aws-cdk-lib 2.154.1__py3-none-any.whl → 2.156.0__py3-none-any.whl

aws_cdk/aws_ivs/__init__.py

@@ -2558,7 +2558,7 @@ class CfnStage(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param auto_participant_recording_configuration: An object representing a configuration to record a channel stream.
+        :param auto_participant_recording_configuration: Configuration object for individual participant recording, to attach to the new stage.
         :param name: Stage name.
         :param tags: An array of key-value pairs to apply to this resource. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-stage-tag.html>`_ .
         '''
@@ -2642,7 +2642,7 @@ class CfnStage(
     def auto_participant_recording_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnStage.AutoParticipantRecordingConfigurationProperty"]]:
-        '''An object representing a configuration to record a channel stream.'''
+        '''Configuration object for individual participant recording, to attach to the new stage.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnStage.AutoParticipantRecordingConfigurationProperty"]], jsii.get(self, "autoParticipantRecordingConfiguration"))
 
     @auto_participant_recording_configuration.setter
@@ -2696,10 +2696,10 @@ class CfnStage(
             storage_configuration_arn: builtins.str,
             media_types: typing.Optional[typing.Sequence[builtins.str]] = None,
         ) -> None:
-            '''Configuration object for individual participant recording, to attach to the new stage.
+            '''The ``AWS::IVS::AutoParticipantRecordingConfiguration`` property type describes a configuration for individual participant recording.
 
-            :param storage_configuration_arn: ARN of the StorageConfiguration resource to use for individual participant recording.
-            :param media_types: Types of media to be recorded. Default: AUDIO_VIDEO.
+            :param storage_configuration_arn: ARN of the StorageConfiguration resource to use for individual participant recording. Default: "" (empty string, no storage configuration is specified). Individual participant recording cannot be started unless a storage configuration is specified, when a Stage is created or updated.
+            :param media_types: Types of media to be recorded. Default: ``AUDIO_VIDEO`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-stage-autoparticipantrecordingconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -2731,6 +2731,8 @@ class CfnStage(
         def storage_configuration_arn(self) -> builtins.str:
             '''ARN of the StorageConfiguration resource to use for individual participant recording.
 
+            Default: "" (empty string, no storage configuration is specified). Individual participant recording cannot be started unless a storage configuration is specified, when a Stage is created or updated.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-stage-autoparticipantrecordingconfiguration.html#cfn-ivs-stage-autoparticipantrecordingconfiguration-storageconfigurationarn
             '''
             result = self._values.get("storage_configuration_arn")
@@ -2741,7 +2743,7 @@ class CfnStage(
         def media_types(self) -> typing.Optional[typing.List[builtins.str]]:
             '''Types of media to be recorded.
 
-            Default: AUDIO_VIDEO.
+            Default: ``AUDIO_VIDEO`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-stage-autoparticipantrecordingconfiguration.html#cfn-ivs-stage-autoparticipantrecordingconfiguration-mediatypes
             '''
@@ -2779,7 +2781,7 @@ class CfnStageProps:
     ) -> None:
         '''Properties for defining a ``CfnStage``.
 
-        :param auto_participant_recording_configuration: An object representing a configuration to record a channel stream.
+        :param auto_participant_recording_configuration: Configuration object for individual participant recording, to attach to the new stage.
         :param name: Stage name.
         :param tags: An array of key-value pairs to apply to this resource. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ivs-stage-tag.html>`_ .
 
@@ -2823,7 +2825,7 @@ class CfnStageProps:
     def auto_participant_recording_configuration(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnStage.AutoParticipantRecordingConfigurationProperty]]:
-        '''An object representing a configuration to record a channel stream.
+        '''Configuration object for individual participant recording, to attach to the new stage.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ivs-stage.html#cfn-ivs-stage-autoparticipantrecordingconfiguration
         '''

aws_cdk/aws_kms/__init__.py

@@ -39,6 +39,14 @@ key = kms.Key(self, "MyKey",
 )
 ```
 
+Create a multi-Region primary key:
+
+```python
+key = kms.Key(self, "MyKey",
+    multi_region=True
+)
+```
+
 ## Sharing keys between stacks
 
 To use a KMS key in a different stack in the same CDK application,
@@ -700,10 +708,49 @@ class CfnKey(
 
     Example::
 
-        # cfn_template: cfn_inc.CfnInclude
+        import aws_cdk.aws_kms as kms
         
-        cfn_key = cfn_template.get_resource("Key")
-        key = kms.Key.from_cfn_key(cfn_key)
+        
+        kms_key = kms.Key(self, "myKMSKey")
+        my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
+            encryption=s3.BucketEncryption.KMS,
+            encryption_key=kms_key,
+            object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
+        )
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+            )
+        )
+        
+        # Add the following to scope down the key policy
+        scoped_down_key_policy = {
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "arn:aws:iam::111122223333:root"
+                },
+                "Action": "kms:*",
+                "Resource": "*"
+            }, {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "cloudfront.amazonaws.com"
+                },
+                "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
+                    }
+                }
+            }
+            ]
+        }
+        cfn_key = (kms_key.node.default_child)
+        cfn_key.key_policy = scoped_down_key_policy
     '''
 
     def __init__(
@@ -2078,15 +2125,19 @@ class Key(
 
     Example::
 
-        # destination_bucket: s3.Bucket
+        import aws_cdk.aws_kms as kms
         
-        source_bucket = s3.Bucket.from_bucket_attributes(self, "SourceBucket",
-            bucket_arn="arn:aws:s3:::my-source-bucket-name",
-            encryption_key=kms.Key.from_key_arn(self, "SourceBucketEncryptionKey", "arn:aws:kms:us-east-1:123456789012:key/<key-id>")
+        
+        my_kms_key = kms.Key(self, "myKMSKey")
+        my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
+            encryption=s3.BucketEncryption.KMS,
+            encryption_key=my_kms_key,
+            object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
         )
-        deployment = s3deploy.BucketDeployment(self, "DeployFiles",
-            sources=[s3deploy.Source.bucket(source_bucket, "source.zip")],
-            destination_bucket=destination_bucket
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+            )
         )
     '''
 
@@ -2102,6 +2153,7 @@ class Key(
         enable_key_rotation: typing.Optional[builtins.bool] = None,
         key_spec: typing.Optional["KeySpec"] = None,
         key_usage: typing.Optional["KeyUsage"] = None,
+        multi_region: typing.Optional[builtins.bool] = None,
         pending_window: typing.Optional[_Duration_4839e8c3] = None,
         policy: typing.Optional[_PolicyDocument_3ac34393] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
@@ -2117,6 +2169,7 @@ class Key(
         :param enable_key_rotation: Indicates whether AWS KMS rotates the key. Default: false
         :param key_spec: The cryptographic configuration of the key. The valid value depends on usage of the key. IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value. Default: KeySpec.SYMMETRIC_DEFAULT
         :param key_usage: The cryptographic operations for which the key can be used. IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value. Default: KeyUsage.ENCRYPT_DECRYPT
+        :param multi_region: Creates a multi-Region primary key that you can replicate in other AWS Regions. You can't change the ``multiRegion`` value after the KMS key is created. IMPORTANT: If you change the value of the ``multiRegion`` property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Default: false
         :param pending_window: Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack. When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of CMK is Pending Deletion, which prevents the CMK from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK. Enter a value between 7 and 30 days. Default: - 30 days
         :param policy: Custom policy document to attach to the KMS key. NOTE - If the ``@aws-cdk/aws-kms:defaultKeyPolicies`` feature flag is set (the default for new projects), this policy will *override* the default key policy and become the only key policy for the key. If the feature flag is not set, this policy will be appended to the default key policy. Default: - A policy document with permissions for the account root to administer the key will be created.
         :param removal_policy: Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to retain access to data that was encrypted with a key that is being retired. Default: RemovalPolicy.Retain
@@ -2134,6 +2187,7 @@ class Key(
             enable_key_rotation=enable_key_rotation,
             key_spec=key_spec,
             key_usage=key_usage,
+            multi_region=multi_region,
             pending_window=pending_window,
             policy=policy,
             removal_policy=removal_policy,
@@ -2439,6 +2493,7 @@ class KeyLookupOptions:
         "enable_key_rotation": "enableKeyRotation",
         "key_spec": "keySpec",
         "key_usage": "keyUsage",
+        "multi_region": "multiRegion",
         "pending_window": "pendingWindow",
         "policy": "policy",
         "removal_policy": "removalPolicy",
@@ -2456,6 +2511,7 @@ class KeyProps:
         enable_key_rotation: typing.Optional[builtins.bool] = None,
         key_spec: typing.Optional["KeySpec"] = None,
         key_usage: typing.Optional["KeyUsage"] = None,
+        multi_region: typing.Optional[builtins.bool] = None,
         pending_window: typing.Optional[_Duration_4839e8c3] = None,
         policy: typing.Optional[_PolicyDocument_3ac34393] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
@@ -2470,6 +2526,7 @@ class KeyProps:
         :param enable_key_rotation: Indicates whether AWS KMS rotates the key. Default: false
         :param key_spec: The cryptographic configuration of the key. The valid value depends on usage of the key. IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value. Default: KeySpec.SYMMETRIC_DEFAULT
         :param key_usage: The cryptographic operations for which the key can be used. IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value. Default: KeyUsage.ENCRYPT_DECRYPT
+        :param multi_region: Creates a multi-Region primary key that you can replicate in other AWS Regions. You can't change the ``multiRegion`` value after the KMS key is created. IMPORTANT: If you change the value of the ``multiRegion`` property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Default: false
         :param pending_window: Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack. When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period. During the waiting period, the key state of CMK is Pending Deletion, which prevents the CMK from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK. Enter a value between 7 and 30 days. Default: - 30 days
         :param policy: Custom policy document to attach to the KMS key. NOTE - If the ``@aws-cdk/aws-kms:defaultKeyPolicies`` feature flag is set (the default for new projects), this policy will *override* the default key policy and become the only key policy for the key. If the feature flag is not set, this policy will be appended to the default key policy. Default: - A policy document with permissions for the account root to administer the key will be created.
         :param removal_policy: Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to retain access to data that was encrypted with a key that is being retired. Default: RemovalPolicy.Retain
@@ -2509,6 +2566,7 @@ class KeyProps:
             check_type(argname="argument enable_key_rotation", value=enable_key_rotation, expected_type=type_hints["enable_key_rotation"])
             check_type(argname="argument key_spec", value=key_spec, expected_type=type_hints["key_spec"])
             check_type(argname="argument key_usage", value=key_usage, expected_type=type_hints["key_usage"])
+            check_type(argname="argument multi_region", value=multi_region, expected_type=type_hints["multi_region"])
             check_type(argname="argument pending_window", value=pending_window, expected_type=type_hints["pending_window"])
             check_type(argname="argument policy", value=policy, expected_type=type_hints["policy"])
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
@@ -2528,6 +2586,8 @@ class KeyProps:
             self._values["key_spec"] = key_spec
         if key_usage is not None:
             self._values["key_usage"] = key_usage
+        if multi_region is not None:
+            self._values["multi_region"] = multi_region
         if pending_window is not None:
             self._values["pending_window"] = pending_window
         if policy is not None:
@@ -2616,6 +2676,23 @@ class KeyProps:
         result = self._values.get("key_usage")
         return typing.cast(typing.Optional["KeyUsage"], result)
 
+    @builtins.property
+    def multi_region(self) -> typing.Optional[builtins.bool]:
+        '''Creates a multi-Region primary key that you can replicate in other AWS Regions.
+
+        You can't change the ``multiRegion`` value after the KMS key is created.
+
+        IMPORTANT: If you change the value of the ``multiRegion`` property on an existing KMS key, the update request fails,
+        regardless of the value of the UpdateReplacePolicy attribute.
+        This prevents you from accidentally deleting a KMS key by changing an immutable property value.
+
+        :default: false
+
+        :see: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+        '''
+        result = self._values.get("multi_region")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def pending_window(self) -> typing.Optional[_Duration_4839e8c3]:
         '''Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack.
@@ -3491,6 +3568,7 @@ def _typecheckingstub__2cde9534bdfe7c19d6e24354f8a0de8ca349632d3f565addcaed7e86a
     enable_key_rotation: typing.Optional[builtins.bool] = None,
     key_spec: typing.Optional[KeySpec] = None,
     key_usage: typing.Optional[KeyUsage] = None,
+    multi_region: typing.Optional[builtins.bool] = None,
     pending_window: typing.Optional[_Duration_4839e8c3] = None,
     policy: typing.Optional[_PolicyDocument_3ac34393] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
@@ -3594,6 +3672,7 @@ def _typecheckingstub__b3cbd21baa1113e5b2864ce6b440a0d87704642442943c3a554ab23ae
     enable_key_rotation: typing.Optional[builtins.bool] = None,
     key_spec: typing.Optional[KeySpec] = None,
     key_usage: typing.Optional[KeyUsage] = None,
+    multi_region: typing.Optional[builtins.bool] = None,
     pending_window: typing.Optional[_Duration_4839e8c3] = None,
     policy: typing.Optional[_PolicyDocument_3ac34393] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,

aws_cdk/aws_lambda/__init__.py

@@ -85,6 +85,10 @@ configurations as well as choosing a specific tag or digest. See their docs for
 To deploy a `DockerImageFunction` on Lambda `arm64` architecture, specify `Architecture.ARM_64` in `architecture`.
 This will bundle docker image assets for `arm64` architecture with `--platform linux/arm64` even if build within an `x86_64` host.
 
+With that being said, if you are bundling `DockerImageFunction` for Lambda `amd64` architecture from a `arm64` machine like a Macbook with `arm64` CPU, you would
+need to specify `architecture: lambda.Architecture.X86_64` as well. This ensures the `--platform` argument is passed to the image assets
+bundling process so you can bundle up `X86_64` images from the `arm64` machine.
+
 ```python
 lambda_.DockerImageFunction(self, "AssetFunction",
     code=lambda_.DockerImageCode.from_image_asset(path.join(__dirname, "docker-arm64-handler")),
@@ -10120,7 +10124,7 @@ class CfnVersion(
     @builtins.property
     @jsii.member(jsii_name="attrFunctionArn")
     def attr_function_arn(self) -> builtins.str:
-        '''The ARN of the version.
+        '''The ARN of the function.
 
         :cloudformationAttribute: FunctionArn
         '''
@@ -13774,21 +13778,25 @@ class FilterCriteria(
 
     Example::
 
-        import aws_cdk.aws_lambda_event_sources as eventsources
         import aws_cdk.aws_dynamodb as dynamodb
+        from aws_cdk.aws_lambda_event_sources import DynamoEventSource
+        
+        # table: dynamodb.Table
         
         # fn: lambda.Function
         
-        table = dynamodb.Table(self, "Table",
-            partition_key=dynamodb.Attribute(
-                name="id",
-                type=dynamodb.AttributeType.STRING
-            ),
-            stream=dynamodb.StreamViewType.NEW_IMAGE
-        )
-        fn.add_event_source(eventsources.DynamoEventSource(table,
+        fn.add_event_source(DynamoEventSource(table,
             starting_position=lambda_.StartingPosition.LATEST,
-            filters=[lambda_.FilterCriteria.filter({"event_name": lambda_.FilterRule.is_equal("INSERT")})]
+            filters=[
+                lambda_.FilterCriteria.filter({
+                    "event_name": lambda_.FilterRule.is_equal("INSERT"),
+                    "dynamodb": {
+                        "NewImage": {
+                            "id": {"BOOL": lambda_.FilterRule.is_equal(True)}
+                        }
+                    }
+                })
+            ]
         ))
     '''
 
@@ -13821,21 +13829,25 @@ class FilterRule(
 
     Example::
 
-        import aws_cdk.aws_lambda_event_sources as eventsources
         import aws_cdk.aws_dynamodb as dynamodb
+        from aws_cdk.aws_lambda_event_sources import DynamoEventSource
+        
+        # table: dynamodb.Table
         
         # fn: lambda.Function
         
-        table = dynamodb.Table(self, "Table",
-            partition_key=dynamodb.Attribute(
-                name="id",
-                type=dynamodb.AttributeType.STRING
-            ),
-            stream=dynamodb.StreamViewType.NEW_IMAGE
-        )
-        fn.add_event_source(eventsources.DynamoEventSource(table,
+        fn.add_event_source(DynamoEventSource(table,
             starting_position=lambda_.StartingPosition.LATEST,
-            filters=[lambda_.FilterCriteria.filter({"event_name": lambda_.FilterRule.is_equal("INSERT")})]
+            filters=[
+                lambda_.FilterCriteria.filter({
+                    "event_name": lambda_.FilterRule.is_equal("INSERT"),
+                    "dynamodb": {
+                        "NewImage": {
+                            "id": {"BOOL": lambda_.FilterRule.is_equal(True)}
+                        }
+                    }
+                })
+            ]
         ))
     '''
 
@@ -13889,7 +13901,10 @@ class FilterRule(
 
     @jsii.member(jsii_name="isEqual")
     @builtins.classmethod
-    def is_equal(cls, item: typing.Union[builtins.str, jsii.Number]) -> typing.Any:
+    def is_equal(
+        cls,
+        item: typing.Union[builtins.str, jsii.Number, builtins.bool],
+    ) -> typing.Any:
         '''Equals comparison operator.
 
         :param item: -
@@ -29506,7 +29521,7 @@ def _typecheckingstub__e532ccec0d2d2a11fd00b0da70142d367dca7a52eb785533bf0fe354f
     pass
 
 def _typecheckingstub__6ffacf0ca301bfbc6a30c7fc32201cecba4e3530eb53e51d1b21c3349a4e5ba5(
-    item: typing.Union[builtins.str, jsii.Number],
+    item: typing.Union[builtins.str, jsii.Number, builtins.bool],
 ) -> None:
     """Type checking stubs"""
     pass

aws_cdk/aws_lambda_event_sources/__init__.py

@@ -175,6 +175,7 @@ and add it to your Lambda function. The following parameters will impact Amazon
 * **startingPosition**: Will determine where to being consumption, either at the most recent ('LATEST') record or the oldest record ('TRIM_HORIZON'). 'TRIM_HORIZON' will ensure you process all available data, while 'LATEST' will ignore all records that arrived prior to attaching the event source.
 * **tumblingWindow**: The duration in seconds of a processing window when using streams.
 * **enabled**: If the DynamoDB Streams event source mapping should be enabled. The default is true.
+* **filters**: Filters to apply before sending a change event from a DynamoDB table to a Lambda function. Events that are filtered out are not sent to the Lambda function.
 
 ```python
 import aws_cdk.aws_dynamodb as dynamodb
@@ -195,6 +196,32 @@ fn.add_event_source(DynamoEventSource(table,
 ))
 ```
 
+The following code sets up a Lambda function with a DynamoDB event source. A filter is applied to only send DynamoDB events to
+the Lambda function when the `id` column is a boolean that equals `true`.
+
+```python
+import aws_cdk.aws_dynamodb as dynamodb
+from aws_cdk.aws_lambda_event_sources import DynamoEventSource
+
+# table: dynamodb.Table
+
+# fn: lambda.Function
+
+fn.add_event_source(DynamoEventSource(table,
+    starting_position=lambda_.StartingPosition.LATEST,
+    filters=[
+        lambda_.FilterCriteria.filter({
+            "event_name": lambda_.FilterRule.is_equal("INSERT"),
+            "dynamodb": {
+                "NewImage": {
+                    "id": {"BOOL": lambda_.FilterRule.is_equal(True)}
+                }
+            }
+        })
+    ]
+))
+```
+
 ## Kinesis
 
 You can write Lambda functions to process streaming data in Amazon Kinesis Streams. For more information about Amazon Kinesis, see [Amazon Kinesis

aws_cdk/aws_rds/__init__.py

@@ -30343,6 +30343,12 @@ class MysqlEngineVersion(
         '''Version "5.7.44-rds.20240529".'''
         return typing.cast("MysqlEngineVersion", jsii.sget(cls, "VER_5_7_44_RDS_20240529"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_5_7_44_RDS_20240808")
+    def VER_5_7_44_RDS_20240808(cls) -> "MysqlEngineVersion":
+        '''Version "5.7.44-rds.20240808".'''
+        return typing.cast("MysqlEngineVersion", jsii.sget(cls, "VER_5_7_44_RDS_20240808"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_8_0")
     def VER_8_0(cls) -> "MysqlEngineVersion":
@@ -33229,6 +33235,12 @@ class PostgresEngineVersion(
         '''Version "11.22-rds.20240509".'''
         return typing.cast("PostgresEngineVersion", jsii.sget(cls, "VER_11_22_RDS_20240509"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="VER_11_22_RDS_20240808")
+    def VER_11_22_RDS_20240808(cls) -> "PostgresEngineVersion":
+        '''Version "11.22-rds.20240808".'''
+        return typing.cast("PostgresEngineVersion", jsii.sget(cls, "VER_11_22_RDS_20240808"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="VER_11_4")
     def VER_11_4(cls) -> "PostgresEngineVersion":

aws_cdk/aws_s3/__init__.py

@@ -1328,7 +1328,8 @@ class BucketEncryption(enum.Enum):
             default_stack_synthesizer=AppStagingSynthesizer.default_resources(
                 app_id="my-app-id",
                 staging_bucket_encryption=BucketEncryption.S3_MANAGED,
-                deployment_identities=DeploymentIdentities.cli_credentials()
+                file_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/S3Access"),
+                image_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/ECRAccess")
             )
         )
     '''
@@ -1827,21 +1828,19 @@ class BucketProps:
 
         Example::
 
-            source_bucket = s3.Bucket(self, "MyBucket",
-                versioned=True
-            )
+            import aws_cdk.aws_kms as kms
+            
             
-            pipeline = codepipeline.Pipeline(self, "MyPipeline")
-            source_output = codepipeline.Artifact()
-            source_action = codepipeline_actions.S3SourceAction(
-                action_name="S3Source",
-                bucket=source_bucket,
-                bucket_key="path/to/file.zip",
-                output=source_output
+            my_kms_key = kms.Key(self, "myKMSKey")
+            my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
+                encryption=s3.BucketEncryption.KMS,
+                encryption_key=my_kms_key,
+                object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
             )
-            pipeline.add_stage(
-                stage_name="Source",
-                actions=[source_action]
+            cloudfront.Distribution(self, "myDist",
+                default_behavior=cloudfront.BehaviorOptions(
+                    origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+                )
             )
         '''
         if isinstance(website_redirect, dict):

aws_cdk/aws_secretsmanager/__init__.py

@@ -2251,7 +2251,7 @@ class CfnSecretTargetAttachment(
         :param id: Construct identifier for this resource (unique in its scope).
         :param secret_id: The ARN or name of the secret. To reference a secret also created in this template, use the see `Ref <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html>`_ function with the secret's logical ID.
         :param target_id: The ID of the database or cluster.
-        :param target_type: A string that defines the type of service or database associated with the secret. This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following: - AWS::RDS::DBInstance - AWS::RDS::DBCluster - AWS::Redshift::Cluster - AWS::DocDB::DBInstance - AWS::DocDB::DBCluster
+        :param target_type: A string that defines the type of service or database associated with the secret. This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following: - AWS::RDS::DBInstance - AWS::RDS::DBCluster - AWS::Redshift::Cluster - AWS::DocDB::DBInstance - AWS::DocDB::DBCluster - AWS::DocDBElastic::Cluster
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f27548ced74eb3d06a9cd3710e7d562d307b5a2c264476a3e685fcb94ccdee58)
@@ -2367,7 +2367,7 @@ class CfnSecretTargetAttachmentProps:
 
         :param secret_id: The ARN or name of the secret. To reference a secret also created in this template, use the see `Ref <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html>`_ function with the secret's logical ID.
         :param target_id: The ID of the database or cluster.
-        :param target_type: A string that defines the type of service or database associated with the secret. This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following: - AWS::RDS::DBInstance - AWS::RDS::DBCluster - AWS::Redshift::Cluster - AWS::DocDB::DBInstance - AWS::DocDB::DBCluster
+        :param target_type: A string that defines the type of service or database associated with the secret. This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following: - AWS::RDS::DBInstance - AWS::RDS::DBCluster - AWS::Redshift::Cluster - AWS::DocDB::DBInstance - AWS::DocDB::DBCluster - AWS::DocDBElastic::Cluster
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html
         :exampleMetadata: fixture=_generated
@@ -2428,6 +2428,7 @@ class CfnSecretTargetAttachmentProps:
         - AWS::Redshift::Cluster
         - AWS::DocDB::DBInstance
         - AWS::DocDB::DBCluster
+        - AWS::DocDBElastic::Cluster
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html#cfn-secretsmanager-secrettargetattachment-targettype
         '''

aws_cdk/aws_ses/__init__.py

@@ -10850,7 +10850,7 @@ class CfnReceiptRule(
             For information about specifying Amazon S3 actions in receipt rules, see the `Amazon SES Developer Guide <https://docs.aws.amazon.com/ses/latest/dg/receiving-email-action-s3.html>`_ .
 
             :param bucket_name: The name of the Amazon S3 bucket for incoming email.
-            :param kms_key_arn: The customer master key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket. You can use the default master key or a custom master key that you created in AWS KMS as follows: - To use the default master key, provide an ARN in the form of ``arn:aws:kms:REGION:ACCOUNT-ID-WITHOUT-HYPHENS:alias/aws/ses`` . For example, if your AWS account ID is 123456789012 and you want to use the default master key in the US West (Oregon) Region, the ARN of the default master key would be ``arn:aws:kms:us-west-2:123456789012:alias/aws/ses`` . If you use the default master key, you don't need to perform any extra steps to give Amazon SES permission to use the key. - To use a custom master key that you created in AWS KMS, provide the ARN of the master key and ensure that you add a statement to your key's policy to give Amazon SES permission to use it. For more information about giving permissions, see the `Amazon SES Developer Guide <https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html>`_ . For more information about key policies, see the `AWS KMS Developer Guide <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html>`_ . If you do not specify a master key, Amazon SES does not encrypt your emails. .. epigraph:: Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your AWS KMS keys for decryption. This encryption client is currently available with the `AWS SDK for Java <https://docs.aws.amazon.com/sdk-for-java/>`_ and `AWS SDK for Ruby <https://docs.aws.amazon.com/sdk-for-ruby/>`_ only. For more information about client-side encryption using AWS KMS master keys, see the `Amazon S3 Developer Guide <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html>`_ .
+            :param kms_key_arn: The customer managed key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket. You can use the AWS managed key or a customer managed key that you created in AWS KMS as follows: - To use the AWS managed key, provide an ARN in the form of ``arn:aws:kms:REGION:ACCOUNT-ID-WITHOUT-HYPHENS:alias/aws/ses`` . For example, if your AWS account ID is 123456789012 and you want to use the AWS managed key in the US West (Oregon) Region, the ARN of the AWS managed key would be ``arn:aws:kms:us-west-2:123456789012:alias/aws/ses`` . If you use the AWS managed key, you don't need to perform any extra steps to give Amazon SES permission to use the key. - To use a customer managed key that you created in AWS KMS, provide the ARN of the customer managed key and ensure that you add a statement to your key's policy to give Amazon SES permission to use it. For more information about giving permissions, see the `Amazon SES Developer Guide <https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html>`_ . For more information about key policies, see the `AWS KMS Developer Guide <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html>`_ . If you do not specify an AWS KMS key, Amazon SES does not encrypt your emails. .. epigraph:: Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your AWS KMS keys for decryption. This encryption client is currently available with the `AWS SDK for Java <https://docs.aws.amazon.com/sdk-for-java/>`_ and `AWS SDK for Ruby <https://docs.aws.amazon.com/sdk-for-ruby/>`_ only. For more information about client-side encryption using AWS KMS managed keys, see the `Amazon S3 Developer Guide <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html>`_ .
             :param object_key_prefix: The key prefix of the Amazon S3 bucket. The key prefix is similar to a directory name that enables you to store similar data under the same directory in a bucket.
             :param topic_arn: The ARN of the Amazon SNS topic to notify when the message is saved to the Amazon S3 bucket. You can find the ARN of a topic by using the `ListTopics <https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html>`_ operation in Amazon SNS. For more information about Amazon SNS topics, see the `Amazon SNS Developer Guide <https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html>`_ .
 
@@ -10900,17 +10900,17 @@ class CfnReceiptRule(
 
         @builtins.property
         def kms_key_arn(self) -> typing.Optional[builtins.str]:
-            '''The customer master key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket.
+            '''The customer managed key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket.
 
-            You can use the default master key or a custom master key that you created in AWS KMS as follows:
+            You can use the AWS managed key or a customer managed key that you created in AWS KMS as follows:
 
-            - To use the default master key, provide an ARN in the form of ``arn:aws:kms:REGION:ACCOUNT-ID-WITHOUT-HYPHENS:alias/aws/ses`` . For example, if your AWS account ID is 123456789012 and you want to use the default master key in the US West (Oregon) Region, the ARN of the default master key would be ``arn:aws:kms:us-west-2:123456789012:alias/aws/ses`` . If you use the default master key, you don't need to perform any extra steps to give Amazon SES permission to use the key.
-            - To use a custom master key that you created in AWS KMS, provide the ARN of the master key and ensure that you add a statement to your key's policy to give Amazon SES permission to use it. For more information about giving permissions, see the `Amazon SES Developer Guide <https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html>`_ .
+            - To use the AWS managed key, provide an ARN in the form of ``arn:aws:kms:REGION:ACCOUNT-ID-WITHOUT-HYPHENS:alias/aws/ses`` . For example, if your AWS account ID is 123456789012 and you want to use the AWS managed key in the US West (Oregon) Region, the ARN of the AWS managed key would be ``arn:aws:kms:us-west-2:123456789012:alias/aws/ses`` . If you use the AWS managed key, you don't need to perform any extra steps to give Amazon SES permission to use the key.
+            - To use a customer managed key that you created in AWS KMS, provide the ARN of the customer managed key and ensure that you add a statement to your key's policy to give Amazon SES permission to use it. For more information about giving permissions, see the `Amazon SES Developer Guide <https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html>`_ .
 
-            For more information about key policies, see the `AWS KMS Developer Guide <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html>`_ . If you do not specify a master key, Amazon SES does not encrypt your emails.
+            For more information about key policies, see the `AWS KMS Developer Guide <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html>`_ . If you do not specify an AWS KMS key, Amazon SES does not encrypt your emails.
             .. epigraph::
 
-               Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your AWS KMS keys for decryption. This encryption client is currently available with the `AWS SDK for Java <https://docs.aws.amazon.com/sdk-for-java/>`_ and `AWS SDK for Ruby <https://docs.aws.amazon.com/sdk-for-ruby/>`_ only. For more information about client-side encryption using AWS KMS master keys, see the `Amazon S3 Developer Guide <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html>`_ .
+               Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your AWS KMS keys for decryption. This encryption client is currently available with the `AWS SDK for Java <https://docs.aws.amazon.com/sdk-for-java/>`_ and `AWS SDK for Ruby <https://docs.aws.amazon.com/sdk-for-ruby/>`_ only. For more information about client-side encryption using AWS KMS managed keys, see the `Amazon S3 Developer Guide <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ses-receiptrule-s3action.html#cfn-ses-receiptrule-s3action-kmskeyarn
             '''

aws_cdk/aws_ssmcontacts/__init__.py

@@ -565,6 +565,10 @@ class CfnContactChannel(
 ):
     '''The ``AWS::SSMContacts::ContactChannel`` resource specifies a contact channel as the method that Incident Manager uses to engage your contact.
 
+    .. epigraph::
+
+       *Template example* : We recommend creating all Incident Manager ``Contacts`` resources using a single AWS CloudFormation template. For a demonstration, see the examples for `AWS::SSMContacts::Contacts <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssmcontacts-contact.html>`_ .
+
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssmcontacts-contactchannel.html
     :cloudformationResource: AWS::SSMContacts::ContactChannel
     :exampleMetadata: fixture=_generated
@@ -1009,6 +1013,10 @@ class CfnPlan(
 ):
     '''Information about the stages and on-call rotation teams associated with an escalation plan or engagement plan.
 
+    .. epigraph::
+
+       *Template example* : We recommend creating all Incident Manager ``Contacts`` resources using a single AWS CloudFormation template. For a demonstration, see the examples for `AWS::SSMContacts::Contacts <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssmcontacts-contact.html>`_ .
+
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssmcontacts-plan.html
     :cloudformationResource: AWS::SSMContacts::Plan
     :exampleMetadata: fixture=_generated
@@ -1591,6 +1599,10 @@ class CfnRotation(
 ):
     '''Specifies a rotation in an on-call schedule.
 
+    .. epigraph::
+
+       *Template example* : We recommend creating all Incident Manager ``Contacts`` resources using a single AWS CloudFormation template. For a demonstration, see the examples for `AWS::SSMContacts::Contacts <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssmcontacts-contact.html>`_ .
+
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssmcontacts-rotation.html
     :cloudformationResource: AWS::SSMContacts::Rotation
     :exampleMetadata: fixture=_generated