aws-cdk-lib 2.128.0__py3-none-any.whl → 2.129.0__py3-none-any.whl

aws_cdk/aws_sns/__init__.py

@@ -213,6 +213,44 @@ topic_policy = sns.TopicPolicy(self, "Policy",
 )
 ```
 
+### Enforce encryption of data in transit when publishing to a topic
+
+You can enforce SSL when creating a topic policy by setting the `enforceSSL` flag:
+
+```python
+topic = sns.Topic(self, "Topic")
+policy_document = iam.PolicyDocument(
+    assign_sids=True,
+    statements=[
+        iam.PolicyStatement(
+            actions=["sns:Publish"],
+            principals=[iam.ServicePrincipal("s3.amazonaws.com")],
+            resources=[topic.topic_arn]
+        )
+    ]
+)
+
+topic_policy = sns.TopicPolicy(self, "Policy",
+    topics=[topic],
+    policy_document=policy_document,
+    enforce_sSL=True
+)
+```
+
+Similiarly you can enforce SSL by setting the `enforceSSL` flag on the topic:
+
+```python
+topic = sns.Topic(self, "TopicAddPolicy",
+    enforce_sSL=True
+)
+
+topic.add_to_resource_policy(iam.PolicyStatement(
+    principals=[iam.ServicePrincipal("s3.amazonaws.com")],
+    actions=["sns:Publish"],
+    resources=[topic.topic_arn]
+))
+```
+
 ## Delivery status logging
 
 Amazon SNS provides support to log the delivery status of notification messages sent to topics with the following Amazon SNS endpoints:
@@ -476,7 +514,7 @@ class CfnSubscription(
         :param redrive_policy: When specified, sends undeliverable messages to the specified Amazon SQS dead-letter queue. Messages that can't be delivered due to client errors (for example, when the subscribed endpoint is unreachable) or server errors (for example, when the service that powers the subscribed endpoint becomes unavailable) are held in the dead-letter queue for further analysis or reprocessing. For more information about the redrive policy and dead-letter queues, see `Amazon SQS dead-letter queues <https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html>`_ in the *Amazon SQS Developer Guide* .
         :param region: For cross-region subscriptions, the region in which the topic resides. If no region is specified, AWS CloudFormation uses the region of the caller as the default. If you perform an update operation that only updates the ``Region`` property of a ``AWS::SNS::Subscription`` resource, that operation will fail unless you are either: - Updating the ``Region`` from ``NULL`` to the caller region. - Updating the ``Region`` from the caller region to ``NULL`` .
         :param replay_policy: 
-        :param subscription_role_arn: This property applies only to Amazon Kinesis Data Firehose delivery stream subscriptions. Specify the ARN of the IAM role that has the following: - Permission to write to the Amazon Kinesis Data Firehose delivery stream - Amazon SNS listed as a trusted entity Specifying a valid ARN for this attribute is required for Kinesis Data Firehose delivery stream subscriptions. For more information, see `Fanout to Amazon Kinesis Data Firehose delivery streams <https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html>`_ in the *Amazon SNS Developer Guide.*
+        :param subscription_role_arn: This property applies only to Amazon Data Firehose delivery stream subscriptions. Specify the ARN of the IAM role that has the following: - Permission to write to the Amazon Data Firehose delivery stream - Amazon SNS listed as a trusted entity Specifying a valid ARN for this attribute is required for Firehose delivery stream subscriptions. For more information, see `Fanout to Amazon Data Firehose delivery streams <https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html>`_ in the *Amazon SNS Developer Guide.*
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__3f3839647e73879ccdb1519ec2afccf78b6168046279d32c5390b3e2543d1fec)
@@ -678,7 +716,7 @@ class CfnSubscription(
     @builtins.property
     @jsii.member(jsii_name="subscriptionRoleArn")
     def subscription_role_arn(self) -> typing.Optional[builtins.str]:
-        '''This property applies only to Amazon Kinesis Data Firehose delivery stream subscriptions.'''
+        '''This property applies only to Amazon Data Firehose delivery stream subscriptions.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "subscriptionRoleArn"))
 
     @subscription_role_arn.setter
@@ -734,7 +772,7 @@ class CfnSubscriptionProps:
         :param redrive_policy: When specified, sends undeliverable messages to the specified Amazon SQS dead-letter queue. Messages that can't be delivered due to client errors (for example, when the subscribed endpoint is unreachable) or server errors (for example, when the service that powers the subscribed endpoint becomes unavailable) are held in the dead-letter queue for further analysis or reprocessing. For more information about the redrive policy and dead-letter queues, see `Amazon SQS dead-letter queues <https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html>`_ in the *Amazon SQS Developer Guide* .
         :param region: For cross-region subscriptions, the region in which the topic resides. If no region is specified, AWS CloudFormation uses the region of the caller as the default. If you perform an update operation that only updates the ``Region`` property of a ``AWS::SNS::Subscription`` resource, that operation will fail unless you are either: - Updating the ``Region`` from ``NULL`` to the caller region. - Updating the ``Region`` from the caller region to ``NULL`` .
         :param replay_policy: 
-        :param subscription_role_arn: This property applies only to Amazon Kinesis Data Firehose delivery stream subscriptions. Specify the ARN of the IAM role that has the following: - Permission to write to the Amazon Kinesis Data Firehose delivery stream - Amazon SNS listed as a trusted entity Specifying a valid ARN for this attribute is required for Kinesis Data Firehose delivery stream subscriptions. For more information, see `Fanout to Amazon Kinesis Data Firehose delivery streams <https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html>`_ in the *Amazon SNS Developer Guide.*
+        :param subscription_role_arn: This property applies only to Amazon Data Firehose delivery stream subscriptions. Specify the ARN of the IAM role that has the following: - Permission to write to the Amazon Data Firehose delivery stream - Amazon SNS listed as a trusted entity Specifying a valid ARN for this attribute is required for Firehose delivery stream subscriptions. For more information, see `Fanout to Amazon Data Firehose delivery streams <https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html>`_ in the *Amazon SNS Developer Guide.*
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-subscription.html
         :exampleMetadata: fixture=_generated
@@ -921,14 +959,14 @@ class CfnSubscriptionProps:
 
     @builtins.property
     def subscription_role_arn(self) -> typing.Optional[builtins.str]:
-        '''This property applies only to Amazon Kinesis Data Firehose delivery stream subscriptions.
+        '''This property applies only to Amazon Data Firehose delivery stream subscriptions.
 
         Specify the ARN of the IAM role that has the following:
 
-        - Permission to write to the Amazon Kinesis Data Firehose delivery stream
+        - Permission to write to the Amazon Data Firehose delivery stream
         - Amazon SNS listed as a trusted entity
 
-        Specifying a valid ARN for this attribute is required for Kinesis Data Firehose delivery stream subscriptions. For more information, see `Fanout to Amazon Kinesis Data Firehose delivery streams <https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html>`_ in the *Amazon SNS Developer Guide.*
+        Specifying a valid ARN for this attribute is required for Firehose delivery stream subscriptions. For more information, see `Fanout to Amazon Data Firehose delivery streams <https://docs.aws.amazon.com/sns/latest/dg/sns-firehose-as-subscriber.html>`_ in the *Amazon SNS Developer Guide.*
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-subscription.html#cfn-sns-subscription-subscriptionrolearn
         '''
@@ -2319,7 +2357,7 @@ class ITopic(
         '''Adds a statement to the IAM resource policy associated with this topic.
 
         If this topic was created in this stack (``new Topic``), a topic policy
-        will be automatically created upon the first call to ``addToPolicy``. If
+        will be automatically created upon the first call to ``addToResourcePolicy``. If
         the topic is imported (``Topic.import``), then this is a no-op.
 
         :param statement: -
@@ -2680,7 +2718,7 @@ class _ITopicProxy(
         '''Adds a statement to the IAM resource policy associated with this topic.
 
         If this topic was created in this stack (``new Topic``), a topic policy
-        will be automatically created upon the first call to ``addToPolicy``. If
+        will be automatically created upon the first call to ``addToResourcePolicy``. If
         the topic is imported (``Topic.import``), then this is a no-op.
 
         :param statement: -
@@ -4308,7 +4346,7 @@ class TopicBase(
         '''Adds a statement to the IAM resource policy associated with this topic.
 
         If this topic was created in this stack (``new Topic``), a topic policy
-        will be automatically created upon the first call to ``addToPolicy``. If
+        will be automatically created upon the first call to ``addToResourcePolicy``. If
         the topic is imported (``Topic.import``), then this is a no-op.
 
         :param statement: -
@@ -4332,6 +4370,14 @@ class TopicBase(
             check_type(argname="argument _scope", value=_scope, expected_type=type_hints["_scope"])
         return typing.cast(_NotificationRuleTargetConfig_ea27e095, jsii.invoke(self, "bindAsNotificationRuleTarget", [_scope]))
 
+    @jsii.member(jsii_name="createSSLPolicyDocument")
+    def _create_ssl_policy_document(self) -> _PolicyStatement_0fe33853:
+        '''Adds a statement to enforce encryption of data in transit when publishing to the topic.
+
+        For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
+        '''
+        return typing.cast(_PolicyStatement_0fe33853, jsii.invoke(self, "createSSLPolicyDocument", []))
+
     @jsii.member(jsii_name="grantPublish")
     def grant_publish(self, grantee: _IGrantable_71c4f5de) -> _Grant_a7ae64f8:
         '''Grant topic publishing permissions to the given identity.
@@ -4777,6 +4823,19 @@ class TopicBase(
         '''The name of the topic.'''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="enforceSSL")
+    def _enforce_ssl(self) -> typing.Optional[builtins.bool]:
+        '''Adds a statement to enforce encryption of data in transit when publishing to the topic.'''
+        return typing.cast(typing.Optional[builtins.bool], jsii.get(self, "enforceSSL"))
+
+    @_enforce_ssl.setter
+    def _enforce_ssl(self, value: typing.Optional[builtins.bool]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__41d14f58fd3a68985cc9146f591de9ef04f0766e0e4ab580bec4fe74fde70eee)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "enforceSSL", value)
+
 
 class _TopicBaseProxy(
     TopicBase,
@@ -4845,15 +4904,21 @@ class TopicPolicy(
     Example::
 
         topic = sns.Topic(self, "Topic")
-        topic_policy = sns.TopicPolicy(self, "TopicPolicy",
-            topics=[topic]
+        policy_document = iam.PolicyDocument(
+            assign_sids=True,
+            statements=[
+                iam.PolicyStatement(
+                    actions=["sns:Subscribe"],
+                    principals=[iam.AnyPrincipal()],
+                    resources=[topic.topic_arn]
+                )
+            ]
         )
         
-        topic_policy.document.add_statements(iam.PolicyStatement(
-            actions=["sns:Subscribe"],
-            principals=[iam.AnyPrincipal()],
-            resources=[topic.topic_arn]
-        ))
+        topic_policy = sns.TopicPolicy(self, "Policy",
+            topics=[topic],
+            policy_document=policy_document
+        )
     '''
 
     def __init__(
@@ -4862,22 +4927,42 @@ class TopicPolicy(
         id: builtins.str,
         *,
         topics: typing.Sequence[ITopic],
+        enforce_ssl: typing.Optional[builtins.bool] = None,
         policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
     ) -> None:
         '''
         :param scope: -
         :param id: -
         :param topics: The set of topics this policy applies to.
+        :param enforce_ssl: Adds a statement to enforce encryption of data in transit when publishing to the topic. For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. Default: false
         :param policy_document: IAM policy document to apply to topic(s). Default: empty policy document
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__12a056cfcdc8bff96e7fe29bb021bebfb1f092d261da925723087b52a2a52c91)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        props = TopicPolicyProps(topics=topics, policy_document=policy_document)
+        props = TopicPolicyProps(
+            topics=topics, enforce_ssl=enforce_ssl, policy_document=policy_document
+        )
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="createSSLPolicyDocument")
+    def _create_ssl_policy_document(
+        self,
+        topic_arn: builtins.str,
+    ) -> _PolicyStatement_0fe33853:
+        '''Adds a statement to enforce encryption of data in transit when publishing to the topic.
+
+        For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
+
+        :param topic_arn: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__68fd01009ddae128e0ad9f5816da32ac0ad127b82df6140a2431cf829c9a7488)
+            check_type(argname="argument topic_arn", value=topic_arn, expected_type=type_hints["topic_arn"])
+        return typing.cast(_PolicyStatement_0fe33853, jsii.invoke(self, "createSSLPolicyDocument", [topic_arn]))
+
     @builtins.property
     @jsii.member(jsii_name="document")
     def document(self) -> _PolicyDocument_3ac34393:
@@ -4888,18 +4973,24 @@ class TopicPolicy(
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_sns.TopicPolicyProps",
     jsii_struct_bases=[],
-    name_mapping={"topics": "topics", "policy_document": "policyDocument"},
+    name_mapping={
+        "topics": "topics",
+        "enforce_ssl": "enforceSSL",
+        "policy_document": "policyDocument",
+    },
 )
 class TopicPolicyProps:
     def __init__(
         self,
         *,
         topics: typing.Sequence[ITopic],
+        enforce_ssl: typing.Optional[builtins.bool] = None,
         policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
     ) -> None:
         '''Properties to associate SNS topics with a policy.
 
         :param topics: The set of topics this policy applies to.
+        :param enforce_ssl: Adds a statement to enforce encryption of data in transit when publishing to the topic. For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. Default: false
         :param policy_document: IAM policy document to apply to topic(s). Default: empty policy document
 
         :exampleMetadata: infused
@@ -4907,23 +4998,32 @@ class TopicPolicyProps:
         Example::
 
             topic = sns.Topic(self, "Topic")
-            topic_policy = sns.TopicPolicy(self, "TopicPolicy",
-                topics=[topic]
+            policy_document = iam.PolicyDocument(
+                assign_sids=True,
+                statements=[
+                    iam.PolicyStatement(
+                        actions=["sns:Subscribe"],
+                        principals=[iam.AnyPrincipal()],
+                        resources=[topic.topic_arn]
+                    )
+                ]
             )
             
-            topic_policy.document.add_statements(iam.PolicyStatement(
-                actions=["sns:Subscribe"],
-                principals=[iam.AnyPrincipal()],
-                resources=[topic.topic_arn]
-            ))
+            topic_policy = sns.TopicPolicy(self, "Policy",
+                topics=[topic],
+                policy_document=policy_document
+            )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4116dddf14d28d4bd4bb7d68b0eda71322f8faeb2468828dde6eca112513ba6b)
             check_type(argname="argument topics", value=topics, expected_type=type_hints["topics"])
+            check_type(argname="argument enforce_ssl", value=enforce_ssl, expected_type=type_hints["enforce_ssl"])
             check_type(argname="argument policy_document", value=policy_document, expected_type=type_hints["policy_document"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "topics": topics,
         }
+        if enforce_ssl is not None:
+            self._values["enforce_ssl"] = enforce_ssl
         if policy_document is not None:
             self._values["policy_document"] = policy_document
 
@@ -4934,6 +5034,17 @@ class TopicPolicyProps:
         assert result is not None, "Required property 'topics' is missing"
         return typing.cast(typing.List[ITopic], result)
 
+    @builtins.property
+    def enforce_ssl(self) -> typing.Optional[builtins.bool]:
+        '''Adds a statement to enforce encryption of data in transit when publishing to the topic.
+
+        For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
+
+        :default: false
+        '''
+        result = self._values.get("enforce_ssl")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def policy_document(self) -> typing.Optional[_PolicyDocument_3ac34393]:
         '''IAM policy document to apply to topic(s).
@@ -4961,6 +5072,7 @@ class TopicPolicyProps:
     name_mapping={
         "content_based_deduplication": "contentBasedDeduplication",
         "display_name": "displayName",
+        "enforce_ssl": "enforceSSL",
         "fifo": "fifo",
         "logging_configs": "loggingConfigs",
         "master_key": "masterKey",
@@ -4974,6 +5086,7 @@ class TopicProps:
         *,
         content_based_deduplication: typing.Optional[builtins.bool] = None,
         display_name: typing.Optional[builtins.str] = None,
+        enforce_ssl: typing.Optional[builtins.bool] = None,
         fifo: typing.Optional[builtins.bool] = None,
         logging_configs: typing.Optional[typing.Sequence[typing.Union[LoggingConfig, typing.Dict[builtins.str, typing.Any]]]] = None,
         master_key: typing.Optional[_IKey_5f11635f] = None,
@@ -4984,6 +5097,7 @@ class TopicProps:
 
         :param content_based_deduplication: Enables content-based deduplication for FIFO topics. Default: None
         :param display_name: A developer-defined string that can be used to identify this SNS topic. Default: None
+        :param enforce_ssl: Adds a statement to enforce encryption of data in transit when publishing to the topic. For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. Default: false
         :param fifo: Set to true to create a FIFO topic. Default: None
         :param logging_configs: The list of delivery status logging configurations for the topic. For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-topic-attributes.html. Default: None
         :param master_key: A KMS Key, either managed by this CDK app, or imported. Default: None
@@ -4994,17 +5108,17 @@ class TopicProps:
 
         Example::
 
-            # role: iam.Role
-            
-            topic = sns.Topic(self, "MyTopic",
-                fifo=True,
-                message_retention_period_in_days=7
+            topic = sns.Topic(self, "Topic",
+                content_based_deduplication=True,
+                display_name="Customer subscription topic",
+                fifo=True
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__093960c1ab5457cc6797eb4a06c9e8fc74e41d4eaa9d0a17f00fa896dadf9161)
             check_type(argname="argument content_based_deduplication", value=content_based_deduplication, expected_type=type_hints["content_based_deduplication"])
             check_type(argname="argument display_name", value=display_name, expected_type=type_hints["display_name"])
+            check_type(argname="argument enforce_ssl", value=enforce_ssl, expected_type=type_hints["enforce_ssl"])
             check_type(argname="argument fifo", value=fifo, expected_type=type_hints["fifo"])
             check_type(argname="argument logging_configs", value=logging_configs, expected_type=type_hints["logging_configs"])
             check_type(argname="argument master_key", value=master_key, expected_type=type_hints["master_key"])
@@ -5015,6 +5129,8 @@ class TopicProps:
             self._values["content_based_deduplication"] = content_based_deduplication
         if display_name is not None:
             self._values["display_name"] = display_name
+        if enforce_ssl is not None:
+            self._values["enforce_ssl"] = enforce_ssl
         if fifo is not None:
             self._values["fifo"] = fifo
         if logging_configs is not None:
@@ -5044,6 +5160,17 @@ class TopicProps:
         result = self._values.get("display_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def enforce_ssl(self) -> typing.Optional[builtins.bool]:
+        '''Adds a statement to enforce encryption of data in transit when publishing to the topic.
+
+        For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit.
+
+        :default: false
+        '''
+        result = self._values.get("enforce_ssl")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def fifo(self) -> typing.Optional[builtins.bool]:
         '''Set to true to create a FIFO topic.
@@ -5420,17 +5547,18 @@ class Topic(TopicBase, metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_sns.T
 
     Example::
 
-        from aws_cdk.aws_kinesisfirehose_alpha import DeliveryStream
-        # stream: DeliveryStream
+        import aws_cdk.aws_sns as sns
         
         
-        topic = sns.Topic(self, "Topic")
+        topic = sns.Topic(self, "MyTopic")
         
-        sns.Subscription(self, "Subscription",
-            topic=topic,
-            endpoint=stream.delivery_stream_arn,
-            protocol=sns.SubscriptionProtocol.FIREHOSE,
-            subscription_role_arn="SAMPLE_ARN"
+        topic_rule = iot.TopicRule(self, "TopicRule",
+            sql=iot.IotSql.from_string_as_ver20160323("SELECT topic(2) as device_id, year, month, day FROM 'device/+/data'"),
+            actions=[
+                actions.SnsTopicAction(topic,
+                    message_format=actions.SnsActionMessageFormat.JSON
+                )
+            ]
         )
     '''
 
@@ -5441,6 +5569,7 @@ class Topic(TopicBase, metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_sns.T
         *,
         content_based_deduplication: typing.Optional[builtins.bool] = None,
         display_name: typing.Optional[builtins.str] = None,
+        enforce_ssl: typing.Optional[builtins.bool] = None,
         fifo: typing.Optional[builtins.bool] = None,
         logging_configs: typing.Optional[typing.Sequence[typing.Union[LoggingConfig, typing.Dict[builtins.str, typing.Any]]]] = None,
         master_key: typing.Optional[_IKey_5f11635f] = None,
@@ -5452,6 +5581,7 @@ class Topic(TopicBase, metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_sns.T
         :param id: -
         :param content_based_deduplication: Enables content-based deduplication for FIFO topics. Default: None
         :param display_name: A developer-defined string that can be used to identify this SNS topic. Default: None
+        :param enforce_ssl: Adds a statement to enforce encryption of data in transit when publishing to the topic. For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#enforce-encryption-data-in-transit. Default: false
         :param fifo: Set to true to create a FIFO topic. Default: None
         :param logging_configs: The list of delivery status logging configurations for the topic. For more information, see https://docs.aws.amazon.com/sns/latest/dg/sns-topic-attributes.html. Default: None
         :param master_key: A KMS Key, either managed by this CDK app, or imported. Default: None
@@ -5465,6 +5595,7 @@ class Topic(TopicBase, metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_sns.T
         props = TopicProps(
             content_based_deduplication=content_based_deduplication,
             display_name=display_name,
+            enforce_ssl=enforce_ssl,
             fifo=fifo,
             logging_configs=logging_configs,
             master_key=master_key,
@@ -6131,19 +6262,33 @@ def _typecheckingstub__b07969d7a2c71869715d0fe87d9b0d9d67f663ddecc9d81d353ba532f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__41d14f58fd3a68985cc9146f591de9ef04f0766e0e4ab580bec4fe74fde70eee(
+    value: typing.Optional[builtins.bool],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__12a056cfcdc8bff96e7fe29bb021bebfb1f092d261da925723087b52a2a52c91(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
     topics: typing.Sequence[ITopic],
+    enforce_ssl: typing.Optional[builtins.bool] = None,
     policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__68fd01009ddae128e0ad9f5816da32ac0ad127b82df6140a2431cf829c9a7488(
+    topic_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__4116dddf14d28d4bd4bb7d68b0eda71322f8faeb2468828dde6eca112513ba6b(
     *,
     topics: typing.Sequence[ITopic],
+    enforce_ssl: typing.Optional[builtins.bool] = None,
     policy_document: typing.Optional[_PolicyDocument_3ac34393] = None,
 ) -> None:
     """Type checking stubs"""
@@ -6153,6 +6298,7 @@ def _typecheckingstub__093960c1ab5457cc6797eb4a06c9e8fc74e41d4eaa9d0a17f00fa896d
     *,
     content_based_deduplication: typing.Optional[builtins.bool] = None,
     display_name: typing.Optional[builtins.str] = None,
+    enforce_ssl: typing.Optional[builtins.bool] = None,
     fifo: typing.Optional[builtins.bool] = None,
     logging_configs: typing.Optional[typing.Sequence[typing.Union[LoggingConfig, typing.Dict[builtins.str, typing.Any]]]] = None,
     master_key: typing.Optional[_IKey_5f11635f] = None,
@@ -6191,6 +6337,7 @@ def _typecheckingstub__5bf7b7a1001dc600e81a7f1c5015e367dc471dcd727360f62a7eaf6eb
     *,
     content_based_deduplication: typing.Optional[builtins.bool] = None,
     display_name: typing.Optional[builtins.str] = None,
+    enforce_ssl: typing.Optional[builtins.bool] = None,
     fifo: typing.Optional[builtins.bool] = None,
     logging_configs: typing.Optional[typing.Sequence[typing.Union[LoggingConfig, typing.Dict[builtins.str, typing.Any]]]] = None,
     master_key: typing.Optional[_IKey_5f11635f] = None,

aws_cdk/aws_ssm/__init__.py

@@ -258,7 +258,7 @@ class CfnAssociation(
         :param max_concurrency: The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time. If a new managed node starts and attempts to run an association while Systems Manager is running ``MaxConcurrency`` associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for ``MaxConcurrency`` .
         :param max_errors: The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set ``MaxError`` to 10%, then the system stops sending the request when the sixth error is received. Executions that are already running an association when ``MaxErrors`` is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set ``MaxConcurrency`` to 1 so that executions proceed one at a time.
         :param output_location: An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.
-        :param parameters: Parameter values that the SSM document uses at runtime.
+        :param parameters: The parameters for the runtime configuration of the document.
         :param schedule_expression: A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC).
         :param schedule_offset: Number of days to wait after the scheduled day to run an association.
         :param sync_compliance: The mode for generating association compliance. You can specify ``AUTO`` or ``MANUAL`` . In ``AUTO`` mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is ``COMPLIANT`` . If the association execution doesn't run successfully, the association is ``NON-COMPLIANT`` . In ``MANUAL`` mode, you must specify the ``AssociationId`` as a parameter for the PutComplianceItems API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the PutComplianceItems API action. By default, all associations use ``AUTO`` mode.
@@ -494,7 +494,7 @@ class CfnAssociation(
     @builtins.property
     @jsii.member(jsii_name="parameters")
     def parameters(self) -> typing.Any:
-        '''Parameter values that the SSM document uses at runtime.'''
+        '''The parameters for the runtime configuration of the document.'''
         return typing.cast(typing.Any, jsii.get(self, "parameters"))
 
     @parameters.setter
@@ -863,7 +863,7 @@ class CfnAssociationProps:
         :param max_concurrency: The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time. If a new managed node starts and attempts to run an association while Systems Manager is running ``MaxConcurrency`` associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for ``MaxConcurrency`` .
         :param max_errors: The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set ``MaxError`` to 10%, then the system stops sending the request when the sixth error is received. Executions that are already running an association when ``MaxErrors`` is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set ``MaxConcurrency`` to 1 so that executions proceed one at a time.
         :param output_location: An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.
-        :param parameters: Parameter values that the SSM document uses at runtime.
+        :param parameters: The parameters for the runtime configuration of the document.
         :param schedule_expression: A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC).
         :param schedule_offset: Number of days to wait after the scheduled day to run an association.
         :param sync_compliance: The mode for generating association compliance. You can specify ``AUTO`` or ``MANUAL`` . In ``AUTO`` mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is ``COMPLIANT`` . If the association execution doesn't run successfully, the association is ``NON-COMPLIANT`` . In ``MANUAL`` mode, you must specify the ``AssociationId`` as a parameter for the PutComplianceItems API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the PutComplianceItems API action. By default, all associations use ``AUTO`` mode.
@@ -1107,7 +1107,7 @@ class CfnAssociationProps:
 
     @builtins.property
     def parameters(self) -> typing.Any:
-        '''Parameter values that the SSM document uses at runtime.
+        '''The parameters for the runtime configuration of the document.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-association.html#cfn-ssm-association-parameters
         '''
@@ -1199,7 +1199,7 @@ class CfnDocument(
     This document defines the actions that Systems Manager performs on your AWS resources.
     .. epigraph::
 
-       This resource does not support CloudFormation drift detection.
+       This resource does not support AWS CloudFormation drift detection.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html
     :cloudformationResource: AWS::SSM::Document
@@ -1944,7 +1944,7 @@ class CfnMaintenanceWindow(
         :param end_date: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive.
         :param schedule_offset: The number of days to wait to run a maintenance window after the scheduled cron expression date and time.
         :param schedule_timezone: The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format.
-        :param start_date: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. StartDate allows you to delay activation of the Maintenance Window until the specified future date.
+        :param start_date: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. ``StartDate`` allows you to delay activation of the maintenance window until the specified future date.
         :param tags: Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in.
         '''
         if __debug__:
@@ -2209,7 +2209,7 @@ class CfnMaintenanceWindowProps:
         :param end_date: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive.
         :param schedule_offset: The number of days to wait to run a maintenance window after the scheduled cron expression date and time.
         :param schedule_timezone: The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format.
-        :param start_date: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. StartDate allows you to delay activation of the Maintenance Window until the specified future date.
+        :param start_date: The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. ``StartDate`` allows you to delay activation of the maintenance window until the specified future date.
         :param tags: Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindow.html
@@ -2367,7 +2367,7 @@ class CfnMaintenanceWindowProps:
     def start_date(self) -> typing.Optional[builtins.str]:
         '''The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active.
 
-        StartDate allows you to delay activation of the Maintenance Window until the specified future date.
+        ``StartDate`` allows you to delay activation of the maintenance window until the specified future date.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindow.html#cfn-ssm-maintenancewindow-startdate
         '''
@@ -3410,7 +3410,7 @@ class CfnMaintenanceWindowTask(
             For information about available parameters in Automation runbooks, you can view the content of the runbook itself in the Systems Manager console. For information, see `View runbook content <https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents-reference-details.html#view-automation-json>`_ in the *AWS Systems Manager User Guide* .
 
             :param document_version: The version of an Automation runbook to use during task execution.
-            :param parameters: The parameters for the AUTOMATION task.
+            :param parameters: The parameters for the ``AUTOMATION`` type task.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-maintenancewindowautomationparameters.html
             :exampleMetadata: fixture=_generated
@@ -3449,7 +3449,7 @@ class CfnMaintenanceWindowTask(
 
         @builtins.property
         def parameters(self) -> typing.Any:
-            '''The parameters for the AUTOMATION task.
+            '''The parameters for the ``AUTOMATION`` type task.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-maintenancewindowautomationparameters.html#cfn-ssm-maintenancewindowtask-maintenancewindowautomationparameters-parameters
             '''
@@ -4648,7 +4648,7 @@ class CfnParameter(
         :param id: Construct identifier for this resource (unique in its scope).
         :param type: The type of parameter. .. epigraph:: Although ``SecureString`` is included in the list of valid values, AWS CloudFormation does *not* currently support creating a ``SecureString`` parameter type.
         :param value: The parameter value. .. epigraph:: If type is ``StringList`` , the system returns a comma-separated string with no spaces between commas in the ``Value`` field.
-        :param allowed_pattern: A regular expression used to validate the parameter value. For example, for String types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
+        :param allowed_pattern: A regular expression used to validate the parameter value. For example, for ``String`` types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
         :param data_type: The data type of the parameter, such as ``text`` or ``aws:ec2:image`` . The default is ``text`` .
         :param description: Information about the parameter.
         :param name: The name of the parameter. .. epigraph:: The maximum length constraint listed below includes capacity for additional system attributes that aren't part of the name. The maximum length for a parameter name, including the full length of the parameter ARN, is 1011 characters. For example, the length of the following parameter name is 65 characters, not 20 characters: ``arn:aws:ssm:us-east-2:111222333444:parameter/ExampleParameterName``
@@ -4889,7 +4889,7 @@ class CfnParameterProps:
 
         :param type: The type of parameter. .. epigraph:: Although ``SecureString`` is included in the list of valid values, AWS CloudFormation does *not* currently support creating a ``SecureString`` parameter type.
         :param value: The parameter value. .. epigraph:: If type is ``StringList`` , the system returns a comma-separated string with no spaces between commas in the ``Value`` field.
-        :param allowed_pattern: A regular expression used to validate the parameter value. For example, for String types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
+        :param allowed_pattern: A regular expression used to validate the parameter value. For example, for ``String`` types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
         :param data_type: The data type of the parameter, such as ``text`` or ``aws:ec2:image`` . The default is ``text`` .
         :param description: Information about the parameter.
         :param name: The name of the parameter. .. epigraph:: The maximum length constraint listed below includes capacity for additional system attributes that aren't part of the name. The maximum length for a parameter name, including the full length of the parameter ARN, is 1011 characters. For example, the length of the following parameter name is 65 characters, not 20 characters: ``arn:aws:ssm:us-east-2:111222333444:parameter/ExampleParameterName``
@@ -4984,7 +4984,7 @@ class CfnParameterProps:
     def allowed_pattern(self) -> typing.Optional[builtins.str]:
         '''A regular expression used to validate the parameter value.
 
-        For example, for String types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
+        For example, for ``String`` types with values restricted to numbers, you can specify the following: ``AllowedPattern=^\\d+$``
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-parameter.html#cfn-ssm-parameter-allowedpattern
         '''
@@ -6344,7 +6344,7 @@ class CfnResourceDataSync(
         :param bucket_name: The name of the S3 bucket where the aggregated data is stored.
         :param bucket_prefix: An Amazon S3 prefix for the bucket.
         :param bucket_region: The AWS Region with the S3 bucket targeted by the resource data sync.
-        :param kms_key_arn: The ARN of an encryption key for a destination in Amazon S3 . You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same region as the destination Amazon S3 bucket.
+        :param kms_key_arn: The ARN of an encryption key for a destination in Amazon S3 . You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same Region as the destination Amazon S3 bucket.
         :param s3_destination: Configuration information for the target S3 bucket.
         :param sync_format: A supported sync format. The following format is currently supported: JsonSerDe
         :param sync_source: Information about the source where the data was synchronized.
@@ -6903,7 +6903,7 @@ class CfnResourceDataSyncProps:
         :param bucket_name: The name of the S3 bucket where the aggregated data is stored.
         :param bucket_prefix: An Amazon S3 prefix for the bucket.
         :param bucket_region: The AWS Region with the S3 bucket targeted by the resource data sync.
-        :param kms_key_arn: The ARN of an encryption key for a destination in Amazon S3 . You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same region as the destination Amazon S3 bucket.
+        :param kms_key_arn: The ARN of an encryption key for a destination in Amazon S3 . You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same Region as the destination Amazon S3 bucket.
         :param s3_destination: Configuration information for the target S3 bucket.
         :param sync_format: A supported sync format. The following format is currently supported: JsonSerDe
         :param sync_source: Information about the source where the data was synchronized.
@@ -7023,7 +7023,7 @@ class CfnResourceDataSyncProps:
     def kms_key_arn(self) -> typing.Optional[builtins.str]:
         '''The ARN of an encryption key for a destination in Amazon S3 .
 
-        You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same region as the destination Amazon S3 bucket.
+        You can use a KMS key to encrypt inventory data in Amazon S3 . You must specify a key that exist in the same Region as the destination Amazon S3 bucket.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-resourcedatasync.html#cfn-ssm-resourcedatasync-kmskeyarn
         '''

aws_cdk/aws_ssmincidents/__init__.py

@@ -57,7 +57,7 @@ class CfnReplicationSet(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_ssmincidents.CfnReplicationSet",
 ):
-    '''The ``AWS::SSMIncidents::ReplicationSet`` resource specifies a set of Regions that Incident Manager data is replicated to and the KMS key used to encrypt the data.
+    '''The ``AWS::SSMIncidents::ReplicationSet`` resource specifies a set of Regions that Incident Manager data is replicated to and the AWS Key Management Service ( AWS KMS key used to encrypt the data.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssmincidents-replicationset.html
     :cloudformationResource: AWS::SSMIncidents::ReplicationSet