aws-cdk-lib 2.132.1__py3-none-any.whl → 2.134.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1163,6 +1163,19 @@ ec2.VpcEndpointService(self, "EndpointService",
 )
 ```
 
+You can also include a service principal in the `allowedPrincipals` property by specifying it as a parameter to the  `ArnPrincipal` constructor.
+The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
+
+```python
+# network_load_balancer: elbv2.NetworkLoadBalancer
+
+
+ec2.VpcEndpointService(self, "EndpointService",
+    vpc_endpoint_service_load_balancers=[network_load_balancer],
+    allowed_principals=[iam.ArnPrincipal("ec2.amazonaws.com")]
+)
+```
+
 Endpoint services support private DNS, which makes it easier for clients to connect to your service by automatically setting up DNS in their VPC.
 You can enable private DNS on an endpoint service like so:
 
@@ -9616,6 +9629,7 @@ class CfnDHCPOptions(
         cfn_dHCPOptions = ec2.CfnDHCPOptions(self, "MyCfnDHCPOptions",
             domain_name="domainName",
             domain_name_servers=["domainNameServers"],
+            ipv6_address_preferred_lease_time=123,
             netbios_name_servers=["netbiosNameServers"],
             netbios_node_type=123,
             ntp_servers=["ntpServers"],
@@ -9633,6 +9647,7 @@ class CfnDHCPOptions(
         *,
         domain_name: typing.Optional[builtins.str] = None,
         domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
         netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         netbios_node_type: typing.Optional[jsii.Number] = None,
         ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -9643,6 +9658,7 @@ class CfnDHCPOptions(
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain_name: This value is used to complete unqualified DNS hostnames. If you're using AmazonProvidedDNS in ``us-east-1`` , specify ``ec2.internal`` . If you're using AmazonProvidedDNS in another Region, specify *region* . ``compute.internal`` (for example, ``ap-northeast-1.compute.internal`` ). Otherwise, specify a domain name (for example, *MyCompany.com* ).
         :param domain_name_servers: The IPv4 addresses of up to four domain name servers, or ``AmazonProvidedDNS`` . The default is ``AmazonProvidedDNS`` . To have your instance receive a custom DNS hostname as specified in ``DomainName`` , you must set this property to a custom DNS server.
+        :param ipv6_address_preferred_lease_time: A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal. Acceptable values are between 140 and 2147483647 seconds (approximately 68 years). If no value is entered, the default lease time is 140 seconds. If you use long-term addressing for EC2 instances, you can increase the lease time and avoid frequent lease renewal requests. Lease renewal typically occurs when half of the lease time has elapsed.
         :param netbios_name_servers: The IPv4 addresses of up to four NetBIOS name servers.
         :param netbios_node_type: The NetBIOS node type (1, 2, 4, or 8). We recommend that you specify 2 (broadcast and multicast are not currently supported).
         :param ntp_servers: The IPv4 addresses of up to four Network Time Protocol (NTP) servers.
@@ -9655,6 +9671,7 @@ class CfnDHCPOptions(
         props = CfnDHCPOptionsProps(
             domain_name=domain_name,
             domain_name_servers=domain_name_servers,
+            ipv6_address_preferred_lease_time=ipv6_address_preferred_lease_time,
             netbios_name_servers=netbios_name_servers,
             netbios_node_type=netbios_node_type,
             ntp_servers=ntp_servers,
@@ -9742,6 +9759,22 @@ class CfnDHCPOptions(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "domainNameServers", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="ipv6AddressPreferredLeaseTime")
+    def ipv6_address_preferred_lease_time(self) -> typing.Optional[jsii.Number]:
+        '''A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal.'''
+        return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "ipv6AddressPreferredLeaseTime"))
+
+    @ipv6_address_preferred_lease_time.setter
+    def ipv6_address_preferred_lease_time(
+        self,
+        value: typing.Optional[jsii.Number],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0cbb91e4162eb4b7aab6b1e90fa6fbbbade04b38a95d6c1bb778946ae93b50a3)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "ipv6AddressPreferredLeaseTime", value)
+
     @builtins.property
     @jsii.member(jsii_name="netbiosNameServers")
     def netbios_name_servers(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -9804,6 +9837,7 @@ class CfnDHCPOptions(
     name_mapping={
         "domain_name": "domainName",
         "domain_name_servers": "domainNameServers",
+        "ipv6_address_preferred_lease_time": "ipv6AddressPreferredLeaseTime",
         "netbios_name_servers": "netbiosNameServers",
         "netbios_node_type": "netbiosNodeType",
         "ntp_servers": "ntpServers",
@@ -9816,6 +9850,7 @@ class CfnDHCPOptionsProps:
         *,
         domain_name: typing.Optional[builtins.str] = None,
         domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
         netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         netbios_node_type: typing.Optional[jsii.Number] = None,
         ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -9825,6 +9860,7 @@ class CfnDHCPOptionsProps:
 
         :param domain_name: This value is used to complete unqualified DNS hostnames. If you're using AmazonProvidedDNS in ``us-east-1`` , specify ``ec2.internal`` . If you're using AmazonProvidedDNS in another Region, specify *region* . ``compute.internal`` (for example, ``ap-northeast-1.compute.internal`` ). Otherwise, specify a domain name (for example, *MyCompany.com* ).
         :param domain_name_servers: The IPv4 addresses of up to four domain name servers, or ``AmazonProvidedDNS`` . The default is ``AmazonProvidedDNS`` . To have your instance receive a custom DNS hostname as specified in ``DomainName`` , you must set this property to a custom DNS server.
+        :param ipv6_address_preferred_lease_time: A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal. Acceptable values are between 140 and 2147483647 seconds (approximately 68 years). If no value is entered, the default lease time is 140 seconds. If you use long-term addressing for EC2 instances, you can increase the lease time and avoid frequent lease renewal requests. Lease renewal typically occurs when half of the lease time has elapsed.
         :param netbios_name_servers: The IPv4 addresses of up to four NetBIOS name servers.
         :param netbios_node_type: The NetBIOS node type (1, 2, 4, or 8). We recommend that you specify 2 (broadcast and multicast are not currently supported).
         :param ntp_servers: The IPv4 addresses of up to four Network Time Protocol (NTP) servers.
@@ -9842,6 +9878,7 @@ class CfnDHCPOptionsProps:
             cfn_dHCPOptions_props = ec2.CfnDHCPOptionsProps(
                 domain_name="domainName",
                 domain_name_servers=["domainNameServers"],
+                ipv6_address_preferred_lease_time=123,
                 netbios_name_servers=["netbiosNameServers"],
                 netbios_node_type=123,
                 ntp_servers=["ntpServers"],
@@ -9855,6 +9892,7 @@ class CfnDHCPOptionsProps:
             type_hints = typing.get_type_hints(_typecheckingstub__569097ad87e4dddbcfaee4fb50fc7ddb345c4f97ae82fcf897497039e7f81a38)
             check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
             check_type(argname="argument domain_name_servers", value=domain_name_servers, expected_type=type_hints["domain_name_servers"])
+            check_type(argname="argument ipv6_address_preferred_lease_time", value=ipv6_address_preferred_lease_time, expected_type=type_hints["ipv6_address_preferred_lease_time"])
             check_type(argname="argument netbios_name_servers", value=netbios_name_servers, expected_type=type_hints["netbios_name_servers"])
             check_type(argname="argument netbios_node_type", value=netbios_node_type, expected_type=type_hints["netbios_node_type"])
             check_type(argname="argument ntp_servers", value=ntp_servers, expected_type=type_hints["ntp_servers"])
@@ -9864,6 +9902,8 @@ class CfnDHCPOptionsProps:
             self._values["domain_name"] = domain_name
         if domain_name_servers is not None:
             self._values["domain_name_servers"] = domain_name_servers
+        if ipv6_address_preferred_lease_time is not None:
+            self._values["ipv6_address_preferred_lease_time"] = ipv6_address_preferred_lease_time
         if netbios_name_servers is not None:
             self._values["netbios_name_servers"] = netbios_name_servers
         if netbios_node_type is not None:
@@ -9895,6 +9935,17 @@ class CfnDHCPOptionsProps:
         result = self._values.get("domain_name_servers")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def ipv6_address_preferred_lease_time(self) -> typing.Optional[jsii.Number]:
+        '''A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal.
+
+        Acceptable values are between 140 and 2147483647 seconds (approximately 68 years). If no value is entered, the default lease time is 140 seconds. If you use long-term addressing for EC2 instances, you can increase the lease time and avoid frequent lease renewal requests. Lease renewal typically occurs when half of the lease time has elapsed.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-dhcpoptions.html#cfn-ec2-dhcpoptions-ipv6addresspreferredleasetime
+        '''
+        result = self._values.get("ipv6_address_preferred_lease_time")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     @builtins.property
     def netbios_name_servers(self) -> typing.Optional[typing.List[builtins.str]]:
         '''The IPv4 addresses of up to four NetBIOS name servers.
@@ -11401,14 +11452,14 @@ class CfnEC2Fleet(
             :param instance_generations: Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Current generation instance types are typically the latest two to three generations in each instance family. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* . For current generation instance types, specify ``current`` . For previous generation instance types, specify ``previous`` . Default: Current and previous generation instance types
             :param local_storage: Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, `Amazon EC2 instance store <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html>`_ in the *Amazon EC2 User Guide* . - To include instance types with instance store volumes, specify ``included`` . - To require only instance types with instance store volumes, specify ``required`` . - To exclude instance types with instance store volumes, specify ``excluded`` . Default: ``included``
             :param local_storage_types: The type of local storage that is required. - For instance types with hard disk drive (HDD) storage, specify ``hdd`` . - For instance types with solid state drive (SSD) storage, specify ``ssd`` . Default: ``hdd`` and ``ssd``
-            :param max_spot_price_as_percentage_of_optimal_on_demand_price: [Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price. .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+            :param max_spot_price_as_percentage_of_optimal_on_demand_price: [Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price. .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
             :param memory_gib_per_v_cpu: The minimum and maximum amount of memory per vCPU, in GiB. Default: No minimum or maximum limits
             :param memory_mib: The minimum and maximum amount of memory, in MiB.
             :param network_bandwidth_gbps: The minimum and maximum amount of baseline network bandwidth, in gigabits per second (Gbps). For more information, see `Amazon EC2 instance network bandwidth <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-network-bandwidth.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
             :param network_interface_count: The minimum and maximum number of network interfaces. Default: No minimum or maximum limits
             :param on_demand_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for On-Demand Instances, as a percentage higher than an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. Default: ``20``
             :param require_hibernate_support: Indicates whether instance types must support hibernation for On-Demand Instances. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ . Default: ``false``
-            :param spot_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for Spot Instances, as a percentage higher than an identified Spot price. The identified Spot price is the Spot price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified Spot price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose Spot price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` . Default: ``100``
+            :param spot_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for Spot Instances, as a percentage higher than an identified Spot price. The identified Spot price is the Spot price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified Spot price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose Spot price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` . Default: ``100``
             :param total_local_storage_gb: The minimum and maximum amount of total local storage, in GB. Default: No minimum or maximum limits
             :param v_cpu_count: The minimum and maximum number of vCPUs.
 
@@ -11799,12 +11850,10 @@ class CfnEC2Fleet(
 
             The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
 
-            To indicate no price protection threshold, specify a high value, such as ``999999`` .
-
             If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price.
             .. epigraph::
 
-               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ec2fleet-instancerequirementsrequest.html#cfn-ec2-ec2fleet-instancerequirementsrequest-maxspotpriceaspercentageofoptimalondemandprice
             '''
@@ -11912,14 +11961,12 @@ class CfnEC2Fleet(
 
             The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
 
-            To indicate no price protection threshold, specify a high value, such as ``999999`` .
-
             If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price.
 
             This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ .
             .. epigraph::
 
-               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
 
             Default: ``100``
 
@@ -14758,8 +14805,8 @@ class CfnFlowLog(
         :param resource_id: The ID of the resource to monitor. For example, if the resource type is ``VPC`` , specify the ID of the VPC.
         :param resource_type: The type of resource to monitor.
         :param deliver_cross_account_role: The ARN of the IAM role that allows the service to publish flow logs across accounts.
-        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
-        :param destination_options: The destination options. The following options are supported:. - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` . - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` . - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
+        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination. This parameter is required if the destination type is ``cloud-watch-logs`` , or if the destination type is ``kinesis-data-firehose`` and the delivery stream and the resources to monitor are in different accounts.
+        :param destination_options: The destination options.
         :param log_destination: The destination for the flow log data. The meaning of this parameter depends on the destination type. - If the destination type is ``cloud-watch-logs`` , specify the ARN of a CloudWatch Logs log group. For example: arn:aws:logs: *region* : *account_id* :log-group: *my_group* Alternatively, use the ``LogGroupName`` parameter. - If the destination type is ``s3`` , specify the ARN of an S3 bucket. For example: arn:aws:s3::: *my_bucket* / *my_subfolder* / The subfolder is optional. Note that you can't use ``AWSLogs`` as a subfolder name. - If the destination type is ``kinesis-data-firehose`` , specify the ARN of a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*
         :param log_destination_type: The type of destination for the flow log data. Default: ``cloud-watch-logs``
         :param log_format: The fields to include in the flow log record, in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see `Flow log records <https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records>`_ in the *Amazon VPC User Guide* or `Transit Gateway Flow Log records <https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html#flow-log-records>`_ in the *AWS Transit Gateway Guide* . Specify the fields using the ``${field-id}`` format, separated by spaces.
@@ -14883,7 +14930,7 @@ class CfnFlowLog(
     @builtins.property
     @jsii.member(jsii_name="deliverLogsPermissionArn")
     def deliver_logs_permission_arn(self) -> typing.Optional[builtins.str]:
-        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.'''
+        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "deliverLogsPermissionArn"))
 
     @deliver_logs_permission_arn.setter
@@ -14896,10 +14943,7 @@ class CfnFlowLog(
     @builtins.property
     @jsii.member(jsii_name="destinationOptions")
     def destination_options(self) -> typing.Any:
-        '''The destination options.
-
-        The following options are supported:.
-        '''
+        '''The destination options.'''
         return typing.cast(typing.Any, jsii.get(self, "destinationOptions"))
 
     @destination_options.setter
@@ -15144,8 +15188,8 @@ class CfnFlowLogProps:
         :param resource_id: The ID of the resource to monitor. For example, if the resource type is ``VPC`` , specify the ID of the VPC.
         :param resource_type: The type of resource to monitor.
         :param deliver_cross_account_role: The ARN of the IAM role that allows the service to publish flow logs across accounts.
-        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
-        :param destination_options: The destination options. The following options are supported:. - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` . - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` . - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
+        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination. This parameter is required if the destination type is ``cloud-watch-logs`` , or if the destination type is ``kinesis-data-firehose`` and the delivery stream and the resources to monitor are in different accounts.
+        :param destination_options: The destination options.
         :param log_destination: The destination for the flow log data. The meaning of this parameter depends on the destination type. - If the destination type is ``cloud-watch-logs`` , specify the ARN of a CloudWatch Logs log group. For example: arn:aws:logs: *region* : *account_id* :log-group: *my_group* Alternatively, use the ``LogGroupName`` parameter. - If the destination type is ``s3`` , specify the ARN of an S3 bucket. For example: arn:aws:s3::: *my_bucket* / *my_subfolder* / The subfolder is optional. Note that you can't use ``AWSLogs`` as a subfolder name. - If the destination type is ``kinesis-data-firehose`` , specify the ARN of a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*
         :param log_destination_type: The type of destination for the flow log data. Default: ``cloud-watch-logs``
         :param log_format: The fields to include in the flow log record, in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see `Flow log records <https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records>`_ in the *Amazon VPC User Guide* or `Transit Gateway Flow Log records <https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html#flow-log-records>`_ in the *AWS Transit Gateway Guide* . Specify the fields using the ``${field-id}`` format, separated by spaces.
@@ -15257,9 +15301,9 @@ class CfnFlowLogProps:
 
     @builtins.property
     def deliver_logs_permission_arn(self) -> typing.Optional[builtins.str]:
-        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.
+        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination.
 
-        This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
+        This parameter is required if the destination type is ``cloud-watch-logs`` , or if the destination type is ``kinesis-data-firehose`` and the delivery stream and the resources to monitor are in different accounts.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-deliverlogspermissionarn
         '''
@@ -15268,11 +15312,7 @@ class CfnFlowLogProps:
 
     @builtins.property
     def destination_options(self) -> typing.Any:
-        '''The destination options. The following options are supported:.
-
-        - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` .
-        - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` .
-        - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
+        '''The destination options.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-destinationoptions
         '''
@@ -19218,10 +19258,7 @@ class CfnInstance(
     @builtins.property
     @jsii.member(jsii_name="attrAvailabilityZone")
     def attr_availability_zone(self) -> builtins.str:
-        '''The Availability Zone where the specified instance is launched. For example: ``us-east-1b`` .
-
-        You can retrieve a list of all Availability Zones for a Region by using the `Fn::GetAZs <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getavailabilityzones.html>`_ intrinsic function.
-
+        '''
         :cloudformationAttribute: AvailabilityZone
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrAvailabilityZone"))
@@ -19229,12 +19266,20 @@ class CfnInstance(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''The ID of the instance.
-
+        '''
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrInstanceId")
+    def attr_instance_id(self) -> builtins.str:
+        '''The ID of the instance.
+
+        :cloudformationAttribute: InstanceId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrInstanceId"))
+
     @builtins.property
     @jsii.member(jsii_name="attrPrivateDnsName")
     def attr_private_dns_name(self) -> builtins.str:
@@ -19279,6 +19324,15 @@ class CfnInstance(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrPublicIp"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrVpcId")
+    def attr_vpc_id(self) -> builtins.str:
+        '''The ID of the VPC in which the instance is running.
+
+        :cloudformationAttribute: VpcId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrVpcId"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -20721,7 +20775,7 @@ class CfnInstance(
 
             ``HibernationOptions`` is a property of the `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ resource.
 
-            :param configured: Set to ``true`` to enable your instance for hibernation. For Spot Instances, if you set ``Configured`` to ``true`` , either omit the ``InstanceInterruptionBehavior`` parameter (for ```SpotMarketOptions`` <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html>`_ ), or set it to ``hibernate`` . When ``Configured`` is true: - If you omit ``InstanceInterruptionBehavior`` , it defaults to ``hibernate`` . - If you set ``InstanceInterruptionBehavior`` to a value other than ``hibernate`` , you'll get an error. Default: ``false``
+            :param configured: Set to ``true`` to enable your instance for hibernation. For Spot Instances, if you set ``Configured`` to ``true`` , either omit the ``InstanceInterruptionBehavior`` parameter (for ```SpotMarketOptions`` <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html>`_ ), or set it to ``hibernate`` . When ``Configured`` is true: - If you omit ``InstanceInterruptionBehavior`` , it defaults to ``hibernate`` . - If you set ``InstanceInterruptionBehavior`` to a value other than ``hibernate`` , you'll get an error. Default: ``false`` Default: - false
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-hibernationoptions.html
             :exampleMetadata: fixture=_generated
@@ -20756,6 +20810,8 @@ class CfnInstance(
 
             Default: ``false``
 
+            :default: - false
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-hibernationoptions.html#cfn-ec2-instance-hibernationoptions-configured
             '''
             result = self._values.get("configured")
@@ -24429,7 +24485,7 @@ class CfnLaunchTemplate(
             :param snapshot_id: The ID of the snapshot.
             :param throughput: The throughput to provision for a ``gp3`` volume, with a maximum of 1,000 MiB/s. Valid Range: Minimum value of 125. Maximum value of 1000.
             :param volume_size: The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type: - ``gp2`` and ``gp3`` : 1 - 16,384 GiB - ``io1`` : 4 - 16,384 GiB - ``io2`` : 4 - 65,536 GiB - ``st1`` and ``sc1`` : 125 - 16,384 GiB - ``standard`` : 1 - 1024 GiB
-            :param volume_type: The volume type. For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
+            :param volume_type: The volume type. For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html>`_ in the *Amazon EBS User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-ebs.html
             :exampleMetadata: fixture=_generated
@@ -24574,7 +24630,7 @@ class CfnLaunchTemplate(
         def volume_type(self) -> typing.Optional[builtins.str]:
             '''The volume type.
 
-            For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
+            For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html>`_ in the *Amazon EBS User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-ebs.html#cfn-ec2-launchtemplate-ebs-volumetype
             '''
@@ -25169,14 +25225,14 @@ class CfnLaunchTemplate(
             :param instance_generations: Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Current generation instance types are typically the latest two to three generations in each instance family. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* . For current generation instance types, specify ``current`` . For previous generation instance types, specify ``previous`` . Default: Current and previous generation instance types
             :param local_storage: Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, `Amazon EC2 instance store <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html>`_ in the *Amazon EC2 User Guide* . - To include instance types with instance store volumes, specify ``included`` . - To require only instance types with instance store volumes, specify ``required`` . - To exclude instance types with instance store volumes, specify ``excluded`` . Default: ``included``
             :param local_storage_types: The type of local storage that is required. - For instance types with hard disk drive (HDD) storage, specify ``hdd`` . - For instance types with solid state drive (SSD) storage, specify ``ssd`` . Default: ``hdd`` and ``ssd``
-            :param max_spot_price_as_percentage_of_optimal_on_demand_price: [Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price. .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+            :param max_spot_price_as_percentage_of_optimal_on_demand_price: [Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price. .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
             :param memory_gib_per_v_cpu: The minimum and maximum amount of memory per vCPU, in GiB. Default: No minimum or maximum limits
             :param memory_mib: The minimum and maximum amount of memory, in MiB.
             :param network_bandwidth_gbps: The minimum and maximum amount of network bandwidth, in gigabits per second (Gbps). Default: No minimum or maximum limits
             :param network_interface_count: The minimum and maximum number of network interfaces. Default: No minimum or maximum limits
             :param on_demand_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for On-Demand Instances, as a percentage higher than an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To turn off price protection, specify a high value, such as ``999999`` . This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. Default: ``20``
             :param require_hibernate_support: Indicates whether instance types must support hibernation for On-Demand Instances. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ . Default: ``false``
-            :param spot_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for Spot Instances, as a percentage higher than an identified Spot price. The identified Spot price is the Spot price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified Spot price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose Spot price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` . Default: ``100``
+            :param spot_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for Spot Instances, as a percentage higher than an identified Spot price. The identified Spot price is the Spot price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified Spot price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose Spot price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` . Default: ``100``
             :param total_local_storage_gb: The minimum and maximum amount of total local storage, in GB. Default: No minimum or maximum limits
             :param v_cpu_count: The minimum and maximum number of vCPUs.
 
@@ -25567,12 +25623,10 @@ class CfnLaunchTemplate(
 
             The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
 
-            To indicate no price protection threshold, specify a high value, such as ``999999`` .
-
             If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price.
             .. epigraph::
 
-               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-instancerequirements.html#cfn-ec2-launchtemplate-instancerequirements-maxspotpriceaspercentageofoptimalondemandprice
             '''
@@ -25678,14 +25732,12 @@ class CfnLaunchTemplate(
 
             The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
 
-            To indicate no price protection threshold, specify a high value, such as ``999999`` .
-
             If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price.
 
             This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ .
             .. epigraph::
 
-               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
 
             Default: ``100``
 
@@ -36698,19 +36750,19 @@ class CfnNetworkInterface(
         :param connection_tracking_specification: A connection tracking specification for the network interface.
         :param description: A description for the network interface.
         :param enable_primary_ipv6: If you’re modifying a network interface in a dual-stack or IPv6-only subnet, you have the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA address associated with an ENI that you have enabled to use a primary IPv6 address. Use this option if the instance that this ENI will be attached to relies on its IPv6 address not changing. AWS will automatically assign an IPv6 address associated with the ENI attached to your instance to be the primary IPv6 address. Once you enable an IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. If you have multiple IPv6 addresses associated with an ENI attached to your instance and you enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI becomes the primary IPv6 address.
-        :param group_set: The security group IDs associated with this network interface.
+        :param group_set: The IDs of the security groups associated with this network interface.
         :param interface_type: The type of network interface. The default is ``interface`` . The supported values are ``efa`` and ``trunk`` .
         :param ipv4_prefix_count: The number of IPv4 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
         :param ipv4_prefixes: The IPv4 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
-        :param ipv6_address_count: The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
-        :param ipv6_addresses: One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_address_count: The number of IPv6 addresses to assign to the network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_addresses: The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
         :param ipv6_prefix_count: The number of IPv6 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
         :param ipv6_prefixes: The IPv6 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
-        :param private_ip_address: Assigns a single private IP address to the network interface, which is used as the primary private IP address. If you want to specify multiple private IP address, use the ``PrivateIpAddresses`` property.
-        :param private_ip_addresses: Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
+        :param private_ip_address: The private IPv4 address to assign to the network interface as the primary private IP address. If you want to specify multiple private IP addresses, use the ``PrivateIpAddresses`` property.
+        :param private_ip_addresses: The private IPv4 addresses to assign to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using ``privateIpAddresses`` . When creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
-        :param tags: An arbitrary set of tags (key-value pairs) for this network interface.
+        :param tags: The tags to apply to the network interface.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8393da3cca9727d94c340192bc7d8b11bde1fb62e8d43771091b9a3e120a301a)
@@ -36782,8 +36834,6 @@ class CfnNetworkInterface(
     def attr_primary_ipv6_address(self) -> builtins.str:
         '''The primary IPv6 address of the network interface.
 
-        When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached.
-
         :cloudformationAttribute: PrimaryIpv6Address
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrPrimaryIpv6Address"))
@@ -36810,6 +36860,15 @@ class CfnNetworkInterface(
         '''
         return typing.cast(typing.List[builtins.str], jsii.get(self, "attrSecondaryPrivateIpAddresses"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrVpcId")
+    def attr_vpc_id(self) -> builtins.str:
+        '''The ID of the VPC.
+
+        :cloudformationAttribute: VpcId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrVpcId"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -36886,7 +36945,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="groupSet")
     def group_set(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The security group IDs associated with this network interface.'''
+        '''The IDs of the security groups associated with this network interface.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "groupSet"))
 
     @group_set.setter
@@ -36943,7 +37002,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="ipv6AddressCount")
     def ipv6_address_count(self) -> typing.Optional[jsii.Number]:
-        '''The number of IPv6 addresses to assign to a network interface.'''
+        '''The number of IPv6 addresses to assign to the network interface.'''
         return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "ipv6AddressCount"))
 
     @ipv6_address_count.setter
@@ -36958,7 +37017,7 @@ class CfnNetworkInterface(
     def ipv6_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.InstanceIpv6AddressProperty"]]]]:
-        '''One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface.'''
+        '''The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.InstanceIpv6AddressProperty"]]]], jsii.get(self, "ipv6Addresses"))
 
     @ipv6_addresses.setter
@@ -37005,7 +37064,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="privateIpAddress")
     def private_ip_address(self) -> typing.Optional[builtins.str]:
-        '''Assigns a single private IP address to the network interface, which is used as the primary private IP address.'''
+        '''The private IPv4 address to assign to the network interface as the primary private IP address.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "privateIpAddress"))
 
     @private_ip_address.setter
@@ -37020,7 +37079,7 @@ class CfnNetworkInterface(
     def private_ip_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.PrivateIpAddressSpecificationProperty"]]]]:
-        '''Assigns private IP addresses to the network interface.'''
+        '''The private IPv4 addresses to assign to the network interface.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.PrivateIpAddressSpecificationProperty"]]]], jsii.get(self, "privateIpAddresses"))
 
     @private_ip_addresses.setter
@@ -37070,7 +37129,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
     def tags_raw(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''An arbitrary set of tags (key-value pairs) for this network interface.'''
+        '''The tags to apply to the network interface.'''
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tagsRaw"))
 
     @tags_raw.setter
@@ -38165,19 +38224,19 @@ class CfnNetworkInterfaceProps:
         :param connection_tracking_specification: A connection tracking specification for the network interface.
         :param description: A description for the network interface.
         :param enable_primary_ipv6: If you’re modifying a network interface in a dual-stack or IPv6-only subnet, you have the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA address associated with an ENI that you have enabled to use a primary IPv6 address. Use this option if the instance that this ENI will be attached to relies on its IPv6 address not changing. AWS will automatically assign an IPv6 address associated with the ENI attached to your instance to be the primary IPv6 address. Once you enable an IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. If you have multiple IPv6 addresses associated with an ENI attached to your instance and you enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI becomes the primary IPv6 address.
-        :param group_set: The security group IDs associated with this network interface.
+        :param group_set: The IDs of the security groups associated with this network interface.
         :param interface_type: The type of network interface. The default is ``interface`` . The supported values are ``efa`` and ``trunk`` .
         :param ipv4_prefix_count: The number of IPv4 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
         :param ipv4_prefixes: The IPv4 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
-        :param ipv6_address_count: The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
-        :param ipv6_addresses: One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_address_count: The number of IPv6 addresses to assign to the network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_addresses: The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
         :param ipv6_prefix_count: The number of IPv6 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
         :param ipv6_prefixes: The IPv6 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
-        :param private_ip_address: Assigns a single private IP address to the network interface, which is used as the primary private IP address. If you want to specify multiple private IP address, use the ``PrivateIpAddresses`` property.
-        :param private_ip_addresses: Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
+        :param private_ip_address: The private IPv4 address to assign to the network interface as the primary private IP address. If you want to specify multiple private IP addresses, use the ``PrivateIpAddresses`` property.
+        :param private_ip_addresses: The private IPv4 addresses to assign to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using ``privateIpAddresses`` . When creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
-        :param tags: An arbitrary set of tags (key-value pairs) for this network interface.
+        :param tags: The tags to apply to the network interface.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html
         :exampleMetadata: fixture=_generated
@@ -38326,7 +38385,7 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def group_set(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The security group IDs associated with this network interface.
+        '''The IDs of the security groups associated with this network interface.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html#cfn-ec2-networkinterface-groupset
         '''
@@ -38370,7 +38429,7 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def ipv6_address_count(self) -> typing.Optional[jsii.Number]:
-        '''The number of IPv6 addresses to assign to a network interface.
+        '''The number of IPv6 addresses to assign to the network interface.
 
         Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property.
 
@@ -38385,7 +38444,7 @@ class CfnNetworkInterfaceProps:
     def ipv6_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnNetworkInterface.InstanceIpv6AddressProperty]]]]:
-        '''One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface.
+        '''The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface.
 
         If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property.
 
@@ -38422,9 +38481,9 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def private_ip_address(self) -> typing.Optional[builtins.str]:
-        '''Assigns a single private IP address to the network interface, which is used as the primary private IP address.
+        '''The private IPv4 address to assign to the network interface as the primary private IP address.
 
-        If you want to specify multiple private IP address, use the ``PrivateIpAddresses`` property.
+        If you want to specify multiple private IP addresses, use the ``PrivateIpAddresses`` property.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html#cfn-ec2-networkinterface-privateipaddress
         '''
@@ -38435,7 +38494,7 @@ class CfnNetworkInterfaceProps:
     def private_ip_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnNetworkInterface.PrivateIpAddressSpecificationProperty]]]]:
-        '''Assigns private IP addresses to the network interface.
+        '''The private IPv4 addresses to assign to the network interface.
 
         You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property.
 
@@ -38474,7 +38533,7 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''An arbitrary set of tags (key-value pairs) for this network interface.
+        '''The tags to apply to the network interface.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html#cfn-ec2-networkinterface-tags
         '''
@@ -40368,6 +40427,7 @@ class CfnSecurityGroup(
                 destination_prefix_list_id="destinationPrefixListId",
                 destination_security_group_id="destinationSecurityGroupId",
                 from_port=123,
+                source_security_group_id="sourceSecurityGroupId",
                 to_port=123
             )],
             security_group_ingress=[ec2.CfnSecurityGroup.IngressProperty(
@@ -40471,7 +40531,8 @@ class CfnSecurityGroup(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The group name or group ID depending on whether the SG is created in default or specific VPC.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -40597,6 +40658,7 @@ class CfnSecurityGroup(
             "destination_prefix_list_id": "destinationPrefixListId",
             "destination_security_group_id": "destinationSecurityGroupId",
             "from_port": "fromPort",
+            "source_security_group_id": "sourceSecurityGroupId",
             "to_port": "toPort",
         },
     )
@@ -40611,25 +40673,27 @@ class CfnSecurityGroup(
             destination_prefix_list_id: typing.Optional[builtins.str] = None,
             destination_security_group_id: typing.Optional[builtins.str] = None,
             from_port: typing.Optional[jsii.Number] = None,
+            source_security_group_id: typing.Optional[builtins.str] = None,
             to_port: typing.Optional[jsii.Number] = None,
         ) -> None:
             '''Adds the specified outbound (egress) rule to a security group.
 
             An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-            You must specify exactly one of the following destinations: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully but the rule is not added to the security group.
+            You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
             You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
 
             Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
 
             :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
             :param description: A description for the security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
-            :param destination_prefix_list_id: The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
-            :param destination_security_group_id: The ID of the destination VPC security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            :param destination_prefix_list_id: The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
+            :param destination_security_group_id: The ID of the destination VPC security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
             :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
+            :param source_security_group_id: 
             :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html
@@ -40651,6 +40715,7 @@ class CfnSecurityGroup(
                     destination_prefix_list_id="destinationPrefixListId",
                     destination_security_group_id="destinationSecurityGroupId",
                     from_port=123,
+                    source_security_group_id="sourceSecurityGroupId",
                     to_port=123
                 )
             '''
@@ -40663,6 +40728,7 @@ class CfnSecurityGroup(
                 check_type(argname="argument destination_prefix_list_id", value=destination_prefix_list_id, expected_type=type_hints["destination_prefix_list_id"])
                 check_type(argname="argument destination_security_group_id", value=destination_security_group_id, expected_type=type_hints["destination_security_group_id"])
                 check_type(argname="argument from_port", value=from_port, expected_type=type_hints["from_port"])
+                check_type(argname="argument source_security_group_id", value=source_security_group_id, expected_type=type_hints["source_security_group_id"])
                 check_type(argname="argument to_port", value=to_port, expected_type=type_hints["to_port"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "ip_protocol": ip_protocol,
@@ -40679,6 +40745,8 @@ class CfnSecurityGroup(
                 self._values["destination_security_group_id"] = destination_security_group_id
             if from_port is not None:
                 self._values["from_port"] = from_port
+            if source_security_group_id is not None:
+                self._values["source_security_group_id"] = source_security_group_id
             if to_port is not None:
                 self._values["to_port"] = to_port
 
@@ -40698,7 +40766,7 @@ class CfnSecurityGroup(
         def cidr_ip(self) -> typing.Optional[builtins.str]:
             '''The IPv4 address range, in CIDR format.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -40711,7 +40779,7 @@ class CfnSecurityGroup(
         def cidr_ipv6(self) -> typing.Optional[builtins.str]:
             '''The IPv6 address range, in CIDR format.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -40737,7 +40805,7 @@ class CfnSecurityGroup(
 
             This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html#cfn-ec2-securitygroup-egress-destinationprefixlistid
             '''
@@ -40748,7 +40816,7 @@ class CfnSecurityGroup(
         def destination_security_group_id(self) -> typing.Optional[builtins.str]:
             '''The ID of the destination VPC security group.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html#cfn-ec2-securitygroup-egress-destinationsecuritygroupid
             '''
@@ -40766,6 +40834,14 @@ class CfnSecurityGroup(
             result = self._values.get("from_port")
             return typing.cast(typing.Optional[jsii.Number], result)
 
+        @builtins.property
+        def source_security_group_id(self) -> typing.Optional[builtins.str]:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html#cfn-ec2-securitygroup-egress-sourcesecuritygroupid
+            '''
+            result = self._values.get("source_security_group_id")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def to_port(self) -> typing.Optional[jsii.Number]:
             '''If the protocol is TCP or UDP, this is the end of the port range.
@@ -40823,15 +40899,15 @@ class CfnSecurityGroup(
 
             An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-            You must specify exactly one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group.
+            You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
             You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
 
             Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
 
             :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
             :param description: Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
             :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
             :param source_prefix_list_id: The ID of a prefix list.
@@ -40914,7 +40990,7 @@ class CfnSecurityGroup(
         def cidr_ip(self) -> typing.Optional[builtins.str]:
             '''The IPv4 address range, in CIDR format.
 
-            You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -40927,7 +41003,7 @@ class CfnSecurityGroup(
         def cidr_ipv6(self) -> typing.Optional[builtins.str]:
             '''The IPv6 address range, in CIDR format.
 
-            You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41037,7 +41113,7 @@ class CfnSecurityGroupEgress(
 
     An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-    You must specify exactly one of the following destinations: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully but the rule is not added to the security group.
+    You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
     You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1.
 
@@ -41088,11 +41164,11 @@ class CfnSecurityGroupEgress(
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_id: The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
-        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
-        :param destination_security_group_id: The ID of the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
+        :param destination_security_group_id: The ID of the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
         :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
         :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
         '''
@@ -41311,11 +41387,11 @@ class CfnSecurityGroupEgressProps:
 
         :param group_id: The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
-        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
-        :param destination_security_group_id: The ID of the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
+        :param destination_security_group_id: The ID of the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
         :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
         :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
 
@@ -41400,7 +41476,7 @@ class CfnSecurityGroupEgressProps:
     def cidr_ip(self) -> typing.Optional[builtins.str]:
         '''The IPv4 address range, in CIDR format.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41413,7 +41489,7 @@ class CfnSecurityGroupEgressProps:
     def cidr_ipv6(self) -> typing.Optional[builtins.str]:
         '''The IPv6 address range, in CIDR format.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41437,9 +41513,9 @@ class CfnSecurityGroupEgressProps:
     def destination_prefix_list_id(self) -> typing.Optional[builtins.str]:
         '''The prefix list IDs for an AWS service.
 
-        This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
+        This is the AWS service to access through a VPC endpoint from instances associated with the security group.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupegress.html#cfn-ec2-securitygroupegress-destinationprefixlistid
         '''
@@ -41450,7 +41526,7 @@ class CfnSecurityGroupEgressProps:
     def destination_security_group_id(self) -> typing.Optional[builtins.str]:
         '''The ID of the security group.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupegress.html#cfn-ec2-securitygroupegress-destinationsecuritygroupid
         '''
@@ -41501,7 +41577,7 @@ class CfnSecurityGroupIngress(
 
     An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-    You must specify only one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group.
+    You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
     You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
 
@@ -41557,8 +41633,8 @@ class CfnSecurityGroupIngress(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
         :param from_port: The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of ``-1`` indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.
         :param group_id: The ID of the security group.
@@ -41832,8 +41908,8 @@ class CfnSecurityGroupIngressProps:
         '''Properties for defining a ``CfnSecurityGroupIngress``.
 
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
         :param from_port: The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of ``-1`` indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.
         :param group_id: The ID of the security group.
@@ -41926,7 +42002,7 @@ class CfnSecurityGroupIngressProps:
     def cidr_ip(self) -> typing.Optional[builtins.str]:
         '''The IPv4 address range, in CIDR format.
 
-        You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41939,7 +42015,7 @@ class CfnSecurityGroupIngressProps:
     def cidr_ipv6(self) -> typing.Optional[builtins.str]:
         '''The IPv6 address range, in CIDR format.
 
-        You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -42123,6 +42199,7 @@ class CfnSecurityGroupProps:
                     destination_prefix_list_id="destinationPrefixListId",
                     destination_security_group_id="destinationSecurityGroupId",
                     from_port=123,
+                    source_security_group_id="sourceSecurityGroupId",
                     to_port=123
                 )],
                 security_group_ingress=[ec2.CfnSecurityGroup.IngressProperty(
@@ -42261,7 +42338,7 @@ class CfnSnapshotBlockPublicAccess(
 ):
     '''Specifies the state of the *block public access for snapshots* setting for the Region.
 
-    For more information, see `Block public access for snapshots <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-public-access-snapshots.html>`_ .
+    For more information, see `Block public access for snapshots <https://docs.aws.amazon.com/ebs/latest/userguide/block-public-access-snapshots.html>`_ .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-snapshotblockpublicaccess.html
     :cloudformationResource: AWS::EC2::SnapshotBlockPublicAccess
@@ -43277,7 +43354,7 @@ class CfnSpotFleet(
             :param iops: The number of I/O operations per second (IOPS). For ``gp3`` , ``io1`` , and ``io2`` volumes, this represents the number of IOPS that are provisioned for the volume. For ``gp2`` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. The following are the supported values for each volume type: - ``gp3`` : 3,000 - 16,000 IOPS - ``io1`` : 100 - 64,000 IOPS - ``io2`` : 100 - 256,000 IOPS For ``io2`` volumes, you can achieve up to 256,000 IOPS on `instances built on the Nitro System <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances>`_ . On other instances, you can achieve performance up to 32,000 IOPS. This parameter is required for ``io1`` and ``io2`` volumes. The default for ``gp3`` volumes is 3,000 IOPS.
             :param snapshot_id: The ID of the snapshot.
             :param volume_size: The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size. The following are the supported sizes for each volume type: - ``gp2`` and ``gp3`` : 1 - 16,384 GiB - ``io1`` : 4 - 16,384 GiB - ``io2`` : 4 - 65,536 GiB - ``st1`` and ``sc1`` : 125 - 16,384 GiB - ``standard`` : 1 - 1024 GiB
-            :param volume_type: The volume type. For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html>`_ in the *Amazon EC2 User Guide* .
+            :param volume_type: The volume type. For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html>`_ in the *Amazon EBS User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-ebsblockdevice.html
             :exampleMetadata: fixture=_generated
@@ -43404,7 +43481,7 @@ class CfnSpotFleet(
         def volume_type(self) -> typing.Optional[builtins.str]:
             '''The volume type.
 
-            For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html>`_ in the *Amazon EC2 User Guide* .
+            For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html>`_ in the *Amazon EBS User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-ebsblockdevice.html#cfn-ec2-spotfleet-ebsblockdevice-volumetype
             '''
@@ -44036,14 +44113,14 @@ class CfnSpotFleet(
             :param instance_generations: Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Current generation instance types are typically the latest two to three generations in each instance family. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* . For current generation instance types, specify ``current`` . For previous generation instance types, specify ``previous`` . Default: Current and previous generation instance types
             :param local_storage: Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, `Amazon EC2 instance store <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html>`_ in the *Amazon EC2 User Guide* . - To include instance types with instance store volumes, specify ``included`` . - To require only instance types with instance store volumes, specify ``required`` . - To exclude instance types with instance store volumes, specify ``excluded`` . Default: ``included``
             :param local_storage_types: The type of local storage that is required. - For instance types with hard disk drive (HDD) storage, specify ``hdd`` . - For instance types with solid state drive (SSD) storage, specify ``ssd`` . Default: ``hdd`` and ``ssd``
-            :param max_spot_price_as_percentage_of_optimal_on_demand_price: [Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price. .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+            :param max_spot_price_as_percentage_of_optimal_on_demand_price: [Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price. .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
             :param memory_gib_per_v_cpu: The minimum and maximum amount of memory per vCPU, in GiB. Default: No minimum or maximum limits
             :param memory_mib: The minimum and maximum amount of memory, in MiB.
             :param network_bandwidth_gbps: The minimum and maximum amount of baseline network bandwidth, in gigabits per second (Gbps). For more information, see `Amazon EC2 instance network bandwidth <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-network-bandwidth.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
             :param network_interface_count: The minimum and maximum number of network interfaces. Default: No minimum or maximum limits
             :param on_demand_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for On-Demand Instances, as a percentage higher than an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. Default: ``20``
             :param require_hibernate_support: Indicates whether instance types must support hibernation for On-Demand Instances. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ . Default: ``false``
-            :param spot_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for Spot Instances, as a percentage higher than an identified Spot price. The identified Spot price is the Spot price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified Spot price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose Spot price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. To indicate no price protection threshold, specify a high value, such as ``999999`` . If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` . Default: ``100``
+            :param spot_max_price_percentage_over_lowest_price: [Price protection] The price protection threshold for Spot Instances, as a percentage higher than an identified Spot price. The identified Spot price is the Spot price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified Spot price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose Spot price exceeds your specified threshold. The parameter accepts an integer, which Amazon EC2 interprets as a percentage. If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ . .. epigraph:: Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` . Default: ``100``
             :param total_local_storage_gb: The minimum and maximum amount of total local storage, in GB. Default: No minimum or maximum limits
             :param v_cpu_count: The minimum and maximum number of vCPUs.
 
@@ -44434,12 +44511,10 @@ class CfnSpotFleet(
 
             The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
 
-            To indicate no price protection threshold, specify a high value, such as ``999999`` .
-
             If you set ``DesiredCapacityType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is based on the per vCPU or per memory price instead of the per instance price.
             .. epigraph::
 
-               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-instancerequirementsrequest.html#cfn-ec2-spotfleet-instancerequirementsrequest-maxspotpriceaspercentageofoptimalondemandprice
             '''
@@ -44547,14 +44622,12 @@ class CfnSpotFleet(
 
             The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
 
-            To indicate no price protection threshold, specify a high value, such as ``999999`` .
-
             If you set ``TargetCapacityUnitType`` to ``vcpu`` or ``memory-mib`` , the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price.
 
             This parameter is not supported for `GetSpotPlacementScores <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetSpotPlacementScores.html>`_ and `GetInstanceTypesFromInstanceRequirements <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetInstanceTypesFromInstanceRequirements.html>`_ .
             .. epigraph::
 
-               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, then ``SpotMaxPricePercentageOverLowestPrice`` is used and the value for that parameter defaults to ``100`` .
+               Only one of ``SpotMaxPricePercentageOverLowestPrice`` or ``MaxSpotPriceAsPercentageOfOptimalOnDemandPrice`` can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as ``999999`` .
 
             Default: ``100``
 
@@ -44776,7 +44849,7 @@ class CfnSpotFleet(
             :param priority: The priority for the launch template override. The highest priority is launched first. If ``OnDemandAllocationStrategy`` is set to ``prioritized`` , Spot Fleet uses priority to determine which launch template override to use first in fulfilling On-Demand capacity. If the Spot ``AllocationStrategy`` is set to ``capacityOptimizedPrioritized`` , Spot Fleet uses priority on a best-effort basis to determine which launch template override to use in fulfilling Spot capacity, but optimizes for capacity first. Valid values are whole numbers starting at ``0`` . The lower the number, the higher the priority. If no number is set, the launch template override has the lowest priority. You can set the same priority for different launch template overrides.
             :param spot_price: The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price. .. epigraph:: If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.
             :param subnet_id: The ID of the subnet in which to launch the instances.
-            :param weighted_capacity: The number of units provided by the specified instance type.
+            :param weighted_capacity: The number of units provided by the specified instance type. .. epigraph:: When specifying weights, the price used in the ``lowest-price`` and ``price-capacity-optimized`` allocation strategies is per *unit* hour (where the instance price is divided by the specified weight). However, if all the specified weights are above the requested ``TargetCapacity`` , resulting in only 1 instance being launched, the price used is per *instance* hour.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-launchtemplateoverrides.html
             :exampleMetadata: fixture=_generated
@@ -44950,6 +45023,10 @@ class CfnSpotFleet(
         def weighted_capacity(self) -> typing.Optional[jsii.Number]:
             '''The number of units provided by the specified instance type.
 
+            .. epigraph::
+
+               When specifying weights, the price used in the ``lowest-price`` and ``price-capacity-optimized`` allocation strategies is per *unit* hour (where the instance price is divided by the specified weight). However, if all the specified weights are above the requested ``TargetCapacity`` , resulting in only 1 instance being launched, the price used is per *instance* hour.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-launchtemplateoverrides.html#cfn-ec2-spotfleet-launchtemplateoverrides-weightedcapacity
             '''
             result = self._values.get("weighted_capacity")
@@ -55450,7 +55527,8 @@ class CfnVPCCidrBlock(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The Id of the VPC associated CIDR Block.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -62408,7 +62486,7 @@ class CfnVolume(
     - You successfully update an Amazon EBS volume and the update succeeds. When you attempt another update within the cooldown window, that update will be subject to a cooldown period.
     - You successfully update an Amazon EBS volume and the update succeeds but another change in your ``update-stack`` call fails. The rollback will be subject to a cooldown period.
 
-    For more information on the cooldown period, see `Requirements when modifying volumes <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/modify-volume-requirements.html>`_ .
+    For more information, see `Requirements for EBS volume modifications <https://docs.aws.amazon.com/ebs/latest/userguide/modify-volume-requirements.html>`_ .
 
     *DeletionPolicy attribute*
 
@@ -62471,7 +62549,7 @@ class CfnVolume(
         :param id: Construct identifier for this resource (unique in its scope).
         :param availability_zone: The ID of the Availability Zone in which to create the volume. For example, ``us-east-1a`` .
         :param auto_enable_io: Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/O to the volume from attached EC2 instances when it determines that a volume's data is potentially inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be made available immediately if it's impaired, you can configure the volume to automatically enable I/O.
-        :param encrypted: Indicates whether the volume should be encrypted. The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default>`_ in the *Amazon Elastic Compute Cloud User Guide* . Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances>`_ .
+        :param encrypted: Indicates whether the volume should be encrypted. The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default>`_ in the *Amazon EBS User Guide* . Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption_supported_instances>`_ .
         :param iops: The number of I/O operations per second (IOPS). For ``gp3`` , ``io1`` , and ``io2`` volumes, this represents the number of IOPS that are provisioned for the volume. For ``gp2`` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. The following are the supported values for each volume type: - ``gp3`` : 3,000 - 16,000 IOPS - ``io1`` : 100 - 64,000 IOPS - ``io2`` : 100 - 256,000 IOPS For ``io2`` volumes, you can achieve up to 256,000 IOPS on `instances built on the Nitro System <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances>`_ . On other instances, you can achieve performance up to 32,000 IOPS. This parameter is required for ``io1`` and ``io2`` volumes. The default for ``gp3`` volumes is 3,000 IOPS. This parameter is not supported for ``gp2`` , ``st1`` , ``sc1`` , or ``standard`` volumes.
         :param kms_key_id: The identifier of the AWS KMS key to use for Amazon EBS encryption. If ``KmsKeyId`` is specified, the encrypted state must be ``true`` . If you omit this property and your account is enabled for encryption by default, or *Encrypted* is set to ``true`` , then the volume is encrypted using the default key specified for your account. If your account does not have a default key, then the volume is encrypted using the AWS managed key . Alternatively, if you want to specify a different key, you can specify one of the following: - Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. - Key alias. Specify the alias for the key, prefixed with ``alias/`` . For example, for a key with the alias ``my_cmk`` , use ``alias/my_cmk`` . Or to specify the AWS managed key , use ``alias/aws/ebs`` . - Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab. - Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
         :param multi_attach_enabled: Indicates whether Amazon EBS Multi-Attach is enabled. AWS CloudFormation does not currently support updating a single-attach volume to be multi-attach enabled, updating a multi-attach enabled volume to be single-attach, or updating the size or number of I/O operations per second (IOPS) of a multi-attach enabled volume.
@@ -62480,7 +62558,7 @@ class CfnVolume(
         :param snapshot_id: The snapshot from which to create the volume. You must specify either a snapshot ID or a volume size.
         :param tags: The tags to apply to the volume during creation.
         :param throughput: The throughput to provision for a volume, with a maximum of 1,000 MiB/s. This parameter is valid only for ``gp3`` volumes. The default value is 125. Valid Range: Minimum value of 125. Maximum value of 1000.
-        :param volume_type: The volume type. This parameter can be one of the following values:. - General Purpose SSD: ``gp2`` | ``gp3`` - Provisioned IOPS SSD: ``io1`` | ``io2`` - Throughput Optimized HDD: ``st1`` - Cold HDD: ``sc1`` - Magnetic: ``standard`` For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html>`_ in the *Amazon Elastic Compute Cloud User Guide* . Default: ``gp2``
+        :param volume_type: The volume type. This parameter can be one of the following values:. - General Purpose SSD: ``gp2`` | ``gp3`` - Provisioned IOPS SSD: ``io1`` | ``io2`` - Throughput Optimized HDD: ``st1`` - Cold HDD: ``sc1`` - Magnetic: ``standard`` For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html>`_ . Default: ``gp2``
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__915a70f35b9237e059cd8fc78c5da31e1d4f2476ed4857c7ac173e559447905e)
@@ -62998,7 +63076,7 @@ class CfnVolumeProps:
 
         :param availability_zone: The ID of the Availability Zone in which to create the volume. For example, ``us-east-1a`` .
         :param auto_enable_io: Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/O to the volume from attached EC2 instances when it determines that a volume's data is potentially inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be made available immediately if it's impaired, you can configure the volume to automatically enable I/O.
-        :param encrypted: Indicates whether the volume should be encrypted. The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default>`_ in the *Amazon Elastic Compute Cloud User Guide* . Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances>`_ .
+        :param encrypted: Indicates whether the volume should be encrypted. The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default>`_ in the *Amazon EBS User Guide* . Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption_supported_instances>`_ .
         :param iops: The number of I/O operations per second (IOPS). For ``gp3`` , ``io1`` , and ``io2`` volumes, this represents the number of IOPS that are provisioned for the volume. For ``gp2`` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. The following are the supported values for each volume type: - ``gp3`` : 3,000 - 16,000 IOPS - ``io1`` : 100 - 64,000 IOPS - ``io2`` : 100 - 256,000 IOPS For ``io2`` volumes, you can achieve up to 256,000 IOPS on `instances built on the Nitro System <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances>`_ . On other instances, you can achieve performance up to 32,000 IOPS. This parameter is required for ``io1`` and ``io2`` volumes. The default for ``gp3`` volumes is 3,000 IOPS. This parameter is not supported for ``gp2`` , ``st1`` , ``sc1`` , or ``standard`` volumes.
         :param kms_key_id: The identifier of the AWS KMS key to use for Amazon EBS encryption. If ``KmsKeyId`` is specified, the encrypted state must be ``true`` . If you omit this property and your account is enabled for encryption by default, or *Encrypted* is set to ``true`` , then the volume is encrypted using the default key specified for your account. If your account does not have a default key, then the volume is encrypted using the AWS managed key . Alternatively, if you want to specify a different key, you can specify one of the following: - Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. - Key alias. Specify the alias for the key, prefixed with ``alias/`` . For example, for a key with the alias ``my_cmk`` , use ``alias/my_cmk`` . Or to specify the AWS managed key , use ``alias/aws/ebs`` . - Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab. - Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
         :param multi_attach_enabled: Indicates whether Amazon EBS Multi-Attach is enabled. AWS CloudFormation does not currently support updating a single-attach volume to be multi-attach enabled, updating a multi-attach enabled volume to be single-attach, or updating the size or number of I/O operations per second (IOPS) of a multi-attach enabled volume.
@@ -63007,7 +63085,7 @@ class CfnVolumeProps:
         :param snapshot_id: The snapshot from which to create the volume. You must specify either a snapshot ID or a volume size.
         :param tags: The tags to apply to the volume during creation.
         :param throughput: The throughput to provision for a volume, with a maximum of 1,000 MiB/s. This parameter is valid only for ``gp3`` volumes. The default value is 125. Valid Range: Minimum value of 125. Maximum value of 1000.
-        :param volume_type: The volume type. This parameter can be one of the following values:. - General Purpose SSD: ``gp2`` | ``gp3`` - Provisioned IOPS SSD: ``io1`` | ``io2`` - Throughput Optimized HDD: ``st1`` - Cold HDD: ``sc1`` - Magnetic: ``standard`` For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html>`_ in the *Amazon Elastic Compute Cloud User Guide* . Default: ``gp2``
+        :param volume_type: The volume type. This parameter can be one of the following values:. - General Purpose SSD: ``gp2`` | ``gp3`` - Provisioned IOPS SSD: ``io1`` | ``io2`` - Throughput Optimized HDD: ``st1`` - Cold HDD: ``sc1`` - Magnetic: ``standard`` For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html>`_ . Default: ``gp2``
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-volume.html
         :exampleMetadata: fixture=_generated
@@ -63109,9 +63187,9 @@ class CfnVolumeProps:
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
         '''Indicates whether the volume should be encrypted.
 
-        The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default>`_ in the *Amazon Elastic Compute Cloud User Guide* .
+        The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default>`_ in the *Amazon EBS User Guide* .
 
-        Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances>`_ .
+        Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption_supported_instances>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-volume.html#cfn-ec2-volume-encrypted
         '''
@@ -63243,7 +63321,7 @@ class CfnVolumeProps:
         - Cold HDD: ``sc1``
         - Magnetic: ``standard``
 
-        For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
+        For more information, see `Amazon EBS volume types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html>`_ .
 
         Default: ``gp2``
 
@@ -72126,6 +72204,8 @@ class InstanceClass(enum.Enum):
     '''Memory optimized instances based on AMD EPYC, 5th generation.'''
     MEMORY5_AMD_NVME_DRIVE = "MEMORY5_AMD_NVME_DRIVE"
     '''Memory optimized instances based on AMD EPYC with local NVME drive, 5th generation.'''
+    R5AD = "R5AD"
+    '''Memory optimized instances based on AMD EPYC with local NVME drive, 5th generation.'''
     HIGH_MEMORY_3TB_1 = "HIGH_MEMORY_3TB_1"
     '''High memory instances (3TB) based on Intel Xeon Platinum 8176M (Skylake) processors, 1st generation.'''
     U_3TB1 = "U_3TB1"
@@ -72150,8 +72230,6 @@ class InstanceClass(enum.Enum):
     '''High memory instances (24TB) based on Intel Xeon Scalable (Cascade Lake) processors, 1st generation.'''
     U_24TB1 = "U_24TB1"
     '''High memory instances (24TB) based on Intel Xeon Scalable (Cascade Lake) processors, 1st generation.'''
-    R5AD = "R5AD"
-    '''Memory optimized instances based on AMD EPYC with local NVME drive, 5th generation.'''
     MEMORY5_EBS_OPTIMIZED = "MEMORY5_EBS_OPTIMIZED"
     '''Memory optimized instances that are also EBS-optimized, 5th generation.'''
     R5B = "R5B"
@@ -72292,12 +72370,16 @@ class InstanceClass(enum.Enum):
     '''Storage-optimized instances, 3rd generation.'''
     STORAGE_COMPUTE_1 = "STORAGE_COMPUTE_1"
     '''Storage/compute balanced instances, 1st generation.'''
+    H1 = "H1"
+    '''Storage/compute balanced instances, 1st generation.'''
+    TRAINING_ACCELERATOR1 = "TRAINING_ACCELERATOR1"
+    '''High performance computing powered by AWS Trainium.'''
     TRN1 = "TRN1"
     '''High performance computing powered by AWS Trainium.'''
+    TRAINING_ACCELERATOR1_ENHANCED_NETWORK = "TRAINING_ACCELERATOR1_ENHANCED_NETWORK"
+    '''Network-optimized high performance computing powered by AWS Trainium.'''
     TRN1N = "TRN1N"
-    '''High performance computing powered by AWS Trainium.'''
-    H1 = "H1"
-    '''Storage/compute balanced instances, 1st generation.'''
+    '''Network-optimized high performance computing powered by AWS Trainium.'''
     IO3 = "IO3"
     '''I/O-optimized instances, 3rd generation.'''
     I3 = "I3"
@@ -72345,7 +72427,7 @@ class InstanceClass(enum.Enum):
     MEMORY_INTENSIVE_1_EXTENDED = "MEMORY_INTENSIVE_1_EXTENDED"
     '''Memory-intensive instances, extended, 1st generation.'''
     X1E = "X1E"
-    '''Memory-intensive instances, 1st generation.'''
+    '''Memory-intensive instances, extended, 1st generation.'''
     MEMORY_INTENSIVE_2_GRAVITON2 = "MEMORY_INTENSIVE_2_GRAVITON2"
     '''Memory-intensive instances, 2nd generation with Graviton2 processors.
 
@@ -72411,11 +72493,11 @@ class InstanceClass(enum.Enum):
     P2 = "P2"
     '''Parallel-processing optimized instances, 2nd generation.'''
     PARALLEL3 = "PARALLEL3"
-    '''Parallel-processing optimized instances, 3nd generation.'''
+    '''Parallel-processing optimized instances, 3rd generation.'''
     P3 = "P3"
     '''Parallel-processing optimized instances, 3rd generation.'''
     PARALLEL3_NVME_DRIVE_HIGH_PERFORMANCE = "PARALLEL3_NVME_DRIVE_HIGH_PERFORMANCE"
-    '''Parallel-processing optimized instances with local NVME drive for high performance computing, 3nd generation.'''
+    '''Parallel-processing optimized instances with local NVME drive for high performance computing, 3rd generation.'''
     P3DN = "P3DN"
     '''Parallel-processing optimized instances with local NVME drive for high performance computing, 3rd generation.'''
     PARALLEL4_NVME_DRIVE_EXTENDED = "PARALLEL4_NVME_DRIVE_EXTENDED"
@@ -72510,6 +72592,18 @@ class InstanceClass(enum.Enum):
     '''Macintosh instances built on Apple Mac mini computers, 1st generation with Intel procesors.'''
     MAC1 = "MAC1"
     '''Macintosh instances built on Apple Mac mini computers, 1st generation with Intel procesors.'''
+    MACINTOSH2_M1 = "MACINTOSH2_M1"
+    '''Macintosh instances built on Apple Mac mini 2020 computers, 2nd generation with Apple silicon M1 processors.'''
+    MAC2 = "MAC2"
+    '''Macintosh instances built on Apple Mac mini 2020 computers, 2nd generation with Apple silicon M1 processors.'''
+    MACINTOSH2_M2 = "MACINTOSH2_M2"
+    '''Macintosh instances built on Apple Mac mini 2023 computers, 2nd generation with Apple silicon M2 processors.'''
+    MAC2_M2 = "MAC2_M2"
+    '''Macintosh instances built on Apple Mac mini 2023 computers, 2nd generation with Apple silicon M2 processors.'''
+    MACINTOSH2_M2_PRO = "MACINTOSH2_M2_PRO"
+    '''Macintosh instances built on Apple Mac mini 2023 computers, 2nd generation with Apple silicon M2 Pro processors.'''
+    MAC2_M2PRO = "MAC2_M2PRO"
+    '''Macintosh instances built on Apple Mac mini 2023 computers, 2nd generation with Apple silicon M2 Pro processors.'''
     VIDEO_TRANSCODING1 = "VIDEO_TRANSCODING1"
     '''Multi-stream video transcoding instances for resolutions up to 4K UHD, 1st generation.'''
     VT1 = "VT1"
@@ -72518,10 +72612,26 @@ class InstanceClass(enum.Enum):
     '''High performance computing based on AMD EPYC, 6th generation.'''
     HPC6A = "HPC6A"
     '''High performance computing based on AMD EPYC, 6th generation.'''
+    HIGH_PERFORMANCE_COMPUTING6_INTEL_NVME_DRIVE = "HIGH_PERFORMANCE_COMPUTING6_INTEL_NVME_DRIVE"
+    '''High performance computing with local NVME drive based on 6th generation with Intel Xeon Scalable processors (3rd generation processors code named Ice Lake), 6th generation.'''
+    HPC6ID = "HPC6ID"
+    '''High performance computing with local NVME drive based on 6th generation with Intel Xeon Scalable processors (3rd generation processors code named Ice Lake), 6th generation.'''
+    HIGH_PERFORMANCE_COMPUTING7_AMD = "HIGH_PERFORMANCE_COMPUTING7_AMD"
+    '''High performance computing based on AMD EPYC, 7th generation.'''
+    HPC7A = "HPC7A"
+    '''High performance computing based on AMD EPYC, 7th generation.'''
+    HIGH_PERFORMANCE_COMPUTING7_GRAVITON = "HIGH_PERFORMANCE_COMPUTING7_GRAVITON"
+    '''High performance computing based on Graviton, 7th generation.'''
+    HPC7G = "HPC7G"
+    '''High performance computing based on Graviton, 7th generation.'''
     DEEP_LEARNING1 = "DEEP_LEARNING1"
     '''Deep learning instances powered by Gaudi accelerators from Habana Labs (an Intel company), 1st generation.'''
     DL1 = "DL1"
     '''Deep learning instances powered by Gaudi accelerators from Habana Labs (an Intel company), 1st generation.'''
+    DEEP_LEARNING2_QUALCOMM = "DEEP_LEARNING2_QUALCOMM"
+    '''Deep learning instances powered by Qualcomm AI 100 Standard accelerators, 2nd generation.'''
+    DL2Q = "DL2Q"
+    '''Deep learning instances powered by Qualcomm AI 100 Standard accelerators, 2nd generation.'''
 
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_ec2.InstanceInitiatedShutdownBehavior")
@@ -73253,10 +73363,20 @@ class InstanceSize(enum.Enum):
     '''Instance size XLARGE48 (48xlarge).'''
     XLARGE56 = "XLARGE56"
     '''Instance size XLARGE56 (56xlarge).'''
+    XLARGE96 = "XLARGE96"
+    '''Instance size XLARGE96 (96xlarge).'''
     XLARGE112 = "XLARGE112"
-    '''Instance size XLARGE56 (112xlarge).'''
+    '''Instance size XLARGE112 (112xlarge).'''
     METAL = "METAL"
     '''Instance size METAL (metal).'''
+    XLARGE16METAL = "XLARGE16METAL"
+    '''Instance size XLARGE16METAL (metal-16xl).'''
+    XLARGE24METAL = "XLARGE24METAL"
+    '''Instance size XLARGE24METAL (metal-24xl).'''
+    XLARGE32METAL = "XLARGE32METAL"
+    '''Instance size XLARGE32METAL (metal-32xl).'''
+    XLARGE48METAL = "XLARGE48METAL"
+    '''Instance size XLARGE48METAL (metal-48xl).'''
 
 
 class InstanceType(
@@ -73526,8 +73646,23 @@ class InterfaceVpcEndpointAwsService(
     @jsii.python.classproperty
     @jsii.member(jsii_name="APP_MESH")
     def APP_MESH(cls) -> "InterfaceVpcEndpointAwsService":
+        '''
+        :deprecated: - Use InterfaceVpcEndpointAwsService.APP_MESH_ENVOY_MANAGEMENT instead.
+
+        :stability: deprecated
+        '''
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APP_MESH"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APP_MESH_ENVOY_MANAGEMENT")
+    def APP_MESH_ENVOY_MANAGEMENT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APP_MESH_ENVOY_MANAGEMENT"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APP_MESH_OPS")
+    def APP_MESH_OPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APP_MESH_OPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="APP_RUNNER")
     def APP_RUNNER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73543,6 +73678,16 @@ class InterfaceVpcEndpointAwsService(
     def APP_SYNC(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APP_SYNC"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APPCONFIG")
+    def APPCONFIG(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APPCONFIG"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APPCONFIGDATA")
+    def APPCONFIGDATA(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APPCONFIGDATA"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="APPLICATION_AUTOSCALING")
     def APPLICATION_AUTOSCALING(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73583,6 +73728,11 @@ class InterfaceVpcEndpointAwsService(
     def AUTOSCALING_PLANS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "AUTOSCALING_PLANS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="B2B_DATA_INTERCHANGE")
+    def B2_B_DATA_INTERCHANGE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "B2B_DATA_INTERCHANGE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="BACKUP")
     def BACKUP(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73598,6 +73748,26 @@ class InterfaceVpcEndpointAwsService(
     def BATCH(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BATCH"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK")
+    def BEDROCK(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_AGENT")
+    def BEDROCK_AGENT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_AGENT"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_AGENT_RUNTIME")
+    def BEDROCK_AGENT_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_AGENT_RUNTIME"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_RUNTIME")
+    def BEDROCK_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_RUNTIME"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="BILLING_CONDUCTOR")
     def BILLING_CONDUCTOR(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73608,6 +73778,11 @@ class InterfaceVpcEndpointAwsService(
     def BRAKET(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BRAKET"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLEAN_ROOMS")
+    def CLEAN_ROOMS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLEAN_ROOMS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CLOUD_CONTROL_API")
     def CLOUD_CONTROL_API(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73623,6 +73798,26 @@ class InterfaceVpcEndpointAwsService(
     def CLOUD_DIRECTORY(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_DIRECTORY"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_DATA_SERVICE_DISCOVERY")
+    def CLOUD_MAP_DATA_SERVICE_DISCOVERY(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_DATA_SERVICE_DISCOVERY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_DATA_SERVICE_DISCOVERY_FIPS")
+    def CLOUD_MAP_DATA_SERVICE_DISCOVERY_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_DATA_SERVICE_DISCOVERY_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_SERVICE_DISCOVERY")
+    def CLOUD_MAP_SERVICE_DISCOVERY(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_SERVICE_DISCOVERY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_SERVICE_DISCOVERY_FIPS")
+    def CLOUD_MAP_SERVICE_DISCOVERY_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_SERVICE_DISCOVERY_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CLOUDFORMATION")
     def CLOUDFORMATION(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73678,6 +73873,11 @@ class InterfaceVpcEndpointAwsService(
     def CLOUDWATCH_MONITORING(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUDWATCH_MONITORING"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUDWATCH_NETWORK_MONITOR")
+    def CLOUDWATCH_NETWORK_MONITOR(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUDWATCH_NETWORK_MONITOR"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CLOUDWATCH_RUM")
     def CLOUDWATCH_RUM(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73713,6 +73913,16 @@ class InterfaceVpcEndpointAwsService(
     def CODEBUILD_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODEBUILD_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CODECATALYST_GIT")
+    def CODECATALYST_GIT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODECATALYST_GIT"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CODECATALYST_PACKAGES")
+    def CODECATALYST_PACKAGES(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODECATALYST_PACKAGES"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CODECOMMIT")
     def CODECOMMIT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73763,6 +73973,11 @@ class InterfaceVpcEndpointAwsService(
     def CODESTAR_CONNECTIONS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODESTAR_CONNECTIONS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CODEWHISPERER")
+    def CODEWHISPERER(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODEWHISPERER"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="COMPREHEND")
     def COMPREHEND(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73828,11 +74043,21 @@ class InterfaceVpcEndpointAwsService(
     def DATASYNC(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DATASYNC"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DATAZONE")
+    def DATAZONE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DATAZONE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="DEVOPS_GURU")
     def DEVOPS_GURU(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DEVOPS_GURU"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DIRECTORY_SERVICE")
+    def DIRECTORY_SERVICE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DIRECTORY_SERVICE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="EBS_DIRECT")
     def EBS_DIRECT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73878,6 +74103,11 @@ class InterfaceVpcEndpointAwsService(
     def EKS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EKS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="EKS_AUTH")
+    def EKS_AUTH(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EKS_AUTH"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="ELASTIC_BEANSTALK")
     def ELASTIC_BEANSTALK(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73923,6 +74153,11 @@ class InterfaceVpcEndpointAwsService(
     def ELASTICACHE_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ELASTICACHE_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ELEMENTAL_MEDIACONNECT")
+    def ELEMENTAL_MEDIACONNECT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ELEMENTAL_MEDIACONNECT"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="EMAIL_SMTP")
     def EMAIL_SMTP(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73943,6 +74178,16 @@ class InterfaceVpcEndpointAwsService(
     def EMR_SERVERLESS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EMR_SERVERLESS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="EMR_WAL")
+    def EMR_WAL(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EMR_WAL"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ENTITY_RESOLUTION")
+    def ENTITY_RESOLUTION(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ENTITY_RESOLUTION"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="EVENTBRIDGE")
     def EVENTBRIDGE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74023,6 +74268,26 @@ class InterfaceVpcEndpointAwsService(
     def GROUNDSTATION(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GROUNDSTATION"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="GUARDDUTY_DATA")
+    def GUARDDUTY_DATA(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GUARDDUTY_DATA"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="GUARDDUTY_DATA_FIPS")
+    def GUARDDUTY_DATA_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GUARDDUTY_DATA_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HEALTH_IMAGING")
+    def HEALTH_IMAGING(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "HEALTH_IMAGING"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HEALTH_IMAGING_RUNTIME")
+    def HEALTH_IMAGING_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "HEALTH_IMAGING_RUNTIME"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="HEALTHLAKE")
     def HEALTHLAKE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74048,21 +74313,41 @@ class InterfaceVpcEndpointAwsService(
     def INSPECTOR(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "INSPECTOR"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="INSPECTOR_SCAN")
+    def INSPECTOR_SCAN(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "INSPECTOR_SCAN"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_CORE")
     def IOT_CORE(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IOT_CORE_CREDENTIALS")
+    def IOT_CORE_CREDENTIALS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_CREDENTIALS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_CORE_DEVICE_ADVISOR")
     def IOT_CORE_DEVICE_ADVISOR(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_DEVICE_ADVISOR"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IOT_CORE_FLEETHUB_API")
+    def IOT_CORE_FLEETHUB_API(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_FLEETHUB_API"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_CORE_FOR_LORAWAN")
     def IOT_CORE_FOR_LORAWAN(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_FOR_LORAWAN"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IOT_FLEETWISE")
+    def IOT_FLEETWISE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_FLEETWISE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_GREENGRASS")
     def IOT_GREENGRASS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74173,6 +74458,11 @@ class InterfaceVpcEndpointAwsService(
     def LICENSE_MANAGER_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "LICENSE_MANAGER_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="LICENSE_MANAGER_USER_SUBSCRIPTIONS")
+    def LICENSE_MANAGER_USER_SUBSCRIPTIONS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "LICENSE_MANAGER_USER_SUBSCRIPTIONS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="LOOKOUT_EQUIPMENT")
     def LOOKOUT_EQUIPMENT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74198,6 +74488,31 @@ class InterfaceVpcEndpointAwsService(
     def MAINFRAME_MODERNIZATION(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MAINFRAME_MODERNIZATION"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGED_BLOCKCHAIN_BITCOIN_MAINNET")
+    def MANAGED_BLOCKCHAIN_BITCOIN_MAINNET(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGED_BLOCKCHAIN_BITCOIN_MAINNET"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGED_BLOCKCHAIN_BITCOIN_TESTNET")
+    def MANAGED_BLOCKCHAIN_BITCOIN_TESTNET(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGED_BLOCKCHAIN_BITCOIN_TESTNET"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGED_BLOCKCHAIN_QUERY")
+    def MANAGED_BLOCKCHAIN_QUERY(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGED_BLOCKCHAIN_QUERY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGEMENT_CONSOLE")
+    def MANAGEMENT_CONSOLE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGEMENT_CONSOLE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGEMENT_CONSOLE_SIGNIN")
+    def MANAGEMENT_CONSOLE_SIGNIN(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGEMENT_CONSOLE_SIGNIN"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="MEMORY_DB")
     def MEMORY_DB(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74223,6 +74538,11 @@ class InterfaceVpcEndpointAwsService(
     def MIGRATIONHUB_STRATEGY(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MIGRATIONHUB_STRATEGY"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="NEPTUNE_ANALYTICS")
+    def NEPTUNE_ANALYTICS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "NEPTUNE_ANALYTICS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="NIMBLE_STUDIO")
     def NIMBLE_STUDIO(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74253,16 +74573,66 @@ class InterfaceVpcEndpointAwsService(
     def OMICS_WORKFLOWS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "OMICS_WORKFLOWS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ORGANIZATIONS")
+    def ORGANIZATIONS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ORGANIZATIONS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ORGANIZATIONS_FIPS")
+    def ORGANIZATIONS_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ORGANIZATIONS_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PANORAMA")
     def PANORAMA(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PANORAMA"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PAYMENT_CRYPTOGRAPHY_CONTROLPLANE")
+    def PAYMENT_CRYPTOGRAPHY_CONTROLPLANE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PAYMENT_CRYPTOGRAPHY_CONTROLPLANE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PAYMENT_CRYTOGRAPHY_DATAPLANE")
+    def PAYMENT_CRYTOGRAPHY_DATAPLANE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PAYMENT_CRYTOGRAPHY_DATAPLANE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PERSONALIZE")
+    def PERSONALIZE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PERSONALIZE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PERSONALIZE_EVENTS")
+    def PERSONALIZE_EVENTS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PERSONALIZE_EVENTS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PERSONALIZE_RUNTIME")
+    def PERSONALIZE_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PERSONALIZE_RUNTIME"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PINPOINT")
     def PINPOINT(cls) -> "InterfaceVpcEndpointAwsService":
+        '''
+        :deprecated: - Use InterfaceVpcEndpointAwsService.PINPOINT_SMS_VOICE_V2 instead.
+
+        :stability: deprecated
+        '''
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PINPOINT"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PINPOINT_SMS_VOICE_V2")
+    def PINPOINT_SMS_VOICE_V2(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PINPOINT_SMS_VOICE_V2"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PINPOINT_V1")
+    def PINPOINT_V1(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PINPOINT_V1"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="POLLY")
     def POLLY(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74278,6 +74648,13 @@ class InterfaceVpcEndpointAwsService(
     def PRIVATE_CERTIFICATE_AUTHORITY(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PRIVATE_CERTIFICATE_AUTHORITY"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PRIVATE_CERTIFICATE_AUTHORITY_CONNECTOR_AD")
+    def PRIVATE_CERTIFICATE_AUTHORITY_CONNECTOR_AD(
+        cls,
+    ) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PRIVATE_CERTIFICATE_AUTHORITY_CONNECTOR_AD"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PROMETHEUS")
     def PROMETHEUS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74333,6 +74710,21 @@ class InterfaceVpcEndpointAwsService(
     def REKOGNITION_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REKOGNITION_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="REKOGNITION_STREAMING")
+    def REKOGNITION_STREAMING(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REKOGNITION_STREAMING"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="REKOGNITION_STREAMING_FIPS")
+    def REKOGNITION_STREAMING_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REKOGNITION_STREAMING_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="REPOST_SPACE")
+    def REPOST_SPACE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REPOST_SPACE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="ROBOMAKER")
     def ROBOMAKER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74363,6 +74755,11 @@ class InterfaceVpcEndpointAwsService(
     def SAGEMAKER_FEATURESTORE_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_FEATURESTORE_RUNTIME"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SAGEMAKER_GEOSPATIAL")
+    def SAGEMAKER_GEOSPATIAL(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_GEOSPATIAL"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SAGEMAKER_METRICS")
     def SAGEMAKER_METRICS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74433,6 +74830,11 @@ class InterfaceVpcEndpointAwsService(
         '''
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SES"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SIMSPACE_WEAVER")
+    def SIMSPACE_WEAVER(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SIMSPACE_WEAVER"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SNOW_DEVICE_MANAGEMENT")
     def SNOW_DEVICE_MANAGEMENT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74488,6 +74890,26 @@ class InterfaceVpcEndpointAwsService(
     def STS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "STS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SUPPLY_CHAIN")
+    def SUPPLY_CHAIN(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SUPPLY_CHAIN"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SWF")
+    def SWF(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SWF"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SWF_FIPS")
+    def SWF_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SWF_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="TELCO_NETWORK_BUILDER")
+    def TELCO_NETWORK_BUILDER(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TELCO_NETWORK_BUILDER"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="TEXTRACT")
     def TEXTRACT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74498,6 +74920,11 @@ class InterfaceVpcEndpointAwsService(
     def TEXTRACT_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TEXTRACT_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="TIMESTREAM_INFLUXDB")
+    def TIMESTREAM_INFLUXDB(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TIMESTREAM_INFLUXDB"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="TRANSCRIBE")
     def TRANSCRIBE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74523,16 +74950,31 @@ class InterfaceVpcEndpointAwsService(
     def TRANSLATE(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TRANSLATE"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="TRUSTED_ADVISOR")
+    def TRUSTED_ADVISOR(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TRUSTED_ADVISOR"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VERIFIED_PERMISSIONS")
     def VERIFIED_PERMISSIONS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "VERIFIED_PERMISSIONS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VPC_LATTICE")
+    def VPC_LATTICE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "VPC_LATTICE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="WORKSPACES")
     def WORKSPACES(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "WORKSPACES"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="WORKSPACES_THIN_CLIENT")
+    def WORKSPACES_THIN_CLIENT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "WORKSPACES_THIN_CLIENT"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="XRAY")
     def XRAY(cls) -> "InterfaceVpcEndpointAwsService":
@@ -89401,6 +89843,11 @@ class GatewayVpcEndpointAwsService(
     def S3(cls) -> "GatewayVpcEndpointAwsService":
         return typing.cast("GatewayVpcEndpointAwsService", jsii.sget(cls, "S3"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="S3_EXPRESS")
+    def S3_EXPRESS(cls) -> "GatewayVpcEndpointAwsService":
+        return typing.cast("GatewayVpcEndpointAwsService", jsii.sget(cls, "S3_EXPRESS"))
+
     @builtins.property
     @jsii.member(jsii_name="name")
     def name(self) -> builtins.str:
@@ -94221,6 +94668,7 @@ def _typecheckingstub__5f22238da23e1a95528fc55d3e3a28b661b69a5dfe2d1e64620bef1eb
     *,
     domain_name: typing.Optional[builtins.str] = None,
     domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
     netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     netbios_node_type: typing.Optional[jsii.Number] = None,
     ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -94253,6 +94701,12 @@ def _typecheckingstub__d9ee8e87c9581893159e005c5c7c786324d9f9c9a41ba0af4f72aedd3
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__0cbb91e4162eb4b7aab6b1e90fa6fbbbade04b38a95d6c1bb778946ae93b50a3(
+    value: typing.Optional[jsii.Number],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__e3b8e4bd8f79a27f01b9c18995f6a45e13c80f3ff9f392b3c558b6cc5a5e5dba(
     value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
@@ -94281,6 +94735,7 @@ def _typecheckingstub__569097ad87e4dddbcfaee4fb50fc7ddb345c4f97ae82fcf897497039e
     *,
     domain_name: typing.Optional[builtins.str] = None,
     domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
     netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     netbios_node_type: typing.Optional[jsii.Number] = None,
     ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -98480,6 +98935,7 @@ def _typecheckingstub__f7f9c3e8bd9fe395c2fb15fd9d38e6ef1ebca888c954597574840d202
     destination_prefix_list_id: typing.Optional[builtins.str] = None,
     destination_security_group_id: typing.Optional[builtins.str] = None,
     from_port: typing.Optional[jsii.Number] = None,
+    source_security_group_id: typing.Optional[builtins.str] = None,
     to_port: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""