aws-cdk-lib 2.133.0__py3-none-any.whl → 2.134.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1163,6 +1163,19 @@ ec2.VpcEndpointService(self, "EndpointService",
 )
 ```
 
+You can also include a service principal in the `allowedPrincipals` property by specifying it as a parameter to the  `ArnPrincipal` constructor.
+The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
+
+```python
+# network_load_balancer: elbv2.NetworkLoadBalancer
+
+
+ec2.VpcEndpointService(self, "EndpointService",
+    vpc_endpoint_service_load_balancers=[network_load_balancer],
+    allowed_principals=[iam.ArnPrincipal("ec2.amazonaws.com")]
+)
+```
+
 Endpoint services support private DNS, which makes it easier for clients to connect to your service by automatically setting up DNS in their VPC.
 You can enable private DNS on an endpoint service like so:
 
@@ -9616,6 +9629,7 @@ class CfnDHCPOptions(
         cfn_dHCPOptions = ec2.CfnDHCPOptions(self, "MyCfnDHCPOptions",
             domain_name="domainName",
             domain_name_servers=["domainNameServers"],
+            ipv6_address_preferred_lease_time=123,
             netbios_name_servers=["netbiosNameServers"],
             netbios_node_type=123,
             ntp_servers=["ntpServers"],
@@ -9633,6 +9647,7 @@ class CfnDHCPOptions(
         *,
         domain_name: typing.Optional[builtins.str] = None,
         domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
         netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         netbios_node_type: typing.Optional[jsii.Number] = None,
         ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -9643,6 +9658,7 @@ class CfnDHCPOptions(
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain_name: This value is used to complete unqualified DNS hostnames. If you're using AmazonProvidedDNS in ``us-east-1`` , specify ``ec2.internal`` . If you're using AmazonProvidedDNS in another Region, specify *region* . ``compute.internal`` (for example, ``ap-northeast-1.compute.internal`` ). Otherwise, specify a domain name (for example, *MyCompany.com* ).
         :param domain_name_servers: The IPv4 addresses of up to four domain name servers, or ``AmazonProvidedDNS`` . The default is ``AmazonProvidedDNS`` . To have your instance receive a custom DNS hostname as specified in ``DomainName`` , you must set this property to a custom DNS server.
+        :param ipv6_address_preferred_lease_time: A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal. Acceptable values are between 140 and 2147483647 seconds (approximately 68 years). If no value is entered, the default lease time is 140 seconds. If you use long-term addressing for EC2 instances, you can increase the lease time and avoid frequent lease renewal requests. Lease renewal typically occurs when half of the lease time has elapsed.
         :param netbios_name_servers: The IPv4 addresses of up to four NetBIOS name servers.
         :param netbios_node_type: The NetBIOS node type (1, 2, 4, or 8). We recommend that you specify 2 (broadcast and multicast are not currently supported).
         :param ntp_servers: The IPv4 addresses of up to four Network Time Protocol (NTP) servers.
@@ -9655,6 +9671,7 @@ class CfnDHCPOptions(
         props = CfnDHCPOptionsProps(
             domain_name=domain_name,
             domain_name_servers=domain_name_servers,
+            ipv6_address_preferred_lease_time=ipv6_address_preferred_lease_time,
             netbios_name_servers=netbios_name_servers,
             netbios_node_type=netbios_node_type,
             ntp_servers=ntp_servers,
@@ -9742,6 +9759,22 @@ class CfnDHCPOptions(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "domainNameServers", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="ipv6AddressPreferredLeaseTime")
+    def ipv6_address_preferred_lease_time(self) -> typing.Optional[jsii.Number]:
+        '''A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal.'''
+        return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "ipv6AddressPreferredLeaseTime"))
+
+    @ipv6_address_preferred_lease_time.setter
+    def ipv6_address_preferred_lease_time(
+        self,
+        value: typing.Optional[jsii.Number],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0cbb91e4162eb4b7aab6b1e90fa6fbbbade04b38a95d6c1bb778946ae93b50a3)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "ipv6AddressPreferredLeaseTime", value)
+
     @builtins.property
     @jsii.member(jsii_name="netbiosNameServers")
     def netbios_name_servers(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -9804,6 +9837,7 @@ class CfnDHCPOptions(
     name_mapping={
         "domain_name": "domainName",
         "domain_name_servers": "domainNameServers",
+        "ipv6_address_preferred_lease_time": "ipv6AddressPreferredLeaseTime",
         "netbios_name_servers": "netbiosNameServers",
         "netbios_node_type": "netbiosNodeType",
         "ntp_servers": "ntpServers",
@@ -9816,6 +9850,7 @@ class CfnDHCPOptionsProps:
         *,
         domain_name: typing.Optional[builtins.str] = None,
         domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
         netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         netbios_node_type: typing.Optional[jsii.Number] = None,
         ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -9825,6 +9860,7 @@ class CfnDHCPOptionsProps:
 
         :param domain_name: This value is used to complete unqualified DNS hostnames. If you're using AmazonProvidedDNS in ``us-east-1`` , specify ``ec2.internal`` . If you're using AmazonProvidedDNS in another Region, specify *region* . ``compute.internal`` (for example, ``ap-northeast-1.compute.internal`` ). Otherwise, specify a domain name (for example, *MyCompany.com* ).
         :param domain_name_servers: The IPv4 addresses of up to four domain name servers, or ``AmazonProvidedDNS`` . The default is ``AmazonProvidedDNS`` . To have your instance receive a custom DNS hostname as specified in ``DomainName`` , you must set this property to a custom DNS server.
+        :param ipv6_address_preferred_lease_time: A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal. Acceptable values are between 140 and 2147483647 seconds (approximately 68 years). If no value is entered, the default lease time is 140 seconds. If you use long-term addressing for EC2 instances, you can increase the lease time and avoid frequent lease renewal requests. Lease renewal typically occurs when half of the lease time has elapsed.
         :param netbios_name_servers: The IPv4 addresses of up to four NetBIOS name servers.
         :param netbios_node_type: The NetBIOS node type (1, 2, 4, or 8). We recommend that you specify 2 (broadcast and multicast are not currently supported).
         :param ntp_servers: The IPv4 addresses of up to four Network Time Protocol (NTP) servers.
@@ -9842,6 +9878,7 @@ class CfnDHCPOptionsProps:
             cfn_dHCPOptions_props = ec2.CfnDHCPOptionsProps(
                 domain_name="domainName",
                 domain_name_servers=["domainNameServers"],
+                ipv6_address_preferred_lease_time=123,
                 netbios_name_servers=["netbiosNameServers"],
                 netbios_node_type=123,
                 ntp_servers=["ntpServers"],
@@ -9855,6 +9892,7 @@ class CfnDHCPOptionsProps:
             type_hints = typing.get_type_hints(_typecheckingstub__569097ad87e4dddbcfaee4fb50fc7ddb345c4f97ae82fcf897497039e7f81a38)
             check_type(argname="argument domain_name", value=domain_name, expected_type=type_hints["domain_name"])
             check_type(argname="argument domain_name_servers", value=domain_name_servers, expected_type=type_hints["domain_name_servers"])
+            check_type(argname="argument ipv6_address_preferred_lease_time", value=ipv6_address_preferred_lease_time, expected_type=type_hints["ipv6_address_preferred_lease_time"])
             check_type(argname="argument netbios_name_servers", value=netbios_name_servers, expected_type=type_hints["netbios_name_servers"])
             check_type(argname="argument netbios_node_type", value=netbios_node_type, expected_type=type_hints["netbios_node_type"])
             check_type(argname="argument ntp_servers", value=ntp_servers, expected_type=type_hints["ntp_servers"])
@@ -9864,6 +9902,8 @@ class CfnDHCPOptionsProps:
             self._values["domain_name"] = domain_name
         if domain_name_servers is not None:
             self._values["domain_name_servers"] = domain_name_servers
+        if ipv6_address_preferred_lease_time is not None:
+            self._values["ipv6_address_preferred_lease_time"] = ipv6_address_preferred_lease_time
         if netbios_name_servers is not None:
             self._values["netbios_name_servers"] = netbios_name_servers
         if netbios_node_type is not None:
@@ -9895,6 +9935,17 @@ class CfnDHCPOptionsProps:
         result = self._values.get("domain_name_servers")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def ipv6_address_preferred_lease_time(self) -> typing.Optional[jsii.Number]:
+        '''A value (in seconds, minutes, hours, or years) for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal.
+
+        Acceptable values are between 140 and 2147483647 seconds (approximately 68 years). If no value is entered, the default lease time is 140 seconds. If you use long-term addressing for EC2 instances, you can increase the lease time and avoid frequent lease renewal requests. Lease renewal typically occurs when half of the lease time has elapsed.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-dhcpoptions.html#cfn-ec2-dhcpoptions-ipv6addresspreferredleasetime
+        '''
+        result = self._values.get("ipv6_address_preferred_lease_time")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
     @builtins.property
     def netbios_name_servers(self) -> typing.Optional[typing.List[builtins.str]]:
         '''The IPv4 addresses of up to four NetBIOS name servers.
@@ -14754,8 +14805,8 @@ class CfnFlowLog(
         :param resource_id: The ID of the resource to monitor. For example, if the resource type is ``VPC`` , specify the ID of the VPC.
         :param resource_type: The type of resource to monitor.
         :param deliver_cross_account_role: The ARN of the IAM role that allows the service to publish flow logs across accounts.
-        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
-        :param destination_options: The destination options. The following options are supported:. - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` . - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` . - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
+        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination. This parameter is required if the destination type is ``cloud-watch-logs`` , or if the destination type is ``kinesis-data-firehose`` and the delivery stream and the resources to monitor are in different accounts.
+        :param destination_options: The destination options.
         :param log_destination: The destination for the flow log data. The meaning of this parameter depends on the destination type. - If the destination type is ``cloud-watch-logs`` , specify the ARN of a CloudWatch Logs log group. For example: arn:aws:logs: *region* : *account_id* :log-group: *my_group* Alternatively, use the ``LogGroupName`` parameter. - If the destination type is ``s3`` , specify the ARN of an S3 bucket. For example: arn:aws:s3::: *my_bucket* / *my_subfolder* / The subfolder is optional. Note that you can't use ``AWSLogs`` as a subfolder name. - If the destination type is ``kinesis-data-firehose`` , specify the ARN of a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*
         :param log_destination_type: The type of destination for the flow log data. Default: ``cloud-watch-logs``
         :param log_format: The fields to include in the flow log record, in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see `Flow log records <https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records>`_ in the *Amazon VPC User Guide* or `Transit Gateway Flow Log records <https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html#flow-log-records>`_ in the *AWS Transit Gateway Guide* . Specify the fields using the ``${field-id}`` format, separated by spaces.
@@ -14879,7 +14930,7 @@ class CfnFlowLog(
     @builtins.property
     @jsii.member(jsii_name="deliverLogsPermissionArn")
     def deliver_logs_permission_arn(self) -> typing.Optional[builtins.str]:
-        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.'''
+        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "deliverLogsPermissionArn"))
 
     @deliver_logs_permission_arn.setter
@@ -14892,10 +14943,7 @@ class CfnFlowLog(
     @builtins.property
     @jsii.member(jsii_name="destinationOptions")
     def destination_options(self) -> typing.Any:
-        '''The destination options.
-
-        The following options are supported:.
-        '''
+        '''The destination options.'''
         return typing.cast(typing.Any, jsii.get(self, "destinationOptions"))
 
     @destination_options.setter
@@ -15140,8 +15188,8 @@ class CfnFlowLogProps:
         :param resource_id: The ID of the resource to monitor. For example, if the resource type is ``VPC`` , specify the ID of the VPC.
         :param resource_type: The type of resource to monitor.
         :param deliver_cross_account_role: The ARN of the IAM role that allows the service to publish flow logs across accounts.
-        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
-        :param destination_options: The destination options. The following options are supported:. - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` . - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` . - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
+        :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination. This parameter is required if the destination type is ``cloud-watch-logs`` , or if the destination type is ``kinesis-data-firehose`` and the delivery stream and the resources to monitor are in different accounts.
+        :param destination_options: The destination options.
         :param log_destination: The destination for the flow log data. The meaning of this parameter depends on the destination type. - If the destination type is ``cloud-watch-logs`` , specify the ARN of a CloudWatch Logs log group. For example: arn:aws:logs: *region* : *account_id* :log-group: *my_group* Alternatively, use the ``LogGroupName`` parameter. - If the destination type is ``s3`` , specify the ARN of an S3 bucket. For example: arn:aws:s3::: *my_bucket* / *my_subfolder* / The subfolder is optional. Note that you can't use ``AWSLogs`` as a subfolder name. - If the destination type is ``kinesis-data-firehose`` , specify the ARN of a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*
         :param log_destination_type: The type of destination for the flow log data. Default: ``cloud-watch-logs``
         :param log_format: The fields to include in the flow log record, in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see `Flow log records <https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records>`_ in the *Amazon VPC User Guide* or `Transit Gateway Flow Log records <https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html#flow-log-records>`_ in the *AWS Transit Gateway Guide* . Specify the fields using the ``${field-id}`` format, separated by spaces.
@@ -15253,9 +15301,9 @@ class CfnFlowLogProps:
 
     @builtins.property
     def deliver_logs_permission_arn(self) -> typing.Optional[builtins.str]:
-        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.
+        '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to the log destination.
 
-        This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
+        This parameter is required if the destination type is ``cloud-watch-logs`` , or if the destination type is ``kinesis-data-firehose`` and the delivery stream and the resources to monitor are in different accounts.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-deliverlogspermissionarn
         '''
@@ -15264,11 +15312,7 @@ class CfnFlowLogProps:
 
     @builtins.property
     def destination_options(self) -> typing.Any:
-        '''The destination options. The following options are supported:.
-
-        - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` .
-        - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` .
-        - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
+        '''The destination options.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-destinationoptions
         '''
@@ -19214,10 +19258,7 @@ class CfnInstance(
     @builtins.property
     @jsii.member(jsii_name="attrAvailabilityZone")
     def attr_availability_zone(self) -> builtins.str:
-        '''The Availability Zone where the specified instance is launched. For example: ``us-east-1b`` .
-
-        You can retrieve a list of all Availability Zones for a Region by using the `Fn::GetAZs <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getavailabilityzones.html>`_ intrinsic function.
-
+        '''
         :cloudformationAttribute: AvailabilityZone
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrAvailabilityZone"))
@@ -19225,12 +19266,20 @@ class CfnInstance(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''The ID of the instance.
-
+        '''
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrInstanceId")
+    def attr_instance_id(self) -> builtins.str:
+        '''The ID of the instance.
+
+        :cloudformationAttribute: InstanceId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrInstanceId"))
+
     @builtins.property
     @jsii.member(jsii_name="attrPrivateDnsName")
     def attr_private_dns_name(self) -> builtins.str:
@@ -19275,6 +19324,15 @@ class CfnInstance(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrPublicIp"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrVpcId")
+    def attr_vpc_id(self) -> builtins.str:
+        '''The ID of the VPC in which the instance is running.
+
+        :cloudformationAttribute: VpcId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrVpcId"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -20717,7 +20775,7 @@ class CfnInstance(
 
             ``HibernationOptions`` is a property of the `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ resource.
 
-            :param configured: Set to ``true`` to enable your instance for hibernation. For Spot Instances, if you set ``Configured`` to ``true`` , either omit the ``InstanceInterruptionBehavior`` parameter (for ```SpotMarketOptions`` <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html>`_ ), or set it to ``hibernate`` . When ``Configured`` is true: - If you omit ``InstanceInterruptionBehavior`` , it defaults to ``hibernate`` . - If you set ``InstanceInterruptionBehavior`` to a value other than ``hibernate`` , you'll get an error. Default: ``false``
+            :param configured: Set to ``true`` to enable your instance for hibernation. For Spot Instances, if you set ``Configured`` to ``true`` , either omit the ``InstanceInterruptionBehavior`` parameter (for ```SpotMarketOptions`` <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotMarketOptions.html>`_ ), or set it to ``hibernate`` . When ``Configured`` is true: - If you omit ``InstanceInterruptionBehavior`` , it defaults to ``hibernate`` . - If you set ``InstanceInterruptionBehavior`` to a value other than ``hibernate`` , you'll get an error. Default: ``false`` Default: - false
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-hibernationoptions.html
             :exampleMetadata: fixture=_generated
@@ -20752,6 +20810,8 @@ class CfnInstance(
 
             Default: ``false``
 
+            :default: - false
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-hibernationoptions.html#cfn-ec2-instance-hibernationoptions-configured
             '''
             result = self._values.get("configured")
@@ -36690,19 +36750,19 @@ class CfnNetworkInterface(
         :param connection_tracking_specification: A connection tracking specification for the network interface.
         :param description: A description for the network interface.
         :param enable_primary_ipv6: If you’re modifying a network interface in a dual-stack or IPv6-only subnet, you have the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA address associated with an ENI that you have enabled to use a primary IPv6 address. Use this option if the instance that this ENI will be attached to relies on its IPv6 address not changing. AWS will automatically assign an IPv6 address associated with the ENI attached to your instance to be the primary IPv6 address. Once you enable an IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. If you have multiple IPv6 addresses associated with an ENI attached to your instance and you enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI becomes the primary IPv6 address.
-        :param group_set: The security group IDs associated with this network interface.
+        :param group_set: The IDs of the security groups associated with this network interface.
         :param interface_type: The type of network interface. The default is ``interface`` . The supported values are ``efa`` and ``trunk`` .
         :param ipv4_prefix_count: The number of IPv4 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
         :param ipv4_prefixes: The IPv4 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
-        :param ipv6_address_count: The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
-        :param ipv6_addresses: One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_address_count: The number of IPv6 addresses to assign to the network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_addresses: The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
         :param ipv6_prefix_count: The number of IPv6 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
         :param ipv6_prefixes: The IPv6 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
-        :param private_ip_address: Assigns a single private IP address to the network interface, which is used as the primary private IP address. If you want to specify multiple private IP address, use the ``PrivateIpAddresses`` property.
-        :param private_ip_addresses: Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
+        :param private_ip_address: The private IPv4 address to assign to the network interface as the primary private IP address. If you want to specify multiple private IP addresses, use the ``PrivateIpAddresses`` property.
+        :param private_ip_addresses: The private IPv4 addresses to assign to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using ``privateIpAddresses`` . When creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
-        :param tags: An arbitrary set of tags (key-value pairs) for this network interface.
+        :param tags: The tags to apply to the network interface.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8393da3cca9727d94c340192bc7d8b11bde1fb62e8d43771091b9a3e120a301a)
@@ -36774,8 +36834,6 @@ class CfnNetworkInterface(
     def attr_primary_ipv6_address(self) -> builtins.str:
         '''The primary IPv6 address of the network interface.
 
-        When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached.
-
         :cloudformationAttribute: PrimaryIpv6Address
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrPrimaryIpv6Address"))
@@ -36802,6 +36860,15 @@ class CfnNetworkInterface(
         '''
         return typing.cast(typing.List[builtins.str], jsii.get(self, "attrSecondaryPrivateIpAddresses"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrVpcId")
+    def attr_vpc_id(self) -> builtins.str:
+        '''The ID of the VPC.
+
+        :cloudformationAttribute: VpcId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrVpcId"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -36878,7 +36945,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="groupSet")
     def group_set(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The security group IDs associated with this network interface.'''
+        '''The IDs of the security groups associated with this network interface.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "groupSet"))
 
     @group_set.setter
@@ -36935,7 +37002,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="ipv6AddressCount")
     def ipv6_address_count(self) -> typing.Optional[jsii.Number]:
-        '''The number of IPv6 addresses to assign to a network interface.'''
+        '''The number of IPv6 addresses to assign to the network interface.'''
         return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "ipv6AddressCount"))
 
     @ipv6_address_count.setter
@@ -36950,7 +37017,7 @@ class CfnNetworkInterface(
     def ipv6_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.InstanceIpv6AddressProperty"]]]]:
-        '''One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface.'''
+        '''The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.InstanceIpv6AddressProperty"]]]], jsii.get(self, "ipv6Addresses"))
 
     @ipv6_addresses.setter
@@ -36997,7 +37064,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="privateIpAddress")
     def private_ip_address(self) -> typing.Optional[builtins.str]:
-        '''Assigns a single private IP address to the network interface, which is used as the primary private IP address.'''
+        '''The private IPv4 address to assign to the network interface as the primary private IP address.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "privateIpAddress"))
 
     @private_ip_address.setter
@@ -37012,7 +37079,7 @@ class CfnNetworkInterface(
     def private_ip_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.PrivateIpAddressSpecificationProperty"]]]]:
-        '''Assigns private IP addresses to the network interface.'''
+        '''The private IPv4 addresses to assign to the network interface.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnNetworkInterface.PrivateIpAddressSpecificationProperty"]]]], jsii.get(self, "privateIpAddresses"))
 
     @private_ip_addresses.setter
@@ -37062,7 +37129,7 @@ class CfnNetworkInterface(
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
     def tags_raw(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''An arbitrary set of tags (key-value pairs) for this network interface.'''
+        '''The tags to apply to the network interface.'''
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tagsRaw"))
 
     @tags_raw.setter
@@ -38157,19 +38224,19 @@ class CfnNetworkInterfaceProps:
         :param connection_tracking_specification: A connection tracking specification for the network interface.
         :param description: A description for the network interface.
         :param enable_primary_ipv6: If you’re modifying a network interface in a dual-stack or IPv6-only subnet, you have the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA address associated with an ENI that you have enabled to use a primary IPv6 address. Use this option if the instance that this ENI will be attached to relies on its IPv6 address not changing. AWS will automatically assign an IPv6 address associated with the ENI attached to your instance to be the primary IPv6 address. Once you enable an IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. If you have multiple IPv6 addresses associated with an ENI attached to your instance and you enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI becomes the primary IPv6 address.
-        :param group_set: The security group IDs associated with this network interface.
+        :param group_set: The IDs of the security groups associated with this network interface.
         :param interface_type: The type of network interface. The default is ``interface`` . The supported values are ``efa`` and ``trunk`` .
         :param ipv4_prefix_count: The number of IPv4 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
         :param ipv4_prefixes: The IPv4 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses.
-        :param ipv6_address_count: The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
-        :param ipv6_addresses: One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_address_count: The number of IPv6 addresses to assign to the network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property. When creating a network interface, you can't specify a count of IPv6 addresses if you've specified one of the following: specific IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
+        :param ipv6_addresses: The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface. If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property. When creating a network interface, you can't specify IPv6 addresses if you've specified one of the following: a count of IPv6 addresses, specific IPv6 prefixes, or a count of IPv6 prefixes.
         :param ipv6_prefix_count: The number of IPv6 prefixes to be automatically assigned to the network interface. When creating a network interface, you can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
         :param ipv6_prefixes: The IPv6 delegated prefixes that are assigned to the network interface. When creating a network interface, you can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses.
-        :param private_ip_address: Assigns a single private IP address to the network interface, which is used as the primary private IP address. If you want to specify multiple private IP address, use the ``PrivateIpAddresses`` property.
-        :param private_ip_addresses: Assigns private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
+        :param private_ip_address: The private IPv4 address to assign to the network interface as the primary private IP address. If you want to specify multiple private IP addresses, use the ``PrivateIpAddresses`` property.
+        :param private_ip_addresses: The private IPv4 addresses to assign to the network interface. You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property. When creating a network interface, you can't specify private IPv4 addresses if you've specified one of the following: a count of private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using ``privateIpAddresses`` . When creating a Network Interface, you can't specify a count of private IPv4 addresses if you've specified one of the following: specific private IPv4 addresses, specific IPv4 prefixes, or a count of IPv4 prefixes.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
-        :param tags: An arbitrary set of tags (key-value pairs) for this network interface.
+        :param tags: The tags to apply to the network interface.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html
         :exampleMetadata: fixture=_generated
@@ -38318,7 +38385,7 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def group_set(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The security group IDs associated with this network interface.
+        '''The IDs of the security groups associated with this network interface.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html#cfn-ec2-networkinterface-groupset
         '''
@@ -38362,7 +38429,7 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def ipv6_address_count(self) -> typing.Optional[jsii.Number]:
-        '''The number of IPv6 addresses to assign to a network interface.
+        '''The number of IPv6 addresses to assign to the network interface.
 
         Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the ``Ipv6Addresses`` property and don't specify this property.
 
@@ -38377,7 +38444,7 @@ class CfnNetworkInterfaceProps:
     def ipv6_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnNetworkInterface.InstanceIpv6AddressProperty]]]]:
-        '''One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface.
+        '''The IPv6 addresses from the IPv6 CIDR block range of your subnet to assign to the network interface.
 
         If you're specifying a number of IPv6 addresses, use the ``Ipv6AddressCount`` property and don't specify this property.
 
@@ -38414,9 +38481,9 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def private_ip_address(self) -> typing.Optional[builtins.str]:
-        '''Assigns a single private IP address to the network interface, which is used as the primary private IP address.
+        '''The private IPv4 address to assign to the network interface as the primary private IP address.
 
-        If you want to specify multiple private IP address, use the ``PrivateIpAddresses`` property.
+        If you want to specify multiple private IP addresses, use the ``PrivateIpAddresses`` property.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html#cfn-ec2-networkinterface-privateipaddress
         '''
@@ -38427,7 +38494,7 @@ class CfnNetworkInterfaceProps:
     def private_ip_addresses(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnNetworkInterface.PrivateIpAddressSpecificationProperty]]]]:
-        '''Assigns private IP addresses to the network interface.
+        '''The private IPv4 addresses to assign to the network interface.
 
         You can specify a primary private IP address by setting the value of the ``Primary`` property to ``true`` in the ``PrivateIpAddressSpecification`` property. If you want EC2 to automatically assign private IP addresses, use the ``SecondaryPrivateIpAddressCount`` property and do not specify this property.
 
@@ -38466,7 +38533,7 @@ class CfnNetworkInterfaceProps:
 
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
-        '''An arbitrary set of tags (key-value pairs) for this network interface.
+        '''The tags to apply to the network interface.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterface.html#cfn-ec2-networkinterface-tags
         '''
@@ -40613,18 +40680,18 @@ class CfnSecurityGroup(
 
             An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-            You must specify exactly one of the following destinations: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully but the rule is not added to the security group.
+            You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
             You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
 
             Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
 
             :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
             :param description: A description for the security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
-            :param destination_prefix_list_id: The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
-            :param destination_security_group_id: The ID of the destination VPC security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            :param destination_prefix_list_id: The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
+            :param destination_security_group_id: The ID of the destination VPC security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
             :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
             :param source_security_group_id: 
             :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
@@ -40699,7 +40766,7 @@ class CfnSecurityGroup(
         def cidr_ip(self) -> typing.Optional[builtins.str]:
             '''The IPv4 address range, in CIDR format.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -40712,7 +40779,7 @@ class CfnSecurityGroup(
         def cidr_ipv6(self) -> typing.Optional[builtins.str]:
             '''The IPv6 address range, in CIDR format.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -40738,7 +40805,7 @@ class CfnSecurityGroup(
 
             This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html#cfn-ec2-securitygroup-egress-destinationprefixlistid
             '''
@@ -40749,7 +40816,7 @@ class CfnSecurityGroup(
         def destination_security_group_id(self) -> typing.Optional[builtins.str]:
             '''The ID of the destination VPC security group.
 
-            You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html#cfn-ec2-securitygroup-egress-destinationsecuritygroupid
             '''
@@ -40832,15 +40899,15 @@ class CfnSecurityGroup(
 
             An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-            You must specify exactly one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group.
+            You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
             You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
 
             Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
 
             :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+            :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
             :param description: Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
             :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
             :param source_prefix_list_id: The ID of a prefix list.
@@ -40923,7 +40990,7 @@ class CfnSecurityGroup(
         def cidr_ip(self) -> typing.Optional[builtins.str]:
             '''The IPv4 address range, in CIDR format.
 
-            You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -40936,7 +41003,7 @@ class CfnSecurityGroup(
         def cidr_ipv6(self) -> typing.Optional[builtins.str]:
             '''The IPv6 address range, in CIDR format.
 
-            You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+            You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
             For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41046,7 +41113,7 @@ class CfnSecurityGroupEgress(
 
     An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-    You must specify exactly one of the following destinations: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully but the rule is not added to the security group.
+    You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
     You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1.
 
@@ -41097,11 +41164,11 @@ class CfnSecurityGroupEgress(
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_id: The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
-        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
-        :param destination_security_group_id: The ID of the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
+        :param destination_security_group_id: The ID of the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
         :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
         :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
         '''
@@ -41320,11 +41387,11 @@ class CfnSecurityGroupEgressProps:
 
         :param group_id: The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
-        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
-        :param destination_security_group_id: The ID of the security group. You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        :param destination_prefix_list_id: The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
+        :param destination_security_group_id: The ID of the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
         :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
         :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
 
@@ -41409,7 +41476,7 @@ class CfnSecurityGroupEgressProps:
     def cidr_ip(self) -> typing.Optional[builtins.str]:
         '''The IPv4 address range, in CIDR format.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41422,7 +41489,7 @@ class CfnSecurityGroupEgressProps:
     def cidr_ipv6(self) -> typing.Optional[builtins.str]:
         '''The IPv6 address range, in CIDR format.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41446,9 +41513,9 @@ class CfnSecurityGroupEgressProps:
     def destination_prefix_list_id(self) -> typing.Optional[builtins.str]:
         '''The prefix list IDs for an AWS service.
 
-        This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
+        This is the AWS service to access through a VPC endpoint from instances associated with the security group.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupegress.html#cfn-ec2-securitygroupegress-destinationprefixlistid
         '''
@@ -41459,7 +41526,7 @@ class CfnSecurityGroupEgressProps:
     def destination_security_group_id(self) -> typing.Optional[builtins.str]:
         '''The ID of the security group.
 
-        You must specify a destination security group ( ``DestinationPrefixListId`` or ``DestinationSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupegress.html#cfn-ec2-securitygroupegress-destinationsecuritygroupid
         '''
@@ -41510,7 +41577,7 @@ class CfnSecurityGroupIngress(
 
     An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see `Security group rules <https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html>`_ .
 
-    You must specify only one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group.
+    You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
 
     You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
 
@@ -41566,8 +41633,8 @@ class CfnSecurityGroupIngress(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
         :param from_port: The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of ``-1`` indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.
         :param group_id: The ID of the security group.
@@ -41841,8 +41908,8 @@ class CfnSecurityGroupIngressProps:
         '''Properties for defining a ``CfnSecurityGroupIngress``.
 
         :param ip_protocol: The IP protocol name ( ``tcp`` , ``udp`` , ``icmp`` , ``icmpv6`` ) or number (see `Protocol Numbers <https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ ). Use ``-1`` to specify all protocols. When authorizing security group rules, specifying ``-1`` or a protocol number other than ``tcp`` , ``udp`` , ``icmp`` , or ``icmpv6`` allows traffic on all ports, regardless of any port range you specify. For ``tcp`` , ``udp`` , and ``icmp`` , you must specify a port range. For ``icmpv6`` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
-        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
-        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ). For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ip: The IPv4 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
+        :param cidr_ipv6: The IPv6 address range, in CIDR format. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` . For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
         :param description: Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
         :param from_port: The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of ``-1`` indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.
         :param group_id: The ID of the security group.
@@ -41935,7 +42002,7 @@ class CfnSecurityGroupIngressProps:
     def cidr_ip(self) -> typing.Optional[builtins.str]:
         '''The IPv4 address range, in CIDR format.
 
-        You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -41948,7 +42015,7 @@ class CfnSecurityGroupIngressProps:
     def cidr_ipv6(self) -> typing.Optional[builtins.str]:
         '''The IPv6 address range, in CIDR format.
 
-        You must specify a source security group ( ``SourcePrefixListId`` or ``SourceSecurityGroupId`` ) or a CIDR range ( ``CidrIp`` or ``CidrIpv6`` ).
+        You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``SourcePrefixListId`` , or ``SourceSecurityGroupId`` .
 
         For examples of rules that you can add to security groups for specific access scenarios, see `Security group rules for different use cases <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html>`_ in the *Amazon EC2 User Guide* .
 
@@ -72137,6 +72204,8 @@ class InstanceClass(enum.Enum):
     '''Memory optimized instances based on AMD EPYC, 5th generation.'''
     MEMORY5_AMD_NVME_DRIVE = "MEMORY5_AMD_NVME_DRIVE"
     '''Memory optimized instances based on AMD EPYC with local NVME drive, 5th generation.'''
+    R5AD = "R5AD"
+    '''Memory optimized instances based on AMD EPYC with local NVME drive, 5th generation.'''
     HIGH_MEMORY_3TB_1 = "HIGH_MEMORY_3TB_1"
     '''High memory instances (3TB) based on Intel Xeon Platinum 8176M (Skylake) processors, 1st generation.'''
     U_3TB1 = "U_3TB1"
@@ -72161,8 +72230,6 @@ class InstanceClass(enum.Enum):
     '''High memory instances (24TB) based on Intel Xeon Scalable (Cascade Lake) processors, 1st generation.'''
     U_24TB1 = "U_24TB1"
     '''High memory instances (24TB) based on Intel Xeon Scalable (Cascade Lake) processors, 1st generation.'''
-    R5AD = "R5AD"
-    '''Memory optimized instances based on AMD EPYC with local NVME drive, 5th generation.'''
     MEMORY5_EBS_OPTIMIZED = "MEMORY5_EBS_OPTIMIZED"
     '''Memory optimized instances that are also EBS-optimized, 5th generation.'''
     R5B = "R5B"
@@ -72303,12 +72370,16 @@ class InstanceClass(enum.Enum):
     '''Storage-optimized instances, 3rd generation.'''
     STORAGE_COMPUTE_1 = "STORAGE_COMPUTE_1"
     '''Storage/compute balanced instances, 1st generation.'''
+    H1 = "H1"
+    '''Storage/compute balanced instances, 1st generation.'''
+    TRAINING_ACCELERATOR1 = "TRAINING_ACCELERATOR1"
+    '''High performance computing powered by AWS Trainium.'''
     TRN1 = "TRN1"
     '''High performance computing powered by AWS Trainium.'''
+    TRAINING_ACCELERATOR1_ENHANCED_NETWORK = "TRAINING_ACCELERATOR1_ENHANCED_NETWORK"
+    '''Network-optimized high performance computing powered by AWS Trainium.'''
     TRN1N = "TRN1N"
-    '''High performance computing powered by AWS Trainium.'''
-    H1 = "H1"
-    '''Storage/compute balanced instances, 1st generation.'''
+    '''Network-optimized high performance computing powered by AWS Trainium.'''
     IO3 = "IO3"
     '''I/O-optimized instances, 3rd generation.'''
     I3 = "I3"
@@ -72356,7 +72427,7 @@ class InstanceClass(enum.Enum):
     MEMORY_INTENSIVE_1_EXTENDED = "MEMORY_INTENSIVE_1_EXTENDED"
     '''Memory-intensive instances, extended, 1st generation.'''
     X1E = "X1E"
-    '''Memory-intensive instances, 1st generation.'''
+    '''Memory-intensive instances, extended, 1st generation.'''
     MEMORY_INTENSIVE_2_GRAVITON2 = "MEMORY_INTENSIVE_2_GRAVITON2"
     '''Memory-intensive instances, 2nd generation with Graviton2 processors.
 
@@ -72422,11 +72493,11 @@ class InstanceClass(enum.Enum):
     P2 = "P2"
     '''Parallel-processing optimized instances, 2nd generation.'''
     PARALLEL3 = "PARALLEL3"
-    '''Parallel-processing optimized instances, 3nd generation.'''
+    '''Parallel-processing optimized instances, 3rd generation.'''
     P3 = "P3"
     '''Parallel-processing optimized instances, 3rd generation.'''
     PARALLEL3_NVME_DRIVE_HIGH_PERFORMANCE = "PARALLEL3_NVME_DRIVE_HIGH_PERFORMANCE"
-    '''Parallel-processing optimized instances with local NVME drive for high performance computing, 3nd generation.'''
+    '''Parallel-processing optimized instances with local NVME drive for high performance computing, 3rd generation.'''
     P3DN = "P3DN"
     '''Parallel-processing optimized instances with local NVME drive for high performance computing, 3rd generation.'''
     PARALLEL4_NVME_DRIVE_EXTENDED = "PARALLEL4_NVME_DRIVE_EXTENDED"
@@ -72557,6 +72628,10 @@ class InstanceClass(enum.Enum):
     '''Deep learning instances powered by Gaudi accelerators from Habana Labs (an Intel company), 1st generation.'''
     DL1 = "DL1"
     '''Deep learning instances powered by Gaudi accelerators from Habana Labs (an Intel company), 1st generation.'''
+    DEEP_LEARNING2_QUALCOMM = "DEEP_LEARNING2_QUALCOMM"
+    '''Deep learning instances powered by Qualcomm AI 100 Standard accelerators, 2nd generation.'''
+    DL2Q = "DL2Q"
+    '''Deep learning instances powered by Qualcomm AI 100 Standard accelerators, 2nd generation.'''
 
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_ec2.InstanceInitiatedShutdownBehavior")
@@ -73571,8 +73646,23 @@ class InterfaceVpcEndpointAwsService(
     @jsii.python.classproperty
     @jsii.member(jsii_name="APP_MESH")
     def APP_MESH(cls) -> "InterfaceVpcEndpointAwsService":
+        '''
+        :deprecated: - Use InterfaceVpcEndpointAwsService.APP_MESH_ENVOY_MANAGEMENT instead.
+
+        :stability: deprecated
+        '''
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APP_MESH"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APP_MESH_ENVOY_MANAGEMENT")
+    def APP_MESH_ENVOY_MANAGEMENT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APP_MESH_ENVOY_MANAGEMENT"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APP_MESH_OPS")
+    def APP_MESH_OPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APP_MESH_OPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="APP_RUNNER")
     def APP_RUNNER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73638,6 +73728,11 @@ class InterfaceVpcEndpointAwsService(
     def AUTOSCALING_PLANS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "AUTOSCALING_PLANS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="B2B_DATA_INTERCHANGE")
+    def B2_B_DATA_INTERCHANGE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "B2B_DATA_INTERCHANGE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="BACKUP")
     def BACKUP(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73653,6 +73748,26 @@ class InterfaceVpcEndpointAwsService(
     def BATCH(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BATCH"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK")
+    def BEDROCK(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_AGENT")
+    def BEDROCK_AGENT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_AGENT"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_AGENT_RUNTIME")
+    def BEDROCK_AGENT_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_AGENT_RUNTIME"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_RUNTIME")
+    def BEDROCK_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_RUNTIME"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="BILLING_CONDUCTOR")
     def BILLING_CONDUCTOR(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73663,6 +73778,11 @@ class InterfaceVpcEndpointAwsService(
     def BRAKET(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BRAKET"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLEAN_ROOMS")
+    def CLEAN_ROOMS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLEAN_ROOMS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CLOUD_CONTROL_API")
     def CLOUD_CONTROL_API(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73678,6 +73798,26 @@ class InterfaceVpcEndpointAwsService(
     def CLOUD_DIRECTORY(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_DIRECTORY"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_DATA_SERVICE_DISCOVERY")
+    def CLOUD_MAP_DATA_SERVICE_DISCOVERY(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_DATA_SERVICE_DISCOVERY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_DATA_SERVICE_DISCOVERY_FIPS")
+    def CLOUD_MAP_DATA_SERVICE_DISCOVERY_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_DATA_SERVICE_DISCOVERY_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_SERVICE_DISCOVERY")
+    def CLOUD_MAP_SERVICE_DISCOVERY(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_SERVICE_DISCOVERY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUD_MAP_SERVICE_DISCOVERY_FIPS")
+    def CLOUD_MAP_SERVICE_DISCOVERY_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUD_MAP_SERVICE_DISCOVERY_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CLOUDFORMATION")
     def CLOUDFORMATION(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73733,6 +73873,11 @@ class InterfaceVpcEndpointAwsService(
     def CLOUDWATCH_MONITORING(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUDWATCH_MONITORING"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUDWATCH_NETWORK_MONITOR")
+    def CLOUDWATCH_NETWORK_MONITOR(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUDWATCH_NETWORK_MONITOR"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CLOUDWATCH_RUM")
     def CLOUDWATCH_RUM(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73768,6 +73913,16 @@ class InterfaceVpcEndpointAwsService(
     def CODEBUILD_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODEBUILD_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CODECATALYST_GIT")
+    def CODECATALYST_GIT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODECATALYST_GIT"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CODECATALYST_PACKAGES")
+    def CODECATALYST_PACKAGES(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODECATALYST_PACKAGES"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CODECOMMIT")
     def CODECOMMIT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73818,6 +73973,11 @@ class InterfaceVpcEndpointAwsService(
     def CODESTAR_CONNECTIONS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODESTAR_CONNECTIONS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CODEWHISPERER")
+    def CODEWHISPERER(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CODEWHISPERER"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="COMPREHEND")
     def COMPREHEND(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73883,11 +74043,21 @@ class InterfaceVpcEndpointAwsService(
     def DATASYNC(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DATASYNC"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DATAZONE")
+    def DATAZONE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DATAZONE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="DEVOPS_GURU")
     def DEVOPS_GURU(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DEVOPS_GURU"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DIRECTORY_SERVICE")
+    def DIRECTORY_SERVICE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "DIRECTORY_SERVICE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="EBS_DIRECT")
     def EBS_DIRECT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73933,6 +74103,11 @@ class InterfaceVpcEndpointAwsService(
     def EKS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EKS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="EKS_AUTH")
+    def EKS_AUTH(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EKS_AUTH"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="ELASTIC_BEANSTALK")
     def ELASTIC_BEANSTALK(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73978,6 +74153,11 @@ class InterfaceVpcEndpointAwsService(
     def ELASTICACHE_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ELASTICACHE_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ELEMENTAL_MEDIACONNECT")
+    def ELEMENTAL_MEDIACONNECT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ELEMENTAL_MEDIACONNECT"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="EMAIL_SMTP")
     def EMAIL_SMTP(cls) -> "InterfaceVpcEndpointAwsService":
@@ -73998,6 +74178,16 @@ class InterfaceVpcEndpointAwsService(
     def EMR_SERVERLESS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EMR_SERVERLESS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="EMR_WAL")
+    def EMR_WAL(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "EMR_WAL"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ENTITY_RESOLUTION")
+    def ENTITY_RESOLUTION(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ENTITY_RESOLUTION"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="EVENTBRIDGE")
     def EVENTBRIDGE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74078,6 +74268,26 @@ class InterfaceVpcEndpointAwsService(
     def GROUNDSTATION(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GROUNDSTATION"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="GUARDDUTY_DATA")
+    def GUARDDUTY_DATA(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GUARDDUTY_DATA"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="GUARDDUTY_DATA_FIPS")
+    def GUARDDUTY_DATA_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GUARDDUTY_DATA_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HEALTH_IMAGING")
+    def HEALTH_IMAGING(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "HEALTH_IMAGING"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HEALTH_IMAGING_RUNTIME")
+    def HEALTH_IMAGING_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "HEALTH_IMAGING_RUNTIME"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="HEALTHLAKE")
     def HEALTHLAKE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74103,21 +74313,41 @@ class InterfaceVpcEndpointAwsService(
     def INSPECTOR(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "INSPECTOR"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="INSPECTOR_SCAN")
+    def INSPECTOR_SCAN(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "INSPECTOR_SCAN"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_CORE")
     def IOT_CORE(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IOT_CORE_CREDENTIALS")
+    def IOT_CORE_CREDENTIALS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_CREDENTIALS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_CORE_DEVICE_ADVISOR")
     def IOT_CORE_DEVICE_ADVISOR(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_DEVICE_ADVISOR"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IOT_CORE_FLEETHUB_API")
+    def IOT_CORE_FLEETHUB_API(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_FLEETHUB_API"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_CORE_FOR_LORAWAN")
     def IOT_CORE_FOR_LORAWAN(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_CORE_FOR_LORAWAN"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IOT_FLEETWISE")
+    def IOT_FLEETWISE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "IOT_FLEETWISE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_GREENGRASS")
     def IOT_GREENGRASS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74228,6 +74458,11 @@ class InterfaceVpcEndpointAwsService(
     def LICENSE_MANAGER_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "LICENSE_MANAGER_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="LICENSE_MANAGER_USER_SUBSCRIPTIONS")
+    def LICENSE_MANAGER_USER_SUBSCRIPTIONS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "LICENSE_MANAGER_USER_SUBSCRIPTIONS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="LOOKOUT_EQUIPMENT")
     def LOOKOUT_EQUIPMENT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74253,6 +74488,31 @@ class InterfaceVpcEndpointAwsService(
     def MAINFRAME_MODERNIZATION(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MAINFRAME_MODERNIZATION"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGED_BLOCKCHAIN_BITCOIN_MAINNET")
+    def MANAGED_BLOCKCHAIN_BITCOIN_MAINNET(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGED_BLOCKCHAIN_BITCOIN_MAINNET"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGED_BLOCKCHAIN_BITCOIN_TESTNET")
+    def MANAGED_BLOCKCHAIN_BITCOIN_TESTNET(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGED_BLOCKCHAIN_BITCOIN_TESTNET"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGED_BLOCKCHAIN_QUERY")
+    def MANAGED_BLOCKCHAIN_QUERY(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGED_BLOCKCHAIN_QUERY"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGEMENT_CONSOLE")
+    def MANAGEMENT_CONSOLE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGEMENT_CONSOLE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MANAGEMENT_CONSOLE_SIGNIN")
+    def MANAGEMENT_CONSOLE_SIGNIN(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MANAGEMENT_CONSOLE_SIGNIN"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="MEMORY_DB")
     def MEMORY_DB(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74278,6 +74538,11 @@ class InterfaceVpcEndpointAwsService(
     def MIGRATIONHUB_STRATEGY(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MIGRATIONHUB_STRATEGY"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="NEPTUNE_ANALYTICS")
+    def NEPTUNE_ANALYTICS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "NEPTUNE_ANALYTICS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="NIMBLE_STUDIO")
     def NIMBLE_STUDIO(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74308,16 +74573,66 @@ class InterfaceVpcEndpointAwsService(
     def OMICS_WORKFLOWS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "OMICS_WORKFLOWS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ORGANIZATIONS")
+    def ORGANIZATIONS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ORGANIZATIONS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="ORGANIZATIONS_FIPS")
+    def ORGANIZATIONS_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "ORGANIZATIONS_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PANORAMA")
     def PANORAMA(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PANORAMA"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PAYMENT_CRYPTOGRAPHY_CONTROLPLANE")
+    def PAYMENT_CRYPTOGRAPHY_CONTROLPLANE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PAYMENT_CRYPTOGRAPHY_CONTROLPLANE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PAYMENT_CRYTOGRAPHY_DATAPLANE")
+    def PAYMENT_CRYTOGRAPHY_DATAPLANE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PAYMENT_CRYTOGRAPHY_DATAPLANE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PERSONALIZE")
+    def PERSONALIZE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PERSONALIZE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PERSONALIZE_EVENTS")
+    def PERSONALIZE_EVENTS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PERSONALIZE_EVENTS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PERSONALIZE_RUNTIME")
+    def PERSONALIZE_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PERSONALIZE_RUNTIME"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PINPOINT")
     def PINPOINT(cls) -> "InterfaceVpcEndpointAwsService":
+        '''
+        :deprecated: - Use InterfaceVpcEndpointAwsService.PINPOINT_SMS_VOICE_V2 instead.
+
+        :stability: deprecated
+        '''
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PINPOINT"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PINPOINT_SMS_VOICE_V2")
+    def PINPOINT_SMS_VOICE_V2(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PINPOINT_SMS_VOICE_V2"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PINPOINT_V1")
+    def PINPOINT_V1(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PINPOINT_V1"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="POLLY")
     def POLLY(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74333,6 +74648,13 @@ class InterfaceVpcEndpointAwsService(
     def PRIVATE_CERTIFICATE_AUTHORITY(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PRIVATE_CERTIFICATE_AUTHORITY"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PRIVATE_CERTIFICATE_AUTHORITY_CONNECTOR_AD")
+    def PRIVATE_CERTIFICATE_AUTHORITY_CONNECTOR_AD(
+        cls,
+    ) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PRIVATE_CERTIFICATE_AUTHORITY_CONNECTOR_AD"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PROMETHEUS")
     def PROMETHEUS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74388,6 +74710,21 @@ class InterfaceVpcEndpointAwsService(
     def REKOGNITION_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REKOGNITION_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="REKOGNITION_STREAMING")
+    def REKOGNITION_STREAMING(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REKOGNITION_STREAMING"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="REKOGNITION_STREAMING_FIPS")
+    def REKOGNITION_STREAMING_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REKOGNITION_STREAMING_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="REPOST_SPACE")
+    def REPOST_SPACE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "REPOST_SPACE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="ROBOMAKER")
     def ROBOMAKER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74418,6 +74755,11 @@ class InterfaceVpcEndpointAwsService(
     def SAGEMAKER_FEATURESTORE_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_FEATURESTORE_RUNTIME"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SAGEMAKER_GEOSPATIAL")
+    def SAGEMAKER_GEOSPATIAL(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_GEOSPATIAL"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SAGEMAKER_METRICS")
     def SAGEMAKER_METRICS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74488,6 +74830,11 @@ class InterfaceVpcEndpointAwsService(
         '''
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SES"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SIMSPACE_WEAVER")
+    def SIMSPACE_WEAVER(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SIMSPACE_WEAVER"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SNOW_DEVICE_MANAGEMENT")
     def SNOW_DEVICE_MANAGEMENT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74543,6 +74890,26 @@ class InterfaceVpcEndpointAwsService(
     def STS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "STS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SUPPLY_CHAIN")
+    def SUPPLY_CHAIN(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SUPPLY_CHAIN"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SWF")
+    def SWF(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SWF"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SWF_FIPS")
+    def SWF_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SWF_FIPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="TELCO_NETWORK_BUILDER")
+    def TELCO_NETWORK_BUILDER(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TELCO_NETWORK_BUILDER"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="TEXTRACT")
     def TEXTRACT(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74553,6 +74920,11 @@ class InterfaceVpcEndpointAwsService(
     def TEXTRACT_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TEXTRACT_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="TIMESTREAM_INFLUXDB")
+    def TIMESTREAM_INFLUXDB(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TIMESTREAM_INFLUXDB"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="TRANSCRIBE")
     def TRANSCRIBE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -74578,16 +74950,31 @@ class InterfaceVpcEndpointAwsService(
     def TRANSLATE(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TRANSLATE"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="TRUSTED_ADVISOR")
+    def TRUSTED_ADVISOR(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TRUSTED_ADVISOR"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VERIFIED_PERMISSIONS")
     def VERIFIED_PERMISSIONS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "VERIFIED_PERMISSIONS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VPC_LATTICE")
+    def VPC_LATTICE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "VPC_LATTICE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="WORKSPACES")
     def WORKSPACES(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "WORKSPACES"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="WORKSPACES_THIN_CLIENT")
+    def WORKSPACES_THIN_CLIENT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "WORKSPACES_THIN_CLIENT"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="XRAY")
     def XRAY(cls) -> "InterfaceVpcEndpointAwsService":
@@ -89456,6 +89843,11 @@ class GatewayVpcEndpointAwsService(
     def S3(cls) -> "GatewayVpcEndpointAwsService":
         return typing.cast("GatewayVpcEndpointAwsService", jsii.sget(cls, "S3"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="S3_EXPRESS")
+    def S3_EXPRESS(cls) -> "GatewayVpcEndpointAwsService":
+        return typing.cast("GatewayVpcEndpointAwsService", jsii.sget(cls, "S3_EXPRESS"))
+
     @builtins.property
     @jsii.member(jsii_name="name")
     def name(self) -> builtins.str:
@@ -94276,6 +94668,7 @@ def _typecheckingstub__5f22238da23e1a95528fc55d3e3a28b661b69a5dfe2d1e64620bef1eb
     *,
     domain_name: typing.Optional[builtins.str] = None,
     domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
     netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     netbios_node_type: typing.Optional[jsii.Number] = None,
     ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -94308,6 +94701,12 @@ def _typecheckingstub__d9ee8e87c9581893159e005c5c7c786324d9f9c9a41ba0af4f72aedd3
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__0cbb91e4162eb4b7aab6b1e90fa6fbbbade04b38a95d6c1bb778946ae93b50a3(
+    value: typing.Optional[jsii.Number],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__e3b8e4bd8f79a27f01b9c18995f6a45e13c80f3ff9f392b3c558b6cc5a5e5dba(
     value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
@@ -94336,6 +94735,7 @@ def _typecheckingstub__569097ad87e4dddbcfaee4fb50fc7ddb345c4f97ae82fcf897497039e
     *,
     domain_name: typing.Optional[builtins.str] = None,
     domain_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ipv6_address_preferred_lease_time: typing.Optional[jsii.Number] = None,
     netbios_name_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     netbios_node_type: typing.Optional[jsii.Number] = None,
     ntp_servers: typing.Optional[typing.Sequence[builtins.str]] = None,