Commit

feat(client-cognito-identity-provider): Advanced security feature updates to include password history and log export for Cognito user pools.
awstools committed Aug 6, 2024
1 parent d88855e commit f35898e
Showing 30 changed files with 416 additions and 149 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -2168,7 +2168,7 @@ export interface CognitoIdentityProvider {
/**
* <p>With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To
* authenticate users from third-party identity providers (IdPs) in this API, you can
* <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html">link IdP users to native user profiles</a>. Learn more
* <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html">link IdP users to native user profiles</a>. Learn more
* about the authentication and authorization of federated users at <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html">Adding user pool sign-in through a third party</a> and in the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html">User pool federation endpoints and hosted UI reference</a>.</p>
* <p>This API reference provides detailed information about API operations and object types
* in Amazon Cognito.</p>
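Review bot: The removed and added `link IdP users to native user profiles` lines in this hunk read identically, so the change is whitespace only. The same pattern repeats in the `Command Line Interface`, `SDK for JavaScript` and `InvalidSmsRoleTrustRelationshipException` hunks further down and buries the two functional changes of this commit (password history, log export) in noise. Consider normalizing doc-comment whitespace in the generator so that regeneration does not produce these hunks.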
Expand Down Expand Up @@ -2200,7 +2200,7 @@ export interface CognitoIdentityProvider {
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/index.html#cli-aws-cognito-idp">Amazon Web Services
* Command Line Interface</a>
* Command Line Interface</a>
* </p>
* </li>
* <li>
Expand All @@ -2226,13 +2226,13 @@ export interface CognitoIdentityProvider {
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html">Amazon Web Services
* SDK for JavaScript</a>
* SDK for JavaScript</a>
* </p>
* </li>
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html">Amazon Web Services SDK for PHP
* V3</a>
* V3</a>
* </p>
* </li>
* <li>
Expand All @@ -2243,7 +2243,7 @@ export interface CognitoIdentityProvider {
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Client.html">Amazon Web Services SDK
* for Ruby V3</a>
* for Ruby V3</a>
* </p>
* </li>
* </ul>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -731,7 +731,7 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden
/**
* <p>With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To
* authenticate users from third-party identity providers (IdPs) in this API, you can
* <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html">link IdP users to native user profiles</a>. Learn more
* <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html">link IdP users to native user profiles</a>. Learn more
* about the authentication and authorization of federated users at <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html">Adding user pool sign-in through a third party</a> and in the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html">User pool federation endpoints and hosted UI reference</a>.</p>
* <p>This API reference provides detailed information about API operations and object types
* in Amazon Cognito.</p>
Expand Down Expand Up @@ -763,7 +763,7 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/index.html#cli-aws-cognito-idp">Amazon Web Services
* Command Line Interface</a>
* Command Line Interface</a>
* </p>
* </li>
* <li>
Expand All @@ -789,13 +789,13 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html">Amazon Web Services
* SDK for JavaScript</a>
* SDK for JavaScript</a>
* </p>
* </li>
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html">Amazon Web Services SDK for PHP
* V3</a>
* V3</a>
* </p>
* </li>
* <li>
Expand All @@ -806,7 +806,7 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden
* <li>
* <p>
* <a href="https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Client.html">Amazon Web Services SDK
* for Ruby V3</a>
* for Ruby V3</a>
* </p>
* </li>
* </ul>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,15 +36,12 @@ export interface AdminConfirmSignUpCommandInput extends AdminConfirmSignUpReques
export interface AdminConfirmSignUpCommandOutput extends AdminConfirmSignUpResponse, __MetadataBearer {}

/**
* <p>This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user
* when they signed up in your user pool. After your user enters their code, they confirm
* ownership of the email address or phone number that they provided, and their user
* account becomes active. Depending on your user pool configuration, your users will
* receive their confirmation code in an email or SMS message.</p>
* <p>Local users who signed up in your user pool are the only type of user who can confirm
* sign-up with a code. Users who federate through an external identity provider (IdP) have
* already been confirmed by their IdP. Administrator-created users confirm their accounts
* when they respond to their invitation email message and choose a password.</p>
* <p>This IAM-authenticated API operation confirms user sign-up as an administrator.
* Unlike <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmSignUp.html">ConfirmSignUp</a>, your IAM credentials authorize user account confirmation.
* No confirmation code is required.</p>
* <p>This request sets a user account active in a user pool that <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#signing-up-users-in-your-app-and-confirming-them-as-admin">requires confirmation of new user accounts</a> before they can sign in. You can
* configure your user pool to not send confirmation codes to new users and instead confirm
* them with this API operation on the back end.</p>
* <note>
* <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
* this operation, you must use IAM credentials to authorize requests, and you must
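Review bot: The rewritten description says "No confirmation code is required" but no longer says what confirmation establishes. The removed text tied confirmation to the user proving "ownership of the email address or phone number that they provided"; the new text has the account become active on IAM authorization alone, so it should state whether the email address or phone number is treated as verified afterwards. The removed paragraph on which user types need confirmation at all (local, federated, administrator-created) is also dropped without a replacement and is worth keeping.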
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link NotAuthorizedException} (client fault)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link InvalidUserPoolConfigurationException} (client fault)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link LimitExceededException} (client fault)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,7 @@ export interface AdminRespondToAuthChallengeCommandOutput
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link InvalidUserPoolConfigurationException} (client fault)
Expand All @@ -192,6 +192,10 @@ export interface AdminRespondToAuthChallengeCommandOutput
* @throws {@link NotAuthorizedException} (client fault)
* <p>This exception is thrown when a user isn't authorized.</p>
*
* @throws {@link PasswordHistoryPolicyViolationException} (client fault)
* <p>The message returned when a user's new password matches a previous password and
* doesn't comply with the password-history policy.</p>
*
* @throws {@link PasswordResetRequiredException} (client fault)
* <p>This exception is thrown when a password reset is required.</p>
*
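Review bot: The new `PasswordHistoryPolicyViolationException` entry opens with "The message returned when ..." while the neighbouring entries in this hunk use "This exception is thrown when ...". Suggest matching that wording and naming the setting that controls the check (`PasswordHistorySize`, which this commit adds to the `CreateUserPool` example) so a reader can get from the error to the policy field.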
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,10 @@ export interface AdminSetUserPasswordCommandOutput extends AdminSetUserPasswordR
* @throws {@link NotAuthorizedException} (client fault)
* <p>This exception is thrown when a user isn't authorized.</p>
*
* @throws {@link PasswordHistoryPolicyViolationException} (client fault)
* <p>The message returned when a user's new password matches a previous password and
* doesn't comply with the password-history policy.</p>
*
* @throws {@link ResourceNotFoundException} (client fault)
* <p>This exception is thrown when the Amazon Cognito service can't find the requested
* resource.</p>
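Review bot: The added `@throws` text speaks of "a user's new password", but this is an administrator operation. It should say whether the history check applies to every password set through it, temporary ones included, so that back-end callers know when to expect this error and how to report it to the operator.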
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link NotAuthorizedException} (client fault)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,8 @@ export interface AssociateSoftwareTokenCommandOutput extends AssociateSoftwareTo
* token and your user pool doesn't require MFA, the user can then authenticate with
* user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito
* generates an <code>MFA_SETUP</code> or <code>SOFTWARE_TOKEN_SETUP</code> challenge
* each time your user signs. Complete setup with <code>AssociateSoftwareToken</code>
* and <code>VerifySoftwareToken</code>.</p>
* each time your user signs in. Complete setup with
* <code>AssociateSoftwareToken</code> and <code>VerifySoftwareToken</code>.</p>
* <p>After you set up software token MFA for your user, Amazon Cognito generates a
* <code>SOFTWARE_TOKEN_MFA</code> challenge when they authenticate. Respond to
* this challenge with your user's TOTP.</p>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,10 @@ export interface ChangePasswordCommandOutput extends ChangePasswordResponse, __M
* @throws {@link NotAuthorizedException} (client fault)
* <p>This exception is thrown when a user isn't authorized.</p>
*
* @throws {@link PasswordHistoryPolicyViolationException} (client fault)
* <p>The message returned when a user's new password matches a previous password and
* doesn't comply with the password-history policy.</p>
*
* @throws {@link PasswordResetRequiredException} (client fault)
* <p>This exception is thrown when a password reset is required.</p>
*
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,10 @@ export interface ConfirmForgotPasswordCommandOutput extends ConfirmForgotPasswor
* @throws {@link NotAuthorizedException} (client fault)
* <p>This exception is thrown when a user isn't authorized.</p>
*
* @throws {@link PasswordHistoryPolicyViolationException} (client fault)
* <p>The message returned when a user's new password matches a previous password and
* doesn't comply with the password-history policy.</p>
*
* @throws {@link ResourceNotFoundException} (client fault)
* <p>This exception is thrown when the Amazon Cognito service can't find the requested
* resource.</p>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
* RequireLowercase: true || false,
* RequireNumbers: true || false,
* RequireSymbols: true || false,
* PasswordHistorySize: Number("int"),
* TemporaryPasswordValidityDays: Number("int"),
* },
* },
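Review bot: `PasswordHistorySize: Number("int")` is added to the example with no hint of the accepted range or of what an omitted or zero value means. Every other field in this policy block is self-explanatory from its name, this one is not; a trailing comment on the line or a pointer to the type's documentation would let a reader set it without guessing.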
Expand Down Expand Up @@ -218,6 +219,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
* // RequireLowercase: true || false,
* // RequireNumbers: true || false,
* // RequireSymbols: true || false,
* // PasswordHistorySize: Number("int"),
* // TemporaryPasswordValidityDays: Number("int"),
* // },
* // },
Expand Down Expand Up @@ -371,7 +373,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link LimitExceededException} (client fault)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ export interface DescribeUserPoolCommandOutput extends DescribeUserPoolResponse,
* // RequireLowercase: true || false,
* // RequireNumbers: true || false,
* // RequireSymbols: true || false,
* // PasswordHistorySize: Number("int"),
* // TemporaryPasswordValidityDays: Number("int"),
* // },
* // },
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link LimitExceededException} (client fault)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ export interface GetLogDeliveryConfigurationCommandOutput
__MetadataBearer {}

/**
* <p>Gets the detailed activity logging configuration for a user pool.</p>
* <p>Gets the logging configuration of a user pool.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
Expand All @@ -51,11 +51,17 @@ export interface GetLogDeliveryConfigurationCommandOutput
* // UserPoolId: "STRING_VALUE", // required
* // LogConfigurations: [ // LogConfigurationListType // required
* // { // LogConfigurationType
* // LogLevel: "ERROR", // required
* // EventSource: "userNotification", // required
* // LogLevel: "ERROR" || "INFO", // required
* // EventSource: "userNotification" || "userAuthEvents", // required
* // CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType
* // LogGroupArn: "STRING_VALUE",
* // },
* // S3Configuration: { // S3ConfigurationType
* // BucketArn: "STRING_VALUE",
* // },
* // FirehoseConfiguration: { // FirehoseConfigurationType
* // StreamArn: "STRING_VALUE",
* // },
* // },
* // ],
* // },
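Review bot: In the sample output one `LogConfigurationType` now lists `CloudWatchLogsConfiguration`, `S3Configuration` and `FirehoseConfiguration` side by side, and `LogLevel` and `EventSource` each gain a second value, but nothing says which combinations are valid. Please document whether the three destinations are alternatives or can be set together, and which `LogLevel` goes with `userAuthEvents`. Since `userAuthEvents` records are delivered to whatever ARN is named here, a pointer to the permissions the destination needs would also help.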
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link LimitExceededException} (client fault)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad
* @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
* <p>This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.</p>
*
* @throws {@link InvalidUserPoolConfigurationException} (client fault)
Expand Down