aws-cdk-lib 2.155.0__py3-none-any.whl → 2.157.0__py3-none-any.whl

aws_cdk/aws_guardduty/__init__.py

@@ -1139,7 +1139,7 @@ class CfnFilter(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param detector_id: The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
+        :param detector_id: The detector ID associated with the GuardDuty account for which you want to create a filter. To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param finding_criteria: Represents the criteria to be used in the filter for querying findings.
         :param name: The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
         :param action: Specifies the action that is to be applied to the findings that match the filter.
@@ -1207,7 +1207,7 @@ class CfnFilter(
     @builtins.property
     @jsii.member(jsii_name="detectorId")
     def detector_id(self) -> builtins.str:
-        '''The ID of the detector belonging to the GuardDuty account that you want to create a filter for.'''
+        '''The detector ID associated with the GuardDuty account for which you want to create a filter.'''
         return typing.cast(builtins.str, jsii.get(self, "detectorId"))
 
     @detector_id.setter
@@ -1758,7 +1758,7 @@ class CfnFilterProps:
     ) -> None:
         '''Properties for defining a ``CfnFilter``.
 
-        :param detector_id: The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
+        :param detector_id: The detector ID associated with the GuardDuty account for which you want to create a filter. To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param finding_criteria: Represents the criteria to be used in the filter for querying findings.
         :param name: The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
         :param action: Specifies the action that is to be applied to the findings that match the filter.
@@ -1833,7 +1833,10 @@ class CfnFilterProps:
 
     @builtins.property
     def detector_id(self) -> builtins.str:
-        '''The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
+        '''The detector ID associated with the GuardDuty account for which you want to create a filter.
+
+        To find the ``detectorId`` in the current Region, see the
+        Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-filter.html#cfn-guardduty-filter-detectorid
         '''
@@ -1976,7 +1979,7 @@ class CfnIPSet(
         :param format: The format of the file that contains the IPSet.
         :param location: The URI of the file that contains the IPSet.
         :param activate: Indicates whether or not GuardDuty uses the ``IPSet`` .
-        :param detector_id: The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.
+        :param detector_id: The unique ID of the detector of the GuardDuty account for which you want to create an IPSet. To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param name: The user-friendly name to identify the IPSet. Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).
         :param tags: The tags to be added to a new IP set resource. Each tag consists of a key and an optional value, both of which you define. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
         '''
@@ -2091,7 +2094,7 @@ class CfnIPSet(
     @builtins.property
     @jsii.member(jsii_name="detectorId")
     def detector_id(self) -> typing.Optional[builtins.str]:
-        '''The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.'''
+        '''The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "detectorId"))
 
     @detector_id.setter
@@ -2156,7 +2159,7 @@ class CfnIPSetProps:
         :param format: The format of the file that contains the IPSet.
         :param location: The URI of the file that contains the IPSet.
         :param activate: Indicates whether or not GuardDuty uses the ``IPSet`` .
-        :param detector_id: The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.
+        :param detector_id: The unique ID of the detector of the GuardDuty account for which you want to create an IPSet. To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param name: The user-friendly name to identify the IPSet. Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).
         :param tags: The tags to be added to a new IP set resource. Each tag consists of a key and an optional value, both of which you define. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
 
@@ -2237,7 +2240,10 @@ class CfnIPSetProps:
 
     @builtins.property
     def detector_id(self) -> typing.Optional[builtins.str]:
-        '''The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.
+        '''The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.
+
+        To find the ``detectorId`` in the current Region, see the
+        Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-ipset.html#cfn-guardduty-ipset-detectorid
         '''
@@ -3071,7 +3077,7 @@ class CfnMaster(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param detector_id: The unique ID of the detector of the GuardDuty member account.
+        :param detector_id: The unique ID of the detector of the GuardDuty member account. To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param master_id: The AWS account ID of the account designated as the GuardDuty administrator account.
         :param invitation_id: The ID of the invitation that is sent to the account designated as a member account. You can find the invitation ID by running the `ListInvitations <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListInvitations.html>`_ in the *GuardDuty API Reference* .
         '''
@@ -3179,7 +3185,7 @@ class CfnMasterProps:
     ) -> None:
         '''Properties for defining a ``CfnMaster``.
 
-        :param detector_id: The unique ID of the detector of the GuardDuty member account.
+        :param detector_id: The unique ID of the detector of the GuardDuty member account. To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param master_id: The AWS account ID of the account designated as the GuardDuty administrator account.
         :param invitation_id: The ID of the invitation that is sent to the account designated as a member account. You can find the invitation ID by running the `ListInvitations <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListInvitations.html>`_ in the *GuardDuty API Reference* .
 
@@ -3216,6 +3222,9 @@ class CfnMasterProps:
     def detector_id(self) -> builtins.str:
         '''The unique ID of the detector of the GuardDuty member account.
 
+        To find the ``detectorId`` in the current Region, see the
+        Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-master.html#cfn-guardduty-master-detectorid
         '''
         result = self._values.get("detector_id")
@@ -3641,7 +3650,7 @@ class CfnThreatIntelSet(
         :param format: The format of the file that contains the ThreatIntelSet.
         :param location: The URI of the file that contains the ThreatIntelSet.
         :param activate: A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
-        :param detector_id: The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.
+        :param detector_id: The unique ID of the detector of the GuardDuty account for which you want to create a ``ThreatIntelSet`` . To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param name: A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
         :param tags: The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
         '''
@@ -3757,7 +3766,7 @@ class CfnThreatIntelSet(
     @builtins.property
     @jsii.member(jsii_name="detectorId")
     def detector_id(self) -> typing.Optional[builtins.str]:
-        '''The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.'''
+        '''The unique ID of the detector of the GuardDuty account for which you want to create a ``ThreatIntelSet`` .'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "detectorId"))
 
     @detector_id.setter
@@ -3822,7 +3831,7 @@ class CfnThreatIntelSetProps:
         :param format: The format of the file that contains the ThreatIntelSet.
         :param location: The URI of the file that contains the ThreatIntelSet.
         :param activate: A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
-        :param detector_id: The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.
+        :param detector_id: The unique ID of the detector of the GuardDuty account for which you want to create a ``ThreatIntelSet`` . To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
         :param name: A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
         :param tags: The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
 
@@ -3903,7 +3912,10 @@ class CfnThreatIntelSetProps:
 
     @builtins.property
     def detector_id(self) -> typing.Optional[builtins.str]:
-        '''The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.
+        '''The unique ID of the detector of the GuardDuty account for which you want to create a ``ThreatIntelSet`` .
+
+        To find the ``detectorId`` in the current Region, see the
+        Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`_ API.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-threatintelset.html#cfn-guardduty-threatintelset-detectorid
         '''

aws_cdk/aws_iam/__init__.py

@@ -13237,17 +13237,16 @@ class ServicePrincipal(
 
     Example::
 
-        lambda_role = iam.Role(self, "Role",
-            assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
-            description="Example role..."
+        # definition: sfn.IChainable
+        role = iam.Role(self, "Role",
+            assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
         )
-        
-        stream = kinesis.Stream(self, "MyEncryptedStream",
-            encryption=kinesis.StreamEncryption.KMS
+        state_machine = sfn.StateMachine(self, "StateMachine",
+            definition_body=sfn.DefinitionBody.from_chainable(definition)
         )
         
-        # give lambda permissions to read stream
-        stream.grant_read(lambda_role)
+        # Give role permission to get execution history of ALL executions for the state machine
+        state_machine.grant_execution(role, "states:GetExecutionHistory")
     '''
 
     def __init__(

aws_cdk/aws_iotfleetwise/__init__.py

@@ -98,6 +98,10 @@ class CfnCampaign(
             # the properties below are optional
             compression="compression",
             data_destination_configs=[iotfleetwise.CfnCampaign.DataDestinationConfigProperty(
+                mqtt_topic_config=iotfleetwise.CfnCampaign.MqttTopicConfigProperty(
+                    execution_role_arn="executionRoleArn",
+                    mqtt_topic_arn="mqttTopicArn"
+                ),
                 s3_config=iotfleetwise.CfnCampaign.S3ConfigProperty(
                     bucket_arn="bucketArn",
         
@@ -733,6 +737,7 @@ class CfnCampaign(
         jsii_type="aws-cdk-lib.aws_iotfleetwise.CfnCampaign.DataDestinationConfigProperty",
         jsii_struct_bases=[],
         name_mapping={
+            "mqtt_topic_config": "mqttTopicConfig",
             "s3_config": "s3Config",
             "timestream_config": "timestreamConfig",
         },
@@ -741,6 +746,7 @@ class CfnCampaign(
         def __init__(
             self,
             *,
+            mqtt_topic_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCampaign.MqttTopicConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             s3_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCampaign.S3ConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             timestream_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCampaign.TimestreamConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
@@ -748,6 +754,7 @@ class CfnCampaign(
 
             You can send data to be stored in Amazon S3 or Amazon Timestream .
 
+            :param mqtt_topic_config: 
             :param s3_config: (Optional) The Amazon S3 bucket where the AWS IoT FleetWise campaign sends data.
             :param timestream_config: (Optional) The Amazon Timestream table where the campaign sends data.
 
@@ -761,6 +768,10 @@ class CfnCampaign(
                 from aws_cdk import aws_iotfleetwise as iotfleetwise
                 
                 data_destination_config_property = iotfleetwise.CfnCampaign.DataDestinationConfigProperty(
+                    mqtt_topic_config=iotfleetwise.CfnCampaign.MqttTopicConfigProperty(
+                        execution_role_arn="executionRoleArn",
+                        mqtt_topic_arn="mqttTopicArn"
+                    ),
                     s3_config=iotfleetwise.CfnCampaign.S3ConfigProperty(
                         bucket_arn="bucketArn",
                 
@@ -777,14 +788,27 @@ class CfnCampaign(
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__a76d3ecac8a3286ba64142d7bb2621dd82495be58438bdb339be1559bb8129f3)
+                check_type(argname="argument mqtt_topic_config", value=mqtt_topic_config, expected_type=type_hints["mqtt_topic_config"])
                 check_type(argname="argument s3_config", value=s3_config, expected_type=type_hints["s3_config"])
                 check_type(argname="argument timestream_config", value=timestream_config, expected_type=type_hints["timestream_config"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if mqtt_topic_config is not None:
+                self._values["mqtt_topic_config"] = mqtt_topic_config
             if s3_config is not None:
                 self._values["s3_config"] = s3_config
             if timestream_config is not None:
                 self._values["timestream_config"] = timestream_config
 
+        @builtins.property
+        def mqtt_topic_config(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnCampaign.MqttTopicConfigProperty"]]:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-campaign-datadestinationconfig.html#cfn-iotfleetwise-campaign-datadestinationconfig-mqtttopicconfig
+            '''
+            result = self._values.get("mqtt_topic_config")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnCampaign.MqttTopicConfigProperty"]], result)
+
         @builtins.property
         def s3_config(
             self,
@@ -818,6 +842,77 @@ class CfnCampaign(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_iotfleetwise.CfnCampaign.MqttTopicConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "execution_role_arn": "executionRoleArn",
+            "mqtt_topic_arn": "mqttTopicArn",
+        },
+    )
+    class MqttTopicConfigProperty:
+        def __init__(
+            self,
+            *,
+            execution_role_arn: builtins.str,
+            mqtt_topic_arn: builtins.str,
+        ) -> None:
+            '''
+            :param execution_role_arn: 
+            :param mqtt_topic_arn: 
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-campaign-mqtttopicconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_iotfleetwise as iotfleetwise
+                
+                mqtt_topic_config_property = iotfleetwise.CfnCampaign.MqttTopicConfigProperty(
+                    execution_role_arn="executionRoleArn",
+                    mqtt_topic_arn="mqttTopicArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__209686ec18cb4107b2d1b131e663816da747fda2930c62c84213e6efecdbbb97)
+                check_type(argname="argument execution_role_arn", value=execution_role_arn, expected_type=type_hints["execution_role_arn"])
+                check_type(argname="argument mqtt_topic_arn", value=mqtt_topic_arn, expected_type=type_hints["mqtt_topic_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "execution_role_arn": execution_role_arn,
+                "mqtt_topic_arn": mqtt_topic_arn,
+            }
+
+        @builtins.property
+        def execution_role_arn(self) -> builtins.str:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-campaign-mqtttopicconfig.html#cfn-iotfleetwise-campaign-mqtttopicconfig-executionrolearn
+            '''
+            result = self._values.get("execution_role_arn")
+            assert result is not None, "Required property 'execution_role_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def mqtt_topic_arn(self) -> builtins.str:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iotfleetwise-campaign-mqtttopicconfig.html#cfn-iotfleetwise-campaign-mqtttopicconfig-mqtttopicarn
+            '''
+            result = self._values.get("mqtt_topic_arn")
+            assert result is not None, "Required property 'mqtt_topic_arn' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "MqttTopicConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_iotfleetwise.CfnCampaign.S3ConfigProperty",
         jsii_struct_bases=[],
@@ -1260,6 +1355,10 @@ class CfnCampaignProps:
                 # the properties below are optional
                 compression="compression",
                 data_destination_configs=[iotfleetwise.CfnCampaign.DataDestinationConfigProperty(
+                    mqtt_topic_config=iotfleetwise.CfnCampaign.MqttTopicConfigProperty(
+                        execution_role_arn="executionRoleArn",
+                        mqtt_topic_arn="mqttTopicArn"
+                    ),
                     s3_config=iotfleetwise.CfnCampaign.S3ConfigProperty(
                         bucket_arn="bucketArn",
             
@@ -6037,12 +6136,21 @@ def _typecheckingstub__dd3351de9470a98f13f006dd95deedef6c30dbfc08cdfe7bde2b9d950
 
 def _typecheckingstub__a76d3ecac8a3286ba64142d7bb2621dd82495be58438bdb339be1559bb8129f3(
     *,
+    mqtt_topic_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCampaign.MqttTopicConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     s3_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCampaign.S3ConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     timestream_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCampaign.TimestreamConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__209686ec18cb4107b2d1b131e663816da747fda2930c62c84213e6efecdbbb97(
+    *,
+    execution_role_arn: builtins.str,
+    mqtt_topic_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__cb82e0c92a9fdd48764ec7ba91d5dabd16d19776d63621d9b09fba43e604eb8a(
     *,
     bucket_arn: builtins.str,

aws_cdk/aws_kms/__init__.py

@@ -708,10 +708,49 @@ class CfnKey(
 
     Example::
 
-        # cfn_template: cfn_inc.CfnInclude
+        import aws_cdk.aws_kms as kms
         
-        cfn_key = cfn_template.get_resource("Key")
-        key = kms.Key.from_cfn_key(cfn_key)
+        
+        kms_key = kms.Key(self, "myKMSKey")
+        my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
+            encryption=s3.BucketEncryption.KMS,
+            encryption_key=kms_key,
+            object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
+        )
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+            )
+        )
+        
+        # Add the following to scope down the key policy
+        scoped_down_key_policy = {
+            "Version": "2012-10-17",
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "arn:aws:iam::111122223333:root"
+                },
+                "Action": "kms:*",
+                "Resource": "*"
+            }, {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "cloudfront.amazonaws.com"
+                },
+                "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
+                    }
+                }
+            }
+            ]
+        }
+        cfn_key = (kms_key.node.default_child)
+        cfn_key.key_policy = scoped_down_key_policy
     '''
 
     def __init__(
@@ -2086,15 +2125,19 @@ class Key(
 
     Example::
 
-        # destination_bucket: s3.Bucket
+        import aws_cdk.aws_kms as kms
         
-        source_bucket = s3.Bucket.from_bucket_attributes(self, "SourceBucket",
-            bucket_arn="arn:aws:s3:::my-source-bucket-name",
-            encryption_key=kms.Key.from_key_arn(self, "SourceBucketEncryptionKey", "arn:aws:kms:us-east-1:123456789012:key/<key-id>")
+        
+        my_kms_key = kms.Key(self, "myKMSKey")
+        my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
+            encryption=s3.BucketEncryption.KMS,
+            encryption_key=my_kms_key,
+            object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
         )
-        deployment = s3deploy.BucketDeployment(self, "DeployFiles",
-            sources=[s3deploy.Source.bucket(source_bucket, "source.zip")],
-            destination_bucket=destination_bucket
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+            )
         )
     '''