diff --git a/amazonka-sts.cabal b/amazonka-sts.cabal
--- a/amazonka-sts.cabal
+++ b/amazonka-sts.cabal
@@ -1,5 +1,5 @@
 name:                  amazonka-sts
-version:               0.3.4
+version:               0.3.5
 synopsis:              Amazon Security Token Service SDK.
 homepage:              https://github.com/brendanhay/amazonka
 license:               OtherLicense
@@ -46,5 +46,5 @@
     other-modules:
 
     build-depends:
-          amazonka-core == 0.3.4.*
+          amazonka-core == 0.3.5.*
         , base          >= 4.7     && < 5
diff --git a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
@@ -31,20 +31,22 @@
 -- access key ID, a secret access key, and a security token. Applications can
 -- use these temporary security credentials to sign calls to AWS services. The
 -- credentials are valid for the duration that you specified when calling 'AssumeRoleWithSAML', which can be up to 3600 seconds (1 hour) or until the time specified in the
--- SAML authentication response's 'NotOnOrAfter' value, whichever is shorter.
+-- SAML authentication response's 'SessionNotOnOrAfter' value, whichever is
+-- shorter.
 --
--- Optionally, you can pass an IAM access policy to this operation. If you
--- choose not to pass a policy, the temporary security credentials that are
--- returned by the operation have the permissions that are defined in the access
--- policy of the role that is being assumed. If you pass a policy to this
--- operation, the temporary security credentials that are returned by the
--- operation have the permissions that are allowed by both the access policy of
--- the role that is being assumed, /and/ the policy that you pass. This gives you
--- a way to further restrict the permissions for the resulting temporary
--- security credentials. You cannot use the passed policy to grant permissions
--- that are in excess of those allowed by the access policy of the role that is
--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>
--- in /Using Temporary Security Credentials/.
+-- The maximum duration for a session is 1 hour, and the minimum duration is 15
+-- minutes, even if values outside this range are specified.  Optionally, you
+-- can pass an IAM access policy to this operation. If you choose not to pass a
+-- policy, the temporary security credentials that are returned by the operation
+-- have the permissions that are defined in the access policy of the role that
+-- is being assumed. If you pass a policy to this operation, the temporary
+-- security credentials that are returned by the operation have the permissions
+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
+-- permissions for the resulting temporary security credentials. You cannot use
+-- the passed policy to grant permissions that are in excess of those allowed by
+-- the access policy of the role that is being assumed. For more information,
+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/
+-- .
 --
 -- Before your application can call 'AssumeRoleWithSAML', you must configure your
 -- SAML identity provider (IdP) to issue the claims required by AWS.
@@ -133,8 +135,11 @@
 -- | The duration, in seconds, of the role session. The value can range from 900
 -- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
 -- to 3600 seconds. An expiration can also be specified in the SAML
--- authentication response's 'NotOnOrAfter' value. The actual expiration time is
--- whichever value is shorter.
+-- authentication response's 'SessionNotOnOrAfter' value. The actual expiration
+-- time is whichever value is shorter.
+--
+-- The maximum duration for a session is 1 hour, and the minimum duration is 15
+-- minutes, even if values outside this range are specified.
 arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)
 arwsamlDurationSeconds =
     lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })
@@ -150,6 +155,9 @@
 -- the access policy of the role that is being assumed. For more information,
 -- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/
 -- .
+--
+-- The policy must be 2048 bytes or shorter, and its packed size must be less
+-- than 450 bytes.
 arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)
 arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })
 
diff --git a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
@@ -24,8 +24,16 @@
 
 -- | Returns a set of temporary security credentials for users who have been
 -- authenticated in a mobile or web application with a web identity provider,
--- such as Login with Amazon, Amazon Cognito, Facebook, or Google.
+-- such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID
+-- Connect-compatible identity provider.
 --
+-- For mobile applications, we recommend that you use Amazon Cognito. You can
+-- use Amazon Cognito with the <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to
+-- uniquely identify a user and supply the user with a consistent identity
+-- throughout the lifetime of an application.
+--
+-- To learn more about Amazon Cognito, see <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview> in the /AWSSDK for Android Developer Guide/ guide and <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview> in the /AWSSDK for iOS Developer Guide/.
+--
 -- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS security
 -- credentials. Therefore, you can distribute an application (for example, on
 -- mobile devices) that requests temporary security credentials without
@@ -58,18 +66,15 @@
 -- identity provider that is associated with the identity token. In other words,
 -- the identity provider must be specified in the role's trust policy.
 --
--- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity', see the following resources:
+-- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity' API, see the following resources:
 --
--- Creating a Mobile Application with Third-Party Sign-In and  Creating
--- Temporary Security Credentials for Mobile Apps Using Third-Party Identity
--- Providers in /Using Temporary Security Credentials/.    Web Identity Federation
--- Playground. This interactive website lets you walk through the process of
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider  Creating a Mobile Application with Third-Party Sign-In> and <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html  CreatingTemporary Security Credentials for Mobile Apps Using Third-Party IdentityProviders> in /Using Temporary Security Credentials/.   <https://web-identity-federation-playground.s3.amazonaws.com/index.html  Web Identity FederationPlayground>. This interactive website lets you walk through the process of
 -- authenticating via Login with Amazon, Facebook, or Google, getting temporary
 -- security credentials, and then using those credentials to make a request to
--- AWS.   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and AWS SDK for Android. These toolkits contain sample
+-- AWS.   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These toolkits contain sample
 -- apps that show how to invoke the identity providers, and then how to use the
 -- information from these providers to get and use temporary security
--- credentials.   Web Identity Federation with Mobile Applications. This article
+-- credentials.   <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>. This article
 -- discusses web identity federation and shows an example of how to use web
 -- identity federation to get access to content in Amazon S3.
 --
@@ -164,10 +169,14 @@
 arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
 arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a })
 
--- | The fully-qualified host component of the domain name of the identity
--- provider. Specify this value only for OAuth access tokens. Do not specify
--- this value for OpenID Connect ID tokens, such as 'accounts.google.com'. Do not
--- include URL schemes and port numbers. Currently, 'www.amazon.com' and 'graph.facebook.com' are supported.
+-- | The fully qualified host component of the domain name of the identity
+-- provider.
+--
+-- Specify this value only for OAuth 2.0 access tokens. Currently 'www.amazon.com'
+-- and 'graph.facebook.com' are the only supported identity providers for OAuth
+-- 2.0 access tokens. Do not include URL schemes and port numbers.
+--
+-- Do not specify this value for OpenID Connect ID tokens.
 arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
 arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a })
 
@@ -236,9 +245,9 @@
 arwwirAssumedRoleUser =
     lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a })
 
--- | The intended audience of the web identity token. This is traditionally the
--- client identifier issued to the application that requested the web identity
--- token.
+-- | The intended audience (also known as client ID) of the web identity token.
+-- This is traditionally the client identifier issued to the application that
+-- requested the web identity token.
 arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
 arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a })
 
@@ -258,7 +267,7 @@
 
 -- | The issuing authority of the web identity token presented. For OpenID
 -- Connect ID Tokens this contains the value of the 'iss' field. For OAuth 2.0
--- Access Tokens, this contains the value of the 'ProviderId' parameter that was
+-- access tokens, this contains the value of the 'ProviderId' parameter that was
 -- passed in the 'AssumeRoleWithWebIdentity' request.
 arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
 arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })
@@ -267,8 +276,8 @@
 -- identifier is associated with the 'WebIdentityToken' that was submitted with
 -- the 'AssumeRoleWithWebIdentity' call. The identifier is typically unique to the
 -- user and the application that acquired the 'WebIdentityToken' (pairwise
--- identifier). If an OpenID Connect ID token was submitted in the 'WebIdentityToken', this value is returned by the identity provider as the token's 'sub'
--- (Subject) claim.
+-- identifier). For OpenID Connect ID tokens, this field contains the value
+-- returned by the identity provider as the token's 'sub' (Subject) claim.
 arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
 arwwirSubjectFromWebIdentityToken =
     lens _arwwirSubjectFromWebIdentityToken
diff --git a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
--- a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
+++ b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
@@ -30,10 +30,13 @@
 -- (an HTTP 403 response). Some AWS actions additionally return an encoded
 -- message that can provide details about this authorization failure.
 --
--- The message is encoded because the details of the authorization status can
--- constitute privileged information that the user who requested the action
--- should not see. To decode an authorization status message, a user must be
--- granted permissions via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.
+-- Only certain AWS actions return an encoded authorization message. The
+-- documentation for an individual action indicates whether that action returns
+-- an encoded message in addition to returning an HTTP code.  The message is
+-- encoded because the details of the authorization status can constitute
+-- privileged information that the user who requested the action should not see.
+-- To decode an authorization status message, a user must be granted permissions
+-- via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.
 --
 -- The decoded message includes the following type of information:
 --
diff --git a/gen/Network/AWS/STS/GetFederationToken.hs b/gen/Network/AWS/STS/GetFederationToken.hs
--- a/gen/Network/AWS/STS/GetFederationToken.hs
+++ b/gen/Network/AWS/STS/GetFederationToken.hs
@@ -31,9 +31,11 @@
 -- where those credentials can be safely stored, usually in a server-based
 -- application.
 --
--- Note: Do not use this call in mobile applications or client-based web
--- applications that directly get temporary security credentials. For those
--- types of applications, use 'AssumeRoleWithWebIdentity'.
+-- If you are creating a mobile-based or browser-based app that can
+-- authenticate users using a web identity provider like Login with Amazon,
+-- Facebook, Google, or an OpenID Connect-compatible identity provider, we
+-- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito> or 'AssumeRoleWithWebIdentity'. For more
+-- information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile AppsUsing Identity Providers> in /Using Temporary Security Credentials/.
 --
 -- The 'GetFederationToken' action must be called by using the long-term AWS
 -- security credentials of an IAM user. You can also call 'GetFederationToken'
diff --git a/gen/Network/AWS/STS/GetSessionToken.hs b/gen/Network/AWS/STS/GetSessionToken.hs
--- a/gen/Network/AWS/STS/GetSessionToken.hs
+++ b/gen/Network/AWS/STS/GetSessionToken.hs
@@ -38,6 +38,11 @@
 -- created by using account credentials have a maximum duration of 3600 seconds
 -- (1 hour).
 --
+-- We recommend that you do not call 'GetSessionToken' with root account
+-- credentials. Instead, follow our <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices> by creating one or more IAM
+-- users, giving them the necessary permissions, and using IAM users for
+-- everyday interaction with AWS.
+--
 -- The permissions associated with the temporary security credentials returned
 -- by 'GetSessionToken' are based on the permissions associated with account or
 -- IAM user whose credentials are used to call the action. If 'GetSessionToken' is
diff --git a/gen/Network/AWS/STS/Types.hs b/gen/Network/AWS/STS/Types.hs
--- a/gen/Network/AWS/STS/Types.hs
+++ b/gen/Network/AWS/STS/Types.hs
@@ -93,7 +93,7 @@
               -> RESTError
               -> Bool
         check (statusCode -> s) (awsErrorCode -> e)
-            | s == 400 && "Throttling" == e = True -- Throttling
+            | s == 400 && (Just "Throttling") == e = True -- Throttling
             | s == 500  = True -- General Server Error
             | s == 509  = True -- Limit Exceeded
             | s == 503  = True -- Service Unavailable
