aws-cdk-lib 2.115.0__py3-none-any.whl → 2.116.1__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1720,6 +1720,70 @@ instance = ec2.Instance(self, "Instance",
 )
 ```
 
+### Specifying a key pair
+
+To allow SSH access to an EC2 instance by default, a Key Pair must be specified. Key pairs can
+be provided with the `keyPair` property to instances and launch templates. You can create a
+key pair for an instance like this:
+
+```python
+# vpc: ec2.Vpc
+# instance_type: ec2.InstanceType
+
+
+key_pair = ec2.KeyPair(self, "KeyPair",
+    type=ec2.KeyPairType.ED25519,
+    format=ec2.KeyPairFormat.PEM
+)
+instance = ec2.Instance(self, "Instance",
+    vpc=vpc,
+    instance_type=instance_type,
+    machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+    # Use the custom key pair
+    key_pair=key_pair
+)
+```
+
+When a new EC2 Key Pair is created (without imported material), the private key material is
+automatically stored in Systems Manager Parameter Store. This can be retrieved from the key pair
+construct:
+
+```python
+key_pair = ec2.KeyPair(self, "KeyPair")
+private_key = key_pair.private_key
+```
+
+If you already have an SSH key that you wish to use in EC2, that can be provided when constructing the
+`KeyPair`. If public key material is provided, the key pair is considered "imported" and there
+will not be any data automatically stored in Systems Manager Parameter Store and the `type` property
+cannot be specified for the key pair.
+
+```python
+key_pair = ec2.KeyPair(self, "KeyPair",
+    public_key_material="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7jpNzG+YG0s+xIGWbxrxIZiiozHOEuzIJacvASP0mq"
+)
+```
+
+#### Using an existing EC2 Key Pair
+
+If you already have an EC2 Key Pair created outside of the CDK, you can import that key to
+your CDK stack.
+
+You can import it purely by name:
+
+```python
+key_pair = ec2.KeyPair.from_key_pair_name(self, "KeyPair", "the-keypair-name")
+```
+
+Or by specifying additional attributes:
+
+```python
+key_pair = ec2.KeyPair.from_key_pair_attributes(self, "KeyPair",
+    key_pair_name="the-keypair-name",
+    type=ec2.KeyPairType.RSA
+)
+```
+
 ## VPC Flow Logs
 
 VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination. ([https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html)).
@@ -2193,6 +2257,7 @@ from ..aws_s3 import IBucket as _IBucket_42e086fd
 from ..aws_s3_assets import (
     Asset as _Asset_ac2a7e61, AssetOptions as _AssetOptions_2aa69621
 )
+from ..aws_ssm import IStringParameter as _IStringParameter_f2b707f9
 
 
 class AclCidr(
@@ -12573,11 +12638,11 @@ class CfnEC2Fleet(
 
             ``TargetCapacitySpecificationRequest`` is a property of the `AWS::EC2::EC2Fleet <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-ec2fleet.html>`_ resource.
 
-            :param total_target_capacity: The number of units to request, filled using ``DefaultTargetCapacityType`` .
-            :param default_target_capacity_type: The default ``TotalTargetCapacity`` , which is either ``Spot`` or ``On-Demand`` .
+            :param total_target_capacity: The number of units to request, filled using the default target capacity type.
+            :param default_target_capacity_type: The default target capacity type.
             :param on_demand_target_capacity: The number of On-Demand units to request.
             :param spot_target_capacity: The number of Spot units to request.
-            :param target_capacity_unit_type: The unit for the target capacity. ``TargetCapacityUnitType`` can only be specified when ``InstanceRequirements`` is specified. Default: ``units`` (translates to number of instances)
+            :param target_capacity_unit_type: The unit for the target capacity. You can specify this parameter only when using attributed-based instance type selection. Default: ``units`` (the number of instances)
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ec2fleet-targetcapacityspecificationrequest.html
             :exampleMetadata: fixture=_generated
@@ -12619,7 +12684,7 @@ class CfnEC2Fleet(
 
         @builtins.property
         def total_target_capacity(self) -> jsii.Number:
-            '''The number of units to request, filled using ``DefaultTargetCapacityType`` .
+            '''The number of units to request, filled using the default target capacity type.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ec2fleet-targetcapacityspecificationrequest.html#cfn-ec2-ec2fleet-targetcapacityspecificationrequest-totaltargetcapacity
             '''
@@ -12629,7 +12694,7 @@ class CfnEC2Fleet(
 
         @builtins.property
         def default_target_capacity_type(self) -> typing.Optional[builtins.str]:
-            '''The default ``TotalTargetCapacity`` , which is either ``Spot`` or ``On-Demand`` .
+            '''The default target capacity type.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ec2fleet-targetcapacityspecificationrequest.html#cfn-ec2-ec2fleet-targetcapacityspecificationrequest-defaulttargetcapacitytype
             '''
@@ -12656,9 +12721,9 @@ class CfnEC2Fleet(
 
         @builtins.property
         def target_capacity_unit_type(self) -> typing.Optional[builtins.str]:
-            '''The unit for the target capacity. ``TargetCapacityUnitType`` can only be specified when ``InstanceRequirements`` is specified.
+            '''The unit for the target capacity. You can specify this parameter only when using attributed-based instance type selection.
 
-            Default: ``units`` (translates to number of instances)
+            Default: ``units`` (the number of instances)
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ec2fleet-targetcapacityspecificationrequest.html#cfn-ec2-ec2fleet-targetcapacityspecificationrequest-targetcapacityunittype
             '''
@@ -18551,11 +18616,11 @@ class CfnInstance(
         :param security_group_ids: The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template. If you specify a network interface, you must specify any security groups as part of the network interface.
         :param security_groups: [Default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead. You cannot specify this option and the network interfaces option in the same request. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template. Default: Amazon EC2 uses the default security group.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
-        :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can currently associate only one document with an instance.
+        :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can associate only one document with an instance.
         :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface.
         :param tags: The tags to add to the instance. These tags are not applied to the EBS volumes, such as the root volume, unless `PropagateTagsToVolumeOnCreation <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation>`_ is ``true`` .
         :param tenancy: The tenancy of the instance. An instance with a tenancy of ``dedicated`` runs on single-tenant hardware.
-        :param user_data: The user data script to make available to the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . User data runs only at instance launch. For more information, see `Run commands on your Linux instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html>`_ and `Run commands on your Windows instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-windows-user-data.html>`_ .
+        :param user_data: The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . If the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.
         :param volumes: The volumes to attach to the instance.
         '''
         if __debug__:
@@ -18657,6 +18722,14 @@ class CfnInstance(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrInstanceId")
+    def attr_instance_id(self) -> builtins.str:
+        '''
+        :cloudformationAttribute: InstanceId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrInstanceId"))
+
     @builtins.property
     @jsii.member(jsii_name="attrPrivateDnsName")
     def attr_private_dns_name(self) -> builtins.str:
@@ -19320,7 +19393,7 @@ class CfnInstance(
     @builtins.property
     @jsii.member(jsii_name="userData")
     def user_data(self) -> typing.Optional[builtins.str]:
-        '''The user data script to make available to the instance.'''
+        '''The parameters or scripts to store as user data.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "userData"))
 
     @user_data.setter
@@ -20452,7 +20525,7 @@ class CfnInstance(
 
             :param device_index: The position of the network interface in the attachment order. A primary network interface has a device index of 0. If you create a network interface when launching an instance, you must specify the device index.
             :param associate_carrier_ip_address: Indicates whether to assign a carrier IP address to the network interface. You can only assign a carrier IP address to a network interface that is in a subnet in a Wavelength Zone. For more information about carrier IP addresses, see `Carrier IP address <https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip>`_ in the *AWS Wavelength Developer Guide* .
-            :param associate_public_ip_address: Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is ``true`` .
+            :param associate_public_ip_address: Indicates whether to assign a public IPv4 address to an instance. Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is ``true`` . Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
             :param delete_on_termination: Indicates whether the network interface is deleted when the instance is terminated. Applies only if creating a network interface when launching an instance.
             :param description: The description of the network interface. Applies only if creating a network interface when launching an instance.
             :param group_set: The IDs of the security groups for the network interface. Applies only if creating a network interface when launching an instance.
@@ -20574,6 +20647,8 @@ class CfnInstance(
 
             Applies only if creating a network interface when launching an instance. The network interface must be the primary network interface. If launching into a default subnet, the default value is ``true`` .
 
+            Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-networkinterface.html#cfn-ec2-instance-networkinterface-associatepublicipaddress
             '''
             result = self._values.get("associate_public_ip_address")
@@ -21517,11 +21592,11 @@ class CfnInstanceProps:
         :param security_group_ids: The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template. If you specify a network interface, you must specify any security groups as part of the network interface.
         :param security_groups: [Default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead. You cannot specify this option and the network interfaces option in the same request. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template. Default: Amazon EC2 uses the default security group.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
-        :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can currently associate only one document with an instance.
+        :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can associate only one document with an instance.
         :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface.
         :param tags: The tags to add to the instance. These tags are not applied to the EBS volumes, such as the root volume, unless `PropagateTagsToVolumeOnCreation <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation>`_ is ``true`` .
         :param tenancy: The tenancy of the instance. An instance with a tenancy of ``dedicated`` runs on single-tenant hardware.
-        :param user_data: The user data script to make available to the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . User data runs only at instance launch. For more information, see `Run commands on your Linux instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html>`_ and `Run commands on your Windows instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-windows-user-data.html>`_ .
+        :param user_data: The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . If the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.
         :param volumes: The volumes to attach to the instance.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html
@@ -22231,7 +22306,7 @@ class CfnInstanceProps:
 
         .. epigraph::
 
-           You can currently associate only one document with an instance.
+           You can associate only one document with an instance.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-ssmassociations
         '''
@@ -22273,11 +22348,11 @@ class CfnInstanceProps:
 
     @builtins.property
     def user_data(self) -> typing.Optional[builtins.str]:
-        '''The user data script to make available to the instance.
+        '''The parameters or scripts to store as user data.
 
-        User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ .
+        Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ .
 
-        User data runs only at instance launch. For more information, see `Run commands on your Linux instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html>`_ and `Run commands on your Windows instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-windows-user-data.html>`_ .
+        If the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-userdata
         '''
@@ -26561,7 +26636,7 @@ class CfnLaunchTemplate(
             :param http_endpoint: Enables or disables the HTTP metadata endpoint on your instances. If the parameter is not specified, the default state is ``enabled`` . .. epigraph:: If you specify a value of ``disabled`` , you will not be able to access your instance metadata.
             :param http_protocol_ipv6: Enables or disables the IPv6 endpoint for the instance metadata service. Default: ``disabled``
             :param http_put_response_hop_limit: The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Default: ``1`` Possible values: Integers from 1 to 64
-            :param http_tokens: IMDSv2 uses token-backed sessions. Set the use of HTTP tokens to ``optional`` (in other words, set the use of IMDSv2 to ``optional`` ) or ``required`` (in other words, set the use of IMDSv2 to ``required`` ). - ``optional`` - When IMDSv2 is optional, you can choose to retrieve instance metadata with or without a session token in your request. If you retrieve the IAM role credentials without a token, the IMDSv1 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the IMDSv2 role credentials are returned. - ``required`` - When IMDSv2 is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available. Default: ``optional``
+            :param http_tokens: Indicates whether IMDSv2 is required. - ``optional`` - IMDSv2 is optional. You can choose whether to send a session token in your instance metadata retrieval requests. If you retrieve IAM role credentials without a session token, you receive the IMDSv1 role credentials. If you retrieve IAM role credentials using a valid session token, you receive the IMDSv2 role credentials. - ``required`` - IMDSv2 is required. You must send a session token in your instance metadata retrieval requests. With this option, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available. Default: If the value of ``ImdsSupport`` for the Amazon Machine Image (AMI) for your instance is ``v2.0`` , the default is ``required`` .
             :param instance_metadata_tags: Set to ``enabled`` to allow access to instance tags from the instance metadata. Set to ``disabled`` to turn off access to instance tags from the instance metadata. For more information, see `Work with instance tags using the instance metadata <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS>`_ . Default: ``disabled``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-metadataoptions.html
@@ -26642,14 +26717,12 @@ class CfnLaunchTemplate(
 
         @builtins.property
         def http_tokens(self) -> typing.Optional[builtins.str]:
-            '''IMDSv2 uses token-backed sessions.
+            '''Indicates whether IMDSv2 is required.
 
-            Set the use of HTTP tokens to ``optional`` (in other words, set the use of IMDSv2 to ``optional`` ) or ``required`` (in other words, set the use of IMDSv2 to ``required`` ).
+            - ``optional`` - IMDSv2 is optional. You can choose whether to send a session token in your instance metadata retrieval requests. If you retrieve IAM role credentials without a session token, you receive the IMDSv1 role credentials. If you retrieve IAM role credentials using a valid session token, you receive the IMDSv2 role credentials.
+            - ``required`` - IMDSv2 is required. You must send a session token in your instance metadata retrieval requests. With this option, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.
 
-            - ``optional`` - When IMDSv2 is optional, you can choose to retrieve instance metadata with or without a session token in your request. If you retrieve the IAM role credentials without a token, the IMDSv1 role credentials are returned. If you retrieve the IAM role credentials using a valid session token, the IMDSv2 role credentials are returned.
-            - ``required`` - When IMDSv2 is required, you must send a session token with any instance metadata retrieval requests. In this state, retrieving the IAM role credentials always returns IMDSv2 credentials; IMDSv1 credentials are not available.
-
-            Default: ``optional``
+            Default: If the value of ``ImdsSupport`` for the Amazon Machine Image (AMI) for your instance is ``v2.0`` , the default is ``required`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-metadataoptions.html#cfn-ec2-launchtemplate-metadataoptions-httptokens
             '''
@@ -26955,7 +27028,7 @@ class CfnLaunchTemplate(
             ``NetworkInterface`` is a property of `AWS::EC2::LaunchTemplate LaunchTemplateData <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html>`_ .
 
             :param associate_carrier_ip_address: Associates a Carrier IP address with eth0 for a new network interface. Use this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface. For more information about Carrier IP addresses, see `Carrier IP addresses <https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip>`_ in the *AWS Wavelength Developer Guide* .
-            :param associate_public_ip_address: Associates a public IPv4 address with eth0 for a new network interface.
+            :param associate_public_ip_address: Associates a public IPv4 address with eth0 for a new network interface. Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `Amazon VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
             :param connection_tracking_specification: A connection tracking specification for the network interface.
             :param delete_on_termination: Indicates whether the network interface is deleted when the instance is terminated.
             :param description: A description for the network interface.
@@ -27118,6 +27191,8 @@ class CfnLaunchTemplate(
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
             '''Associates a public IPv4 address with eth0 for a new network interface.
 
+            Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `Amazon VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-networkinterface.html#cfn-ec2-launchtemplate-networkinterface-associatepublicipaddress
             '''
             result = self._values.get("associate_public_ip_address")
@@ -38455,6 +38530,7 @@ class CfnRoute(
         
             # the properties below are optional
             carrier_gateway_id="carrierGatewayId",
+            core_network_arn="coreNetworkArn",
             destination_cidr_block="destinationCidrBlock",
             destination_ipv6_cidr_block="destinationIpv6CidrBlock",
             destination_prefix_list_id="destinationPrefixListId",
@@ -38477,6 +38553,7 @@ class CfnRoute(
         *,
         route_table_id: builtins.str,
         carrier_gateway_id: typing.Optional[builtins.str] = None,
+        core_network_arn: typing.Optional[builtins.str] = None,
         destination_cidr_block: typing.Optional[builtins.str] = None,
         destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
         destination_prefix_list_id: typing.Optional[builtins.str] = None,
@@ -38495,6 +38572,7 @@ class CfnRoute(
         :param id: Construct identifier for this resource (unique in its scope).
         :param route_table_id: The ID of the route table for the route.
         :param carrier_gateway_id: The ID of the carrier gateway. You can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.
+        :param core_network_arn: The Amazon Resource Name (ARN) of the core network.
         :param destination_cidr_block: The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify ``100.68.0.18/18`` , we modify it to ``100.68.0.0/18`` .
         :param destination_ipv6_cidr_block: The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.
         :param destination_prefix_list_id: The ID of a prefix list used for the destination match.
@@ -38515,6 +38593,7 @@ class CfnRoute(
         props = CfnRouteProps(
             route_table_id=route_table_id,
             carrier_gateway_id=carrier_gateway_id,
+            core_network_arn=core_network_arn,
             destination_cidr_block=destination_cidr_block,
             destination_ipv6_cidr_block=destination_ipv6_cidr_block,
             destination_prefix_list_id=destination_prefix_list_id,
@@ -38601,6 +38680,19 @@ class CfnRoute(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "carrierGatewayId", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="coreNetworkArn")
+    def core_network_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) of the core network.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "coreNetworkArn"))
+
+    @core_network_arn.setter
+    def core_network_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__535edefe9ec250f819eacd60779bcf6b8d4afa9cd9b9ec8142ddfb03034be5ac)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "coreNetworkArn", value)
+
     @builtins.property
     @jsii.member(jsii_name="destinationCidrBlock")
     def destination_cidr_block(self) -> typing.Optional[builtins.str]:
@@ -38767,6 +38859,7 @@ class CfnRoute(
     name_mapping={
         "route_table_id": "routeTableId",
         "carrier_gateway_id": "carrierGatewayId",
+        "core_network_arn": "coreNetworkArn",
         "destination_cidr_block": "destinationCidrBlock",
         "destination_ipv6_cidr_block": "destinationIpv6CidrBlock",
         "destination_prefix_list_id": "destinationPrefixListId",
@@ -38787,6 +38880,7 @@ class CfnRouteProps:
         *,
         route_table_id: builtins.str,
         carrier_gateway_id: typing.Optional[builtins.str] = None,
+        core_network_arn: typing.Optional[builtins.str] = None,
         destination_cidr_block: typing.Optional[builtins.str] = None,
         destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
         destination_prefix_list_id: typing.Optional[builtins.str] = None,
@@ -38804,6 +38898,7 @@ class CfnRouteProps:
 
         :param route_table_id: The ID of the route table for the route.
         :param carrier_gateway_id: The ID of the carrier gateway. You can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.
+        :param core_network_arn: The Amazon Resource Name (ARN) of the core network.
         :param destination_cidr_block: The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify ``100.68.0.18/18`` , we modify it to ``100.68.0.0/18`` .
         :param destination_ipv6_cidr_block: The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.
         :param destination_prefix_list_id: The ID of a prefix list used for the destination match.
@@ -38831,6 +38926,7 @@ class CfnRouteProps:
             
                 # the properties below are optional
                 carrier_gateway_id="carrierGatewayId",
+                core_network_arn="coreNetworkArn",
                 destination_cidr_block="destinationCidrBlock",
                 destination_ipv6_cidr_block="destinationIpv6CidrBlock",
                 destination_prefix_list_id="destinationPrefixListId",
@@ -38849,6 +38945,7 @@ class CfnRouteProps:
             type_hints = typing.get_type_hints(_typecheckingstub__f90e7814d59b7c562ab4b24d54461eba6a4c88fbd5451ba2b2b0adf8441a452e)
             check_type(argname="argument route_table_id", value=route_table_id, expected_type=type_hints["route_table_id"])
             check_type(argname="argument carrier_gateway_id", value=carrier_gateway_id, expected_type=type_hints["carrier_gateway_id"])
+            check_type(argname="argument core_network_arn", value=core_network_arn, expected_type=type_hints["core_network_arn"])
             check_type(argname="argument destination_cidr_block", value=destination_cidr_block, expected_type=type_hints["destination_cidr_block"])
             check_type(argname="argument destination_ipv6_cidr_block", value=destination_ipv6_cidr_block, expected_type=type_hints["destination_ipv6_cidr_block"])
             check_type(argname="argument destination_prefix_list_id", value=destination_prefix_list_id, expected_type=type_hints["destination_prefix_list_id"])
@@ -38866,6 +38963,8 @@ class CfnRouteProps:
         }
         if carrier_gateway_id is not None:
             self._values["carrier_gateway_id"] = carrier_gateway_id
+        if core_network_arn is not None:
+            self._values["core_network_arn"] = core_network_arn
         if destination_cidr_block is not None:
             self._values["destination_cidr_block"] = destination_cidr_block
         if destination_ipv6_cidr_block is not None:
@@ -38912,6 +39011,15 @@ class CfnRouteProps:
         result = self._values.get("carrier_gateway_id")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def core_network_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) of the core network.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html#cfn-ec2-route-corenetworkarn
+        '''
+        result = self._values.get("core_network_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def destination_cidr_block(self) -> typing.Optional[builtins.str]:
         '''The IPv4 CIDR address block used for the destination match.
@@ -40090,7 +40198,8 @@ class CfnSecurityGroupEgress(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The Security Group Rule Id.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -41195,6 +41304,172 @@ class CfnSecurityGroupProps:
         )
 
 
+@jsii.implements(_IInspectable_c2943556)
+class CfnSnapshotBlockPublicAccess(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ec2.CfnSnapshotBlockPublicAccess",
+):
+    '''Specifies the state of the *block public access for snapshots* setting for the Region.
+
+    For more information, see `Block public access for snapshots <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-public-access-snapshots.html>`_ .
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-snapshotblockpublicaccess.html
+    :cloudformationResource: AWS::EC2::SnapshotBlockPublicAccess
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_ec2 as ec2
+        
+        cfn_snapshot_block_public_access = ec2.CfnSnapshotBlockPublicAccess(self, "MyCfnSnapshotBlockPublicAccess",
+            state="state"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        state: builtins.str,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param state: The mode in which to enable block public access for snapshots for the Region. Specify one of the following values: - ``block-all-sharing`` - Prevents all public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. Additionally, snapshots that are already publicly shared are treated as private and they are no longer publicly available. .. epigraph:: If you enable block public access for snapshots in ``block-all-sharing`` mode, it does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available. - ``block-new-sharing`` - Prevents only new public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. However, snapshots that are already publicly shared, remain publicly available.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__995a1a5869d618c24a624831b2ad5e725b73ab6134ba003d66411c58faf1187e)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnSnapshotBlockPublicAccessProps(state=state)
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__856438104299447428cd955093ead73bce11b3f11c039205bcd5e194beb9b322)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5986589d73c46b7a96fd8cdffc5dd783512e594c0f96cf249a7577ed130d1c96)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrAccountId")
+    def attr_account_id(self) -> builtins.str:
+        '''``Ref`` returns the ID of the AWS account.
+
+        :cloudformationAttribute: AccountId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrAccountId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="state")
+    def state(self) -> builtins.str:
+        '''The mode in which to enable block public access for snapshots for the Region.'''
+        return typing.cast(builtins.str, jsii.get(self, "state"))
+
+    @state.setter
+    def state(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a4c8cd7c082b41fda937b1f6a6a1a59e489b437d498c2b75a58ae1582086af7b)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "state", value)
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.CfnSnapshotBlockPublicAccessProps",
+    jsii_struct_bases=[],
+    name_mapping={"state": "state"},
+)
+class CfnSnapshotBlockPublicAccessProps:
+    def __init__(self, *, state: builtins.str) -> None:
+        '''Properties for defining a ``CfnSnapshotBlockPublicAccess``.
+
+        :param state: The mode in which to enable block public access for snapshots for the Region. Specify one of the following values: - ``block-all-sharing`` - Prevents all public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. Additionally, snapshots that are already publicly shared are treated as private and they are no longer publicly available. .. epigraph:: If you enable block public access for snapshots in ``block-all-sharing`` mode, it does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available. - ``block-new-sharing`` - Prevents only new public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. However, snapshots that are already publicly shared, remain publicly available.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-snapshotblockpublicaccess.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_ec2 as ec2
+            
+            cfn_snapshot_block_public_access_props = ec2.CfnSnapshotBlockPublicAccessProps(
+                state="state"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e66d65de803363af49ef406b4229988fd2680cccdc692b106aff40a80ff135ad)
+            check_type(argname="argument state", value=state, expected_type=type_hints["state"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "state": state,
+        }
+
+    @builtins.property
+    def state(self) -> builtins.str:
+        '''The mode in which to enable block public access for snapshots for the Region.
+
+        Specify one of the following values:
+
+        - ``block-all-sharing`` - Prevents all public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. Additionally, snapshots that are already publicly shared are treated as private and they are no longer publicly available.
+
+        .. epigraph::
+
+           If you enable block public access for snapshots in ``block-all-sharing`` mode, it does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.
+
+        - ``block-new-sharing`` - Prevents only new public sharing of snapshots in the Region. Users in the account will no longer be able to request new public sharing. However, snapshots that are already publicly shared, remain publicly available.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-snapshotblockpublicaccess.html#cfn-ec2-snapshotblockpublicaccess-state
+        '''
+        result = self._values.get("state")
+        assert result is not None, "Required property 'state' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnSnapshotBlockPublicAccessProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(_IInspectable_c2943556)
 class CfnSpotFleet(
     _CfnResource_9df397a6,
@@ -42495,7 +42770,7 @@ class CfnSpotFleet(
         ) -> None:
             '''Describes a network interface.
 
-            :param associate_public_ip_address: Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is ``true`` .
+            :param associate_public_ip_address: Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is ``true`` . Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `Amazon VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
             :param delete_on_termination: Indicates whether the network interface is deleted when the instance is terminated.
             :param description: The description of the network interface. Applies only if creating a network interface when launching an instance.
             :param device_index: The position of the network interface in the attachment order. A primary network interface has a device index of 0. If you specify a network interface when launching an instance, you must specify the device index.
@@ -42582,6 +42857,8 @@ class CfnSpotFleet(
 
             The public IP address can only be assigned to a network interface for eth0, and can only be assigned to a new network interface, not an existing one. You cannot specify more than one network interface in the request. If launching into a default subnet, the default value is ``true`` .
 
+            Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `Amazon VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-instancenetworkinterfacespecification.html#cfn-ec2-spotfleet-instancenetworkinterfacespecification-associatepublicipaddress
             '''
             result = self._values.get("associate_public_ip_address")
@@ -44879,7 +45156,7 @@ class CfnSpotFleet(
             :param spot_max_total_price: The maximum amount per hour for Spot Instances that you're willing to pay. You can use the ``spotMaxTotalPrice`` parameter, the ``onDemandMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity. .. epigraph:: If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``spotMaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``spotMaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
             :param spot_price: The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price. .. epigraph:: If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.
             :param tag_specifications: The key-value pair for tagging the Spot Fleet request on creation. The value for ``ResourceType`` must be ``spot-fleet-request`` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ (valid only if you use ``LaunchTemplateConfigs`` ) or in the ``[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)`` (valid only if you use ``LaunchSpecifications`` ). For information about tagging after launch, see `Tag your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
-            :param target_capacity_unit_type: The unit for the target capacity. ``TargetCapacityUnitType`` can only be specified when ``InstanceRequirements`` is specified. Default: ``units`` (translates to number of instances)
+            :param target_capacity_unit_type: The unit for the target capacity. You can specify this parameter only when using attribute-based instance type selection. Default: ``units`` (the number of instances)
             :param terminate_instances_with_expiration: Indicates whether running Spot Instances are terminated when the Spot Fleet request expires.
             :param type: The type of request. Indicates whether the Spot Fleet only requests the target capacity or also attempts to maintain it. When this value is ``request`` , the Spot Fleet only places the required requests. It does not attempt to replenish Spot Instances if capacity is diminished, nor does it submit requests in alternative Spot pools if capacity is not available. When this value is ``maintain`` , the Spot Fleet maintains the target capacity. The Spot Fleet places the required requests to meet capacity and automatically replenishes any interrupted instances. Default: ``maintain`` . ``instant`` is listed but is not used by Spot Fleet.
             :param valid_from: The start date and time of the request, in UTC format ( *YYYY* - *MM* - *DD* T *HH* : *MM* : *SS* Z). By default, Amazon EC2 starts fulfilling the request immediately.
@@ -45433,9 +45710,9 @@ class CfnSpotFleet(
 
         @builtins.property
         def target_capacity_unit_type(self) -> typing.Optional[builtins.str]:
-            '''The unit for the target capacity. ``TargetCapacityUnitType`` can only be specified when ``InstanceRequirements`` is specified.
+            '''The unit for the target capacity. You can specify this parameter only when using attribute-based instance type selection.
 
-            Default: ``units`` (translates to number of instances)
+            Default: ``units`` (the number of instances)
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetrequestconfigdata.html#cfn-ec2-spotfleet-spotfleetrequestconfigdata-targetcapacityunittype
             '''
@@ -46368,7 +46645,7 @@ class CfnSubnet(
         :param ipv6_cidr_block: The IPv6 CIDR block. If you specify ``AssignIpv6AddressOnCreation`` , you must also specify ``Ipv6CidrBlock`` .
         :param ipv6_native: Indicates whether this is an IPv6 only subnet. For more information, see `Subnet basics <https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#subnet-basics>`_ in the *Amazon Virtual Private Cloud User Guide* .
         :param ipv6_netmask_length: An IPv6 netmask length for the subnet.
-        :param map_public_ip_on_launch: Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is ``false`` .
+        :param map_public_ip_on_launch: Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is ``false`` . Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
         :param outpost_arn: The Amazon Resource Name (ARN) of the Outpost.
         :param private_dns_name_options_on_launch: The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries to the instances should be handled. For more information, see `Amazon EC2 instance hostname types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html>`_ in the *Amazon Elastic Compute Cloud User Guide* . Available options: - EnableResourceNameDnsAAAARecord (true | false) - EnableResourceNameDnsARecord (true | false) - HostnameType (ip-name | resource-name)
         :param tags: Any tags assigned to the subnet.
@@ -46666,7 +46943,10 @@ class CfnSubnet(
     def map_public_ip_on_launch(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Indicates whether instances launched in this subnet receive a public IPv4 address.'''
+        '''Indicates whether instances launched in this subnet receive a public IPv4 address.
+
+        The default value is ``false`` .
+        '''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "mapPublicIpOnLaunch"))
 
     @map_public_ip_on_launch.setter
@@ -47253,7 +47533,7 @@ class CfnSubnetProps:
         :param ipv6_cidr_block: The IPv6 CIDR block. If you specify ``AssignIpv6AddressOnCreation`` , you must also specify ``Ipv6CidrBlock`` .
         :param ipv6_native: Indicates whether this is an IPv6 only subnet. For more information, see `Subnet basics <https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#subnet-basics>`_ in the *Amazon Virtual Private Cloud User Guide* .
         :param ipv6_netmask_length: An IPv6 netmask length for the subnet.
-        :param map_public_ip_on_launch: Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is ``false`` .
+        :param map_public_ip_on_launch: Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is ``false`` . Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
         :param outpost_arn: The Amazon Resource Name (ARN) of the Outpost.
         :param private_dns_name_options_on_launch: The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries to the instances should be handled. For more information, see `Amazon EC2 instance hostname types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html>`_ in the *Amazon Elastic Compute Cloud User Guide* . Available options: - EnableResourceNameDnsAAAARecord (true | false) - EnableResourceNameDnsARecord (true | false) - HostnameType (ip-name | resource-name)
         :param tags: Any tags assigned to the subnet.
@@ -47452,9 +47732,9 @@ class CfnSubnetProps:
     def map_public_ip_on_launch(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Indicates whether instances launched in this subnet receive a public IPv4 address.
+        '''Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is ``false`` .
 
-        The default value is ``false`` .
+        Starting on February 1, 2024, AWS will charge for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the `VPC pricing page <https://docs.aws.amazon.com/vpc/pricing/>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch
         '''
@@ -65926,6 +66206,52 @@ class _IIpAddressesProxy:
 typing.cast(typing.Any, IIpAddresses).__jsii_proxy_class__ = lambda : _IIpAddressesProxy
 
 
+@jsii.interface(jsii_type="aws-cdk-lib.aws_ec2.IKeyPair")
+class IKeyPair(_IResource_c80c4260, typing_extensions.Protocol):
+    '''An EC2 Key Pair.'''
+
+    @builtins.property
+    @jsii.member(jsii_name="keyPairName")
+    def key_pair_name(self) -> builtins.str:
+        '''The name of the key pair.
+
+        :attribute: true
+        '''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="type")
+    def type(self) -> typing.Optional["KeyPairType"]:
+        '''The type of the key pair.'''
+        ...
+
+
+class _IKeyPairProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''An EC2 Key Pair.'''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_ec2.IKeyPair"
+
+    @builtins.property
+    @jsii.member(jsii_name="keyPairName")
+    def key_pair_name(self) -> builtins.str:
+        '''The name of the key pair.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "keyPairName"))
+
+    @builtins.property
+    @jsii.member(jsii_name="type")
+    def type(self) -> typing.Optional["KeyPairType"]:
+        '''The type of the key pair.'''
+        return typing.cast(typing.Optional["KeyPairType"], jsii.get(self, "type"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IKeyPair).__jsii_proxy_class__ = lambda : _IKeyPairProxy
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_ec2.ILaunchTemplate")
 class ILaunchTemplate(_IResource_c80c4260, typing_extensions.Protocol):
     '''Interface for LaunchTemplate-like objects.'''
@@ -70013,6 +70339,7 @@ class Instance(
         init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         instance_name: typing.Optional[builtins.str] = None,
         key_name: typing.Optional[builtins.str] = None,
+        key_pair: typing.Optional[IKeyPair] = None,
         private_ip_address: typing.Optional[builtins.str] = None,
         propagate_tags_to_volume_on_creation: typing.Optional[builtins.bool] = None,
         require_imdsv2: typing.Optional[builtins.bool] = None,
@@ -70039,7 +70366,8 @@ class Instance(
         :param init: Apply the given CloudFormation Init configuration to the instance at startup. Default: - no CloudFormation init
         :param init_options: Use the given options for applying CloudFormation Init. Describes the configsets to use and the timeout to wait Default: - default options
         :param instance_name: The name of the instance. Default: - CDK generated name
-        :param key_name: Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param private_ip_address: Defines a private IP address to associate with an instance. Private IP should be available within the VPC that the instance is build within. Default: - no association
         :param propagate_tags_to_volume_on_creation: Propagate the EC2 instance tags to the EBS volumes. Default: - false
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
@@ -70069,6 +70397,7 @@ class Instance(
             init_options=init_options,
             instance_name=instance_name,
             key_name=key_name,
+            key_pair=key_pair,
             private_ip_address=private_ip_address,
             propagate_tags_to_volume_on_creation=propagate_tags_to_volume_on_creation,
             require_imdsv2=require_imdsv2,
@@ -70760,6 +71089,7 @@ class InstanceInitiatedShutdownBehavior(enum.Enum):
         "init_options": "initOptions",
         "instance_name": "instanceName",
         "key_name": "keyName",
+        "key_pair": "keyPair",
         "private_ip_address": "privateIpAddress",
         "propagate_tags_to_volume_on_creation": "propagateTagsToVolumeOnCreation",
         "require_imdsv2": "requireImdsv2",
@@ -70789,6 +71119,7 @@ class InstanceProps:
         init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         instance_name: typing.Optional[builtins.str] = None,
         key_name: typing.Optional[builtins.str] = None,
+        key_pair: typing.Optional[IKeyPair] = None,
         private_ip_address: typing.Optional[builtins.str] = None,
         propagate_tags_to_volume_on_creation: typing.Optional[builtins.bool] = None,
         require_imdsv2: typing.Optional[builtins.bool] = None,
@@ -70814,7 +71145,8 @@ class InstanceProps:
         :param init: Apply the given CloudFormation Init configuration to the instance at startup. Default: - no CloudFormation init
         :param init_options: Use the given options for applying CloudFormation Init. Describes the configsets to use and the timeout to wait Default: - default options
         :param instance_name: The name of the instance. Default: - CDK generated name
-        :param key_name: Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param private_ip_address: Defines a private IP address to associate with an instance. Private IP should be available within the VPC that the instance is build within. Default: - no association
         :param propagate_tags_to_volume_on_creation: Propagate the EC2 instance tags to the EBS volumes. Default: - false
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
@@ -70864,6 +71196,7 @@ class InstanceProps:
             check_type(argname="argument init_options", value=init_options, expected_type=type_hints["init_options"])
             check_type(argname="argument instance_name", value=instance_name, expected_type=type_hints["instance_name"])
             check_type(argname="argument key_name", value=key_name, expected_type=type_hints["key_name"])
+            check_type(argname="argument key_pair", value=key_pair, expected_type=type_hints["key_pair"])
             check_type(argname="argument private_ip_address", value=private_ip_address, expected_type=type_hints["private_ip_address"])
             check_type(argname="argument propagate_tags_to_volume_on_creation", value=propagate_tags_to_volume_on_creation, expected_type=type_hints["propagate_tags_to_volume_on_creation"])
             check_type(argname="argument require_imdsv2", value=require_imdsv2, expected_type=type_hints["require_imdsv2"])
@@ -70898,6 +71231,8 @@ class InstanceProps:
             self._values["instance_name"] = instance_name
         if key_name is not None:
             self._values["key_name"] = key_name
+        if key_pair is not None:
+            self._values["key_pair"] = key_pair
         if private_ip_address is not None:
             self._values["private_ip_address"] = private_ip_address
         if propagate_tags_to_volume_on_creation is not None:
@@ -71029,13 +71364,26 @@ class InstanceProps:
 
     @builtins.property
     def key_name(self) -> typing.Optional[builtins.str]:
-        '''Name of SSH keypair to grant access to instance.
+        '''(deprecated) Name of SSH keypair to grant access to instance.
 
         :default: - No SSH access will be possible.
+
+        :deprecated: - Use {@link keyPair } instead
+
+        :stability: deprecated
         '''
         result = self._values.get("key_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def key_pair(self) -> typing.Optional[IKeyPair]:
+        '''The SSH keypair to grant access to the instance.
+
+        :default: - No SSH access will be possible.
+        '''
+        result = self._values.get("key_pair")
+        return typing.cast(typing.Optional[IKeyPair], result)
+
     @builtins.property
     def private_ip_address(self) -> typing.Optional[builtins.str]:
         '''Defines a private IP address to associate with an instance.
@@ -73202,6 +73550,485 @@ class IpAddresses(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.IpAddr
         return typing.cast(IIpAddresses, jsii.sinvoke(cls, "cidr", [cidr_block]))
 
 
+@jsii.implements(IKeyPair)
+class KeyPair(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ec2.KeyPair",
+):
+    '''An EC2 Key Pair.
+
+    :resource: AWS::EC2::KeyPair
+    :exampleMetadata: infused
+
+    Example::
+
+        key_pair = ec2.KeyPair.from_key_pair_attributes(self, "KeyPair",
+            key_pair_name="the-keypair-name",
+            type=ec2.KeyPairType.RSA
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        format: typing.Optional["KeyPairFormat"] = None,
+        key_pair_name: typing.Optional[builtins.str] = None,
+        public_key_material: typing.Optional[builtins.str] = None,
+        type: typing.Optional["KeyPairType"] = None,
+        account: typing.Optional[builtins.str] = None,
+        environment_from_arn: typing.Optional[builtins.str] = None,
+        physical_name: typing.Optional[builtins.str] = None,
+        region: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param format: The format of the key pair. Default: PEM
+        :param key_pair_name: A unique name for the key pair. Default: A generated name
+        :param public_key_material: The public key material. If this is provided the key is considered "imported". For imported keys, it is assumed that you already have the private key material so the private key material will not be returned or stored in AWS Systems Manager Parameter Store. Default: a public and private key will be generated
+        :param type: The type of key pair. Default: RSA (ignored if keyMaterial is provided)
+        :param account: The AWS account ID this resource belongs to. Default: - the resource is in the same account as the stack it belongs to
+        :param environment_from_arn: ARN to deduce region and account from. The ARN is parsed and the account and region are taken from the ARN. This should be used for imported resources. Cannot be supplied together with either ``account`` or ``region``. Default: - take environment from ``account``, ``region`` parameters, or use Stack environment.
+        :param physical_name: The value passed in by users to the physical name prop of the resource. - ``undefined`` implies that a physical name will be allocated by CloudFormation during deployment. - a concrete value implies a specific physical name - ``PhysicalName.GENERATE_IF_NEEDED`` is a marker that indicates that a physical will only be generated by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation. Default: - The physical name will be allocated by CloudFormation at deployment time
+        :param region: The AWS region this resource belongs to. Default: - the resource is in the same region as the stack it belongs to
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__723c12f80f8f69703f74949dec0a4305b19d6d27efff9d36830815d8e604283c)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = KeyPairProps(
+            format=format,
+            key_pair_name=key_pair_name,
+            public_key_material=public_key_material,
+            type=type,
+            account=account,
+            environment_from_arn=environment_from_arn,
+            physical_name=physical_name,
+            region=region,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromKeyPairAttributes")
+    @builtins.classmethod
+    def from_key_pair_attributes(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        key_pair_name: builtins.str,
+        type: typing.Optional["KeyPairType"] = None,
+    ) -> IKeyPair:
+        '''Imports a key pair with a name and optional type.
+
+        :param scope: -
+        :param id: -
+        :param key_pair_name: The unique name of the key pair.
+        :param type: The type of the key pair. Default: no type specified
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__12d377269b610c395f1583e904a11636e952288b5e3f85a3cc1d865eb21f7715)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        attrs = KeyPairAttributes(key_pair_name=key_pair_name, type=type)
+
+        return typing.cast(IKeyPair, jsii.sinvoke(cls, "fromKeyPairAttributes", [scope, id, attrs]))
+
+    @jsii.member(jsii_name="fromKeyPairName")
+    @builtins.classmethod
+    def from_key_pair_name(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        key_pair_name: builtins.str,
+    ) -> IKeyPair:
+        '''Imports a key pair based on the name.
+
+        :param scope: -
+        :param id: -
+        :param key_pair_name: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7bcad8d69b7ac63eda9832fb42b2e78a5f5570d5ccd5ac181f25d55202b6f74c)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument key_pair_name", value=key_pair_name, expected_type=type_hints["key_pair_name"])
+        return typing.cast(IKeyPair, jsii.sinvoke(cls, "fromKeyPairName", [scope, id, key_pair_name]))
+
+    @builtins.property
+    @jsii.member(jsii_name="format")
+    def format(self) -> "KeyPairFormat":
+        '''The format of the key pair.'''
+        return typing.cast("KeyPairFormat", jsii.get(self, "format"))
+
+    @builtins.property
+    @jsii.member(jsii_name="hasImportedMaterial")
+    def has_imported_material(self) -> builtins.bool:
+        '''Whether the key material was imported.
+
+        Keys with imported material do not have their private key material stored
+        or returned automatically.
+        '''
+        return typing.cast(builtins.bool, jsii.get(self, "hasImportedMaterial"))
+
+    @builtins.property
+    @jsii.member(jsii_name="keyPairFingerprint")
+    def key_pair_fingerprint(self) -> builtins.str:
+        '''The fingerprint of the key pair.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "keyPairFingerprint"))
+
+    @builtins.property
+    @jsii.member(jsii_name="keyPairId")
+    def key_pair_id(self) -> builtins.str:
+        '''The unique ID of the key pair.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "keyPairId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="keyPairName")
+    def key_pair_name(self) -> builtins.str:
+        '''The unique name of the key pair.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "keyPairName"))
+
+    @builtins.property
+    @jsii.member(jsii_name="privateKey")
+    def private_key(self) -> _IStringParameter_f2b707f9:
+        '''The Systems Manager Parameter Store parameter with the pair's private key material.'''
+        return typing.cast(_IStringParameter_f2b707f9, jsii.get(self, "privateKey"))
+
+    @builtins.property
+    @jsii.member(jsii_name="type")
+    def type(self) -> typing.Optional["KeyPairType"]:
+        '''The type of the key pair.'''
+        return typing.cast(typing.Optional["KeyPairType"], jsii.get(self, "type"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.KeyPairAttributes",
+    jsii_struct_bases=[],
+    name_mapping={"key_pair_name": "keyPairName", "type": "type"},
+)
+class KeyPairAttributes:
+    def __init__(
+        self,
+        *,
+        key_pair_name: builtins.str,
+        type: typing.Optional["KeyPairType"] = None,
+    ) -> None:
+        '''Attributes of a Key Pair.
+
+        :param key_pair_name: The unique name of the key pair.
+        :param type: The type of the key pair. Default: no type specified
+
+        :exampleMetadata: infused
+
+        Example::
+
+            key_pair = ec2.KeyPair.from_key_pair_attributes(self, "KeyPair",
+                key_pair_name="the-keypair-name",
+                type=ec2.KeyPairType.RSA
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1c0b1d2207b185c203475dcfffe01485ff1d6dd460f5c0308f88afbd59667178)
+            check_type(argname="argument key_pair_name", value=key_pair_name, expected_type=type_hints["key_pair_name"])
+            check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "key_pair_name": key_pair_name,
+        }
+        if type is not None:
+            self._values["type"] = type
+
+    @builtins.property
+    def key_pair_name(self) -> builtins.str:
+        '''The unique name of the key pair.'''
+        result = self._values.get("key_pair_name")
+        assert result is not None, "Required property 'key_pair_name' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def type(self) -> typing.Optional["KeyPairType"]:
+        '''The type of the key pair.
+
+        :default: no type specified
+        '''
+        result = self._values.get("type")
+        return typing.cast(typing.Optional["KeyPairType"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "KeyPairAttributes(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_ec2.KeyPairFormat")
+class KeyPairFormat(enum.Enum):
+    '''The format of the Key Pair.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # vpc: ec2.Vpc
+        # instance_type: ec2.InstanceType
+        
+        
+        key_pair = ec2.KeyPair(self, "KeyPair",
+            type=ec2.KeyPairType.ED25519,
+            format=ec2.KeyPairFormat.PEM
+        )
+        instance = ec2.Instance(self, "Instance",
+            vpc=vpc,
+            instance_type=instance_type,
+            machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+            # Use the custom key pair
+            key_pair=key_pair
+        )
+    '''
+
+    PPK = "PPK"
+    '''A PPK file, typically used with PuTTY.'''
+    PEM = "PEM"
+    '''A PEM file.'''
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.KeyPairProps",
+    jsii_struct_bases=[_ResourceProps_15a65b4e],
+    name_mapping={
+        "account": "account",
+        "environment_from_arn": "environmentFromArn",
+        "physical_name": "physicalName",
+        "region": "region",
+        "format": "format",
+        "key_pair_name": "keyPairName",
+        "public_key_material": "publicKeyMaterial",
+        "type": "type",
+    },
+)
+class KeyPairProps(_ResourceProps_15a65b4e):
+    def __init__(
+        self,
+        *,
+        account: typing.Optional[builtins.str] = None,
+        environment_from_arn: typing.Optional[builtins.str] = None,
+        physical_name: typing.Optional[builtins.str] = None,
+        region: typing.Optional[builtins.str] = None,
+        format: typing.Optional[KeyPairFormat] = None,
+        key_pair_name: typing.Optional[builtins.str] = None,
+        public_key_material: typing.Optional[builtins.str] = None,
+        type: typing.Optional["KeyPairType"] = None,
+    ) -> None:
+        '''The properties of a Key Pair.
+
+        :param account: The AWS account ID this resource belongs to. Default: - the resource is in the same account as the stack it belongs to
+        :param environment_from_arn: ARN to deduce region and account from. The ARN is parsed and the account and region are taken from the ARN. This should be used for imported resources. Cannot be supplied together with either ``account`` or ``region``. Default: - take environment from ``account``, ``region`` parameters, or use Stack environment.
+        :param physical_name: The value passed in by users to the physical name prop of the resource. - ``undefined`` implies that a physical name will be allocated by CloudFormation during deployment. - a concrete value implies a specific physical name - ``PhysicalName.GENERATE_IF_NEEDED`` is a marker that indicates that a physical will only be generated by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation. Default: - The physical name will be allocated by CloudFormation at deployment time
+        :param region: The AWS region this resource belongs to. Default: - the resource is in the same region as the stack it belongs to
+        :param format: The format of the key pair. Default: PEM
+        :param key_pair_name: A unique name for the key pair. Default: A generated name
+        :param public_key_material: The public key material. If this is provided the key is considered "imported". For imported keys, it is assumed that you already have the private key material so the private key material will not be returned or stored in AWS Systems Manager Parameter Store. Default: a public and private key will be generated
+        :param type: The type of key pair. Default: RSA (ignored if keyMaterial is provided)
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # vpc: ec2.Vpc
+            # instance_type: ec2.InstanceType
+            
+            
+            key_pair = ec2.KeyPair(self, "KeyPair",
+                type=ec2.KeyPairType.ED25519,
+                format=ec2.KeyPairFormat.PEM
+            )
+            instance = ec2.Instance(self, "Instance",
+                vpc=vpc,
+                instance_type=instance_type,
+                machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+                # Use the custom key pair
+                key_pair=key_pair
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7af23eb9509f044383945f68d46a72f0c94f0542177c255d3d31b42f5e9aa98c)
+            check_type(argname="argument account", value=account, expected_type=type_hints["account"])
+            check_type(argname="argument environment_from_arn", value=environment_from_arn, expected_type=type_hints["environment_from_arn"])
+            check_type(argname="argument physical_name", value=physical_name, expected_type=type_hints["physical_name"])
+            check_type(argname="argument region", value=region, expected_type=type_hints["region"])
+            check_type(argname="argument format", value=format, expected_type=type_hints["format"])
+            check_type(argname="argument key_pair_name", value=key_pair_name, expected_type=type_hints["key_pair_name"])
+            check_type(argname="argument public_key_material", value=public_key_material, expected_type=type_hints["public_key_material"])
+            check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if account is not None:
+            self._values["account"] = account
+        if environment_from_arn is not None:
+            self._values["environment_from_arn"] = environment_from_arn
+        if physical_name is not None:
+            self._values["physical_name"] = physical_name
+        if region is not None:
+            self._values["region"] = region
+        if format is not None:
+            self._values["format"] = format
+        if key_pair_name is not None:
+            self._values["key_pair_name"] = key_pair_name
+        if public_key_material is not None:
+            self._values["public_key_material"] = public_key_material
+        if type is not None:
+            self._values["type"] = type
+
+    @builtins.property
+    def account(self) -> typing.Optional[builtins.str]:
+        '''The AWS account ID this resource belongs to.
+
+        :default: - the resource is in the same account as the stack it belongs to
+        '''
+        result = self._values.get("account")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def environment_from_arn(self) -> typing.Optional[builtins.str]:
+        '''ARN to deduce region and account from.
+
+        The ARN is parsed and the account and region are taken from the ARN.
+        This should be used for imported resources.
+
+        Cannot be supplied together with either ``account`` or ``region``.
+
+        :default: - take environment from ``account``, ``region`` parameters, or use Stack environment.
+        '''
+        result = self._values.get("environment_from_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def physical_name(self) -> typing.Optional[builtins.str]:
+        '''The value passed in by users to the physical name prop of the resource.
+
+        - ``undefined`` implies that a physical name will be allocated by
+          CloudFormation during deployment.
+        - a concrete value implies a specific physical name
+        - ``PhysicalName.GENERATE_IF_NEEDED`` is a marker that indicates that a physical will only be generated
+          by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+        :default: - The physical name will be allocated by CloudFormation at deployment time
+        '''
+        result = self._values.get("physical_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def region(self) -> typing.Optional[builtins.str]:
+        '''The AWS region this resource belongs to.
+
+        :default: - the resource is in the same region as the stack it belongs to
+        '''
+        result = self._values.get("region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def format(self) -> typing.Optional[KeyPairFormat]:
+        '''The format of the key pair.
+
+        :default: PEM
+        '''
+        result = self._values.get("format")
+        return typing.cast(typing.Optional[KeyPairFormat], result)
+
+    @builtins.property
+    def key_pair_name(self) -> typing.Optional[builtins.str]:
+        '''A unique name for the key pair.
+
+        :default: A generated name
+        '''
+        result = self._values.get("key_pair_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def public_key_material(self) -> typing.Optional[builtins.str]:
+        '''The public key material.
+
+        If this is provided the key is considered "imported". For imported
+        keys, it is assumed that you already have the private key material
+        so the private key material will not be returned or stored in
+        AWS Systems Manager Parameter Store.
+
+        :default: a public and private key will be generated
+        '''
+        result = self._values.get("public_key_material")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def type(self) -> typing.Optional["KeyPairType"]:
+        '''The type of key pair.
+
+        :default: RSA (ignored if keyMaterial is provided)
+        '''
+        result = self._values.get("type")
+        return typing.cast(typing.Optional["KeyPairType"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "KeyPairProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_ec2.KeyPairType")
+class KeyPairType(enum.Enum):
+    '''The type of the key pair.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # vpc: ec2.Vpc
+        # instance_type: ec2.InstanceType
+        
+        
+        key_pair = ec2.KeyPair(self, "KeyPair",
+            type=ec2.KeyPairType.ED25519,
+            format=ec2.KeyPairFormat.PEM
+        )
+        instance = ec2.Instance(self, "Instance",
+            vpc=vpc,
+            instance_type=instance_type,
+            machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+            # Use the custom key pair
+            key_pair=key_pair
+        )
+    '''
+
+    RSA = "RSA"
+    '''An RSA key.'''
+    ED25519 = "ED25519"
+    '''An ED25519 key.
+
+    Note that ED25519 keys are not supported for Windows instances.
+    '''
+
+
 @jsii.implements(ILaunchTemplate, _IGrantable_71c4f5de, IConnectable)
 class LaunchTemplate(
     _Resource_45bc6135,
@@ -73254,6 +74081,7 @@ class LaunchTemplate(
         instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
         instance_type: typing.Optional[InstanceType] = None,
         key_name: typing.Optional[builtins.str] = None,
+        key_pair: typing.Optional[IKeyPair] = None,
         launch_template_name: typing.Optional[builtins.str] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         nitro_enclave_enabled: typing.Optional[builtins.bool] = None,
@@ -73281,7 +74109,8 @@ class LaunchTemplate(
         :param instance_metadata_tags: Set to enabled to allow access to instance tags from the instance metadata. Set to disabled to turn off access to instance tags from the instance metadata. Default: false
         :param instance_profile: The instance profile used to pass role information to EC2 instances. Note: You can provide an instanceProfile or a role, but not both. Default: - No instance profile
         :param instance_type: Type of instance to launch. Default: - This Launch Template does not specify a default Instance Type.
-        :param key_name: Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_pair: The SSK keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param launch_template_name: Name for this launch template. Default: Automatically generated name
         :param machine_image: The AMI that will be used by instances. Default: - This Launch Template does not specify a default AMI.
         :param nitro_enclave_enabled: If this parameter is set to true, the instance is enabled for AWS Nitro Enclaves; otherwise, it is not enabled for AWS Nitro Enclaves. Default: - Enablement of Nitro enclaves is not specified in the launch template; defaulting to false.
@@ -73312,6 +74141,7 @@ class LaunchTemplate(
             instance_profile=instance_profile,
             instance_type=instance_type,
             key_name=key_name,
+            key_pair=key_pair,
             launch_template_name=launch_template_name,
             machine_image=machine_image,
             nitro_enclave_enabled=nitro_enclave_enabled,
@@ -73619,6 +74449,7 @@ class LaunchTemplateHttpTokens(enum.Enum):
         "instance_profile": "instanceProfile",
         "instance_type": "instanceType",
         "key_name": "keyName",
+        "key_pair": "keyPair",
         "launch_template_name": "launchTemplateName",
         "machine_image": "machineImage",
         "nitro_enclave_enabled": "nitroEnclaveEnabled",
@@ -73649,6 +74480,7 @@ class LaunchTemplateProps:
         instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
         instance_type: typing.Optional[InstanceType] = None,
         key_name: typing.Optional[builtins.str] = None,
+        key_pair: typing.Optional[IKeyPair] = None,
         launch_template_name: typing.Optional[builtins.str] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         nitro_enclave_enabled: typing.Optional[builtins.bool] = None,
@@ -73675,7 +74507,8 @@ class LaunchTemplateProps:
         :param instance_metadata_tags: Set to enabled to allow access to instance tags from the instance metadata. Set to disabled to turn off access to instance tags from the instance metadata. Default: false
         :param instance_profile: The instance profile used to pass role information to EC2 instances. Note: You can provide an instanceProfile or a role, but not both. Default: - No instance profile
         :param instance_type: Type of instance to launch. Default: - This Launch Template does not specify a default Instance Type.
-        :param key_name: Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_pair: The SSK keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param launch_template_name: Name for this launch template. Default: Automatically generated name
         :param machine_image: The AMI that will be used by instances. Default: - This Launch Template does not specify a default AMI.
         :param nitro_enclave_enabled: If this parameter is set to true, the instance is enabled for AWS Nitro Enclaves; otherwise, it is not enabled for AWS Nitro Enclaves. Default: - Enablement of Nitro enclaves is not specified in the launch template; defaulting to false.
@@ -73726,6 +74559,7 @@ class LaunchTemplateProps:
             check_type(argname="argument instance_profile", value=instance_profile, expected_type=type_hints["instance_profile"])
             check_type(argname="argument instance_type", value=instance_type, expected_type=type_hints["instance_type"])
             check_type(argname="argument key_name", value=key_name, expected_type=type_hints["key_name"])
+            check_type(argname="argument key_pair", value=key_pair, expected_type=type_hints["key_pair"])
             check_type(argname="argument launch_template_name", value=launch_template_name, expected_type=type_hints["launch_template_name"])
             check_type(argname="argument machine_image", value=machine_image, expected_type=type_hints["machine_image"])
             check_type(argname="argument nitro_enclave_enabled", value=nitro_enclave_enabled, expected_type=type_hints["nitro_enclave_enabled"])
@@ -73767,6 +74601,8 @@ class LaunchTemplateProps:
             self._values["instance_type"] = instance_type
         if key_name is not None:
             self._values["key_name"] = key_name
+        if key_pair is not None:
+            self._values["key_pair"] = key_pair
         if launch_template_name is not None:
             self._values["launch_template_name"] = launch_template_name
         if machine_image is not None:
@@ -73961,13 +74797,26 @@ class LaunchTemplateProps:
 
     @builtins.property
     def key_name(self) -> typing.Optional[builtins.str]:
-        '''Name of SSH keypair to grant access to instance.
+        '''(deprecated) Name of SSH keypair to grant access to instance.
 
         :default: - No SSH access will be possible.
+
+        :deprecated: - Use ``keyPair`` instead.
+
+        :stability: deprecated
         '''
         result = self._values.get("key_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def key_pair(self) -> typing.Optional[IKeyPair]:
+        '''The SSK keypair to grant access to the instance.
+
+        :default: - No SSH access will be possible.
+        '''
+        result = self._values.get("key_pair")
+        return typing.cast(typing.Optional[IKeyPair], result)
+
     @builtins.property
     def launch_template_name(self) -> typing.Optional[builtins.str]:
         '''Name for this launch template.
@@ -75872,6 +76721,7 @@ class NatInstanceImage(
         "instance_type": "instanceType",
         "default_allowed_traffic": "defaultAllowedTraffic",
         "key_name": "keyName",
+        "key_pair": "keyPair",
         "machine_image": "machineImage",
         "security_group": "securityGroup",
     },
@@ -75883,6 +76733,7 @@ class NatInstanceProps:
         instance_type: InstanceType,
         default_allowed_traffic: typing.Optional["NatTrafficDirection"] = None,
         key_name: typing.Optional[builtins.str] = None,
+        key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
     ) -> None:
@@ -75890,7 +76741,8 @@ class NatInstanceProps:
 
         :param instance_type: Instance type of the NAT instance.
         :param default_allowed_traffic: Direction to allow all traffic through the NAT instance by default. By default, inbound and outbound traffic is allowed. If you set this to another value than INBOUND_AND_OUTBOUND, you must configure the NAT instance's security groups in another way, either by passing in a fully configured Security Group using the ``securityGroup`` property, or by configuring it using the ``.securityGroup`` or ``.connections`` members after passing the NAT Instance Provider to a Vpc. Default: NatTrafficDirection.INBOUND_AND_OUTBOUND
-        :param key_name: Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
 
@@ -75915,6 +76767,7 @@ class NatInstanceProps:
             check_type(argname="argument instance_type", value=instance_type, expected_type=type_hints["instance_type"])
             check_type(argname="argument default_allowed_traffic", value=default_allowed_traffic, expected_type=type_hints["default_allowed_traffic"])
             check_type(argname="argument key_name", value=key_name, expected_type=type_hints["key_name"])
+            check_type(argname="argument key_pair", value=key_pair, expected_type=type_hints["key_pair"])
             check_type(argname="argument machine_image", value=machine_image, expected_type=type_hints["machine_image"])
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -75924,6 +76777,8 @@ class NatInstanceProps:
             self._values["default_allowed_traffic"] = default_allowed_traffic
         if key_name is not None:
             self._values["key_name"] = key_name
+        if key_pair is not None:
+            self._values["key_pair"] = key_pair
         if machine_image is not None:
             self._values["machine_image"] = machine_image
         if security_group is not None:
@@ -75955,13 +76810,26 @@ class NatInstanceProps:
 
     @builtins.property
     def key_name(self) -> typing.Optional[builtins.str]:
-        '''Name of SSH keypair to grant access to instance.
+        '''(deprecated) Name of SSH keypair to grant access to instance.
 
         :default: - No SSH access will be possible.
+
+        :deprecated: - Use ``keyPair`` instead.
+
+        :stability: deprecated
         '''
         result = self._values.get("key_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def key_pair(self) -> typing.Optional[IKeyPair]:
+        '''The SSH keypair to grant access to the instance.
+
+        :default: - No SSH access will be possible.
+        '''
+        result = self._values.get("key_pair")
+        return typing.cast(typing.Optional[IKeyPair], result)
+
     @builtins.property
     def machine_image(self) -> typing.Optional[IMachineImage]:
         '''The machine image (AMI) to use.
@@ -76059,6 +76927,7 @@ class NatProvider(
         instance_type: InstanceType,
         default_allowed_traffic: typing.Optional["NatTrafficDirection"] = None,
         key_name: typing.Optional[builtins.str] = None,
+        key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
     ) -> "NatInstanceProvider":
@@ -76072,7 +76941,8 @@ class NatProvider(
 
         :param instance_type: Instance type of the NAT instance.
         :param default_allowed_traffic: Direction to allow all traffic through the NAT instance by default. By default, inbound and outbound traffic is allowed. If you set this to another value than INBOUND_AND_OUTBOUND, you must configure the NAT instance's security groups in another way, either by passing in a fully configured Security Group using the ``securityGroup`` property, or by configuring it using the ``.securityGroup`` or ``.connections`` members after passing the NAT Instance Provider to a Vpc. Default: NatTrafficDirection.INBOUND_AND_OUTBOUND
-        :param key_name: Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
 
@@ -76082,6 +76952,7 @@ class NatProvider(
             instance_type=instance_type,
             default_allowed_traffic=default_allowed_traffic,
             key_name=key_name,
+            key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
         )
@@ -88101,13 +88972,15 @@ class NatInstanceProvider(
         instance_type: InstanceType,
         default_allowed_traffic: typing.Optional[NatTrafficDirection] = None,
         key_name: typing.Optional[builtins.str] = None,
+        key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
     ) -> None:
         '''
         :param instance_type: Instance type of the NAT instance.
         :param default_allowed_traffic: Direction to allow all traffic through the NAT instance by default. By default, inbound and outbound traffic is allowed. If you set this to another value than INBOUND_AND_OUTBOUND, you must configure the NAT instance's security groups in another way, either by passing in a fully configured Security Group using the ``securityGroup`` property, or by configuring it using the ``.securityGroup`` or ``.connections`` members after passing the NAT Instance Provider to a Vpc. Default: NatTrafficDirection.INBOUND_AND_OUTBOUND
-        :param key_name: Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
+        :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
         :param security_group: Security Group for NAT instances. Default: - A new security group will be created
         '''
@@ -88115,6 +88988,7 @@ class NatInstanceProvider(
             instance_type=instance_type,
             default_allowed_traffic=default_allowed_traffic,
             key_name=key_name,
+            key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
         )
@@ -90004,6 +90878,8 @@ __all__ = [
     "CfnSecurityGroupIngress",
     "CfnSecurityGroupIngressProps",
     "CfnSecurityGroupProps",
+    "CfnSnapshotBlockPublicAccess",
+    "CfnSnapshotBlockPublicAccessProps",
     "CfnSpotFleet",
     "CfnSpotFleetProps",
     "CfnSubnet",
@@ -90146,6 +91022,7 @@ __all__ = [
     "IInterfaceVpcEndpoint",
     "IInterfaceVpcEndpointService",
     "IIpAddresses",
+    "IKeyPair",
     "ILaunchTemplate",
     "IMachineImage",
     "INetworkAcl",
@@ -90200,6 +91077,11 @@ __all__ = [
     "InterfaceVpcEndpointProps",
     "InterfaceVpcEndpointService",
     "IpAddresses",
+    "KeyPair",
+    "KeyPairAttributes",
+    "KeyPairFormat",
+    "KeyPairProps",
+    "KeyPairType",
     "LaunchTemplate",
     "LaunchTemplateAttributes",
     "LaunchTemplateHttpTokens",
@@ -95255,6 +96137,7 @@ def _typecheckingstub__418aadfc2c6984f0ac75cd67e36ca76f23d9cf7bc23846cf55d7b3cdb
     *,
     route_table_id: builtins.str,
     carrier_gateway_id: typing.Optional[builtins.str] = None,
+    core_network_arn: typing.Optional[builtins.str] = None,
     destination_cidr_block: typing.Optional[builtins.str] = None,
     destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
     destination_prefix_list_id: typing.Optional[builtins.str] = None,
@@ -95295,6 +96178,12 @@ def _typecheckingstub__355c5c80f08453332882507836cf0441e37ed4a5c9fa46ef1c415dd73
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__535edefe9ec250f819eacd60779bcf6b8d4afa9cd9b9ec8142ddfb03034be5ac(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__1ae05f819fd9822a84fcac1033a9bd983835b0e75eb0d432aa89d5973585cc3e(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -95371,6 +96260,7 @@ def _typecheckingstub__f90e7814d59b7c562ab4b24d54461eba6a4c88fbd5451ba2b2b0adf84
     *,
     route_table_id: builtins.str,
     carrier_gateway_id: typing.Optional[builtins.str] = None,
+    core_network_arn: typing.Optional[builtins.str] = None,
     destination_cidr_block: typing.Optional[builtins.str] = None,
     destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
     destination_prefix_list_id: typing.Optional[builtins.str] = None,
@@ -95753,6 +96643,40 @@ def _typecheckingstub__a21c9d7bd7156fd2dd5a288945bbf548f4ab7a9ee07ba36ecb2062ab6
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__995a1a5869d618c24a624831b2ad5e725b73ab6134ba003d66411c58faf1187e(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    state: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__856438104299447428cd955093ead73bce11b3f11c039205bcd5e194beb9b322(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5986589d73c46b7a96fd8cdffc5dd783512e594c0f96cf249a7577ed130d1c96(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a4c8cd7c082b41fda937b1f6a6a1a59e489b437d498c2b75a58ae1582086af7b(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e66d65de803363af49ef406b4229988fd2680cccdc692b106aff40a80ff135ad(
+    *,
+    state: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__507ab221d4bf8e8520b22850e0df945eba1ce8da26b5b5f4800e98249ec0bb9c(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -99966,6 +100890,7 @@ def _typecheckingstub__5fdf31f5ae2497c7efcb56df558011698f38dc19cff28ca7a78a08a6d
     init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     instance_name: typing.Optional[builtins.str] = None,
     key_name: typing.Optional[builtins.str] = None,
+    key_pair: typing.Optional[IKeyPair] = None,
     private_ip_address: typing.Optional[builtins.str] = None,
     propagate_tags_to_volume_on_creation: typing.Optional[builtins.bool] = None,
     require_imdsv2: typing.Optional[builtins.bool] = None,
@@ -100013,6 +100938,7 @@ def _typecheckingstub__2d4dc63c6e6ee3ddc68d5dd204d8ac5ef1f1dec37a7b84d636225df1c
     init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     instance_name: typing.Optional[builtins.str] = None,
     key_name: typing.Optional[builtins.str] = None,
+    key_pair: typing.Optional[IKeyPair] = None,
     private_ip_address: typing.Optional[builtins.str] = None,
     propagate_tags_to_volume_on_creation: typing.Optional[builtins.bool] = None,
     require_imdsv2: typing.Optional[builtins.bool] = None,
@@ -100123,6 +101049,62 @@ def _typecheckingstub__712e8cdff0857893172d9de86affb30950183e037ef537789198de8ca
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__723c12f80f8f69703f74949dec0a4305b19d6d27efff9d36830815d8e604283c(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    format: typing.Optional[KeyPairFormat] = None,
+    key_pair_name: typing.Optional[builtins.str] = None,
+    public_key_material: typing.Optional[builtins.str] = None,
+    type: typing.Optional[KeyPairType] = None,
+    account: typing.Optional[builtins.str] = None,
+    environment_from_arn: typing.Optional[builtins.str] = None,
+    physical_name: typing.Optional[builtins.str] = None,
+    region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__12d377269b610c395f1583e904a11636e952288b5e3f85a3cc1d865eb21f7715(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    key_pair_name: builtins.str,
+    type: typing.Optional[KeyPairType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7bcad8d69b7ac63eda9832fb42b2e78a5f5570d5ccd5ac181f25d55202b6f74c(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    key_pair_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1c0b1d2207b185c203475dcfffe01485ff1d6dd460f5c0308f88afbd59667178(
+    *,
+    key_pair_name: builtins.str,
+    type: typing.Optional[KeyPairType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7af23eb9509f044383945f68d46a72f0c94f0542177c255d3d31b42f5e9aa98c(
+    *,
+    account: typing.Optional[builtins.str] = None,
+    environment_from_arn: typing.Optional[builtins.str] = None,
+    physical_name: typing.Optional[builtins.str] = None,
+    region: typing.Optional[builtins.str] = None,
+    format: typing.Optional[KeyPairFormat] = None,
+    key_pair_name: typing.Optional[builtins.str] = None,
+    public_key_material: typing.Optional[builtins.str] = None,
+    type: typing.Optional[KeyPairType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__544aef11081ec87047935491f75a3d5bc9d5075de77f96969bd2ffd1a0d78cc9(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -100143,6 +101125,7 @@ def _typecheckingstub__544aef11081ec87047935491f75a3d5bc9d5075de77f96969bd2ffd1a
     instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
     instance_type: typing.Optional[InstanceType] = None,
     key_name: typing.Optional[builtins.str] = None,
+    key_pair: typing.Optional[IKeyPair] = None,
     launch_template_name: typing.Optional[builtins.str] = None,
     machine_image: typing.Optional[IMachineImage] = None,
     nitro_enclave_enabled: typing.Optional[builtins.bool] = None,
@@ -100199,6 +101182,7 @@ def _typecheckingstub__e2ebb1bf0fbb2f9e894169a610cd9fb7cc3f827d34d3a10351bd2f517
     instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
     instance_type: typing.Optional[InstanceType] = None,
     key_name: typing.Optional[builtins.str] = None,
+    key_pair: typing.Optional[IKeyPair] = None,
     launch_template_name: typing.Optional[builtins.str] = None,
     machine_image: typing.Optional[IMachineImage] = None,
     nitro_enclave_enabled: typing.Optional[builtins.bool] = None,
@@ -100390,6 +101374,7 @@ def _typecheckingstub__d7c7c717447859e1ccc181bc97f7752cc3f7fa7afaee4c3a4266eeac3
     instance_type: InstanceType,
     default_allowed_traffic: typing.Optional[NatTrafficDirection] = None,
     key_name: typing.Optional[builtins.str] = None,
+    key_pair: typing.Optional[IKeyPair] = None,
     machine_image: typing.Optional[IMachineImage] = None,
     security_group: typing.Optional[ISecurityGroup] = None,
 ) -> None: