feat(client-mpa): Updates to multi-party approval (MPA) service to add support for multi-factor authentication (MFA) for voting operations.

awstools · awstools · commit a8d958260f6b · 2026-02-02T19:11:42.000Z
diff --git a/clients/client-mpa/src/commands/GetApprovalTeamCommand.ts b/clients/client-mpa/src/commands/GetApprovalTeamCommand.ts
@@ -56,6 +56,12 @@ export interface GetApprovalTeamCommandOutput extends GetApprovalTeamResponse, _
  * //       PrimaryIdentityId: "STRING_VALUE",
  * //       PrimaryIdentitySourceArn: "STRING_VALUE",
  * //       PrimaryIdentityStatus: "PENDING" || "ACCEPTED" || "REJECTED" || "INVALID",
+ * //       MfaMethods: [ // MfaMethods
+ * //         { // MfaMethod
+ * //           Type: "EMAIL_OTP", // required
+ * //           SyncStatus: "IN_SYNC" || "OUT_OF_SYNC", // required
+ * //         },
+ * //       ],
  * //     },
  * //   ],
  * //   Arn: "STRING_VALUE",
@@ -91,6 +97,12 @@ export interface GetApprovalTeamCommandOutput extends GetApprovalTeamResponse, _
  * //         PrimaryIdentityId: "STRING_VALUE",
  * //         PrimaryIdentitySourceArn: "STRING_VALUE",
  * //         PrimaryIdentityStatus: "PENDING" || "ACCEPTED" || "REJECTED" || "INVALID",
+ * //         MfaMethods: [
+ * //           {
+ * //             Type: "EMAIL_OTP", // required
+ * //             SyncStatus: "IN_SYNC" || "OUT_OF_SYNC", // required
+ * //           },
+ * //         ],
  * //       },
  * //     ],
  * //     UpdateInitiationTime: new Date("TIMESTAMP"),
diff --git a/clients/client-mpa/src/commands/GetPolicyVersionCommand.ts b/clients/client-mpa/src/commands/GetPolicyVersionCommand.ts
@@ -27,7 +27,7 @@ export interface GetPolicyVersionCommandInput extends GetPolicyVersionRequest {}
 export interface GetPolicyVersionCommandOutput extends GetPolicyVersionResponse, __MetadataBearer {}
 
 /**
- * <p>Returns details for the version of a policy. Policies define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+ * <p>Returns details for the version of a policy. Policies define the permissions for team resources.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-mpa/src/commands/GetSessionCommand.ts b/clients/client-mpa/src/commands/GetSessionCommand.ts
@@ -79,6 +79,9 @@ export interface GetSessionCommandOutput extends GetSessionResponse, __MetadataB
  * //       ResponseTime: new Date("TIMESTAMP"),
  * //     },
  * //   ],
+ * //   AdditionalSecurityRequirements: [ // AdditionalSecurityRequirements
+ * //     "APPROVER_VERIFICATION_REQUIRED",
+ * //   ],
  * // };
  *
  * ```
diff --git a/clients/client-mpa/src/commands/ListPoliciesCommand.ts b/clients/client-mpa/src/commands/ListPoliciesCommand.ts
@@ -27,7 +27,7 @@ export interface ListPoliciesCommandInput extends ListPoliciesRequest {}
 export interface ListPoliciesCommandOutput extends ListPoliciesResponse, __MetadataBearer {}
 
 /**
- * <p>Returns a list of policies. Policies define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+ * <p>Returns a list of policies. Policies define the permissions for team resources.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-mpa/src/commands/ListPolicyVersionsCommand.ts b/clients/client-mpa/src/commands/ListPolicyVersionsCommand.ts
@@ -27,7 +27,7 @@ export interface ListPolicyVersionsCommandInput extends ListPolicyVersionsReques
 export interface ListPolicyVersionsCommandOutput extends ListPolicyVersionsResponse, __MetadataBearer {}
 
 /**
- * <p>Returns a list of the versions for policies. Policies define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+ * <p>Returns a list of the versions for policies. Policies define the permissions for team resources.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-mpa/src/commands/ListSessionsCommand.ts b/clients/client-mpa/src/commands/ListSessionsCommand.ts
@@ -71,6 +71,9 @@ export interface ListSessionsCommandOutput extends ListSessionsResponse, __Metad
  * //       StatusCode: "REJECTED" || "EXPIRED" || "CONFIGURATION_CHANGED",
  * //       StatusMessage: "STRING_VALUE",
  * //       ActionCompletionStrategy: "AUTO_COMPLETION_UPON_APPROVAL",
+ * //       AdditionalSecurityRequirements: [ // AdditionalSecurityRequirements
+ * //         "APPROVER_VERIFICATION_REQUIRED",
+ * //       ],
  * //     },
  * //   ],
  * // };
diff --git a/clients/client-mpa/src/commands/UpdateApprovalTeamCommand.ts b/clients/client-mpa/src/commands/UpdateApprovalTeamCommand.ts
@@ -50,6 +50,9 @@ export interface UpdateApprovalTeamCommandOutput extends UpdateApprovalTeamRespo
  *   ],
  *   Description: "STRING_VALUE",
  *   Arn: "STRING_VALUE", // required
+ *   UpdateActions: [ // UpdateActions
+ *     "SYNCHRONIZE_MFA_DEVICES",
+ *   ],
  * };
  * const command = new UpdateApprovalTeamCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-mpa/src/models/enums.ts b/clients/client-mpa/src/models/enums.ts
@@ -11,6 +11,44 @@ export const ActionCompletionStrategy = {
  */
 export type ActionCompletionStrategy = (typeof ActionCompletionStrategy)[keyof typeof ActionCompletionStrategy];
 
+/**
+ * @public
+ * @enum
+ */
+export const AdditionalSecurityRequirement = {
+  APPROVER_VERIFICATION_REQUIRED: "APPROVER_VERIFICATION_REQUIRED",
+} as const;
+/**
+ * @public
+ */
+export type AdditionalSecurityRequirement =
+  (typeof AdditionalSecurityRequirement)[keyof typeof AdditionalSecurityRequirement];
+
+/**
+ * @public
+ * @enum
+ */
+export const MfaSyncStatus = {
+  IN_SYNC: "IN_SYNC",
+  OUT_OF_SYNC: "OUT_OF_SYNC",
+} as const;
+/**
+ * @public
+ */
+export type MfaSyncStatus = (typeof MfaSyncStatus)[keyof typeof MfaSyncStatus];
+
+/**
+ * @public
+ * @enum
+ */
+export const MfaType = {
+  EMAIL_OTP: "EMAIL_OTP",
+} as const;
+/**
+ * @public
+ */
+export type MfaType = (typeof MfaType)[keyof typeof MfaType];
+
 /**
  * @public
  * @enum
@@ -64,6 +102,18 @@ export const ApprovalTeamStatusCode = {
  */
 export type ApprovalTeamStatusCode = (typeof ApprovalTeamStatusCode)[keyof typeof ApprovalTeamStatusCode];
 
+/**
+ * @public
+ * @enum
+ */
+export const UpdateAction = {
+  SYNCHRONIZE_MFA_DEVICES: "SYNCHRONIZE_MFA_DEVICES",
+} as const;
+/**
+ * @public
+ */
+export type UpdateAction = (typeof UpdateAction)[keyof typeof UpdateAction];
+
 /**
  * @public
  * @enum
diff --git a/clients/client-mpa/src/models/models_0.ts b/clients/client-mpa/src/models/models_0.ts
@@ -1,20 +1,24 @@
 // smithy-typescript generated code
 import {
   ActionCompletionStrategy,
+  AdditionalSecurityRequirement,
   ApprovalTeamStatus,
   ApprovalTeamStatusCode,
   FilterField,
   IdentitySourceStatus,
   IdentitySourceStatusCode,
   IdentitySourceType,
   IdentityStatus,
+  MfaSyncStatus,
+  MfaType,
   Operator,
   PolicyStatus,
   PolicyType,
   SessionExecutionStatus,
   SessionResponse,
   SessionStatus,
   SessionStatusCode,
+  UpdateAction,
 } from "./enums";
 
 /**
@@ -126,7 +130,7 @@ export interface ApprovalTeamRequestApprover {
 }
 
 /**
- * <p>Contains the Amazon Resource Name (ARN) for a policy. Policies define what operations a team that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+ * <p>Contains the Amazon Resource Name (ARN) for a policy. Policies define what operations a team that define the permissions for team resources.</p>
  * @public
  */
 export interface PolicyReference {
@@ -166,7 +170,7 @@ export interface CreateApprovalTeamRequest {
   Description: string | undefined;
 
   /**
-   * <p>An array of <code>PolicyReference</code> objects. Contains a list of policies that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+   * <p>An array of <code>PolicyReference</code> objects. Contains a list of policies that define the permissions for team resources.</p>
    * @public
    */
   Policies: PolicyReference[] | undefined;
@@ -246,6 +250,24 @@ export interface GetApprovalTeamRequest {
   Arn: string | undefined;
 }
 
+/**
+ * <p>MFA configuration and sycnronization status for an approver</p>
+ * @public
+ */
+export interface MfaMethod {
+  /**
+   * <p>The type of MFA configuration used by the approver</p>
+   * @public
+   */
+  Type: MfaType | undefined;
+
+  /**
+   * <p>Indicates if the approver's MFA device is in-sync with the Identity Source</p>
+   * @public
+   */
+  SyncStatus: MfaSyncStatus | undefined;
+}
+
 /**
  * <p>Contains details for an approver.</p>
  * @public
@@ -280,6 +302,12 @@ export interface GetApprovalTeamResponseApprover {
    * @public
    */
   PrimaryIdentityStatus?: IdentityStatus | undefined;
+
+  /**
+   * <p>Multi-factor authentication configuration for the approver</p>
+   * @public
+   */
+  MfaMethods?: MfaMethod[] | undefined;
 }
 
 /**
@@ -419,7 +447,7 @@ export interface GetApprovalTeamResponse {
   VersionId?: string | undefined;
 
   /**
-   * <p>An array of <code>PolicyReference</code> objects. Contains a list of policies that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+   * <p>An array of <code>PolicyReference</code> objects. Contains a list of policies that define the permissions for team resources.</p>
    * @public
    */
   Policies?: PolicyReference[] | undefined;
@@ -592,6 +620,12 @@ export interface UpdateApprovalTeamRequest {
    * @public
    */
   Arn: string | undefined;
+
+  /**
+   * <p>A list of <code>UpdateAction</code> to perform when updating the team.</p>
+   * @public
+   */
+  UpdateActions?: UpdateAction[] | undefined;
 }
 
 /**
@@ -617,7 +651,7 @@ export interface GetPolicyVersionRequest {
 }
 
 /**
- * <p>Contains details for the version of a policy. Policies define what operations a team that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+ * <p>Contains details for the version of a policy. Policies define what operations a team that define the permissions for team resources.</p>
  * @public
  */
 export interface PolicyVersion {
@@ -658,7 +692,7 @@ export interface PolicyVersion {
   Name: string | undefined;
 
   /**
-   * <p>Status for the policy. For example, if the policy is <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html">attachable</a> or <a href="https://docs.aws.amazon.com/access_policies_managed-deprecated.html">deprecated</a>.</p>
+   * <p>Status for the policy. For example, if the policy is <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html">attachable</a> or <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-deprecated.html">deprecated</a>.</p>
    * @public
    */
   Status: PolicyStatus | undefined;
@@ -687,7 +721,7 @@ export interface PolicyVersion {
  */
 export interface GetPolicyVersionResponse {
   /**
-   * <p>A <code>PolicyVersion</code> object. Contains details for the version of the policy. Policies define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+   * <p>A <code>PolicyVersion</code> object. Contains details for the version of the policy. Policies define the permissions for team resources.</p>
    * @public
    */
   PolicyVersion: PolicyVersion | undefined;
@@ -1122,7 +1156,7 @@ export interface ListPoliciesRequest {
 }
 
 /**
- * <p>Contains details for a policy. Policies define what operations a team that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+ * <p>Contains details for a policy. Policies define what operations a team that define the permissions for team resources.</p>
  * @public
  */
 export interface Policy {
@@ -1162,7 +1196,7 @@ export interface ListPoliciesResponse {
   NextToken?: string | undefined;
 
   /**
-   * <p>An array of <code>Policy</code> objects. Contains a list of policies that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+   * <p>An array of <code>Policy</code> objects. Contains a list of policies that define the permissions for team resources.</p>
    * @public
    */
   Policies?: Policy[] | undefined;
@@ -1192,7 +1226,7 @@ export interface ListPolicyVersionsRequest {
 }
 
 /**
- * <p>Contains details for the version of a policy. Policies define what operations a team that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+ * <p>Contains details for the version of a policy. Policies define what operations a team that define the permissions for team resources.</p>
  * @public
  */
 export interface PolicyVersionSummary {
@@ -1233,7 +1267,7 @@ export interface PolicyVersionSummary {
   Name: string | undefined;
 
   /**
-   * <p>Status for the policy. For example, if the policy is <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html">attachable</a> or <a href="https://docs.aws.amazon.com/access_policies_managed-deprecated.html">deprecated</a>.</p>
+   * <p>Status for the policy. For example, if the policy is <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html">attachable</a> or <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-deprecated.html">deprecated</a>.</p>
    * @public
    */
   Status: PolicyStatus | undefined;
@@ -1262,7 +1296,7 @@ export interface ListPolicyVersionsResponse {
   NextToken?: string | undefined;
 
   /**
-   * <p>An array of <code>PolicyVersionSummary</code> objects. Contains details for the version of the policies that define the permissions for team resources.</p> <p>The protected operation for a service integration might require specific permissions. For more information, see <a href="https://docs.aws.amazon.com/mpa/latest/userguide/mpa-integrations.html">How other services work with Multi-party approval</a> in the <i>Multi-party approval User Guide</i>.</p>
+   * <p>An array of <code>PolicyVersionSummary</code> objects. Contains details for the version of the policies that define the permissions for team resources.</p>
    * @public
    */
   PolicyVersions?: PolicyVersionSummary[] | undefined;
@@ -1558,6 +1592,12 @@ export interface GetSessionResponse {
    * @public
    */
   ApproverResponses?: GetSessionResponseApproverResponse[] | undefined;
+
+  /**
+   * <p>A list of <code>AdditionalSecurityRequirement</code> applied to the session.</p>
+   * @public
+   */
+  AdditionalSecurityRequirements?: AdditionalSecurityRequirement[] | undefined;
 }
 
 /**
@@ -1719,6 +1759,12 @@ export interface ListSessionsResponseSession {
    * @public
    */
   ActionCompletionStrategy?: ActionCompletionStrategy | undefined;
+
+  /**
+   * <p>A list of <code>AdditionalSecurityRequirement</code> applied to the session.</p>
+   * @public
+   */
+  AdditionalSecurityRequirements?: AdditionalSecurityRequirement[] | undefined;
 }
 
 /**
diff --git a/clients/client-mpa/src/schemas/schemas_0.ts b/clients/client-mpa/src/schemas/schemas_0.ts
diff --git a/clients/client-mpa/test/index-objects.spec.mjs b/clients/client-mpa/test/index-objects.spec.mjs
diff --git a/clients/client-mpa/test/index-types.ts b/clients/client-mpa/test/index-types.ts
diff --git a/codegen/sdk-codegen/aws-models/mpa.json b/codegen/sdk-codegen/aws-models/mpa.json
