diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 
 ## Version
 
-`1.3.5`
+`1.3.6`
 
 
 ## Description
@@ -20,7 +20,7 @@
 Access Management (IAM) users or for users that you authenticate
 (federated users). This guide provides descriptions of the STS API. For
 more detailed information about using this service, go to
-<http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.
+<http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html Temporary Security Credentials>.
 
 As an alternative to using the API, you can use one of the AWS SDKs,
 which consist of libraries and sample code for various programming
@@ -39,8 +39,8 @@
 <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>
 in /Using IAM/. For information about using security tokens with other
 AWS products, go to
-<http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>
-in /Using Temporary Security Credentials/.
+<http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS Services That Work with IAM>
+in the /Using IAM/.
 
 If you\'re new to AWS and need additional technical information about a
 specific AWS product, you can find the product\'s technical
@@ -53,8 +53,8 @@
 region. Additional regions are available, but must first be activated in
 the AWS Management Console before you can use a different region\'s
 endpoint. For more information about activating a region for STS see
-<http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>
-in the /Using Temporary Security Credentials/ guide.
+<http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating STS in a New Region>
+in the /Using IAM/.
 
 For information about STS endpoints, see
 <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
diff --git a/amazonka-sts.cabal b/amazonka-sts.cabal
--- a/amazonka-sts.cabal
+++ b/amazonka-sts.cabal
@@ -1,5 +1,5 @@
 name:                  amazonka-sts
-version:               1.3.5
+version:               1.3.6
 synopsis:              Amazon Security Token Service SDK.
 homepage:              https://github.com/brendanhay/amazonka
 bug-reports:           https://github.com/brendanhay/amazonka/issues
@@ -20,7 +20,7 @@
     Access Management (IAM) users or for users that you authenticate
     (federated users). This guide provides descriptions of the STS API. For
     more detailed information about using this service, go to
-    <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.
+    <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html Temporary Security Credentials>.
 
     As an alternative to using the API, you can use one of the AWS SDKs,
     which consist of libraries and sample code for various programming
@@ -39,8 +39,8 @@
     <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>
     in /Using IAM/. For information about using security tokens with other
     AWS products, go to
-    <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>
-    in /Using Temporary Security Credentials/.
+    <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS Services That Work with IAM>
+    in the /Using IAM/.
 
     If you\'re new to AWS and need additional technical information about a
     specific AWS product, you can find the product\'s technical
@@ -53,8 +53,8 @@
     region. Additional regions are available, but must first be activated in
     the AWS Management Console before you can use a different region\'s
     endpoint. For more information about activating a region for STS see
-    <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>
-    in the /Using Temporary Security Credentials/ guide.
+    <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating STS in a New Region>
+    in the /Using IAM/.
 
     For information about STS endpoints, see
     <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
@@ -110,7 +110,7 @@
         , Network.AWS.STS.Types.Sum
 
     build-depends:
-          amazonka-core == 1.3.5.*
+          amazonka-core == 1.3.6.*
         , base          >= 4.7     && < 5
 
 test-suite amazonka-sts-test
@@ -130,9 +130,9 @@
         , Test.AWS.STS.Internal
 
     build-depends:
-          amazonka-core == 1.3.5.*
-        , amazonka-test == 1.3.5.*
-        , amazonka-sts == 1.3.5.*
+          amazonka-core == 1.3.6.*
+        , amazonka-test == 1.3.6.*
+        , amazonka-sts == 1.3.6.*
         , base
         , bytestring
         , lens
diff --git a/gen/Network/AWS/STS.hs b/gen/Network/AWS/STS.hs
--- a/gen/Network/AWS/STS.hs
+++ b/gen/Network/AWS/STS.hs
@@ -18,7 +18,7 @@
 -- Access Management (IAM) users or for users that you authenticate
 -- (federated users). This guide provides descriptions of the STS API. For
 -- more detailed information about using this service, go to
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html Temporary Security Credentials>.
 --
 -- As an alternative to using the API, you can use one of the AWS SDKs,
 -- which consist of libraries and sample code for various programming
@@ -37,8 +37,8 @@
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>
 -- in /Using IAM/. For information about using security tokens with other
 -- AWS products, go to
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>
--- in /Using Temporary Security Credentials/.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS Services That Work with IAM>
+-- in the /Using IAM/.
 --
 -- If you\'re new to AWS and need additional technical information about a
 -- specific AWS product, you can find the product\'s technical
@@ -51,8 +51,8 @@
 -- region. Additional regions are available, but must first be activated in
 -- the AWS Management Console before you can use a different region\'s
 -- endpoint. For more information about activating a region for STS see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>
--- in the /Using Temporary Security Credentials/ guide.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating STS in a New Region>
+-- in the /Using IAM/.
 --
 -- For information about STS endpoints, see
 -- <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
diff --git a/gen/Network/AWS/STS/AssumeRole.hs b/gen/Network/AWS/STS/AssumeRole.hs
--- a/gen/Network/AWS/STS/AssumeRole.hs
+++ b/gen/Network/AWS/STS/AssumeRole.hs
@@ -36,7 +36,7 @@
 -- to access all the other accounts by assuming roles in those accounts.
 -- For more information about roles, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html IAM Roles (Delegation and Federation)>
--- in /Using IAM/.
+-- in the /Using IAM/.
 --
 -- For federation, you can, for example, grant single sign-on access to the
 -- AWS Management Console. If you already have an identity and
@@ -47,8 +47,8 @@
 -- get temporary security credentials for that user. With those temporary
 -- security credentials, you construct a sign-in URL that users can use to
 -- access the console. For more information, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios for Granting Temporary Access>
--- in /Using Temporary Security Credentials/.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction Common Scenarios for Temporary Credentials>
+-- in the /Using IAM/.
 --
 -- The temporary security credentials are valid for the duration that you
 -- specified when calling 'AssumeRole', which can be from 900 seconds (15
@@ -66,8 +66,8 @@
 -- policy to grant permissions that are in excess of those allowed by the
 -- access policy of the role that is being assumed. For more information,
 -- see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
--- in /Using Temporary Security Credentials/.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
+-- in the /Using IAM/.
 --
 -- To assume a role, your AWS account must be trusted by the role. The
 -- trust relationship is defined in the role\'s trust policy when the role
@@ -90,7 +90,7 @@
 --
 -- For more information, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access>
--- in /Using IAM/ guide.
+-- in the /Using IAM/ guide.
 --
 -- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and
 -- 'TokenCode' parameters. The 'SerialNumber' value identifies the user\'s
@@ -195,8 +195,8 @@
 -- security credentials. You cannot use the passed policy to grant
 -- permissions that are in excess of those allowed by the access policy of
 -- the role that is being assumed. For more information, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
--- in /Using Temporary Security Credentials/.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
+-- in the /Using IAM/.
 --
 -- The policy plain text must be 2048 bytes or shorter. However, an
 -- internal conversion compresses it into a packed binary format with a
@@ -214,8 +214,8 @@
 -- external ID. The external ID is useful in order to help third parties
 -- bind a role to the customer who created it. For more information about
 -- the external ID, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-delegating-externalid.html How to Use External ID When Granting Access to Your AWS Resources>
--- in /Using Temporary Security Credentials/.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your AWS Resources to a Third Party>
+-- in the /Using IAM/.
 arExternalId :: Lens' AssumeRole (Maybe Text)
 arExternalId = lens _arExternalId (\ s a -> s{_arExternalId = a});
 
diff --git a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
@@ -47,8 +47,8 @@
 -- policy to grant permissions that are in excess of those allowed by the
 -- access policy of the role that is being assumed. For more information,
 -- see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>
--- in /Using Temporary Security Credentials/.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
+-- in the /Using IAM/.
 --
 -- Before your application can call 'AssumeRoleWithSAML', you must
 -- configure your SAML identity provider (IdP) to issue the claims required
@@ -64,13 +64,14 @@
 --
 -- For more information, see the following resources:
 --
--- -   <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation>.
--- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers>
---     in /Using IAM/.
--- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Claims>
---     in /Using IAM/.
--- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-Based Federation>
---     in /Using IAM/.
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html About SAML 2.0-based Federation>
+--     in the /Using IAM/.
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html Creating SAML Identity Providers>
+--     in the /Using IAM/.
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html Configuring a Relying Party and Claims>
+--     in the /Using IAM/.
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html Creating a Role for SAML 2.0 Federation>
+--     in the /Using IAM/.
 --
 -- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html AWS API Reference> for AssumeRoleWithSAML.
 module Network.AWS.STS.AssumeRoleWithSAML
@@ -162,9 +163,9 @@
 -- way to further restrict the permissions for the resulting temporary
 -- security credentials. You cannot use the passed policy to grant
 -- permissions that are in excess of those allowed by the access policy of
--- the role that is being assumed. For more information, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>
--- in /Using Temporary Security Credentials/.
+-- the role that is being assumed. For more information,
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
+-- in the /Using IAM/.
 --
 -- The policy plain text must be 2048 bytes or shorter. However, an
 -- internal conversion compresses it into a packed binary format with a
diff --git a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
@@ -64,7 +64,8 @@
 -- policy to grant permissions that are in excess of those allowed by the
 -- access policy of the role that is being assumed. For more information,
 -- see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
+-- in the /Using IAM/.
 --
 -- Before your application can call 'AssumeRoleWithWebIdentity', you must
 -- have an identity token from a supported identity provider and create a
@@ -76,9 +77,9 @@
 -- For more information about how to use web identity federation and the
 -- 'AssumeRoleWithWebIdentity' API, see the following resources:
 --
--- -   <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider Creating a Mobile Application with Third-Party Sign-In>
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual Using Web Identity Federation APIs for Mobile Apps>
 --     and
---     <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Third-Party Identity Providers>.
+--     <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider>.
 -- -   <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity Federation Playground>.
 --     This interactive website lets you walk through the process of
 --     authenticating via Login with Amazon, Facebook, or Google, getting
@@ -195,7 +196,8 @@
 -- security credentials. You cannot use the passed policy to grant
 -- permissions that are in excess of those allowed by the access policy of
 -- the role that is being assumed. For more information, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRoleWithWebIdentity>
+-- in the /Using IAM/.
 --
 -- The policy plain text must be 2048 bytes or shorter. However, an
 -- internal conversion compresses it into a packed binary format with a
diff --git a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
--- a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
+++ b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
@@ -41,8 +41,8 @@
 --
 -- -   Whether the request was denied due to an explicit deny or due to the
 --     absence of an explicit allow. For more information, see
---     <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied>
---     in /Using IAM/.
+--     <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied>
+--     in the /Using IAM/.
 -- -   The principal who made the request.
 -- -   The requested action.
 -- -   The requested resource.
diff --git a/gen/Network/AWS/STS/GetFederationToken.hs b/gen/Network/AWS/STS/GetFederationToken.hs
--- a/gen/Network/AWS/STS/GetFederationToken.hs
+++ b/gen/Network/AWS/STS/GetFederationToken.hs
@@ -32,7 +32,7 @@
 -- Facebook, Google, or an OpenID Connect-compatible identity provider, we
 -- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito>
 -- or 'AssumeRoleWithWebIdentity'. For more information, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Identity Providers>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider>.
 --
 -- The 'GetFederationToken' action must be called by using the long-term
 -- AWS security credentials of an IAM user. You can also call
@@ -41,8 +41,8 @@
 -- create an IAM user for the purpose of the proxy application and then
 -- attach a policy to the IAM user that limits federated users to only the
 -- actions and resources they need access to. For more information, see
--- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices>
--- in /Using IAM/.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IAM Best Practices>
+-- in the /Using IAM/.
 --
 -- The temporary security credentials that are obtained by using the
 -- long-term credentials of an IAM user are valid for the specified
@@ -85,10 +85,10 @@
 -- to access the resource.
 --
 -- For more information about how permissions work, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html Permissions for GetFederationToken>.
 -- For information about using 'GetFederationToken' to create temporary
 -- security credentials, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken GetFederationToken—Federation Through a Custom Identity Broker>.
 --
 -- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html AWS API Reference> for GetFederationToken.
 module Network.AWS.STS.GetFederationToken
@@ -177,7 +177,7 @@
 -- equaling the maximum allowed size.
 --
 -- For more information about how permissions work, see
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html Permissions for GetFederationToken>.
 gftPolicy :: Lens' GetFederationToken (Maybe Text)
 gftPolicy = lens _gftPolicy (\ s a -> s{_gftPolicy = a});
 
diff --git a/gen/Network/AWS/STS/GetSessionToken.hs b/gen/Network/AWS/STS/GetSessionToken.hs
--- a/gen/Network/AWS/STS/GetSessionToken.hs
+++ b/gen/Network/AWS/STS/GetSessionToken.hs
@@ -26,7 +26,8 @@
 -- 'GetSessionToken' and submit an MFA code that is associated with their
 -- MFA device. Using the temporary security credentials that are returned
 -- from the call, IAM users can then make programmatic calls to APIs that
--- require MFA authentication.
+-- require MFA authentication. If you do not supply a correct MFA code,
+-- then the API returns an access denied error.
 --
 -- The 'GetSessionToken' action must be called by using the long-term AWS
 -- security credentials of the AWS account or an IAM user. Credentials that
@@ -37,7 +38,7 @@
 --
 -- We recommend that you do not call 'GetSessionToken' with root account
 -- credentials. Instead, follow our
--- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices>
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users best practices>
 -- by creating one or more IAM users, giving them the necessary
 -- permissions, and using IAM users for everyday interaction with AWS.
 --
@@ -51,7 +52,8 @@
 --
 -- For more information about using 'GetSessionToken' to create temporary
 -- credentials, go to
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html Creating Temporary Credentials to Enable Access for IAM Users>.
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken Temporary Credentials for Users in Untrusted Environments>
+-- in the /Using IAM/.
 --
 -- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html AWS API Reference> for GetSessionToken.
 module Network.AWS.STS.GetSessionToken
