to interact with the app. An error is thrown when this is specified and ``disableOAuth`` is set. Default: - see defaults in ``OAuthSettings``. meaningless if ``disableOAuth`` is set.
         :param prevent_user_existence_errors: Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence. Default: false
         :param read_attributes: The set of attributes this client will be able to read. Default: - all standard and custom attributes
+        :param refresh_token_rotation_grace_period: Enables refresh token rotation when set. Defines the grace period for the original refresh token (0-60 seconds). Default: - undefined (refresh token rotation is disabled)
         :param refresh_token_validity: Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)
         :param supported_identity_providers: The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the ``UserPool.registerIdentityProvider()`` API.
         :param user_pool_client_name: Name of the application client. Default: - cloudformation generated name
@@ -18359,6 +18961,7 @@ class UserPoolClient(
             o_auth=o_auth,
             prevent_user_existence_errors=prevent_user_existence_errors,
             read_attributes=read_attributes,
+            refresh_token_rotation_grace_period=refresh_token_rotation_grace_period,
             refresh_token_validity=refresh_token_validity,
             supported_identity_providers=supported_identity_providers,
             user_pool_client_name=user_pool_client_name,
@@ -18388,6 +18991,12 @@ class UserPoolClient(
             check_type(argname="argument user_pool_client_id", value=user_pool_client_id, expected_type=type_hints["user_pool_client_id"])
         return typing.cast(IUserPoolClient, jsii.sinvoke(cls, "fromUserPoolClientId", [scope, id, user_pool_client_id]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="oAuthFlows")
     def o_auth_flows(self) -> OAuthFlows:
@@ -18511,6 +19120,7 @@ class UserPoolClientIdentityProvider(
         "o_auth": "oAuth",
         "prevent_user_existence_errors": "preventUserExistenceErrors",
         "read_attributes": "readAttributes",
+        "refresh_token_rotation_grace_period": "refreshTokenRotationGracePeriod",
         "refresh_token_validity": "refreshTokenValidity",
         "supported_identity_providers": "supportedIdentityProviders",
         "user_pool_client_name": "userPoolClientName",
@@ -18533,6 +19143,7 @@ class UserPoolClientOptions:
         o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
         prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
         read_attributes: typing.Optional[ClientAttributes] = None,
+        refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
         supported_identity_providers: typing.Optional[typing.Sequence[UserPoolClientIdentityProvider]] = None,
         user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -18552,6 +19163,7 @@ class UserPoolClientOptions:
         :param o_auth: OAuth settings for this client to interact with the app. An error is thrown when this is specified and ``disableOAuth`` is set. Default: - see defaults in ``OAuthSettings``. meaningless if ``disableOAuth`` is set.
         :param prevent_user_existence_errors: Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence. Default: false
         :param read_attributes: The set of attributes this client will be able to read. Default: - all standard and custom attributes
+        :param refresh_token_rotation_grace_period: Enables refresh token rotation when set. Defines the grace period for the original refresh token (0-60 seconds). Default: - undefined (refresh token rotation is disabled)
         :param refresh_token_validity: Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)
         :param supported_identity_providers: The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the ``UserPool.registerIdentityProvider()`` API.
         :param user_pool_client_name: Name of the application client. Default: - cloudformation generated name
@@ -18593,6 +19205,7 @@ class UserPoolClientOptions:
             check_type(argname="argument o_auth", value=o_auth, expected_type=type_hints["o_auth"])
             check_type(argname="argument prevent_user_existence_errors", value=prevent_user_existence_errors, expected_type=type_hints["prevent_user_existence_errors"])
             check_type(argname="argument read_attributes", value=read_attributes, expected_type=type_hints["read_attributes"])
+            check_type(argname="argument refresh_token_rotation_grace_period", value=refresh_token_rotation_grace_period, expected_type=type_hints["refresh_token_rotation_grace_period"])
             check_type(argname="argument refresh_token_validity", value=refresh_token_validity, expected_type=type_hints["refresh_token_validity"])
             check_type(argname="argument supported_identity_providers", value=supported_identity_providers, expected_type=type_hints["supported_identity_providers"])
             check_type(argname="argument user_pool_client_name", value=user_pool_client_name, expected_type=type_hints["user_pool_client_name"])
@@ -18622,6 +19235,8 @@ class UserPoolClientOptions:
             self._values["prevent_user_existence_errors"] = prevent_user_existence_errors
         if read_attributes is not None:
             self._values["read_attributes"] = read_attributes
+        if refresh_token_rotation_grace_period is not None:
+            self._values["refresh_token_rotation_grace_period"] = refresh_token_rotation_grace_period
         if refresh_token_validity is not None:
             self._values["refresh_token_validity"] = refresh_token_validity
         if supported_identity_providers is not None:
@@ -18768,6 +19383,21 @@ class UserPoolClientOptions:
         result = self._values.get("read_attributes")
         return typing.cast(typing.Optional[ClientAttributes], result)
 
+    @builtins.property
+    def refresh_token_rotation_grace_period(
+        self,
+    ) -> typing.Optional[_Duration_4839e8c3]:
+        '''Enables refresh token rotation when set.
+
+        Defines the grace period for the original refresh token (0-60 seconds).
+
+        :default: - undefined (refresh token rotation is disabled)
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#using-the-refresh-token-rotation
+        '''
+        result = self._values.get("refresh_token_rotation_grace_period")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
     @builtins.property
     def refresh_token_validity(self) -> typing.Optional[_Duration_4839e8c3]:
         '''Validity of the refresh token.
@@ -18844,6 +19474,7 @@ class UserPoolClientOptions:
         "o_auth": "oAuth",
         "prevent_user_existence_errors": "preventUserExistenceErrors",
         "read_attributes": "readAttributes",
+        "refresh_token_rotation_grace_period": "refreshTokenRotationGracePeriod",
         "refresh_token_validity": "refreshTokenValidity",
         "supported_identity_providers": "supportedIdentityProviders",
         "user_pool_client_name": "userPoolClientName",
@@ -18867,6 +19498,7 @@ class UserPoolClientProps(UserPoolClientOptions):
         o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
         prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
         read_attributes: typing.Optional[ClientAttributes] = None,
+        refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
         supported_identity_providers: typing.Optional[typing.Sequence[UserPoolClientIdentityProvider]] = None,
         user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -18887,6 +19519,7 @@ class UserPoolClientProps(UserPoolClientOptions):
         :param o_auth: OAuth settings for this client to interact with the app. An error is thrown when this is specified and ``disableOAuth`` is set. Default: - see defaults in ``OAuthSettings``. meaningless if ``disableOAuth`` is set.
         :param prevent_user_existence_errors: Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence. Default: false
         :param read_attributes: The set of attributes this client will be able to read. Default: - all standard and custom attributes
+        :param refresh_token_rotation_grace_period: Enables refresh token rotation when set. Defines the grace period for the original refresh token (0-60 seconds). Default: - undefined (refresh token rotation is disabled)
         :param refresh_token_validity: Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)
         :param supported_identity_providers: The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the ``UserPool.registerIdentityProvider()`` API.
         :param user_pool_client_name: Name of the application client. Default: - cloudformation generated name
@@ -18941,6 +19574,7 @@ class UserPoolClientProps(UserPoolClientOptions):
             check_type(argname="argument o_auth", value=o_auth, expected_type=type_hints["o_auth"])
             check_type(argname="argument prevent_user_existence_errors", value=prevent_user_existence_errors, expected_type=type_hints["prevent_user_existence_errors"])
             check_type(argname="argument read_attributes", value=read_attributes, expected_type=type_hints["read_attributes"])
+            check_type(argname="argument refresh_token_rotation_grace_period", value=refresh_token_rotation_grace_period, expected_type=type_hints["refresh_token_rotation_grace_period"])
             check_type(argname="argument refresh_token_validity", value=refresh_token_validity, expected_type=type_hints["refresh_token_validity"])
             check_type(argname="argument supported_identity_providers", value=supported_identity_providers, expected_type=type_hints["supported_identity_providers"])
             check_type(argname="argument user_pool_client_name", value=user_pool_client_name, expected_type=type_hints["user_pool_client_name"])
@@ -18973,6 +19607,8 @@ class UserPoolClientProps(UserPoolClientOptions):
             self._values["prevent_user_existence_errors"] = prevent_user_existence_errors
         if read_attributes is not None:
             self._values["read_attributes"] = read_attributes
+        if refresh_token_rotation_grace_period is not None:
+            self._values["refresh_token_rotation_grace_period"] = refresh_token_rotation_grace_period
         if refresh_token_validity is not None:
             self._values["refresh_token_validity"] = refresh_token_validity
         if supported_identity_providers is not None:
@@ -19119,6 +19755,21 @@ class UserPoolClientProps(UserPoolClientOptions):
         result = self._values.get("read_attributes")
         return typing.cast(typing.Optional[ClientAttributes], result)
 
+    @builtins.property
+    def refresh_token_rotation_grace_period(
+        self,
+    ) -> typing.Optional[_Duration_4839e8c3]:
+        '''Enables refresh token rotation when set.
+
+        Defines the grace period for the original refresh token (0-60 seconds).
+
+        :default: - undefined (refresh token rotation is disabled)
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#using-the-refresh-token-rotation
+        '''
+        result = self._values.get("refresh_token_rotation_grace_period")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
     @builtins.property
     def refresh_token_validity(self) -> typing.Optional[_Duration_4839e8c3]:
         '''Validity of the refresh token.
@@ -19302,6 +19953,12 @@ class UserPoolDomain(
 
         return typing.cast(builtins.str, jsii.invoke(self, "signInUrl", [client, options]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="cloudFrontDomainName")
     def cloud_front_domain_name(self) -> builtins.str:
@@ -19844,7 +20501,7 @@ class UserPoolGroup(
         description: typing.Optional[builtins.str] = None,
         group_name: typing.Optional[builtins.str] = None,
         precedence: typing.Optional[jsii.Number] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional[_IRoleRef_8400221f] = None,
     ) -> None:
         '''
         :param scope: -
@@ -19890,6 +20547,12 @@ class UserPoolGroup(
             check_type(argname="argument group_name", value=group_name, expected_type=type_hints["group_name"])
         return typing.cast(IUserPoolGroup, jsii.sinvoke(cls, "fromGroupName", [scope, id, group_name]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="groupName")
     def group_name(self) -> builtins.str:
@@ -19914,7 +20577,7 @@ class UserPoolGroupOptions:
         description: typing.Optional[builtins.str] = None,
         group_name: typing.Optional[builtins.str] = None,
         precedence: typing.Optional[jsii.Number] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional[_IRoleRef_8400221f] = None,
     ) -> None:
         '''Options to create a UserPoolGroup.
 
@@ -20000,13 +20663,13 @@ class UserPoolGroupOptions:
         return typing.cast(typing.Optional[jsii.Number], result)
 
     @builtins.property
-    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+    def role(self) -> typing.Optional[_IRoleRef_8400221f]:
         '''The role for the group.
 
         :default: - no description
         '''
         result = self._values.get("role")
-        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+        return typing.cast(typing.Optional[_IRoleRef_8400221f], result)
 
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -20038,7 +20701,7 @@ class UserPoolGroupProps(UserPoolGroupOptions):
         description: typing.Optional[builtins.str] = None,
         group_name: typing.Optional[builtins.str] = None,
         precedence: typing.Optional[jsii.Number] = None,
-        role: typing.Optional[_IRole_235f5d8e] = None,
+        role: typing.Optional[_IRoleRef_8400221f] = None,
         user_pool: IUserPool,
     ) -> None:
         '''Props for UserPoolGroup construct.
@@ -20129,13 +20792,13 @@ class UserPoolGroupProps(UserPoolGroupOptions):
         return typing.cast(typing.Optional[jsii.Number], result)
 
     @builtins.property
-    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+    def role(self) -> typing.Optional[_IRoleRef_8400221f]:
         '''The role for the group.
 
         :default: - no description
         '''
         result = self._values.get("role")
-        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+        return typing.cast(typing.Optional[_IRoleRef_8400221f], result)
 
     @builtins.property
     def user_pool(self) -> IUserPool:
@@ -20251,6 +20914,12 @@ class UserPoolIdentityProviderAmazon(
     def _configure_attribute_mapping(self) -> typing.Any:
         return typing.cast(typing.Any, jsii.invoke(self, "configureAttributeMapping", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -20363,6 +21032,12 @@ class UserPoolIdentityProviderApple(
     def _configure_attribute_mapping(self) -> typing.Any:
         return typing.cast(typing.Any, jsii.invoke(self, "configureAttributeMapping", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -20465,6 +21140,12 @@ class UserPoolIdentityProviderFacebook(
     def _configure_attribute_mapping(self) -> typing.Any:
         return typing.cast(typing.Any, jsii.invoke(self, "configureAttributeMapping", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -20538,6 +21219,12 @@ class UserPoolIdentityProviderGoogle(
     def _configure_attribute_mapping(self) -> typing.Any:
         return typing.cast(typing.Any, jsii.invoke(self, "configureAttributeMapping", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -20661,6 +21348,12 @@ class UserPoolIdentityProviderOidc(
     def _configure_attribute_mapping(self) -> typing.Any:
         return typing.cast(typing.Any, jsii.invoke(self, "configureAttributeMapping", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -20849,6 +21542,12 @@ class UserPoolIdentityProviderSaml(
     def _configure_attribute_mapping(self) -> typing.Any:
         return typing.cast(typing.Any, jsii.invoke(self, "configureAttributeMapping", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -21346,7 +22045,7 @@ class UserPoolProps:
         advanced_security_mode: typing.Optional[AdvancedSecurityMode] = None,
         auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
         custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
-        custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+        custom_sender_kms_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
         custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
         device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -21366,7 +22065,7 @@ class UserPoolProps:
         sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
         sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
         sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
-        sms_role: typing.Optional[_IRole_235f5d8e] = None,
+        sms_role: typing.Optional[_IRoleRef_8400221f] = None,
         sms_role_external_id: typing.Optional[builtins.str] = None,
         sns_region: typing.Optional[builtins.str] = None,
         standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -21592,7 +22291,7 @@ class UserPoolProps:
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]], result)
 
     @builtins.property
-    def custom_sender_kms_key(self) -> typing.Optional[_IKey_5f11635f]:
+    def custom_sender_kms_key(self) -> typing.Optional[_IKeyRef_d4fc6ef3]:
         '''This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
 
         :default: - no key ID configured
@@ -21600,7 +22299,7 @@ class UserPoolProps:
         :see: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html
         '''
         result = self._values.get("custom_sender_kms_key")
-        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+        return typing.cast(typing.Optional[_IKeyRef_d4fc6ef3], result)
 
     @builtins.property
     def custom_threat_protection_mode(
@@ -21819,13 +22518,13 @@ class UserPoolProps:
         return typing.cast(typing.Optional[SignInPolicy], result)
 
     @builtins.property
-    def sms_role(self) -> typing.Optional[_IRole_235f5d8e]:
+    def sms_role(self) -> typing.Optional[_IRoleRef_8400221f]:
         '''The IAM role that Cognito will assume while sending SMS messages.
 
         :default: - a new IAM role is created.
         '''
         result = self._values.get("sms_role")
-        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+        return typing.cast(typing.Optional[_IRoleRef_8400221f], result)
 
     @builtins.property
     def sms_role_external_id(self) -> typing.Optional[builtins.str]:
@@ -22009,6 +22708,12 @@ class UserPoolResourceServer(
             check_type(argname="argument user_pool_resource_server_id", value=user_pool_resource_server_id, expected_type=type_hints["user_pool_resource_server_id"])
         return typing.cast(IUserPoolResourceServer, jsii.sinvoke(cls, "fromUserPoolResourceServerId", [scope, id, user_pool_resource_server_id]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="userPoolResourceServerId")
     def user_pool_resource_server_id(self) -> builtins.str:
@@ -23745,6 +24450,8 @@ __all__ = [
     "CfnLogDeliveryConfigurationProps",
     "CfnManagedLoginBranding",
     "CfnManagedLoginBrandingProps",
+    "CfnTerms",
+    "CfnTermsProps",
     "CfnUserPool",
     "CfnUserPoolClient",
     "CfnUserPoolClientProps",
@@ -23869,7 +24576,7 @@ def _typecheckingstub__f67277ee392b3c256b3bd87e4afcb7bb83df8d226097757f9c9261034
     application: typing.Optional[_CfnApp_e8bac60b] = None,
     application_id: typing.Optional[builtins.str] = None,
     external_id: typing.Optional[builtins.str] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional[_IRoleRef_8400221f] = None,
     share_user_data: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
@@ -23946,6 +24653,14 @@ def _typecheckingstub__d5156c08d9bb3b0ceca6f4ec485d84f9775d7be40128a6614e1b9cbf0
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__23c766eb59af70f92541dfd9c9cae67b99255f21efd59868b8feff44354f4e77(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    identity_pool_id: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d0046422699f4c95c1d9df0a173b8caf8590dc3fcb3ada38e03f96cba1a359bc(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -24368,6 +25083,80 @@ def _typecheckingstub__60e207e1aa2ab8ae23b36c3e1ae73765c6f328b13bf0c7b205865e93a
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__60ed6baa47f9012cc57d9cef7e22f15d5f04fd45aa55fc0e8672f7e89ef3f146(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    enforcement: builtins.str,
+    links: typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b],
+    terms_name: builtins.str,
+    terms_source: builtins.str,
+    user_pool_id: builtins.str,
+    client_id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0c857e95caaea9926ffb4e0ab5c3a0bb7d8a82c05cf7bd42adce1312c203e7a6(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__9dddb891f6e734bbc549324d30543ba3d862fb957be34e904236132737d7b71a(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f61b831431a9a8cd9abc071d0372ef9f7481c4297f99d22362f79e4456530000(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__4f9dfce3805ce6a5b41ec8b8adeb160b16b2bb09e9af48569f2f3a28a1301c36(
+    value: typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__68b51d1ab80adde15516db14033542fe90da3c6c88f931ab391ca9a06f2b57a2(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d5aa2b8f439bae6d46ca78a5e059a5ed10c4d8f1fa1e7624f714272d8d13b98e(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__bedec026b3875318368cb2e1f7df8e4146e8efed23c452b2176302d00eac9db3(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b52c4f91e8237836ed692eed70ef894814f27cdb9a5c5fe5278b59f348ab3bb9(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__285db7e3bc95478b571785bee7fa49951055cef4d8266009ed59e73fea5e4d4e(
+    *,
+    enforcement: builtins.str,
+    links: typing.Union[typing.Mapping[builtins.str, builtins.str], _IResolvable_da3f097b],
+    terms_name: builtins.str,
+    terms_source: builtins.str,
+    user_pool_id: builtins.str,
+    client_id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc37ee551(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -24405,6 +25194,22 @@ def _typecheckingstub__32d20f28e2758f9a461380e2ed5d06233baf0f45541047ba837f26ebc
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__50cb94accc8d60746f0970af6f3f1428a04180d1d6c471b7ebb0c7eeaf6f5e11(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__77bca4d59ea1b80508c0fd60c8f34e3c4dff94c3e5dada90fee904207040ff1a(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    user_pool_id: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__190e7831a65154362cd300369d61a522f7add5d60374fc990db7dd8ecb232388(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -25740,6 +26545,7 @@ def _typecheckingstub__6eaa0ebaf797c6ac4bac11bd73d9ad61c50892a9450e0ff5880903434
     o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
     prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
     read_attributes: typing.Optional[ClientAttributes] = None,
+    refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
     supported_identity_providers: typing.Optional[typing.Sequence[UserPoolClientIdentityProvider]] = None,
     user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -25764,7 +26570,7 @@ def _typecheckingstub__e70d406698753c50dbab4e4d1f9837fc55e7c713f52b3937d20745b5a
     description: typing.Optional[builtins.str] = None,
     group_name: typing.Optional[builtins.str] = None,
     precedence: typing.Optional[jsii.Number] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional[_IRoleRef_8400221f] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -26012,7 +26818,7 @@ def _typecheckingstub__677a8ec9a3f2a22d2dfde6fd6818121e4a071dc4e942f6bbe219e5a9b
     advanced_security_mode: typing.Optional[AdvancedSecurityMode] = None,
     auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
-    custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+    custom_sender_kms_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
     custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -26032,7 +26838,7 @@ def _typecheckingstub__677a8ec9a3f2a22d2dfde6fd6818121e4a071dc4e942f6bbe219e5a9b
     sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
     sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
     sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
-    sms_role: typing.Optional[_IRole_235f5d8e] = None,
+    sms_role: typing.Optional[_IRoleRef_8400221f] = None,
     sms_role_external_id: typing.Optional[builtins.str] = None,
     sns_region: typing.Optional[builtins.str] = None,
     standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -26075,6 +26881,7 @@ def _typecheckingstub__b4ce1f762a6eeaca3920ca827a1685cfa2b670f96aa13d8cfdded4055
     o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
     prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
     read_attributes: typing.Optional[ClientAttributes] = None,
+    refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
     supported_identity_providers: typing.Optional[typing.Sequence[UserPoolClientIdentityProvider]] = None,
     user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -26099,7 +26906,7 @@ def _typecheckingstub__182df28f489c4d9ab970aca99503d45cd2196b431c6ce7b04bb1e3436
     description: typing.Optional[builtins.str] = None,
     group_name: typing.Optional[builtins.str] = None,
     precedence: typing.Optional[jsii.Number] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional[_IRoleRef_8400221f] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -26152,6 +26959,7 @@ def _typecheckingstub__e654de9921a676ab8214720f2ab2c7f212d67a62531595c721560e88c
     o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
     prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
     read_attributes: typing.Optional[ClientAttributes] = None,
+    refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
     supported_identity_providers: typing.Optional[typing.Sequence[UserPoolClientIdentityProvider]] = None,
     user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -26188,6 +26996,7 @@ def _typecheckingstub__80185296586b917ea24ebc48255c627ce95ec5c85ae2ab4e52736240b
     o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
     prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
     read_attributes: typing.Optional[ClientAttributes] = None,
+    refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
     supported_identity_providers: typing.Optional[typing.Sequence[UserPoolClientIdentityProvider]] = None,
     user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -26210,6 +27019,7 @@ def _typecheckingstub__95c8cad8419f2fd5def82ad39281b322b9ec6b2f7d891de939bf1e903
     o_auth: typing.Optional[typing.Union[OAuthSettings, typing.Dict[builtins.str, typing.Any]]] = None,
     prevent_user_existence_errors: typing.Optional[builtins.bool] = None,
     read_attributes: typing.Optional[ClientAttributes] = None,
+    refresh_token_rotation_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     refresh_token_validity: typing.Optional[_Duration_4839e8c3] = None,
     supported_identity_providers: typing.Optional[typing.Sequence[UserPoolClientIdentityProvider]] = None,
     user_pool_client_name: typing.Optional[builtins.str] = None,
@@ -26293,7 +27103,7 @@ def _typecheckingstub__775ac13db76309a928c26a49c092fd74e83d97ad55358f5e3e7abc39c
     description: typing.Optional[builtins.str] = None,
     group_name: typing.Optional[builtins.str] = None,
     precedence: typing.Optional[jsii.Number] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional[_IRoleRef_8400221f] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -26311,7 +27121,7 @@ def _typecheckingstub__a76259212a5e57f1375d5eb2940f0d6cde7a130c86d1a85fc682cc659
     description: typing.Optional[builtins.str] = None,
     group_name: typing.Optional[builtins.str] = None,
     precedence: typing.Optional[jsii.Number] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional[_IRoleRef_8400221f] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -26321,7 +27131,7 @@ def _typecheckingstub__6f5beec5c4d6b11b4325b68ae8691c3f5f2eb75f4aa5ef1c6e333e5df
     description: typing.Optional[builtins.str] = None,
     group_name: typing.Optional[builtins.str] = None,
     precedence: typing.Optional[jsii.Number] = None,
-    role: typing.Optional[_IRole_235f5d8e] = None,
+    role: typing.Optional[_IRoleRef_8400221f] = None,
     user_pool: IUserPool,
 ) -> None:
     """Type checking stubs"""
@@ -26474,7 +27284,7 @@ def _typecheckingstub__754b1af40b4712720733e130c63a8ec0ca9a35d4cfb25450725d5aa02
     advanced_security_mode: typing.Optional[AdvancedSecurityMode] = None,
     auto_verify: typing.Optional[typing.Union[AutoVerifiedAttrs, typing.Dict[builtins.str, typing.Any]]] = None,
     custom_attributes: typing.Optional[typing.Mapping[builtins.str, ICustomAttribute]] = None,
-    custom_sender_kms_key: typing.Optional[_IKey_5f11635f] = None,
+    custom_sender_kms_key: typing.Optional[_IKeyRef_d4fc6ef3] = None,
     custom_threat_protection_mode: typing.Optional[CustomThreatProtectionMode] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
     device_tracking: typing.Optional[typing.Union[DeviceTracking, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -26494,7 +27304,7 @@ def _typecheckingstub__754b1af40b4712720733e130c63a8ec0ca9a35d4cfb25450725d5aa02
     sign_in_aliases: typing.Optional[typing.Union[SignInAliases, typing.Dict[builtins.str, typing.Any]]] = None,
     sign_in_case_sensitive: typing.Optional[builtins.bool] = None,
     sign_in_policy: typing.Optional[typing.Union[SignInPolicy, typing.Dict[builtins.str, typing.Any]]] = None,
-    sms_role: typing.Optional[_IRole_235f5d8e] = None,
+    sms_role: typing.Optional[_IRoleRef_8400221f] = None,
     sms_role_external_id: typing.Optional[builtins.str] = None,
     sns_region: typing.Optional[builtins.str] = None,
     standard_attributes: typing.Optional[typing.Union[StandardAttributes, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -26649,3 +27459,6 @@ def _typecheckingstub__b7df3aca94dedaeba54fe7b775b3935c8ba1292a6334855a44eadaaf7
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [ICustomAttribute, IUserPool, IUserPoolClient, IUserPoolDomain, IUserPoolGroup, IUserPoolIdentityProvider, IUserPoolResourceServer]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])