aws-cdk-lib 2.115.0__py3-none-any.whl → 2.116.1__py3-none-any.whl

aws_cdk/aws_cloudtrail/__init__.py

@@ -781,8 +781,8 @@ class CfnEventDataStore(
         :param id: Construct identifier for this resource (unique in its scope).
         :param advanced_event_selectors: The advanced event selectors to use to select the events for the data store. You can configure up to five advanced event selectors for each event data store. For more information about how to use advanced event selectors to log CloudTrail events, see `Log events by using advanced event selectors <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-advanced>`_ in the CloudTrail User Guide. For more information about how to use advanced event selectors to include AWS Config configuration items in your event data store, see `Create an event data store for AWS Config configuration items <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-eds-config>`_ in the CloudTrail User Guide. For more information about how to use advanced event selectors to include non- AWS events in your event data store, see `Create an integration to log events from outside AWS <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-integration>`_ in the CloudTrail User Guide.
         :param billing_mode: The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store. The following are the possible values: - ``EXTENDABLE_RETENTION_PRICING`` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days. - ``FIXED_RETENTION_PRICING`` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days. The default value is ``EXTENDABLE_RETENTION_PRICING`` . For more information about CloudTrail pricing, see `AWS CloudTrail Pricing <https://docs.aws.amazon.com/cloudtrail/pricing/>`_ and `Managing CloudTrail Lake costs <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html>`_ .
-        :param federation_enabled: Indicates whether federation is enabled on an event data store.
-        :param federation_role_arn: The ARN of the role used for event data store federation.
+        :param federation_enabled: Indicates if `Lake query federation <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html>`_ is enabled. By default, Lake query federation is disabled. You cannot delete an event data store if Lake query federation is enabled.
+        :param federation_role_arn: If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store. The federation role must exist in your account and provide the `required minimum permissions <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role>`_ .
         :param ingestion_enabled: Specifies whether the event data store should start ingesting live events. The default is true.
         :param insights_destination: The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. For more information, see `Create an event data store for CloudTrail Insights events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-insights.html>`_ .
         :param insight_selectors: A JSON string that contains the Insights types you want to log on an event data store. ``ApiCallRateInsight`` and ``ApiErrorRateInsight`` are valid Insight types. The ``ApiCallRateInsight`` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume. The ``ApiErrorRateInsight`` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.
@@ -930,7 +930,7 @@ class CfnEventDataStore(
     def federation_enabled(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Indicates whether federation is enabled on an event data store.'''
+        '''Indicates if `Lake query federation <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html>`_ is enabled. By default, Lake query federation is disabled. You cannot delete an event data store if Lake query federation is enabled.'''
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "federationEnabled"))
 
     @federation_enabled.setter
@@ -946,7 +946,7 @@ class CfnEventDataStore(
     @builtins.property
     @jsii.member(jsii_name="federationRoleArn")
     def federation_role_arn(self) -> typing.Optional[builtins.str]:
-        '''The ARN of the role used for event data store federation.'''
+        '''If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "federationRoleArn"))
 
     @federation_role_arn.setter
@@ -1234,7 +1234,7 @@ class CfnEventDataStore(
         ) -> None:
             '''A single selector statement in an advanced event selector.
 
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::CloudFront:KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. - ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>`` When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>`` When resources.type equals ``AWS::CloudFront:KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>`` When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>`` When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>`` When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>`` When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::CloudFront:KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. - ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>`` When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>`` When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>`` When resources.type equals ``AWS::CloudFront:KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>`` When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>`` When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>`` When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>`` When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>`` When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>`` When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>`` When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>`` When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -1317,6 +1317,7 @@ class CfnEventDataStore(
             - ``AWS::DynamoDB::Table``
             - ``AWS::Lambda::Function``
             - ``AWS::S3::Object``
+            - ``AWS::B2BI::Transformer``
             - ``AWS::Bedrock::AgentAlias``
             - ``AWS::Bedrock::KnowledgeBase``
             - ``AWS::CloudFront:KeyValueStore``
@@ -1337,6 +1338,10 @@ class CfnEventDataStore(
             - ``AWS::MedicalImaging::Datastore``
             - ``AWS::NeptuneGraph::Graph``
             - ``AWS::PCAConnectorAD::Connector``
+            - ``AWS::QBusiness::Application``
+            - ``AWS::QBusiness::DataSource``
+            - ``AWS::QBusiness::Index``
+            - ``AWS::QBusiness::WebExperience``
             - ``AWS::SageMaker::Endpoint``
             - ``AWS::SageMaker::ExperimentTrialComponent``
             - ``AWS::SageMaker::FeatureGroup``
@@ -1349,6 +1354,8 @@ class CfnEventDataStore(
             - ``AWS::S3ObjectLambda::AccessPoint``
             - ``AWS::S3Outposts::Object``
             - ``AWS::SSMMessages::ControlChannel``
+            - ``AWS::ThinClient::Device``
+            - ``AWS::ThinClient::Environment``
             - ``AWS::Timestream::Database``
             - ``AWS::Timestream::Table``
             - ``AWS::VerifiedPermissions::PolicyStore``
@@ -1370,6 +1377,10 @@ class CfnEventDataStore(
 
             - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>``
 
+            When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>``
+
             When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
 
             - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>``
@@ -1450,6 +1461,22 @@ class CfnEventDataStore(
 
             - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>``
 
+            When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>``
+
+            When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>``
+
+            When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>``
+
+            When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>``
+
             When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
 
             - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>``
@@ -1499,6 +1526,14 @@ class CfnEventDataStore(
 
             - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>``
 
+            When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>``
+
+            When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>``
+
             When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
 
             - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>``
@@ -1687,8 +1722,8 @@ class CfnEventDataStoreProps:
 
         :param advanced_event_selectors: The advanced event selectors to use to select the events for the data store. You can configure up to five advanced event selectors for each event data store. For more information about how to use advanced event selectors to log CloudTrail events, see `Log events by using advanced event selectors <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-advanced>`_ in the CloudTrail User Guide. For more information about how to use advanced event selectors to include AWS Config configuration items in your event data store, see `Create an event data store for AWS Config configuration items <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-eds-config>`_ in the CloudTrail User Guide. For more information about how to use advanced event selectors to include non- AWS events in your event data store, see `Create an integration to log events from outside AWS <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-lake-cli.html#lake-cli-create-integration>`_ in the CloudTrail User Guide.
         :param billing_mode: The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store. The following are the possible values: - ``EXTENDABLE_RETENTION_PRICING`` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days. - ``FIXED_RETENTION_PRICING`` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days. The default value is ``EXTENDABLE_RETENTION_PRICING`` . For more information about CloudTrail pricing, see `AWS CloudTrail Pricing <https://docs.aws.amazon.com/cloudtrail/pricing/>`_ and `Managing CloudTrail Lake costs <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html>`_ .
-        :param federation_enabled: Indicates whether federation is enabled on an event data store.
-        :param federation_role_arn: The ARN of the role used for event data store federation.
+        :param federation_enabled: Indicates if `Lake query federation <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html>`_ is enabled. By default, Lake query federation is disabled. You cannot delete an event data store if Lake query federation is enabled.
+        :param federation_role_arn: If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store. The federation role must exist in your account and provide the `required minimum permissions <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role>`_ .
         :param ingestion_enabled: Specifies whether the event data store should start ingesting live events. The default is true.
         :param insights_destination: The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. For more information, see `Create an event data store for CloudTrail Insights events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-insights.html>`_ .
         :param insight_selectors: A JSON string that contains the Insights types you want to log on an event data store. ``ApiCallRateInsight`` and ``ApiErrorRateInsight`` are valid Insight types. The ``ApiCallRateInsight`` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume. The ``ApiErrorRateInsight`` Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.
@@ -1833,7 +1868,7 @@ class CfnEventDataStoreProps:
     def federation_enabled(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Indicates whether federation is enabled on an event data store.
+        '''Indicates if `Lake query federation <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html>`_ is enabled. By default, Lake query federation is disabled. You cannot delete an event data store if Lake query federation is enabled.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-eventdatastore.html#cfn-cloudtrail-eventdatastore-federationenabled
         '''
@@ -1842,7 +1877,9 @@ class CfnEventDataStoreProps:
 
     @builtins.property
     def federation_role_arn(self) -> typing.Optional[builtins.str]:
-        '''The ARN of the role used for event data store federation.
+        '''If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.
+
+        The federation role must exist in your account and provide the `required minimum permissions <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-eventdatastore.html#cfn-cloudtrail-eventdatastore-federationrolearn
         '''
@@ -2764,7 +2801,7 @@ class CfnTrail(
         ) -> None:
             '''A single selector statement in an advanced event selector.
 
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::CloudFront:KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. - ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>`` When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>`` When resources.type equals ``AWS::CloudFront:KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>`` When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>`` When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>`` When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>`` When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::CloudFront:KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. - ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>`` When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>`` When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>`` When resources.type equals ``AWS::CloudFront:KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>`` When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>`` When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>`` When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>`` When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>`` When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>`` When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>`` When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>`` When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -2847,6 +2884,7 @@ class CfnTrail(
             - ``AWS::DynamoDB::Table``
             - ``AWS::Lambda::Function``
             - ``AWS::S3::Object``
+            - ``AWS::B2BI::Transformer``
             - ``AWS::Bedrock::AgentAlias``
             - ``AWS::Bedrock::KnowledgeBase``
             - ``AWS::CloudFront:KeyValueStore``
@@ -2867,6 +2905,10 @@ class CfnTrail(
             - ``AWS::MedicalImaging::Datastore``
             - ``AWS::NeptuneGraph::Graph``
             - ``AWS::PCAConnectorAD::Connector``
+            - ``AWS::QBusiness::Application``
+            - ``AWS::QBusiness::DataSource``
+            - ``AWS::QBusiness::Index``
+            - ``AWS::QBusiness::WebExperience``
             - ``AWS::SageMaker::Endpoint``
             - ``AWS::SageMaker::ExperimentTrialComponent``
             - ``AWS::SageMaker::FeatureGroup``
@@ -2879,6 +2921,8 @@ class CfnTrail(
             - ``AWS::S3ObjectLambda::AccessPoint``
             - ``AWS::S3Outposts::Object``
             - ``AWS::SSMMessages::ControlChannel``
+            - ``AWS::ThinClient::Device``
+            - ``AWS::ThinClient::Environment``
             - ``AWS::Timestream::Database``
             - ``AWS::Timestream::Table``
             - ``AWS::VerifiedPermissions::PolicyStore``
@@ -2900,6 +2944,10 @@ class CfnTrail(
 
             - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>``
 
+            When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>``
+
             When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
 
             - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>``
@@ -2980,6 +3028,22 @@ class CfnTrail(
 
             - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>``
 
+            When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>``
+
+            When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>``
+
+            When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>``
+
+            When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>``
+
             When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
 
             - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>``
@@ -3029,6 +3093,14 @@ class CfnTrail(
 
             - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>``
 
+            When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>``
+
+            When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
+
+            - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>``
+
             When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
 
             - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>``
@@ -3148,7 +3220,7 @@ class CfnTrail(
             - The ``Invoke`` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event.
             - The ``Invoke`` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the ``Invoke`` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event.
 
-            :param type: The resource type in which you want to log data events. You can specify the following *basic* event selector resource types: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` The following resource types are only available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see `AdvancedFieldSelector <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html>`_ . - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::CloudFront:KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore``
+            :param type: The resource type in which you want to log data events. You can specify the following *basic* event selector resource types: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` The following resource types are only available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see `AdvancedFieldSelector <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html>`_ . - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::CloudFront:KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore``
             :param values: An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified objects. - To log data events for all objects in all S3 buckets in your AWS account , specify the prefix as ``arn:aws:s3`` . .. epigraph:: This also enables logging of data event activity performed by any user or role in your AWS account , even if that activity is performed on a bucket that belongs to another AWS account . - To log data events for all objects in an S3 bucket, specify the bucket and an empty object prefix such as ``arn:aws:s3:::bucket-1/`` . The trail logs data events for all objects in this S3 bucket. - To log data events for specific objects, specify the S3 bucket and object prefix such as ``arn:aws:s3:::bucket-1/example-images`` . The trail logs data events for objects in this S3 bucket that match the prefix. - To log data events for all Lambda functions in your AWS account , specify the prefix as ``arn:aws:lambda`` . .. epigraph:: This also enables logging of ``Invoke`` activity performed by any user or role in your AWS account , even if that activity is performed on a function that belongs to another AWS account . - To log data events for a specific Lambda function, specify the function ARN. .. epigraph:: Lambda function ARNs are exact. For example, if you specify a function ARN *arn:aws:lambda:us-west-2:111111111111:function:helloworld* , data events will only be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld* . They will not be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld2* . - To log data events for all DynamoDB tables in your AWS account , specify the prefix as ``arn:aws:dynamodb`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-trail-dataresource.html
@@ -3189,6 +3261,7 @@ class CfnTrail(
 
             The following resource types are only available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see `AdvancedFieldSelector <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html>`_ .
 
+            - ``AWS::B2BI::Transformer``
             - ``AWS::Bedrock::AgentAlias``
             - ``AWS::Bedrock::KnowledgeBase``
             - ``AWS::CloudFront:KeyValueStore``
@@ -3209,6 +3282,10 @@ class CfnTrail(
             - ``AWS::MedicalImaging::Datastore``
             - ``AWS::NeptuneGraph::Graph``
             - ``AWS::PCAConnectorAD::Connector``
+            - ``AWS::QBusiness::Application``
+            - ``AWS::QBusiness::DataSource``
+            - ``AWS::QBusiness::Index``
+            - ``AWS::QBusiness::WebExperience``
             - ``AWS::SageMaker::Endpoint``
             - ``AWS::SageMaker::ExperimentTrialComponent``
             - ``AWS::SageMaker::FeatureGroup``
@@ -3221,6 +3298,8 @@ class CfnTrail(
             - ``AWS::S3ObjectLambda::AccessPoint``
             - ``AWS::S3Outposts::Object``
             - ``AWS::SSMMessages::ControlChannel``
+            - ``AWS::ThinClient::Device``
+            - ``AWS::ThinClient::Environment``
             - ``AWS::Timestream::Database``
             - ``AWS::Timestream::Table``
             - ``AWS::VerifiedPermissions::PolicyStore``

aws_cdk/aws_cloudwatch/__init__.py

@@ -5169,13 +5169,13 @@ class CfnMetricStream(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param firehose_arn: The ARN of the Amazon Kinesis Firehose delivery stream to use for this metric stream. This Amazon Kinesis Firehose delivery stream must already exist and must be in the same account as the metric stream.
-        :param output_format: The output format for the stream. Valid values are ``json`` and ``opentelemetry0.7`` For more information about metric stream output formats, see `Metric streams output formats <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html>`_ . This parameter is required.
+        :param output_format: The output format for the stream. Valid values are ``json`` , ``opentelemetry1.0`` and ``opentelemetry0.7`` For more information about metric stream output formats, see `Metric streams output formats <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html>`_ . This parameter is required.
         :param role_arn: The ARN of an IAM role that this metric stream will use to access Amazon Kinesis Firehose resources. This IAM role must already exist and must be in the same account as the metric stream. This IAM role must include the ``firehose:PutRecord`` and ``firehose:PutRecordBatch`` permissions.
         :param exclude_filters: If you specify this parameter, the stream sends metrics from all metric namespaces except for the namespaces that you specify here. You cannot specify both ``IncludeFilters`` and ``ExcludeFilters`` in the same metric stream. When you modify the ``IncludeFilters`` or ``ExcludeFilters`` of an existing metric stream in any way, the metric stream is effectively restarted, so after such a change you will get only the datapoints that have a timestamp after the time of the update.
         :param include_filters: If you specify this parameter, the stream sends only the metrics from the metric namespaces that you specify here. You cannot specify both ``IncludeFilters`` and ``ExcludeFilters`` in the same metric stream. When you modify the ``IncludeFilters`` or ``ExcludeFilters`` of an existing metric stream in any way, the metric stream is effectively restarted, so after such a change you will get only the datapoints that have a timestamp after the time of the update.
         :param include_linked_accounts_metrics: If you are creating a metric stream in a monitoring account, specify ``true`` to include metrics from source accounts that are linked to this monitoring account, in the metric stream. The default is ``false`` . For more information about linking accounts, see `CloudWatch cross-account observability <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html>`_
         :param name: If you are creating a new metric stream, this is the name for the new stream. The name must be different than the names of other metric streams in this account and Region. If you are updating a metric stream, specify the name of that stream here.
-        :param statistics_configurations: By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members. For each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's ``OutputFormat`` . If the ``OutputFormat`` is ``json`` , you can stream any additional statistic that is supported by CloudWatch , listed in `CloudWatch statistics definitions <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html>`_ . If the ``OutputFormat`` is ``opentelemetry0`` .7, you can stream percentile statistics *(p??)* .
+        :param statistics_configurations: By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members. For each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's ``OutputFormat`` . If the ``OutputFormat`` is ``json`` , you can stream any additional statistic that is supported by CloudWatch , listed in `CloudWatch statistics definitions <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html>`_ . If the ``OutputFormat`` is OpenTelemetry, you can stream percentile statistics.
         :param tags: An array of key-value pairs to apply to the metric stream. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
         '''
         if __debug__:
@@ -5676,13 +5676,13 @@ class CfnMetricStreamProps:
         '''Properties for defining a ``CfnMetricStream``.
 
         :param firehose_arn: The ARN of the Amazon Kinesis Firehose delivery stream to use for this metric stream. This Amazon Kinesis Firehose delivery stream must already exist and must be in the same account as the metric stream.
-        :param output_format: The output format for the stream. Valid values are ``json`` and ``opentelemetry0.7`` For more information about metric stream output formats, see `Metric streams output formats <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html>`_ . This parameter is required.
+        :param output_format: The output format for the stream. Valid values are ``json`` , ``opentelemetry1.0`` and ``opentelemetry0.7`` For more information about metric stream output formats, see `Metric streams output formats <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html>`_ . This parameter is required.
         :param role_arn: The ARN of an IAM role that this metric stream will use to access Amazon Kinesis Firehose resources. This IAM role must already exist and must be in the same account as the metric stream. This IAM role must include the ``firehose:PutRecord`` and ``firehose:PutRecordBatch`` permissions.
         :param exclude_filters: If you specify this parameter, the stream sends metrics from all metric namespaces except for the namespaces that you specify here. You cannot specify both ``IncludeFilters`` and ``ExcludeFilters`` in the same metric stream. When you modify the ``IncludeFilters`` or ``ExcludeFilters`` of an existing metric stream in any way, the metric stream is effectively restarted, so after such a change you will get only the datapoints that have a timestamp after the time of the update.
         :param include_filters: If you specify this parameter, the stream sends only the metrics from the metric namespaces that you specify here. You cannot specify both ``IncludeFilters`` and ``ExcludeFilters`` in the same metric stream. When you modify the ``IncludeFilters`` or ``ExcludeFilters`` of an existing metric stream in any way, the metric stream is effectively restarted, so after such a change you will get only the datapoints that have a timestamp after the time of the update.
         :param include_linked_accounts_metrics: If you are creating a metric stream in a monitoring account, specify ``true`` to include metrics from source accounts that are linked to this monitoring account, in the metric stream. The default is ``false`` . For more information about linking accounts, see `CloudWatch cross-account observability <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html>`_
         :param name: If you are creating a new metric stream, this is the name for the new stream. The name must be different than the names of other metric streams in this account and Region. If you are updating a metric stream, specify the name of that stream here.
-        :param statistics_configurations: By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members. For each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's ``OutputFormat`` . If the ``OutputFormat`` is ``json`` , you can stream any additional statistic that is supported by CloudWatch , listed in `CloudWatch statistics definitions <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html>`_ . If the ``OutputFormat`` is ``opentelemetry0`` .7, you can stream percentile statistics *(p??)* .
+        :param statistics_configurations: By default, a metric stream always sends the MAX, MIN, SUM, and SAMPLECOUNT statistics for each metric that is streamed. You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members. For each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's ``OutputFormat`` . If the ``OutputFormat`` is ``json`` , you can stream any additional statistic that is supported by CloudWatch , listed in `CloudWatch statistics definitions <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html>`_ . If the ``OutputFormat`` is OpenTelemetry, you can stream percentile statistics.
         :param tags: An array of key-value pairs to apply to the metric stream. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-metricstream.html
@@ -5772,7 +5772,7 @@ class CfnMetricStreamProps:
     def output_format(self) -> builtins.str:
         '''The output format for the stream.
 
-        Valid values are ``json`` and ``opentelemetry0.7`` For more information about metric stream output formats, see `Metric streams output formats <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html>`_ .
+        Valid values are ``json`` , ``opentelemetry1.0`` and ``opentelemetry0.7`` For more information about metric stream output formats, see `Metric streams output formats <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-metric-streams-formats.html>`_ .
 
         This parameter is required.
 
@@ -5860,7 +5860,7 @@ class CfnMetricStreamProps:
 
         You can use this parameter to have the metric stream also send additional statistics in the stream. This array can have up to 100 members.
 
-        For each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's ``OutputFormat`` . If the ``OutputFormat`` is ``json`` , you can stream any additional statistic that is supported by CloudWatch , listed in `CloudWatch statistics definitions <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html>`_ . If the ``OutputFormat`` is ``opentelemetry0`` .7, you can stream percentile statistics *(p??)* .
+        For each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's ``OutputFormat`` . If the ``OutputFormat`` is ``json`` , you can stream any additional statistic that is supported by CloudWatch , listed in `CloudWatch statistics definitions <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html>`_ . If the ``OutputFormat`` is OpenTelemetry, you can stream percentile statistics.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudwatch-metricstream.html#cfn-cloudwatch-metricstream-statisticsconfigurations
         '''