AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-05-03 · Documentation medium

File: AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md

Summary

Expanded documentation for RefreshTokenRotation property, including grace period configuration for token invalidation.

Security assessment

Documents refresh token rotation, a security best practice to mitigate stolen token risks. Grace period configuration allows controlled token revocation but does not address a specific vulnerability.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md b/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md
index 76ddea284..557d9b777 100644
--- a//AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md
+++ b//AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-refreshtokenrotation.md
@@ -7 +7 @@ SyntaxProperties
-The `RefreshTokenRotation` property type specifies Property description not available. for an [AWS::Cognito::UserPoolClient](./aws-resource-cognito-userpoolclient.html).
+The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.
@@ -34 +34 @@ To declare this entity in your AWS CloudFormation template, use the following sy
-Property description not available.
+The state of refresh token rotation for the current app client.
@@ -47 +47 @@ _Required_ : No
-Property description not available.
+When you request a token refresh with `GetTokensFromRefreshToken`, the original refresh token that you're rotating out can remain valid for a period of time of up to 60 seconds. This allows for client-side retries. When `RetryGracePeriodSeconds` is `0`, the grace period is disabled and a successful request immediately invalidates the submitted refresh token.