@awboost/cfntypes 0.100.26 → 0.100.28

package/lib/resources.generated.d.ts

@@ -3291,21 +3291,12 @@ export type ApiGatewayUsagePlanKeyAttributes = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-vpclink.html}
  */
 export type ApiGatewayVpcLinkProps = {
-    /**
-     * The description of the VPC link.
-     */
     Description?: string;
-    /**
-     * The name used to label and identify the VPC link.
-     */
     Name: string;
     /**
      * An array of arbitrary tags (key-value pairs) to associate with the VPC link.
      */
     Tags?: ApiGatewayVpcLinkTag[];
-    /**
-     * The ARN of the network load balancer of the VPC targeted by the VPC link. The network load balancer must be owned by the same AWS-account of the API owner.
-     */
     TargetArns: string[];
 };
 /**
@@ -11251,23 +11242,83 @@ export type AppSyncFunctionConfigurationSyncConfig = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-graphqlapi.html}
  */
 export type AppSyncGraphQLApiProps = {
+    /**
+     * A list of additional authentication providers for the GraphqlApi API.
+     */
     AdditionalAuthenticationProviders?: AppSyncGraphQLApiAdditionalAuthenticationProvider[];
+    /**
+     * The value that indicates whether the GraphQL API is a standard API (GRAPHQL) or merged API (MERGED).
+     */
     ApiType?: string;
+    /**
+     * Security configuration for your GraphQL API
+     */
     AuthenticationType: string;
+    /**
+     * Enables and controls the enhanced metrics feature. Enhanced metrics emit granular data on API usage and performance such as AppSync request and error counts, latency, and cache hits/misses. All enhanced metric data is sent to your CloudWatch account, and you can configure the types of data that will be sent.
+     */
     EnhancedMetricsConfig?: AppSyncGraphQLApiEnhancedMetricsConfig;
-    EnvironmentVariables?: Record<string, any>;
+    /**
+     * A map containing the list of resources with their properties and environment variables.
+     */
+    EnvironmentVariables?: Record<string, string>;
+    /**
+     * Sets the value of the GraphQL API to enable (ENABLED) or disable (DISABLED) introspection. If no value is provided, the introspection configuration will be set to ENABLED by default. This field will produce an error if the operation attempts to use the introspection feature while this field is disabled.
+     */
     IntrospectionConfig?: string;
+    /**
+     * A LambdaAuthorizerConfig holds configuration on how to authorize AWS AppSync API access when using the AWS_LAMBDA authorizer mode. Be aware that an AWS AppSync API may have only one Lambda authorizer configured at a time.
+     */
     LambdaAuthorizerConfig?: AppSyncGraphQLApiLambdaAuthorizerConfig;
+    /**
+     * The Amazon CloudWatch Logs configuration.
+     */
     LogConfig?: AppSyncGraphQLApiLogConfig;
+    /**
+     * The AWS Identity and Access Management service role ARN for a merged API.
+     */
     MergedApiExecutionRoleArn?: string;
+    /**
+     * The API name
+     */
     Name: string;
+    /**
+     * The OpenID Connect configuration.
+     */
     OpenIDConnectConfig?: AppSyncGraphQLApiOpenIDConnectConfig;
+    /**
+     * The owner contact information for an API resource.
+     */
     OwnerContact?: string;
+    /**
+     * The maximum depth a query can have in a single request. Depth refers to the amount of nested levels allowed in the body of query.
+     */
     QueryDepthLimit?: number;
+    /**
+     * The maximum number of resolvers that can be invoked in a single request.
+     */
     ResolverCountLimit?: number;
+    /**
+       * An arbitrary set of tags (key-value pairs) for this GraphQL API.
+      
+      
+       */
     Tags?: AppSyncGraphQLApiTag[];
+    /**
+       * Optional authorization configuration for using Amazon Cognito user pools with your GraphQL endpoint.
+      
+      
+       */
     UserPoolConfig?: AppSyncGraphQLApiUserPoolConfig;
+    /**
+     * Sets the scope of the GraphQL API to public (GLOBAL) or private (PRIVATE). By default, the scope is set to Global if no value is provided.
+     */
     Visibility?: string;
+    /**
+       * A flag indicating whether to use AWS X-Ray tracing for this GraphqlApi.
+      
+      
+       */
     XrayEnabled?: boolean;
 };
 /**
@@ -11275,13 +11326,33 @@ export type AppSyncGraphQLApiProps = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-graphqlapi.html#aws-resource-appsync-graphqlapi-return-values}
  */
 export type AppSyncGraphQLApiAttributes = {
+    /**
+     * Unique AWS AppSync GraphQL API identifier.
+     */
     ApiId: string;
+    /**
+     * The Amazon Resource Name (ARN) of the API key
+     */
     Arn: string;
+    /**
+     * The fully qualified domain name (FQDN) of the endpoint URL of your GraphQL API.
+     */
     GraphQLDns: string;
+    /**
+     * The GraphQL endpoint ARN.
+     */
     GraphQLEndpointArn: string;
+    /**
+     * The Endpoint URL of your GraphQL API.
+     */
     GraphQLUrl: string;
-    Id: string;
+    /**
+     * The fully qualified domain name (FQDN) of the real-time endpoint URL of your GraphQL API.
+     */
     RealtimeDns: string;
+    /**
+     * The GraphQL API real-time endpoint URL.
+     */
     RealtimeUrl: string;
 };
 /**
@@ -11289,6 +11360,9 @@ export type AppSyncGraphQLApiAttributes = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-additionalauthenticationprovider.html}
  */
 export type AppSyncGraphQLApiAdditionalAuthenticationProvider = {
+    /**
+     * The authentication type for API key, AWS Identity and Access Management, OIDC, Amazon Cognito user pools, or AWS Lambda.
+     */
     AuthenticationType: string;
     LambdaAuthorizerConfig?: AppSyncGraphQLApiLambdaAuthorizerConfig;
     OpenIDConnectConfig?: AppSyncGraphQLApiOpenIDConnectConfig;
@@ -11299,8 +11373,17 @@ export type AppSyncGraphQLApiAdditionalAuthenticationProvider = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-cognitouserpoolconfig.html}
  */
 export type AppSyncGraphQLApiCognitoUserPoolConfig = {
+    /**
+     * A regular expression for validating the incoming Amazon Cognito user pool app client ID.
+     */
     AppIdClientRegex?: string;
+    /**
+     * The AWS Region in which the user pool was created.
+     */
     AwsRegion?: string;
+    /**
+     * The user pool ID
+     */
     UserPoolId?: string;
 };
 /**
@@ -11308,8 +11391,23 @@ export type AppSyncGraphQLApiCognitoUserPoolConfig = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-enhancedmetricsconfig.html}
  */
 export type AppSyncGraphQLApiEnhancedMetricsConfig = {
+    /**
+       * Controls how data source metrics will be emitted to CloudWatch. Data source metrics include:
+      
+      
+       */
     DataSourceLevelMetricsBehavior: string;
+    /**
+       * Controls how operation metrics will be emitted to CloudWatch. Operation metrics include:
+      
+      
+       */
     OperationLevelMetricsConfig: string;
+    /**
+       * Controls how resolver metrics will be emitted to CloudWatch. Resolver metrics include:
+      
+      
+       */
     ResolverLevelMetricsBehavior: string;
 };
 /**
@@ -11317,8 +11415,17 @@ export type AppSyncGraphQLApiEnhancedMetricsConfig = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-lambdaauthorizerconfig.html}
  */
 export type AppSyncGraphQLApiLambdaAuthorizerConfig = {
+    /**
+     * The number of seconds a response should be cached for.
+     */
     AuthorizerResultTtlInSeconds?: number;
+    /**
+     * The ARN of the Lambda function to be called for authorization.
+     */
     AuthorizerUri?: string;
+    /**
+     * A regular expression for validation of tokens before the Lambda function is called.
+     */
     IdentityValidationExpression?: string;
 };
 /**
@@ -11326,8 +11433,17 @@ export type AppSyncGraphQLApiLambdaAuthorizerConfig = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-logconfig.html}
  */
 export type AppSyncGraphQLApiLogConfig = {
+    /**
+     * The service role that AWS AppSync will assume to publish to Amazon CloudWatch Logs in your account.
+     */
     CloudWatchLogsRoleArn?: string;
+    /**
+     * Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level.
+     */
     ExcludeVerboseContent?: boolean;
+    /**
+     * The field logging level. Values can be NONE, ERROR, INFO, DEBUG, or ALL.
+     */
     FieldLogLevel?: string;
 };
 /**
@@ -11335,9 +11451,23 @@ export type AppSyncGraphQLApiLogConfig = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-openidconnectconfig.html}
  */
 export type AppSyncGraphQLApiOpenIDConnectConfig = {
+    /**
+     * The number of milliseconds that a token is valid after being authenticated.
+     */
     AuthTTL?: number;
+    /**
+     * The client identifier of the Relying party at the OpenID identity provider.
+     */
     ClientId?: string;
+    /**
+       * The number of milliseconds that a token is valid after it's issued to a user.
+      
+      
+       */
     IatTTL?: number;
+    /**
+     * The issuer for the OIDC configuration.
+     */
     Issuer?: string;
 };
 /**
@@ -11353,9 +11483,21 @@ export type AppSyncGraphQLApiTag = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-userpoolconfig.html}
  */
 export type AppSyncGraphQLApiUserPoolConfig = {
+    /**
+     * A regular expression for validating the incoming Amazon Cognito user pool app client ID.
+     */
     AppIdClientRegex?: string;
+    /**
+     * The AWS Region in which the user pool was created.
+     */
     AwsRegion?: string;
+    /**
+     * The action that you want your GraphQL API to take when a request that uses Amazon Cognito user pool authentication doesn't match the Amazon Cognito user pool configuration.
+     */
     DefaultAction?: string;
+    /**
+     * The user pool ID.
+     */
     UserPoolId?: string;
 };
 /**
@@ -13174,7 +13316,7 @@ export type AutoScalingAutoScalingGroupProps = {
     HealthCheckGracePeriod?: number;
     /**
        * A comma-separated value string of one or more health check types.
-       The valid values are ``EC2``, ``ELB``, and ``VPC_LATTICE``. ``EC2`` is the default health check and cannot be disabled. For more information, see [Health checks for instances in an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-health-checks.html) in the *Amazon EC2 Auto Scaling User Guide*.
+       The valid values are ``EC2``, ``EBS``, ``ELB``, and ``VPC_LATTICE``. ``EC2`` is the default health check and cannot be disabled. For more information, see [Health checks for instances in an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-health-checks.html) in the *Amazon EC2 Auto Scaling User Guide*.
        Only specify ``EC2`` if you must clear a value that was previously set.
        */
     HealthCheckType?: string;
@@ -13266,6 +13408,7 @@ export type AutoScalingAutoScalingGroupProps = {
        Valid values: ``Default`` | ``AllocationStrategy`` | ``ClosestToNextInstanceHour`` | ``NewestInstance`` | ``OldestInstance`` | ``OldestLaunchConfiguration`` | ``OldestLaunchTemplate`` | ``arn:aws:lambda:region:account-id:function:my-function:my-alias``
        */
     TerminationPolicies?: string[];
+    TrafficSources?: AutoScalingAutoScalingGroupTrafficSourceIdentifier[];
     /**
        * A list of subnet IDs for a virtual private cloud (VPC) where instances in the Auto Scaling group can be created.
        If this resource specifies public subnets and is also in a VPC that is defined in the same stack template, you must use the [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) to declare a dependency on the [VPC-gateway attachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc-gateway-attachment.html).
@@ -13863,6 +14006,14 @@ export type AutoScalingAutoScalingGroupTotalLocalStorageGBRequest = {
      */
     Min?: number;
 };
+/**
+ * Type definition for `AWS::AutoScaling::AutoScalingGroup.TrafficSourceIdentifier`.
+ * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-autoscaling-autoscalinggroup-trafficsourceidentifier.html}
+ */
+export type AutoScalingAutoScalingGroupTrafficSourceIdentifier = {
+    Identifier: string;
+    Type: string;
+};
 /**
  * Type definition for `AWS::AutoScaling::AutoScalingGroup.VCpuCountRequest`.
  * ``VCpuCountRequest`` is a property of the ``InstanceRequirements`` property of the [AWS::AutoScaling::AutoScalingGroup LaunchTemplateOverrides](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-autoscaling-autoscalinggroup-launchtemplateoverrides.html) property type that describes the minimum and maximum number of vCPUs for an instance type.
@@ -15356,6 +15507,39 @@ export type BackupFrameworkTag = {
      */
     Value?: string;
 };
+/**
+ * Resource Type definition for AWS::Backup::LogicallyAirGappedBackupVault
+ * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-backup-logicallyairgappedbackupvault.html}
+ */
+export type BackupLogicallyAirGappedBackupVaultProps = {
+    AccessPolicy?: Record<string, any> | string;
+    /**
+     * @pattern `^[a-zA-Z0-9\-\_]{2,50}$`
+     */
+    BackupVaultName: string;
+    BackupVaultTags?: Record<string, string>;
+    MaxRetentionDays: number;
+    MinRetentionDays: number;
+    Notifications?: BackupLogicallyAirGappedBackupVaultNotificationObjectType;
+    VaultState?: string;
+    VaultType?: string;
+};
+/**
+ * Attribute type definition for `AWS::Backup::LogicallyAirGappedBackupVault`.
+ * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-backup-logicallyairgappedbackupvault.html#aws-resource-backup-logicallyairgappedbackupvault-return-values}
+ */
+export type BackupLogicallyAirGappedBackupVaultAttributes = {
+    BackupVaultArn: string;
+    EncryptionKeyArn: string;
+};
+/**
+ * Type definition for `AWS::Backup::LogicallyAirGappedBackupVault.NotificationObjectType`.
+ * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-backup-logicallyairgappedbackupvault-notificationobjecttype.html}
+ */
+export type BackupLogicallyAirGappedBackupVaultNotificationObjectType = {
+    BackupVaultEvents: string[];
+    SNSTopicArn: string;
+};
 /**
  * Resource type definition for `AWS::Backup::ReportPlan`.
  * Contains detailed information about a report plan in AWS Backup Audit Manager.
@@ -16463,7 +16647,7 @@ export type BedrockAgentProps = {
      * ARN or name of a Bedrock model.
      * @minLength `1`
      * @maxLength `2048`
-     * @pattern `^arn:aws(-[^:]+)?:bedrock:[a-z0-9-]{1,20}:(([0-9]{12}:custom-model/[a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}(([:][a-z0-9-]{1,63}){0,2})?/[a-z0-9]{12})|(:foundation-model/([a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}([.]?[a-z0-9-]{1,63})([:][a-z0-9-]{1,63}){0,2})))|(([a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}([.]?[a-z0-9-]{1,63})([:][a-z0-9-]{1,63}){0,2}))|(([0-9a-zA-Z][_-]?)+)$`
+     * @pattern `^arn:aws(-[^:]+)?:bedrock:[a-z0-9-]{1,20}:(([0-9]{12}:custom-model/[a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}(([:][a-z0-9-]{1,63}){0,2})?/[a-z0-9]{12})|(:foundation-model/([a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}([.]?[a-z0-9-]{1,63})([:][a-z0-9-]{1,63}){0,2}))|([0-9]{12}:(inference-profile|application-inference-profile)/[a-zA-Z0-9-:.]+))|(([a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}([.]?[a-z0-9-]{1,63})([:][a-z0-9-]{1,63}){0,2}))|(([0-9a-zA-Z][_-]?)+)$`
      */
     FoundationModel?: string;
     /**
@@ -16575,7 +16759,7 @@ export type BedrockAgentActionGroupExecutor = {
  * Action Group Signature for a BuiltIn Action
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-bedrock-agent-actiongroupsignature.html}
  */
-export type BedrockAgentActionGroupSignature = "AMAZON.UserInput";
+export type BedrockAgentActionGroupSignature = "AMAZON.UserInput" | "AMAZON.CodeInterpreter";
 /**
  * Type definition for `AWS::Bedrock::Agent.ActionGroupState`.
  * State of the action group
@@ -29693,20 +29877,13 @@ export type CognitoUserPoolGroupProps = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html}
  */
 export type CognitoUserPoolIdentityProviderProps = {
-    AttributeMapping?: Record<string, any>;
+    AttributeMapping?: Record<string, string>;
     IdpIdentifiers?: string[];
-    ProviderDetails?: Record<string, any>;
+    ProviderDetails: Record<string, string>;
     ProviderName: string;
     ProviderType: string;
     UserPoolId: string;
 };
-/**
- * Attribute type definition for `AWS::Cognito::UserPoolIdentityProvider`.
- * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#aws-resource-cognito-userpoolidentityprovider-return-values}
- */
-export type CognitoUserPoolIdentityProviderAttributes = {
-    Id: string;
-};
 /**
  * Resource Type definition for AWS::Cognito::UserPoolResourceServer
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html}
@@ -42996,6 +43173,7 @@ export type EC2CapacityReservationProps = {
     PlacementGroupArn?: string;
     TagSpecifications?: EC2CapacityReservationTagSpecification[];
     Tenancy?: string;
+    UnusedReservationBillingOwnerId?: string;
 };
 /**
  * Attribute type definition for `AWS::EC2::CapacityReservation`.
@@ -50709,7 +50887,8 @@ export type EC2VPCDHCPOptionsAssociationProps = {
 export type EC2VPCEndpointProps = {
     /**
        * An endpoint policy, which controls access to the service from the VPC. The default endpoint policy allows full access to the service. Endpoint policies are supported only for gateway and interface endpoints.
-       For CloudFormation templates in YAML, you can provide the policy in JSON or YAML format. CFNlong converts YAML policies to JSON format before calling the API to create or modify the VPC endpoint.
+       For CloudFormation templates in YAML, you can provide the policy in JSON or YAML format. For example, if you have a JSON policy, you can convert it to YAML before including it in the YAML template, and CFNlong converts the policy to JSON format before calling the API actions for privatelink. Alternatively, you can include the JSON directly in the YAML, as shown in the following ``Properties`` section:
+       ``Properties: VpcEndpointType: 'Interface' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' PolicyDocument: '{ "Version":"2012-10-17", "Statement": [{ "Effect":"Allow", "Principal":"*", "Action":["logs:Describe*","logs:Get*","logs:List*","logs:FilterLogEvents"], "Resource":"*" }] }'``
        */
     PolicyDocument?: string | Record<string, any>;
     /**
@@ -50981,60 +51160,100 @@ export type EC2VPNConnectionAttributes = {
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.CloudwatchLogOptionsSpecification`.
+ * Options for sending VPN tunnel logs to CloudWatch.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification.html}
  */
 export type EC2VPNConnectionCloudwatchLogOptionsSpecification = {
+    /**
+       * Enable or disable VPN tunnel logging feature. Default value is ``False``.
+       Valid values: ``True`` | ``False``
+       */
     LogEnabled?: boolean;
+    /**
+     * The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
+     */
     LogGroupArn?: string;
+    /**
+       * Set log format. Default format is ``json``.
+       Valid values: ``json`` | ``text``
+       */
     LogOutputFormat?: "json" | "text";
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.IKEVersionsRequestListValue`.
+ * The IKE version that is permitted for the VPN tunnel.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue.html}
  */
 export type EC2VPNConnectionIKEVersionsRequestListValue = {
+    /**
+     * The IKE version.
+     */
     Value?: "ikev1" | "ikev2";
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.Phase1DHGroupNumbersRequestListValue`.
+ * Specifies a Diffie-Hellman group number for the VPN tunnel for phase 1 IKE negotiations.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue.html}
  */
 export type EC2VPNConnectionPhase1DHGroupNumbersRequestListValue = {
+    /**
+     * The Diffie-Hellmann group number.
+     */
     Value?: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24;
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.Phase1EncryptionAlgorithmsRequestListValue`.
+ * Specifies the encryption algorithm for the VPN tunnel for phase 1 IKE negotiations.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue.html}
  */
 export type EC2VPNConnectionPhase1EncryptionAlgorithmsRequestListValue = {
+    /**
+     * The value for the encryption algorithm.
+     */
     Value?: "AES128" | "AES256" | "AES128-GCM-16" | "AES256-GCM-16";
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.Phase1IntegrityAlgorithmsRequestListValue`.
+ * Specifies the integrity algorithm for the VPN tunnel for phase 1 IKE negotiations.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue.html}
  */
 export type EC2VPNConnectionPhase1IntegrityAlgorithmsRequestListValue = {
+    /**
+     * The value for the integrity algorithm.
+     */
     Value?: "SHA1" | "SHA2-256" | "SHA2-384" | "SHA2-512";
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.Phase2DHGroupNumbersRequestListValue`.
+ * Specifies a Diffie-Hellman group number for the VPN tunnel for phase 2 IKE negotiations.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue.html}
  */
 export type EC2VPNConnectionPhase2DHGroupNumbersRequestListValue = {
+    /**
+     * The Diffie-Hellmann group number.
+     */
     Value?: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24;
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.Phase2EncryptionAlgorithmsRequestListValue`.
+ * Specifies the encryption algorithm for the VPN tunnel for phase 2 IKE negotiations.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue.html}
  */
 export type EC2VPNConnectionPhase2EncryptionAlgorithmsRequestListValue = {
+    /**
+     * The encryption algorithm.
+     */
     Value?: "AES128" | "AES256" | "AES128-GCM-16" | "AES256-GCM-16";
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.Phase2IntegrityAlgorithmsRequestListValue`.
+ * Specifies the integrity algorithm for the VPN tunnel for phase 2 IKE negotiations.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue.html}
  */
 export type EC2VPNConnectionPhase2IntegrityAlgorithmsRequestListValue = {
+    /**
+     * The integrity algorithm.
+     */
     Value?: "SHA1" | "SHA2-256" | "SHA2-384" | "SHA2-512";
 };
 /**
@@ -51054,9 +51273,13 @@ export type EC2VPNConnectionTag = {
 };
 /**
  * Type definition for `AWS::EC2::VPNConnection.VpnTunnelLogOptionsSpecification`.
+ * Options for logging VPN tunnel activity.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification.html}
  */
 export type EC2VPNConnectionVpnTunnelLogOptionsSpecification = {
+    /**
+     * Options for sending VPN tunnel logs to CloudWatch.
+     */
     CloudwatchLogOptions?: EC2VPNConnectionCloudwatchLogOptionsSpecification;
 };
 /**
@@ -51065,29 +51288,77 @@ export type EC2VPNConnectionVpnTunnelLogOptionsSpecification = {
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html}
  */
 export type EC2VPNConnectionVpnTunnelOptionsSpecification = {
+    /**
+       * The action to take after DPD timeout occurs. Specify ``restart`` to restart the IKE initiation. Specify ``clear`` to end the IKE session.
+       Valid Values: ``clear`` | ``none`` | ``restart``
+       Default: ``clear``
+       */
     DPDTimeoutAction?: "clear" | "none" | "restart";
     /**
-     * @min `30`
-     */
+       * The number of seconds after which a DPD timeout occurs.
+       Constraints: A value greater than or equal to 30.
+       Default: ``30``
+       * @min `30`
+       */
     DPDTimeoutSeconds?: number;
+    /**
+     * Turn on or off tunnel endpoint lifecycle control feature.
+     */
     EnableTunnelLifecycleControl?: boolean;
+    /**
+       * The IKE versions that are permitted for the VPN tunnel.
+       Valid values: ``ikev1`` | ``ikev2``
+       */
     IKEVersions?: EC2VPNConnectionIKEVersionsRequestListValue[];
+    /**
+     * Options for logging VPN tunnel activity.
+     */
     LogOptions?: EC2VPNConnectionVpnTunnelLogOptionsSpecification;
+    /**
+       * One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations.
+       Valid values: ``2`` | ``14`` | ``15`` | ``16`` | ``17`` | ``18`` | ``19`` | ``20`` | ``21`` | ``22`` | ``23`` | ``24``
+       */
     Phase1DHGroupNumbers?: EC2VPNConnectionPhase1DHGroupNumbersRequestListValue[];
+    /**
+       * One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
+       Valid values: ``AES128`` | ``AES256`` | ``AES128-GCM-16`` | ``AES256-GCM-16``
+       */
     Phase1EncryptionAlgorithms?: EC2VPNConnectionPhase1EncryptionAlgorithmsRequestListValue[];
+    /**
+       * One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
+       Valid values: ``SHA1`` | ``SHA2-256`` | ``SHA2-384`` | ``SHA2-512``
+       */
     Phase1IntegrityAlgorithms?: EC2VPNConnectionPhase1IntegrityAlgorithmsRequestListValue[];
     /**
-     * @min `900`
-     * @max `28800`
-     */
+       * The lifetime for phase 1 of the IKE negotiation, in seconds.
+       Constraints: A value between 900 and 28,800.
+       Default: ``28800``
+       * @min `900`
+       * @max `28800`
+       */
     Phase1LifetimeSeconds?: number;
+    /**
+       * One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations.
+       Valid values: ``2`` | ``5`` | ``14`` | ``15`` | ``16`` | ``17`` | ``18`` | ``19`` | ``20`` | ``21`` | ``22`` | ``23`` | ``24``
+       */
     Phase2DHGroupNumbers?: EC2VPNConnectionPhase2DHGroupNumbersRequestListValue[];
+    /**
+       * One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
+       Valid values: ``AES128`` | ``AES256`` | ``AES128-GCM-16`` | ``AES256-GCM-16``
+       */
     Phase2EncryptionAlgorithms?: EC2VPNConnectionPhase2EncryptionAlgorithmsRequestListValue[];
+    /**
+       * One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
+       Valid values: ``SHA1`` | ``SHA2-256`` | ``SHA2-384`` | ``SHA2-512``
+       */
     Phase2IntegrityAlgorithms?: EC2VPNConnectionPhase2IntegrityAlgorithmsRequestListValue[];
     /**
-     * @min `900`
-     * @max `3600`
-     */
+       * The lifetime for phase 2 of the IKE negotiation, in seconds.
+       Constraints: A value between 900 and 3,600. The value must be less than the value for ``Phase1LifetimeSeconds``.
+       Default: ``3600``
+       * @min `900`
+       * @max `3600`
+       */
     Phase2LifetimeSeconds?: number;
     /**
        * The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway.
@@ -51095,19 +51366,33 @@ export type EC2VPNConnectionVpnTunnelOptionsSpecification = {
        */
     PreSharedKey?: string;
     /**
-     * @min `0`
-     * @max `100`
-     */
+       * The percentage of the rekey window (determined by ``RekeyMarginTimeSeconds``) during which the rekey time is randomly selected.
+       Constraints: A value between 0 and 100.
+       Default: ``100``
+       * @min `0`
+       * @max `100`
+       */
     RekeyFuzzPercentage?: number;
     /**
-     * @min `60`
-     */
+       * The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for ``RekeyFuzzPercentage``.
+       Constraints: A value between 60 and half of ``Phase2LifetimeSeconds``.
+       Default: ``270``
+       * @min `60`
+       */
     RekeyMarginTimeSeconds?: number;
     /**
-     * @min `64`
-     * @max `2048`
-     */
+       * The number of packets in an IKE replay window.
+       Constraints: A value between 64 and 2048.
+       Default: ``1024``
+       * @min `64`
+       * @max `2048`
+       */
     ReplayWindowSize?: number;
+    /**
+       * The action to take when the establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify ``start`` for AWS to initiate the IKE negotiation.
+       Valid Values: ``add`` | ``start``
+       Default: ``add``
+       */
     StartupAction?: "add" | "start";
     /**
        * The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.
@@ -51121,6 +51406,10 @@ export type EC2VPNConnectionVpnTunnelOptionsSpecification = {
         +   ``169.254.169.252/30``
        */
     TunnelInsideCidr?: string;
+    /**
+       * The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway.
+       Constraints: A size /126 CIDR block from the local ``fd00::/8`` range.
+       */
     TunnelInsideIpv6Cidr?: string;
 };
 /**
@@ -52345,8 +52634,17 @@ export type ECSServiceLogConfiguration = {
        */
     LogDriver?: string;
     /**
-     * The configuration options to send to the log driver. This parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: ``sudo docker version --format '{{.Server.APIVersion}}'``
-     */
+       * The configuration options to send to the log driver.
+       The options you can specify depend on the log driver. Some of the options you can specify when you use the ``awslogs`` log driver to route logs to Amazon CloudWatch include the following:
+        + awslogs-create-group Required: No Specify whether you want the log group to be created automatically. If this option isn't specified, it defaults to false. Your IAM policy must include the logs:CreateLogGroup permission before you attempt to use awslogs-create-group. + awslogs-region Required: Yes Specify the Region that the awslogs log driver is to send your Docker logs to. You can choose to send all of your logs from clusters in different Regions to a single region in CloudWatch Logs. This is so that they're all visible in one location. Otherwise, you can separate them by Region for more granularity. Make sure that the specified log group exists in the Region that you specify with this option. + awslogs-group Required: Yes Make sure to specify a log group that the awslogs log driver sends its log streams to. + awslogs-stream-prefix Required: Yes, when using the Fargate launch type.Optional for the EC2 launch type, required for the Fargate launch type. Use the awslogs-stream-prefix option to associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to. If you specify a prefix with this option, then the log stream takes the format prefix-name/container-name/ecs-task-id. If you don't specify a prefix with this option, then the log stream is named after the container ID that's assigned by the Docker daemon on the container instance. Because it's difficult to trace logs back to the container that sent them with just the Docker container ID (which is only available on the container instance), we recommend that you specify a prefix with this option. For Amazon ECS services, you can use the service name as the prefix. Doing so, you can trace log streams to the service that the container belongs to, the name of the container that sent them, and the ID of the task that the container belongs to. You must specify a stream-prefix for your logs to have your logs appear in the Log pane when using the Amazon ECS console. + awslogs-datetime-format Required: No This option defines a multiline start pattern in Python strftime format. A log message consists of a line that matches the pattern and any following lines that don’t match the pattern. The matched line is the delimiter between log messages. One example of a use case for using this format is for parsing output such as a stack dump, which might otherwise be logged in multiple entries. The correct pattern allows it to be captured in a single entry. For more information, see awslogs-datetime-format. You cannot configure both the awslogs-datetime-format and awslogs-multiline-pattern options. Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance. + awslogs-multiline-pattern Required: No This option defines a multiline start pattern that uses a regular expression. A log message consists of a line that matches the pattern and any following lines that don’t match the pattern. The matched line is the delimiter between log messages. For more information, see awslogs-multiline-pattern. This option is ignored if awslogs-datetime-format is also configured. You cannot configure both the awslogs-datetime-format and awslogs-multiline-pattern options. Multiline logging performs regular expression parsing and matching of all log messages. This might have a negative impact on logging performance. + mode Required: No Valid values: non-blocking | blocking This option defines the delivery mode of log messages from the container to CloudWatch Logs. The delivery mode you choose affects application availability when the flow of logs from container to CloudWatch is interrupted. If you use the blocking mode and the flow of logs to CloudWatch is interrupted, calls from container code to write to the stdout and stderr streams will block. The logging thread of the application will block as a result. This may cause the application to become unresponsive and lead to container healthcheck failure. If you use the non-blocking mode, the container's logs are instead stored in an in-memory intermediate buffer configured with the max-buffer-size option. This prevents the application from becoming unresponsive when logs cannot be sent to CloudWatch. We recommend using this mode if you want to ensure service availability and are okay with some log loss. For more information, see Preventing log loss with non-blocking mode in the awslogs container log driver. + max-buffer-size Required: No Default value: 1m When non-blocking mode is used, the max-buffer-size log option controls the size of the buffer that's used for intermediate message storage. Make sure to specify an adequate buffer size based on your application. When the buffer fills up, further logs cannot be stored. Logs that cannot be stored are lost.
+       To route logs using the ``splunk`` log router, you need to specify a ``splunk-token`` and a ``splunk-url``.
+       When you use the ``awsfirelens`` log router to route logs to an AWS Service or AWS Partner Network destination for log storage and analytics, you can set the ``log-driver-buffer-limit`` option to limit the number of events that are buffered in memory, before being sent to the log router container. It can help to resolve potential log loss issue because high throughput might result in memory running out for the buffer inside of Docker.
+       Other options you can specify when using ``awsfirelens`` to route logs depend on the destination. When you export logs to Amazon Data Firehose, you can specify the AWS Region with ``region`` and a name for the log stream with ``delivery_stream``.
+       When you export logs to Amazon Kinesis Data Streams, you can specify an AWS Region with ``region`` and a data stream name with ``stream``.
+        When you export logs to Amazon OpenSearch Service, you can specify options like ``Name``, ``Host`` (OpenSearch Service endpoint without protocol), ``Port``, ``Index``, ``Type``, ``Aws_auth``, ``Aws_region``, ``Suppress_Type_Name``, and ``tls``.
+       When you export logs to Amazon S3, you can specify the bucket using the ``bucket`` option. You can also specify ``region``, ``total_file_size``, ``upload_timeout``, and ``use_put_object`` as options.
+       This parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: ``sudo docker version --format '{{.Server.APIVersion}}'``
+       */
     Options?: Record<string, string>;
     /**
      * The secrets to pass to the log configuration. For more information, see [Specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the *Amazon Elastic Container Service Developer Guide*.
@@ -55329,6 +55627,10 @@ export type ElastiCacheGlobalReplicationGroupProps = {
      * Cache parameter group name to use for the new engine version. This parameter cannot be modified independently.
      */
     CacheParameterGroupName?: string;
+    /**
+     * The engine of the Global Datastore.
+     */
+    Engine?: string;
     /**
      * The engine version of the Global Datastore.
      */
@@ -70432,7 +70734,7 @@ export type ImageBuilderComponentProps = {
     /**
      * The platform of the component.
      */
-    Platform: "Windows" | "Linux";
+    Platform: "Windows" | "Linux" | "macOS";
     /**
      * The operating system (OS) version supported by the component.
      */
@@ -71409,6 +71711,10 @@ export type ImageBuilderInfrastructureConfigurationProps = {
      * The name of the infrastructure configuration.
      */
     Name: string;
+    /**
+     * The placement option settings for the infrastructure configuration.
+     */
+    Placement?: ImageBuilderInfrastructureConfigurationPlacement;
     /**
      * The tags attached to the resource created by Image Builder.
      */
@@ -71470,6 +71776,29 @@ export type ImageBuilderInfrastructureConfigurationLogging = {
      */
     S3Logs?: ImageBuilderInfrastructureConfigurationS3Logs;
 };
+/**
+ * Type definition for `AWS::ImageBuilder::InfrastructureConfiguration.Placement`.
+ * The placement options
+ * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-imagebuilder-infrastructureconfiguration-placement.html}
+ */
+export type ImageBuilderInfrastructureConfigurationPlacement = {
+    /**
+     * AvailabilityZone
+     */
+    AvailabilityZone?: string;
+    /**
+     * HostId
+     */
+    HostId?: string;
+    /**
+     * HostResourceGroupArn
+     */
+    HostResourceGroupArn?: string;
+    /**
+     * Tenancy
+     */
+    Tenancy?: "default" | "dedicated" | "host";
+};
 /**
  * Type definition for `AWS::ImageBuilder::InfrastructureConfiguration.S3Logs`.
  * The S3 path in which to store the logs.
@@ -81434,14 +81763,14 @@ export type IVSEncoderConfigurationProps = {
          */
         Framerate?: number;
         /**
-         * Video-resolution height. Note that the maximum value is determined by width times height, such that the maximum total pixels is 2073600 (1920x1080 or 1080x1920). Default: 720.
-         * @min `1`
+         * Video-resolution height. This must be an even number. Note that the maximum value is determined by width times height, such that the maximum total pixels is 2073600 (1920x1080 or 1080x1920). Default: 720.
+         * @min `2`
          * @max `1920`
          */
         Height?: number;
         /**
-         * Video-resolution width. Note that the maximum value is determined by width times height, such that the maximum total pixels is 2073600 (1920x1080 or 1080x1920). Default: 1280.
-         * @min `1`
+         * Video-resolution width. This must be an even number. Note that the maximum value is determined by width times height, such that the maximum total pixels is 2073600 (1920x1080 or 1080x1920). Default: 1280.
+         * @min `2`
          * @max `1920`
          */
         Width?: number;
@@ -102238,6 +102567,10 @@ export type MemoryDBClusterProps = {
      * An optional description of the cluster.
      */
     Description?: string;
+    /**
+     * The engine type used by the cluster.
+     */
+    Engine?: string;
     /**
      * The Redis engine version used by the cluster.
      */
@@ -144476,8 +144809,8 @@ export type RefactorSpacesEnvironmentProps = {
      * @maxLength `63`
      * @pattern `^(?!env-)[a-zA-Z0-9]+[a-zA-Z0-9-_ ]+$`
      */
-    Name: string;
-    NetworkFabricType: RefactorSpacesEnvironmentNetworkFabricType;
+    Name?: string;
+    NetworkFabricType?: RefactorSpacesEnvironmentNetworkFabricType;
     /**
      * Metadata that you can assign to help organize the frameworks that you create. Each tag is a key-value pair.
      */
@@ -149604,32 +149937,41 @@ export type S3BucketS3KeyFilter = {
 };
 /**
  * Type definition for `AWS::S3::Bucket.ServerSideEncryptionByDefault`.
- * Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference*.
-  If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
+ * Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html).
+   +   *General purpose buckets* - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key (``aws/s3``) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
+  +   *Directory buckets* - Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket for the lifetime of the bucket. The [managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) (``aws/s3``) isn't supported.
+  +   *Directory buckets* - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html}
  */
 export type S3BucketServerSideEncryptionByDefault = {
     /**
-       * AWS Key Management Service (KMS) customer AWS KMS key ID to use for the default encryption. This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse``.
-       You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
+       * AWS Key Management Service (KMS) customer managed key ID to use for the default encryption.
+         +   *General purpose buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms`` or ``aws:kms:dsse``.
+        +   *Directory buckets* - This parameter is allowed if and only if ``SSEAlgorithm`` is set to ``aws:kms``.
+        
+        You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS key.
         +  Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab``
         +  Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab``
         +  Key Alias: ``alias/alias-name``
         
-       If you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
-       If you are using encryption with cross-account or AWS service operations you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy).
-        Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *Key Management Service Developer Guide*.
+       If you are using encryption with cross-account or AWS service operations, you must use a fully qualified KMS key ARN. For more information, see [Using encryption for cross-account operations](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-update-bucket-policy).
+         +   *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. Also, if you use a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow log.
+        +   *Directory buckets* - When you specify an [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
+        
+         Amazon S3 only supports symmetric encryption KMS keys. For more information, see [Asymmetric keys in KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html) in the *Key Management Service Developer Guide*.
        */
     KMSMasterKeyID?: string;
     /**
-     * Server-side encryption algorithm to use for the default encryption.
-     */
+       * Server-side encryption algorithm to use for the default encryption.
+        For directory buckets, there are only two supported values for server-side encryption: ``AES256`` and ``aws:kms``.
+       */
     SSEAlgorithm: "aws:kms" | "AES256" | "aws:kms:dsse";
 };
 /**
  * Type definition for `AWS::S3::Bucket.ServerSideEncryptionRule`.
  * Specifies the default server-side encryption configuration.
-  If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
+   +   *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
+  +   *Directory buckets* - When you specify an [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
  * @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionrule.html}
  */
 export type S3BucketServerSideEncryptionRule = {
@@ -176063,6 +176405,7 @@ export interface ResourceTypes {
     "AWS::Backup::BackupSelection": BackupBackupSelectionProps;
     "AWS::Backup::BackupVault": BackupBackupVaultProps;
     "AWS::Backup::Framework": BackupFrameworkProps;
+    "AWS::Backup::LogicallyAirGappedBackupVault": BackupLogicallyAirGappedBackupVaultProps;
     "AWS::Backup::ReportPlan": BackupReportPlanProps;
     "AWS::Backup::RestoreTestingPlan": BackupRestoreTestingPlanProps;
     "AWS::Backup::RestoreTestingSelection": BackupRestoreTestingSelectionProps;
@@ -177362,6 +177705,7 @@ export interface AttributeTypes {
     "AWS::Backup::BackupSelection": BackupBackupSelectionAttributes;
     "AWS::Backup::BackupVault": BackupBackupVaultAttributes;
     "AWS::Backup::Framework": BackupFrameworkAttributes;
+    "AWS::Backup::LogicallyAirGappedBackupVault": BackupLogicallyAirGappedBackupVaultAttributes;
     "AWS::Backup::ReportPlan": BackupReportPlanAttributes;
     "AWS::Backup::RestoreTestingPlan": BackupRestoreTestingPlanAttributes;
     "AWS::BackupGateway::Hypervisor": BackupGatewayHypervisorAttributes;
@@ -177466,7 +177810,6 @@ export interface AttributeTypes {
     "AWS::Cognito::UserPool": CognitoUserPoolAttributes;
     "AWS::Cognito::UserPoolClient": CognitoUserPoolClientAttributes;
     "AWS::Cognito::UserPoolDomain": CognitoUserPoolDomainAttributes;
-    "AWS::Cognito::UserPoolIdentityProvider": CognitoUserPoolIdentityProviderAttributes;
     "AWS::Comprehend::DocumentClassifier": ComprehendDocumentClassifierAttributes;
     "AWS::Comprehend::Flywheel": ComprehendFlywheelAttributes;
     "AWS::Config::AggregationAuthorization": ConfigAggregationAuthorizationAttributes;
@@ -178548,6 +178891,7 @@ export declare const ResourceType: {
     readonly BackupBackupSelection: "AWS::Backup::BackupSelection";
     readonly BackupBackupVault: "AWS::Backup::BackupVault";
     readonly BackupFramework: "AWS::Backup::Framework";
+    readonly BackupLogicallyAirGappedBackupVault: "AWS::Backup::LogicallyAirGappedBackupVault";
     readonly BackupReportPlan: "AWS::Backup::ReportPlan";
     readonly BackupRestoreTestingPlan: "AWS::Backup::RestoreTestingPlan";
     readonly BackupRestoreTestingSelection: "AWS::Backup::RestoreTestingSelection";