aws-cdk-lib 2.128.0__py3-none-any.whl → 2.129.0__py3-none-any.whl

aws_cdk/aws_ecs/__init__.py

@@ -635,6 +635,46 @@ task_definition.add_container("windowsservercore",
 )
 ```
 
+### Using Windows authentication with gMSA
+
+Amazon ECS supports Active Directory authentication for Linux containers through a special kind of service account called a group Managed Service Account (gMSA). For more details, please see the [product documentation on how to implement on Windows containers](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html), or this [blog post on how to implement on  Linux containers](https://aws.amazon.com/blogs/containers/using-windows-authentication-with-gmsa-on-linux-containers-on-amazon-ecs/).
+
+There are two types of CredentialSpecs, domained-join or domainless. Both types support creation from a S3 bucket, a SSM parameter, or by directly specifying a location for the file in the constructor.
+
+A domian-joined gMSA container looks like:
+
+```python
+# Make sure the task definition's execution role has permissions to read from the S3 bucket or SSM parameter where the CredSpec file is stored.
+# parameter: ssm.IParameter
+# task_definition: ecs.TaskDefinition
+
+
+# Domain-joined gMSA container from a SSM parameter
+task_definition.add_container("gmsa-domain-joined-container",
+    image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
+    cpu=128,
+    memory_limit_mi_b=256,
+    credential_specs=[ecs.DomainJoinedCredentialSpec.from_ssm_parameter(parameter)]
+)
+```
+
+A domianless gMSA container looks like:
+
+```python
+# Make sure the task definition's execution role has permissions to read from the S3 bucket or SSM parameter where the CredSpec file is stored.
+# bucket: s3.Bucket
+# task_definition: ecs.TaskDefinition
+
+
+# Domainless gMSA container from a S3 bucket object.
+task_definition.add_container("gmsa-domainless-container",
+    image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
+    cpu=128,
+    memory_limit_mi_b=256,
+    credential_specs=[ecs.DomainlessCredentialSpec.from_s3_bucket(bucket, "credSpec")]
+)
+```
+
 ### Using Graviton2 with Fargate
 
 AWS Graviton2 supports AWS Fargate. For more details, please see this [blog post](https://aws.amazon.com/blogs/aws/announcing-aws-graviton2-support-for-aws-fargate-get-up-to-40-better-price-performance-for-your-serverless-containers/)
@@ -1853,6 +1893,7 @@ from .. import (
     Size as _Size_7b441c34,
     SymlinkFollowMode as _SymlinkFollowMode_047ec1f6,
     TagManager as _TagManager_0a598cb3,
+    TimeZone as _TimeZone_cdd72ac9,
     TreeInspector as _TreeInspector_488e0dd5,
 )
 from ..aws_applicationautoscaling import (
@@ -14384,9 +14425,9 @@ class CfnTaskDefinition(
             add: typing.Optional[typing.Sequence[builtins.str]] = None,
             drop: typing.Optional[typing.Sequence[builtins.str]] = None,
         ) -> None:
-            '''The ``KernelCapabilities`` property specifies the Linux capabilities for the container that are added to or dropped from the default configuration that is provided by Docker.
+            '''The Linux capabilities to add or remove from the default Docker configuration for a container defined in the task definition.
 
-            For more information on the default capabilities and the non-default available capabilities, see `Runtime privilege and Linux capabilities <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities>`_ in the *Docker run reference* . For more detailed information on these Linux capabilities, see the `capabilities(7) <https://docs.aws.amazon.com/http://man7.org/linux/man-pages/man7/capabilities.7.html>`_ Linux manual page.
+            For more information about the default capabilities and the non-default available capabilities, see `Runtime privilege and Linux capabilities <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities>`_ in the *Docker run reference* . For more detailed information about these Linux capabilities, see the `capabilities(7) <https://docs.aws.amazon.com/http://man7.org/linux/man-pages/man7/capabilities.7.html>`_ Linux manual page.
 
             :param add: The Linux capabilities for the container that have been added to the default configuration provided by Docker. This parameter maps to ``CapAdd`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--cap-add`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: Tasks launched on AWS Fargate only support adding the ``SYS_PTRACE`` kernel capability. Valid values: ``"ALL" | "AUDIT_CONTROL" | "AUDIT_WRITE" | "BLOCK_SUSPEND" | "CHOWN" | "DAC_OVERRIDE" | "DAC_READ_SEARCH" | "FOWNER" | "FSETID" | "IPC_LOCK" | "IPC_OWNER" | "KILL" | "LEASE" | "LINUX_IMMUTABLE" | "MAC_ADMIN" | "MAC_OVERRIDE" | "MKNOD" | "NET_ADMIN" | "NET_BIND_SERVICE" | "NET_BROADCAST" | "NET_RAW" | "SETFCAP" | "SETGID" | "SETPCAP" | "SETUID" | "SYS_ADMIN" | "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" | "SYS_PACCT" | "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" | "SYS_TTY_CONFIG" | "SYSLOG" | "WAKE_ALARM"``
             :param drop: The Linux capabilities for the container that have been removed from the default configuration provided by Docker. This parameter maps to ``CapDrop`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--cap-drop`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . Valid values: ``"ALL" | "AUDIT_CONTROL" | "AUDIT_WRITE" | "BLOCK_SUSPEND" | "CHOWN" | "DAC_OVERRIDE" | "DAC_READ_SEARCH" | "FOWNER" | "FSETID" | "IPC_LOCK" | "IPC_OWNER" | "KILL" | "LEASE" | "LINUX_IMMUTABLE" | "MAC_ADMIN" | "MAC_OVERRIDE" | "MKNOD" | "NET_ADMIN" | "NET_BIND_SERVICE" | "NET_BROADCAST" | "NET_RAW" | "SETFCAP" | "SETGID" | "SETPCAP" | "SETUID" | "SYS_ADMIN" | "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" | "SYS_PACCT" | "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" | "SYS_TTY_CONFIG" | "SYSLOG" | "WAKE_ALARM"``
@@ -18843,6 +18884,7 @@ class ContainerDefinition(
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence["CredentialSpec"]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -18883,6 +18925,7 @@ class ContainerDefinition(
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -18924,6 +18967,7 @@ class ContainerDefinition(
             command=command,
             container_name=container_name,
             cpu=cpu,
+            credential_specs=credential_specs,
             disable_networking=disable_networking,
             dns_search_domains=dns_search_domains,
             dns_servers=dns_servers,
@@ -19257,6 +19301,12 @@ class ContainerDefinition(
         '''The number of cpu units reserved for the container.'''
         return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "cpu"))
 
+    @builtins.property
+    @jsii.member(jsii_name="credentialSpecs")
+    def credential_specs(self) -> typing.Optional[typing.List["CredentialSpecConfig"]]:
+        '''The crdential specifications for this container.'''
+        return typing.cast(typing.Optional[typing.List["CredentialSpecConfig"]], jsii.get(self, "credentialSpecs"))
+
     @builtins.property
     @jsii.member(jsii_name="environmentFiles")
     def environment_files(
@@ -19298,6 +19348,7 @@ class ContainerDefinition(
         "command": "command",
         "container_name": "containerName",
         "cpu": "cpu",
+        "credential_specs": "credentialSpecs",
         "disable_networking": "disableNetworking",
         "dns_search_domains": "dnsSearchDomains",
         "dns_servers": "dnsServers",
@@ -19338,6 +19389,7 @@ class ContainerDefinitionOptions:
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence["CredentialSpec"]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -19374,6 +19426,7 @@ class ContainerDefinitionOptions:
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -19445,6 +19498,7 @@ class ContainerDefinitionOptions:
             check_type(argname="argument command", value=command, expected_type=type_hints["command"])
             check_type(argname="argument container_name", value=container_name, expected_type=type_hints["container_name"])
             check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
+            check_type(argname="argument credential_specs", value=credential_specs, expected_type=type_hints["credential_specs"])
             check_type(argname="argument disable_networking", value=disable_networking, expected_type=type_hints["disable_networking"])
             check_type(argname="argument dns_search_domains", value=dns_search_domains, expected_type=type_hints["dns_search_domains"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
@@ -19484,6 +19538,8 @@ class ContainerDefinitionOptions:
             self._values["container_name"] = container_name
         if cpu is not None:
             self._values["cpu"] = cpu
+        if credential_specs is not None:
+            self._values["credential_specs"] = credential_specs
         if disable_networking is not None:
             self._values["disable_networking"] = disable_networking
         if dns_search_domains is not None:
@@ -19587,6 +19643,19 @@ class ContainerDefinitionOptions:
         result = self._values.get("cpu")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def credential_specs(self) -> typing.Optional[typing.List["CredentialSpec"]]:
+        '''A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication.
+
+        We recommend that you use this parameter instead of the ``dockerSecurityOptions``.
+
+        Currently, only one credential spec is allowed per container definition.
+
+        :default: - No credential specs.
+        '''
+        result = self._values.get("credential_specs")
+        return typing.cast(typing.Optional[typing.List["CredentialSpec"]], result)
+
     @builtins.property
     def disable_networking(self) -> typing.Optional[builtins.bool]:
         '''Specifies whether networking is disabled within the container.
@@ -19925,6 +19994,7 @@ class ContainerDefinitionOptions:
         "command": "command",
         "container_name": "containerName",
         "cpu": "cpu",
+        "credential_specs": "credentialSpecs",
         "disable_networking": "disableNetworking",
         "dns_search_domains": "dnsSearchDomains",
         "dns_servers": "dnsServers",
@@ -19966,6 +20036,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence["CredentialSpec"]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -20004,6 +20075,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -20047,6 +20119,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
             
             # app_protocol: ecs.AppProtocol
             # container_image: ecs.ContainerImage
+            # credential_spec: ecs.CredentialSpec
             # environment_file: ecs.EnvironmentFile
             # linux_parameters: ecs.LinuxParameters
             # log_driver: ecs.LogDriver
@@ -20061,6 +20134,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
                 command=["command"],
                 container_name="containerName",
                 cpu=123,
+                credential_specs=[credential_spec],
                 disable_networking=False,
                 dns_search_domains=["dnsSearchDomains"],
                 dns_servers=["dnsServers"],
@@ -20133,6 +20207,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
             check_type(argname="argument command", value=command, expected_type=type_hints["command"])
             check_type(argname="argument container_name", value=container_name, expected_type=type_hints["container_name"])
             check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
+            check_type(argname="argument credential_specs", value=credential_specs, expected_type=type_hints["credential_specs"])
             check_type(argname="argument disable_networking", value=disable_networking, expected_type=type_hints["disable_networking"])
             check_type(argname="argument dns_search_domains", value=dns_search_domains, expected_type=type_hints["dns_search_domains"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
@@ -20174,6 +20249,8 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
             self._values["container_name"] = container_name
         if cpu is not None:
             self._values["cpu"] = cpu
+        if credential_specs is not None:
+            self._values["credential_specs"] = credential_specs
         if disable_networking is not None:
             self._values["disable_networking"] = disable_networking
         if dns_search_domains is not None:
@@ -20277,6 +20354,19 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         result = self._values.get("cpu")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def credential_specs(self) -> typing.Optional[typing.List["CredentialSpec"]]:
+        '''A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication.
+
+        We recommend that you use this parameter instead of the ``dockerSecurityOptions``.
+
+        Currently, only one credential spec is allowed per container definition.
+
+        :default: - No credential specs.
+        '''
+        result = self._values.get("credential_specs")
+        return typing.cast(typing.Optional[typing.List["CredentialSpec"]], result)
+
     @builtins.property
     def disable_networking(self) -> typing.Optional[builtins.bool]:
         '''Specifies whether networking is disabled within the container.
@@ -21290,6 +21380,146 @@ class CpuUtilizationScalingProps(_BaseTargetTrackingProps_540ba713):
         )
 
 
+class CredentialSpec(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ecs.CredentialSpec",
+):
+    '''Base construct for a credential specification (CredSpec).
+
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_ecs as ecs
+        
+        credential_spec = ecs.CredentialSpec("prefixId", "fileLocation")
+    '''
+
+    def __init__(self, prefix_id: builtins.str, file_location: builtins.str) -> None:
+        '''
+        :param prefix_id: -
+        :param file_location: Location or ARN from where to retrieve the CredSpec file.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__391919d386090f9ac3aa86dc379e614f3db5fb33b21f6ff1abc79118d879f2b8)
+            check_type(argname="argument prefix_id", value=prefix_id, expected_type=type_hints["prefix_id"])
+            check_type(argname="argument file_location", value=file_location, expected_type=type_hints["file_location"])
+        jsii.create(self.__class__, self, [prefix_id, file_location])
+
+    @jsii.member(jsii_name="arnForS3Object")
+    @builtins.classmethod
+    def arn_for_s3_object(
+        cls,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+    ) -> builtins.str:
+        '''Helper method to generate the ARN for a S3 object.
+
+        Used to avoid duplication of logic in derived classes.
+
+        :param bucket: -
+        :param key: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d920a2dd32552e7bda0ce5cc7f9c3c76e02eb299516c6dd25e088d920e2ad3f6)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+        return typing.cast(builtins.str, jsii.sinvoke(cls, "arnForS3Object", [bucket, key]))
+
+    @jsii.member(jsii_name="arnForSsmParameter")
+    @builtins.classmethod
+    def arn_for_ssm_parameter(cls, parameter: _IParameter_509a0f80) -> builtins.str:
+        '''Helper method to generate the ARN for a SSM parameter.
+
+        Used to avoid duplication of logic in derived classes.
+
+        :param parameter: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__60821aa4ad60367f0902adbe993fc7378a3faa775ceb7588ea079af0e39662ff)
+            check_type(argname="argument parameter", value=parameter, expected_type=type_hints["parameter"])
+        return typing.cast(builtins.str, jsii.sinvoke(cls, "arnForSsmParameter", [parameter]))
+
+    @jsii.member(jsii_name="bind")
+    def bind(self) -> "CredentialSpecConfig":
+        '''Called when the container is initialized to allow this object to bind to the stack.'''
+        return typing.cast("CredentialSpecConfig", jsii.invoke(self, "bind", []))
+
+    @builtins.property
+    @jsii.member(jsii_name="fileLocation")
+    def file_location(self) -> builtins.str:
+        '''Location or ARN from where to retrieve the CredSpec file.'''
+        return typing.cast(builtins.str, jsii.get(self, "fileLocation"))
+
+    @builtins.property
+    @jsii.member(jsii_name="prefixId")
+    def prefix_id(self) -> builtins.str:
+        '''Prefix string based on the type of CredSpec.'''
+        return typing.cast(builtins.str, jsii.get(self, "prefixId"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ecs.CredentialSpecConfig",
+    jsii_struct_bases=[],
+    name_mapping={"location": "location", "type_prefix": "typePrefix"},
+)
+class CredentialSpecConfig:
+    def __init__(self, *, location: builtins.str, type_prefix: builtins.str) -> None:
+        '''Configuration for a credential specification (CredSpec) used for a ECS container.
+
+        :param location: Location of the CredSpec file.
+        :param type_prefix: Prefix used for the CredSpec string.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_ecs as ecs
+            
+            credential_spec_config = ecs.CredentialSpecConfig(
+                location="location",
+                type_prefix="typePrefix"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__544ae4082e3c3e478099774412380391075251238b6b9ee0caf06bcc2244eb31)
+            check_type(argname="argument location", value=location, expected_type=type_hints["location"])
+            check_type(argname="argument type_prefix", value=type_prefix, expected_type=type_hints["type_prefix"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "location": location,
+            "type_prefix": type_prefix,
+        }
+
+    @builtins.property
+    def location(self) -> builtins.str:
+        '''Location of the CredSpec file.'''
+        result = self._values.get("location")
+        assert result is not None, "Required property 'location' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def type_prefix(self) -> builtins.str:
+        '''Prefix used for the CredSpec string.'''
+        result = self._values.get("type_prefix")
+        assert result is not None, "Required property 'type_prefix' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CredentialSpecConfig(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_ecs.DeploymentAlarmOptions",
     jsii_struct_bases=[],
@@ -21781,6 +22011,150 @@ class DockerVolumeConfiguration:
         )
 
 
+class DomainJoinedCredentialSpec(
+    CredentialSpec,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ecs.DomainJoinedCredentialSpec",
+):
+    '''Credential specification (CredSpec) file.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # Make sure the task definition's execution role has permissions to read from the S3 bucket or SSM parameter where the CredSpec file is stored.
+        # parameter: ssm.IParameter
+        # task_definition: ecs.TaskDefinition
+        
+        
+        # Domain-joined gMSA container from a SSM parameter
+        task_definition.add_container("gmsa-domain-joined-container",
+            image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
+            cpu=128,
+            memory_limit_mi_b=256,
+            credential_specs=[ecs.DomainJoinedCredentialSpec.from_ssm_parameter(parameter)]
+        )
+    '''
+
+    def __init__(self, file_location: builtins.str) -> None:
+        '''
+        :param file_location: Location or ARN from where to retrieve the CredSpec file.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__74a7041aa7c44e15b54db11bc6f0846c13a4ab833182edf6cbca8449dcf3e612)
+            check_type(argname="argument file_location", value=file_location, expected_type=type_hints["file_location"])
+        jsii.create(self.__class__, self, [file_location])
+
+    @jsii.member(jsii_name="fromS3Bucket")
+    @builtins.classmethod
+    def from_s3_bucket(
+        cls,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+    ) -> "DomainJoinedCredentialSpec":
+        '''Loads the CredSpec from a S3 bucket object.
+
+        :param bucket: The S3 bucket.
+        :param key: The object key.
+
+        :return: CredSpec with it's locations set to the S3 object's ARN.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__43cea1b75b78653b4276c55fbae915594c59010c5b7887bfa2c3ffac31a62689)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+        return typing.cast("DomainJoinedCredentialSpec", jsii.sinvoke(cls, "fromS3Bucket", [bucket, key]))
+
+    @jsii.member(jsii_name="fromSsmParameter")
+    @builtins.classmethod
+    def from_ssm_parameter(
+        cls,
+        parameter: _IParameter_509a0f80,
+    ) -> "DomainJoinedCredentialSpec":
+        '''Loads the CredSpec from a SSM parameter.
+
+        :param parameter: The SSM parameter.
+
+        :return: CredSpec with it's locations set to the SSM parameter's ARN.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8696be467d8036eb57668114fa81fe11aed2147031c222ae9d037530859d0b30)
+            check_type(argname="argument parameter", value=parameter, expected_type=type_hints["parameter"])
+        return typing.cast("DomainJoinedCredentialSpec", jsii.sinvoke(cls, "fromSsmParameter", [parameter]))
+
+
+class DomainlessCredentialSpec(
+    CredentialSpec,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ecs.DomainlessCredentialSpec",
+):
+    '''Credential specification for domainless gMSA.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # Make sure the task definition's execution role has permissions to read from the S3 bucket or SSM parameter where the CredSpec file is stored.
+        # bucket: s3.Bucket
+        # task_definition: ecs.TaskDefinition
+        
+        
+        # Domainless gMSA container from a S3 bucket object.
+        task_definition.add_container("gmsa-domainless-container",
+            image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
+            cpu=128,
+            memory_limit_mi_b=256,
+            credential_specs=[ecs.DomainlessCredentialSpec.from_s3_bucket(bucket, "credSpec")]
+        )
+    '''
+
+    def __init__(self, file_location: builtins.str) -> None:
+        '''
+        :param file_location: Location or ARN from where to retrieve the CredSpec file.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6fcbd2e86fb4561db5d7bf362efead4d539ef3cc6549ae8983b679350afdce16)
+            check_type(argname="argument file_location", value=file_location, expected_type=type_hints["file_location"])
+        jsii.create(self.__class__, self, [file_location])
+
+    @jsii.member(jsii_name="fromS3Bucket")
+    @builtins.classmethod
+    def from_s3_bucket(
+        cls,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+    ) -> "DomainlessCredentialSpec":
+        '''Loads the CredSpec from a S3 bucket object.
+
+        :param bucket: The S3 bucket.
+        :param key: The object key.
+
+        :return: CredSpec with it's locations set to the S3 object's ARN.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5d224f1efa706f29234b333c8f7f7d5ec8009d752caab42d939101e3e587206e)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+        return typing.cast("DomainlessCredentialSpec", jsii.sinvoke(cls, "fromS3Bucket", [bucket, key]))
+
+    @jsii.member(jsii_name="fromSsmParameter")
+    @builtins.classmethod
+    def from_ssm_parameter(
+        cls,
+        parameter: _IParameter_509a0f80,
+    ) -> "DomainlessCredentialSpec":
+        '''Loads the CredSpec from a SSM parameter.
+
+        :param parameter: The SSM parameter.
+
+        :return: CredSpec with it's locations set to the SSM parameter's ARN.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6f634beca247a8be170631377826bee3090c3455e25aa3e2003763852a5b67a9)
+            check_type(argname="argument parameter", value=parameter, expected_type=type_hints["parameter"])
+        return typing.cast("DomainlessCredentialSpec", jsii.sinvoke(cls, "fromSsmParameter", [parameter]))
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_ecs.EBSTagSpecification",
     jsii_struct_bases=[],
@@ -25826,6 +26200,7 @@ class FirelensLogRouter(
         
         # app_protocol: ecs.AppProtocol
         # container_image: ecs.ContainerImage
+        # credential_spec: ecs.CredentialSpec
         # environment_file: ecs.EnvironmentFile
         # linux_parameters: ecs.LinuxParameters
         # log_driver: ecs.LogDriver
@@ -25850,6 +26225,7 @@ class FirelensLogRouter(
             command=["command"],
             container_name="containerName",
             cpu=123,
+            credential_specs=[credential_spec],
             disable_networking=False,
             dns_search_domains=["dnsSearchDomains"],
             dns_servers=["dnsServers"],
@@ -25926,6 +26302,7 @@ class FirelensLogRouter(
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -25967,6 +26344,7 @@ class FirelensLogRouter(
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -26009,6 +26387,7 @@ class FirelensLogRouter(
             command=command,
             container_name=container_name,
             cpu=cpu,
+            credential_specs=credential_specs,
             disable_networking=disable_networking,
             dns_search_domains=dns_search_domains,
             dns_servers=dns_servers,
@@ -26072,6 +26451,7 @@ class FirelensLogRouter(
         "command": "command",
         "container_name": "containerName",
         "cpu": "cpu",
+        "credential_specs": "credentialSpecs",
         "disable_networking": "disableNetworking",
         "dns_search_domains": "dnsSearchDomains",
         "dns_servers": "dnsServers",
@@ -26113,6 +26493,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -26151,6 +26532,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -26194,6 +26576,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
             
             # app_protocol: ecs.AppProtocol
             # container_image: ecs.ContainerImage
+            # credential_spec: ecs.CredentialSpec
             # environment_file: ecs.EnvironmentFile
             # linux_parameters: ecs.LinuxParameters
             # log_driver: ecs.LogDriver
@@ -26216,6 +26599,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
                 command=["command"],
                 container_name="containerName",
                 cpu=123,
+                credential_specs=[credential_spec],
                 disable_networking=False,
                 dns_search_domains=["dnsSearchDomains"],
                 dns_servers=["dnsServers"],
@@ -26290,6 +26674,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
             check_type(argname="argument command", value=command, expected_type=type_hints["command"])
             check_type(argname="argument container_name", value=container_name, expected_type=type_hints["container_name"])
             check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
+            check_type(argname="argument credential_specs", value=credential_specs, expected_type=type_hints["credential_specs"])
             check_type(argname="argument disable_networking", value=disable_networking, expected_type=type_hints["disable_networking"])
             check_type(argname="argument dns_search_domains", value=dns_search_domains, expected_type=type_hints["dns_search_domains"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
@@ -26331,6 +26716,8 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
             self._values["container_name"] = container_name
         if cpu is not None:
             self._values["cpu"] = cpu
+        if credential_specs is not None:
+            self._values["credential_specs"] = credential_specs
         if disable_networking is not None:
             self._values["disable_networking"] = disable_networking
         if dns_search_domains is not None:
@@ -26434,6 +26821,19 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         result = self._values.get("cpu")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def credential_specs(self) -> typing.Optional[typing.List[CredentialSpec]]:
+        '''A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication.
+
+        We recommend that you use this parameter instead of the ``dockerSecurityOptions``.
+
+        Currently, only one credential spec is allowed per container definition.
+
+        :default: - No credential specs.
+        '''
+        result = self._values.get("credential_specs")
+        return typing.cast(typing.Optional[typing.List[CredentialSpec]], result)
+
     @builtins.property
     def disable_networking(self) -> typing.Optional[builtins.bool]:
         '''Specifies whether networking is disabled within the container.
@@ -26779,6 +27179,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         "command": "command",
         "container_name": "containerName",
         "cpu": "cpu",
+        "credential_specs": "credentialSpecs",
         "disable_networking": "disableNetworking",
         "dns_search_domains": "dnsSearchDomains",
         "dns_servers": "dnsServers",
@@ -26821,6 +27222,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -26860,6 +27262,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -26904,6 +27307,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
             
             # app_protocol: ecs.AppProtocol
             # container_image: ecs.ContainerImage
+            # credential_spec: ecs.CredentialSpec
             # environment_file: ecs.EnvironmentFile
             # linux_parameters: ecs.LinuxParameters
             # log_driver: ecs.LogDriver
@@ -26928,6 +27332,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
                 command=["command"],
                 container_name="containerName",
                 cpu=123,
+                credential_specs=[credential_spec],
                 disable_networking=False,
                 dns_search_domains=["dnsSearchDomains"],
                 dns_servers=["dnsServers"],
@@ -27002,6 +27407,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
             check_type(argname="argument command", value=command, expected_type=type_hints["command"])
             check_type(argname="argument container_name", value=container_name, expected_type=type_hints["container_name"])
             check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
+            check_type(argname="argument credential_specs", value=credential_specs, expected_type=type_hints["credential_specs"])
             check_type(argname="argument disable_networking", value=disable_networking, expected_type=type_hints["disable_networking"])
             check_type(argname="argument dns_search_domains", value=dns_search_domains, expected_type=type_hints["dns_search_domains"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
@@ -27045,6 +27451,8 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
             self._values["container_name"] = container_name
         if cpu is not None:
             self._values["cpu"] = cpu
+        if credential_specs is not None:
+            self._values["credential_specs"] = credential_specs
         if disable_networking is not None:
             self._values["disable_networking"] = disable_networking
         if dns_search_domains is not None:
@@ -27148,6 +27556,19 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         result = self._values.get("cpu")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def credential_specs(self) -> typing.Optional[typing.List[CredentialSpec]]:
+        '''A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication.
+
+        We recommend that you use this parameter instead of the ``dockerSecurityOptions``.
+
+        Currently, only one credential spec is allowed per container definition.
+
+        :default: - No credential specs.
+        '''
+        result = self._values.get("credential_specs")
+        return typing.cast(typing.Optional[typing.List[CredentialSpec]], result)
+
     @builtins.property
     def disable_networking(self) -> typing.Optional[builtins.bool]:
         '''Specifies whether networking is disabled within the container.
@@ -29093,7 +29514,28 @@ class JsonFileLogDriverProps(BaseLogDriverProps):
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_ecs.LaunchType")
 class LaunchType(enum.Enum):
-    '''The launch type of an ECS service.'''
+    '''The launch type of an ECS service.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_ecs as ecs
+        
+        # cluster: ecs.ICluster
+        # task_definition: ecs.TaskDefinition
+        
+        
+        rule = events.Rule(self, "Rule",
+            schedule=events.Schedule.rate(cdk.Duration.hours(1))
+        )
+        
+        rule.add_target(targets.EcsTask(
+            cluster=cluster,
+            task_definition=task_definition,
+            launch_type=ecs.LaunchType.FARGATE
+        ))
+    '''
 
     EC2 = "EC2"
     '''The service will be launched using the EC2 launch type.'''
@@ -31832,6 +32274,7 @@ class ScalableTaskCount(
         max_capacity: typing.Optional[jsii.Number] = None,
         min_capacity: typing.Optional[jsii.Number] = None,
         start_time: typing.Optional[datetime.datetime] = None,
+        time_zone: typing.Optional[_TimeZone_cdd72ac9] = None,
     ) -> None:
         '''Scales in or out based on a specified scheduled time.
 
@@ -31841,6 +32284,7 @@ class ScalableTaskCount(
         :param max_capacity: The new maximum capacity. During the scheduled time, the current capacity is above the maximum capacity, Application Auto Scaling scales in to the maximum capacity. At least one of maxCapacity and minCapacity must be supplied. Default: No new maximum capacity
         :param min_capacity: The new minimum capacity. During the scheduled time, if the current capacity is below the minimum capacity, Application Auto Scaling scales out to the minimum capacity. At least one of maxCapacity and minCapacity must be supplied. Default: No new minimum capacity
         :param start_time: When this scheduled action becomes active. Default: The rule is activate immediately
+        :param time_zone: The time zone used when referring to the date and time of a scheduled action, when the scheduled action uses an at or cron expression. Default: - UTC
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__7ba160d89a841c59234467f87e8a25e0de215bd289f076fee7239d3362c718ca)
@@ -31851,6 +32295,7 @@ class ScalableTaskCount(
             max_capacity=max_capacity,
             min_capacity=min_capacity,
             start_time=start_time,
+            time_zone=time_zone,
         )
 
         return typing.cast(None, jsii.invoke(self, "scaleOnSchedule", [id, props]))
@@ -34443,6 +34888,7 @@ class TaskDefinition(
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -34481,6 +34927,7 @@ class TaskDefinition(
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -34520,6 +34967,7 @@ class TaskDefinition(
             command=command,
             container_name=container_name,
             cpu=cpu,
+            credential_specs=credential_specs,
             disable_networking=disable_networking,
             dns_search_domains=dns_search_domains,
             dns_servers=dns_servers,
@@ -34578,6 +35026,7 @@ class TaskDefinition(
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -34617,6 +35066,7 @@ class TaskDefinition(
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -34657,6 +35107,7 @@ class TaskDefinition(
             command=command,
             container_name=container_name,
             cpu=cpu,
+            credential_specs=credential_specs,
             disable_networking=disable_networking,
             dns_search_domains=dns_search_domains,
             dns_servers=dns_servers,
@@ -38837,6 +39288,7 @@ class Ec2TaskDefinition(
         command: typing.Optional[typing.Sequence[builtins.str]] = None,
         container_name: typing.Optional[builtins.str] = None,
         cpu: typing.Optional[jsii.Number] = None,
+        credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
         disable_networking: typing.Optional[builtins.bool] = None,
         dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -38877,6 +39329,7 @@ class Ec2TaskDefinition(
         :param command: The command that is passed to the container. If you provide a shell command as a single string, you have to quote command-line arguments. Default: - CMD value built into container image.
         :param container_name: The name of the container. Default: - id of node associated with ContainerDefinition.
         :param cpu: The minimum number of CPU units to reserve for the container. Default: - No minimum CPU units reserved.
+        :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec (``CredSpec``) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions``. Currently, only one credential spec is allowed per container definition. Default: - No credential specs.
         :param disable_networking: Specifies whether networking is disabled within the container. When this parameter is true, networking is disabled within the container. Default: false
         :param dns_search_domains: A list of DNS search domains that are presented to the container. Default: - No search domains.
         :param dns_servers: A list of DNS servers that are presented to the container. Default: - Default DNS servers.
@@ -38916,6 +39369,7 @@ class Ec2TaskDefinition(
             command=command,
             container_name=container_name,
             cpu=cpu,
+            credential_specs=credential_specs,
             disable_networking=disable_networking,
             dns_search_domains=dns_search_domains,
             dns_servers=dns_servers,
@@ -39780,6 +40234,8 @@ __all__ = [
     "ContainerMountPoint",
     "CpuArchitecture",
     "CpuUtilizationScalingProps",
+    "CredentialSpec",
+    "CredentialSpecConfig",
     "DeploymentAlarmConfig",
     "DeploymentAlarmOptions",
     "DeploymentCircuitBreaker",
@@ -39788,6 +40244,8 @@ __all__ = [
     "Device",
     "DevicePermission",
     "DockerVolumeConfiguration",
+    "DomainJoinedCredentialSpec",
+    "DomainlessCredentialSpec",
     "EBSTagSpecification",
     "EbsPropagatedTagSource",
     "Ec2Service",
@@ -41613,6 +42071,7 @@ def _typecheckingstub__d8756b492e023ad8d33a399196b15b610f709400ce213e179f17dd1f6
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -41735,6 +42194,7 @@ def _typecheckingstub__f2e5f24c1574825a81dd77783d48886a430a675a0e04f03559eca98b5
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -41775,6 +42235,7 @@ def _typecheckingstub__20c974a49c79829fac0811dffaf78c449f92ae136414b96232160d37c
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -41909,6 +42370,34 @@ def _typecheckingstub__91cac9b5eedaf67c6c8ff49d718cca4a85b40488fc9660a82ad32bd34
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__391919d386090f9ac3aa86dc379e614f3db5fb33b21f6ff1abc79118d879f2b8(
+    prefix_id: builtins.str,
+    file_location: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d920a2dd32552e7bda0ce5cc7f9c3c76e02eb299516c6dd25e088d920e2ad3f6(
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__60821aa4ad60367f0902adbe993fc7378a3faa775ceb7588ea079af0e39662ff(
+    parameter: _IParameter_509a0f80,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__544ae4082e3c3e478099774412380391075251238b6b9ee0caf06bcc2244eb31(
+    *,
+    location: builtins.str,
+    type_prefix: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__85f3395f0bdfd1aaa44a3d8b0888e7649528502db65214cb5feef555dfb7d8c3(
     *,
     behavior: typing.Optional[AlarmBehavior] = None,
@@ -41951,6 +42440,44 @@ def _typecheckingstub__7557a1bae40866fb083429715f1fe59d71ab49e4e4311e053beb1b8be
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__74a7041aa7c44e15b54db11bc6f0846c13a4ab833182edf6cbca8449dcf3e612(
+    file_location: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__43cea1b75b78653b4276c55fbae915594c59010c5b7887bfa2c3ffac31a62689(
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8696be467d8036eb57668114fa81fe11aed2147031c222ae9d037530859d0b30(
+    parameter: _IParameter_509a0f80,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6fcbd2e86fb4561db5d7bf362efead4d539ef3cc6549ae8983b679350afdce16(
+    file_location: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5d224f1efa706f29234b333c8f7f7d5ec8009d752caab42d939101e3e587206e(
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6f634beca247a8be170631377826bee3090c3455e25aa3e2003763852a5b67a9(
+    parameter: _IParameter_509a0f80,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__8d98ce8573765caa8083d2f6d9d3138b4000f482f052a35492131f0e652b86fc(
     *,
     propagate_tags: typing.Optional[EbsPropagatedTagSource] = None,
@@ -42302,6 +42829,7 @@ def _typecheckingstub__aa1e4969dd0e00a5737510c273aa9546ad4ce7bc5a8a146f2a37666b0
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -42348,6 +42876,7 @@ def _typecheckingstub__2bb9382e9a7b1b34a020902905c4bf83e2d4970135e7592e5b5a1da62
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -42389,6 +42918,7 @@ def _typecheckingstub__498b2375cb2035a958edbdd10ad5f4352caa5773be14b63a07c337871
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -42849,6 +43379,7 @@ def _typecheckingstub__7ba160d89a841c59234467f87e8a25e0de215bd289f076fee7239d336
     max_capacity: typing.Optional[jsii.Number] = None,
     min_capacity: typing.Optional[jsii.Number] = None,
     start_time: typing.Optional[datetime.datetime] = None,
+    time_zone: typing.Optional[_TimeZone_cdd72ac9] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -43126,6 +43657,7 @@ def _typecheckingstub__8fe416001b357a118b80b0f9e3432c5bffbeffe29c2f7e67a02e5589c
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -43174,6 +43706,7 @@ def _typecheckingstub__a448c235107c9543bb055362134e3500d0a20b6f51e433675f952a773
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -43803,6 +44336,7 @@ def _typecheckingstub__e16f7a8ab558d24dc81cd83e043fb5a8b37369f32cee89bd310588535
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     container_name: typing.Optional[builtins.str] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[CredentialSpec]] = None,
     disable_networking: typing.Optional[builtins.bool] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,