diff --git a/.changelog/19702.txt b/.changelog/19702.txt
new file mode 100644
index 00000000000..dedfe075e98
--- /dev/null
+++ b/.changelog/19702.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_cognito_user_pool_client: Add plan time validation for `id_token_validity` and `access_token_validity`.
+```
+
+```release-note:bug
+resource/aws_cognito_user_pool_client: Fix plan time validation for `refresh_token_validity`
+```
\ No newline at end of file
diff --git a/aws/resource_aws_cognito_user_pool_client.go b/aws/resource_aws_cognito_user_pool_client.go
index 49a98fc2b7c..02938c6bcb4 100644
--- a/aws/resource_aws_cognito_user_pool_client.go
+++ b/aws/resource_aws_cognito_user_pool_client.go
@@ -26,8 +26,9 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
 // https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html
 Schema: map[string]*schema.Schema{
 "access_token_validity": {
- Type: schema.TypeInt,
- Optional: true,
+ Type: schema.TypeInt,
+ Optional: true,
+ ValidateFunc: validation.IntBetween(0, 86400),
 },
 "allowed_oauth_flows": {
 Type: schema.TypeSet,
@@ -133,8 +134,9 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
 ForceNew: true,
 },
 "id_token_validity": {
- Type: schema.TypeInt,
- Optional: true,
+ Type: schema.TypeInt,
+ Optional: true,
+ ValidateFunc: validation.IntBetween(0, 86400),
 },
 "logout_urls": {
 Type: schema.TypeSet,
@@ -175,7 +177,7 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
 Type: schema.TypeInt,
 Optional: true,
 Default: 30,
- ValidateFunc: validation.IntBetween(0, 3650),
+ ValidateFunc: validation.IntBetween(0, 315360000),
 },
 "supported_identity_providers": {
 Type: schema.TypeSet,
diff --git a/aws/resource_aws_cognito_user_pool_client_test.go b/aws/resource_aws_cognito_user_pool_client_test.go
index 20b0d914838..2b69f9d3e0f 100644
--- a/aws/resource_aws_cognito_user_pool_client_test.go
+++ b/aws/resource_aws_cognito_user_pool_client_test.go
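Review bot: The new `ValidateFunc: validation.IntBetween(0, 86400)` on `access_token_validity` in aws/resource_aws_cognito_user_pool_client.go is unit-blind, and the same holds for the `id_token_validity` hunk and the widened `refresh_token_validity` bound of 315360000. These ranges look like the API limits expressed in seconds, so if the resource's `token_validity_units` block (not visible in these hunks) selects hours or days, a number that passes plan can still be rejected at apply, or can presumably be accepted as a much longer token lifetime than the author intended. Token lifetime is a security-relevant setting, so I would document the limitation on each of the three fields, e.g. `// Bound is the API maximum in seconds; the effective lifetime depends on token_validity_units.`, and consider a cross-field check in a `CustomizeDiff` that validates the value against the configured unit. The lower bound of 0 on the access and ID token fields is also worth confirming against the API reference linked at the top of the schema. The enclosing function starts and ends outside these hunks.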
@@ -761,15 +761,15 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} resource "aws_cognito_user_pool" "test" { - name = "%[1]s" + name = %[1]q } resource "aws_pinpoint_app" "test" { - name = "%[2]s" + name = %[2]q } resource "aws_iam_role" "test" { - name = "%[2]s" + name = %[2]q assume_role_policy = <