diff --git a/amazonka-iam.cabal b/amazonka-iam.cabal
--- a/amazonka-iam.cabal
+++ b/amazonka-iam.cabal
@@ -1,5 +1,5 @@
 name:                  amazonka-iam
-version:               0.0.7
+version:               0.0.8
 synopsis:              Amazon Identity and Access Management SDK.
 homepage:              https://github.com/brendanhay/amazonka
 license:               OtherLicense
@@ -69,6 +69,7 @@
         , Network.AWS.IAM.DeleteVirtualMFADevice
         , Network.AWS.IAM.EnableMFADevice
         , Network.AWS.IAM.GenerateCredentialReport
+        , Network.AWS.IAM.GetAccountAuthorizationDetails
         , Network.AWS.IAM.GetAccountPasswordPolicy
         , Network.AWS.IAM.GetAccountSummary
         , Network.AWS.IAM.GetCredentialReport
@@ -124,5 +125,5 @@
     other-modules:
 
     build-depends:
-          amazonka-core == 0.0.7.*
+          amazonka-core == 0.0.8.*
         , base          >= 4.7     && < 5
diff --git a/gen/Network/AWS/IAM.hs b/gen/Network/AWS/IAM.hs
--- a/gen/Network/AWS/IAM.hs
+++ b/gen/Network/AWS/IAM.hs
@@ -48,6 +48,7 @@
     , module Network.AWS.IAM.DeleteVirtualMFADevice
     , module Network.AWS.IAM.EnableMFADevice
     , module Network.AWS.IAM.GenerateCredentialReport
+    , module Network.AWS.IAM.GetAccountAuthorizationDetails
     , module Network.AWS.IAM.GetAccountPasswordPolicy
     , module Network.AWS.IAM.GetAccountSummary
     , module Network.AWS.IAM.GetCredentialReport
@@ -134,6 +135,7 @@
 import Network.AWS.IAM.DeleteVirtualMFADevice
 import Network.AWS.IAM.EnableMFADevice
 import Network.AWS.IAM.GenerateCredentialReport
+import Network.AWS.IAM.GetAccountAuthorizationDetails
 import Network.AWS.IAM.GetAccountPasswordPolicy
 import Network.AWS.IAM.GetAccountSummary
 import Network.AWS.IAM.GetCredentialReport
diff --git a/gen/Network/AWS/IAM/CreateOpenIDConnectProvider.hs b/gen/Network/AWS/IAM/CreateOpenIDConnectProvider.hs
--- a/gen/Network/AWS/IAM/CreateOpenIDConnectProvider.hs
+++ b/gen/Network/AWS/IAM/CreateOpenIDConnectProvider.hs
@@ -35,6 +35,10 @@
 -- certificate(s) that the IdP uses. You get all of this information from the
 -- OIDC IdP that you want to use for access to AWS.
 --
+-- Because trust for the OIDC provider is ultimately derived from the IAM
+-- provider that this action creates, it is a best practice to limit access to
+-- the 'CreateOpenIDConnectProvider' action to highly-privileged users.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html>
 module Network.AWS.IAM.CreateOpenIDConnectProvider
     (
diff --git a/gen/Network/AWS/IAM/CreateSAMLProvider.hs b/gen/Network/AWS/IAM/CreateSAMLProvider.hs
--- a/gen/Network/AWS/IAM/CreateSAMLProvider.hs
+++ b/gen/Network/AWS/IAM/CreateSAMLProvider.hs
@@ -38,7 +38,7 @@
 -- metadata document using the identity management software that is used as your
 -- organization's IdP.
 --
--- For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html Giving Console Access Using SAML> and <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html CreatingTemporary Security Credentials for SAML Federation> in the /Using TemporaryCredentials/ guide.
+-- This operation requires <http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html Signature Version 4>.   For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html Giving Console Access Using SAML> and <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation> in the /UsingTemporary Credentials/ guide.
 --
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateSAMLProvider.html>
 module Network.AWS.IAM.CreateSAMLProvider
diff --git a/gen/Network/AWS/IAM/DeleteSAMLProvider.hs b/gen/Network/AWS/IAM/DeleteSAMLProvider.hs
--- a/gen/Network/AWS/IAM/DeleteSAMLProvider.hs
+++ b/gen/Network/AWS/IAM/DeleteSAMLProvider.hs
@@ -28,6 +28,8 @@
 -- provider as a principal in their trust policies. Any attempt to assume a role
 -- that references a SAML provider that has been deleted will fail.
 --
+-- This operation requires <http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html Signature Version 4>.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html>
 module Network.AWS.IAM.DeleteSAMLProvider
     (
diff --git a/gen/Network/AWS/IAM/DeleteVirtualMFADevice.hs b/gen/Network/AWS/IAM/DeleteVirtualMFADevice.hs
--- a/gen/Network/AWS/IAM/DeleteVirtualMFADevice.hs
+++ b/gen/Network/AWS/IAM/DeleteVirtualMFADevice.hs
@@ -24,6 +24,9 @@
 
 -- | Deletes a virtual MFA device.
 --
+-- You must deactivate a user's virtual MFA device before you can delete it.
+-- For information about deactivating MFA devices, see <http://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html DeactivateMFADevice>.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteVirtualMFADevice.html>
 module Network.AWS.IAM.DeleteVirtualMFADevice
     (
diff --git a/gen/Network/AWS/IAM/GetAccountAuthorizationDetails.hs b/gen/Network/AWS/IAM/GetAccountAuthorizationDetails.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/IAM/GetAccountAuthorizationDetails.hs
@@ -0,0 +1,187 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.IAM.GetAccountAuthorizationDetails
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+--
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- | Retrieves information about all IAM users, groups, and roles in your account,
+-- including their relationships to one another and their attached policies. Use
+-- this API to obtain a snapshot of the configuration of IAM permissions (users,
+-- groups, roles, and policies) in your account.
+--
+-- You can optionally filter the results using the 'Filter' parameter. You can
+-- paginate the results using the 'MaxItems' and 'Marker' parameters.
+--
+-- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html>
+module Network.AWS.IAM.GetAccountAuthorizationDetails
+    (
+    -- * Request
+      GetAccountAuthorizationDetails
+    -- ** Request constructor
+    , getAccountAuthorizationDetails
+    -- ** Request lenses
+    , gaadFilter
+    , gaadMarker
+    , gaadMaxItems
+
+    -- * Response
+    , GetAccountAuthorizationDetailsResponse
+    -- ** Response constructor
+    , getAccountAuthorizationDetailsResponse
+    -- ** Response lenses
+    , gaadrGroupDetailList
+    , gaadrIsTruncated
+    , gaadrMarker
+    , gaadrRoleDetailList
+    , gaadrUserDetailList
+    ) where
+
+import Network.AWS.Prelude
+import Network.AWS.Request.Query
+import Network.AWS.IAM.Types
+import qualified GHC.Exts
+
+data GetAccountAuthorizationDetails = GetAccountAuthorizationDetails
+    { _gaadFilter   :: List "member" EntityType
+    , _gaadMarker   :: Maybe Text
+    , _gaadMaxItems :: Maybe Nat
+    } deriving (Eq, Show)
+
+-- | 'GetAccountAuthorizationDetails' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'gaadFilter' @::@ ['EntityType']
+--
+-- * 'gaadMarker' @::@ 'Maybe' 'Text'
+--
+-- * 'gaadMaxItems' @::@ 'Maybe' 'Natural'
+--
+getAccountAuthorizationDetails :: GetAccountAuthorizationDetails
+getAccountAuthorizationDetails = GetAccountAuthorizationDetails
+    { _gaadFilter   = mempty
+    , _gaadMaxItems = Nothing
+    , _gaadMarker   = Nothing
+    }
+
+-- | A list of entity types (user, group, or role) for filtering the results.
+gaadFilter :: Lens' GetAccountAuthorizationDetails [EntityType]
+gaadFilter = lens _gaadFilter (\s a -> s { _gaadFilter = a }) . _List
+
+-- | Use this only when paginating results, and only in a subsequent request after
+-- you've received a response where the results are truncated. Set it to the
+-- value of the 'Marker' element in the response you just received.
+gaadMarker :: Lens' GetAccountAuthorizationDetails (Maybe Text)
+gaadMarker = lens _gaadMarker (\s a -> s { _gaadMarker = a })
+
+-- | Use this only when paginating results to indicate the maximum number of items
+-- you want in the response. If there are additional items beyond the maximum
+-- you specify, the 'IsTruncated' response element is 'true'. This parameter is
+-- optional. If you do not include it, it defaults to 100.
+gaadMaxItems :: Lens' GetAccountAuthorizationDetails (Maybe Natural)
+gaadMaxItems = lens _gaadMaxItems (\s a -> s { _gaadMaxItems = a }) . mapping _Nat
+
+data GetAccountAuthorizationDetailsResponse = GetAccountAuthorizationDetailsResponse
+    { _gaadrGroupDetailList :: List "member" GroupDetail
+    , _gaadrIsTruncated     :: Maybe Bool
+    , _gaadrMarker          :: Maybe Text
+    , _gaadrRoleDetailList  :: List "member" RoleDetail
+    , _gaadrUserDetailList  :: List "member" UserDetail
+    } deriving (Eq, Show)
+
+-- | 'GetAccountAuthorizationDetailsResponse' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'gaadrGroupDetailList' @::@ ['GroupDetail']
+--
+-- * 'gaadrIsTruncated' @::@ 'Maybe' 'Bool'
+--
+-- * 'gaadrMarker' @::@ 'Maybe' 'Text'
+--
+-- * 'gaadrRoleDetailList' @::@ ['RoleDetail']
+--
+-- * 'gaadrUserDetailList' @::@ ['UserDetail']
+--
+getAccountAuthorizationDetailsResponse :: GetAccountAuthorizationDetailsResponse
+getAccountAuthorizationDetailsResponse = GetAccountAuthorizationDetailsResponse
+    { _gaadrUserDetailList  = mempty
+    , _gaadrGroupDetailList = mempty
+    , _gaadrRoleDetailList  = mempty
+    , _gaadrIsTruncated     = Nothing
+    , _gaadrMarker          = Nothing
+    }
+
+-- | A list containing information about IAM groups.
+gaadrGroupDetailList :: Lens' GetAccountAuthorizationDetailsResponse [GroupDetail]
+gaadrGroupDetailList =
+    lens _gaadrGroupDetailList (\s a -> s { _gaadrGroupDetailList = a })
+        . _List
+
+-- | A flag that indicates whether there are more items to return. If your results
+-- were truncated, you can make a subsequent pagination request using the 'Marker'
+-- request parameter to retrieve more items.
+gaadrIsTruncated :: Lens' GetAccountAuthorizationDetailsResponse (Maybe Bool)
+gaadrIsTruncated = lens _gaadrIsTruncated (\s a -> s { _gaadrIsTruncated = a })
+
+-- | If 'IsTruncated' is 'true', this element is present and contains the value to use
+-- for the 'Marker' parameter in a subsequent pagination request.
+gaadrMarker :: Lens' GetAccountAuthorizationDetailsResponse (Maybe Text)
+gaadrMarker = lens _gaadrMarker (\s a -> s { _gaadrMarker = a })
+
+-- | A list containing information about IAM roles.
+gaadrRoleDetailList :: Lens' GetAccountAuthorizationDetailsResponse [RoleDetail]
+gaadrRoleDetailList =
+    lens _gaadrRoleDetailList (\s a -> s { _gaadrRoleDetailList = a })
+        . _List
+
+-- | A list containing information about IAM users.
+gaadrUserDetailList :: Lens' GetAccountAuthorizationDetailsResponse [UserDetail]
+gaadrUserDetailList =
+    lens _gaadrUserDetailList (\s a -> s { _gaadrUserDetailList = a })
+        . _List
+
+instance ToPath GetAccountAuthorizationDetails where
+    toPath = const "/"
+
+instance ToQuery GetAccountAuthorizationDetails where
+    toQuery GetAccountAuthorizationDetails{..} = mconcat
+        [ "Filter"   =? _gaadFilter
+        , "Marker"   =? _gaadMarker
+        , "MaxItems" =? _gaadMaxItems
+        ]
+
+instance ToHeaders GetAccountAuthorizationDetails
+
+instance AWSRequest GetAccountAuthorizationDetails where
+    type Sv GetAccountAuthorizationDetails = IAM
+    type Rs GetAccountAuthorizationDetails = GetAccountAuthorizationDetailsResponse
+
+    request  = post "GetAccountAuthorizationDetails"
+    response = xmlResponse
+
+instance FromXML GetAccountAuthorizationDetailsResponse where
+    parseXML = withElement "GetAccountAuthorizationDetailsResult" $ \x -> GetAccountAuthorizationDetailsResponse
+        <$> x .@? "GroupDetailList" .!@ mempty
+        <*> x .@? "IsTruncated"
+        <*> x .@? "Marker"
+        <*> x .@? "RoleDetailList" .!@ mempty
+        <*> x .@? "UserDetailList" .!@ mempty
diff --git a/gen/Network/AWS/IAM/GetCredentialReport.hs b/gen/Network/AWS/IAM/GetCredentialReport.hs
--- a/gen/Network/AWS/IAM/GetCredentialReport.hs
+++ b/gen/Network/AWS/IAM/GetCredentialReport.hs
@@ -83,7 +83,7 @@
 gcrrContent :: Lens' GetCredentialReportResponse (Maybe Base64)
 gcrrContent = lens _gcrrContent (\s a -> s { _gcrrContent = a })
 
--- | The time and date when the credential report was created, in <http://www.iso.org/iso/iso8601 ISO 8601date-time format>.
+-- | The date and time when the credential report was created, in <http://www.iso.org/iso/iso8601 ISO 8601date-time format>.
 gcrrGeneratedTime :: Lens' GetCredentialReportResponse (Maybe UTCTime)
 gcrrGeneratedTime =
     lens _gcrrGeneratedTime (\s a -> s { _gcrrGeneratedTime = a })
diff --git a/gen/Network/AWS/IAM/GetSAMLProvider.hs b/gen/Network/AWS/IAM/GetSAMLProvider.hs
--- a/gen/Network/AWS/IAM/GetSAMLProvider.hs
+++ b/gen/Network/AWS/IAM/GetSAMLProvider.hs
@@ -25,6 +25,8 @@
 -- | Returns the SAML provider metadocument that was uploaded when the provider
 -- was created or updated.
 --
+-- This operation requires <http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html Signature Version 4>.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetSAMLProvider.html>
 module Network.AWS.IAM.GetSAMLProvider
     (
diff --git a/gen/Network/AWS/IAM/ListAccessKeys.hs b/gen/Network/AWS/IAM/ListAccessKeys.hs
--- a/gen/Network/AWS/IAM/ListAccessKeys.hs
+++ b/gen/Network/AWS/IAM/ListAccessKeys.hs
@@ -34,6 +34,9 @@
 -- action to manage root credentials even if the AWS account has no associated
 -- users.
 --
+-- To ensure the security of your AWS account, the secret access key is
+-- accessible only during key and user creation.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html>
 module Network.AWS.IAM.ListAccessKeys
     (
diff --git a/gen/Network/AWS/IAM/ListSAMLProviders.hs b/gen/Network/AWS/IAM/ListSAMLProviders.hs
--- a/gen/Network/AWS/IAM/ListSAMLProviders.hs
+++ b/gen/Network/AWS/IAM/ListSAMLProviders.hs
@@ -24,6 +24,8 @@
 
 -- | Lists the SAML providers in the account.
 --
+-- This operation requires <http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html Signature Version 4>.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_ListSAMLProviders.html>
 module Network.AWS.IAM.ListSAMLProviders
     (
diff --git a/gen/Network/AWS/IAM/PutGroupPolicy.hs b/gen/Network/AWS/IAM/PutGroupPolicy.hs
--- a/gen/Network/AWS/IAM/PutGroupPolicy.hs
+++ b/gen/Network/AWS/IAM/PutGroupPolicy.hs
@@ -29,6 +29,11 @@
 -- For information about limits on the number of policies you can associate
 -- with a group, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html Limitations on IAM Entities> in the /Using IAM/ guide.
 --
+-- Because policy documents can be large, you should use POST rather than GET
+-- when calling 'PutGroupPolicy'. For information about setting up signatures and
+-- authorization through the API, go to <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests> in the /AWSGeneral Reference/. For general information about using the Query API with
+-- IAM, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests> in the /Using IAM/ guide.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html>
 module Network.AWS.IAM.PutGroupPolicy
     (
diff --git a/gen/Network/AWS/IAM/PutRolePolicy.hs b/gen/Network/AWS/IAM/PutRolePolicy.hs
--- a/gen/Network/AWS/IAM/PutRolePolicy.hs
+++ b/gen/Network/AWS/IAM/PutRolePolicy.hs
@@ -29,6 +29,11 @@
 -- For information about limits on the policies you can associate with a role,
 -- see <http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html Limitations on IAM Entities> in the /Using IAM/ guide.
 --
+-- Because policy documents can be large, you should use POST rather than GET
+-- when calling 'PutRolePolicy'. For information about setting up signatures and
+-- authorization through the API, go to <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests> in the /AWSGeneral Reference/. For general information about using the Query API with
+-- IAM, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests> in the /Using IAM/ guide.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html>
 module Network.AWS.IAM.PutRolePolicy
     (
diff --git a/gen/Network/AWS/IAM/PutUserPolicy.hs b/gen/Network/AWS/IAM/PutUserPolicy.hs
--- a/gen/Network/AWS/IAM/PutUserPolicy.hs
+++ b/gen/Network/AWS/IAM/PutUserPolicy.hs
@@ -29,6 +29,11 @@
 -- For information about limits on the number of policies you can associate
 -- with a user, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html Limitations on IAM Entities> in the /Using IAM/ guide.
 --
+-- Because policy documents can be large, you should use POST rather than GET
+-- when calling 'PutUserPolicy'. For information about setting up signatures and
+-- authorization through the API, go to <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests> in the /AWSGeneral Reference/. For general information about using the Query API with
+-- IAM, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests> in the /Using IAM/ guide.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html>
 module Network.AWS.IAM.PutUserPolicy
     (
diff --git a/gen/Network/AWS/IAM/Types.hs b/gen/Network/AWS/IAM/Types.hs
--- a/gen/Network/AWS/IAM/Types.hs
+++ b/gen/Network/AWS/IAM/Types.hs
@@ -7,6 +7,7 @@
 {-# LANGUAGE OverloadedStrings           #-}
 {-# LANGUAGE RecordWildCards             #-}
 {-# LANGUAGE TypeFamilies                #-}
+{-# LANGUAGE ViewPatterns                #-}
 
 {-# OPTIONS_GHC -fno-warn-unused-imports #-}
 
@@ -74,6 +75,18 @@
     , ipPath
     , ipRoles
 
+    -- * RoleDetail
+    , RoleDetail
+    , roleDetail
+    , rdArn
+    , rdAssumeRolePolicyDocument
+    , rdCreateDate
+    , rdInstanceProfileList
+    , rdPath
+    , rdRoleId
+    , rdRoleName
+    , rdRolePolicyList
+
     -- * ReportFormatType
     , ReportFormatType (..)
 
@@ -99,9 +112,22 @@
     , lpPasswordResetRequired
     , lpUserName
 
+    -- * EntityType
+    , EntityType (..)
+
     -- * SummaryKeyType
     , SummaryKeyType (..)
 
+    -- * GroupDetail
+    , GroupDetail
+    , groupDetail
+    , gdArn
+    , gdCreateDate
+    , gdGroupId
+    , gdGroupName
+    , gdGroupPolicyList
+    , gdPath
+
     -- * ReportStateType
     , ReportStateType (..)
 
@@ -115,6 +141,12 @@
     , uUserId
     , uUserName
 
+    -- * PolicyDetail
+    , PolicyDetail
+    , policyDetail
+    , pdPolicyDocument
+    , pdPolicyName
+
     -- * StatusType
     , StatusType (..)
 
@@ -135,6 +167,17 @@
     , rRoleId
     , rRoleName
 
+    -- * UserDetail
+    , UserDetail
+    , userDetail
+    , udArn
+    , udCreateDate
+    , udGroupList
+    , udPath
+    , udUserId
+    , udUserName
+    , udUserPolicyList
+
     -- * ServerCertificate
     , ServerCertificate
     , serverCertificate
@@ -178,7 +221,6 @@
     , akmUserName
     ) where
 
-import Network.AWS.Error
 import Network.AWS.Prelude
 import Network.AWS.Signing
 import qualified GHC.Exts
@@ -190,18 +232,44 @@
     type Sg IAM = V4
     type Er IAM = RESTError
 
-    service = Service
-        { _svcAbbrev       = "IAM"
-        , _svcPrefix       = "iam"
-        , _svcVersion      = "2010-05-08"
-        , _svcTargetPrefix = Nothing
-        , _svcJSONVersion  = Nothing
-        }
+    service = service'
+      where
+        service' :: Service IAM
+        service' = Service
+            { _svcAbbrev       = "IAM"
+            , _svcPrefix       = "iam"
+            , _svcVersion      = "2010-05-08"
+            , _svcTargetPrefix = Nothing
+            , _svcJSONVersion  = Nothing
+            , _svcHandle       = handle
+            , _svcRetry        = retry
+            }
 
-    handle = restError statusSuccess
+        handle :: Status
+               -> Maybe (LazyByteString -> ServiceError RESTError)
+        handle = restError statusSuccess service'
 
+        retry :: Retry IAM
+        retry = Exponential
+            { _retryBase     = 0.05
+            , _retryGrowth   = 2
+            , _retryAttempts = 5
+            , _retryCheck    = check
+            }
+
+        check :: Status
+              -> RESTError
+              -> Bool
+        check (statusCode -> s) (awsErrorCode -> e)
+            | s == 400 && "Throttling" == e = True -- Throttling
+            | s == 500  = True -- General Server Error
+            | s == 509  = True -- Limit Exceeded
+            | s == 503  = True -- Service Unavailable
+            | otherwise = False
+
 ns :: Text
 ns = "https://iam.amazonaws.com/doc/2010-05-08/"
+{-# INLINE ns #-}
 
 data AssignmentStatusType
     = Any        -- ^ Any
@@ -406,7 +474,7 @@
 gArn :: Lens' Group Text
 gArn = lens _gArn (\s a -> s { _gArn = a })
 
--- | The date when the group was created.
+-- | The date and time, in <http://www.iso.org/iso/iso8601 ISO 8601 date-time format>, when the group was created.
 gCreateDate :: Lens' Group UTCTime
 gCreateDate = lens _gCreateDate (\s a -> s { _gCreateDate = a }) . _Time
 
@@ -415,7 +483,7 @@
 gGroupId :: Lens' Group Text
 gGroupId = lens _gGroupId (\s a -> s { _gGroupId = a })
 
--- | The name that identifies the group.
+-- | The friendly name that identifies the group.
 gGroupName :: Lens' Group Text
 gGroupName = lens _gGroupName (\s a -> s { _gGroupName = a })
 
@@ -581,6 +649,110 @@
         , "Roles"               =? _ipRoles
         ]
 
+data RoleDetail = RoleDetail
+    { _rdArn                      :: Maybe Text
+    , _rdAssumeRolePolicyDocument :: Maybe Text
+    , _rdCreateDate               :: Maybe ISO8601
+    , _rdInstanceProfileList      :: List "member" InstanceProfile
+    , _rdPath                     :: Maybe Text
+    , _rdRoleId                   :: Maybe Text
+    , _rdRoleName                 :: Maybe Text
+    , _rdRolePolicyList           :: List "member" PolicyDetail
+    } deriving (Eq, Show)
+
+-- | 'RoleDetail' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'rdArn' @::@ 'Maybe' 'Text'
+--
+-- * 'rdAssumeRolePolicyDocument' @::@ 'Maybe' 'Text'
+--
+-- * 'rdCreateDate' @::@ 'Maybe' 'UTCTime'
+--
+-- * 'rdInstanceProfileList' @::@ ['InstanceProfile']
+--
+-- * 'rdPath' @::@ 'Maybe' 'Text'
+--
+-- * 'rdRoleId' @::@ 'Maybe' 'Text'
+--
+-- * 'rdRoleName' @::@ 'Maybe' 'Text'
+--
+-- * 'rdRolePolicyList' @::@ ['PolicyDetail']
+--
+roleDetail :: RoleDetail
+roleDetail = RoleDetail
+    { _rdPath                     = Nothing
+    , _rdRoleName                 = Nothing
+    , _rdRoleId                   = Nothing
+    , _rdArn                      = Nothing
+    , _rdCreateDate               = Nothing
+    , _rdAssumeRolePolicyDocument = Nothing
+    , _rdInstanceProfileList      = mempty
+    , _rdRolePolicyList           = mempty
+    }
+
+rdArn :: Lens' RoleDetail (Maybe Text)
+rdArn = lens _rdArn (\s a -> s { _rdArn = a })
+
+-- | The trust policy that grants an entity permission to assume the role.
+--
+-- The returned policy is URL-encoded according to <http://www.faqs.org/rfcs/rfc3986.html RFC 3986>.
+rdAssumeRolePolicyDocument :: Lens' RoleDetail (Maybe Text)
+rdAssumeRolePolicyDocument =
+    lens _rdAssumeRolePolicyDocument
+        (\s a -> s { _rdAssumeRolePolicyDocument = a })
+
+-- | The date and time, in <http://www.iso.org/iso/iso8601 ISO 8601 date-time format>, when the role was created.
+rdCreateDate :: Lens' RoleDetail (Maybe UTCTime)
+rdCreateDate = lens _rdCreateDate (\s a -> s { _rdCreateDate = a }) . mapping _Time
+
+rdInstanceProfileList :: Lens' RoleDetail [InstanceProfile]
+rdInstanceProfileList =
+    lens _rdInstanceProfileList (\s a -> s { _rdInstanceProfileList = a })
+        . _List
+
+-- | The path to the role. For more information about paths, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html IAM Identifiers>
+-- in the /Using IAM/ guide.
+rdPath :: Lens' RoleDetail (Maybe Text)
+rdPath = lens _rdPath (\s a -> s { _rdPath = a })
+
+-- | The stable and unique string identifying the role. For more information about
+-- IDs, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html IAM Identifiers> in the /Using IAM/ guide.
+rdRoleId :: Lens' RoleDetail (Maybe Text)
+rdRoleId = lens _rdRoleId (\s a -> s { _rdRoleId = a })
+
+-- | The friendly name that identifies the role.
+rdRoleName :: Lens' RoleDetail (Maybe Text)
+rdRoleName = lens _rdRoleName (\s a -> s { _rdRoleName = a })
+
+-- | A list of the access (permissions) policies attached to the role.
+rdRolePolicyList :: Lens' RoleDetail [PolicyDetail]
+rdRolePolicyList = lens _rdRolePolicyList (\s a -> s { _rdRolePolicyList = a }) . _List
+
+instance FromXML RoleDetail where
+    parseXML x = RoleDetail
+        <$> x .@? "Arn"
+        <*> x .@? "AssumeRolePolicyDocument"
+        <*> x .@? "CreateDate"
+        <*> x .@? "InstanceProfileList" .!@ mempty
+        <*> x .@? "Path"
+        <*> x .@? "RoleId"
+        <*> x .@? "RoleName"
+        <*> x .@? "RolePolicyList" .!@ mempty
+
+instance ToQuery RoleDetail where
+    toQuery RoleDetail{..} = mconcat
+        [ "Arn"                      =? _rdArn
+        , "AssumeRolePolicyDocument" =? _rdAssumeRolePolicyDocument
+        , "CreateDate"               =? _rdCreateDate
+        , "InstanceProfileList"      =? _rdInstanceProfileList
+        , "Path"                     =? _rdPath
+        , "RoleId"                   =? _rdRoleId
+        , "RoleName"                 =? _rdRoleName
+        , "RolePolicyList"           =? _rdRolePolicyList
+        ]
+
 data ReportFormatType
     = TextCsv -- ^ text/csv
       deriving (Eq, Ord, Show, Generic, Enum)
@@ -770,6 +942,35 @@
         , "UserName"              =? _lpUserName
         ]
 
+data EntityType
+    = ETGroup -- ^ Group
+    | ETRole  -- ^ Role
+    | ETUser  -- ^ User
+      deriving (Eq, Ord, Show, Generic, Enum)
+
+instance Hashable EntityType
+
+instance FromText EntityType where
+    parser = takeText >>= \case
+        "Group" -> pure ETGroup
+        "Role"  -> pure ETRole
+        "User"  -> pure ETUser
+        e       -> fail $
+            "Failure parsing EntityType from " ++ show e
+
+instance ToText EntityType where
+    toText = \case
+        ETGroup -> "Group"
+        ETRole  -> "Role"
+        ETUser  -> "User"
+
+instance ToByteString EntityType
+instance ToHeader     EntityType
+instance ToQuery      EntityType
+
+instance FromXML EntityType where
+    parseXML = parseXMLText "EntityType"
+
 data SummaryKeyType
     = AccessKeysPerUserQuota          -- ^ AccessKeysPerUserQuota
     | AccountMFAEnabled               -- ^ AccountMFAEnabled
@@ -832,6 +1033,87 @@
 instance FromXML SummaryKeyType where
     parseXML = parseXMLText "SummaryKeyType"
 
+data GroupDetail = GroupDetail
+    { _gdArn             :: Maybe Text
+    , _gdCreateDate      :: Maybe ISO8601
+    , _gdGroupId         :: Maybe Text
+    , _gdGroupName       :: Maybe Text
+    , _gdGroupPolicyList :: List "member" PolicyDetail
+    , _gdPath            :: Maybe Text
+    } deriving (Eq, Show)
+
+-- | 'GroupDetail' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'gdArn' @::@ 'Maybe' 'Text'
+--
+-- * 'gdCreateDate' @::@ 'Maybe' 'UTCTime'
+--
+-- * 'gdGroupId' @::@ 'Maybe' 'Text'
+--
+-- * 'gdGroupName' @::@ 'Maybe' 'Text'
+--
+-- * 'gdGroupPolicyList' @::@ ['PolicyDetail']
+--
+-- * 'gdPath' @::@ 'Maybe' 'Text'
+--
+groupDetail :: GroupDetail
+groupDetail = GroupDetail
+    { _gdPath            = Nothing
+    , _gdGroupName       = Nothing
+    , _gdGroupId         = Nothing
+    , _gdArn             = Nothing
+    , _gdCreateDate      = Nothing
+    , _gdGroupPolicyList = mempty
+    }
+
+gdArn :: Lens' GroupDetail (Maybe Text)
+gdArn = lens _gdArn (\s a -> s { _gdArn = a })
+
+-- | The date and time, in <http://www.iso.org/iso/iso8601 ISO 8601 date-time format>, when the group was created.
+gdCreateDate :: Lens' GroupDetail (Maybe UTCTime)
+gdCreateDate = lens _gdCreateDate (\s a -> s { _gdCreateDate = a }) . mapping _Time
+
+-- | The stable and unique string identifying the group. For more information
+-- about IDs, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html IAM Identifiers> in the /Using IAM/ guide.
+gdGroupId :: Lens' GroupDetail (Maybe Text)
+gdGroupId = lens _gdGroupId (\s a -> s { _gdGroupId = a })
+
+-- | The friendly name that identifies the group.
+gdGroupName :: Lens' GroupDetail (Maybe Text)
+gdGroupName = lens _gdGroupName (\s a -> s { _gdGroupName = a })
+
+-- | A list of the policies attached to the group.
+gdGroupPolicyList :: Lens' GroupDetail [PolicyDetail]
+gdGroupPolicyList =
+    lens _gdGroupPolicyList (\s a -> s { _gdGroupPolicyList = a })
+        . _List
+
+-- | The path to the group. For more information about paths, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html IAM Identifiers>
+-- in the /Using IAM/ guide.
+gdPath :: Lens' GroupDetail (Maybe Text)
+gdPath = lens _gdPath (\s a -> s { _gdPath = a })
+
+instance FromXML GroupDetail where
+    parseXML x = GroupDetail
+        <$> x .@? "Arn"
+        <*> x .@? "CreateDate"
+        <*> x .@? "GroupId"
+        <*> x .@? "GroupName"
+        <*> x .@? "GroupPolicyList" .!@ mempty
+        <*> x .@? "Path"
+
+instance ToQuery GroupDetail where
+    toQuery GroupDetail{..} = mconcat
+        [ "Arn"             =? _gdArn
+        , "CreateDate"      =? _gdCreateDate
+        , "GroupId"         =? _gdGroupId
+        , "GroupName"       =? _gdGroupName
+        , "GroupPolicyList" =? _gdGroupPolicyList
+        , "Path"            =? _gdPath
+        ]
+
 data ReportStateType
     = Complete   -- ^ COMPLETE
     | Inprogress -- ^ INPROGRESS
@@ -957,6 +1239,46 @@
         , "UserName"         =? _uUserName
         ]
 
+data PolicyDetail = PolicyDetail
+    { _pdPolicyDocument :: Maybe Text
+    , _pdPolicyName     :: Maybe Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'PolicyDetail' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'pdPolicyDocument' @::@ 'Maybe' 'Text'
+--
+-- * 'pdPolicyName' @::@ 'Maybe' 'Text'
+--
+policyDetail :: PolicyDetail
+policyDetail = PolicyDetail
+    { _pdPolicyName     = Nothing
+    , _pdPolicyDocument = Nothing
+    }
+
+-- | The policy document.
+--
+-- The returned policy is URL-encoded according to <http://www.faqs.org/rfcs/rfc3986.html RFC 3986>.
+pdPolicyDocument :: Lens' PolicyDetail (Maybe Text)
+pdPolicyDocument = lens _pdPolicyDocument (\s a -> s { _pdPolicyDocument = a })
+
+-- | The name of the policy.
+pdPolicyName :: Lens' PolicyDetail (Maybe Text)
+pdPolicyName = lens _pdPolicyName (\s a -> s { _pdPolicyName = a })
+
+instance FromXML PolicyDetail where
+    parseXML x = PolicyDetail
+        <$> x .@? "PolicyDocument"
+        <*> x .@? "PolicyName"
+
+instance ToQuery PolicyDetail where
+    toQuery PolicyDetail{..} = mconcat
+        [ "PolicyDocument" =? _pdPolicyDocument
+        , "PolicyName"     =? _pdPolicyName
+        ]
+
 data StatusType
     = Active   -- ^ Active
     | Inactive -- ^ Inactive
@@ -1082,14 +1404,13 @@
 
 -- | The policy that grants an entity permission to assume the role.
 --
--- The returned policy is URL-encoded according to RFC 3986. For more
--- information about RFC 3986, go to <http://www.faqs.org/rfcs/rfc3986.html http://www.faqs.org/rfcs/rfc3986.html>.
+-- The returned policy is URL-encoded according to <http://www.faqs.org/rfcs/rfc3986.html RFC 3986>.
 rAssumeRolePolicyDocument :: Lens' Role (Maybe Text)
 rAssumeRolePolicyDocument =
     lens _rAssumeRolePolicyDocument
         (\s a -> s { _rAssumeRolePolicyDocument = a })
 
--- | The date when the role was created.
+-- | The date and time, in <http://www.iso.org/iso/iso8601 ISO 8601 date-time format>, when the role was created.
 rCreateDate :: Lens' Role UTCTime
 rCreateDate = lens _rCreateDate (\s a -> s { _rCreateDate = a }) . _Time
 
@@ -1103,7 +1424,7 @@
 rRoleId :: Lens' Role Text
 rRoleId = lens _rRoleId (\s a -> s { _rRoleId = a })
 
--- | The name that identifies the role.
+-- | The friendly name that identifies the role.
 rRoleName :: Lens' Role Text
 rRoleName = lens _rRoleName (\s a -> s { _rRoleName = a })
 
@@ -1124,6 +1445,95 @@
         , "Path"                     =? _rPath
         , "RoleId"                   =? _rRoleId
         , "RoleName"                 =? _rRoleName
+        ]
+
+data UserDetail = UserDetail
+    { _udArn            :: Maybe Text
+    , _udCreateDate     :: Maybe ISO8601
+    , _udGroupList      :: List "member" Text
+    , _udPath           :: Maybe Text
+    , _udUserId         :: Maybe Text
+    , _udUserName       :: Maybe Text
+    , _udUserPolicyList :: List "member" PolicyDetail
+    } deriving (Eq, Show)
+
+-- | 'UserDetail' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'udArn' @::@ 'Maybe' 'Text'
+--
+-- * 'udCreateDate' @::@ 'Maybe' 'UTCTime'
+--
+-- * 'udGroupList' @::@ ['Text']
+--
+-- * 'udPath' @::@ 'Maybe' 'Text'
+--
+-- * 'udUserId' @::@ 'Maybe' 'Text'
+--
+-- * 'udUserName' @::@ 'Maybe' 'Text'
+--
+-- * 'udUserPolicyList' @::@ ['PolicyDetail']
+--
+userDetail :: UserDetail
+userDetail = UserDetail
+    { _udPath           = Nothing
+    , _udUserName       = Nothing
+    , _udUserId         = Nothing
+    , _udArn            = Nothing
+    , _udCreateDate     = Nothing
+    , _udUserPolicyList = mempty
+    , _udGroupList      = mempty
+    }
+
+udArn :: Lens' UserDetail (Maybe Text)
+udArn = lens _udArn (\s a -> s { _udArn = a })
+
+-- | The date and time, in <http://www.iso.org/iso/iso8601 ISO 8601 date-time format>, when the user was created.
+udCreateDate :: Lens' UserDetail (Maybe UTCTime)
+udCreateDate = lens _udCreateDate (\s a -> s { _udCreateDate = a }) . mapping _Time
+
+-- | A list of the IAM groups that the user is in.
+udGroupList :: Lens' UserDetail [Text]
+udGroupList = lens _udGroupList (\s a -> s { _udGroupList = a }) . _List
+
+-- | The path to the user. For more information about paths, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html IAM Identifiers>
+-- in the /Using IAM/ guide.
+udPath :: Lens' UserDetail (Maybe Text)
+udPath = lens _udPath (\s a -> s { _udPath = a })
+
+-- | The stable and unique string identifying the user. For more information about
+-- IDs, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html IAM Identifiers> in the /Using IAM/ guide.
+udUserId :: Lens' UserDetail (Maybe Text)
+udUserId = lens _udUserId (\s a -> s { _udUserId = a })
+
+-- | The friendly name identifying the user.
+udUserName :: Lens' UserDetail (Maybe Text)
+udUserName = lens _udUserName (\s a -> s { _udUserName = a })
+
+-- | A list of the policies attached to the user.
+udUserPolicyList :: Lens' UserDetail [PolicyDetail]
+udUserPolicyList = lens _udUserPolicyList (\s a -> s { _udUserPolicyList = a }) . _List
+
+instance FromXML UserDetail where
+    parseXML x = UserDetail
+        <$> x .@? "Arn"
+        <*> x .@? "CreateDate"
+        <*> x .@? "GroupList" .!@ mempty
+        <*> x .@? "Path"
+        <*> x .@? "UserId"
+        <*> x .@? "UserName"
+        <*> x .@? "UserPolicyList" .!@ mempty
+
+instance ToQuery UserDetail where
+    toQuery UserDetail{..} = mconcat
+        [ "Arn"            =? _udArn
+        , "CreateDate"     =? _udCreateDate
+        , "GroupList"      =? _udGroupList
+        , "Path"           =? _udPath
+        , "UserId"         =? _udUserId
+        , "UserName"       =? _udUserName
+        , "UserPolicyList" =? _udUserPolicyList
         ]
 
 data ServerCertificate = ServerCertificate
diff --git a/gen/Network/AWS/IAM/UpdateAccountPasswordPolicy.hs b/gen/Network/AWS/IAM/UpdateAccountPasswordPolicy.hs
--- a/gen/Network/AWS/IAM/UpdateAccountPasswordPolicy.hs
+++ b/gen/Network/AWS/IAM/UpdateAccountPasswordPolicy.hs
@@ -24,6 +24,11 @@
 
 -- | Updates the password policy settings for the AWS account.
 --
+-- This action does not support partial updates. No parameters are required,
+-- but if you do not specify a parameter, that parameter's value reverts to its
+-- default value. See the Request Parameters section for each parameter's
+-- default value.
+--
 -- For more information about using a password policy, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html Managing an IAMPassword Policy> in the /Using IAM/ guide.
 --
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccountPasswordPolicy.html>
diff --git a/gen/Network/AWS/IAM/UpdateGroup.hs b/gen/Network/AWS/IAM/UpdateGroup.hs
--- a/gen/Network/AWS/IAM/UpdateGroup.hs
+++ b/gen/Network/AWS/IAM/UpdateGroup.hs
@@ -26,6 +26,11 @@
 --
 -- You should understand the implications of changing a group's path or name.
 -- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html Renaming Users and Groups> in the /Using IAM/ guide.
+-- To change a group name the requester must have appropriate permissions on
+-- both the source object and the target object. For example, to change Managers
+-- to MGRs, the entity making the request must have permission on Managers and
+-- MGRs, or must have permission on all (*). For more information about
+-- permissions, see Permissions and Policies.
 --
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateGroup.html>
 module Network.AWS.IAM.UpdateGroup
diff --git a/gen/Network/AWS/IAM/UpdateOpenIDConnectProviderThumbprint.hs b/gen/Network/AWS/IAM/UpdateOpenIDConnectProviderThumbprint.hs
--- a/gen/Network/AWS/IAM/UpdateOpenIDConnectProviderThumbprint.hs
+++ b/gen/Network/AWS/IAM/UpdateOpenIDConnectProviderThumbprint.hs
@@ -33,6 +33,11 @@
 -- IAM provider as a principal will fail until the certificate thumbprint is
 -- updated.
 --
+-- Because trust for the OpenID Connect provider is ultimately derived from the
+-- provider's certificate and is validated by the thumbprint, it is a best
+-- practice to limit access to the 'UpdateOpenIDConnectProviderThumbprint' action
+-- to highly-privileged users.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateOpenIDConnectProviderThumbprint.html>
 module Network.AWS.IAM.UpdateOpenIDConnectProviderThumbprint
     (
diff --git a/gen/Network/AWS/IAM/UpdateSAMLProvider.hs b/gen/Network/AWS/IAM/UpdateSAMLProvider.hs
--- a/gen/Network/AWS/IAM/UpdateSAMLProvider.hs
+++ b/gen/Network/AWS/IAM/UpdateSAMLProvider.hs
@@ -24,6 +24,8 @@
 
 -- | Updates the metadata document for an existing SAML provider.
 --
+-- This operation requires <http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html Signature Version 4>.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html>
 module Network.AWS.IAM.UpdateSAMLProvider
     (
diff --git a/gen/Network/AWS/IAM/UpdateServerCertificate.hs b/gen/Network/AWS/IAM/UpdateServerCertificate.hs
--- a/gen/Network/AWS/IAM/UpdateServerCertificate.hs
+++ b/gen/Network/AWS/IAM/UpdateServerCertificate.hs
@@ -25,7 +25,12 @@
 -- | Updates the name and/or the path of the specified server certificate.
 --
 -- You should understand the implications of changing a server certificate's
--- path or name. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingServerCerts.html Managing Server Certificates> in the /Using IAM/ guide.
+-- path or name. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingServerCerts.html Managing Server Certificates> in the /Using IAM/ guide.   To change a server certificate name the requester must have
+-- appropriate permissions on both the source object and the target object. For
+-- example, to change the name from ProductionCert to ProdCert, the entity
+-- making the request must have permission on ProductionCert and ProdCert, or
+-- must have permission on all (*). For more information about permissions, see Permissions and Policies
+-- .
 --
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateServerCertificate.html>
 module Network.AWS.IAM.UpdateServerCertificate
diff --git a/gen/Network/AWS/IAM/UpdateUser.hs b/gen/Network/AWS/IAM/UpdateUser.hs
--- a/gen/Network/AWS/IAM/UpdateUser.hs
+++ b/gen/Network/AWS/IAM/UpdateUser.hs
@@ -26,6 +26,11 @@
 --
 -- You should understand the implications of changing a user's path or name.
 -- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html Renaming Users and Groups> in the /Using IAM/ guide.
+-- To change a user name the requester must have appropriate permissions on both
+-- the source object and the target object. For example, to change Bob to
+-- Robert, the entity making the request must have permission on Bob and Robert,
+-- or must have permission on all (*). For more information about permissions,
+-- see Permissions and Policies.
 --
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html>
 module Network.AWS.IAM.UpdateUser
diff --git a/gen/Network/AWS/IAM/UploadServerCertificate.hs b/gen/Network/AWS/IAM/UploadServerCertificate.hs
--- a/gen/Network/AWS/IAM/UploadServerCertificate.hs
+++ b/gen/Network/AWS/IAM/UploadServerCertificate.hs
@@ -28,6 +28,12 @@
 --
 -- For information about the number of server certificates you can upload, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html Limitations on IAM Entities> in the /Using IAM/ guide.
 --
+-- Because the body of the public key certificate, private key, and the
+-- certificate chain can be large, you should use POST rather than GET when
+-- calling 'UploadServerCertificate'. For information about setting up signatures
+-- and authorization through the API, go to <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests> in the /AWSGeneral Reference/. For general information about using the Query API with
+-- IAM, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests> in the /Using IAM/ guide.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadServerCertificate.html>
 module Network.AWS.IAM.UploadServerCertificate
     (
@@ -104,6 +110,11 @@
 --
 -- This parameter is optional. If it is not included, it defaults to a slash
 -- (/).
+--
+-- If you are uploading a server certificate specifically for use with Amazon
+-- CloudFront distributions, you must specify a path using the '--path' option.
+-- The path must begin with '/cloudfront' and must include a trailing slash (for
+-- example, '/cloudfront/test/').
 uscPath :: Lens' UploadServerCertificate (Maybe Text)
 uscPath = lens _uscPath (\s a -> s { _uscPath = a })
 
diff --git a/gen/Network/AWS/IAM/UploadSigningCertificate.hs b/gen/Network/AWS/IAM/UploadSigningCertificate.hs
--- a/gen/Network/AWS/IAM/UploadSigningCertificate.hs
+++ b/gen/Network/AWS/IAM/UploadSigningCertificate.hs
@@ -33,6 +33,11 @@
 -- action to manage root credentials even if the AWS account has no associated
 -- users.
 --
+-- Because the body of a X.509 certificate can be large, you should use POST
+-- rather than GET when calling 'UploadSigningCertificate'. For information about
+-- setting up signatures and authorization through the API, go to <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWSAPI Requests> in the /AWS General Reference/. For general information about
+-- using the Query API with IAM, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests> in the /Using IAM/guide.
+--
 -- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadSigningCertificate.html>
 module Network.AWS.IAM.UploadSigningCertificate
     (
