From d34290b4a96c05c29c6157e6544e69ba3b16304a Mon Sep 17 00:00:00 2001 From: AWS <> Date: Fri, 21 Oct 2022 20:06:09 +0000 Subject: [PATCH] Amazon Cognito Identity Provider Update: This release adds a new "DeletionProtection" field to the UserPool in Cognito. Application admins can configure this value with either ACTIVE or INACTIVE value. Setting this field to ACTIVE will prevent a user pool from accidental deletion. --- ...AmazonCognitoIdentityProvider-3e50d70.json | 6 + .../codegen-resources/endpoint-tests.json | 332 +++++++++--------- .../codegen-resources/service-2.json | 66 ++-- 3 files changed, 216 insertions(+), 188 deletions(-) create mode 100644 .changes/next-release/feature-AmazonCognitoIdentityProvider-3e50d70.json diff --git a/.changes/next-release/feature-AmazonCognitoIdentityProvider-3e50d70.json b/.changes/next-release/feature-AmazonCognitoIdentityProvider-3e50d70.json new file mode 100644 index 000000000000..42f8d69148d1 --- /dev/null +++ b/.changes/next-release/feature-AmazonCognitoIdentityProvider-3e50d70.json @@ -0,0 +1,6 @@ +{ + "type": "feature", + "category": "Amazon Cognito Identity Provider", + "contributor": "", + "description": "This release adds a new \"DeletionProtection\" field to the UserPool in Cognito. Application admins can configure this value with either ACTIVE or INACTIVE value. Setting this field to ACTIVE will prevent a user pool from accidental deletion." +} diff --git a/services/cognitoidentityprovider/src/main/resources/codegen-resources/endpoint-tests.json b/services/cognitoidentityprovider/src/main/resources/codegen-resources/endpoint-tests.json index e6936a350e67..2e9849ac5e9f 100644 --- a/services/cognitoidentityprovider/src/main/resources/codegen-resources/endpoint-tests.json +++ b/services/cognitoidentityprovider/src/main/resources/codegen-resources/endpoint-tests.json @@ -8,9 +8,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "ap-south-1", - "UseFIPS": true + "UseDualStack": true } }, { 
@@ -21,9 +21,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "ap-south-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -34,9 +34,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "ap-south-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -47,9 +47,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "ap-south-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -60,9 +60,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "eu-south-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -73,9 +73,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "eu-south-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -86,9 +86,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "eu-south-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -99,9 +99,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "eu-south-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -112,9 +112,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "ca-central-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -125,9 +125,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "ca-central-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -138,9 +138,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "ca-central-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -151,9 +151,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "ca-central-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -164,9 +164,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "eu-central-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -177,9 +177,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "eu-central-1", - "UseFIPS": true + "UseDualStack": false } }, { 
@@ -190,9 +190,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "eu-central-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -203,9 +203,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "eu-central-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -216,9 +216,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "us-west-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -229,9 +229,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "us-west-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -242,9 +242,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "us-west-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -255,9 +255,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "us-west-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -268,9 +268,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "us-west-2", - "UseFIPS": true + "UseDualStack": true } }, { @@ -281,9 +281,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "us-west-2", - "UseFIPS": true + "UseDualStack": false } }, { @@ -294,9 +294,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "us-west-2", - "UseFIPS": false + "UseDualStack": true } }, { @@ -307,9 +307,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "us-west-2", - "UseFIPS": false + "UseDualStack": false } }, { @@ -320,9 +320,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "eu-north-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -333,9 +333,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "eu-north-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -346,9 +346,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "eu-north-1", - "UseFIPS": false + "UseDualStack": true } }, { 
@@ -359,9 +359,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "eu-north-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -372,9 +372,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "eu-west-3", - "UseFIPS": true + "UseDualStack": true } }, { @@ -385,9 +385,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "eu-west-3", - "UseFIPS": true + "UseDualStack": false } }, { @@ -398,9 +398,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "eu-west-3", - "UseFIPS": false + "UseDualStack": true } }, { @@ -411,9 +411,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "eu-west-3", - "UseFIPS": false + "UseDualStack": false } }, { @@ -424,9 +424,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "eu-west-2", - "UseFIPS": true + "UseDualStack": true } }, { @@ -437,9 +437,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "eu-west-2", - "UseFIPS": true + "UseDualStack": false } }, { @@ -450,9 +450,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "eu-west-2", - "UseFIPS": false + "UseDualStack": true } }, { @@ -463,9 +463,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "eu-west-2", - "UseFIPS": false + "UseDualStack": false } }, { @@ -476,9 +476,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "eu-west-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -489,9 +489,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "eu-west-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -502,9 +502,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "eu-west-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -515,9 +515,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "eu-west-1", - "UseFIPS": false + "UseDualStack": false } }, { 
@@ -528,9 +528,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "ap-northeast-2", - "UseFIPS": true + "UseDualStack": true } }, { @@ -541,9 +541,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "ap-northeast-2", - "UseFIPS": true + "UseDualStack": false } }, { @@ -554,9 +554,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "ap-northeast-2", - "UseFIPS": false + "UseDualStack": true } }, { @@ -567,9 +567,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "ap-northeast-2", - "UseFIPS": false + "UseDualStack": false } }, { @@ -580,9 +580,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "ap-northeast-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -593,9 +593,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "ap-northeast-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -606,9 +606,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "ap-northeast-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -619,9 +619,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "ap-northeast-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -632,9 +632,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "me-south-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -645,9 +645,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "me-south-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -658,9 +658,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "me-south-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -671,9 +671,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "me-south-1", - "UseFIPS": false + "UseDualStack": false } }, { 
@@ -684,9 +684,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "sa-east-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -697,9 +697,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "sa-east-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -710,9 +710,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "sa-east-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -723,9 +723,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "sa-east-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -736,9 +736,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "ap-east-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -749,9 +749,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "ap-east-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -762,9 +762,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "ap-east-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -775,9 +775,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "ap-east-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -788,9 +788,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "us-gov-west-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -801,9 +801,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "us-gov-west-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -814,9 +814,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "us-gov-west-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -827,9 +827,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "us-gov-west-1", - "UseFIPS": false + "UseDualStack": false } }, { 
@@ -840,9 +840,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "ap-southeast-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -853,9 +853,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "ap-southeast-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -866,9 +866,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "ap-southeast-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -879,9 +879,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "ap-southeast-1", - "UseFIPS": false + "UseDualStack": false } }, { @@ -892,9 +892,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "ap-southeast-2", - "UseFIPS": true + "UseDualStack": true } }, { @@ -905,9 +905,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "ap-southeast-2", - "UseFIPS": true + "UseDualStack": false } }, { @@ -918,9 +918,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "ap-southeast-2", - "UseFIPS": false + "UseDualStack": true } }, { @@ -931,9 +931,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "ap-southeast-2", - "UseFIPS": false + "UseDualStack": false } }, { @@ -944,9 +944,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "us-east-1", - "UseFIPS": true + "UseDualStack": true } }, { @@ -957,9 +957,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "us-east-1", - "UseFIPS": true + "UseDualStack": false } }, { @@ -970,9 +970,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "us-east-1", - "UseFIPS": false + "UseDualStack": true } }, { @@ -983,9 +983,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "us-east-1", - "UseFIPS": false + "UseDualStack": false } }, { 
@@ -996,9 +996,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": true, "Region": "us-east-2", - "UseFIPS": true + "UseDualStack": true } }, { @@ -1009,9 +1009,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": true, "Region": "us-east-2", - "UseFIPS": true + "UseDualStack": false } }, { @@ -1022,9 +1022,9 @@ } }, "params": { - "UseDualStack": true, + "UseFIPS": false, "Region": "us-east-2", - "UseFIPS": false + "UseDualStack": true } }, { @@ -1035,9 +1035,9 @@ } }, "params": { - "UseDualStack": false, + "UseFIPS": false, "Region": "us-east-2", - "UseFIPS": false + "UseDualStack": false } }, { @@ -1048,9 +1048,9 @@ } }, "params": { - "UseDualStack": false, - "Region": "us-east-1", "UseFIPS": false, + "Region": "us-east-1", + "UseDualStack": false, "Endpoint": "https://example.com" } }, @@ -1060,9 +1060,9 @@ "error": "Invalid Configuration: FIPS and custom endpoint are not supported" }, "params": { - "UseDualStack": false, - "Region": "us-east-1", "UseFIPS": true, + "Region": "us-east-1", + "UseDualStack": false, "Endpoint": "https://example.com" } }, @@ -1072,9 +1072,9 @@ "error": "Invalid Configuration: Dualstack and custom endpoint are not supported" }, "params": { - "UseDualStack": true, - "Region": "us-east-1", "UseFIPS": false, + "Region": "us-east-1", + "UseDualStack": true, "Endpoint": "https://example.com" } } diff --git a/services/cognitoidentityprovider/src/main/resources/codegen-resources/service-2.json b/services/cognitoidentityprovider/src/main/resources/codegen-resources/service-2.json index cacee2a1e148..68d68540de9d 100644 --- a/services/cognitoidentityprovider/src/main/resources/codegen-resources/service-2.json +++ b/services/cognitoidentityprovider/src/main/resources/codegen-resources/service-2.json @@ -168,7 +168,7 @@ {"shape":"UserNotFoundException"}, {"shape":"InternalErrorException"} ], - "documentation":"

Disables the specified user.

Calling this action requires developer credentials.

" + "documentation":"

Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to GetUser and ListUsers API requests.

You must make this API request with Amazon Web Services credentials that have cognito-idp:AdminDisableUser permissions.

" }, "AdminEnableUser":{ "name":"AdminEnableUser", @@ -838,6 +838,7 @@ "errors":[ {"shape":"InvalidParameterException"}, {"shape":"UnsupportedIdentityProviderException"}, + {"shape":"ConcurrentModificationException"}, {"shape":"ResourceNotFoundException"}, {"shape":"NotAuthorizedException"}, {"shape":"TooManyRequestsException"}, @@ -933,6 +934,7 @@ {"shape":"InvalidParameterException"}, {"shape":"TooManyRequestsException"}, {"shape":"NotAuthorizedException"}, + {"shape":"ConcurrentModificationException"}, {"shape":"InternalErrorException"} ], "documentation":"

Allows the developer to delete the user pool client.

" @@ -1208,7 +1210,7 @@ {"shape":"InvalidParameterException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"

This method takes a user pool ID, and returns the signing certificate.

" + "documentation":"

This method takes a user pool ID, and returns the signing certificate. The issued certificate is valid for 10 years from the date of issue.

Amazon Cognito issues and assigns a new signing certificate annually. This process returns a new value in the response to GetSigningCertificate, but doesn't invalidate the original certificate.

" }, "GetUICustomization":{ "name":"GetUICustomization", @@ -1314,7 +1316,7 @@ {"shape":"InternalErrorException"}, {"shape":"ForbiddenException"} ], - "documentation":"

Signs out users from all devices. It also invalidates all refresh tokens that Amazon Cognito has issued to a user. The user's current access and ID tokens remain valid until their expiry. By default, access and ID tokens expire one hour after Amazon Cognito issues them. A user can still use a hosted UI cookie to retrieve new tokens for the duration of the cookie validity period of 1 hour.

" + "documentation":"

Signs out users from all devices. It also invalidates all refresh tokens that Amazon Cognito has issued to a user. A user can still use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie validity period.

" }, "InitiateAuth":{ "name":"InitiateAuth", @@ -1597,7 +1599,7 @@ {"shape":"UnsupportedTokenTypeException"}, {"shape":"ForbiddenException"} ], - "documentation":"
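Review bot: The rewritten description of the operation that "Signs out users from all devices" (the entry just before `InitiateAuth`) no longer says what happens to access and ID tokens that were already issued; the removed text said they remain valid until expiry, by default one hour. A reader needs that detail to judge how long a signed-out session can still be accepted by a resource server, so the new text should state the current behaviour explicitly. If the old statement still holds, keep it, e.g. `The user's current access and ID tokens remain valid until their expiry.`; if the behaviour changed, say what replaced it, since the diff does not show which is the case. The operation's definition starts outside the hunk.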

Revokes all of the access tokens generated by the specified refresh token. After the token is revoked, you can't use the revoked token to access Amazon Cognito authenticated APIs.

" + "documentation":"

Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.

" }, "SetRiskConfiguration":{ "name":"SetRiskConfiguration", @@ -1864,6 +1866,7 @@ {"shape":"InvalidParameterException"}, {"shape":"UnsupportedIdentityProviderException"}, {"shape":"ResourceNotFoundException"}, + {"shape":"ConcurrentModificationException"}, {"shape":"NotAuthorizedException"}, {"shape":"TooManyRequestsException"}, {"shape":"InternalErrorException"} @@ -2681,7 +2684,7 @@ }, "MaxResults":{ "shape":"QueryLimitType", - "documentation":"

The maximum number of authentication events to return.

" + "documentation":"

The maximum number of authentication events to return. Returns 60 events if you set MaxResults to 0, or if you don't include a MaxResults parameter.

" }, "NextToken":{ "shape":"PaginationKey", @@ -3854,15 +3857,15 @@ }, "RefreshTokenValidity":{ "shape":"RefreshTokenValidityType", - "documentation":"

The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

The default time unit for RefreshTokenValidity in an API request is days. You can't set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

" + "documentation":"

The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

The default time unit for RefreshTokenValidity in an API request is days. You can't set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.

" }, "AccessTokenValidity":{ "shape":"AccessTokenValidityType", - "documentation":"

The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

" + "documentation":"

The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.

" }, "IdTokenValidity":{ "shape":"IdTokenValidityType", - "documentation":"

The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

" + "documentation":"

The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.

" }, "TokenValidityUnits":{ "shape":"TokenValidityUnitsType", @@ -3878,7 +3881,7 @@ }, "ExplicitAuthFlows":{ "shape":"ExplicitAuthFlowsListType", - "documentation":"
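Review bot: In the new `IdTokenValidity` documentation the sentence about the default unit still names the wrong field: `The default time unit for AccessTokenValidity in an API request is hours.` It looks carried over from the `AccessTokenValidity` entry above and should read `The default time unit for IdTokenValidity in an API request is hours.` This change already rewrites the string to add the one-hour default, so the fix fits here. The enclosing shape starts outside the hunk.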

The authentication flows that are supported by the user pool clients. Flow names without the ALLOW_ prefix are no longer supported, in favor of new names with the ALLOW_ prefix.

Values with ALLOW_ prefix must be used only along with the ALLOW_ prefix.

Valid values include:

ALLOW_ADMIN_USER_PASSWORD_AUTH

Enable admin based user password authentication flow ADMIN_USER_PASSWORD_AUTH. This setting replaces the ADMIN_NO_SRP_AUTH setting. With this authentication flow, Amazon Cognito receives the password in the request instead of using the Secure Remote Password (SRP) protocol to verify passwords.

ALLOW_CUSTOM_AUTH

Enable Lambda trigger based authentication.

ALLOW_USER_PASSWORD_AUTH

Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.

ALLOW_USER_SRP_AUTH

Enable SRP-based authentication.

ALLOW_REFRESH_TOKEN_AUTH

Enable the authflow that refreshes tokens.

If you don't specify a value for ExplicitAuthFlows, your user client supports ALLOW_USER_SRP_AUTH and ALLOW_CUSTOM_AUTH.

" + "documentation":"

The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.

If you don't specify a value for ExplicitAuthFlows, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

Valid values include:

In some environments, you will see the values ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, or USER_PASSWORD_AUTH. You can't assign these legacy ExplicitAuthFlows values to user pool clients at the same time as values that begin with ALLOW_, like ALLOW_USER_SRP_AUTH.

" }, "SupportedIdentityProviders":{ "shape":"SupportedIdentityProvidersListType", @@ -3983,6 +3986,10 @@ "shape":"UserPoolPolicyType", "documentation":"

The policies associated with the new user pool.

" }, + "DeletionProtection":{ + "shape":"DeletionProtectionType", + "documentation":"

When active, DeletionProtection prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature.

When you try to delete a protected user pool in a DeleteUserPool API request, Amazon Cognito returns an InvalidParameterException error. To delete a protected user pool, send a new DeleteUserPool request after you deactivate deletion protection in an UpdateUserPool API request.

" + }, "LambdaConfig":{ "shape":"LambdaConfigType", "documentation":"

The Lambda trigger configuration information for the new user pool.

In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function.

For more information on using the Lambda API to add permission, see AddPermission .

For adding permission using the CLI, see add-permission .

" @@ -4288,6 +4295,13 @@ }, "documentation":"
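Review bot: The new `DeletionProtection` text does not say which value applies when the field is omitted, so a reader of the model cannot tell whether a newly created user pool is protected. I would add one sentence stating the default, e.g. `If you don't specify a value, DeletionProtection is <default value>.`, with the value confirmed against the service because this diff does not show it. The text should also say that this guards against accidental deletion and is not an access control: by its own description, a caller allowed to send `UpdateUserPool` can deactivate it and then delete the pool, so the `cognito-idp:UpdateUserPool` and `cognito-idp:DeleteUserPool` permissions still need to be scoped. The enclosing request shape starts and ends outside the hunk.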

Represents the request to delete a user.

" }, + "DeletionProtectionType":{ + "type":"string", + "enum":[ + "ACTIVE", + "INACTIVE" + ] + }, "DeliveryMediumListType":{ "type":"list", "member":{"shape":"DeliveryMediumType"} @@ -4322,7 +4336,7 @@ "members":{ "IdentityProvider":{ "shape":"IdentityProviderType", - "documentation":"

The IdP that was deleted.

" + "documentation":"

The identity provider details.

" } } }, @@ -4637,7 +4651,7 @@ }, "EmailSendingAccount":{ "shape":"EmailSendingAccountType", - "documentation":"

Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following values:

COGNITO_DEFAULT

When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration.

To look up the email delivery limit for the default option, see Limits in in the Developer Guide.

The default FROM address is no-reply@verificationemail.com. To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for the SourceArn parameter.

DEVELOPER

When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your Amazon Web Services account.

If you use this option, provide the ARN of an Amazon SES verified email address for the SourceArn parameter.

Before Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a service-linked role, which is a type of role, in your Amazon Web Services account. This role contains the permissions that allow to access Amazon SES and send email messages with your address. For more information about the service-linked role that Amazon Cognito creates, see Using Service-Linked Roles for Amazon Cognito in the Amazon Cognito Developer Guide.

" + "documentation":"

Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration. Specify one of the following values:

COGNITO_DEFAULT

When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration.

To look up the email delivery limit for the default option, see Limits in the Amazon Cognito Developer Guide.

The default FROM address is no-reply@verificationemail.com. To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for the SourceArn parameter.

DEVELOPER

When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your Amazon Web Services account.

If you use this option, provide the ARN of an Amazon SES verified email address for the SourceArn parameter.

Before Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a service-linked role, which is a type of role in your Amazon Web Services account. This role contains the permissions that allow you to access Amazon SES and send email messages from your email address. For more information about the service-linked role that Amazon Cognito creates, see Using Service-Linked Roles for Amazon Cognito in the Amazon Cognito Developer Guide.

" }, "From":{ "shape":"StringType", @@ -5010,7 +5024,7 @@ "members":{ "IdentityProvider":{ "shape":"IdentityProviderType", - "documentation":"

The IdP object.

" + "documentation":"

The identity provider details.

" } } }, @@ -6761,7 +6775,7 @@ }, "MfaConfiguration":{ "shape":"UserPoolMfaType", - "documentation":"

The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who have set up an MFA factor can sign in. To learn more, see Adding Multi-Factor Authentication (MFA) to a user pool. Valid values include:

" + "documentation":"

The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who have set up an MFA factor can sign in. To learn more, see Adding Multi-Factor Authentication (MFA) to a user pool. Valid values include:

" } } }, @@ -7378,7 +7392,7 @@ "members":{ "IdentityProvider":{ "shape":"IdentityProviderType", - "documentation":"

The IdP object.

" + "documentation":"

The identity provider details.

" } } }, @@ -7471,15 +7485,15 @@ }, "RefreshTokenValidity":{ "shape":"RefreshTokenValidityType", - "documentation":"

The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

The default time unit for RefreshTokenValidity in an API request is days. You can't set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

" + "documentation":"

The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

The default time unit for RefreshTokenValidity in an API request is days. You can't set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.

" }, "AccessTokenValidity":{ "shape":"AccessTokenValidityType", - "documentation":"

The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

" + "documentation":"

The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.

" }, "IdTokenValidity":{ "shape":"IdTokenValidityType", - "documentation":"

The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

" + "documentation":"

The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.

" }, "TokenValidityUnits":{ "shape":"TokenValidityUnitsType", @@ -7495,7 +7509,7 @@ }, "ExplicitAuthFlows":{ "shape":"ExplicitAuthFlowsListType", - "documentation":"
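Review bot: The new `IdTokenValidity` text still reads `The default time unit for AccessTokenValidity in an API request is hours.`, carried over unchanged from the old side, so the ID token entry names the wrong parameter. It should read `The default time unit for IdTokenValidity in an API request is hours.` The same sentence appears in the `IdTokenValidity` entry of the later hunk at `@@ -7911,15 +7929,15 @@`. Token lifetimes are a security setting and the added default sentence ("valid for one hour") sits directly under the mislabelled one, so both are worth fixing together.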

The authentication flows that are supported by the user pool clients. Flow names without the ALLOW_ prefix are no longer supported in favor of new names with the ALLOW_ prefix. Note that values with ALLOW_ prefix must be used only along with values with the ALLOW_ prefix.

Valid values include:

" + "documentation":"

The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.

If you don't specify a value for ExplicitAuthFlows, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

Valid values include:

In some environments, you will see the values ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, or USER_PASSWORD_AUTH. You can't assign these legacy ExplicitAuthFlows values to user pool clients at the same time as values that begin with ALLOW_, like ALLOW_USER_SRP_AUTH.

" }, "SupportedIdentityProviders":{ "shape":"SupportedIdentityProvidersListType", @@ -7603,6 +7617,10 @@ "shape":"UserPoolPolicyType", "documentation":"
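Review bot: The rewritten `ExplicitAuthFlows` text no longer says whether the legacy values are still accepted. The removed wording stated that names without the `ALLOW_` prefix are no longer supported, while the new closing paragraph only says they can't be combined with `ALLOW_` values. A reader choosing flows for an app client cannot tell from this whether `ADMIN_NO_SRP_AUTH`, `CUSTOM_AUTH_FLOW_ONLY` or `USER_PASSWORD_AUTH` can still be set on their own, so I would add one sentence saying so either way. As a minor wording point, `your user client supports` should probably be `your app client supports`, matching the rest of the paragraph. Both remarks also apply to the hunk at `@@ -7935,7 +7953,7 @@`.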

A container with the policies you want to update in a user pool.

" }, + "DeletionProtection":{ + "shape":"DeletionProtectionType", + "documentation":"

When active, DeletionProtection prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature.

When you try to delete a protected user pool in a DeleteUserPool API request, Amazon Cognito returns an InvalidParameterException error. To delete a protected user pool, send a new DeleteUserPool request after you deactivate deletion protection in an UpdateUserPool API request.

" + }, "LambdaConfig":{ "shape":"LambdaConfigType", "documentation":"

The Lambda configuration information from the request to update the user pool.

" @@ -7911,15 +7929,15 @@ }, "RefreshTokenValidity":{ "shape":"RefreshTokenValidityType", - "documentation":"
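Review bot: The `DeletionProtection` documentation says "When active" but never names the accepted values or the default, so a reader of this member cannot tell how to turn the protection on or whether an existing pool is protected. The commit description gives the values as ACTIVE and INACTIVE; I would add a sentence such as `Valid values are ACTIVE and INACTIVE.` plus the default (the `DeletionProtectionType` shape is not visible in this hunk, so confirm against it). Judging by the neighbouring member text, this member appears to sit on the update request, so it would also help to state what an `UpdateUserPool` call that omits `DeletionProtection` does to a pool where it is ACTIVE. The same text is added in the hunk at `@@ -8085,6 +8103,10 @@`.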

The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

The default time unit for RefreshTokenValidity in an API request is days. You can't set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

" + "documentation":"

The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

The default time unit for RefreshTokenValidity in an API request is days. You can't set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.

" }, "AccessTokenValidity":{ "shape":"AccessTokenValidityType", - "documentation":"

The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

" + "documentation":"

The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.

" }, "IdTokenValidity":{ "shape":"IdTokenValidityType", - "documentation":"

The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

" + "documentation":"

The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.

" }, "TokenValidityUnits":{ "shape":"TokenValidityUnitsType", @@ -7935,7 +7953,7 @@ }, "ExplicitAuthFlows":{ "shape":"ExplicitAuthFlowsListType", - "documentation":"

The authentication flows that are supported by the user pool clients. Flow names without the ALLOW_ prefix are no longer supported in favor of new names with the ALLOW_ prefix. Note that values with ALLOW_ prefix must be used only along with values including the ALLOW_ prefix.

Valid values include:

" + "documentation":"

The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.

If you don't specify a value for ExplicitAuthFlows, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

Valid values include:

In some environments, you will see the values ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, or USER_PASSWORD_AUTH. You can't assign these legacy ExplicitAuthFlows values to user pool clients at the same time as values that begin with ALLOW_, like ALLOW_USER_SRP_AUTH.

" }, "SupportedIdentityProviders":{ "shape":"SupportedIdentityProvidersListType", @@ -8085,6 +8103,10 @@ "shape":"UserPoolPolicyType", "documentation":"

The policies associated with the user pool.

" }, + "DeletionProtection":{ + "shape":"DeletionProtectionType", + "documentation":"

When active, DeletionProtection prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature.

When you try to delete a protected user pool in a DeleteUserPool API request, Amazon Cognito returns an InvalidParameterException error. To delete a protected user pool, send a new DeleteUserPool request after you deactivate deletion protection in an UpdateUserPool API request.

" + }, "LambdaConfig":{ "shape":"LambdaConfigType", "documentation":"

The Lambda triggers associated with the user pool.

"