diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -8,7 +8,9 @@
 
 ## Description
 
-The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
+    The AWS Security Token Service (STS) is a web service that enables you to
+    request temporary, limited-privilege credentials for AWS Identity and Access
+    Management (IAM) users or for users that you authenticate (federated users).
 
 Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-sts)
 and [AWS API Reference](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html).
diff --git a/amazonka-sts.cabal b/amazonka-sts.cabal
--- a/amazonka-sts.cabal
+++ b/amazonka-sts.cabal
@@ -1,5 +1,5 @@
 name:                  amazonka-sts
-version:               0.0.1
+version:               0.0.2
 synopsis:              Amazon Security Token Service SDK.
 homepage:              https://github.com/brendanhay/amazonka
 license:               OtherLicense
@@ -13,10 +13,9 @@
 cabal-version:         >= 1.10
 
 description:
-    The AWS Security Token Service (STS) is a web service that enables you
-    to request temporary, limited-privilege credentials for AWS Identity
-    and Access Management (IAM) users or for users that you authenticate
-    (federated users).
+    The AWS Security Token Service (STS) is a web service that enables you to
+    request temporary, limited-privilege credentials for AWS Identity and Access
+    Management (IAM) users or for users that you authenticate (federated users).
     .
     /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>
     .
@@ -46,5 +45,5 @@
     other-modules:
 
     build-depends:
-          amazonka-core == 0.0.1.*
+          amazonka-core == 0.0.2.*
         , base          >= 4.7     && < 5
diff --git a/gen/Network/AWS/STS.hs b/gen/Network/AWS/STS.hs
--- a/gen/Network/AWS/STS.hs
+++ b/gen/Network/AWS/STS.hs
@@ -9,9 +9,8 @@
 -- Portability : non-portable (GHC extensions)
 
 -- | The AWS Security Token Service (STS) is a web service that enables you to
--- request temporary, limited-privilege credentials for AWS Identity and
--- Access Management (IAM) users or for users that you authenticate (federated
--- users).
+-- request temporary, limited-privilege credentials for AWS Identity and Access
+-- Management (IAM) users or for users that you authenticate (federated users).
 module Network.AWS.STS
     ( module Network.AWS.STS.AssumeRole
     , module Network.AWS.STS.AssumeRoleWithSAML
diff --git a/gen/Network/AWS/STS/AssumeRole.hs b/gen/Network/AWS/STS/AssumeRole.hs
--- a/gen/Network/AWS/STS/AssumeRole.hs
+++ b/gen/Network/AWS/STS/AssumeRole.hs
@@ -20,62 +20,73 @@
 -- Stability   : experimental
 -- Portability : non-portable (GHC extensions)
 
--- | Returns a set of temporary security credentials (consisting of an access
--- key ID, a secret access key, and a security token) that you can use to
--- access AWS resources that you might not normally have access to. Typically,
--- you use AssumeRole for cross-account access or federation. Important: You
--- cannot call AssumeRole by using AWS account credentials; access will be
--- denied. You must use IAM user credentials or temporary security credentials
--- to call AssumeRole. For cross-account access, imagine that you own multiple
--- accounts and need to access resources in each account. You could create
--- long-term credentials in each account to access those resources. However,
--- managing all those credentials and remembering which one can access which
--- account can be time consuming. Instead, you can create one set of long-term
--- credentials in one account and then use temporary security credentials to
--- access all the other accounts by assuming roles in those accounts. For more
--- information about roles, see Roles in Using IAM. For federation, you can,
--- for example, grant single sign-on access to the AWS Management Console. If
--- you already have an identity and authentication system in your corporate
--- network, you don't have to recreate user identities in AWS in order to
--- grant those user identities access to AWS. Instead, after a user has been
--- authenticated, you call AssumeRole (and specify the role with the
--- appropriate permissions) to get temporary security credentials for that
--- user. With those temporary security credentials, you construct a sign-in
--- URL that users can use to access the console. For more information, see
--- Scenarios for Granting Temporary Access in Using Temporary Security
--- Credentials. The temporary security credentials are valid for the duration
--- that you specified when calling AssumeRole, which can be from 900 seconds
--- (15 minutes) to 3600 seconds (1 hour). The default is 1 hour. Optionally,
--- you can pass an IAM access policy to this operation. If you choose not to
--- pass a policy, the temporary security credentials that are returned by the
--- operation have the permissions that are defined in the access policy of the
--- role that is being assumed. If you pass a policy to this operation, the
--- temporary security credentials that are returned by the operation have the
--- permissions that are allowed by both the access policy of the role that is
--- being assumed, and the policy that you pass. This gives you a way to
--- further restrict the permissions for the resulting temporary security
--- credentials. You cannot use the passed policy to grant permissions that are
--- in excess of those allowed by the access policy of the role that is being
--- assumed. For more information, see Permissions for AssumeRole in Using
--- Temporary Security Credentials. To assume a role, your AWS account must be
--- trusted by the role. The trust relationship is defined in the role's trust
--- policy when the role is created. You must also have a policy that allows
--- you to call sts:AssumeRole. Using MFA with AssumeRole You can optionally
--- include multi-factor authentication (MFA) information when you call
--- AssumeRole. This is useful for cross-account scenarios in which you want to
--- make sure that the user who is assuming the role has been authenticated
--- using an AWS MFA device. In that scenario, the trust policy of the role
--- being assumed includes a condition that tests for MFA authentication; if
--- the caller does not include valid MFA information, the request to assume
--- the role is denied. The condition in a trust policy that tests for MFA
--- authentication might look like the following example. "Condition": {"Null":
--- {"aws:MultiFactorAuthAge": false}} For more information, see Configuring
--- MFA-Protected API Access in the Using IAM guide. To use MFA with
--- AssumeRole, you pass values for the SerialNumber and TokenCode parameters.
--- The SerialNumber value identifies the user's hardware or virtual MFA
--- device. The TokenCode is the time-based one-time password (TOTP) that the
+-- | Returns a set of temporary security credentials (consisting of an access key
+-- ID, a secret access key, and a security token) that you can use to access AWS
+-- resources that you might not normally have access to. Typically, you use 'AssumeRole' for cross-account access or federation.
+--
+-- Important: You cannot call 'AssumeRole' by using AWS account credentials;
+-- access will be denied. You must use IAM user credentials or temporary
+-- security credentials to call 'AssumeRole'.
+--
+-- For cross-account access, imagine that you own multiple accounts and need to
+-- access resources in each account. You could create long-term credentials in
+-- each account to access those resources. However, managing all those
+-- credentials and remembering which one can access which account can be time
+-- consuming. Instead, you can create one set of long-term credentials in one
+-- account and then use temporary security credentials to access all the other
+-- accounts by assuming roles in those accounts. For more information about
+-- roles, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html Roles> in /Using IAM/.
+--
+-- For federation, you can, for example, grant single sign-on access to the AWS
+-- Management Console. If you already have an identity and authentication system
+-- in your corporate network, you don't have to recreate user identities in AWS
+-- in order to grant those user identities access to AWS. Instead, after a user
+-- has been authenticated, you call 'AssumeRole' (and specify the role with the
+-- appropriate permissions) to get temporary security credentials for that user.
+-- With those temporary security credentials, you construct a sign-in URL that
+-- users can use to access the console. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios forGranting Temporary Access> in /Using Temporary Security Credentials/.
+--
+-- The temporary security credentials are valid for the duration that you
+-- specified when calling 'AssumeRole', which can be from 900 seconds (15 minutes)
+-- to 3600 seconds (1 hour). The default is 1 hour.
+--
+-- Optionally, you can pass an IAM access policy to this operation. If you
+-- choose not to pass a policy, the temporary security credentials that are
+-- returned by the operation have the permissions that are defined in the access
+-- policy of the role that is being assumed. If you pass a policy to this
+-- operation, the temporary security credentials that are returned by the
+-- operation have the permissions that are allowed by both the access policy of
+-- the role that is being assumed, /and/ the policy that you pass. This gives you
+-- a way to further restrict the permissions for the resulting temporary
+-- security credentials. You cannot use the passed policy to grant permissions
+-- that are in excess of those allowed by the access policy of the role that is
+-- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /UsingTemporary Security Credentials/.
+--
+-- To assume a role, your AWS account must be trusted by the role. The trust
+-- relationship is defined in the role's trust policy when the role is created.
+-- You must also have a policy that allows you to call 'sts:AssumeRole'.
+--
+-- Using MFA with AssumeRole
+--
+-- You can optionally include multi-factor authentication (MFA) information
+-- when you call 'AssumeRole'. This is useful for cross-account scenarios in which
+-- you want to make sure that the user who is assuming the role has been
+-- authenticated using an AWS MFA device. In that scenario, the trust policy of
+-- the role being assumed includes a condition that tests for MFA
+-- authentication; if the caller does not include valid MFA information, the
+-- request to assume the role is denied. The condition in a trust policy that
+-- tests for MFA authentication might look like the following example.
+--
+-- '"Condition": {"Null": {"aws:MultiFactorAuthAge": false}}'
+--
+-- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access> in the /UsingIAM/ guide.
+--
+-- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and 'TokenCode' parameters. The 'SerialNumber' value identifies the user's hardware or virtual
+-- MFA device. The 'TokenCode' is the time-based one-time password (TOTP) that the
 -- MFA devices produces.
 --
+--
+--
 -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>
 module Network.AWS.STS.AssumeRole
     (
@@ -148,34 +159,33 @@
     , _arTokenCode       = Nothing
     }
 
--- | The duration, in seconds, of the role session. The value can range from
--- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
--- is set to 3600 seconds.
+-- | The duration, in seconds, of the role session. The value can range from 900
+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
+-- to 3600 seconds.
 arDurationSeconds :: Lens' AssumeRole (Maybe Natural)
 arDurationSeconds =
     lens _arDurationSeconds (\s a -> s { _arDurationSeconds = a })
         . mapping _Nat
 
--- | A unique identifier that is used by third parties to assume a role in
--- their customers' accounts. For each role that the third party can assume,
--- they should instruct their customers to create a role with the external
--- ID that the third party generated. Each time the third party assumes the
--- role, they must pass the customer's external ID. The external ID is
--- useful in order to help third parties bind a role to the customer who
--- created it. For more information about the external ID, see About the
--- External ID in Using Temporary Security Credentials.
+-- | A unique identifier that is used by third parties to assume a role in their
+-- customers' accounts. For each role that the third party can assume, they
+-- should instruct their customers to create a role with the external ID that
+-- the third party generated. Each time the third party assumes the role, they
+-- must pass the customer's external ID. The external ID is useful in order to
+-- help third parties bind a role to the customer who created it. For more
+-- information about the external ID, see About the External ID in /UsingTemporary Security Credentials/.
 arExternalId :: Lens' AssumeRole (Maybe Text)
 arExternalId = lens _arExternalId (\s a -> s { _arExternalId = a })
 
--- | An IAM policy in JSON format. The policy parameter is optional. If you
--- pass a policy, the temporary security credentials that are returned by
--- the operation have the permissions that are allowed by both the access
--- policy of the role that is being assumed, and the policy that you pass.
--- This gives you a way to further restrict the permissions for the
--- resulting temporary security credentials. You cannot use the passed
--- policy to grant permissions that are in excess of those allowed by the
--- access policy of the role that is being assumed. For more information,
--- see Permissions for AssumeRole in Using Temporary Security Credentials.
+-- | An IAM policy in JSON format.
+--
+-- The policy parameter is optional. If you pass a policy, the temporary
+-- security credentials that are returned by the operation have the permissions
+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
+-- permissions for the resulting temporary security credentials. You cannot use
+-- the passed policy to grant permissions that are in excess of those allowed by
+-- the access policy of the role that is being assumed. For more information,
+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /Using Temporary Security Credentials/.
 arPolicy :: Lens' AssumeRole (Maybe Text)
 arPolicy = lens _arPolicy (\s a -> s { _arPolicy = a })
 
@@ -183,26 +193,23 @@
 arRoleArn :: Lens' AssumeRole Text
 arRoleArn = lens _arRoleArn (\s a -> s { _arRoleArn = a })
 
--- | An identifier for the assumed role session. The session name is included
--- as part of the AssumedRoleUser.
+-- | An identifier for the assumed role session. The session name is included as
+-- part of the 'AssumedRoleUser'.
 arRoleSessionName :: Lens' AssumeRole Text
 arRoleSessionName =
     lens _arRoleSessionName (\s a -> s { _arRoleSessionName = a })
 
--- | The identification number of the MFA device that is associated with the
--- user who is making the AssumeRole call. Specify this value if the trust
--- policy of the role being assumed includes a condition that requires MFA
--- authentication. The value is either the serial number for a hardware
--- device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a
--- virtual device (such as arn:aws:iam::123456789012:mfa/user).
+-- | The identification number of the MFA device that is associated with the user
+-- who is making the 'AssumeRole' call. Specify this value if the trust policy of
+-- the role being assumed includes a condition that requires MFA authentication.
+-- The value is either the serial number for a hardware device (such as 'GAHT12345678') or an Amazon Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user').
 arSerialNumber :: Lens' AssumeRole (Maybe Text)
 arSerialNumber = lens _arSerialNumber (\s a -> s { _arSerialNumber = a })
 
--- | The value provided by the MFA device, if the trust policy of the role
--- being assumed requires MFA (that is, if the policy includes a condition
--- that tests for MFA). If the role being assumed requires MFA and if the
--- TokenCode value is missing or expired, the AssumeRole call returns an
--- "access denied" error.
+-- | The value provided by the MFA device, if the trust policy of the role being
+-- assumed requires MFA (that is, if the policy includes a condition that tests
+-- for MFA). If the role being assumed requires MFA and if the 'TokenCode' value
+-- is missing or expired, the 'AssumeRole' call returns an "access denied" error.
 arTokenCode :: Lens' AssumeRole (Maybe Text)
 arTokenCode = lens _arTokenCode (\s a -> s { _arTokenCode = a })
 
@@ -229,24 +236,23 @@
     , _arrPackedPolicySize = Nothing
     }
 
--- | The Amazon Resource Name (ARN) and the assumed role ID, which are
--- identifiers that you can use to refer to the resulting temporary security
--- credentials. For example, you can reference these credentials as a
--- principal in a resource-based policy by using the ARN or assumed role ID.
--- The ARN and ID include the RoleSessionName that you specified when you
--- called AssumeRole.
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
+-- that you can use to refer to the resulting temporary security credentials.
+-- For example, you can reference these credentials as a principal in a
+-- resource-based policy by using the ARN or assumed role ID. The ARN and ID
+-- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.
 arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
 arrAssumedRoleUser =
     lens _arrAssumedRoleUser (\s a -> s { _arrAssumedRoleUser = a })
 
--- | The temporary security credentials, which include an access key ID, a
--- secret access key, and a security (or session) token.
+-- | The temporary security credentials, which include an access key ID, a secret
+-- access key, and a security (or session) token.
 arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
 arrCredentials = lens _arrCredentials (\s a -> s { _arrCredentials = a })
 
--- | A percentage value that indicates the size of the policy in packed form.
--- The service rejects any policy with a packed size greater than 100
--- percent, which means the policy exceeded the allowed space.
+-- | A percentage value that indicates the size of the policy in packed form. The
+-- service rejects any policy with a packed size greater than 100 percent, which
+-- means the policy exceeded the allowed space.
 arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
 arrPackedPolicySize =
     lens _arrPackedPolicySize (\s a -> s { _arrPackedPolicySize = a })
diff --git a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
@@ -23,39 +23,43 @@
 -- | Returns a set of temporary security credentials for users who have been
 -- authenticated via a SAML authentication response. This operation provides a
 -- mechanism for tying an enterprise identity store or directory to role-based
--- AWS access without user-specific credentials or configuration. The
--- temporary security credentials returned by this operation consist of an
+-- AWS access without user-specific credentials or configuration.
+--
+-- The temporary security credentials returned by this operation consist of an
 -- access key ID, a secret access key, and a security token. Applications can
 -- use these temporary security credentials to sign calls to AWS services. The
--- credentials are valid for the duration that you specified when calling
--- AssumeRoleWithSAML, which can be up to 3600 seconds (1 hour) or until the
--- time specified in the SAML authentication response's NotOnOrAfter value,
--- whichever is shorter. Optionally, you can pass an IAM access policy to this
--- operation. If you choose not to pass a policy, the temporary security
--- credentials that are returned by the operation have the permissions that
--- are defined in the access policy of the role that is being assumed. If you
--- pass a policy to this operation, the temporary security credentials that
--- are returned by the operation have the permissions that are allowed by both
--- the access policy of the role that is being assumed, and the policy that
--- you pass. This gives you a way to further restrict the permissions for the
--- resulting temporary security credentials. You cannot use the passed policy
--- to grant permissions that are in excess of those allowed by the access
--- policy of the role that is being assumed. For more information, see
--- Permissions for AssumeRoleWithSAML in Using Temporary Security Credentials.
--- Before your application can call AssumeRoleWithSAML, you must configure
--- your SAML identity provider (IdP) to issue the claims required by AWS.
--- Additionally, you must use AWS Identity and Access Management (IAM) to
--- create a SAML provider entity in your AWS account that represents your
--- identity provider, and create an IAM role that specifies this SAML provider
--- in its trust policy. Calling AssumeRoleWithSAML does not require the use of
--- AWS security credentials. The identity of the caller is validated by using
--- keys in the metadata document that is uploaded for the SAML provider entity
--- for your identity provider. For more information, see the following
--- resources: Creating Temporary Security Credentials for SAML Federation in
--- Using Temporary Security Credentials. SAML Providers in Using IAM.
--- Configuring a Relying Party and Claims in Using IAM. Creating a Role for
--- SAML-Based Federation in Using IAM.
+-- credentials are valid for the duration that you specified when calling 'AssumeRoleWithSAML', which can be up to 3600 seconds (1 hour) or until the time specified in the
+-- SAML authentication response's 'NotOnOrAfter' value, whichever is shorter.
 --
+-- Optionally, you can pass an IAM access policy to this operation. If you
+-- choose not to pass a policy, the temporary security credentials that are
+-- returned by the operation have the permissions that are defined in the access
+-- policy of the role that is being assumed. If you pass a policy to this
+-- operation, the temporary security credentials that are returned by the
+-- operation have the permissions that are allowed by both the access policy of
+-- the role that is being assumed, /and/ the policy that you pass. This gives you
+-- a way to further restrict the permissions for the resulting temporary
+-- security credentials. You cannot use the passed policy to grant permissions
+-- that are in excess of those allowed by the access policy of the role that is
+-- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>
+-- in /Using Temporary Security Credentials/.
+--
+-- Before your application can call 'AssumeRoleWithSAML', you must configure your
+-- SAML identity provider (IdP) to issue the claims required by AWS.
+-- Additionally, you must use AWS Identity and Access Management (IAM) to create
+-- a SAML provider entity in your AWS account that represents your identity
+-- provider, and create an IAM role that specifies this SAML provider in its
+-- trust policy.
+--
+-- Calling 'AssumeRoleWithSAML' does not require the use of AWS security
+-- credentials. The identity of the caller is validated by using keys in the
+-- metadata document that is uploaded for the SAML provider entity for your
+-- identity provider.
+--
+-- For more information, see the following resources:
+--
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation> in /UsingTemporary Security Credentials/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers> in /Using IAM/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuringa Relying Party and Claims> in /Using IAM/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-BasedFederation> in /Using IAM/.
+--
 -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html>
 module Network.AWS.STS.AssumeRoleWithSAML
     (
@@ -124,31 +128,31 @@
     , _arwsamlDurationSeconds = Nothing
     }
 
--- | The duration, in seconds, of the role session. The value can range from
--- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
--- is set to 3600 seconds. An expiration can also be specified in the SAML
--- authentication response's NotOnOrAfter value. The actual expiration time
--- is whichever value is shorter.
+-- | The duration, in seconds, of the role session. The value can range from 900
+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
+-- to 3600 seconds. An expiration can also be specified in the SAML
+-- authentication response's 'NotOnOrAfter' value. The actual expiration time is
+-- whichever value is shorter.
 arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)
 arwsamlDurationSeconds =
     lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })
         . mapping _Nat
 
--- | An IAM policy in JSON format. The policy parameter is optional. If you
--- pass a policy, the temporary security credentials that are returned by
--- the operation have the permissions that are allowed by both the access
--- policy of the role that is being assumed, and the policy that you pass.
--- This gives you a way to further restrict the permissions for the
--- resulting temporary security credentials. You cannot use the passed
--- policy to grant permissions that are in excess of those allowed by the
--- access policy of the role that is being assumed. For more information,
--- see Permissions for AssumeRoleWithSAML in Using Temporary Security
--- Credentials.
+-- | An IAM policy in JSON format.
+--
+-- The policy parameter is optional. If you pass a policy, the temporary
+-- security credentials that are returned by the operation have the permissions
+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
+-- permissions for the resulting temporary security credentials. You cannot use
+-- the passed policy to grant permissions that are in excess of those allowed by
+-- the access policy of the role that is being assumed. For more information,
+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/
+-- .
 arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)
 arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })
 
--- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
--- the IdP.
+-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the
+-- IdP.
 arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text
 arwsamlPrincipalArn =
     lens _arwsamlPrincipalArn (\s a -> s { _arwsamlPrincipalArn = a })
@@ -157,9 +161,10 @@
 arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text
 arwsamlRoleArn = lens _arwsamlRoleArn (\s a -> s { _arwsamlRoleArn = a })
 
--- | The base-64 encoded SAML authentication response provided by the IdP. For
--- more information, see Configuring a Relying Party and Adding Claims in
--- the Using IAM guide.
+-- | The base-64 encoded SAML authentication response provided by the IdP.
+--
+-- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> in
+-- the /Using IAM/ guide.
 arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text
 arwsamlSAMLAssertion =
     lens _arwsamlSAMLAssertion (\s a -> s { _arwsamlSAMLAssertion = a })
@@ -211,8 +216,8 @@
 arwsamlrAssumedRoleUser =
     lens _arwsamlrAssumedRoleUser (\s a -> s { _arwsamlrAssumedRoleUser = a })
 
--- | The value of the Recipient attribute of the SubjectConfirmationData
--- element of the SAML assertion.
+-- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData' element
+-- of the SAML assertion.
 arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
 arwsamlrAudience = lens _arwsamlrAudience (\s a -> s { _arwsamlrAudience = a })
 
@@ -220,41 +225,43 @@
 arwsamlrCredentials =
     lens _arwsamlrCredentials (\s a -> s { _arwsamlrCredentials = a })
 
--- | The value of the Issuer element of the SAML assertion.
+-- | The value of the 'Issuer' element of the SAML assertion.
 arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
 arwsamlrIssuer = lens _arwsamlrIssuer (\s a -> s { _arwsamlrIssuer = a })
 
--- | A hash value based on the concatenation of the Issuer response value, the
--- AWS account ID, and the friendly name (the last part of the ARN) of the
--- SAML provider in IAM. The combination of NameQualifier and Subject can be
--- used to uniquely identify a federated user. The following pseudocode
--- shows how the hash value is calculated: BASE64 ( SHA1 (
--- "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ).
+-- | A hash value based on the concatenation of the 'Issuer' response value, the AWS
+-- account ID, and the friendly name (the last part of the ARN) of the SAML
+-- provider in IAM. The combination of 'NameQualifier' and 'Subject' can be used to
+-- uniquely identify a federated user.
+--
+-- The following pseudocode shows how the hash value is calculated:
+--
+-- 'BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP") )'
 arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
 arwsamlrNameQualifier =
     lens _arwsamlrNameQualifier (\s a -> s { _arwsamlrNameQualifier = a })
 
--- | A percentage value that indicates the size of the policy in packed form.
--- The service rejects any policy with a packed size greater than 100
--- percent, which means the policy exceeded the allowed space.
+-- | A percentage value that indicates the size of the policy in packed form. The
+-- service rejects any policy with a packed size greater than 100 percent, which
+-- means the policy exceeded the allowed space.
 arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
 arwsamlrPackedPolicySize =
     lens _arwsamlrPackedPolicySize
         (\s a -> s { _arwsamlrPackedPolicySize = a })
             . mapping _Nat
 
--- | The value of the NameID element in the Subject element of the SAML
--- assertion.
+-- | The value of the 'NameID' element in the 'Subject' element of the SAML assertion.
 arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
 arwsamlrSubject = lens _arwsamlrSubject (\s a -> s { _arwsamlrSubject = a })
 
--- | The format of the name ID, as defined by the Format attribute in the
--- NameID element of the SAML assertion. Typical examples of the format are
--- transient or persistent. If the format includes the prefix
--- urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For
--- example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned
--- as transient. If the format includes any other prefix, the format is
--- returned with no modifications.
+-- | The format of the name ID, as defined by the 'Format' attribute in the 'NameID'
+-- element of the SAML assertion. Typical examples of the format are 'transient'
+-- or 'persistent'.
+--
+-- If the format includes the prefix 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For example,
+-- 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is returned as 'transient'.
+-- If the format includes any other prefix, the format is returned with no
+-- modifications.
 arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
 arwsamlrSubjectType =
     lens _arwsamlrSubjectType (\s a -> s { _arwsamlrSubjectType = a })
diff --git a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
@@ -22,52 +22,55 @@
 
 -- | Returns a set of temporary security credentials for users who have been
 -- authenticated in a mobile or web application with a web identity provider,
--- such as Login with Amazon, Amazon Cognito, Facebook, or Google. Calling
--- AssumeRoleWithWebIdentity does not require the use of AWS security
+-- such as Login with Amazon, Amazon Cognito, Facebook, or Google.
+--
+-- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS security
 -- credentials. Therefore, you can distribute an application (for example, on
 -- mobile devices) that requests temporary security credentials without
--- including long-term AWS credentials in the application, and without
--- deploying server-based proxy services that use long-term AWS credentials.
--- Instead, the identity of the caller is validated by using a token from the
--- web identity provider. The temporary security credentials returned by this
--- API consist of an access key ID, a secret access key, and a security token.
--- Applications can use these temporary security credentials to sign calls to
--- AWS service APIs. The credentials are valid for the duration that you
--- specified when calling AssumeRoleWithWebIdentity, which can be from 900
--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary
--- security credentials are valid for 1 hour. Optionally, you can pass an IAM
--- access policy to this operation. If you choose not to pass a policy, the
--- temporary security credentials that are returned by the operation have the
--- permissions that are defined in the access policy of the role that is being
--- assumed. If you pass a policy to this operation, the temporary security
--- credentials that are returned by the operation have the permissions that
--- are allowed by both the access policy of the role that is being assumed,
--- and the policy that you pass. This gives you a way to further restrict the
--- permissions for the resulting temporary security credentials. You cannot
--- use the passed policy to grant permissions that are in excess of those
--- allowed by the access policy of the role that is being assumed. For more
--- information, see Permissions for AssumeRoleWithWebIdentity in Using
--- Temporary Security Credentials. Before your application can call
--- AssumeRoleWithWebIdentity, you must have an identity token from a supported
--- identity provider and create a role that the application can assume. The
--- role that your application assumes must trust the identity provider that is
--- associated with the identity token. In other words, the identity provider
--- must be specified in the role's trust policy. For more information about
--- how to use web identity federation and the AssumeRoleWithWebIdentity, see
--- the following resources: Creating a Mobile Application with Third-Party
--- Sign-In and Creating Temporary Security Credentials for Mobile Apps Using
--- Third-Party Identity Providers in Using Temporary Security Credentials. Web
--- Identity Federation Playground. This interactive website lets you walk
--- through the process of authenticating via Login with Amazon, Facebook, or
--- Google, getting temporary security credentials, and then using those
--- credentials to make a request to AWS. AWS SDK for iOS and AWS SDK for
--- Android. These toolkits contain sample apps that show how to invoke the
--- identity providers, and then how to use the information from these
--- providers to get and use temporary security credentials. Web Identity
--- Federation with Mobile Applications. This article discusses web identity
--- federation and shows an example of how to use web identity federation to
--- get access to content in Amazon S3.
+-- including long-term AWS credentials in the application, and without deploying
+-- server-based proxy services that use long-term AWS credentials. Instead, the
+-- identity of the caller is validated by using a token from the web identity
+-- provider.
 --
+-- The temporary security credentials returned by this API consist of an access
+-- key ID, a secret access key, and a security token. Applications can use these
+-- temporary security credentials to sign calls to AWS service APIs. The
+-- credentials are valid for the duration that you specified when calling 'AssumeRoleWithWebIdentity', which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By
+-- default, the temporary security credentials are valid for 1 hour.
+--
+-- Optionally, you can pass an IAM access policy to this operation. If you
+-- choose not to pass a policy, the temporary security credentials that are
+-- returned by the operation have the permissions that are defined in the access
+-- policy of the role that is being assumed. If you pass a policy to this
+-- operation, the temporary security credentials that are returned by the
+-- operation have the permissions that are allowed by both the access policy of
+-- the role that is being assumed, /and/ the policy that you pass. This gives you
+-- a way to further restrict the permissions for the resulting temporary
+-- security credentials. You cannot use the passed policy to grant permissions
+-- that are in excess of those allowed by the access policy of the role that is
+-- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions forAssumeRoleWithWebIdentity> in /Using Temporary Security Credentials/.
+--
+-- Before your application can call 'AssumeRoleWithWebIdentity', you must have an
+-- identity token from a supported identity provider and create a role that the
+-- application can assume. The role that your application assumes must trust the
+-- identity provider that is associated with the identity token. In other words,
+-- the identity provider must be specified in the role's trust policy.
+--
+-- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity', see the following resources:
+--
+-- Creating a Mobile Application with Third-Party Sign-In and  Creating
+-- Temporary Security Credentials for Mobile Apps Using Third-Party Identity
+-- Providers in /Using Temporary Security Credentials/.    Web Identity Federation
+-- Playground. This interactive website lets you walk through the process of
+-- authenticating via Login with Amazon, Facebook, or Google, getting temporary
+-- security credentials, and then using those credentials to make a request to
+-- AWS.   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and AWS SDK for Android. These toolkits contain sample
+-- apps that show how to invoke the identity providers, and then how to use the
+-- information from these providers to get and use temporary security
+-- credentials.   Web Identity Federation with Mobile Applications. This article
+-- discusses web identity federation and shows an example of how to use web
+-- identity federation to get access to content in Amazon S3.
+--
 -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>
 module Network.AWS.STS.AssumeRoleWithWebIdentity
     (
@@ -139,32 +142,30 @@
     , _arwwiDurationSeconds  = Nothing
     }
 
--- | The duration, in seconds, of the role session. The value can range from
--- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
--- is set to 3600 seconds.
+-- | The duration, in seconds, of the role session. The value can range from 900
+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
+-- to 3600 seconds.
 arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)
 arwwiDurationSeconds =
     lens _arwwiDurationSeconds (\s a -> s { _arwwiDurationSeconds = a })
         . mapping _Nat
 
--- | An IAM policy in JSON format. The policy parameter is optional. If you
--- pass a policy, the temporary security credentials that are returned by
--- the operation have the permissions that are allowed by both the access
--- policy of the role that is being assumed, and the policy that you pass.
--- This gives you a way to further restrict the permissions for the
--- resulting temporary security credentials. You cannot use the passed
--- policy to grant permissions that are in excess of those allowed by the
--- access policy of the role that is being assumed. For more information,
--- see Permissions for AssumeRoleWithWebIdentity in Using Temporary Security
--- Credentials.
+-- | An IAM policy in JSON format.
+--
+-- The policy parameter is optional. If you pass a policy, the temporary
+-- security credentials that are returned by the operation have the permissions
+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
+-- permissions for the resulting temporary security credentials. You cannot use
+-- the passed policy to grant permissions that are in excess of those allowed by
+-- the access policy of the role that is being assumed. For more information,
+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity> in /Using Temporary SecurityCredentials/.
 arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
 arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a })
 
 -- | The fully-qualified host component of the domain name of the identity
 -- provider. Specify this value only for OAuth access tokens. Do not specify
--- this value for OpenID Connect ID tokens, such as accounts.google.com. Do
--- not include URL schemes and port numbers. Currently, www.amazon.com and
--- graph.facebook.com are supported.
+-- this value for OpenID Connect ID tokens, such as 'accounts.google.com'. Do not
+-- include URL schemes and port numbers. Currently, 'www.amazon.com' and 'graph.facebook.com' are supported.
 arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
 arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a })
 
@@ -172,20 +173,19 @@
 arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text
 arwwiRoleArn = lens _arwwiRoleArn (\s a -> s { _arwwiRoleArn = a })
 
--- | An identifier for the assumed role session. Typically, you pass the name
--- or identifier that is associated with the user who is using your
--- application. That way, the temporary security credentials that your
--- application will use are associated with that user. This session name is
--- included as part of the ARN and assumed role ID in the AssumedRoleUser
--- response element.
+-- | An identifier for the assumed role session. Typically, you pass the name or
+-- identifier that is associated with the user who is using your application.
+-- That way, the temporary security credentials that your application will use
+-- are associated with that user. This session name is included as part of the
+-- ARN and assumed role ID in the 'AssumedRoleUser' response element.
 arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text
 arwwiRoleSessionName =
     lens _arwwiRoleSessionName (\s a -> s { _arwwiRoleSessionName = a })
 
--- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by
--- the identity provider. Your application must get this token by
--- authenticating the user who is using your application with a web identity
--- provider before the application makes an AssumeRoleWithWebIdentity call.
+-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by the
+-- identity provider. Your application must get this token by authenticating the
+-- user who is using your application with a web identity provider before the
+-- application makes an 'AssumeRoleWithWebIdentity' call.
 arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text
 arwwiWebIdentityToken =
     lens _arwwiWebIdentityToken (\s a -> s { _arwwiWebIdentityToken = a })
@@ -225,50 +225,48 @@
     , _arwwirAudience                    = Nothing
     }
 
--- | The Amazon Resource Name (ARN) and the assumed role ID, which are
--- identifiers that you can use to refer to the resulting temporary security
--- credentials. For example, you can reference these credentials as a
--- principal in a resource-based policy by using the ARN or assumed role ID.
--- The ARN and ID include the RoleSessionName that you specified when you
--- called AssumeRole.
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
+-- that you can use to refer to the resulting temporary security credentials.
+-- For example, you can reference these credentials as a principal in a
+-- resource-based policy by using the ARN or assumed role ID. The ARN and ID
+-- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.
 arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
 arwwirAssumedRoleUser =
     lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a })
 
--- | The intended audience of the web identity token. This is traditionally
--- the client identifier issued to the application that requested the web
--- identity token.
+-- | The intended audience of the web identity token. This is traditionally the
+-- client identifier issued to the application that requested the web identity
+-- token.
 arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
 arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a })
 
--- | The temporary security credentials, which include an access key ID, a
--- secret access key, and a security token.
+-- | The temporary security credentials, which include an access key ID, a secret
+-- access key, and a security token.
 arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
 arwwirCredentials =
     lens _arwwirCredentials (\s a -> s { _arwwirCredentials = a })
 
--- | A percentage value that indicates the size of the policy in packed form.
--- The service rejects any policy with a packed size greater than 100
--- percent, which means the policy exceeded the allowed space.
+-- | A percentage value that indicates the size of the policy in packed form. The
+-- service rejects any policy with a packed size greater than 100 percent, which
+-- means the policy exceeded the allowed space.
 arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
 arwwirPackedPolicySize =
     lens _arwwirPackedPolicySize (\s a -> s { _arwwirPackedPolicySize = a })
         . mapping _Nat
 
 -- | The issuing authority of the web identity token presented. For OpenID
--- Connect ID Tokens this contains the value of the iss field. For OAuth 2.0
--- Access Tokens, this contains the value of the ProviderId parameter that
--- was passed in the AssumeRoleWithWebIdentity request.
+-- Connect ID Tokens this contains the value of the 'iss' field. For OAuth 2.0
+-- Access Tokens, this contains the value of the 'ProviderId' parameter that was
+-- passed in the 'AssumeRoleWithWebIdentity' request.
 arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
 arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })
 
--- | The unique user identifier that is returned by the identity provider.
--- This identifier is associated with the WebIdentityToken that was
--- submitted with the AssumeRoleWithWebIdentity call. The identifier is
--- typically unique to the user and the application that acquired the
--- WebIdentityToken (pairwise identifier). If an OpenID Connect ID token was
--- submitted in the WebIdentityToken, this value is returned by the identity
--- provider as the token's sub (Subject) claim.
+-- | The unique user identifier that is returned by the identity provider. This
+-- identifier is associated with the 'WebIdentityToken' that was submitted with
+-- the 'AssumeRoleWithWebIdentity' call. The identifier is typically unique to the
+-- user and the application that acquired the 'WebIdentityToken' (pairwise
+-- identifier). If an OpenID Connect ID token was submitted in the 'WebIdentityToken', this value is returned by the identity provider as the token's 'sub'
+-- (Subject) claim.
 arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
 arwwirSubjectFromWebIdentityToken =
     lens _arwwirSubjectFromWebIdentityToken
diff --git a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
--- a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
+++ b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
@@ -21,23 +21,25 @@
 -- Portability : non-portable (GHC extensions)
 
 -- | Decodes additional information about the authorization status of a request
--- from an encoded message returned in response to an AWS request. For
--- example, if a user is not authorized to perform an action that he or she
--- has requested, the request returns a Client.UnauthorizedOperation response
+-- from an encoded message returned in response to an AWS request.
+--
+-- For example, if a user is not authorized to perform an action that he or she
+-- has requested, the request returns a 'Client.UnauthorizedOperation' response
 -- (an HTTP 403 response). Some AWS actions additionally return an encoded
--- message that can provide details about this authorization failure. The
--- message is encoded because the details of the authorization status can
+-- message that can provide details about this authorization failure.
+--
+-- The message is encoded because the details of the authorization status can
 -- constitute privileged information that the user who requested the action
 -- should not see. To decode an authorization status message, a user must be
--- granted permissions via an IAM policy to request the
--- DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action. The
--- decoded message includes the following type of information: Whether the
--- request was denied due to an explicit deny or due to the absence of an
--- explicit allow. For more information, see Determining Whether a Request is
--- Allowed or Denied in Using IAM. The principal who made the request. The
--- requested action. The requested resource. The values of condition keys in
--- the context of the user's request.
+-- granted permissions via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.
 --
+-- The decoded message includes the following type of information:
+--
+-- Whether the request was denied due to an explicit deny or due to the
+-- absence of an explicit allow. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether aRequest is Allowed or Denied> in /Using IAM/.  The principal who made the
+-- request. The requested action. The requested resource. The values of
+-- condition keys in the context of the user's request.
+--
 -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html>
 module Network.AWS.STS.DecodeAuthorizationMessage
     (
@@ -97,8 +99,7 @@
     { _damrDecodedMessage = Nothing
     }
 
--- | An XML document that contains the decoded message. For more information,
--- see DecodeAuthorizationMessage.
+-- | An XML document that contains the decoded message. For more information, see 'DecodeAuthorizationMessage'.
 damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
 damrDecodedMessage =
     lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })
diff --git a/gen/Network/AWS/STS/GetFederationToken.hs b/gen/Network/AWS/STS/GetFederationToken.hs
--- a/gen/Network/AWS/STS/GetFederationToken.hs
+++ b/gen/Network/AWS/STS/GetFederationToken.hs
@@ -20,57 +20,61 @@
 -- Stability   : experimental
 -- Portability : non-portable (GHC extensions)
 
--- | Returns a set of temporary security credentials (consisting of an access
--- key ID, a secret access key, and a security token) for a federated user. A
+-- | Returns a set of temporary security credentials (consisting of an access key
+-- ID, a secret access key, and a security token) for a federated user. A
 -- typical use is in a proxy application that gets temporary security
--- credentials on behalf of distributed applications inside a corporate
--- network. Because you must call the GetFederationToken action using the
--- long-term security credentials of an IAM user, this call is appropriate in
--- contexts where those credentials can be safely stored, usually in a
--- server-based application. Note: Do not use this call in mobile applications
--- or client-based web applications that directly get temporary security
--- credentials. For those types of applications, use
--- AssumeRoleWithWebIdentity. The GetFederationToken action must be called by
--- using the long-term AWS security credentials of an IAM user. You can also
--- call GetFederationToken using the security credentials of an AWS account
--- (root), but this is not recommended. Instead, we recommend that you create
--- an IAM user for the purpose of the proxy application and then attach a
--- policy to the IAM user that limits federated users to only the actions and
--- resources they need access to. For more information, see IAM Best Practices
--- in Using IAM. The temporary security credentials that are obtained by using
--- the long-term credentials of an IAM user are valid for the specified
--- duration, between 900 seconds (15 minutes) and 129600 seconds (36 hours).
--- Temporary credentials that are obtained by using AWS account (root)
--- credentials have a maximum duration of 3600 seconds (1 hour) Permissions
--- The permissions for the temporary security credentials returned by
--- GetFederationToken are determined by a combination of the following: The
--- policy or policies that are attached to the IAM user whose credentials are
--- used to call GetFederationToken. The policy that is passed as a parameter
--- in the call. The passed policy is attached to the temporary security
--- credentials that result from the GetFederationToken API call--that is, to
--- the federated user. When the federated user makes an AWS request, AWS
--- evaluates the policy attached to the federated user in combination with the
--- policy or policies attached to the IAM user whose credentials were used to
--- call GetFederationToken. AWS allows the federated user's request only when
--- both the federated user and the IAM user are explicitly allowed to perform
--- the requested action. The passed policy cannot grant more permissions than
--- those that are defined in the IAM user policy. A typical use case is that
--- the permissions of the IAM user whose credentials are used to call
--- GetFederationToken are designed to allow access to all the actions and
--- resources that any federated user will need. Then, for individual users,
--- you pass a policy to the operation that scopes down the permissions to a
--- level that's appropriate to that individual user, using a policy that
--- allows only a subset of permissions that are granted to the IAM user. If
--- you do not pass a policy, the resulting temporary security credentials have
--- no effective permissions. The only exception is when the temporary security
--- credentials are used to access a resource that has a resource-based policy
--- that specifically allows the federated user to access the resource. For
--- more information about how permissions work, see Permissions for
--- GetFederationToken in Using Temporary Security Credentials. For information
--- about using GetFederationToken to create temporary security credentials,
--- see Creating Temporary Credentials to Enable Access for Federated Users in
--- Using Temporary Security Credentials.
+-- credentials on behalf of distributed applications inside a corporate network.
+-- Because you must call the 'GetFederationToken' action using the long-term
+-- security credentials of an IAM user, this call is appropriate in contexts
+-- where those credentials can be safely stored, usually in a server-based
+-- application.
 --
+-- Note: Do not use this call in mobile applications or client-based web
+-- applications that directly get temporary security credentials. For those
+-- types of applications, use 'AssumeRoleWithWebIdentity'.
+--
+-- The 'GetFederationToken' action must be called by using the long-term AWS
+-- security credentials of an IAM user. You can also call 'GetFederationToken'
+-- using the security credentials of an AWS account (root), but this is not
+-- recommended. Instead, we recommend that you create an IAM user for the
+-- purpose of the proxy application and then attach a policy to the IAM user
+-- that limits federated users to only the actions and resources they need
+-- access to. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices> in /Using IAM/.
+--
+-- The temporary security credentials that are obtained by using the long-term
+-- credentials of an IAM user are valid for the specified duration, between 900
+-- seconds (15 minutes) and 129600 seconds (36 hours). Temporary credentials
+-- that are obtained by using AWS account (root) credentials have a maximum
+-- duration of 3600 seconds (1 hour)
+--
+-- Permissions
+--
+-- The permissions for the temporary security credentials returned by 'GetFederationToken' are determined by a combination of the following:
+--
+-- The policy or policies that are attached to the IAM user whose credentials
+-- are used to call 'GetFederationToken'. The policy that is passed as a parameter
+-- in the call.  The passed policy is attached to the temporary security
+-- credentials that result from the 'GetFederationToken' API call--that is, to the /federated user/. When the federated user makes an AWS request, AWS evaluates
+-- the policy attached to the federated user in combination with the policy or
+-- policies attached to the IAM user whose credentials were used to call 'GetFederationToken'. AWS allows the federated user's request only when both the federated user /and/ the IAM user are explicitly allowed to perform the requested action. The
+-- passed policy cannot grant more permissions than those that are defined in
+-- the IAM user policy.
+--
+-- A typical use case is that the permissions of the IAM user whose credentials
+-- are used to call 'GetFederationToken' are designed to allow access to all the
+-- actions and resources that any federated user will need. Then, for individual
+-- users, you pass a policy to the operation that scopes down the permissions to
+-- a level that's appropriate to that individual user, using a policy that
+-- allows only a subset of permissions that are granted to the IAM user.
+--
+-- If you do not pass a policy, the resulting temporary security credentials
+-- have no effective permissions. The only exception is when the temporary
+-- security credentials are used to access a resource that has a resource-based
+-- policy that specifically allows the federated user to access the resource.
+--
+-- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/. For information
+-- about using 'GetFederationToken' to create temporary security credentials, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users> in /Using Temporary Security Credentials/.
+--
 -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html>
 module Network.AWS.STS.GetFederationToken
     (
@@ -122,41 +126,40 @@
     , _gftDurationSeconds = Nothing
     }
 
--- | The duration, in seconds, that the session should last. Acceptable
--- durations for federation sessions range from 900 seconds (15 minutes) to
--- 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default.
--- Sessions obtained using AWS account (root) credentials are restricted to
--- a maximum of 3600 seconds (one hour). If the specified duration is longer
--- than one hour, the session obtained by using AWS account (root)
--- credentials defaults to one hour.
+-- | The duration, in seconds, that the session should last. Acceptable durations
+-- for federation sessions range from 900 seconds (15 minutes) to 129600 seconds
+-- (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained
+-- using AWS account (root) credentials are restricted to a maximum of 3600
+-- seconds (one hour). If the specified duration is longer than one hour, the
+-- session obtained by using AWS account (root) credentials defaults to one
+-- hour.
 gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)
 gftDurationSeconds =
     lens _gftDurationSeconds (\s a -> s { _gftDurationSeconds = a })
         . mapping _Nat
 
 -- | The name of the federated user. The name is used as an identifier for the
--- temporary security credentials (such as Bob). For example, you can
--- reference the federated user name in a resource-based policy, such as in
--- an Amazon S3 bucket policy.
+-- temporary security credentials (such as 'Bob'). For example, you can reference
+-- the federated user name in a resource-based policy, such as in an Amazon S3
+-- bucket policy.
 gftName :: Lens' GetFederationToken Text
 gftName = lens _gftName (\s a -> s { _gftName = a })
 
--- | An IAM policy in JSON format that is passed with the GetFederationToken
--- call and evaluated along with the policy or policies that are attached to
--- the IAM user whose credentials are used to call GetFederationToken. The
--- passed policy is used to scope down the permissions that are available to
--- the IAM user, by allowing only a subset of the permissions that are
--- granted to the IAM user. The passed policy cannot grant more permissions
--- than those granted to the IAM user. The final permissions for the
--- federated user are the most restrictive set based on the intersection of
--- the passed policy and the IAM user policy. If you do not pass a policy,
--- the resulting temporary security credentials have no effective
--- permissions. The only exception is when the temporary security
--- credentials are used to access a resource that has a resource-based
--- policy that specifically allows the federated user to access the
--- resource. For more information about how permissions work, see
--- Permissions for GetFederationToken in Using Temporary Security
--- Credentials.
+-- | An IAM policy in JSON format that is passed with the 'GetFederationToken' call
+-- and evaluated along with the policy or policies that are attached to the IAM
+-- user whose credentials are used to call 'GetFederationToken'. The passed policy
+-- is used to scope down the permissions that are available to the IAM user, by
+-- allowing only a subset of the permissions that are granted to the IAM user.
+-- The passed policy cannot grant more permissions than those granted to the IAM
+-- user. The final permissions for the federated user are the most restrictive
+-- set based on the intersection of the passed policy and the IAM user policy.
+--
+-- If you do not pass a policy, the resulting temporary security credentials
+-- have no effective permissions. The only exception is when the temporary
+-- security credentials are used to access a resource that has a resource-based
+-- policy that specifically allows the federated user to access the resource.
+--
+-- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/.
 gftPolicy :: Lens' GetFederationToken (Maybe Text)
 gftPolicy = lens _gftPolicy (\s a -> s { _gftPolicy = a })
 
@@ -187,10 +190,8 @@
 gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
 gftrCredentials = lens _gftrCredentials (\s a -> s { _gftrCredentials = a })
 
--- | Identifiers for the federated user associated with the credentials (such
--- as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
--- can use the federated user's ARN in your resource-based policies, such as
--- an Amazon S3 bucket policy.
+-- | Identifiers for the federated user associated with the credentials (such as 'arn:aws:sts::123456789012:federated-user/Bob' or '123456789012:Bob'). You can use the federated user's ARN in your
+-- resource-based policies, such as an Amazon S3 bucket policy.
 gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
 gftrFederatedUser =
     lens _gftrFederatedUser (\s a -> s { _gftrFederatedUser = a })
diff --git a/gen/Network/AWS/STS/GetSessionToken.hs b/gen/Network/AWS/STS/GetSessionToken.hs
--- a/gen/Network/AWS/STS/GetSessionToken.hs
+++ b/gen/Network/AWS/STS/GetSessionToken.hs
@@ -21,28 +21,32 @@
 -- Portability : non-portable (GHC extensions)
 
 -- | Returns a set of temporary credentials for an AWS account or IAM user. The
--- credentials consist of an access key ID, a secret access key, and a
--- security token. Typically, you use GetSessionToken if you want to use MFA
--- to protect programmatic calls to specific AWS APIs like Amazon EC2
--- StopInstances. MFA-enabled IAM users would need to call GetSessionToken and
--- submit an MFA code that is associated with their MFA device. Using the
--- temporary security credentials that are returned from the call, IAM users
--- can then make programmatic calls to APIs that require MFA authentication.
--- The GetSessionToken action must be called by using the long-term AWS
--- security credentials of the AWS account or an IAM user. Credentials that
--- are created by IAM users are valid for the duration that you specify,
--- between 900 seconds (15 minutes) and 129600 seconds (36 hours); credentials
--- that are created by using account credentials have a maximum duration of
--- 3600 seconds (1 hour). The permissions associated with the temporary
--- security credentials returned by GetSessionToken are based on the
--- permissions associated with account or IAM user whose credentials are used
--- to call the action. If GetSessionToken is called using root account
--- credentials, the temporary credentials have root account permissions.
--- Similarly, if GetSessionToken is called using the credentials of an IAM
--- user, the temporary credentials have the same permissions as the IAM user.
--- For more information about using GetSessionToken to create temporary
+-- credentials consist of an access key ID, a secret access key, and a security
+-- token. Typically, you use 'GetSessionToken' if you want to use MFA to protect
+-- programmatic calls to specific AWS APIs like Amazon EC2 'StopInstances'.
+-- MFA-enabled IAM users would need to call 'GetSessionToken' and submit an MFA
+-- code that is associated with their MFA device. Using the temporary security
+-- credentials that are returned from the call, IAM users can then make
+-- programmatic calls to APIs that require MFA authentication.
+--
+-- The 'GetSessionToken' action must be called by using the long-term AWS
+-- security credentials of the AWS account or an IAM user. Credentials that are
+-- created by IAM users are valid for the duration that you specify, between 900
+-- seconds (15 minutes) and 129600 seconds (36 hours); credentials that are
+-- created by using account credentials have a maximum duration of 3600 seconds
+-- (1 hour).
+--
+-- The permissions associated with the temporary security credentials returned
+-- by 'GetSessionToken' are based on the permissions associated with account or
+-- IAM user whose credentials are used to call the action. If 'GetSessionToken' is
+-- called using root account credentials, the temporary credentials have root
+-- account permissions. Similarly, if 'GetSessionToken' is called using the
+-- credentials of an IAM user, the temporary credentials have the same
+-- permissions as the IAM user.
+--
+-- For more information about using 'GetSessionToken' to create temporary
 -- credentials, go to Creating Temporary Credentials to Enable Access for IAM
--- Users in Using Temporary Security Credentials.
+-- Users in /Using Temporary Security Credentials/.
 --
 -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html>
 module Network.AWS.STS.GetSessionToken
@@ -94,31 +98,29 @@
 
 -- | The duration, in seconds, that the credentials should remain valid.
 -- Acceptable durations for IAM user sessions range from 900 seconds (15
--- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as
--- the default. Sessions for AWS account owners are restricted to a maximum
--- of 3600 seconds (one hour). If the duration is longer than one hour, the
--- session for AWS account owners defaults to one hour.
+-- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
+-- default. Sessions for AWS account owners are restricted to a maximum of 3600
+-- seconds (one hour). If the duration is longer than one hour, the session for
+-- AWS account owners defaults to one hour.
 gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)
 gstDurationSeconds =
     lens _gstDurationSeconds (\s a -> s { _gstDurationSeconds = a })
         . mapping _Nat
 
--- | The identification number of the MFA device that is associated with the
--- IAM user who is making the GetSessionToken call. Specify this value if
--- the IAM user has a policy that requires MFA authentication. The value is
--- either the serial number for a hardware device (such as GAHT12345678) or
--- an Amazon Resource Name (ARN) for a virtual device (such as
--- arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM
--- user by going to the AWS Management Console and viewing the user's
--- security credentials.
+-- | The identification number of the MFA device that is associated with the IAM
+-- user who is making the 'GetSessionToken' call. Specify this value if the IAM
+-- user has a policy that requires MFA authentication. The value is either the
+-- serial number for a hardware device (such as 'GAHT12345678') or an Amazon
+-- Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user'). You can find the device for an IAM user by going to the AWS Management
+-- Console and viewing the user's security credentials.
 gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
 gstSerialNumber = lens _gstSerialNumber (\s a -> s { _gstSerialNumber = a })
 
 -- | The value provided by the MFA device, if MFA is required. If any policy
 -- requires the IAM user to submit an MFA code, specify this value. If MFA
 -- authentication is required, and the user does not provide a code when
--- requesting a set of temporary security credentials, the user will receive
--- an "access denied" response when requesting resources that require MFA
+-- requesting a set of temporary security credentials, the user will receive an
+-- "access denied" response when requesting resources that require MFA
 -- authentication.
 gstTokenCode :: Lens' GetSessionToken (Maybe Text)
 gstTokenCode = lens _gstTokenCode (\s a -> s { _gstTokenCode = a })
diff --git a/gen/Network/AWS/STS/Types.hs b/gen/Network/AWS/STS/Types.hs
--- a/gen/Network/AWS/STS/Types.hs
+++ b/gen/Network/AWS/STS/Types.hs
@@ -78,7 +78,7 @@
 
 data Credentials = Credentials
     { _cAccessKeyId     :: Text
-    , _cExpiration      :: RFC822
+    , _cExpiration      :: ISO8601
     , _cSecretAccessKey :: Text
     , _cSessionToken    :: Text
     } deriving (Eq, Ord, Show)
@@ -161,8 +161,8 @@
     }
 
 -- | The ARN that specifies the federated user that is associated with the
--- credentials. For more information about ARNs and how to use them in
--- policies, see Identifiers for IAM Entities in Using IAM.
+-- credentials. For more information about ARNs and how to use them in policies,
+-- see Identifiers for IAM Entities in /Using IAM/.
 fuArn :: Lens' FederatedUser Text
 fuArn = lens _fuArn (\s a -> s { _fuArn = a })
 
@@ -204,15 +204,14 @@
     , _aruArn           = p2
     }
 
--- | The ARN of the temporary security credentials that are returned from the
--- AssumeRole action. For more information about ARNs and how to use them in
--- policies, see Identifiers for IAM Entities in Using IAM.
+-- | The ARN of the temporary security credentials that are returned from the 'AssumeRole' action. For more information about ARNs and how to use them in policies, see
+-- Identifiers for IAM Entities  in /Using IAM/.
 aruArn :: Lens' AssumedRoleUser Text
 aruArn = lens _aruArn (\s a -> s { _aruArn = a })
 
--- | A unique identifier that contains the role ID and the role session name
--- of the role that is being assumed. The role ID is generated by AWS when
--- the role is created.
+-- | A unique identifier that contains the role ID and the role session name of
+-- the role that is being assumed. The role ID is generated by AWS when the role
+-- is created.
 aruAssumedRoleId :: Lens' AssumedRoleUser Text
 aruAssumedRoleId = lens _aruAssumedRoleId (\s a -> s { _aruAssumedRoleId = a })
 
