diff --git a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts index 1a3ca1a77492..3f91c3766a35 100644 --- a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts +++ b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts @@ -2168,7 +2168,7 @@ export interface CognitoIdentityProvider { /** *
With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To * authenticate users from third-party identity providers (IdPs) in this API, you can - * link IdP users to native user profiles. Learn more + * link IdP users to native user profiles. Learn more * about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
*This API reference provides detailed information about API operations and object types * in Amazon Cognito.
@@ -2200,7 +2200,7 @@ export interface CognitoIdentityProvider { ** Amazon Web Services - * Command Line Interface + * Command Line Interface *
** Amazon Web Services - * SDK for JavaScript + * SDK for JavaScript *
** Amazon Web Services SDK for PHP - * V3 + * V3 *
** Amazon Web Services SDK - * for Ruby V3 + * for Ruby V3 *
*With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To * authenticate users from third-party identity providers (IdPs) in this API, you can - * link IdP users to native user profiles. Learn more + * link IdP users to native user profiles. Learn more * about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
*This API reference provides detailed information about API operations and object types * in Amazon Cognito.
@@ -763,7 +763,7 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden ** Amazon Web Services - * Command Line Interface + * Command Line Interface *
** Amazon Web Services - * SDK for JavaScript + * SDK for JavaScript *
** Amazon Web Services SDK for PHP - * V3 + * V3 *
** Amazon Web Services SDK - * for Ruby V3 + * for Ruby V3 *
*This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user - * when they signed up in your user pool. After your user enters their code, they confirm - * ownership of the email address or phone number that they provided, and their user - * account becomes active. Depending on your user pool configuration, your users will - * receive their confirmation code in an email or SMS message.
- *Local users who signed up in your user pool are the only type of user who can confirm - * sign-up with a code. Users who federate through an external identity provider (IdP) have - * already been confirmed by their IdP. Administrator-created users confirm their accounts - * when they respond to their invitation email message and choose a password.
+ *This IAM-authenticated API operation confirms user sign-up as an administrator. + * Unlike ConfirmSignUp, your IAM credentials authorize user account confirmation. + * No confirmation code is required.
+ *This request sets a user account active in a user pool that requires confirmation of new user accounts before they can sign in. You can + * configure your user pool to not send confirmation codes to new users and instead confirm + * them with this API operation on the back end.
*Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For * this operation, you must use IAM credentials to authorize requests, and you must diff --git a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts index 2a47386f6c88..593a18fb76dd 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts @@ -171,7 +171,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _ * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when a user isn't authorized.
* + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.
+ * * @throws {@link PasswordResetRequiredException} (client fault) *This exception is thrown when a password reset is required.
* diff --git a/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts index e620c0d67f2c..63bc3158858e 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts @@ -114,6 +114,10 @@ export interface AdminSetUserPasswordCommandOutput extends AdminSetUserPasswordR * @throws {@link NotAuthorizedException} (client fault) *This exception is thrown when a user isn't authorized.
* + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.
+ * * @throws {@link ResourceNotFoundException} (client fault) *This exception is thrown when the Amazon Cognito service can't find the requested * resource.
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts index 9393c68e86f6..32e0280e37c9 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts @@ -139,7 +139,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
MFA_SETUP
or SOFTWARE_TOKEN_SETUP
challenge
- * each time your user signs. Complete setup with AssociateSoftwareToken
- * and VerifySoftwareToken
.
+ * each time your user signs in. Complete setup with
+ * AssociateSoftwareToken
and VerifySoftwareToken
.
* After you set up software token MFA for your user, Amazon Cognito generates a
* SOFTWARE_TOKEN_MFA
challenge when they authenticate. Respond to
* this challenge with your user's TOTP.
This exception is thrown when a user isn't authorized.
* + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.
+ * * @throws {@link PasswordResetRequiredException} (client fault) *This exception is thrown when a password reset is required.
* diff --git a/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts index 987c69f9cdbf..45e9d02cefec 100644 --- a/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts @@ -109,6 +109,10 @@ export interface ConfirmForgotPasswordCommandOutput extends ConfirmForgotPasswor * @throws {@link NotAuthorizedException} (client fault) *This exception is thrown when a user isn't authorized.
* + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.
+ * * @throws {@link ResourceNotFoundException} (client fault) *This exception is thrown when the Amazon Cognito service can't find the requested * resource.
diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts index f655b4cbcd56..9faf64fc5bc9 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts @@ -89,6 +89,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * RequireLowercase: true || false, * RequireNumbers: true || false, * RequireSymbols: true || false, + * PasswordHistorySize: Number("int"), * TemporaryPasswordValidityDays: Number("int"), * }, * }, @@ -218,6 +219,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * // RequireLowercase: true || false, * // RequireNumbers: true || false, * // RequireSymbols: true || false, + * // PasswordHistorySize: Number("int"), * // TemporaryPasswordValidityDays: Number("int"), * // }, * // }, @@ -371,7 +373,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
Gets the detailed activity logging configuration for a user pool.
+ *Gets the logging configuration of a user pool.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -51,11 +51,17 @@ export interface GetLogDeliveryConfigurationCommandOutput * // UserPoolId: "STRING_VALUE", // required * // LogConfigurations: [ // LogConfigurationListType // required * // { // LogConfigurationType - * // LogLevel: "ERROR", // required - * // EventSource: "userNotification", // required + * // LogLevel: "ERROR" || "INFO", // required + * // EventSource: "userNotification" || "userAuthEvents", // required * // CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType * // LogGroupArn: "STRING_VALUE", * // }, + * // S3Configuration: { // S3ConfigurationType + * // BucketArn: "STRING_VALUE", + * // }, + * // FirehoseConfiguration: { // FirehoseConfigurationType + * // StreamArn: "STRING_VALUE", + * // }, * // }, * // ], * // }, diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts index 3309c889c476..ea7b330e218a 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts @@ -128,7 +128,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when a user isn't authorized.
* + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.
+ * * @throws {@link PasswordResetRequiredException} (client fault) *This exception is thrown when a password reset is required.
* diff --git a/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts index 464481414787..13e119540641 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts @@ -10,8 +10,7 @@ import { ServiceOutputTypes, } from "../CognitoIdentityProviderClient"; import { commonParams } from "../endpoint/EndpointParameters"; -import { SetLogDeliveryConfigurationRequest } from "../models/models_0"; -import { SetLogDeliveryConfigurationResponse } from "../models/models_1"; +import { SetLogDeliveryConfigurationRequest, SetLogDeliveryConfigurationResponse } from "../models/models_1"; import { de_SetLogDeliveryConfigurationCommand, se_SetLogDeliveryConfigurationCommand } from "../protocols/Aws_json1_1"; /** @@ -35,7 +34,8 @@ export interface SetLogDeliveryConfigurationCommandOutput __MetadataBearer {} /** - *Sets up or modifies the detailed activity logging configuration of a user pool.
+ *Sets up or modifies the logging configuration of a user pool. User pools can export + * user notification logs and advanced security features user activity logs.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -46,11 +46,17 @@ export interface SetLogDeliveryConfigurationCommandOutput * UserPoolId: "STRING_VALUE", // required * LogConfigurations: [ // LogConfigurationListType // required * { // LogConfigurationType - * LogLevel: "ERROR", // required - * EventSource: "userNotification", // required + * LogLevel: "ERROR" || "INFO", // required + * EventSource: "userNotification" || "userAuthEvents", // required * CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType * LogGroupArn: "STRING_VALUE", * }, + * S3Configuration: { // S3ConfigurationType + * BucketArn: "STRING_VALUE", + * }, + * FirehoseConfiguration: { // FirehoseConfigurationType + * StreamArn: "STRING_VALUE", + * }, * }, * ], * }; @@ -61,11 +67,17 @@ export interface SetLogDeliveryConfigurationCommandOutput * // UserPoolId: "STRING_VALUE", // required * // LogConfigurations: [ // LogConfigurationListType // required * // { // LogConfigurationType - * // LogLevel: "ERROR", // required - * // EventSource: "userNotification", // required + * // LogLevel: "ERROR" || "INFO", // required + * // EventSource: "userNotification" || "userAuthEvents", // required * // CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType * // LogGroupArn: "STRING_VALUE", * // }, + * // S3Configuration: { // S3ConfigurationType + * // BucketArn: "STRING_VALUE", + * // }, + * // FirehoseConfiguration: { // FirehoseConfigurationType + * // StreamArn: "STRING_VALUE", + * // }, * // }, * // ], * // }, diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts index 7a938d7dc8da..ed3c2afd9880 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts @@ -114,7 +114,7 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To * authenticate users from third-party identity providers (IdPs) in this API, you can - * link IdP users to native user profiles. Learn more + * link IdP users to native user profiles. Learn more * about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
*This API reference provides detailed information about API operations and object types * in Amazon Cognito.
@@ -35,7 +35,7 @@ ** Amazon Web Services - * Command Line Interface + * Command Line Interface *
** Amazon Web Services - * SDK for JavaScript + * SDK for JavaScript *
** Amazon Web Services SDK for PHP - * V3 + * V3 *
** Amazon Web Services SDK - * for Ruby V3 + * for Ruby V3 *
*This exception is thrown when the trust relationship is not valid for the role
* provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com
or the external ID provided in the role does
+ * cognito-idp.amazonaws.com
or the external ID provided in the role does
* not match what is provided in the SMS configuration for the user pool.
The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.
+ * @public + */ +export class PasswordHistoryPolicyViolationException extends __BaseException { + readonly name: "PasswordHistoryPolicyViolationException" = "PasswordHistoryPolicyViolationException"; + readonly $fault: "client" = "client"; + /** + * @internal + */ + constructor(opts: __ExceptionOptionTypeThis exception is thrown when the software token time-based one-time password (TOTP) * multi-factor authentication (MFA) isn't activated for the user pool.
@@ -5313,6 +5334,17 @@ export interface PasswordPolicyType { */ RequireSymbols?: boolean; + /** + *The number of previous passwords that you want Amazon Cognito to restrict each user from
+ * reusing. Users can't set a password that matches any of n
previous
+ * passwords, where n
is the value of PasswordHistorySize
.
Password history isn't enforced and isn't displayed in DescribeUserPool responses when you set this value to
+ * 0
or don't provide it. To activate this setting,
+ * advanced security features must be active in your user pool.
The number of days a temporary password is valid in the password policy. If the user * doesn't sign in during this time, an administrator must reset their password. Defaults @@ -6508,6 +6540,7 @@ export interface CreateUserPoolClientRequest { * existence related errors aren't prevented.
* * + *Defaults to LEGACY
when you don't provide a value.
- * LEGACY
- This represents the old behavior of Amazon Cognito where user
+ * LEGACY
- This represents the early behavior of Amazon Cognito where user
* existence related errors aren't prevented.
Defaults to LEGACY
when you don't provide a value.
The ID of the user pool where you want to view detailed activity logging - * configuration.
+ *The ID of the user pool that has the logging configuration that you want to + * view.
* @public */ UserPoolId: string | undefined; } /** - *The CloudWatch logging destination of a user pool detailed activity logging - * configuration.
+ *Configuration for the CloudWatch log group destination of user pool detailed activity + * logging, or of user activity log export with advanced security features.
* @public */ export interface CloudWatchLogsConfigurationType { @@ -7897,6 +7931,7 @@ export interface CloudWatchLogsConfigurationType { * @enum */ export const EventSourceName = { + USER_AUTH_EVENTS: "userAuthEvents", USER_NOTIFICATION: "userNotification", } as const; @@ -7905,12 +7940,27 @@ export const EventSourceName = { */ export type EventSourceName = (typeof EventSourceName)[keyof typeof EventSourceName]; +/** + *Configuration for the Amazon Data Firehose stream destination of user activity log export with + * advanced security features.
+ * @public + */ +export interface FirehoseConfigurationType { + /** + *The ARN of an Amazon Data Firehose stream that's the destination for advanced security + * features log export.
+ * @public + */ + StreamArn?: string; +} + /** * @public * @enum */ export const LogLevel = { ERROR: "ERROR", + INFO: "INFO", } as const; /** @@ -7918,6 +7968,20 @@ export const LogLevel = { */ export type LogLevel = (typeof LogLevel)[keyof typeof LogLevel]; +/** + *Configuration for the Amazon S3 bucket destination of user activity log export with + * advanced security features.
+ * @public + */ +export interface S3ConfigurationType { + /** + *The ARN of an Amazon S3 bucket that's the destination for advanced security features + * log export.
+ * @public + */ + BucketArn?: string; +} + /** *The logging parameters of a user pool.
* @public @@ -7925,37 +7989,63 @@ export type LogLevel = (typeof LogLevel)[keyof typeof LogLevel]; export interface LogConfigurationType { /** *The errorlevel
selection of logs that a user pool sends for detailed
- * activity logging.
userNotification
activity with information about message delivery, choose ERROR
with
+ * CloudWatchLogsConfiguration
. To send userAuthEvents
+ * activity with user logs from advanced security features, choose INFO
with
+ * one of CloudWatchLogsConfiguration
, FirehoseConfiguration
, or
+ * S3Configuration
.
* @public
*/
LogLevel: LogLevel | undefined;
/**
- * The source of events that your user pool sends for detailed activity logging.
+ *The source of events that your user pool sends for logging. To send error-level logs
+ * about user notification activity, set to userNotification
. To send
+ * info-level logs about advanced security features user activity, set to
+ * userAuthEvents
.
The CloudWatch logging destination of a user pool.
+ *The CloudWatch log group destination of user pool detailed activity logs, or of user + * activity log export with advanced security features.
* @public */ CloudWatchLogsConfiguration?: CloudWatchLogsConfigurationType; + + /** + *The Amazon S3 bucket destination of user activity log export with advanced security + * features. To activate this setting, + * advanced security features must be active in your user pool.
+ * @public + */ + S3Configuration?: S3ConfigurationType; + + /** + *The Amazon Data Firehose stream destination of user activity log export with advanced security + * features. To activate this setting, + * advanced security features must be active in your user pool.
+ * @public + */ + FirehoseConfiguration?: FirehoseConfigurationType; } /** - *The logging parameters of a user pool.
+ *The logging parameters of a user pool returned in response to
+ * GetLogDeliveryConfiguration
.
The ID of the user pool where you configured detailed activity logging.
+ *The ID of the user pool where you configured logging.
* @public */ UserPoolId: string | undefined; /** - *The detailed activity logging destination of a user pool.
+ *A logging destination of a user pool. User pools can have multiple logging + * destinations for message-delivery and user-activity logs.
* @public */ LogConfigurations: LogConfigurationType[] | undefined; @@ -7966,7 +8056,7 @@ export interface LogDeliveryConfigurationType { */ export interface GetLogDeliveryConfigurationResponse { /** - *The detailed activity logging configuration of the requested user pool.
+ *The logging configuration of the requested user pool.
* @public */ LogDeliveryConfiguration?: LogDeliveryConfigurationType; @@ -9598,65 +9688,6 @@ export class UnauthorizedException extends __BaseException { } } -/** - *Exception that is thrown when you attempt to perform an operation that isn't enabled - * for the user pool client.
- * @public - */ -export class UnsupportedOperationException extends __BaseException { - readonly name: "UnsupportedOperationException" = "UnsupportedOperationException"; - readonly $fault: "client" = "client"; - /** - * @internal - */ - constructor(opts: __ExceptionOptionTypeException that is thrown when an unsupported token is passed to an operation.
- * @public - */ -export class UnsupportedTokenTypeException extends __BaseException { - readonly name: "UnsupportedTokenTypeException" = "UnsupportedTokenTypeException"; - readonly $fault: "client" = "client"; - /** - * @internal - */ - constructor(opts: __ExceptionOptionTypeThe ID of the user pool where you want to configure detailed activity logging .
- * @public - */ - UserPoolId: string | undefined; - - /** - *A collection of all of the detailed activity logging configurations for a user - * pool.
- * @public - */ - LogConfigurations: LogConfigurationType[] | undefined; -} - /** * @internal */ diff --git a/clients/client-cognito-identity-provider/src/models/models_1.ts b/clients/client-cognito-identity-provider/src/models/models_1.ts index 0d3a519c75bf..c0ba8eab7016 100644 --- a/clients/client-cognito-identity-provider/src/models/models_1.ts +++ b/clients/client-cognito-identity-provider/src/models/models_1.ts @@ -23,6 +23,7 @@ import { GroupType, IdentityProviderType, LambdaConfigType, + LogConfigurationType, LogDeliveryConfigurationType, MFAOptionType, OAuthFlowType, @@ -52,6 +53,64 @@ import { VerifiedAttributeType, } from "./models_0"; +/** + *Exception that is thrown when you attempt to perform an operation that isn't enabled + * for the user pool client.
+ * @public + */ +export class UnsupportedOperationException extends __BaseException { + readonly name: "UnsupportedOperationException" = "UnsupportedOperationException"; + readonly $fault: "client" = "client"; + /** + * @internal + */ + constructor(opts: __ExceptionOptionTypeException that is thrown when an unsupported token is passed to an operation.
+ * @public + */ +export class UnsupportedTokenTypeException extends __BaseException { + readonly name: "UnsupportedTokenTypeException" = "UnsupportedTokenTypeException"; + readonly $fault: "client" = "client"; + /** + * @internal + */ + constructor(opts: __ExceptionOptionTypeThe ID of the user pool where you want to configure logging.
+ * @public + */ + UserPoolId: string | undefined; + + /** + *A collection of the logging configurations for a user pool.
+ * @public + */ + LogConfigurations: LogConfigurationType[] | undefined; +} + /** * @public */ @@ -420,7 +479,7 @@ export interface SignUpResponse { CodeDeliveryDetails?: CodeDeliveryDetailsType; /** - *The UUID of the authenticated user. This isn't the same as + *
The 128-bit ID of the authenticated user. This isn't the same as
* username
.
Defaults to LEGACY
when you don't provide a value.
With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To\n authenticate users from third-party identity providers (IdPs) in this API, you can\n link IdP users to native user profiles. Learn more\n about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
\nThis API reference provides detailed information about API operations and object types\n in Amazon Cognito.
\nAlong with resource management operations, the Amazon Cognito user pools API includes classes\n of operations and authorization models for client-side and server-side authentication of\n users. You can interact with operations in the Amazon Cognito user pools API as any of the\n following subjects.
\nAn administrator who wants to configure user pools, app clients, users,\n groups, or other user pool functions.
\nA server-side app, like a web application, that wants to use its Amazon Web Services\n privileges to manage, authenticate, or authorize a user.
\nA client-side app, like a mobile app, that wants to make unauthenticated\n requests to manage, authenticate, or authorize a user.
\nFor more information, see Using the Amazon Cognito user pools API and user pool endpoints\n in the Amazon Cognito Developer Guide.
\nWith your Amazon Web Services SDK, you can build the logic to support operational flows in every use\n case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started\n with the CognitoIdentityProvider
client in other supported Amazon Web Services\n SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services\n SDKs.
", + "smithy.api#documentation": "With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To\n authenticate users from third-party identity providers (IdPs) in this API, you can\n link IdP users to native user profiles. Learn more\n about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
\nThis API reference provides detailed information about API operations and object types\n in Amazon Cognito.
\nAlong with resource management operations, the Amazon Cognito user pools API includes classes\n of operations and authorization models for client-side and server-side authentication of\n users. You can interact with operations in the Amazon Cognito user pools API as any of the\n following subjects.
\nAn administrator who wants to configure user pools, app clients, users,\n groups, or other user pool functions.
\nA server-side app, like a web application, that wants to use its Amazon Web Services\n privileges to manage, authenticate, or authorize a user.
\nA client-side app, like a mobile app, that wants to make unauthenticated\n requests to manage, authenticate, or authorize a user.
\nFor more information, see Using the Amazon Cognito user pools API and user pool endpoints\n in the Amazon Cognito Developer Guide.
\nWith your Amazon Web Services SDK, you can build the logic to support operational flows in every use\n case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started\n with the CognitoIdentityProvider
client in other supported Amazon Web Services\n SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services\n SDKs.
", "smithy.api#title": "Amazon Cognito Identity Provider", "smithy.api#xmlNamespace": { "uri": "http://cognito-idp.amazonaws.com/doc/2016-04-18/" @@ -1570,7 +1570,7 @@ } ], "traits": { - "smithy.api#documentation": "This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user\n when they signed up in your user pool. After your user enters their code, they confirm\n ownership of the email address or phone number that they provided, and their user\n account becomes active. Depending on your user pool configuration, your users will\n receive their confirmation code in an email or SMS message.
\nLocal users who signed up in your user pool are the only type of user who can confirm\n sign-up with a code. Users who federate through an external identity provider (IdP) have\n already been confirmed by their IdP. Administrator-created users confirm their accounts\n when they respond to their invitation email message and choose a password.
\nAmazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.
\n\n Learn more\n
\n\n Using the Amazon Cognito user pools API and user pool endpoints\n
\nThis IAM-authenticated API operation confirms user sign-up as an administrator.\n Unlike ConfirmSignUp, your IAM credentials authorize user account confirmation.\n No confirmation code is required.
\nThis request sets a user account active in a user pool that requires confirmation of new user accounts before they can sign in. You can\n configure your user pool to not send confirmation codes to new users and instead confirm\n them with this API operation on the back end.
\nAmazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.
\n\n Learn more\n
\n\n Using the Amazon Cognito user pools API and user pool endpoints\n
\nBegins setup of time-based one-time password (TOTP) multi-factor authentication (MFA)\n for a user, with a unique private key that Amazon Cognito generates and returns in the API\n response. You can authorize an AssociateSoftwareToken
request with either\n the user's access token, or a session string from a challenge response that you received\n from Amazon Cognito.
Amazon Cognito disassociates an existing software token when you verify the new token in a\n VerifySoftwareToken API request. If you don't verify the software\n token and your user pool doesn't require MFA, the user can then authenticate with\n user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito\n generates an MFA_SETUP
or SOFTWARE_TOKEN_SETUP
challenge\n each time your user signs. Complete setup with AssociateSoftwareToken
\n and VerifySoftwareToken
.
After you set up software token MFA for your user, Amazon Cognito generates a\n SOFTWARE_TOKEN_MFA
challenge when they authenticate. Respond to\n this challenge with your user's TOTP.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
\nBegins setup of time-based one-time password (TOTP) multi-factor authentication (MFA)\n for a user, with a unique private key that Amazon Cognito generates and returns in the API\n response. You can authorize an AssociateSoftwareToken
request with either\n the user's access token, or a session string from a challenge response that you received\n from Amazon Cognito.
Amazon Cognito disassociates an existing software token when you verify the new token in a\n VerifySoftwareToken API request. If you don't verify the software\n token and your user pool doesn't require MFA, the user can then authenticate with\n user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito\n generates an MFA_SETUP
or SOFTWARE_TOKEN_SETUP
challenge\n each time your user signs in. Complete setup with\n AssociateSoftwareToken
and VerifySoftwareToken
.
After you set up software token MFA for your user, Amazon Cognito generates a\n SOFTWARE_TOKEN_MFA
challenge when they authenticate. Respond to\n this challenge with your user's TOTP.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
\nThe CloudWatch logging destination of a user pool detailed activity logging\n configuration.
" + "smithy.api#documentation": "Configuration for the CloudWatch log group destination of user pool detailed activity\n logging, or of user activity log export with advanced security features.
" } }, "com.amazonaws.cognitoidentityprovider#CodeDeliveryDetailsListType": { @@ -4893,6 +4902,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException" + }, { "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException" }, @@ -6241,7 +6253,7 @@ "PreventUserExistenceErrors": { "target": "com.amazonaws.cognitoidentityprovider#PreventUserExistenceErrorTypes", "traits": { - "smithy.api#documentation": "Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED
and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY
, those APIs return a\n UserNotFoundException
exception if the user doesn't exist in the user\n pool.
Valid values include:
\n\n ENABLED
- This prevents user existence-related errors.
\n LEGACY
- This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.
Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED
and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY
, those APIs return a\n UserNotFoundException
exception if the user doesn't exist in the user\n pool.
Valid values include:
\n\n ENABLED
- This prevents user existence-related errors.
\n LEGACY
- This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.
Defaults to LEGACY
when you don't provide a value.
The ARN of an Amazon Data Firehose stream that's the destination for advanced security\n features log export.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Configuration for the Amazon Data Firehose stream destination of user activity log export with\n advanced security features.
" + } + }, "com.amazonaws.cognitoidentityprovider#ForbiddenException": { "type": "structure", "members": { @@ -8788,7 +8820,7 @@ } ], "traits": { - "smithy.api#documentation": "Gets the detailed activity logging configuration for a user pool.
" + "smithy.api#documentation": "Gets the logging configuration of a user pool.
" } }, "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfigurationRequest": { @@ -8797,7 +8829,7 @@ "UserPoolId": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", "traits": { - "smithy.api#documentation": "The ID of the user pool where you want to view detailed activity logging\n configuration.
", + "smithy.api#documentation": "The ID of the user pool that has the logging configuration that you want to\n view.
", "smithy.api#required": {} } } @@ -8812,7 +8844,7 @@ "LogDeliveryConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#LogDeliveryConfigurationType", "traits": { - "smithy.api#documentation": "The detailed activity logging configuration of the requested user pool.
" + "smithy.api#documentation": "The logging configuration of the requested user pool.
" } } }, @@ -9834,7 +9866,7 @@ } }, "traits": { - "smithy.api#documentation": "This exception is thrown when the trust relationship is not valid for the role\n provided for SMS configuration. This can happen if you don't trust\n cognito-idp.amazonaws.com
or the external ID provided in the role does\n not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the trust relationship is not valid for the role\n provided for SMS configuration. This can happen if you don't trust\n cognito-idp.amazonaws.com
or the external ID provided in the role does\n not match what is provided in the SMS configuration for the user pool.
The errorlevel
selection of logs that a user pool sends for detailed\n activity logging.
The errorlevel
selection of logs that a user pool sends for detailed\n activity logging. To send userNotification
activity with information about message delivery, choose ERROR
with\n CloudWatchLogsConfiguration
. To send userAuthEvents
\n activity with user logs from advanced security features, choose INFO
with\n one of CloudWatchLogsConfiguration
, FirehoseConfiguration
, or\n S3Configuration
.
The source of events that your user pool sends for detailed activity logging.
", + "smithy.api#documentation": "The source of events that your user pool sends for logging. To send error-level logs\n about user notification activity, set to userNotification
. To send\n info-level logs about advanced security features user activity, set to\n userAuthEvents
.
The CloudWatch logging destination of a user pool.
" + "smithy.api#documentation": "The CloudWatch log group destination of user pool detailed activity logs, or of user\n activity log export with advanced security features.
" + } + }, + "S3Configuration": { + "target": "com.amazonaws.cognitoidentityprovider#S3ConfigurationType", + "traits": { + "smithy.api#documentation": "The Amazon S3 bucket destination of user activity log export with advanced security\n features. To activate this setting, \n advanced security features must be active in your user pool.
" + } + }, + "FirehoseConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#FirehoseConfigurationType", + "traits": { + "smithy.api#documentation": "The Amazon Data Firehose stream destination of user activity log export with advanced security\n features. To activate this setting, \n advanced security features must be active in your user pool.
" } } }, @@ -10941,20 +10985,20 @@ "UserPoolId": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", "traits": { - "smithy.api#documentation": "The ID of the user pool where you configured detailed activity logging.
", + "smithy.api#documentation": "The ID of the user pool where you configured logging.
", "smithy.api#required": {} } }, "LogConfigurations": { "target": "com.amazonaws.cognitoidentityprovider#LogConfigurationListType", "traits": { - "smithy.api#documentation": "The detailed activity logging destination of a user pool.
", + "smithy.api#documentation": "A logging destination of a user pool. User pools can have multiple logging\n destinations for message-delivery and user-activity logs.
", "smithy.api#required": {} } } }, "traits": { - "smithy.api#documentation": "The logging parameters of a user pool.
" + "smithy.api#documentation": "The logging parameters of a user pool returned in response to\n GetLogDeliveryConfiguration
.
The message returned when a user's new password matches a previous password and \n doesn't comply with the password-history policy.
", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.cognitoidentityprovider#PasswordHistorySizeType": { + "type": "integer", + "traits": { + "smithy.api#range": { + "min": 0, + "max": 24 + } + } + }, "com.amazonaws.cognitoidentityprovider#PasswordPolicyMinLengthType": { "type": "integer", "traits": { @@ -11302,6 +11374,12 @@ "smithy.api#documentation": "In the password policy that you have set, refers to whether you have required users to\n use at least one symbol in their password.
" } }, + "PasswordHistorySize": { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistorySizeType", + "traits": { + "smithy.api#documentation": "The number of previous passwords that you want Amazon Cognito to restrict each user from\n reusing. Users can't set a password that matches any of n
previous\n passwords, where n
is the value of PasswordHistorySize
.
Password history isn't enforced and isn't displayed in DescribeUserPool responses when you set this value to\n 0
or don't provide it. To activate this setting, \n advanced security features must be active in your user pool.
Configuration for the Amazon S3 bucket destination of user activity log export with\n advanced security features.
" + } + }, "com.amazonaws.cognitoidentityprovider#SESConfigurationSet": { "type": "string", "traits": { @@ -12462,7 +12567,7 @@ } ], "traits": { - "smithy.api#documentation": "Sets up or modifies the detailed activity logging configuration of a user pool.
" + "smithy.api#documentation": "Sets up or modifies the logging configuration of a user pool. User pools can export\n user notification logs and advanced security features user activity logs.
" } }, "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfigurationRequest": { @@ -12471,14 +12576,14 @@ "UserPoolId": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", "traits": { - "smithy.api#documentation": "The ID of the user pool where you want to configure detailed activity logging .
", + "smithy.api#documentation": "The ID of the user pool where you want to configure logging.
", "smithy.api#required": {} } }, "LogConfigurations": { "target": "com.amazonaws.cognitoidentityprovider#LogConfigurationListType", "traits": { - "smithy.api#documentation": "A collection of all of the detailed activity logging configurations for a user\n pool.
", + "smithy.api#documentation": "A collection of the logging configurations for a user pool.
", "smithy.api#required": {} } } @@ -13062,7 +13167,7 @@ "UserSub": { "target": "com.amazonaws.cognitoidentityprovider#StringType", "traits": { - "smithy.api#documentation": "The UUID of the authenticated user. This isn't the same as\n username
.
The 128-bit ID of the authenticated user. This isn't the same as\n username
.
Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED
and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY
, those APIs return a\n UserNotFoundException
exception if the user doesn't exist in the user\n pool.
Valid values include:
\n\n ENABLED
- This prevents user existence-related errors.
\n LEGACY
- This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.
Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED
and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY
, those APIs return a\n UserNotFoundException
exception if the user doesn't exist in the user\n pool.
Valid values include:
\n\n ENABLED
- This prevents user existence-related errors.
\n LEGACY
- This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.
Defaults to LEGACY
when you don't provide a value.
Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED
and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY
, those APIs return a\n UserNotFoundException
exception if the user doesn't exist in the user\n pool.
Valid values include:
\n\n ENABLED
- This prevents user existence-related errors.
\n LEGACY
- This represents the old behavior of Amazon Cognito where user\n existence related errors aren't prevented.
Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED
and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY
, those APIs return a\n UserNotFoundException
exception if the user doesn't exist in the user\n pool.
Valid values include:
\n\n ENABLED
- This prevents user existence-related errors.
\n LEGACY
- This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.
Defaults to LEGACY
when you don't provide a value.