feat(cognito): add new AdvancedSecurityMode property (#23261)

fixes #7405


https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooladdons
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode

We refer to the following suspended PRs
#17923

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-cognito/README.md

@@ -356,6 +356,16 @@ new cognito.UserPool(this, 'UserPool', {
 The default for account recovery is by phone if available and by email otherwise.
 A user will not be allowed to reset their password via phone if they are also using it for MFA.
 
+#### Advanced Security Mode
+
+User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the [documentation on Advanced security](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) to learn more.
+
+```ts
+new cognito.UserPool(this, 'myuserpool', {
+  // ...
+  advancedSecurityMode: cognito.AdvancedSecurityMode.ENFORCED,
+});
+```
 
 ### Emails
 

packages/@aws-cdk/aws-cognito/lib/user-pool.ts

@@ -496,6 +496,19 @@ export interface DeviceTracking {
   readonly deviceOnlyRememberedOnUserPrompt: boolean;
 }
 
+/**
+ * The different ways in which a user pool's Advanced Security Mode can be configured.
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
+ */
+export enum AdvancedSecurityMode {
+  /** Enable advanced security mode */
+  ENFORCED = 'ENFORCED',
+  /** gather metrics on detected risks without taking action. Metrics are published to Amazon CloudWatch */
+  AUDIT = 'AUDIT',
+  /** Advanced security mode is disabled */
+  OFF = 'OFF'
+}
+
 /**
  * Props for the UserPool construct
  */
@@ -692,6 +705,12 @@ export interface UserPoolProps {
    * @default - no key ID configured
    */
   readonly customSenderKmsKey?: IKey;
+
+  /**
+   * The user pool's Advanced Security Mode
+   * @default - no value
+   */
+  readonly advancedSecurityMode?: AdvancedSecurityMode;
 }
 
 /**
@@ -934,6 +953,9 @@ export class UserPool extends UserPoolBase {
       emailVerificationSubject,
       smsVerificationMessage,
       verificationMessageTemplate,
+      userPoolAddOns: undefinedIfNoKeys({
+        advancedSecurityMode: props.advancedSecurityMode,
+      }),
       schema: this.schemaConfiguration(props),
       mfaConfiguration: props.mfa,
       enabledMfas: this.mfaConfiguration(props),

packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"21.0.0"}
+{"version":"22.0.0"}

packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "21.0.0",
+  "version": "22.0.0",
   "files": {
-    "7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08": {
+    "d52bd1bc71dfc61d4ad7024fe0716269f71e86ea085d0ccd71bcbe68e8df1c34": {
       "source": {
         "path": "integ-user-pool.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08.json",
+          "objectKey": "d52bd1bc71dfc61d4ad7024fe0716269f71e86ea085d0ccd71bcbe68e8df1c34.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.template.json

@@ -905,6 +905,9 @@
       "phone_number"
      ]
     },
+    "UserPoolAddOns": {
+     "AdvancedSecurityMode": "ENFORCED"
+    },
     "UserPoolName": "MyUserPool",
     "VerificationMessageTemplate": {
      "DefaultEmailOption": "CONFIRM_WITH_CODE",

packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "21.0.0",
+  "version": "22.0.0",
   "testCases": {
     "integ.user-pool-explicit-props": {
       "stacks": [

packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/manifest.json

@@ -1,12 +1,6 @@
 {
-  "version": "21.0.0",
+  "version": "22.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "integ-user-pool.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d52bd1bc71dfc61d4ad7024fe0716269f71e86ea085d0ccd71bcbe68e8df1c34.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -260,99 +254,15 @@
             "type": "aws:cdk:logicalId",
             "data": "CheckBootstrapVersion"
           }
-        ],
-        "createAuthChallengeCreateAuthChallengeCognito57E2297E": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "createAuthChallengeCreateAuthChallengeCognito57E2297E",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "customMessageCustomMessageCognitoB4F894A6": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "customMessageCustomMessageCognitoB4F894A6",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "defineAuthChallengeDefineAuthChallengeCognito4DBD8021": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "defineAuthChallengeDefineAuthChallengeCognito4DBD8021",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "postAuthenticationPostAuthenticationCognito8B923BC3": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "postAuthenticationPostAuthenticationCognito8B923BC3",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "postConfirmationPostConfirmationCognito9D010393": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "postConfirmationPostConfirmationCognito9D010393",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "preAuthenticationPreAuthenticationCognito67FACB54": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "preAuthenticationPreAuthenticationCognito67FACB54",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "preSignUpPreSignUpCognitoE986CC53": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "preSignUpPreSignUpCognitoE986CC53",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "preTokenGenerationPreTokenGenerationCognitoC1959918": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "preTokenGenerationPreTokenGenerationCognitoC1959918",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "userMigrationUserMigrationCognito29EEC4AD": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "userMigrationUserMigrationCognito29EEC4AD",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "verifyAuthChallengeResponseVerifyAuthChallengeResponseCognito9DC48AFC": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "verifyAuthChallengeResponseVerifyAuthChallengeResponseCognito9DC48AFC",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
         ]
       },
       "displayName": "integ-user-pool"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }