aws-cdk-lib 2.115.0__py3-none-any.whl → 2.116.1__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -3863,7 +3863,8 @@ class CfnUserPool(
     @builtins.property
     @jsii.member(jsii_name="attrUserPoolId")
     def attr_user_pool_id(self) -> builtins.str:
-        '''
+        '''The ID of the user pool.
+
         :cloudformationAttribute: UserPoolId
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrUserPoolId"))
@@ -6339,7 +6340,7 @@ class CfnUserPoolClient(
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The user pool ID for the user pool where you want to create a user pool client.
         :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours.
-        :param allowed_o_auth_flows: The allowed OAuth flows. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
+        :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
         :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
         :param allowed_o_auth_scopes: The allowed OAuth scopes. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
         :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. .. epigraph:: In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
@@ -6479,7 +6480,7 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="allowedOAuthFlows")
     def allowed_o_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The allowed OAuth flows.'''
+        '''The OAuth grant types that you want your app client to generate.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "allowedOAuthFlows"))
 
     @allowed_o_auth_flows.setter
@@ -7081,7 +7082,7 @@ class CfnUserPoolClientProps:
 
         :param user_pool_id: The user pool ID for the user pool where you want to create a user pool client.
         :param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours.
-        :param allowed_o_auth_flows: The allowed OAuth flows. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
+        :param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user using a combination of the client ID and client secret.
         :param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your user pool app client. ``AllowedOAuthFlowsUserPoolClient`` must be ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` .
         :param allowed_o_auth_scopes: The allowed OAuth scopes. Possible values provided by OAuth are ``phone`` , ``email`` , ``openid`` , and ``profile`` . Possible values provided by AWS are ``aws.cognito.signin.user.admin`` . Custom scopes created in Resource Servers are also supported.
         :param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. .. epigraph:: In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
@@ -7245,7 +7246,9 @@ class CfnUserPoolClientProps:
 
     @builtins.property
     def allowed_o_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The allowed OAuth flows.
+        '''The OAuth grant types that you want your app client to generate.
+
+        To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow.
 
         - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint.
         - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
@@ -7862,12 +7865,7 @@ class CfnUserPoolGroup(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolGroup",
 ):
-    '''Specifies a new group in the identified user pool.
-
-    Calling this action requires developer credentials.
-    .. epigraph::
-
-       If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
+    '''A user pool group that you can add a user to.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html
     :cloudformationResource: AWS::Cognito::UserPoolGroup
@@ -10984,7 +10982,7 @@ class CfnUserPoolUser(
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: The user attributes and attribute values to be set for the user to be created. These are name-value pairs You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (in ` <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ or in the *Attributes* tab of the console) must be supplied either by you (in your call to ``AdminCreateUser`` ) or by the user (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . (You can also do this by calling ` <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ .) - *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
         '''
@@ -11123,7 +11121,7 @@ class CfnUserPoolUser(
     def user_attributes(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPoolUser.AttributeTypeProperty"]]]]:
-        '''The user attributes and attribute values to be set for the user to be created.'''
+        '''An array of name-value pairs that contain user attributes and attribute values.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnUserPoolUser.AttributeTypeProperty"]]]], jsii.get(self, "userAttributes"))
 
     @user_attributes.setter
@@ -11272,7 +11270,7 @@ class CfnUserPoolUserProps:
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
-        :param user_attributes: The user attributes and attribute values to be set for the user to be created. These are name-value pairs You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (in ` <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ or in the *Attributes* tab of the console) must be supplied either by you (in your call to ``AdminCreateUser`` ) or by the user (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . (You can also do this by calling ` <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ .) - *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter. - *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        :param user_attributes: An array of name-value pairs that contain user attributes and attribute values.
         :param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
         :param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
 
@@ -11409,18 +11407,7 @@ class CfnUserPoolUserProps:
     def user_attributes(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnUserPoolUser.AttributeTypeProperty]]]]:
-        '''The user attributes and attribute values to be set for the user to be created.
-
-        These are name-value pairs You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (in ` <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html>`_ or in the *Attributes* tab of the console) must be supplied either by you (in your call to ``AdminCreateUser`` ) or by the user (when they sign up in response to your welcome message).
-
-        For custom attributes, you must prepend the ``custom:`` prefix to the attribute name.
-
-        To send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.
-
-        In your call to ``AdminCreateUser`` , you can set the ``email_verified`` attribute to ``True`` , and you can set the ``phone_number_verified`` attribute to ``True`` . (You can also do this by calling ` <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html>`_ .)
-
-        - *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the ``email_verified`` attribute is set to ``True`` , or if ``"EMAIL"`` is specified in the ``DesiredDeliveryMediums`` parameter.
-        - *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
+        '''An array of name-value pairs that contain user attributes and attribute values.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-userattributes
         '''

aws_cdk/aws_config/__init__.py

@@ -2203,6 +2203,18 @@ class CfnConfigurationRecorder(
                     use_only="useOnly"
                 ),
                 resource_types=["resourceTypes"]
+            ),
+            recording_mode=config.CfnConfigurationRecorder.RecordingModeProperty(
+                recording_frequency="recordingFrequency",
+        
+                # the properties below are optional
+                recording_mode_overrides=[config.CfnConfigurationRecorder.RecordingModeOverrideProperty(
+                    recording_frequency="recordingFrequency",
+                    resource_types=["resourceTypes"],
+        
+                    # the properties below are optional
+                    description="description"
+                )]
             )
         )
     '''
@@ -2215,6 +2227,7 @@ class CfnConfigurationRecorder(
         role_arn: builtins.str,
         name: typing.Optional[builtins.str] = None,
         recording_group: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationRecorder.RecordingGroupProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        recording_mode: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationRecorder.RecordingModeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
@@ -2222,13 +2235,17 @@ class CfnConfigurationRecorder(
         :param role_arn: Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. For more information, see `Permissions for the IAM Role Assigned <https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html>`_ to AWS Config in the AWS Config Developer Guide. .. epigraph:: *Pre-existing AWS Config role* If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected. For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see `*Identity and Access Management for AWS Config* <https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html>`_ in the *AWS Config Developer Guide* .
         :param name: The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder. You cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.
         :param recording_group: Specifies which resource types AWS Config records for configuration changes. .. epigraph:: *High Number of AWS Config Evaluations* You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record. If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.
+        :param recording_mode: Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording* . - Continuous recording allows you to record configuration changes continuously whenever a change occurs. - Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. .. epigraph:: AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous. You can also override the recording frequency for specific resource types.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8cc1fca38c04598953e44108edff915ed0a33e7e99e047d1bffcbd31ac2e3b03)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnConfigurationRecorderProps(
-            role_arn=role_arn, name=name, recording_group=recording_group
+            role_arn=role_arn,
+            name=name,
+            recording_group=recording_group,
+            recording_mode=recording_mode,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -2323,6 +2340,24 @@ class CfnConfigurationRecorder(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "recordingGroup", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="recordingMode")
+    def recording_mode(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationRecorder.RecordingModeProperty"]]:
+        '''Specifies the default recording frequency that AWS Config uses to record configuration changes.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationRecorder.RecordingModeProperty"]], jsii.get(self, "recordingMode"))
+
+    @recording_mode.setter
+    def recording_mode(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationRecorder.RecordingModeProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__79c601a52da19c88133151b63852ca6a6ba71894cd962c2e118e75d604e83fe5)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "recordingMode", value)
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_config.CfnConfigurationRecorder.ExclusionByResourceTypesProperty",
         jsii_struct_bases=[],
@@ -2629,6 +2664,220 @@ class CfnConfigurationRecorder(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_config.CfnConfigurationRecorder.RecordingModeOverrideProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "recording_frequency": "recordingFrequency",
+            "resource_types": "resourceTypes",
+            "description": "description",
+        },
+    )
+    class RecordingModeOverrideProperty:
+        def __init__(
+            self,
+            *,
+            recording_frequency: builtins.str,
+            resource_types: typing.Sequence[builtins.str],
+            description: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''An object for you to specify your overrides for the recording mode.
+
+            :param recording_frequency: The recording frequency that will be applied to all the resource types specified in the override. - Continuous recording allows you to record configuration changes continuously whenever a change occurs. - Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. .. epigraph:: AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
+            :param resource_types: A comma-separated list that specifies which resource types AWS Config includes in the override. .. epigraph:: Daily recording is not supported for the following resource types: - ``AWS::Config::ResourceCompliance`` - ``AWS::Config::ConformancePackCompliance`` - ``AWS::Config::ConfigurationRecorder``
+            :param description: A description that you provide for the override.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingmodeoverride.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_config as config
+                
+                recording_mode_override_property = config.CfnConfigurationRecorder.RecordingModeOverrideProperty(
+                    recording_frequency="recordingFrequency",
+                    resource_types=["resourceTypes"],
+                
+                    # the properties below are optional
+                    description="description"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__301d91ec25370b3d9c2f7b2aef5e6913cf2370b1c4e1ffda877aafd174d11165)
+                check_type(argname="argument recording_frequency", value=recording_frequency, expected_type=type_hints["recording_frequency"])
+                check_type(argname="argument resource_types", value=resource_types, expected_type=type_hints["resource_types"])
+                check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "recording_frequency": recording_frequency,
+                "resource_types": resource_types,
+            }
+            if description is not None:
+                self._values["description"] = description
+
+        @builtins.property
+        def recording_frequency(self) -> builtins.str:
+            '''The recording frequency that will be applied to all the resource types specified in the override.
+
+            - Continuous recording allows you to record configuration changes continuously whenever a change occurs.
+            - Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
+
+            .. epigraph::
+
+               AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingmodeoverride.html#cfn-config-configurationrecorder-recordingmodeoverride-recordingfrequency
+            '''
+            result = self._values.get("recording_frequency")
+            assert result is not None, "Required property 'recording_frequency' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def resource_types(self) -> typing.List[builtins.str]:
+            '''A comma-separated list that specifies which resource types AWS Config includes in the override.
+
+            .. epigraph::
+
+               Daily recording is not supported for the following resource types:
+
+               - ``AWS::Config::ResourceCompliance``
+               - ``AWS::Config::ConformancePackCompliance``
+               - ``AWS::Config::ConfigurationRecorder``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingmodeoverride.html#cfn-config-configurationrecorder-recordingmodeoverride-resourcetypes
+            '''
+            result = self._values.get("resource_types")
+            assert result is not None, "Required property 'resource_types' is missing"
+            return typing.cast(typing.List[builtins.str], result)
+
+        @builtins.property
+        def description(self) -> typing.Optional[builtins.str]:
+            '''A description that you provide for the override.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingmodeoverride.html#cfn-config-configurationrecorder-recordingmodeoverride-description
+            '''
+            result = self._values.get("description")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "RecordingModeOverrideProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_config.CfnConfigurationRecorder.RecordingModeProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "recording_frequency": "recordingFrequency",
+            "recording_mode_overrides": "recordingModeOverrides",
+        },
+    )
+    class RecordingModeProperty:
+        def __init__(
+            self,
+            *,
+            recording_frequency: builtins.str,
+            recording_mode_overrides: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationRecorder.RecordingModeOverrideProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        ) -> None:
+            '''Specifies the default recording frequency that AWS Config uses to record configuration changes.
+
+            AWS Config supports *Continuous recording* and *Daily recording* .
+
+            - Continuous recording allows you to record configuration changes continuously whenever a change occurs.
+            - Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
+
+            .. epigraph::
+
+               AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
+
+            You can also override the recording frequency for specific resource types.
+
+            :param recording_frequency: The default recording frequency that AWS Config uses to record configuration changes. .. epigraph:: Daily recording is not supported for the following resource types: - ``AWS::Config::ResourceCompliance`` - ``AWS::Config::ConformancePackCompliance`` - ``AWS::Config::ConfigurationRecorder`` For the *allSupported* ( ``ALL_SUPPORTED_RESOURCE_TYPES`` ) recording strategy, these resource types will be set to Continuous recording.
+            :param recording_mode_overrides: An array of ``recordingModeOverride`` objects for you to specify your overrides for the recording mode. The ``recordingModeOverride`` object in the ``recordingModeOverrides`` array consists of three fields: a ``description`` , the new ``recordingFrequency`` , and an array of ``resourceTypes`` to override.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingmode.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_config as config
+                
+                recording_mode_property = config.CfnConfigurationRecorder.RecordingModeProperty(
+                    recording_frequency="recordingFrequency",
+                
+                    # the properties below are optional
+                    recording_mode_overrides=[config.CfnConfigurationRecorder.RecordingModeOverrideProperty(
+                        recording_frequency="recordingFrequency",
+                        resource_types=["resourceTypes"],
+                
+                        # the properties below are optional
+                        description="description"
+                    )]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__2db8a0d318e287d3329642f2526ea9c788965e7dbe0f581278bef988ee908d63)
+                check_type(argname="argument recording_frequency", value=recording_frequency, expected_type=type_hints["recording_frequency"])
+                check_type(argname="argument recording_mode_overrides", value=recording_mode_overrides, expected_type=type_hints["recording_mode_overrides"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "recording_frequency": recording_frequency,
+            }
+            if recording_mode_overrides is not None:
+                self._values["recording_mode_overrides"] = recording_mode_overrides
+
+        @builtins.property
+        def recording_frequency(self) -> builtins.str:
+            '''The default recording frequency that AWS Config uses to record configuration changes.
+
+            .. epigraph::
+
+               Daily recording is not supported for the following resource types:
+
+               - ``AWS::Config::ResourceCompliance``
+               - ``AWS::Config::ConformancePackCompliance``
+               - ``AWS::Config::ConfigurationRecorder``
+
+               For the *allSupported* ( ``ALL_SUPPORTED_RESOURCE_TYPES`` ) recording strategy, these resource types will be set to Continuous recording.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingmode.html#cfn-config-configurationrecorder-recordingmode-recordingfrequency
+            '''
+            result = self._values.get("recording_frequency")
+            assert result is not None, "Required property 'recording_frequency' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def recording_mode_overrides(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnConfigurationRecorder.RecordingModeOverrideProperty"]]]]:
+            '''An array of ``recordingModeOverride`` objects for you to specify your overrides for the recording mode.
+
+            The ``recordingModeOverride`` object in the ``recordingModeOverrides`` array consists of three fields: a ``description`` , the new ``recordingFrequency`` , and an array of ``resourceTypes`` to override.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingmode.html#cfn-config-configurationrecorder-recordingmode-recordingmodeoverrides
+            '''
+            result = self._values.get("recording_mode_overrides")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnConfigurationRecorder.RecordingModeOverrideProperty"]]]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "RecordingModeProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_config.CfnConfigurationRecorder.RecordingStrategyProperty",
         jsii_struct_bases=[],
@@ -2722,6 +2971,7 @@ class CfnConfigurationRecorder(
         "role_arn": "roleArn",
         "name": "name",
         "recording_group": "recordingGroup",
+        "recording_mode": "recordingMode",
     },
 )
 class CfnConfigurationRecorderProps:
@@ -2731,12 +2981,14 @@ class CfnConfigurationRecorderProps:
         role_arn: builtins.str,
         name: typing.Optional[builtins.str] = None,
         recording_group: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationRecorder.RecordingGroupProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        recording_mode: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationRecorder.RecordingModeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnConfigurationRecorder``.
 
         :param role_arn: Amazon Resource Name (ARN) of the IAM role assumed by AWS Config and used by the configuration recorder. For more information, see `Permissions for the IAM Role Assigned <https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html>`_ to AWS Config in the AWS Config Developer Guide. .. epigraph:: *Pre-existing AWS Config role* If you have used an AWS service that uses AWS Config , such as AWS Security Hub or AWS Control Tower , and an AWS Config role has already been created, make sure that the IAM role that you use when setting up AWS Config keeps the same minimum permissions as the already created AWS Config role. You must do this so that the other AWS service continues to run as expected. For example, if AWS Control Tower has an IAM role that allows AWS Config to read Amazon Simple Storage Service ( Amazon S3 ) objects, make sure that the same permissions are granted within the IAM role you use when setting up AWS Config . Otherwise, it may interfere with how AWS Control Tower operates. For more information about IAM roles for AWS Config , see `*Identity and Access Management for AWS Config* <https://docs.aws.amazon.com/config/latest/developerguide/security-iam.html>`_ in the *AWS Config Developer Guide* .
         :param name: The name of the configuration recorder. AWS Config automatically assigns the name of "default" when creating the configuration recorder. You cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.
         :param recording_group: Specifies which resource types AWS Config records for configuration changes. .. epigraph:: *High Number of AWS Config Evaluations* You may notice increased activity in your account during your initial month recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config runs evaluations on all the resources in your account that you have selected for AWS Config to record. If you are running ephemeral workloads, you may see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud ( Amazon EC2 ) Spot Instances, Amazon EMR jobs, and AWS Auto Scaling . If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off to avoid increased configuration recording and rule evaluations.
+        :param recording_mode: Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording* . - Continuous recording allows you to record configuration changes continuously whenever a change occurs. - Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. .. epigraph:: AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous. You can also override the recording frequency for specific resource types.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationrecorder.html
         :exampleMetadata: fixture=_generated
@@ -2762,6 +3014,18 @@ class CfnConfigurationRecorderProps:
                         use_only="useOnly"
                     ),
                     resource_types=["resourceTypes"]
+                ),
+                recording_mode=config.CfnConfigurationRecorder.RecordingModeProperty(
+                    recording_frequency="recordingFrequency",
+            
+                    # the properties below are optional
+                    recording_mode_overrides=[config.CfnConfigurationRecorder.RecordingModeOverrideProperty(
+                        recording_frequency="recordingFrequency",
+                        resource_types=["resourceTypes"],
+            
+                        # the properties below are optional
+                        description="description"
+                    )]
                 )
             )
         '''
@@ -2770,6 +3034,7 @@ class CfnConfigurationRecorderProps:
             check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
             check_type(argname="argument recording_group", value=recording_group, expected_type=type_hints["recording_group"])
+            check_type(argname="argument recording_mode", value=recording_mode, expected_type=type_hints["recording_mode"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "role_arn": role_arn,
         }
@@ -2777,6 +3042,8 @@ class CfnConfigurationRecorderProps:
             self._values["name"] = name
         if recording_group is not None:
             self._values["recording_group"] = recording_group
+        if recording_mode is not None:
+            self._values["recording_mode"] = recording_mode
 
     @builtins.property
     def role_arn(self) -> builtins.str:
@@ -2827,6 +3094,28 @@ class CfnConfigurationRecorderProps:
         result = self._values.get("recording_group")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConfigurationRecorder.RecordingGroupProperty]], result)
 
+    @builtins.property
+    def recording_mode(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConfigurationRecorder.RecordingModeProperty]]:
+        '''Specifies the default recording frequency that AWS Config uses to record configuration changes.
+
+        AWS Config supports *Continuous recording* and *Daily recording* .
+
+        - Continuous recording allows you to record configuration changes continuously whenever a change occurs.
+        - Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded.
+
+        .. epigraph::
+
+           AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
+
+        You can also override the recording frequency for specific resource types.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationrecorder.html#cfn-config-configurationrecorder-recordingmode
+        '''
+        result = self._values.get("recording_mode")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConfigurationRecorder.RecordingModeProperty]], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -13243,6 +13532,7 @@ def _typecheckingstub__8cc1fca38c04598953e44108edff915ed0a33e7e99e047d1bffcbd31a
     role_arn: builtins.str,
     name: typing.Optional[builtins.str] = None,
     recording_group: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationRecorder.RecordingGroupProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    recording_mode: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationRecorder.RecordingModeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -13277,6 +13567,12 @@ def _typecheckingstub__0e1878a10e77a1aa31c809535803af7748be10257943ccb0147e9c083
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__79c601a52da19c88133151b63852ca6a6ba71894cd962c2e118e75d604e83fe5(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConfigurationRecorder.RecordingModeProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__1bfeeb41a82e166dbe5ee3f6a4cb224863af8ea802ed4106641b03f2b048f32a(
     *,
     resource_types: typing.Sequence[builtins.str],
@@ -13295,6 +13591,23 @@ def _typecheckingstub__574b2463724d6487e33926405844644e49df72910787a048a5ca19855
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__301d91ec25370b3d9c2f7b2aef5e6913cf2370b1c4e1ffda877aafd174d11165(
+    *,
+    recording_frequency: builtins.str,
+    resource_types: typing.Sequence[builtins.str],
+    description: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__2db8a0d318e287d3329642f2526ea9c788965e7dbe0f581278bef988ee908d63(
+    *,
+    recording_frequency: builtins.str,
+    recording_mode_overrides: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationRecorder.RecordingModeOverrideProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__cdc0c3a0d4a9aa5083c337e0372ddbd0be93f7adadc83df65d33ce75c0b906bb(
     *,
     use_only: builtins.str,
@@ -13307,6 +13620,7 @@ def _typecheckingstub__68cc2049b8c095672250d1c12a5af6fc05b3421a6c23124f87e5e31e2
     role_arn: builtins.str,
     name: typing.Optional[builtins.str] = None,
     recording_group: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationRecorder.RecordingGroupProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    recording_mode: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationRecorder.RecordingModeProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass