aws-cdk-lib 2.150.0__py3-none-any.whl → 2.151.1__py3-none-any.whl

aws_cdk/aws_cleanrooms/__init__.py

@@ -4403,7 +4403,7 @@ class CfnPrivacyBudgetTemplate(
         :param id: Construct identifier for this resource (unique in its scope).
         :param auto_refresh: How often the privacy budget refreshes. .. epigraph:: If you plan to regularly bring new data into the collaboration, use ``CALENDAR_MONTH`` to automatically get a new privacy budget for the collaboration every calendar month. Choosing this option allows arbitrary amounts of information to be revealed about rows of the data when repeatedly queried across refreshes. Avoid choosing this if the same rows will be repeatedly queried between privacy budget refreshes.
         :param membership_identifier: The identifier for a membership resource.
-        :param parameters: Specifies the epislon and noise parameters for the privacy budget template.
+        :param parameters: Specifies the epsilon and noise parameters for the privacy budget template.
         :param privacy_budget_type: Specifies the type of the privacy budget template.
         :param tags: An arbitrary set of tags (key-value pairs) for this cleanrooms privacy budget template.
         '''
@@ -4540,7 +4540,7 @@ class CfnPrivacyBudgetTemplate(
     def parameters(
         self,
     ) -> typing.Union[_IResolvable_da3f097b, "CfnPrivacyBudgetTemplate.ParametersProperty"]:
-        '''Specifies the epislon and noise parameters for the privacy budget template.'''
+        '''Specifies the epsilon and noise parameters for the privacy budget template.'''
         return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnPrivacyBudgetTemplate.ParametersProperty"], jsii.get(self, "parameters"))
 
     @parameters.setter
@@ -4594,7 +4594,7 @@ class CfnPrivacyBudgetTemplate(
             epsilon: jsii.Number,
             users_noise_per_query: jsii.Number,
         ) -> None:
-            '''Specifies the epislon and noise parameters for the privacy budget template.
+            '''Specifies the epsilon and noise parameters for the privacy budget template.
 
             :param epsilon: The epsilon value that you want to use.
             :param users_noise_per_query: Noise added per query is measured in terms of the number of users whose contributions you want to obscure. This value governs the rate at which the privacy budget is depleted.
@@ -4681,7 +4681,7 @@ class CfnPrivacyBudgetTemplateProps:
 
         :param auto_refresh: How often the privacy budget refreshes. .. epigraph:: If you plan to regularly bring new data into the collaboration, use ``CALENDAR_MONTH`` to automatically get a new privacy budget for the collaboration every calendar month. Choosing this option allows arbitrary amounts of information to be revealed about rows of the data when repeatedly queried across refreshes. Avoid choosing this if the same rows will be repeatedly queried between privacy budget refreshes.
         :param membership_identifier: The identifier for a membership resource.
-        :param parameters: Specifies the epislon and noise parameters for the privacy budget template.
+        :param parameters: Specifies the epsilon and noise parameters for the privacy budget template.
         :param privacy_budget_type: Specifies the type of the privacy budget template.
         :param tags: An arbitrary set of tags (key-value pairs) for this cleanrooms privacy budget template.
 
@@ -4754,7 +4754,7 @@ class CfnPrivacyBudgetTemplateProps:
     def parameters(
         self,
     ) -> typing.Union[_IResolvable_da3f097b, CfnPrivacyBudgetTemplate.ParametersProperty]:
-        '''Specifies the epislon and noise parameters for the privacy budget template.
+        '''Specifies the epsilon and noise parameters for the privacy budget template.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cleanrooms-privacybudgettemplate.html#cfn-cleanrooms-privacybudgettemplate-parameters
         '''

aws_cdk/aws_cloudformation/__init__.py

@@ -4255,7 +4255,7 @@ class CfnStackSet(
         ) -> None:
             '''The AWS OrganizationalUnitIds or Accounts for which to create stack instances in the specified Regions.
 
-            :param account_filter_type: Limit deployment targets to individual accounts or include additional accounts with provided OUs. The following is a list of possible values for the ``AccountFilterType`` operation. - ``INTERSECTION`` : StackSet deploys to the accounts specified in the ``Accounts`` parameter. - ``DIFFERENCE`` : StackSet deploys to the OU, excluding the accounts specified in the ``Accounts`` parameter. - ``UNION`` isn't supported when using StackSet as a resource.
+            :param account_filter_type: Limit deployment targets to individual accounts or include additional accounts with provided OUs. The following is a list of possible values for the ``AccountFilterType`` operation. - ``INTERSECTION`` : StackSet deploys to the accounts specified in the ``Accounts`` parameter. - ``DIFFERENCE`` : StackSet deploys to the OU, excluding the accounts specified in the ``Accounts`` parameter. - ``UNION`` StackSet deploys to the OU, and the accounts specified in the ``Accounts`` parameter. ``UNION`` is not supported for create operations when using StackSet as a resource.
             :param accounts: The names of one or more AWS accounts for which you want to deploy stack set updates. *Pattern* : ``^[0-9]{12}$``
             :param accounts_url: Returns the value of the ``AccountsUrl`` property.
             :param organizational_unit_ids: The organization root ID or organizational unit (OU) IDs to which StackSets deploys. *Pattern* : ``^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$``
@@ -4300,7 +4300,7 @@ class CfnStackSet(
 
             - ``INTERSECTION`` : StackSet deploys to the accounts specified in the ``Accounts`` parameter.
             - ``DIFFERENCE`` : StackSet deploys to the OU, excluding the accounts specified in the ``Accounts`` parameter.
-            - ``UNION`` isn't supported when using StackSet as a resource.
+            - ``UNION`` StackSet deploys to the OU, and the accounts specified in the ``Accounts`` parameter. ``UNION`` is not supported for create operations when using StackSet as a resource.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-deploymenttargets.html#cfn-cloudformation-stackset-deploymenttargets-accountfiltertype
             '''

aws_cdk/aws_cloudfront/__init__.py

@@ -4184,9 +4184,14 @@ class CfnContinuousDeploymentPolicy(
     )
     class SingleHeaderPolicyConfigProperty:
         def __init__(self, *, header: builtins.str, value: builtins.str) -> None:
-            '''
-            :param header: 
-            :param value: 
+            '''Defines a single header policy for a CloudFront distribution.
+
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `TrafficConfig <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-trafficconfig.html>`_ and specify the `SingleHeaderConfig <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-trafficconfig.html#cfn-cloudfront-continuousdeploymentpolicy-trafficconfig-singleheaderconfig>`_ property instead.
+
+            :param header: The name of the HTTP header that CloudFront uses to configure for the single header policy.
+            :param value: Specifies the value to assign to the header for a single header policy.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-singleheaderpolicyconfig.html
             :exampleMetadata: fixture=_generated
@@ -4213,7 +4218,8 @@ class CfnContinuousDeploymentPolicy(
 
         @builtins.property
         def header(self) -> builtins.str:
-            '''
+            '''The name of the HTTP header that CloudFront uses to configure for the single header policy.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-singleheaderpolicyconfig.html#cfn-cloudfront-continuousdeploymentpolicy-singleheaderpolicyconfig-header
             '''
             result = self._values.get("header")
@@ -4222,7 +4228,8 @@ class CfnContinuousDeploymentPolicy(
 
         @builtins.property
         def value(self) -> builtins.str:
-            '''
+            '''Specifies the value to assign to the header for a single header policy.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-singleheaderpolicyconfig.html#cfn-cloudfront-continuousdeploymentpolicy-singleheaderpolicyconfig-value
             '''
             result = self._values.get("value")
@@ -4338,9 +4345,14 @@ class CfnContinuousDeploymentPolicy(
             weight: jsii.Number,
             session_stickiness_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnContinuousDeploymentPolicy.SessionStickinessConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''
-            :param weight: 
-            :param session_stickiness_config: 
+            '''Configure a policy that CloudFront uses to route requests to different origins or use different cache settings, based on the weight assigned to each option.
+
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `TrafficConfig <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-trafficconfig.html>`_ and specify the `SingleWeightConfig <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-trafficconfig.html#cfn-cloudfront-continuousdeploymentpolicy-trafficconfig-singleweightconfig>`_ property instead.
+
+            :param weight: The percentage of requests that CloudFront will use to send to an associated origin or cache settings.
+            :param session_stickiness_config: Enable session stickiness for the associated origin or cache settings.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-singleweightpolicyconfig.html
             :exampleMetadata: fixture=_generated
@@ -4373,7 +4385,8 @@ class CfnContinuousDeploymentPolicy(
 
         @builtins.property
         def weight(self) -> jsii.Number:
-            '''
+            '''The percentage of requests that CloudFront will use to send to an associated origin or cache settings.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-singleweightpolicyconfig.html#cfn-cloudfront-continuousdeploymentpolicy-singleweightpolicyconfig-weight
             '''
             result = self._values.get("weight")
@@ -4384,7 +4397,8 @@ class CfnContinuousDeploymentPolicy(
         def session_stickiness_config(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnContinuousDeploymentPolicy.SessionStickinessConfigProperty"]]:
-            '''
+            '''Enable session stickiness for the associated origin or cache settings.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-continuousdeploymentpolicy-singleweightpolicyconfig.html#cfn-cloudfront-continuousdeploymentpolicy-singleweightpolicyconfig-sessionstickinessconfig
             '''
             result = self._values.get("session_stickiness_config")
@@ -6183,11 +6197,11 @@ class CfnDistribution(
             :param enabled: From this field, you can enable or disable the selected distribution.
             :param aliases: A complex type that contains information about CNAMEs (alternate domain names), if any, for this distribution.
             :param cache_behaviors: A complex type that contains zero or more ``CacheBehavior`` elements.
-            :param cnam_es: 
+            :param cnam_es: An alias for the CloudFront distribution's domain name. .. epigraph:: This property is legacy. We recommend that you use `Aliases <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-aliases>`_ instead.
             :param comment: A comment to describe the distribution. The comment cannot be longer than 128 characters. Default: - ""
             :param continuous_deployment_policy_id: The identifier of a continuous deployment policy. For more information, see ``CreateContinuousDeploymentPolicy`` .
             :param custom_error_responses: A complex type that controls the following:. - Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error messages before returning the response to the viewer. - How long CloudFront caches HTTP status codes in the 4xx and 5xx range. For more information about custom error pages, see `Customizing Error Responses <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-error-pages.html>`_ in the *Amazon CloudFront Developer Guide* .
-            :param custom_origin: 
+            :param custom_origin: The user-defined HTTP server that serves as the origin for content that CloudFront distributes. .. epigraph:: This property is legacy. We recommend that you use `Origin <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html>`_ instead.
             :param default_root_object: The object that you want CloudFront to request from your origin (for example, ``index.html`` ) when a viewer requests the root URL for your distribution ( ``https://www.example.com`` ) instead of an object in your distribution ( ``https://www.example.com/product-description.html`` ). Specifying a default root object avoids exposing the contents of your distribution. Specify only the object name, for example, ``index.html`` . Don't add a ``/`` before the object name. If you don't want to specify a default root object when you create a distribution, include an empty ``DefaultRootObject`` element. To delete the default root object from an existing distribution, update the distribution configuration and include an empty ``DefaultRootObject`` element. To replace the default root object, update the distribution configuration and specify the new object. For more information about the default root object, see `Creating a Default Root Object <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html>`_ in the *Amazon CloudFront Developer Guide* . Default: - ""
             :param http_version: (Optional) Specify the HTTP version(s) that you want viewers to use to communicate with CloudFront . The default value for new distributions is ``http1.1`` . For viewers and CloudFront to use HTTP/2, viewers must support TLSv1.2 or later, and must support Server Name Indication (SNI). For viewers and CloudFront to use HTTP/3, viewers must support TLSv1.3 and Server Name Indication (SNI). CloudFront supports HTTP/3 connection migration to allow the viewer to switch networks without losing connection. For more information about connection migration, see `Connection Migration <https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc9000.html#name-connection-migration>`_ at RFC 9000. For more information about supported TLSv1.3 ciphers, see `Supported protocols and ciphers between viewers and CloudFront <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html>`_ . Default: - "http1.1"
             :param ipv6_enabled: If you want CloudFront to respond to IPv6 DNS requests with an IPv6 address for your distribution, specify ``true`` . If you specify ``false`` , CloudFront responds to IPv6 DNS requests with the DNS response code ``NOERROR`` and with no IP addresses. This allows viewers to submit a second request, for an IPv4 address for your distribution. In general, you should enable IPv6 if you have users on IPv6 networks who want to access your content. However, if you're using signed URLs or signed cookies to restrict access to your content, and if you're using a custom policy that includes the ``IpAddress`` parameter to restrict the IP addresses that can access your content, don't enable IPv6. If you want to restrict access to some content by IP address and not restrict access to other content (or restrict access but not by IP address), you can create two distributions. For more information, see `Creating a Signed URL Using a Custom Policy <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html>`_ in the *Amazon CloudFront Developer Guide* . If you're using an Amazon Route 53 AWS Integration alias resource record set to route traffic to your CloudFront distribution, you need to create a second alias resource record set when both of the following are true: - You enable IPv6 for the distribution - You're using alternate domain names in the URLs for your objects For more information, see `Routing Traffic to an Amazon CloudFront Web Distribution by Using Your Domain Name <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html>`_ in the *Amazon Route 53 AWS Integration Developer Guide* . If you created a CNAME resource record set, either with Amazon Route 53 AWS Integration or with another DNS service, you don't need to make any changes. A CNAME record will route traffic to your distribution regardless of the IP address format of the viewer request.
@@ -6196,7 +6210,7 @@ class CfnDistribution(
             :param origins: A complex type that contains information about origins for this distribution. Specify a value for either the ``Origins`` or ``OriginGroups`` property.
             :param price_class: The price class that corresponds with the maximum price that you want to pay for CloudFront service. If you specify ``PriceClass_All`` , CloudFront responds to requests for your objects from all CloudFront edge locations. If you specify a price class other than ``PriceClass_All`` , CloudFront serves your objects from the CloudFront edge location that has the lowest latency among the edge locations in your price class. Viewers who are in or near regions that are excluded from your specified price class may encounter slower performance. For more information about price classes, see `Choosing the Price Class for a CloudFront Distribution <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html>`_ in the *Amazon CloudFront Developer Guide* . For information about CloudFront pricing, including how price classes (such as Price Class 100) map to CloudFront regions, see `Amazon CloudFront Pricing <https://docs.aws.amazon.com/cloudfront/pricing/>`_ . Default: - "PriceClass_All"
             :param restrictions: A complex type that identifies ways in which you want to restrict distribution of your content.
-            :param s3_origin: 
+            :param s3_origin: The origin as an Amazon S3 bucket. .. epigraph:: This property is legacy. We recommend that you use `Origin <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html>`_ instead.
             :param staging: A Boolean that indicates whether this is a staging distribution. When this value is ``true`` , this is a staging distribution. When this value is ``false`` , this is not a staging distribution.
             :param viewer_certificate: A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers.
             :param web_acl_id: A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of AWS WAF , use the ACL ARN, for example ``arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`` . To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example ``a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`` . AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked. For more information about AWS WAF , see the `AWS WAF Developer Guide <https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html>`_ . Default: - ""
@@ -6519,7 +6533,12 @@ class CfnDistribution(
 
         @builtins.property
         def cnam_es(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''
+            '''An alias for the CloudFront distribution's domain name.
+
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `Aliases <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-aliases>`_ instead.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-cnames
             '''
             result = self._values.get("cnam_es")
@@ -6569,7 +6588,12 @@ class CfnDistribution(
         def custom_origin(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDistribution.LegacyCustomOriginProperty"]]:
-            '''
+            '''The user-defined HTTP server that serves as the origin for content that CloudFront distributes.
+
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `Origin <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html>`_ instead.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-customorigin
             '''
             result = self._values.get("custom_origin")
@@ -6708,7 +6732,12 @@ class CfnDistribution(
         def s3_origin(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnDistribution.LegacyS3OriginProperty"]]:
-            '''
+            '''The origin as an Amazon S3 bucket.
+
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `Origin <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html>`_ instead.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-s3origin
             '''
             result = self._values.get("s3_origin")
@@ -7207,12 +7236,18 @@ class CfnDistribution(
             http_port: typing.Optional[jsii.Number] = None,
             https_port: typing.Optional[jsii.Number] = None,
         ) -> None:
-            '''
-            :param dns_name: 
-            :param origin_protocol_policy: 
-            :param origin_ssl_protocols: 
-            :param http_port: Default: - 80
-            :param https_port: Default: - 443
+            '''A custom origin.
+
+            A custom origin is any origin that is *not* an Amazon S3 bucket, with one exception. An Amazon S3 bucket that is `configured with static website hosting <https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html>`_ *is* a custom origin.
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `Origin <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html>`_ instead.
+
+            :param dns_name: The domain name assigned to your CloudFront distribution.
+            :param origin_protocol_policy: Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin.
+            :param origin_ssl_protocols: The minimum SSL/TLS protocol version that CloudFront uses when communicating with your origin server over HTTPs. For more information, see `Minimum Origin SSL Protocol <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols>`_ in the *Amazon CloudFront Developer Guide* .
+            :param http_port: The HTTP port that CloudFront uses to connect to the origin. Specify the HTTP port that the origin listens on. Default: - 80
+            :param https_port: The HTTPS port that CloudFront uses to connect to the origin. Specify the HTTPS port that the origin listens on. Default: - 443
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacycustomorigin.html
             :exampleMetadata: fixture=_generated
@@ -7252,7 +7287,8 @@ class CfnDistribution(
 
         @builtins.property
         def dns_name(self) -> builtins.str:
-            '''
+            '''The domain name assigned to your CloudFront distribution.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacycustomorigin.html#cfn-cloudfront-distribution-legacycustomorigin-dnsname
             '''
             result = self._values.get("dns_name")
@@ -7261,7 +7297,8 @@ class CfnDistribution(
 
         @builtins.property
         def origin_protocol_policy(self) -> builtins.str:
-            '''
+            '''Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacycustomorigin.html#cfn-cloudfront-distribution-legacycustomorigin-originprotocolpolicy
             '''
             result = self._values.get("origin_protocol_policy")
@@ -7270,7 +7307,10 @@ class CfnDistribution(
 
         @builtins.property
         def origin_ssl_protocols(self) -> typing.List[builtins.str]:
-            '''
+            '''The minimum SSL/TLS protocol version that CloudFront uses when communicating with your origin server over HTTPs.
+
+            For more information, see `Minimum Origin SSL Protocol <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols>`_ in the *Amazon CloudFront Developer Guide* .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacycustomorigin.html#cfn-cloudfront-distribution-legacycustomorigin-originsslprotocols
             '''
             result = self._values.get("origin_ssl_protocols")
@@ -7279,7 +7319,10 @@ class CfnDistribution(
 
         @builtins.property
         def http_port(self) -> typing.Optional[jsii.Number]:
-            '''
+            '''The HTTP port that CloudFront uses to connect to the origin.
+
+            Specify the HTTP port that the origin listens on.
+
             :default: - 80
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacycustomorigin.html#cfn-cloudfront-distribution-legacycustomorigin-httpport
@@ -7289,7 +7332,10 @@ class CfnDistribution(
 
         @builtins.property
         def https_port(self) -> typing.Optional[jsii.Number]:
-            '''
+            '''The HTTPS port that CloudFront uses to connect to the origin.
+
+            Specify the HTTPS port that the origin listens on.
+
             :default: - 443
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacycustomorigin.html#cfn-cloudfront-distribution-legacycustomorigin-httpsport
@@ -7323,9 +7369,14 @@ class CfnDistribution(
             dns_name: builtins.str,
             origin_access_identity: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''
-            :param dns_name: 
-            :param origin_access_identity: Default: - ""
+            '''The origin as an Amazon S3 bucket.
+
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `Origin <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html>`_ instead.
+
+            :param dns_name: The domain name assigned to your CloudFront distribution.
+            :param origin_access_identity: The CloudFront origin access identity to associate with the distribution. Use an origin access identity to configure the distribution so that end users can only access objects in an Amazon S3 through CloudFront . .. epigraph:: This property is legacy. We recommend that you use `OriginAccessControl <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-originaccesscontrol.html>`_ instead. Default: - ""
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacys3origin.html
             :exampleMetadata: fixture=_generated
@@ -7355,7 +7406,8 @@ class CfnDistribution(
 
         @builtins.property
         def dns_name(self) -> builtins.str:
-            '''
+            '''The domain name assigned to your CloudFront distribution.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacys3origin.html#cfn-cloudfront-distribution-legacys3origin-dnsname
             '''
             result = self._values.get("dns_name")
@@ -7364,7 +7416,13 @@ class CfnDistribution(
 
         @builtins.property
         def origin_access_identity(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The CloudFront origin access identity to associate with the distribution.
+
+            Use an origin access identity to configure the distribution so that end users can only access objects in an Amazon S3 through CloudFront .
+            .. epigraph::
+
+               This property is legacy. We recommend that you use `OriginAccessControl <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-originaccesscontrol.html>`_ instead.
+
             :default: - ""
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-legacys3origin.html#cfn-cloudfront-distribution-legacys3origin-originaccessidentity
@@ -22709,6 +22767,18 @@ class CachePolicy(
         '''Designed for use with an origin that is an AWS Elemental MediaPackage endpoint.'''
         return typing.cast(ICachePolicy, jsii.sget(cls, "ELEMENTAL_MEDIA_PACKAGE"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="USE_ORIGIN_CACHE_CONTROL_HEADERS")
+    def USE_ORIGIN_CACHE_CONTROL_HEADERS(cls) -> ICachePolicy:
+        '''Designed for use with an origin that returns Cache-Control HTTP response headers and does not serve different content based on values present in the query string.'''
+        return typing.cast(ICachePolicy, jsii.sget(cls, "USE_ORIGIN_CACHE_CONTROL_HEADERS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="USE_ORIGIN_CACHE_CONTROL_HEADERS_QUERY_STRINGS")
+    def USE_ORIGIN_CACHE_CONTROL_HEADERS_QUERY_STRINGS(cls) -> ICachePolicy:
+        '''Designed for use with an origin that returns Cache-Control HTTP response headers and serves different content based on values present in the query string.'''
+        return typing.cast(ICachePolicy, jsii.sget(cls, "USE_ORIGIN_CACHE_CONTROL_HEADERS_QUERY_STRINGS"))
+
     @builtins.property
     @jsii.member(jsii_name="cachePolicyId")
     def cache_policy_id(self) -> builtins.str:

aws_cdk/aws_cloudtrail/__init__.py

@@ -1248,7 +1248,7 @@ class CfnEventDataStore(
         ) -> None:
             '''A single selector statement in an advanced event selector.
 
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::FlowAlias`` - ``AWS::Bedrock::Guardrail`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::DynamoDB::Table`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::Lambda::Function`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PaymentCryptography::Alias`` - ``AWS::PaymentCryptography::Key`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3::Object`` - ``AWS::S3Express::Object`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::FlowAlias`` - ``AWS::Bedrock::Guardrail`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::DynamoDB::Table`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::Lambda::Function`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::One::UKey`` - ``AWS::One::User`` - ``AWS::PaymentCryptography::Alias`` - ``AWS::PaymentCryptography::Key`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3::Object`` - ``AWS::S3Express::Object`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -1366,6 +1366,8 @@ class CfnEventDataStore(
             - ``AWS::ManagedBlockchain::Node``
             - ``AWS::MedicalImaging::Datastore``
             - ``AWS::NeptuneGraph::Graph``
+            - ``AWS::One::UKey``
+            - ``AWS::One::User``
             - ``AWS::PaymentCryptography::Alias``
             - ``AWS::PaymentCryptography::Key``
             - ``AWS::PCAConnectorAD::Connector``
@@ -2675,7 +2677,7 @@ class CfnTrail(
         ) -> None:
             '''A single selector statement in an advanced event selector.
 
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::FlowAlias`` - ``AWS::Bedrock::Guardrail`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::DynamoDB::Table`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::Lambda::Function`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PaymentCryptography::Alias`` - ``AWS::PaymentCryptography::Key`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3::Object`` - ``AWS::S3Express::Object`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::FlowAlias`` - ``AWS::Bedrock::Guardrail`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::DynamoDB::Table`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::Lambda::Function`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::One::UKey`` - ``AWS::One::User`` - ``AWS::PaymentCryptography::Alias`` - ``AWS::PaymentCryptography::Key`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3::Object`` - ``AWS::S3Express::Object`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -2793,6 +2795,8 @@ class CfnTrail(
             - ``AWS::ManagedBlockchain::Node``
             - ``AWS::MedicalImaging::Datastore``
             - ``AWS::NeptuneGraph::Graph``
+            - ``AWS::One::UKey``
+            - ``AWS::One::User``
             - ``AWS::PaymentCryptography::Alias``
             - ``AWS::PaymentCryptography::Key``
             - ``AWS::PCAConnectorAD::Connector``