@pulumi/aws 7.0.0-alpha.1 → 7.0.0-alpha.3

package/types/output.d.ts

@@ -32,33 +32,63 @@ export interface GetRegionsFilter {
 export declare namespace accessanalyzer {
     interface AnalyzerConfiguration {
         /**
-         * A block that specifies the configuration of an unused access analyzer for an AWS organization or account. Documented below
+         * Specifies the configuration of an internal access analyzer for an AWS organization or account. This configuration determines how the analyzer evaluates access within your AWS environment. See `internalAccess` Block for details.
+         */
+        internalAccess?: outputs.accessanalyzer.AnalyzerConfigurationInternalAccess;
+        /**
+         * Specifies the configuration of an unused access analyzer for an AWS organization or account. See `unusedAccess` Block for details.
          */
         unusedAccess?: outputs.accessanalyzer.AnalyzerConfigurationUnusedAccess;
     }
+    interface AnalyzerConfigurationInternalAccess {
+        /**
+         * Information about analysis rules for the internal access analyzer. These rules determine which resources and access patterns will be analyzed. See `analysisRule` Block for Internal Access Analyzer for details.
+         */
+        analysisRule?: outputs.accessanalyzer.AnalyzerConfigurationInternalAccessAnalysisRule;
+    }
+    interface AnalyzerConfigurationInternalAccessAnalysisRule {
+        /**
+         * List of rules for the internal access analyzer containing criteria to include in analysis. Only resources that meet the rule criteria will generate findings. See `inclusion` Block for details.
+         */
+        inclusions?: outputs.accessanalyzer.AnalyzerConfigurationInternalAccessAnalysisRuleInclusion[];
+    }
+    interface AnalyzerConfigurationInternalAccessAnalysisRuleInclusion {
+        /**
+         * List of AWS account IDs to apply to the internal access analysis rule criteria. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.
+         */
+        accountIds?: string[];
+        /**
+         * List of resource ARNs to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources that match these ARNs.
+         */
+        resourceArns?: string[];
+        /**
+         * List of resource types to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources of these types. Refer to [InternalAccessAnalysisRuleCriteria](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessAnalysisRuleCriteria.html) in the AWS IAM Access Analyzer API Reference for valid values.
+         */
+        resourceTypes?: string[];
+    }
     interface AnalyzerConfigurationUnusedAccess {
         /**
-         * A block for analysis rules. Documented below
+         * Information about analysis rules for the analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule. See `analysisRule` Block for Unused Access Analyzer for details.
          */
         analysisRule?: outputs.accessanalyzer.AnalyzerConfigurationUnusedAccessAnalysisRule;
         /**
-         * The specified access age in days for which to generate findings for unused access.
+         * Specified access age in days for which to generate findings for unused access.
          */
         unusedAccessAge?: number;
     }
     interface AnalyzerConfigurationUnusedAccessAnalysisRule {
         /**
-         * A block for the analyzer rules containing criteria to exclude from analysis. Documented below
+         * List of rules for the analyzer containing criteria to exclude from analysis. Entities that meet the rule criteria will not generate findings. See `exclusion` Block for details.
          */
         exclusions?: outputs.accessanalyzer.AnalyzerConfigurationUnusedAccessAnalysisRuleExclusion[];
     }
     interface AnalyzerConfigurationUnusedAccessAnalysisRuleExclusion {
         /**
-         * A list of account IDs to exclude from the analysis.
+         * List of AWS account IDs to apply to the analysis rule criteria. The accounts cannot include the organization analyzer owner account. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.
          */
         accountIds?: string[];
         /**
-         * A list of key-value pairs for resource tags to exclude from the analysis.
+         * List of key-value pairs for resource tags to exclude from the analysis.
          */
         resourceTags?: {
             [key: string]: string;
@@ -1225,6 +1255,12 @@ export declare namespace amplify {
          */
         target: string;
     }
+    interface AppJobConfig {
+        /**
+         * Size of the build instance. Valid values: `STANDARD_8GB`, `LARGE_16GB`, and `XLARGE_72GB`. Default: `STANDARD_8GB`.
+         */
+        buildComputeType: string;
+    }
     interface AppProductionBranch {
         /**
          * Branch name for the production branch.
@@ -16159,6 +16195,10 @@ export declare namespace codebuild {
          * the [CodeBuild User Guide](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html).
          */
         computeType: string;
+        /**
+         * Configuration block. Detailed below.
+         */
+        dockerServer?: outputs.codebuild.ProjectEnvironmentDockerServer;
         /**
          * Configuration block. Detailed below.
          */
@@ -16198,6 +16238,16 @@ export declare namespace codebuild {
          */
         type: string;
     }
+    interface ProjectEnvironmentDockerServer {
+        /**
+         * Compute type for the Docker server. Valid values: `BUILD_GENERAL1_SMALL`, `BUILD_GENERAL1_MEDIUM`, `BUILD_GENERAL1_LARGE`, `BUILD_GENERAL1_XLARGE`, and `BUILD_GENERAL1_2XLARGE`.
+         */
+        computeType: string;
+        /**
+         * List of security group IDs to assign to the Docker server.
+         */
+        securityGroupIds?: string[];
+    }
     interface ProjectEnvironmentEnvironmentVariable {
         /**
          * Environment variable's name or key.
@@ -60991,25 +61041,23 @@ export declare namespace lightsail {
          */
         cidrListAliases: string[];
         /**
-         * Set of CIDR blocks.
+         * Set of IPv4 addresses or ranges of IPv4 addresses (in CIDR notation) that are allowed to connect to an instance through the ports, and the protocol.
          */
         cidrs: string[];
         /**
-         * First port in a range of open ports on an instance.
+         * First port in a range of open ports on an instance. See [PortInfo](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_PortInfo.html) for details.
          */
         fromPort: number;
         /**
-         * Set of IPv6 CIDR blocks.
+         * Set of IPv6 addresses or ranges of IPv6 addresses (in CIDR notation) that are allowed to connect to an instance through the ports, and the protocol.
          */
         ipv6Cidrs: string[];
         /**
-         * IP protocol name. Valid values: `tcp`, `all`, `udp`, `icmp`.
+         * IP protocol name. Valid values: `tcp`, `all`, `udp`, `icmp`, `icmpv6`. See [PortInfo](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_PortInfo.html) for details.
          */
         protocol: string;
         /**
-         * Last port in a range of open ports on an instance.
-         *
-         * The following arguments are optional:
+         * Last port in a range of open ports on an instance. See [PortInfo](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_PortInfo.html) for details.
          */
         toPort: number;
     }
@@ -65409,6 +65457,12 @@ export declare namespace networkfirewall {
         tcpIdleTimeoutSeconds?: number;
     }
     interface FirewallPolicyFirewallPolicyStatefulRuleGroupReference {
+        /**
+         * Whether to enable deep threat inspection, which allows AWS to analyze service logs of network traffic processed by these rule groups to identify threat indicators across customers. AWS will use these threat indicators to improve the active threat defense managed rule groups and protect the security of AWS customers and services. This only applies to active threat defense maanaged rule groups.
+         *
+         * For details, refer to [AWS active threat defense for AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-atd.html) in the AWS Network Firewall Developer Guide.
+         */
+        deepThreatInspection: string;
         /**
          * Configuration block for override values
          */
@@ -65574,6 +65628,7 @@ export declare namespace networkfirewall {
         streamExceptionPolicy: string;
     }
     interface GetFirewallPolicyFirewallPolicyStatefulRuleGroupReference {
+        deepThreatInspection: string;
         overrides?: outputs.networkfirewall.GetFirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverride[];
         priority: number;
         resourceArn: string;
@@ -73223,6 +73278,58 @@ export declare namespace s3 {
          */
         id: string;
     }
+    interface BucketAclV2AccessControlPolicy {
+        /**
+         * Set of `grant` configuration blocks. See below.
+         */
+        grants?: outputs.s3.BucketAclV2AccessControlPolicyGrant[];
+        /**
+         * Configuration block for the bucket owner's display name and ID. See below.
+         */
+        owner: outputs.s3.BucketAclV2AccessControlPolicyOwner;
+    }
+    interface BucketAclV2AccessControlPolicyGrant {
+        /**
+         * Configuration block for the person being granted permissions. See below.
+         */
+        grantee?: outputs.s3.BucketAclV2AccessControlPolicyGrantGrantee;
+        /**
+         * Logging permissions assigned to the grantee for the bucket. Valid values: `FULL_CONTROL`, `WRITE`, `WRITE_ACP`, `READ`, `READ_ACP`. See [What permissions can I grant?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#permissions) for more details about what each permission means in the context of buckets.
+         */
+        permission: string;
+    }
+    interface BucketAclV2AccessControlPolicyGrantGrantee {
+        /**
+         * Display name of the owner.
+         */
+        displayName: string;
+        /**
+         * Email address of the grantee. See [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) for supported AWS regions where this argument can be specified.
+         */
+        emailAddress?: string;
+        /**
+         * Canonical user ID of the grantee.
+         */
+        id?: string;
+        /**
+         * Type of grantee. Valid values: `CanonicalUser`, `AmazonCustomerByEmail`, `Group`.
+         */
+        type: string;
+        /**
+         * URI of the grantee group.
+         */
+        uri?: string;
+    }
+    interface BucketAclV2AccessControlPolicyOwner {
+        /**
+         * Display name of the owner.
+         */
+        displayName: string;
+        /**
+         * ID of the owner.
+         */
+        id: string;
+    }
     interface BucketCorsConfigurationCorsRule {
         /**
          * Set of Headers that are specified in the `Access-Control-Request-Headers` header.
@@ -73249,6 +73356,32 @@ export declare namespace s3 {
          */
         maxAgeSeconds?: number;
     }
+    interface BucketCorsConfigurationV2CorsRule {
+        /**
+         * Set of Headers that are specified in the `Access-Control-Request-Headers` header.
+         */
+        allowedHeaders?: string[];
+        /**
+         * Set of HTTP methods that you allow the origin to execute. Valid values are `GET`, `PUT`, `HEAD`, `POST`, and `DELETE`.
+         */
+        allowedMethods: string[];
+        /**
+         * Set of origins you want customers to be able to access the bucket from.
+         */
+        allowedOrigins: string[];
+        /**
+         * Set of headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript `XMLHttpRequest` object).
+         */
+        exposeHeaders?: string[];
+        /**
+         * Unique identifier for the rule. The value cannot be longer than 255 characters.
+         */
+        id?: string;
+        /**
+         * Time in seconds that your browser is to cache the preflight response for the specified resource.
+         */
+        maxAgeSeconds?: number;
+    }
     interface BucketCorsRule {
         /**
          * List of headers allowed.
@@ -73480,6 +73613,175 @@ export declare namespace s3 {
          */
         update?: string;
     }
+    interface BucketLifecycleConfigurationV2Rule {
+        /**
+         * Configuration block that specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload. See below.
+         */
+        abortIncompleteMultipartUpload?: outputs.s3.BucketLifecycleConfigurationV2RuleAbortIncompleteMultipartUpload;
+        /**
+         * Configuration block that specifies the expiration for the lifecycle of the object in the form of date, days and, whether the object has a delete marker. See below.
+         */
+        expiration?: outputs.s3.BucketLifecycleConfigurationV2RuleExpiration;
+        /**
+         * Configuration block used to identify objects that a Lifecycle Rule applies to.
+         * See below.
+         * If not specified, the `rule` will default to using `prefix`.
+         * One of `filter` or `prefix` should be specified.
+         */
+        filter?: outputs.s3.BucketLifecycleConfigurationV2RuleFilter;
+        /**
+         * Unique identifier for the rule. The value cannot be longer than 255 characters.
+         */
+        id: string;
+        /**
+         * Configuration block that specifies when noncurrent object versions expire. See below.
+         */
+        noncurrentVersionExpiration?: outputs.s3.BucketLifecycleConfigurationV2RuleNoncurrentVersionExpiration;
+        /**
+         * Set of configuration blocks that specify the transition rule for the lifecycle rule that describes when noncurrent objects transition to a specific storage class. See below.
+         */
+        noncurrentVersionTransitions?: outputs.s3.BucketLifecycleConfigurationV2RuleNoncurrentVersionTransition[];
+        /**
+         * **DEPRECATED** Use `filter` instead.
+         * This has been deprecated by Amazon S3.
+         * Prefix identifying one or more objects to which the rule applies.
+         * Defaults to an empty string (`""`) if `filter` is not specified.
+         * One of `prefix` or `filter` should be specified.
+         *
+         * @deprecated Specify a prefix using 'filter' instead
+         */
+        prefix: string;
+        /**
+         * Whether the rule is currently being applied. Valid values: `Enabled` or `Disabled`.
+         */
+        status: string;
+        /**
+         * Set of configuration blocks that specify when an Amazon S3 object transitions to a specified storage class. See below.
+         */
+        transitions?: outputs.s3.BucketLifecycleConfigurationV2RuleTransition[];
+    }
+    interface BucketLifecycleConfigurationV2RuleAbortIncompleteMultipartUpload {
+        /**
+         * Number of days after which Amazon S3 aborts an incomplete multipart upload.
+         */
+        daysAfterInitiation?: number;
+    }
+    interface BucketLifecycleConfigurationV2RuleExpiration {
+        /**
+         * Date the object is to be moved or deleted. The date value must be in [RFC3339 full-date format](https://datatracker.ietf.org/doc/html/rfc3339#section-5.6) e.g. `2023-08-22`.
+         */
+        date?: string;
+        /**
+         * Lifetime, in days, of the objects that are subject to the rule. The value must be a non-zero positive integer.
+         */
+        days: number;
+        /**
+         * Indicates whether Amazon S3 will remove a delete marker with no noncurrent versions. If set to `true`, the delete marker will be expired; if set to `false` the policy takes no action.
+         */
+        expiredObjectDeleteMarker: boolean;
+    }
+    interface BucketLifecycleConfigurationV2RuleFilter {
+        /**
+         * Configuration block used to apply a logical `AND` to two or more predicates. See below. The Lifecycle Rule will apply to any object matching all the predicates configured inside the `and` block.
+         */
+        and?: outputs.s3.BucketLifecycleConfigurationV2RuleFilterAnd;
+        /**
+         * Minimum object size (in bytes) to which the rule applies.
+         */
+        objectSizeGreaterThan: number;
+        /**
+         * Maximum object size (in bytes) to which the rule applies.
+         */
+        objectSizeLessThan: number;
+        /**
+         * Prefix identifying one or more objects to which the rule applies. Defaults to an empty string (`""`) if not specified.
+         */
+        prefix: string;
+        /**
+         * Configuration block for specifying a tag key and value. See below.
+         */
+        tag?: outputs.s3.BucketLifecycleConfigurationV2RuleFilterTag;
+    }
+    interface BucketLifecycleConfigurationV2RuleFilterAnd {
+        /**
+         * Minimum object size to which the rule applies. Value must be at least `0` if specified. Defaults to 128000 (128 KB) for all `storageClass` values unless `transitionDefaultMinimumObjectSize` specifies otherwise.
+         */
+        objectSizeGreaterThan: number;
+        /**
+         * Maximum object size to which the rule applies. Value must be at least `1` if specified.
+         */
+        objectSizeLessThan: number;
+        /**
+         * Prefix identifying one or more objects to which the rule applies.
+         */
+        prefix: string;
+        /**
+         * Key-value map of resource tags.
+         * All of these tags must exist in the object's tag set in order for the rule to apply.
+         * If set, must contain at least one key-value pair.
+         */
+        tags?: {
+            [key: string]: string;
+        };
+    }
+    interface BucketLifecycleConfigurationV2RuleFilterTag {
+        /**
+         * Name of the object key.
+         */
+        key: string;
+        /**
+         * Value of the tag.
+         */
+        value: string;
+    }
+    interface BucketLifecycleConfigurationV2RuleNoncurrentVersionExpiration {
+        /**
+         * Number of noncurrent versions Amazon S3 will retain. Must be a non-zero positive integer.
+         */
+        newerNoncurrentVersions: number;
+        /**
+         * Number of days an object is noncurrent before Amazon S3 can perform the associated action. Must be a positive integer.
+         */
+        noncurrentDays: number;
+    }
+    interface BucketLifecycleConfigurationV2RuleNoncurrentVersionTransition {
+        /**
+         * Number of noncurrent versions Amazon S3 will retain. Must be a non-zero positive integer.
+         */
+        newerNoncurrentVersions: number;
+        /**
+         * Number of days an object is noncurrent before Amazon S3 can perform the associated action.
+         */
+        noncurrentDays: number;
+        /**
+         * Class of storage used to store the object. Valid Values: `GLACIER`, `STANDARD_IA`, `ONEZONE_IA`, `INTELLIGENT_TIERING`, `DEEP_ARCHIVE`, `GLACIER_IR`.
+         */
+        storageClass: string;
+    }
+    interface BucketLifecycleConfigurationV2RuleTransition {
+        /**
+         * Date objects are transitioned to the specified storage class. The date value must be in [RFC3339 full-date format](https://datatracker.ietf.org/doc/html/rfc3339#section-5.6) e.g. `2023-08-22`.
+         */
+        date?: string;
+        /**
+         * Number of days after creation when objects are transitioned to the specified storage class. The value must be a positive integer. If both `days` and `date` are not specified, defaults to `0`. Valid values depend on `storageClass`, see [Transition objects using Amazon S3 Lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html) for more details.
+         */
+        days: number;
+        /**
+         * Class of storage used to store the object. Valid Values: `GLACIER`, `STANDARD_IA`, `ONEZONE_IA`, `INTELLIGENT_TIERING`, `DEEP_ARCHIVE`, `GLACIER_IR`.
+         */
+        storageClass: string;
+    }
+    interface BucketLifecycleConfigurationV2Timeouts {
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        create?: string;
+        /**
+         * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+         */
+        update?: string;
+    }
     interface BucketLifecycleRule {
         /**
          * Specifies the number of days after initiating a multipart upload when the multipart upload must be completed.
@@ -73621,6 +73923,53 @@ export declare namespace s3 {
     }
     interface BucketLoggingTargetObjectKeyFormatSimplePrefix {
     }
+    interface BucketLoggingV2TargetGrant {
+        /**
+         * Configuration block for the person being granted permissions. See below.
+         */
+        grantee: outputs.s3.BucketLoggingV2TargetGrantGrantee;
+        /**
+         * Logging permissions assigned to the grantee for the bucket. Valid values: `FULL_CONTROL`, `READ`, `WRITE`.
+         */
+        permission: string;
+    }
+    interface BucketLoggingV2TargetGrantGrantee {
+        displayName: string;
+        /**
+         * Email address of the grantee. See [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) for supported AWS regions where this argument can be specified.
+         */
+        emailAddress?: string;
+        /**
+         * Canonical user ID of the grantee.
+         */
+        id?: string;
+        /**
+         * Type of grantee. Valid values: `CanonicalUser`, `AmazonCustomerByEmail`, `Group`.
+         */
+        type: string;
+        /**
+         * URI of the grantee group.
+         */
+        uri?: string;
+    }
+    interface BucketLoggingV2TargetObjectKeyFormat {
+        /**
+         * Partitioned S3 key for log objects. See below.
+         */
+        partitionedPrefix?: outputs.s3.BucketLoggingV2TargetObjectKeyFormatPartitionedPrefix;
+        /**
+         * Use the simple format for S3 keys for log objects. To use, set `simplePrefix {}`.
+         */
+        simplePrefix?: outputs.s3.BucketLoggingV2TargetObjectKeyFormatSimplePrefix;
+    }
+    interface BucketLoggingV2TargetObjectKeyFormatPartitionedPrefix {
+        /**
+         * Specifies the partition date source for the partitioned prefix. Valid values: `EventTime`, `DeliveryTime`.
+         */
+        partitionDateSource: string;
+    }
+    interface BucketLoggingV2TargetObjectKeyFormatSimplePrefix {
+    }
     interface BucketMetricFilter {
         /**
          * S3 Access Point ARN for filtering (singular).
@@ -73737,6 +74086,26 @@ export declare namespace s3 {
          */
         years?: number;
     }
+    interface BucketObjectLockConfigurationV2Rule {
+        /**
+         * Configuration block for specifying the default Object Lock retention settings for new objects placed in the specified bucket. See below.
+         */
+        defaultRetention: outputs.s3.BucketObjectLockConfigurationV2RuleDefaultRetention;
+    }
+    interface BucketObjectLockConfigurationV2RuleDefaultRetention {
+        /**
+         * Number of days that you want to specify for the default retention period.
+         */
+        days?: number;
+        /**
+         * Default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values: `COMPLIANCE`, `GOVERNANCE`.
+         */
+        mode?: string;
+        /**
+         * Number of years that you want to specify for the default retention period.
+         */
+        years?: number;
+    }
     interface BucketObjectv2OverrideProvider {
         /**
          * Override the provider `defaultTags` configuration block.
@@ -74097,6 +74466,376 @@ export declare namespace s3 {
          */
         sseAlgorithm: string;
     }
+    interface BucketServerSideEncryptionConfigurationV2Rule {
+        /**
+         * Single object for setting server-side encryption by default. See below.
+         */
+        applyServerSideEncryptionByDefault?: outputs.s3.BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefault;
+        /**
+         * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS.
+         */
+        bucketKeyEnabled?: boolean;
+    }
+    interface BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefault {
+        /**
+         * AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`.
+         */
+        kmsMasterKeyId?: string;
+        /**
+         * Server-side encryption algorithm to use. Valid values are `AES256`, `aws:kms`, and `aws:kms:dsse`
+         */
+        sseAlgorithm: string;
+    }
+    interface BucketV2CorsRule {
+        /**
+         * List of headers allowed.
+         */
+        allowedHeaders?: string[];
+        /**
+         * One or more HTTP methods that you allow the origin to execute. Can be `GET`, `PUT`, `POST`, `DELETE` or `HEAD`.
+         */
+        allowedMethods: string[];
+        /**
+         * One or more origins you want customers to be able to access the bucket from.
+         */
+        allowedOrigins: string[];
+        /**
+         * One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript `XMLHttpRequest` object).
+         */
+        exposeHeaders?: string[];
+        /**
+         * Specifies time in seconds that browser can cache the response for a preflight request.
+         */
+        maxAgeSeconds?: number;
+    }
+    interface BucketV2Grant {
+        /**
+         * Canonical user id to grant for. Used only when `type` is `CanonicalUser`.
+         */
+        id?: string;
+        /**
+         * List of permissions to apply for grantee. Valid values are `READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`.
+         */
+        permissions: string[];
+        /**
+         * Type of grantee to apply for. Valid values are `CanonicalUser` and `Group`. `AmazonCustomerByEmail` is not supported.
+         */
+        type: string;
+        /**
+         * Uri address to grant for. Used only when `type` is `Group`.
+         */
+        uri?: string;
+    }
+    interface BucketV2LifecycleRule {
+        /**
+         * Specifies the number of days after initiating a multipart upload when the multipart upload must be completed.
+         */
+        abortIncompleteMultipartUploadDays?: number;
+        /**
+         * Specifies lifecycle rule status.
+         */
+        enabled: boolean;
+        /**
+         * Specifies a period in the object's expire. See Expiration below for details.
+         */
+        expirations?: outputs.s3.BucketV2LifecycleRuleExpiration[];
+        /**
+         * Unique identifier for the rule. Must be less than or equal to 255 characters in length.
+         */
+        id: string;
+        /**
+         * Specifies when noncurrent object versions expire. See Noncurrent Version Expiration below for details.
+         */
+        noncurrentVersionExpirations?: outputs.s3.BucketV2LifecycleRuleNoncurrentVersionExpiration[];
+        /**
+         * Specifies when noncurrent object versions transitions. See Noncurrent Version Transition below for details.
+         */
+        noncurrentVersionTransitions?: outputs.s3.BucketV2LifecycleRuleNoncurrentVersionTransition[];
+        /**
+         * Object key prefix identifying one or more objects to which the rule applies.
+         */
+        prefix?: string;
+        /**
+         * Specifies object tags key and value.
+         */
+        tags?: {
+            [key: string]: string;
+        };
+        /**
+         * Specifies a period in the object's transitions. See Transition below for details.
+         */
+        transitions?: outputs.s3.BucketV2LifecycleRuleTransition[];
+    }
+    interface BucketV2LifecycleRuleExpiration {
+        /**
+         * Specifies the date after which you want the corresponding action to take effect.
+         */
+        date?: string;
+        /**
+         * Specifies the number of days after object creation when the specific rule action takes effect.
+         */
+        days?: number;
+        /**
+         * On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Amazon S3 to delete expired object delete markers. This cannot be specified with Days or Date in a Lifecycle Expiration Policy.
+         */
+        expiredObjectDeleteMarker?: boolean;
+    }
+    interface BucketV2LifecycleRuleNoncurrentVersionExpiration {
+        /**
+         * Specifies the number of days noncurrent object versions expire.
+         */
+        days?: number;
+    }
+    interface BucketV2LifecycleRuleNoncurrentVersionTransition {
+        /**
+         * Specifies the number of days noncurrent object versions transition.
+         */
+        days?: number;
+        /**
+         * Specifies the Amazon S3 [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass) to which you want the object to transition.
+         */
+        storageClass: string;
+    }
+    interface BucketV2LifecycleRuleTransition {
+        /**
+         * Specifies the date after which you want the corresponding action to take effect.
+         */
+        date?: string;
+        /**
+         * Specifies the number of days after object creation when the specific rule action takes effect.
+         */
+        days?: number;
+        /**
+         * Specifies the Amazon S3 [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass) to which you want the object to transition.
+         */
+        storageClass: string;
+    }
+    interface BucketV2Logging {
+        /**
+         * Name of the bucket that will receive the log objects.
+         */
+        targetBucket: string;
+        /**
+         * To specify a key prefix for log objects.
+         */
+        targetPrefix?: string;
+    }
+    interface BucketV2ObjectLockConfiguration {
+        /**
+         * Indicates whether this bucket has an Object Lock configuration enabled. Valid values are `true` or `false`. This argument is not supported in all regions or partitions.
+         *
+         * @deprecated object_lock_enabled is deprecated. Use the top-level parameter objectLockEnabled instead.
+         */
+        objectLockEnabled?: string;
+        /**
+         * Object Lock rule in place for this bucket (documented below).
+         *
+         * @deprecated rule is deprecated. Use the aws.s3.BucketObjectLockConfiguration resource instead.
+         */
+        rules?: outputs.s3.BucketV2ObjectLockConfigurationRule[];
+    }
+    interface BucketV2ObjectLockConfigurationRule {
+        /**
+         * Default retention period that you want to apply to new objects placed in this bucket (documented below).
+         */
+        defaultRetentions: outputs.s3.BucketV2ObjectLockConfigurationRuleDefaultRetention[];
+    }
+    interface BucketV2ObjectLockConfigurationRuleDefaultRetention {
+        /**
+         * Number of days that you want to specify for the default retention period.
+         */
+        days?: number;
+        /**
+         * Default Object Lock retention mode you want to apply to new objects placed in this bucket. Valid values are `GOVERNANCE` and `COMPLIANCE`.
+         */
+        mode: string;
+        /**
+         * Number of years that you want to specify for the default retention period.
+         */
+        years?: number;
+    }
+    interface BucketV2ReplicationConfiguration {
+        /**
+         * ARN of the IAM role for Amazon S3 to assume when replicating the objects.
+         */
+        role: string;
+        /**
+         * Specifies the rules managing the replication (documented below).
+         */
+        rules: outputs.s3.BucketV2ReplicationConfigurationRule[];
+    }
+    interface BucketV2ReplicationConfigurationRule {
+        /**
+         * Whether delete markers are replicated. The only valid value is `Enabled`. To disable, omit this argument. This argument is only valid with V2 replication configurations (i.e., when `filter` is used).
+         */
+        deleteMarkerReplicationStatus?: string;
+        /**
+         * Specifies the destination for the rule (documented below).
+         */
+        destinations: outputs.s3.BucketV2ReplicationConfigurationRuleDestination[];
+        /**
+         * Filter that identifies subset of objects to which the replication rule applies (documented below).
+         */
+        filters?: outputs.s3.BucketV2ReplicationConfigurationRuleFilter[];
+        /**
+         * Unique identifier for the rule. Must be less than or equal to 255 characters in length.
+         */
+        id?: string;
+        /**
+         * Object keyname prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length.
+         */
+        prefix?: string;
+        /**
+         * Priority associated with the rule. Priority should only be set if `filter` is configured. If not provided, defaults to `0`. Priority must be unique between multiple rules.
+         */
+        priority?: number;
+        /**
+         * Specifies special object selection criteria (documented below).
+         */
+        sourceSelectionCriterias?: outputs.s3.BucketV2ReplicationConfigurationRuleSourceSelectionCriteria[];
+        /**
+         * Status of the rule. Either `Enabled` or `Disabled`. The rule is ignored if status is not Enabled.
+         */
+        status: string;
+    }
+    interface BucketV2ReplicationConfigurationRuleDestination {
+        /**
+         * Specifies the overrides to use for object owners on replication (documented below). Must be used in conjunction with `accountId` owner override configuration.
+         */
+        accessControlTranslations?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationAccessControlTranslation[];
+        /**
+         * Account ID to use for overriding the object owner on replication. Must be used in conjunction with `accessControlTranslation` override configuration.
+         */
+        accountId?: string;
+        /**
+         * ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule.
+         */
+        bucket: string;
+        /**
+         * Enables replication metrics (required for S3 RTC) (documented below).
+         */
+        metrics?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationMetric[];
+        /**
+         * Destination KMS encryption key ARN for SSE-KMS replication. Must be used in conjunction with
+         * `sseKmsEncryptedObjects` source selection criteria.
+         */
+        replicaKmsKeyId?: string;
+        /**
+         * Enables S3 Replication Time Control (S3 RTC) (documented below).
+         */
+        replicationTimes?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationReplicationTime[];
+        /**
+         * The [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Destination.html#AmazonS3-Type-Destination-StorageClass) used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica.
+         */
+        storageClass?: string;
+    }
+    interface BucketV2ReplicationConfigurationRuleDestinationAccessControlTranslation {
+        /**
+         * Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html) in the Amazon S3 API Reference. The only valid value is `Destination`.
+         */
+        owner: string;
+    }
+    interface BucketV2ReplicationConfigurationRuleDestinationMetric {
+        /**
+         * Threshold within which objects are to be replicated. The only valid value is `15`.
+         */
+        minutes?: number;
+        /**
+         * Status of replication metrics. Either `Enabled` or `Disabled`.
+         */
+        status?: string;
+    }
+    interface BucketV2ReplicationConfigurationRuleDestinationReplicationTime {
+        /**
+         * Threshold within which objects are to be replicated. The only valid value is `15`.
+         */
+        minutes?: number;
+        /**
+         * Status of RTC. Either `Enabled` or `Disabled`.
+         */
+        status?: string;
+    }
+    interface BucketV2ReplicationConfigurationRuleFilter {
+        /**
+         * Object keyname prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length.
+         */
+        prefix?: string;
+        /**
+         * A map of tags that identifies subset of objects to which the rule applies.
+         * The rule applies only to objects having all the tags in its tagset.
+         */
+        tags?: {
+            [key: string]: string;
+        };
+    }
+    interface BucketV2ReplicationConfigurationRuleSourceSelectionCriteria {
+        /**
+         * Match SSE-KMS encrypted objects (documented below). If specified, `replicaKmsKeyId`
+         * in `destination` must be specified as well.
+         */
+        sseKmsEncryptedObjects?: outputs.s3.BucketV2ReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObject[];
+    }
+    interface BucketV2ReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObject {
+        /**
+         * Boolean which indicates if this criteria is enabled.
+         */
+        enabled: boolean;
+    }
+    interface BucketV2ServerSideEncryptionConfiguration {
+        /**
+         * Single object for server-side encryption by default configuration. (documented below)
+         */
+        rules: outputs.s3.BucketV2ServerSideEncryptionConfigurationRule[];
+    }
+    interface BucketV2ServerSideEncryptionConfigurationRule {
+        /**
+         * Single object for setting server-side encryption by default. (documented below)
+         */
+        applyServerSideEncryptionByDefaults: outputs.s3.BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault[];
+        /**
+         * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS.
+         */
+        bucketKeyEnabled?: boolean;
+    }
+    interface BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault {
+        /**
+         * AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`.
+         */
+        kmsMasterKeyId?: string;
+        /**
+         * Server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms`
+         */
+        sseAlgorithm: string;
+    }
+    interface BucketV2Versioning {
+        /**
+         * Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket.
+         */
+        enabled?: boolean;
+        /**
+         * Enable MFA delete for either `Change the versioning state of your bucket` or `Permanently delete an object version`. Default is `false`. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS
+         */
+        mfaDelete?: boolean;
+    }
+    interface BucketV2Website {
+        /**
+         * Absolute path to the document to return in case of a 4XX error.
+         */
+        errorDocument?: string;
+        /**
+         * Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders.
+         */
+        indexDocument?: string;
+        /**
+         * Hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (`http://` or `https://`) to use when redirecting requests. The default is the protocol that is used in the original request.
+         */
+        redirectAllRequestsTo?: string;
+        /**
+         * JSON array containing [routing rules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration-routingrules.html)
+         * describing redirect behavior and when redirects are applied.
+         */
+        routingRules?: string;
+    }
     interface BucketVersioning {
         /**
          * Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket.
@@ -74107,6 +74846,16 @@ export declare namespace s3 {
          */
         mfaDelete?: boolean;
     }
+    interface BucketVersioningV2VersioningConfiguration {
+        /**
+         * Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: `Enabled` or `Disabled`.
+         */
+        mfaDelete: string;
+        /**
+         * Versioning state of the bucket. Valid values: `Enabled`, `Suspended`, or `Disabled`. `Disabled` should only be used when creating or importing resources that correspond to unversioned S3 buckets.
+         */
+        status: string;
+    }
     interface BucketVersioningVersioningConfiguration {
         /**
          * Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: `Enabled` or `Disabled`.
@@ -74202,6 +74951,72 @@ export declare namespace s3 {
          */
         replaceKeyWith?: string;
     }
+    interface BucketWebsiteConfigurationV2ErrorDocument {
+        /**
+         * Object key name to use when a 4XX class error occurs.
+         */
+        key: string;
+    }
+    interface BucketWebsiteConfigurationV2IndexDocument {
+        /**
+         * Suffix that is appended to a request that is for a directory on the website endpoint.
+         * For example, if the suffix is `index.html` and you make a request to `samplebucket/images/`, the data that is returned will be for the object with the key name `images/index.html`.
+         * The suffix must not be empty and must not include a slash character.
+         */
+        suffix: string;
+    }
+    interface BucketWebsiteConfigurationV2RedirectAllRequestsTo {
+        /**
+         * Name of the host where requests are redirected.
+         */
+        hostName: string;
+        /**
+         * Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: `http`, `https`.
+         */
+        protocol?: string;
+    }
+    interface BucketWebsiteConfigurationV2RoutingRule {
+        /**
+         * Configuration block for describing a condition that must be met for the specified redirect to apply. See below.
+         */
+        condition?: outputs.s3.BucketWebsiteConfigurationV2RoutingRuleCondition;
+        /**
+         * Configuration block for redirect information. See below.
+         */
+        redirect: outputs.s3.BucketWebsiteConfigurationV2RoutingRuleRedirect;
+    }
+    interface BucketWebsiteConfigurationV2RoutingRuleCondition {
+        /**
+         * HTTP error code when the redirect is applied. If specified with `keyPrefixEquals`, then both must be true for the redirect to be applied.
+         */
+        httpErrorCodeReturnedEquals?: string;
+        /**
+         * Object key name prefix when the redirect is applied. If specified with `httpErrorCodeReturnedEquals`, then both must be true for the redirect to be applied.
+         */
+        keyPrefixEquals?: string;
+    }
+    interface BucketWebsiteConfigurationV2RoutingRuleRedirect {
+        /**
+         * Host name to use in the redirect request.
+         */
+        hostName?: string;
+        /**
+         * HTTP redirect code to use on the response.
+         */
+        httpRedirectCode?: string;
+        /**
+         * Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: `http`, `https`.
+         */
+        protocol?: string;
+        /**
+         * Object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix `docs/` (objects in the `docs/` folder) to `documents/`, you can set a `condition` block with `keyPrefixEquals` set to `docs/` and in the `redirect` set `replaceKeyPrefixWith` to `/documents`.
+         */
+        replaceKeyPrefixWith?: string;
+        /**
+         * Specific object key to use in the redirect request. For example, redirect request to `error.html`.
+         */
+        replaceKeyWith?: string;
+    }
     interface DirectoryBucketLocation {
         /**
          * [Availability Zone ID](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids) or Local Zone ID.
@@ -74858,6 +75673,41 @@ export declare namespace s3tables {
          */
         minSnapshotsToKeep: number;
     }
+    interface TableMetadata {
+        /**
+         * Contains details about the metadata for an Iceberg table. This block defines the schema structure for the Apache Iceberg table format.
+         * See `iceberg` below.
+         */
+        iceberg: outputs.s3tables.TableMetadataIceberg;
+    }
+    interface TableMetadataIceberg {
+        /**
+         * Schema configuration for the Iceberg table.
+         * See `schema` below.
+         */
+        schema: outputs.s3tables.TableMetadataIcebergSchema;
+    }
+    interface TableMetadataIcebergSchema {
+        /**
+         * List of schema fields for the Iceberg table. Each field defines a column in the table schema.
+         * See `field` below.
+         */
+        fields?: outputs.s3tables.TableMetadataIcebergSchemaField[];
+    }
+    interface TableMetadataIcebergSchemaField {
+        /**
+         * The name of the field.
+         */
+        name: string;
+        /**
+         * A Boolean value that specifies whether values are required for each row in this field. Defaults to `false`.
+         */
+        required: boolean;
+        /**
+         * The field type. S3 Tables supports all Apache Iceberg primitive types including: `boolean`, `int`, `long`, `float`, `double`, `decimal(precision,scale)`, `date`, `time`, `timestamp`, `timestamptz`, `string`, `uuid`, `fixed(length)`, `binary`.
+         */
+        type: string;
+    }
 }
 export declare namespace sagemaker {
     interface AppImageConfigCodeEditorAppImageConfig {
@@ -89464,6 +90314,10 @@ export declare namespace wafv2 {
          * Additional configuration for using the Account Creation Fraud Prevention managed rule group. Use this to specify information such as the registration page of your application and the type of content to accept or reject from the client.
          */
         awsManagedRulesAcfpRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet;
+        /**
+         * Configuration for using the anti-DDoS managed rule group. See `awsManagedRulesAntiDdosRuleSet` for more details.
+         */
+        awsManagedRulesAntiDdosRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSet;
         /**
          * Additional configuration for using the Account Takeover Protection managed rule group. Use this to specify information such as the sign-in page of your application and the type of content to accept or reject from the client.
          */
@@ -89633,6 +90487,36 @@ export declare namespace wafv2 {
          */
         successCodes: number[];
     }
+    interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSet {
+        /**
+         * Configuration for the request handling that's applied by the managed rule group rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests` during a distributed denial of service (DDoS) attack. See `clientSideActionConfig` for more details.
+         */
+        clientSideActionConfig: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSetClientSideActionConfig;
+        /**
+         * Sensitivity that the rule group rule DDoSRequests uses when matching against the DDoS suspicion labeling on a request. Valid values are `LOW` (Default), `MEDIUM`, and `HIGH`.
+         */
+        sensitivityToBlock?: string;
+    }
+    interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSetClientSideActionConfig {
+        /**
+         * Configuration for the use of the `AWSManagedRulesAntiDDoSRuleSet` rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests`.
+         */
+        challenge: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSetClientSideActionConfigChallenge;
+    }
+    interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSetClientSideActionConfigChallenge {
+        exemptUriRegularExpressions?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSetClientSideActionConfigChallengeExemptUriRegularExpression[];
+        /**
+         * Sensitivity that the rule group rule ChallengeDDoSRequests uses when matching against the DDoS suspicion labeling on a request. Valid values are `LOW`, `MEDIUM` and `HIGH` (Default).
+         */
+        sensitivity?: string;
+        /**
+         * Configuration whether to use the `AWSManagedRulesAntiDDoSRuleSet` rules `ChallengeAllDuringEvent` and `ChallengeDDoSRequests` in the rule group evaluation. Valid values are `ENABLED` and `DISABLED`.
+         */
+        usageOfAction: string;
+    }
+    interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAntiDdosRuleSetClientSideActionConfigChallengeExemptUriRegularExpression {
+        regexString?: string;
+    }
     interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet {
         /**
          * Whether or not to allow the use of regular expressions in the login page path.
@@ -89782,9 +90666,6 @@ export declare namespace wafv2 {
          * Instructs AWS WAF to run a Captcha check against the web request. See `captcha` below for details.
          */
         captcha?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha;
-        /**
-         * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details.
-         */
         challenge?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge;
         count?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount;
     }
@@ -93427,9 +94308,6 @@ export declare namespace wafv2 {
          * Instructs AWS WAF to run a Captcha check against the web request. See `captcha` below for details.
          */
         captcha?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha;
-        /**
-         * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details.
-         */
         challenge?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge;
         count?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount;
     }