aws-cdk-lib 2.151.1__py3-none-any.whl → 2.153.0__py3-none-any.whl

aws_cdk/aws_lambda_event_sources/__init__.py

@@ -324,6 +324,36 @@ my_function.add_event_source(ManagedKafkaEventSource(
 ))
 ```
 
+By default, Lambda will encrypt Filter Criteria using AWS managed keys. But if you want to use a self managed KMS key to encrypt the filters, You can specify the self managed key using the `filterEncryption` property.
+
+```python
+from aws_cdk.aws_lambda_event_sources import ManagedKafkaEventSource
+from aws_cdk.aws_kms import Key
+
+# my_function: lambda.Function
+
+
+# Your MSK cluster arn
+cluster_arn = "arn:aws:kafka:us-east-1:0123456789019:cluster/SalesCluster/abcd1234-abcd-cafe-abab-9876543210ab-4"
+
+# The Kafka topic you want to subscribe to
+topic = "some-cool-topic"
+
+# Your self managed KMS key
+my_key = Key.from_key_arn(self, "SourceBucketEncryptionKey", "arn:aws:kms:us-east-1:123456789012:key/<key-id>")
+my_function.add_event_source(ManagedKafkaEventSource(
+    cluster_arn=cluster_arn,
+    topic=topic,
+    starting_position=lambda_.StartingPosition.TRIM_HORIZON,
+    filters=[
+        lambda_.FilterCriteria.filter({
+            "string_equals": lambda_.FilterRule.is_equal("test")
+        })
+    ],
+    filter_encryption=my_key
+))
+```
+
 You can also specify an S3 bucket as an "on failure" destination:
 
 ```python
@@ -391,6 +421,7 @@ from ..aws_ec2 import (
     SubnetSelection as _SubnetSelection_e57d76df,
 )
 from ..aws_kinesis import IStream as _IStream_4e2457d2
+from ..aws_kms import IKey as _IKey_5f11635f
 from ..aws_lambda import (
     DlqDestinationConfig as _DlqDestinationConfig_5fe54cfa,
     EventSourceMappingOptions as _EventSourceMappingOptions_b3f2bb85,
@@ -677,6 +708,7 @@ class BaseStreamEventSourceProps:
         "max_batching_window": "maxBatchingWindow",
         "topic": "topic",
         "consumer_group_id": "consumerGroupId",
+        "filter_encryption": "filterEncryption",
         "filters": "filters",
         "on_failure": "onFailure",
         "secret": "secret",
@@ -692,6 +724,7 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         topic: builtins.str,
         consumer_group_id: typing.Optional[builtins.str] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
         secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -704,6 +737,7 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Maximum of Duration.minutes(5). Default: - Duration.seconds(0) for Kinesis, DynamoDB, and SQS event sources, Duration.millis(500) for MSK, self-managed Kafka, and Amazon MQ.
         :param topic: The Kafka topic to subscribe to.
         :param consumer_group_id: The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. The value must have a lenght between 1 and 200 and full the pattern '[a-zA-Z0-9-/*:_+=.@-]*'. Default: - none
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria to Event Source. Default: - none
         :param on_failure: Add an on Failure Destination for this Kafka event. SNS/SQS/S3 are supported Default: - discarded records are ignored
         :param secret: The secret with the Kafka credentials, see https://docs.aws.amazon.com/msk/latest/developerguide/msk-password.html for details This field is required if your Kafka brokers are accessed over the Internet. Default: none
@@ -715,12 +749,14 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
             # The code below shows an example of how to instantiate this type.
             # The values are placeholders you should change.
             import aws_cdk as cdk
+            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_lambda as lambda_
             from aws_cdk import aws_lambda_event_sources as lambda_event_sources
             from aws_cdk import aws_secretsmanager as secretsmanager
             
             # event_source_dlq: lambda.IEventSourceDlq
             # filters: Any
+            # key: kms.Key
             # secret: secretsmanager.Secret
             
             kafka_event_source_props = lambda_event_sources.KafkaEventSourceProps(
@@ -731,6 +767,7 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
                 batch_size=123,
                 consumer_group_id="consumerGroupId",
                 enabled=False,
+                filter_encryption=key,
                 filters=[{
                     "filters_key": filters
                 }],
@@ -747,6 +784,7 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
             check_type(argname="argument max_batching_window", value=max_batching_window, expected_type=type_hints["max_batching_window"])
             check_type(argname="argument topic", value=topic, expected_type=type_hints["topic"])
             check_type(argname="argument consumer_group_id", value=consumer_group_id, expected_type=type_hints["consumer_group_id"])
+            check_type(argname="argument filter_encryption", value=filter_encryption, expected_type=type_hints["filter_encryption"])
             check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
             check_type(argname="argument on_failure", value=on_failure, expected_type=type_hints["on_failure"])
             check_type(argname="argument secret", value=secret, expected_type=type_hints["secret"])
@@ -762,6 +800,8 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
             self._values["max_batching_window"] = max_batching_window
         if consumer_group_id is not None:
             self._values["consumer_group_id"] = consumer_group_id
+        if filter_encryption is not None:
+            self._values["filter_encryption"] = filter_encryption
         if filters is not None:
             self._values["filters"] = filters
         if on_failure is not None:
@@ -838,6 +878,17 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
         result = self._values.get("consumer_group_id")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def filter_encryption(self) -> typing.Optional[_IKey_5f11635f]:
+        '''Add Customer managed KMS key to encrypt Filter Criteria.
+
+        :default: - none
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+        '''
+        result = self._values.get("filter_encryption")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def filters(
         self,
@@ -893,6 +944,7 @@ class KafkaEventSourceProps(BaseStreamEventSourceProps):
         "max_batching_window": "maxBatchingWindow",
         "topic": "topic",
         "consumer_group_id": "consumerGroupId",
+        "filter_encryption": "filterEncryption",
         "filters": "filters",
         "on_failure": "onFailure",
         "secret": "secret",
@@ -909,6 +961,7 @@ class ManagedKafkaEventSourceProps(KafkaEventSourceProps):
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         topic: builtins.str,
         consumer_group_id: typing.Optional[builtins.str] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
         secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -922,6 +975,7 @@ class ManagedKafkaEventSourceProps(KafkaEventSourceProps):
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Maximum of Duration.minutes(5). Default: - Duration.seconds(0) for Kinesis, DynamoDB, and SQS event sources, Duration.millis(500) for MSK, self-managed Kafka, and Amazon MQ.
         :param topic: The Kafka topic to subscribe to.
         :param consumer_group_id: The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. The value must have a lenght between 1 and 200 and full the pattern '[a-zA-Z0-9-/*:_+=.@-]*'. Default: - none
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria to Event Source. Default: - none
         :param on_failure: Add an on Failure Destination for this Kafka event. SNS/SQS/S3 are supported Default: - discarded records are ignored
         :param secret: The secret with the Kafka credentials, see https://docs.aws.amazon.com/msk/latest/developerguide/msk-password.html for details This field is required if your Kafka brokers are accessed over the Internet. Default: none
@@ -962,6 +1016,7 @@ class ManagedKafkaEventSourceProps(KafkaEventSourceProps):
             check_type(argname="argument max_batching_window", value=max_batching_window, expected_type=type_hints["max_batching_window"])
             check_type(argname="argument topic", value=topic, expected_type=type_hints["topic"])
             check_type(argname="argument consumer_group_id", value=consumer_group_id, expected_type=type_hints["consumer_group_id"])
+            check_type(argname="argument filter_encryption", value=filter_encryption, expected_type=type_hints["filter_encryption"])
             check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
             check_type(argname="argument on_failure", value=on_failure, expected_type=type_hints["on_failure"])
             check_type(argname="argument secret", value=secret, expected_type=type_hints["secret"])
@@ -979,6 +1034,8 @@ class ManagedKafkaEventSourceProps(KafkaEventSourceProps):
             self._values["max_batching_window"] = max_batching_window
         if consumer_group_id is not None:
             self._values["consumer_group_id"] = consumer_group_id
+        if filter_encryption is not None:
+            self._values["filter_encryption"] = filter_encryption
         if filters is not None:
             self._values["filters"] = filters
         if on_failure is not None:
@@ -1055,6 +1112,17 @@ class ManagedKafkaEventSourceProps(KafkaEventSourceProps):
         result = self._values.get("consumer_group_id")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def filter_encryption(self) -> typing.Optional[_IKey_5f11635f]:
+        '''Add Customer managed KMS key to encrypt Filter Criteria.
+
+        :default: - none
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+        '''
+        result = self._values.get("filter_encryption")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def filters(
         self,
@@ -1364,6 +1432,7 @@ class S3OnFailureDestination(
         "max_batching_window": "maxBatchingWindow",
         "topic": "topic",
         "consumer_group_id": "consumerGroupId",
+        "filter_encryption": "filterEncryption",
         "filters": "filters",
         "on_failure": "onFailure",
         "secret": "secret",
@@ -1385,6 +1454,7 @@ class SelfManagedKafkaEventSourceProps(KafkaEventSourceProps):
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         topic: builtins.str,
         consumer_group_id: typing.Optional[builtins.str] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
         secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -1405,6 +1475,7 @@ class SelfManagedKafkaEventSourceProps(KafkaEventSourceProps):
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Maximum of Duration.minutes(5). Default: - Duration.seconds(0) for Kinesis, DynamoDB, and SQS event sources, Duration.millis(500) for MSK, self-managed Kafka, and Amazon MQ.
         :param topic: The Kafka topic to subscribe to.
         :param consumer_group_id: The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. The value must have a lenght between 1 and 200 and full the pattern '[a-zA-Z0-9-/*:_+=.@-]*'. Default: - none
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria to Event Source. Default: - none
         :param on_failure: Add an on Failure Destination for this Kafka event. SNS/SQS/S3 are supported Default: - discarded records are ignored
         :param secret: The secret with the Kafka credentials, see https://docs.aws.amazon.com/msk/latest/developerguide/msk-password.html for details This field is required if your Kafka brokers are accessed over the Internet. Default: none
@@ -1455,6 +1526,7 @@ class SelfManagedKafkaEventSourceProps(KafkaEventSourceProps):
             check_type(argname="argument max_batching_window", value=max_batching_window, expected_type=type_hints["max_batching_window"])
             check_type(argname="argument topic", value=topic, expected_type=type_hints["topic"])
             check_type(argname="argument consumer_group_id", value=consumer_group_id, expected_type=type_hints["consumer_group_id"])
+            check_type(argname="argument filter_encryption", value=filter_encryption, expected_type=type_hints["filter_encryption"])
             check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
             check_type(argname="argument on_failure", value=on_failure, expected_type=type_hints["on_failure"])
             check_type(argname="argument secret", value=secret, expected_type=type_hints["secret"])
@@ -1477,6 +1549,8 @@ class SelfManagedKafkaEventSourceProps(KafkaEventSourceProps):
             self._values["max_batching_window"] = max_batching_window
         if consumer_group_id is not None:
             self._values["consumer_group_id"] = consumer_group_id
+        if filter_encryption is not None:
+            self._values["filter_encryption"] = filter_encryption
         if filters is not None:
             self._values["filters"] = filters
         if on_failure is not None:
@@ -1563,6 +1637,17 @@ class SelfManagedKafkaEventSourceProps(KafkaEventSourceProps):
         result = self._values.get("consumer_group_id")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def filter_encryption(self) -> typing.Optional[_IKey_5f11635f]:
+        '''Add Customer managed KMS key to encrypt Filter Criteria.
+
+        :default: - none
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+        '''
+        result = self._values.get("filter_encryption")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def filters(
         self,
@@ -1960,6 +2045,7 @@ class SqsEventSource(
         *,
         batch_size: typing.Optional[jsii.Number] = None,
         enabled: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         max_concurrency: typing.Optional[jsii.Number] = None,
@@ -1969,6 +2055,7 @@ class SqsEventSource(
         :param queue: -
         :param batch_size: The largest number of records that AWS Lambda will retrieve from your event source at the time of invoking your function. Your function receives an event with all the retrieved records. Valid Range: Minimum value of 1. Maximum value of 10. If ``maxBatchingWindow`` is configured, this value can go up to 10,000. Default: 10
         :param enabled: If the SQS event source mapping should be enabled. Default: true
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Valid Range: Minimum value of 0 minutes. Maximum value of 5 minutes. Default: - no batching window. The lambda function will be invoked immediately with the records that are available.
         :param max_concurrency: The maximum concurrency setting limits the number of concurrent instances of the function that an Amazon SQS event source can invoke. Default: - No specific limit.
@@ -1980,6 +2067,7 @@ class SqsEventSource(
         props = SqsEventSourceProps(
             batch_size=batch_size,
             enabled=enabled,
+            filter_encryption=filter_encryption,
             filters=filters,
             max_batching_window=max_batching_window,
             max_concurrency=max_concurrency,
@@ -2023,6 +2111,7 @@ class SqsEventSource(
     name_mapping={
         "batch_size": "batchSize",
         "enabled": "enabled",
+        "filter_encryption": "filterEncryption",
         "filters": "filters",
         "max_batching_window": "maxBatchingWindow",
         "max_concurrency": "maxConcurrency",
@@ -2035,6 +2124,7 @@ class SqsEventSourceProps:
         *,
         batch_size: typing.Optional[jsii.Number] = None,
         enabled: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         max_concurrency: typing.Optional[jsii.Number] = None,
@@ -2043,6 +2133,7 @@ class SqsEventSourceProps:
         '''
         :param batch_size: The largest number of records that AWS Lambda will retrieve from your event source at the time of invoking your function. Your function receives an event with all the retrieved records. Valid Range: Minimum value of 1. Maximum value of 10. If ``maxBatchingWindow`` is configured, this value can go up to 10,000. Default: 10
         :param enabled: If the SQS event source mapping should be enabled. Default: true
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Valid Range: Minimum value of 0 minutes. Maximum value of 5 minutes. Default: - no batching window. The lambda function will be invoked immediately with the records that are available.
         :param max_concurrency: The maximum concurrency setting limits the number of concurrent instances of the function that an Amazon SQS event source can invoke. Default: - No specific limit.
@@ -2070,6 +2161,7 @@ class SqsEventSourceProps:
             type_hints = typing.get_type_hints(_typecheckingstub__15f8ac7c8dd3ede272e50988fdcd091f07e9c5d7ef95ab596dc66b4c940652b4)
             check_type(argname="argument batch_size", value=batch_size, expected_type=type_hints["batch_size"])
             check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
+            check_type(argname="argument filter_encryption", value=filter_encryption, expected_type=type_hints["filter_encryption"])
             check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
             check_type(argname="argument max_batching_window", value=max_batching_window, expected_type=type_hints["max_batching_window"])
             check_type(argname="argument max_concurrency", value=max_concurrency, expected_type=type_hints["max_concurrency"])
@@ -2079,6 +2171,8 @@ class SqsEventSourceProps:
             self._values["batch_size"] = batch_size
         if enabled is not None:
             self._values["enabled"] = enabled
+        if filter_encryption is not None:
+            self._values["filter_encryption"] = filter_encryption
         if filters is not None:
             self._values["filters"] = filters
         if max_batching_window is not None:
@@ -2112,6 +2206,17 @@ class SqsEventSourceProps:
         result = self._values.get("enabled")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def filter_encryption(self) -> typing.Optional[_IKey_5f11635f]:
+        '''Add Customer managed KMS key to encrypt Filter Criteria.
+
+        :default: - none
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+        '''
+        result = self._values.get("filter_encryption")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def filters(
         self,
@@ -2183,6 +2288,7 @@ class StreamEventSource(
         self,
         *,
         bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_record_age: typing.Optional[_Duration_4839e8c3] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -2197,6 +2303,7 @@ class StreamEventSource(
     ) -> None:
         '''
         :param bisect_batch_on_error: If the function returns an error, split the batch in two and retry. Default: false
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_record_age: The maximum age of a record that Lambda sends to a function for processing. Valid Range: - Minimum value of 60 seconds - Maximum value of 7 days The default value is -1, which sets the maximum age to infinite. When the value is set to infinite, Lambda never discards old records. Record are valid until it expires in the event source. Default: -1
         :param on_failure: An Amazon SQS queue or Amazon SNS topic destination for discarded records. Default: - discarded records are ignored
@@ -2211,6 +2318,7 @@ class StreamEventSource(
         '''
         props = StreamEventSourceProps(
             bisect_batch_on_error=bisect_batch_on_error,
+            filter_encryption=filter_encryption,
             filters=filters,
             max_record_age=max_record_age,
             on_failure=on_failure,
@@ -2243,6 +2351,7 @@ class StreamEventSource(
         bisect_batch_on_error: typing.Optional[builtins.bool] = None,
         enabled: typing.Optional[builtins.bool] = None,
         event_source_arn: typing.Optional[builtins.str] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         kafka_bootstrap_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         kafka_consumer_group_id: typing.Optional[builtins.str] = None,
@@ -2265,6 +2374,7 @@ class StreamEventSource(
         :param bisect_batch_on_error: If the function returns an error, split the batch in two and retry. Default: false
         :param enabled: Set to false to disable the event source upon creation. Default: true
         :param event_source_arn: The Amazon Resource Name (ARN) of the event source. Any record added to this stream can invoke the Lambda function. Default: - not set if using a self managed Kafka cluster, throws an error otherwise
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria to Event Source. Default: - none
         :param kafka_bootstrap_servers: A list of host and port pairs that are the addresses of the Kafka brokers in a self managed "bootstrap" Kafka cluster that a Kafka client connects to initially to bootstrap itself. They are in the format ``abc.example.com:9096``. Default: - none
         :param kafka_consumer_group_id: The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. The value must have a lenght between 1 and 200 and full the pattern '[a-zA-Z0-9-/*:_+=.@-]*'. For more information, see `Customizable consumer group ID <https://docs.aws.amazon.com/lambda/latest/dg/with-msk.html#services-msk-consumer-group-id>`_. Default: - none
@@ -2287,6 +2397,7 @@ class StreamEventSource(
             bisect_batch_on_error=bisect_batch_on_error,
             enabled=enabled,
             event_source_arn=event_source_arn,
+            filter_encryption=filter_encryption,
             filters=filters,
             kafka_bootstrap_servers=kafka_bootstrap_servers,
             kafka_consumer_group_id=kafka_consumer_group_id,
@@ -2338,6 +2449,7 @@ typing.cast(typing.Any, StreamEventSource).__jsii_proxy_class__ = lambda : _Stre
         "enabled": "enabled",
         "max_batching_window": "maxBatchingWindow",
         "bisect_batch_on_error": "bisectBatchOnError",
+        "filter_encryption": "filterEncryption",
         "filters": "filters",
         "max_record_age": "maxRecordAge",
         "on_failure": "onFailure",
@@ -2356,6 +2468,7 @@ class StreamEventSourceProps(BaseStreamEventSourceProps):
         enabled: typing.Optional[builtins.bool] = None,
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_record_age: typing.Optional[_Duration_4839e8c3] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -2371,6 +2484,7 @@ class StreamEventSourceProps(BaseStreamEventSourceProps):
         :param enabled: If the stream event source mapping should be enabled. Default: true
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Maximum of Duration.minutes(5). Default: - Duration.seconds(0) for Kinesis, DynamoDB, and SQS event sources, Duration.millis(500) for MSK, self-managed Kafka, and Amazon MQ.
         :param bisect_batch_on_error: If the function returns an error, split the batch in two and retry. Default: false
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_record_age: The maximum age of a record that Lambda sends to a function for processing. Valid Range: - Minimum value of 60 seconds - Maximum value of 7 days The default value is -1, which sets the maximum age to infinite. When the value is set to infinite, Lambda never discards old records. Record are valid until it expires in the event source. Default: -1
         :param on_failure: An Amazon SQS queue or Amazon SNS topic destination for discarded records. Default: - discarded records are ignored
@@ -2386,11 +2500,13 @@ class StreamEventSourceProps(BaseStreamEventSourceProps):
             # The code below shows an example of how to instantiate this type.
             # The values are placeholders you should change.
             import aws_cdk as cdk
+            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_lambda as lambda_
             from aws_cdk import aws_lambda_event_sources as lambda_event_sources
             
             # event_source_dlq: lambda.IEventSourceDlq
             # filters: Any
+            # key: kms.Key
             
             stream_event_source_props = lambda_event_sources.StreamEventSourceProps(
                 starting_position=lambda_.StartingPosition.TRIM_HORIZON,
@@ -2399,6 +2515,7 @@ class StreamEventSourceProps(BaseStreamEventSourceProps):
                 batch_size=123,
                 bisect_batch_on_error=False,
                 enabled=False,
+                filter_encryption=key,
                 filters=[{
                     "filters_key": filters
                 }],
@@ -2418,6 +2535,7 @@ class StreamEventSourceProps(BaseStreamEventSourceProps):
             check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
             check_type(argname="argument max_batching_window", value=max_batching_window, expected_type=type_hints["max_batching_window"])
             check_type(argname="argument bisect_batch_on_error", value=bisect_batch_on_error, expected_type=type_hints["bisect_batch_on_error"])
+            check_type(argname="argument filter_encryption", value=filter_encryption, expected_type=type_hints["filter_encryption"])
             check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
             check_type(argname="argument max_record_age", value=max_record_age, expected_type=type_hints["max_record_age"])
             check_type(argname="argument on_failure", value=on_failure, expected_type=type_hints["on_failure"])
@@ -2436,6 +2554,8 @@ class StreamEventSourceProps(BaseStreamEventSourceProps):
             self._values["max_batching_window"] = max_batching_window
         if bisect_batch_on_error is not None:
             self._values["bisect_batch_on_error"] = bisect_batch_on_error
+        if filter_encryption is not None:
+            self._values["filter_encryption"] = filter_encryption
         if filters is not None:
             self._values["filters"] = filters
         if max_record_age is not None:
@@ -2509,6 +2629,17 @@ class StreamEventSourceProps(BaseStreamEventSourceProps):
         result = self._values.get("bisect_batch_on_error")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def filter_encryption(self) -> typing.Optional[_IKey_5f11635f]:
+        '''Add Customer managed KMS key to encrypt Filter Criteria.
+
+        :default: - none
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+        '''
+        result = self._values.get("filter_encryption")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def filters(
         self,
@@ -2640,6 +2771,7 @@ class DynamoEventSource(
         table: _ITable_504fd401,
         *,
         bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_record_age: typing.Optional[_Duration_4839e8c3] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -2655,6 +2787,7 @@ class DynamoEventSource(
         '''
         :param table: -
         :param bisect_batch_on_error: If the function returns an error, split the batch in two and retry. Default: false
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_record_age: The maximum age of a record that Lambda sends to a function for processing. Valid Range: - Minimum value of 60 seconds - Maximum value of 7 days The default value is -1, which sets the maximum age to infinite. When the value is set to infinite, Lambda never discards old records. Record are valid until it expires in the event source. Default: -1
         :param on_failure: An Amazon SQS queue or Amazon SNS topic destination for discarded records. Default: - discarded records are ignored
@@ -2672,6 +2805,7 @@ class DynamoEventSource(
             check_type(argname="argument table", value=table, expected_type=type_hints["table"])
         props = DynamoEventSourceProps(
             bisect_batch_on_error=bisect_batch_on_error,
+            filter_encryption=filter_encryption,
             filters=filters,
             max_record_age=max_record_age,
             on_failure=on_failure,
@@ -2720,6 +2854,7 @@ class DynamoEventSource(
         "enabled": "enabled",
         "max_batching_window": "maxBatchingWindow",
         "bisect_batch_on_error": "bisectBatchOnError",
+        "filter_encryption": "filterEncryption",
         "filters": "filters",
         "max_record_age": "maxRecordAge",
         "on_failure": "onFailure",
@@ -2738,6 +2873,7 @@ class DynamoEventSourceProps(StreamEventSourceProps):
         enabled: typing.Optional[builtins.bool] = None,
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_record_age: typing.Optional[_Duration_4839e8c3] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -2752,6 +2888,7 @@ class DynamoEventSourceProps(StreamEventSourceProps):
         :param enabled: If the stream event source mapping should be enabled. Default: true
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Maximum of Duration.minutes(5). Default: - Duration.seconds(0) for Kinesis, DynamoDB, and SQS event sources, Duration.millis(500) for MSK, self-managed Kafka, and Amazon MQ.
         :param bisect_batch_on_error: If the function returns an error, split the batch in two and retry. Default: false
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_record_age: The maximum age of a record that Lambda sends to a function for processing. Valid Range: - Minimum value of 60 seconds - Maximum value of 7 days The default value is -1, which sets the maximum age to infinite. When the value is set to infinite, Lambda never discards old records. Record are valid until it expires in the event source. Default: -1
         :param on_failure: An Amazon SQS queue or Amazon SNS topic destination for discarded records. Default: - discarded records are ignored
@@ -2788,6 +2925,7 @@ class DynamoEventSourceProps(StreamEventSourceProps):
             check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
             check_type(argname="argument max_batching_window", value=max_batching_window, expected_type=type_hints["max_batching_window"])
             check_type(argname="argument bisect_batch_on_error", value=bisect_batch_on_error, expected_type=type_hints["bisect_batch_on_error"])
+            check_type(argname="argument filter_encryption", value=filter_encryption, expected_type=type_hints["filter_encryption"])
             check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
             check_type(argname="argument max_record_age", value=max_record_age, expected_type=type_hints["max_record_age"])
             check_type(argname="argument on_failure", value=on_failure, expected_type=type_hints["on_failure"])
@@ -2806,6 +2944,8 @@ class DynamoEventSourceProps(StreamEventSourceProps):
             self._values["max_batching_window"] = max_batching_window
         if bisect_batch_on_error is not None:
             self._values["bisect_batch_on_error"] = bisect_batch_on_error
+        if filter_encryption is not None:
+            self._values["filter_encryption"] = filter_encryption
         if filters is not None:
             self._values["filters"] = filters
         if max_record_age is not None:
@@ -2879,6 +3019,17 @@ class DynamoEventSourceProps(StreamEventSourceProps):
         result = self._values.get("bisect_batch_on_error")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def filter_encryption(self) -> typing.Optional[_IKey_5f11635f]:
+        '''Add Customer managed KMS key to encrypt Filter Criteria.
+
+        :default: - none
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+        '''
+        result = self._values.get("filter_encryption")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def filters(
         self,
@@ -3006,6 +3157,7 @@ class KinesisEventSource(
         *,
         starting_position_timestamp: typing.Optional[jsii.Number] = None,
         bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_record_age: typing.Optional[_Duration_4839e8c3] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -3022,6 +3174,7 @@ class KinesisEventSource(
         :param stream: -
         :param starting_position_timestamp: The time from which to start reading, in Unix time seconds. Default: - no timestamp
         :param bisect_batch_on_error: If the function returns an error, split the batch in two and retry. Default: false
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_record_age: The maximum age of a record that Lambda sends to a function for processing. Valid Range: - Minimum value of 60 seconds - Maximum value of 7 days The default value is -1, which sets the maximum age to infinite. When the value is set to infinite, Lambda never discards old records. Record are valid until it expires in the event source. Default: -1
         :param on_failure: An Amazon SQS queue or Amazon SNS topic destination for discarded records. Default: - discarded records are ignored
@@ -3040,6 +3193,7 @@ class KinesisEventSource(
         props = KinesisEventSourceProps(
             starting_position_timestamp=starting_position_timestamp,
             bisect_batch_on_error=bisect_batch_on_error,
+            filter_encryption=filter_encryption,
             filters=filters,
             max_record_age=max_record_age,
             on_failure=on_failure,
@@ -3093,6 +3247,7 @@ class KinesisEventSource(
         "enabled": "enabled",
         "max_batching_window": "maxBatchingWindow",
         "bisect_batch_on_error": "bisectBatchOnError",
+        "filter_encryption": "filterEncryption",
         "filters": "filters",
         "max_record_age": "maxRecordAge",
         "on_failure": "onFailure",
@@ -3112,6 +3267,7 @@ class KinesisEventSourceProps(StreamEventSourceProps):
         enabled: typing.Optional[builtins.bool] = None,
         max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
         bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         max_record_age: typing.Optional[_Duration_4839e8c3] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -3127,6 +3283,7 @@ class KinesisEventSourceProps(StreamEventSourceProps):
         :param enabled: If the stream event source mapping should be enabled. Default: true
         :param max_batching_window: The maximum amount of time to gather records before invoking the function. Maximum of Duration.minutes(5). Default: - Duration.seconds(0) for Kinesis, DynamoDB, and SQS event sources, Duration.millis(500) for MSK, self-managed Kafka, and Amazon MQ.
         :param bisect_batch_on_error: If the function returns an error, split the batch in two and retry. Default: false
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria option. Default: - None
         :param max_record_age: The maximum age of a record that Lambda sends to a function for processing. Valid Range: - Minimum value of 60 seconds - Maximum value of 7 days The default value is -1, which sets the maximum age to infinite. When the value is set to infinite, Lambda never discards old records. Record are valid until it expires in the event source. Default: -1
         :param on_failure: An Amazon SQS queue or Amazon SNS topic destination for discarded records. Default: - discarded records are ignored
@@ -3159,6 +3316,7 @@ class KinesisEventSourceProps(StreamEventSourceProps):
             check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
             check_type(argname="argument max_batching_window", value=max_batching_window, expected_type=type_hints["max_batching_window"])
             check_type(argname="argument bisect_batch_on_error", value=bisect_batch_on_error, expected_type=type_hints["bisect_batch_on_error"])
+            check_type(argname="argument filter_encryption", value=filter_encryption, expected_type=type_hints["filter_encryption"])
             check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
             check_type(argname="argument max_record_age", value=max_record_age, expected_type=type_hints["max_record_age"])
             check_type(argname="argument on_failure", value=on_failure, expected_type=type_hints["on_failure"])
@@ -3178,6 +3336,8 @@ class KinesisEventSourceProps(StreamEventSourceProps):
             self._values["max_batching_window"] = max_batching_window
         if bisect_batch_on_error is not None:
             self._values["bisect_batch_on_error"] = bisect_batch_on_error
+        if filter_encryption is not None:
+            self._values["filter_encryption"] = filter_encryption
         if filters is not None:
             self._values["filters"] = filters
         if max_record_age is not None:
@@ -3253,6 +3413,17 @@ class KinesisEventSourceProps(StreamEventSourceProps):
         result = self._values.get("bisect_batch_on_error")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def filter_encryption(self) -> typing.Optional[_IKey_5f11635f]:
+        '''Add Customer managed KMS key to encrypt Filter Criteria.
+
+        :default: - none
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+        '''
+        result = self._values.get("filter_encryption")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def filters(
         self,
@@ -3400,6 +3571,7 @@ class ManagedKafkaEventSource(
         cluster_arn: builtins.str,
         topic: builtins.str,
         consumer_group_id: typing.Optional[builtins.str] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
         secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -3412,6 +3584,7 @@ class ManagedKafkaEventSource(
         :param cluster_arn: An MSK cluster construct.
         :param topic: The Kafka topic to subscribe to.
         :param consumer_group_id: The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. The value must have a lenght between 1 and 200 and full the pattern '[a-zA-Z0-9-/*:_+=.@-]*'. Default: - none
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria to Event Source. Default: - none
         :param on_failure: Add an on Failure Destination for this Kafka event. SNS/SQS/S3 are supported Default: - discarded records are ignored
         :param secret: The secret with the Kafka credentials, see https://docs.aws.amazon.com/msk/latest/developerguide/msk-password.html for details This field is required if your Kafka brokers are accessed over the Internet. Default: none
@@ -3424,6 +3597,7 @@ class ManagedKafkaEventSource(
             cluster_arn=cluster_arn,
             topic=topic,
             consumer_group_id=consumer_group_id,
+            filter_encryption=filter_encryption,
             filters=filters,
             on_failure=on_failure,
             secret=secret,
@@ -3508,6 +3682,7 @@ class SelfManagedKafkaEventSource(
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
         topic: builtins.str,
         consumer_group_id: typing.Optional[builtins.str] = None,
+        filter_encryption: typing.Optional[_IKey_5f11635f] = None,
         filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
         on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
         secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -3525,6 +3700,7 @@ class SelfManagedKafkaEventSource(
         :param vpc_subnets: If your Kafka brokers are only reachable via VPC, provide the subnets selection here. Default: - none, required if setting vpc
         :param topic: The Kafka topic to subscribe to.
         :param consumer_group_id: The identifier for the Kafka consumer group to join. The consumer group ID must be unique among all your Kafka event sources. After creating a Kafka event source mapping with the consumer group ID specified, you cannot update this value. The value must have a lenght between 1 and 200 and full the pattern '[a-zA-Z0-9-/*:_+=.@-]*'. Default: - none
+        :param filter_encryption: Add Customer managed KMS key to encrypt Filter Criteria. Default: - none
         :param filters: Add filter criteria to Event Source. Default: - none
         :param on_failure: Add an on Failure Destination for this Kafka event. SNS/SQS/S3 are supported Default: - discarded records are ignored
         :param secret: The secret with the Kafka credentials, see https://docs.aws.amazon.com/msk/latest/developerguide/msk-password.html for details This field is required if your Kafka brokers are accessed over the Internet. Default: none
@@ -3542,6 +3718,7 @@ class SelfManagedKafkaEventSource(
             vpc_subnets=vpc_subnets,
             topic=topic,
             consumer_group_id=consumer_group_id,
+            filter_encryption=filter_encryption,
             filters=filters,
             on_failure=on_failure,
             secret=secret,
@@ -3636,6 +3813,7 @@ def _typecheckingstub__980041697091a50415a7444df02a046d910ddd83f1229789d80780bf7
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     topic: builtins.str,
     consumer_group_id: typing.Optional[builtins.str] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
     secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -3651,6 +3829,7 @@ def _typecheckingstub__e930f585c1bae37174885c54f0f224909bfb0a75d9f1b652bbcf33461
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     topic: builtins.str,
     consumer_group_id: typing.Optional[builtins.str] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
     secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -3718,6 +3897,7 @@ def _typecheckingstub__0100a45aa91b9c2103378e2ba54dd41b054f1d6a50733797256d6971b
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     topic: builtins.str,
     consumer_group_id: typing.Optional[builtins.str] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
     secret: typing.Optional[_ISecret_6e020e6a] = None,
@@ -3787,6 +3967,7 @@ def _typecheckingstub__bf54c2a4adfa05b385a456a89f23dd0699f8e61461cae79f7a40b0a82
     *,
     batch_size: typing.Optional[jsii.Number] = None,
     enabled: typing.Optional[builtins.bool] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     max_concurrency: typing.Optional[jsii.Number] = None,
@@ -3805,6 +3986,7 @@ def _typecheckingstub__15f8ac7c8dd3ede272e50988fdcd091f07e9c5d7ef95ab596dc66b4c9
     *,
     batch_size: typing.Optional[jsii.Number] = None,
     enabled: typing.Optional[builtins.bool] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     max_concurrency: typing.Optional[jsii.Number] = None,
@@ -3826,6 +4008,7 @@ def _typecheckingstub__f846cf48a1cd8d8120ed4973fabeee827928eff2de72d372506124b7d
     enabled: typing.Optional[builtins.bool] = None,
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     max_record_age: typing.Optional[_Duration_4839e8c3] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -3841,6 +4024,7 @@ def _typecheckingstub__826ee32f5239c7c242a7200ffc24778bee01c1101c3cc939fed4a8615
     table: _ITable_504fd401,
     *,
     bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     max_record_age: typing.Optional[_Duration_4839e8c3] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -3869,6 +4053,7 @@ def _typecheckingstub__ec371d5e4612e8923bbdcc024d90e26915d64be2dc40151f22fc41139
     enabled: typing.Optional[builtins.bool] = None,
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     max_record_age: typing.Optional[_Duration_4839e8c3] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -3885,6 +4070,7 @@ def _typecheckingstub__9f81acc98c12b4967363bdd43130a7e674a566679a7b200f5ccd6a0ae
     *,
     starting_position_timestamp: typing.Optional[jsii.Number] = None,
     bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     max_record_age: typing.Optional[_Duration_4839e8c3] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,
@@ -3913,6 +4099,7 @@ def _typecheckingstub__a0e5c31953f1ef382a7863484f36982000428c40cc94325c4f41de1e3
     enabled: typing.Optional[builtins.bool] = None,
     max_batching_window: typing.Optional[_Duration_4839e8c3] = None,
     bisect_batch_on_error: typing.Optional[builtins.bool] = None,
+    filter_encryption: typing.Optional[_IKey_5f11635f] = None,
     filters: typing.Optional[typing.Sequence[typing.Mapping[builtins.str, typing.Any]]] = None,
     max_record_age: typing.Optional[_Duration_4839e8c3] = None,
     on_failure: typing.Optional[_IEventSourceDlq_5e2c6ad9] = None,