aws-sdk-ec2 1.489.0 → 1.491.0

data/lib/aws-sdk-ec2/client.rb

@@ -6267,6 +6267,7 @@ module Aws::EC2
     #   resp.subnet.private_dns_name_options_on_launch.hostname_type #=> String, one of "ip-name", "resource-name"
     #   resp.subnet.private_dns_name_options_on_launch.enable_resource_name_dns_a_record #=> Boolean
     #   resp.subnet.private_dns_name_options_on_launch.enable_resource_name_dns_aaaa_record #=> Boolean
+    #   resp.subnet.block_public_access_states.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
     #   resp.subnet.subnet_id #=> String
     #   resp.subnet.state #=> String, one of "pending", "available", "unavailable"
     #   resp.subnet.vpc_id #=> String
@@ -6336,6 +6337,7 @@ module Aws::EC2
     #   resp.vpc.tags #=> Array
     #   resp.vpc.tags[0].key #=> String
     #   resp.vpc.tags[0].value #=> String
+    #   resp.vpc.block_public_access_states.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
     #   resp.vpc.vpc_id #=> String
     #   resp.vpc.state #=> String, one of "pending", "available"
     #   resp.vpc.cidr_block #=> String
@@ -8591,6 +8593,9 @@ module Aws::EC2
     # @option params [required, Types::RequestLaunchTemplateData] :launch_template_data
     #   The information for the launch template.
     #
+    # @option params [Types::OperatorRequest] :operator
+    #   Reserved for internal use.
+    #
     # @option params [Array<Types::TagSpecification>] :tag_specifications
     #   The tags to apply to the launch template on creation. To tag the
     #   launch template, the resource type must be `launch-template`.
@@ -8887,6 +8892,12 @@ module Aws::EC2
     #         auto_recovery: "default", # accepts default, disabled
     #       },
     #       disable_api_stop: false,
+    #       operator: {
+    #         principal: "String",
+    #       },
+    #     },
+    #     operator: {
+    #       principal: "String",
     #     },
     #     tag_specifications: [
     #       {
@@ -8912,6 +8923,8 @@ module Aws::EC2
     #   resp.launch_template.tags #=> Array
     #   resp.launch_template.tags[0].key #=> String
     #   resp.launch_template.tags[0].value #=> String
+    #   resp.launch_template.operator.managed #=> Boolean
+    #   resp.launch_template.operator.principal #=> String
     #   resp.warning.errors #=> Array
     #   resp.warning.errors[0].code #=> String
     #   resp.warning.errors[0].message #=> String
@@ -9289,6 +9302,9 @@ module Aws::EC2
     #         auto_recovery: "default", # accepts default, disabled
     #       },
     #       disable_api_stop: false,
+    #       operator: {
+    #         principal: "String",
+    #       },
     #     },
     #     resolve_alias: false,
     #   })
@@ -9451,6 +9467,10 @@ module Aws::EC2
     #   resp.launch_template_version.launch_template_data.private_dns_name_options.enable_resource_name_dns_aaaa_record #=> Boolean
     #   resp.launch_template_version.launch_template_data.maintenance_options.auto_recovery #=> String, one of "default", "disabled"
     #   resp.launch_template_version.launch_template_data.disable_api_stop #=> Boolean
+    #   resp.launch_template_version.launch_template_data.operator.managed #=> Boolean
+    #   resp.launch_template_version.launch_template_data.operator.principal #=> String
+    #   resp.launch_template_version.operator.managed #=> Boolean
+    #   resp.launch_template_version.operator.principal #=> String
     #   resp.warning.errors #=> Array
     #   resp.warning.errors[0].code #=> String
     #   resp.warning.errors[0].message #=> String
@@ -10768,6 +10788,9 @@ module Aws::EC2
     # @option params [Types::ConnectionTrackingSpecificationRequest] :connection_tracking_specification
     #   A connection tracking specification for the network interface.
     #
+    # @option params [Types::OperatorRequest] :operator
+    #   Reserved for internal use.
+    #
     # @option params [required, String] :subnet_id
     #   The ID of the subnet to associate with the network interface.
     #
@@ -10911,6 +10934,9 @@ module Aws::EC2
     #       udp_stream_timeout: 1,
     #       udp_timeout: 1,
     #     },
+    #     operator: {
+    #       principal: "String",
+    #     },
     #     subnet_id: "SubnetId", # required
     #     description: "String",
     #     private_ip_address: "String",
@@ -10996,6 +11022,8 @@ module Aws::EC2
     #   resp.network_interface.deny_all_igw_traffic #=> Boolean
     #   resp.network_interface.ipv_6_native #=> Boolean
     #   resp.network_interface.ipv_6_address #=> String
+    #   resp.network_interface.operator.managed #=> Boolean
+    #   resp.network_interface.operator.principal #=> String
     #   resp.client_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateNetworkInterface AWS API Documentation
@@ -12542,6 +12570,7 @@ module Aws::EC2
     #   resp.subnet.private_dns_name_options_on_launch.hostname_type #=> String, one of "ip-name", "resource-name"
     #   resp.subnet.private_dns_name_options_on_launch.enable_resource_name_dns_a_record #=> Boolean
     #   resp.subnet.private_dns_name_options_on_launch.enable_resource_name_dns_aaaa_record #=> Boolean
+    #   resp.subnet.block_public_access_states.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
     #   resp.subnet.subnet_id #=> String
     #   resp.subnet.state #=> String, one of "pending", "available", "unavailable"
     #   resp.subnet.vpc_id #=> String
@@ -14688,6 +14717,9 @@ module Aws::EC2
     #
     #   [1]: https://docs.aws.amazon.com/ec2/latest/devguide/ec2-api-idempotency.html
     #
+    # @option params [Types::OperatorRequest] :operator
+    #   Reserved for internal use.
+    #
     # @option params [Boolean] :dry_run
     #   Checks whether you have the required permissions for the action,
     #   without actually making the request, and provides an error response.
@@ -14704,6 +14736,7 @@ module Aws::EC2
     #   * {Types::Volume#multi_attach_enabled #multi_attach_enabled} => Boolean
     #   * {Types::Volume#throughput #throughput} => Integer
     #   * {Types::Volume#sse_type #sse_type} => String
+    #   * {Types::Volume#operator #operator} => Types::OperatorResponse
     #   * {Types::Volume#volume_id #volume_id} => String
     #   * {Types::Volume#size #size} => Integer
     #   * {Types::Volume#snapshot_id #snapshot_id} => String
@@ -14791,6 +14824,9 @@ module Aws::EC2
     #     multi_attach_enabled: false,
     #     throughput: 1,
     #     client_token: "String",
+    #     operator: {
+    #       principal: "String",
+    #     },
     #     dry_run: false,
     #   })
     #
@@ -14806,6 +14842,8 @@ module Aws::EC2
     #   resp.multi_attach_enabled #=> Boolean
     #   resp.throughput #=> Integer
     #   resp.sse_type #=> String, one of "sse-ebs", "sse-kms", "none"
+    #   resp.operator.managed #=> Boolean
+    #   resp.operator.principal #=> String
     #   resp.volume_id #=> String
     #   resp.size #=> Integer
     #   resp.snapshot_id #=> String
@@ -15024,6 +15062,7 @@ module Aws::EC2
     #   resp.vpc.tags #=> Array
     #   resp.vpc.tags[0].key #=> String
     #   resp.vpc.tags[0].value #=> String
+    #   resp.vpc.block_public_access_states.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
     #   resp.vpc.vpc_id #=> String
     #   resp.vpc.state #=> String, one of "pending", "available"
     #   resp.vpc.cidr_block #=> String
@@ -15038,6 +15077,96 @@ module Aws::EC2
       req.send_request(options)
     end
 
+    # Create a VPC Block Public Access (BPA) exclusion. A VPC BPA exclusion
+    # is a mode that can be applied to a single VPC or subnet that exempts
+    # it from the account’s BPA mode and will allow bidirectional or
+    # egress-only access. You can create BPA exclusions for VPCs and subnets
+    # even when BPA is not enabled on the account to ensure that there is no
+    # traffic disruption to the exclusions when VPC BPA is turned on. To
+    # learn more about VPC BPA, see [Block public access to VPCs and
+    # subnets][1] in the *Amazon VPC User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html
+    #
+    # @option params [Boolean] :dry_run
+    #   Checks whether you have the required permissions for the action,
+    #   without actually making the request, and provides an error response.
+    #   If you have the required permissions, the error response is
+    #   `DryRunOperation`. Otherwise, it is `UnauthorizedOperation`.
+    #
+    # @option params [String] :subnet_id
+    #   A subnet ID.
+    #
+    # @option params [String] :vpc_id
+    #   A VPC ID.
+    #
+    # @option params [required, String] :internet_gateway_exclusion_mode
+    #   The exclusion mode for internet gateway traffic.
+    #
+    #   * `bidirectional-access-allowed`: Allow all internet traffic to and
+    #     from the excluded VPCs and subnets.
+    #
+    #   * `egress-access-allowed`: Allow outbound internet traffic from the
+    #     excluded VPCs and subnets. Block inbound internet traffic to the
+    #     excluded VPCs and subnets. Only applies when VPC Block Public Access
+    #     is set to Bidirectional.
+    #
+    # @option params [Array<Types::TagSpecification>] :tag_specifications
+    #   `tag` - The key/value combination of a tag assigned to the resource.
+    #   Use the tag key in the filter name and the tag value as the filter
+    #   value. For example, to find all resources that have a tag with the key
+    #   `Owner` and the value `TeamA`, specify `tag:Owner` for the filter name
+    #   and `TeamA` for the filter value.
+    #
+    # @return [Types::CreateVpcBlockPublicAccessExclusionResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CreateVpcBlockPublicAccessExclusionResult#vpc_block_public_access_exclusion #vpc_block_public_access_exclusion} => Types::VpcBlockPublicAccessExclusion
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.create_vpc_block_public_access_exclusion({
+    #     dry_run: false,
+    #     subnet_id: "SubnetId",
+    #     vpc_id: "VpcId",
+    #     internet_gateway_exclusion_mode: "allow-bidirectional", # required, accepts allow-bidirectional, allow-egress
+    #     tag_specifications: [
+    #       {
+    #         resource_type: "capacity-reservation", # accepts capacity-reservation, client-vpn-endpoint, customer-gateway, carrier-gateway, coip-pool, dedicated-host, dhcp-options, egress-only-internet-gateway, elastic-ip, elastic-gpu, export-image-task, export-instance-task, fleet, fpga-image, host-reservation, image, import-image-task, import-snapshot-task, instance, instance-event-window, internet-gateway, ipam, ipam-pool, ipam-scope, ipv4pool-ec2, ipv6pool-ec2, key-pair, launch-template, local-gateway, local-gateway-route-table, local-gateway-virtual-interface, local-gateway-virtual-interface-group, local-gateway-route-table-vpc-association, local-gateway-route-table-virtual-interface-group-association, natgateway, network-acl, network-interface, network-insights-analysis, network-insights-path, network-insights-access-scope, network-insights-access-scope-analysis, placement-group, prefix-list, replace-root-volume-task, reserved-instances, route-table, security-group, security-group-rule, snapshot, spot-fleet-request, spot-instances-request, subnet, subnet-cidr-reservation, traffic-mirror-filter, traffic-mirror-session, traffic-mirror-target, transit-gateway, transit-gateway-attachment, transit-gateway-connect-peer, transit-gateway-multicast-domain, transit-gateway-policy-table, transit-gateway-route-table, transit-gateway-route-table-announcement, volume, vpc, vpc-endpoint, vpc-endpoint-connection, vpc-endpoint-service, vpc-endpoint-service-permission, vpc-peering-connection, vpn-connection, vpn-gateway, vpc-flow-log, capacity-reservation-fleet, traffic-mirror-filter-rule, vpc-endpoint-connection-device-type, verified-access-instance, verified-access-group, verified-access-endpoint, verified-access-policy, verified-access-trust-provider, vpn-connection-device-type, vpc-block-public-access-exclusion, ipam-resource-discovery, ipam-resource-discovery-association, instance-connect-endpoint, ipam-external-resource-verification-token
+    #         tags: [
+    #           {
+    #             key: "String",
+    #             value: "String",
+    #           },
+    #         ],
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.vpc_block_public_access_exclusion.exclusion_id #=> String
+    #   resp.vpc_block_public_access_exclusion.internet_gateway_exclusion_mode #=> String, one of "allow-bidirectional", "allow-egress"
+    #   resp.vpc_block_public_access_exclusion.resource_arn #=> String
+    #   resp.vpc_block_public_access_exclusion.state #=> String, one of "create-in-progress", "create-complete", "create-failed", "update-in-progress", "update-complete", "update-failed", "delete-in-progress", "delete-complete", "disable-in-progress", "disable-complete"
+    #   resp.vpc_block_public_access_exclusion.reason #=> String
+    #   resp.vpc_block_public_access_exclusion.creation_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.last_update_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.deletion_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.tags #=> Array
+    #   resp.vpc_block_public_access_exclusion.tags[0].key #=> String
+    #   resp.vpc_block_public_access_exclusion.tags[0].value #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateVpcBlockPublicAccessExclusion AWS API Documentation
+    #
+    # @overload create_vpc_block_public_access_exclusion(params = {})
+    # @param [Hash] params ({})
+    def create_vpc_block_public_access_exclusion(params = {}, options = {})
+      req = build_request(:create_vpc_block_public_access_exclusion, params)
+      req.send_request(options)
+    end
+
     # Creates a VPC endpoint. A VPC endpoint provides a private connection
     # between the specified VPC and the specified endpoint service. You can
     # use an endpoint service provided by Amazon Web Services, an Amazon Web
@@ -16956,6 +17085,8 @@ module Aws::EC2
     #   resp.launch_template.tags #=> Array
     #   resp.launch_template.tags[0].key #=> String
     #   resp.launch_template.tags[0].value #=> String
+    #   resp.launch_template.operator.managed #=> Boolean
+    #   resp.launch_template.operator.principal #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteLaunchTemplate AWS API Documentation
     #
@@ -19254,6 +19385,62 @@ module Aws::EC2
       req.send_request(options)
     end
 
+    # Delete a VPC Block Public Access (BPA) exclusion. A VPC BPA exclusion
+    # is a mode that can be applied to a single VPC or subnet that exempts
+    # it from the account’s BPA mode and will allow bidirectional or
+    # egress-only access. You can create BPA exclusions for VPCs and subnets
+    # even when BPA is not enabled on the account to ensure that there is no
+    # traffic disruption to the exclusions when VPC BPA is turned on. To
+    # learn more about VPC BPA, see [Block public access to VPCs and
+    # subnets][1] in the *Amazon VPC User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html
+    #
+    # @option params [Boolean] :dry_run
+    #   Checks whether you have the required permissions for the action,
+    #   without actually making the request, and provides an error response.
+    #   If you have the required permissions, the error response is
+    #   `DryRunOperation`. Otherwise, it is `UnauthorizedOperation`.
+    #
+    # @option params [required, String] :exclusion_id
+    #   The ID of the exclusion.
+    #
+    # @return [Types::DeleteVpcBlockPublicAccessExclusionResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DeleteVpcBlockPublicAccessExclusionResult#vpc_block_public_access_exclusion #vpc_block_public_access_exclusion} => Types::VpcBlockPublicAccessExclusion
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_vpc_block_public_access_exclusion({
+    #     dry_run: false,
+    #     exclusion_id: "VpcBlockPublicAccessExclusionId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.vpc_block_public_access_exclusion.exclusion_id #=> String
+    #   resp.vpc_block_public_access_exclusion.internet_gateway_exclusion_mode #=> String, one of "allow-bidirectional", "allow-egress"
+    #   resp.vpc_block_public_access_exclusion.resource_arn #=> String
+    #   resp.vpc_block_public_access_exclusion.state #=> String, one of "create-in-progress", "create-complete", "create-failed", "update-in-progress", "update-complete", "update-failed", "delete-in-progress", "delete-complete", "disable-in-progress", "disable-complete"
+    #   resp.vpc_block_public_access_exclusion.reason #=> String
+    #   resp.vpc_block_public_access_exclusion.creation_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.last_update_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.deletion_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.tags #=> Array
+    #   resp.vpc_block_public_access_exclusion.tags[0].key #=> String
+    #   resp.vpc_block_public_access_exclusion.tags[0].value #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteVpcBlockPublicAccessExclusion AWS API Documentation
+    #
+    # @overload delete_vpc_block_public_access_exclusion(params = {})
+    # @param [Hash] params ({})
+    def delete_vpc_block_public_access_exclusion(params = {}, options = {})
+      req = build_request(:delete_vpc_block_public_access_exclusion, params)
+      req.send_request(options)
+    end
+
     # Deletes the specified VPC endpoint connection notifications.
     #
     # @option params [Boolean] :dry_run
@@ -21097,7 +21284,6 @@ module Aws::EC2
     #     * `dedicated` - The Capacity Reservation is created on single-tenant
     #       hardware that is dedicated to a single Amazon Web Services
     #       account.
-    #
     #   * `outpost-arn` - The Amazon Resource Name (ARN) of the Outpost on
     #     which the Capacity Reservation was created.
     #
@@ -21121,7 +21307,6 @@ module Aws::EC2
     #       might fail due to invalid request parameters, capacity
     #       constraints, or instance limit constraints. Failed requests are
     #       retained for 60 minutes.
-    #
     #   * `start-date` - The date and time at which the Capacity Reservation
     #     was started.
     #
@@ -21140,7 +21325,6 @@ module Aws::EC2
     #
     #     * `limited` - The Capacity Reservation expires automatically at a
     #       specified date and time.
-    #
     #   * `instance-match-criteria` - Indicates the type of instance launches
     #     that the Capacity Reservation accepts. The options include:
     #
@@ -21155,7 +21339,6 @@ module Aws::EC2
     #       Availability Zone), and explicitly target the Capacity
     #       Reservation. This ensures that only permitted instances can use
     #       the reserved capacity.
-    #
     #   * `placement-group-arn` - The ARN of the cluster placement group in
     #     which the Capacity Reservation was created.
     #
@@ -21342,11 +21525,11 @@ module Aws::EC2
     #
     #   * `instance-id` - The ID of the instance.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -22140,11 +22323,11 @@ module Aws::EC2
     #   * `owner-id` - The ID of the Amazon Web Services account that owns the
     #     DHCP options set.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -22259,11 +22442,11 @@ module Aws::EC2
     # @option params [Array<Types::Filter>] :filters
     #   The filters.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -24711,6 +24894,8 @@ module Aws::EC2
     #   resp.block_device_mappings[0].ebs.volume_id #=> String
     #   resp.block_device_mappings[0].ebs.associated_resource #=> String
     #   resp.block_device_mappings[0].ebs.volume_owner_id #=> String
+    #   resp.block_device_mappings[0].ebs.operator.managed #=> Boolean
+    #   resp.block_device_mappings[0].ebs.operator.principal #=> String
     #   resp.disable_api_termination.value #=> Boolean
     #   resp.ena_support.value #=> Boolean
     #   resp.enclave_options.enabled #=> Boolean
@@ -25249,6 +25434,8 @@ module Aws::EC2
     #   resp.instance_image_metadata[0].image_metadata.creation_date #=> String
     #   resp.instance_image_metadata[0].image_metadata.deprecation_time #=> String
     #   resp.instance_image_metadata[0].image_metadata.is_public #=> Boolean
+    #   resp.instance_image_metadata[0].operator.managed #=> Boolean
+    #   resp.instance_image_metadata[0].operator.principal #=> String
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeInstanceImageMetadata AWS API Documentation
@@ -25454,6 +25641,8 @@ module Aws::EC2
     #   resp.instance_statuses #=> Array
     #   resp.instance_statuses[0].availability_zone #=> String
     #   resp.instance_statuses[0].outpost_arn #=> String
+    #   resp.instance_statuses[0].operator.managed #=> Boolean
+    #   resp.instance_statuses[0].operator.principal #=> String
     #   resp.instance_statuses[0].events #=> Array
     #   resp.instance_statuses[0].events[0].instance_event_id #=> String
     #   resp.instance_statuses[0].events[0].code #=> String, one of "instance-reboot", "system-reboot", "system-maintenance", "instance-retirement", "instance-stop"
@@ -25509,7 +25698,6 @@ module Aws::EC2
     #   * Availability Zone
     #
     #   * Local Zone
-    #
     # * Supported instance types
     #
     #   * `hpc6a.48xlarge` \| `hpc6id.32xlarge` \| `hpc7a.12xlarge` \|
@@ -26634,6 +26822,8 @@ module Aws::EC2
     #   resp.reservations[0].instances[0].block_device_mappings[0].ebs.volume_id #=> String
     #   resp.reservations[0].instances[0].block_device_mappings[0].ebs.associated_resource #=> String
     #   resp.reservations[0].instances[0].block_device_mappings[0].ebs.volume_owner_id #=> String
+    #   resp.reservations[0].instances[0].block_device_mappings[0].ebs.operator.managed #=> Boolean
+    #   resp.reservations[0].instances[0].block_device_mappings[0].ebs.operator.principal #=> String
     #   resp.reservations[0].instances[0].client_token #=> String
     #   resp.reservations[0].instances[0].ebs_optimized #=> Boolean
     #   resp.reservations[0].instances[0].ena_support #=> Boolean
@@ -26698,6 +26888,8 @@ module Aws::EC2
     #   resp.reservations[0].instances[0].network_interfaces[0].connection_tracking_configuration.tcp_established_timeout #=> Integer
     #   resp.reservations[0].instances[0].network_interfaces[0].connection_tracking_configuration.udp_stream_timeout #=> Integer
     #   resp.reservations[0].instances[0].network_interfaces[0].connection_tracking_configuration.udp_timeout #=> Integer
+    #   resp.reservations[0].instances[0].network_interfaces[0].operator.managed #=> Boolean
+    #   resp.reservations[0].instances[0].network_interfaces[0].operator.principal #=> String
     #   resp.reservations[0].instances[0].outpost_arn #=> String
     #   resp.reservations[0].instances[0].root_device_name #=> String
     #   resp.reservations[0].instances[0].root_device_type #=> String, one of "ebs", "instance-store"
@@ -26741,6 +26933,8 @@ module Aws::EC2
     #   resp.reservations[0].instances[0].tpm_support #=> String
     #   resp.reservations[0].instances[0].maintenance_options.auto_recovery #=> String, one of "disabled", "default"
     #   resp.reservations[0].instances[0].current_instance_boot_mode #=> String, one of "legacy-bios", "uefi"
+    #   resp.reservations[0].instances[0].operator.managed #=> Boolean
+    #   resp.reservations[0].instances[0].operator.principal #=> String
     #   resp.reservations[0].instances[0].instance_id #=> String
     #   resp.reservations[0].instances[0].image_id #=> String
     #   resp.reservations[0].instances[0].state.code #=> Integer
@@ -26833,11 +27027,11 @@ module Aws::EC2
     #   * `owner-id` - The ID of the Amazon Web Services account that owns the
     #     internet gateway.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -28023,6 +28217,10 @@ module Aws::EC2
     #   resp.launch_template_versions[0].launch_template_data.private_dns_name_options.enable_resource_name_dns_aaaa_record #=> Boolean
     #   resp.launch_template_versions[0].launch_template_data.maintenance_options.auto_recovery #=> String, one of "default", "disabled"
     #   resp.launch_template_versions[0].launch_template_data.disable_api_stop #=> Boolean
+    #   resp.launch_template_versions[0].launch_template_data.operator.managed #=> Boolean
+    #   resp.launch_template_versions[0].launch_template_data.operator.principal #=> String
+    #   resp.launch_template_versions[0].operator.managed #=> Boolean
+    #   resp.launch_template_versions[0].operator.principal #=> String
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeLaunchTemplateVersions AWS API Documentation
@@ -28133,6 +28331,8 @@ module Aws::EC2
     #   resp.launch_templates[0].tags #=> Array
     #   resp.launch_templates[0].tags[0].key #=> String
     #   resp.launch_templates[0].tags[0].value #=> String
+    #   resp.launch_templates[0].operator.managed #=> Boolean
+    #   resp.launch_templates[0].operator.principal #=> String
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeLaunchTemplates AWS API Documentation
@@ -28978,11 +29178,11 @@ module Aws::EC2
     #
     #   * `subnet-id` - The ID of the subnet in which the NAT gateway resides.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -29191,11 +29391,11 @@ module Aws::EC2
     #   * `owner-id` - The ID of the Amazon Web Services account that owns the
     #     network ACL.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -31015,6 +31215,8 @@ module Aws::EC2
     #   resp.network_interfaces[0].deny_all_igw_traffic #=> Boolean
     #   resp.network_interfaces[0].ipv_6_native #=> Boolean
     #   resp.network_interfaces[0].ipv_6_address #=> String
+    #   resp.network_interfaces[0].operator.managed #=> Boolean
+    #   resp.network_interfaces[0].operator.principal #=> String
     #   resp.next_token #=> String
     #
     #
@@ -32238,11 +32440,11 @@ module Aws::EC2
     #   * `route.vpc-peering-connection-id` - The ID of a VPC peering
     #     connection specified in a route in the table.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -34878,11 +35080,11 @@ module Aws::EC2
     #
     #   * `subnet-id` - The ID of the subnet.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -34995,6 +35197,7 @@ module Aws::EC2
     #   resp.subnets[0].private_dns_name_options_on_launch.hostname_type #=> String, one of "ip-name", "resource-name"
     #   resp.subnets[0].private_dns_name_options_on_launch.enable_resource_name_dns_a_record #=> Boolean
     #   resp.subnets[0].private_dns_name_options_on_launch.enable_resource_name_dns_aaaa_record #=> Boolean
+    #   resp.subnets[0].block_public_access_states.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
     #   resp.subnets[0].subnet_id #=> String
     #   resp.subnets[0].state #=> String, one of "pending", "available", "unavailable"
     #   resp.subnets[0].vpc_id #=> String
@@ -37385,6 +37588,8 @@ module Aws::EC2
     #   resp.volumes[0].multi_attach_enabled #=> Boolean
     #   resp.volumes[0].throughput #=> Integer
     #   resp.volumes[0].sse_type #=> String, one of "sse-ebs", "sse-kms", "none"
+    #   resp.volumes[0].operator.managed #=> Boolean
+    #   resp.volumes[0].operator.principal #=> String
     #   resp.volumes[0].volume_id #=> String
     #   resp.volumes[0].size #=> Integer
     #   resp.volumes[0].snapshot_id #=> String
@@ -37616,6 +37821,159 @@ module Aws::EC2
       req.send_request(options)
     end
 
+    # Describe VPC Block Public Access (BPA) exclusions. A VPC BPA exclusion
+    # is a mode that can be applied to a single VPC or subnet that exempts
+    # it from the account’s BPA mode and will allow bidirectional or
+    # egress-only access. You can create BPA exclusions for VPCs and subnets
+    # even when BPA is not enabled on the account to ensure that there is no
+    # traffic disruption to the exclusions when VPC BPA is turned on. To
+    # learn more about VPC BPA, see [Block public access to VPCs and
+    # subnets][1] in the *Amazon VPC User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html
+    #
+    # @option params [Boolean] :dry_run
+    #   Checks whether you have the required permissions for the action,
+    #   without actually making the request, and provides an error response.
+    #   If you have the required permissions, the error response is
+    #   `DryRunOperation`. Otherwise, it is `UnauthorizedOperation`.
+    #
+    # @option params [Array<Types::Filter>] :filters
+    #   Filters for the request:
+    #
+    #   * `resource-arn` - The Amazon Resource Name (ARN) of a exclusion.
+    #
+    #   * `internet-gateway-exclusion-mode` - The mode of a VPC BPA exclusion.
+    #     Possible values: `bidirectional-access-allowed |
+    #     egress-access-allowed`.
+    #
+    #   * `state` - The state of VPC BPA. Possible values: `create-in-progress
+    #     | create-complete | update-in-progress | update-complete |
+    #     delete-in-progress | deleted-complete | disable-in-progress |
+    #     disable-complete`
+    #
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
+    #
+    #   * `tag-key` - The key of a tag assigned to the resource. Use this
+    #     filter to find all resources assigned a tag with a specific key,
+    #     regardless of the tag value.
+    #
+    #   * `tag-value`: The value of a tag assigned to the resource. Use this
+    #     filter to find all resources assigned a tag with a specific value,
+    #     regardless of the tag key.
+    #
+    # @option params [Array<String>] :exclusion_ids
+    #   IDs of exclusions.
+    #
+    # @option params [String] :next_token
+    #   The token returned from a previous paginated request. Pagination
+    #   continues from the end of the items returned by the previous request.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of items to return for this request. To get the
+    #   next page of items, make another request with the token returned in
+    #   the output. For more information, see [Pagination][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html#api-pagination
+    #
+    # @return [Types::DescribeVpcBlockPublicAccessExclusionsResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DescribeVpcBlockPublicAccessExclusionsResult#vpc_block_public_access_exclusions #vpc_block_public_access_exclusions} => Array&lt;Types::VpcBlockPublicAccessExclusion&gt;
+    #   * {Types::DescribeVpcBlockPublicAccessExclusionsResult#next_token #next_token} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.describe_vpc_block_public_access_exclusions({
+    #     dry_run: false,
+    #     filters: [
+    #       {
+    #         name: "String",
+    #         values: ["String"],
+    #       },
+    #     ],
+    #     exclusion_ids: ["VpcBlockPublicAccessExclusionId"],
+    #     next_token: "String",
+    #     max_results: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.vpc_block_public_access_exclusions #=> Array
+    #   resp.vpc_block_public_access_exclusions[0].exclusion_id #=> String
+    #   resp.vpc_block_public_access_exclusions[0].internet_gateway_exclusion_mode #=> String, one of "allow-bidirectional", "allow-egress"
+    #   resp.vpc_block_public_access_exclusions[0].resource_arn #=> String
+    #   resp.vpc_block_public_access_exclusions[0].state #=> String, one of "create-in-progress", "create-complete", "create-failed", "update-in-progress", "update-complete", "update-failed", "delete-in-progress", "delete-complete", "disable-in-progress", "disable-complete"
+    #   resp.vpc_block_public_access_exclusions[0].reason #=> String
+    #   resp.vpc_block_public_access_exclusions[0].creation_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusions[0].last_update_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusions[0].deletion_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusions[0].tags #=> Array
+    #   resp.vpc_block_public_access_exclusions[0].tags[0].key #=> String
+    #   resp.vpc_block_public_access_exclusions[0].tags[0].value #=> String
+    #   resp.next_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVpcBlockPublicAccessExclusions AWS API Documentation
+    #
+    # @overload describe_vpc_block_public_access_exclusions(params = {})
+    # @param [Hash] params ({})
+    def describe_vpc_block_public_access_exclusions(params = {}, options = {})
+      req = build_request(:describe_vpc_block_public_access_exclusions, params)
+      req.send_request(options)
+    end
+
+    # Describe VPC Block Public Access (BPA) options. VPC Block public
+    # Access (BPA) enables you to block resources in VPCs and subnets that
+    # you own in a Region from reaching or being reached from the internet
+    # through internet gateways and egress-only internet gateways. To learn
+    # more about VPC BPA, see [Block public access to VPCs and subnets][1]
+    # in the *Amazon VPC User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html
+    #
+    # @option params [Boolean] :dry_run
+    #   Checks whether you have the required permissions for the action,
+    #   without actually making the request, and provides an error response.
+    #   If you have the required permissions, the error response is
+    #   `DryRunOperation`. Otherwise, it is `UnauthorizedOperation`.
+    #
+    # @return [Types::DescribeVpcBlockPublicAccessOptionsResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DescribeVpcBlockPublicAccessOptionsResult#vpc_block_public_access_options #vpc_block_public_access_options} => Types::VpcBlockPublicAccessOptions
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.describe_vpc_block_public_access_options({
+    #     dry_run: false,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.vpc_block_public_access_options.aws_account_id #=> String
+    #   resp.vpc_block_public_access_options.aws_region #=> String
+    #   resp.vpc_block_public_access_options.state #=> String, one of "default-state", "update-in-progress", "update-complete"
+    #   resp.vpc_block_public_access_options.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
+    #   resp.vpc_block_public_access_options.reason #=> String
+    #   resp.vpc_block_public_access_options.last_update_timestamp #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeVpcBlockPublicAccessOptions AWS API Documentation
+    #
+    # @overload describe_vpc_block_public_access_options(params = {})
+    # @param [Hash] params ({})
+    def describe_vpc_block_public_access_options(params = {}, options = {})
+      req = build_request(:describe_vpc_block_public_access_options, params)
+      req.send_request(options)
+    end
+
     # <note markdown="1"> This action is deprecated.
     #
     #  </note>
@@ -37637,11 +37995,11 @@ module Aws::EC2
     #   * `is-classic-link-enabled` - Whether the VPC is enabled for
     #     ClassicLink (`true` \| `false`).
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -38380,11 +38738,11 @@ module Aws::EC2
     #   * `status-message` - A message that provides more information about
     #     the status of the VPC peering connection, if applicable.
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -38505,11 +38863,11 @@ module Aws::EC2
     #
     #   * `state` - The state of the VPC (`pending` \| `available`).
     #
-    #   * `tag`:&lt;key&gt; - The key/value combination of a tag assigned to
-    #     the resource. Use the tag key in the filter name and the tag value
-    #     as the filter value. For example, to find all resources that have a
-    #     tag with the key `Owner` and the value `TeamA`, specify `tag:Owner`
-    #     for the filter name and `TeamA` for the filter value.
+    #   * `tag` - The key/value combination of a tag assigned to the resource.
+    #     Use the tag key in the filter name and the tag value as the filter
+    #     value. For example, to find all resources that have a tag with the
+    #     key `Owner` and the value `TeamA`, specify `tag:Owner` for the
+    #     filter name and `TeamA` for the filter value.
     #
     #   * `tag-key` - The key of a tag assigned to the resource. Use this
     #     filter to find all resources assigned a tag with a specific key,
@@ -38616,6 +38974,7 @@ module Aws::EC2
     #   resp.vpcs[0].tags #=> Array
     #   resp.vpcs[0].tags[0].key #=> String
     #   resp.vpcs[0].tags[0].value #=> String
+    #   resp.vpcs[0].block_public_access_states.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
     #   resp.vpcs[0].vpc_id #=> String
     #   resp.vpcs[0].state #=> String, one of "pending", "available"
     #   resp.vpcs[0].cidr_block #=> String
@@ -44029,6 +44388,8 @@ module Aws::EC2
     #   resp.launch_template_data.private_dns_name_options.enable_resource_name_dns_aaaa_record #=> Boolean
     #   resp.launch_template_data.maintenance_options.auto_recovery #=> String, one of "default", "disabled"
     #   resp.launch_template_data.disable_api_stop #=> Boolean
+    #   resp.launch_template_data.operator.managed #=> Boolean
+    #   resp.launch_template_data.operator.principal #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetLaunchTemplateData AWS API Documentation
     #
@@ -46890,7 +47251,6 @@ module Aws::EC2
     #
     #     * The snapshot is unlocked by a user with the appropriate
     #       permissions.
-    #
     #     Users with the appropriate IAM permissions can unlock the snapshot,
     #     increase or decrease the lock duration, and change the lock mode to
     #     `compliance` at any time.
@@ -49663,6 +50023,8 @@ module Aws::EC2
     #   resp.launch_template.tags #=> Array
     #   resp.launch_template.tags[0].key #=> String
     #   resp.launch_template.tags[0].value #=> String
+    #   resp.launch_template.operator.managed #=> Boolean
+    #   resp.launch_template.operator.principal #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyLaunchTemplate AWS API Documentation
     #
@@ -52012,6 +52374,131 @@ module Aws::EC2
       req.send_request(options)
     end
 
+    # Modify VPC Block Public Access (BPA) exclusions. A VPC BPA exclusion
+    # is a mode that can be applied to a single VPC or subnet that exempts
+    # it from the account’s BPA mode and will allow bidirectional or
+    # egress-only access. You can create BPA exclusions for VPCs and subnets
+    # even when BPA is not enabled on the account to ensure that there is no
+    # traffic disruption to the exclusions when VPC BPA is turned on.
+    #
+    # @option params [Boolean] :dry_run
+    #   Checks whether you have the required permissions for the action,
+    #   without actually making the request, and provides an error response.
+    #   If you have the required permissions, the error response is
+    #   `DryRunOperation`. Otherwise, it is `UnauthorizedOperation`.
+    #
+    # @option params [required, String] :exclusion_id
+    #   The ID of an exclusion.
+    #
+    # @option params [required, String] :internet_gateway_exclusion_mode
+    #   The exclusion mode for internet gateway traffic.
+    #
+    #   * `bidirectional-access-allowed`: Allow all internet traffic to and
+    #     from the excluded VPCs and subnets.
+    #
+    #   * `egress-access-allowed`: Allow outbound internet traffic from the
+    #     excluded VPCs and subnets. Block inbound internet traffic to the
+    #     excluded VPCs and subnets. Only applies when VPC Block Public Access
+    #     is set to Bidirectional.
+    #
+    # @return [Types::ModifyVpcBlockPublicAccessExclusionResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ModifyVpcBlockPublicAccessExclusionResult#vpc_block_public_access_exclusion #vpc_block_public_access_exclusion} => Types::VpcBlockPublicAccessExclusion
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.modify_vpc_block_public_access_exclusion({
+    #     dry_run: false,
+    #     exclusion_id: "VpcBlockPublicAccessExclusionId", # required
+    #     internet_gateway_exclusion_mode: "allow-bidirectional", # required, accepts allow-bidirectional, allow-egress
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.vpc_block_public_access_exclusion.exclusion_id #=> String
+    #   resp.vpc_block_public_access_exclusion.internet_gateway_exclusion_mode #=> String, one of "allow-bidirectional", "allow-egress"
+    #   resp.vpc_block_public_access_exclusion.resource_arn #=> String
+    #   resp.vpc_block_public_access_exclusion.state #=> String, one of "create-in-progress", "create-complete", "create-failed", "update-in-progress", "update-complete", "update-failed", "delete-in-progress", "delete-complete", "disable-in-progress", "disable-complete"
+    #   resp.vpc_block_public_access_exclusion.reason #=> String
+    #   resp.vpc_block_public_access_exclusion.creation_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.last_update_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.deletion_timestamp #=> Time
+    #   resp.vpc_block_public_access_exclusion.tags #=> Array
+    #   resp.vpc_block_public_access_exclusion.tags[0].key #=> String
+    #   resp.vpc_block_public_access_exclusion.tags[0].value #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVpcBlockPublicAccessExclusion AWS API Documentation
+    #
+    # @overload modify_vpc_block_public_access_exclusion(params = {})
+    # @param [Hash] params ({})
+    def modify_vpc_block_public_access_exclusion(params = {}, options = {})
+      req = build_request(:modify_vpc_block_public_access_exclusion, params)
+      req.send_request(options)
+    end
+
+    # Modify VPC Block Public Access (BPA) options. VPC Block public Access
+    # (BPA) enables you to block resources in VPCs and subnets that you own
+    # in a Region from reaching or being reached from the internet through
+    # internet gateways and egress-only internet gateways. To learn more
+    # about VPC BPA, see [Block public access to VPCs and subnets][1] in the
+    # *Amazon VPC User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html
+    #
+    # @option params [Boolean] :dry_run
+    #   Checks whether you have the required permissions for the action,
+    #   without actually making the request, and provides an error response.
+    #   If you have the required permissions, the error response is
+    #   `DryRunOperation`. Otherwise, it is `UnauthorizedOperation`.
+    #
+    # @option params [required, String] :internet_gateway_block_mode
+    #   The mode of VPC BPA.
+    #
+    #   * `bidirectional-access-allowed`: VPC BPA is not enabled and traffic
+    #     is allowed to and from internet gateways and egress-only internet
+    #     gateways in this Region.
+    #
+    #   * `bidirectional-access-blocked`: Block all traffic to and from
+    #     internet gateways and egress-only internet gateways in this Region
+    #     (except for excluded VPCs and subnets).
+    #
+    #   * `ingress-access-blocked`: Block all internet traffic to the VPCs in
+    #     this Region (except for VPCs or subnets which are excluded). Only
+    #     traffic to and from NAT gateways and egress-only internet gateways
+    #     is allowed because these gateways only allow outbound connections to
+    #     be established.
+    #
+    # @return [Types::ModifyVpcBlockPublicAccessOptionsResult] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ModifyVpcBlockPublicAccessOptionsResult#vpc_block_public_access_options #vpc_block_public_access_options} => Types::VpcBlockPublicAccessOptions
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.modify_vpc_block_public_access_options({
+    #     dry_run: false,
+    #     internet_gateway_block_mode: "off", # required, accepts off, block-bidirectional, block-ingress
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.vpc_block_public_access_options.aws_account_id #=> String
+    #   resp.vpc_block_public_access_options.aws_region #=> String
+    #   resp.vpc_block_public_access_options.state #=> String, one of "default-state", "update-in-progress", "update-complete"
+    #   resp.vpc_block_public_access_options.internet_gateway_block_mode #=> String, one of "off", "block-bidirectional", "block-ingress"
+    #   resp.vpc_block_public_access_options.reason #=> String
+    #   resp.vpc_block_public_access_options.last_update_timestamp #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyVpcBlockPublicAccessOptions AWS API Documentation
+    #
+    # @overload modify_vpc_block_public_access_options(params = {})
+    # @param [Hash] params ({})
+    def modify_vpc_block_public_access_options(params = {}, options = {})
+      req = build_request(:modify_vpc_block_public_access_options, params)
+      req.send_request(options)
+    end
+
     # Modifies attributes of a specified VPC endpoint. The attributes that
     # you can modify depend on the type of VPC endpoint (interface, gateway,
     # or Gateway Load Balancer). For more information, see the [Amazon Web
@@ -57879,6 +58366,9 @@ module Aws::EC2
     #   first IPv6 GUA address associated with the ENI becomes the primary
     #   IPv6 address.
     #
+    # @option params [Types::OperatorRequest] :operator
+    #   Reserved for internal use.
+    #
     # @option params [Boolean] :dry_run
     #   Checks whether you have the required permissions for the operation,
     #   without actually making the request, and provides an error response.
@@ -58137,6 +58627,9 @@ module Aws::EC2
     #     },
     #     disable_api_stop: false,
     #     enable_primary_ipv_6: false,
+    #     operator: {
+    #       principal: "String",
+    #     },
     #     dry_run: false,
     #     disable_api_termination: false,
     #     instance_initiated_shutdown_behavior: "stop", # accepts stop, terminate
@@ -58221,6 +58714,8 @@ module Aws::EC2
     #   resp.instances[0].block_device_mappings[0].ebs.volume_id #=> String
     #   resp.instances[0].block_device_mappings[0].ebs.associated_resource #=> String
     #   resp.instances[0].block_device_mappings[0].ebs.volume_owner_id #=> String
+    #   resp.instances[0].block_device_mappings[0].ebs.operator.managed #=> Boolean
+    #   resp.instances[0].block_device_mappings[0].ebs.operator.principal #=> String
     #   resp.instances[0].client_token #=> String
     #   resp.instances[0].ebs_optimized #=> Boolean
     #   resp.instances[0].ena_support #=> Boolean
@@ -58285,6 +58780,8 @@ module Aws::EC2
     #   resp.instances[0].network_interfaces[0].connection_tracking_configuration.tcp_established_timeout #=> Integer
     #   resp.instances[0].network_interfaces[0].connection_tracking_configuration.udp_stream_timeout #=> Integer
     #   resp.instances[0].network_interfaces[0].connection_tracking_configuration.udp_timeout #=> Integer
+    #   resp.instances[0].network_interfaces[0].operator.managed #=> Boolean
+    #   resp.instances[0].network_interfaces[0].operator.principal #=> String
     #   resp.instances[0].outpost_arn #=> String
     #   resp.instances[0].root_device_name #=> String
     #   resp.instances[0].root_device_type #=> String, one of "ebs", "instance-store"
@@ -58328,6 +58825,8 @@ module Aws::EC2
     #   resp.instances[0].tpm_support #=> String
     #   resp.instances[0].maintenance_options.auto_recovery #=> String, one of "disabled", "default"
     #   resp.instances[0].current_instance_boot_mode #=> String, one of "legacy-bios", "uefi"
+    #   resp.instances[0].operator.managed #=> Boolean
+    #   resp.instances[0].operator.principal #=> String
     #   resp.instances[0].instance_id #=> String
     #   resp.instances[0].image_id #=> String
     #   resp.instances[0].state.code #=> Integer
@@ -60849,7 +61348,7 @@ module Aws::EC2
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-ec2'
-      context[:gem_version] = '1.489.0'
+      context[:gem_version] = '1.491.0'
       Seahorse::Client::Request.new(handlers, context)
     end