aws-cdk-lib 2.159.1__py3-none-any.whl → 2.160.0__py3-none-any.whl

aws_cdk/aws_stepfunctions/__init__.py

@@ -940,6 +940,132 @@ sfn.StateMachine(self, "MyStateMachine",
 )
 ```
 
+## Encryption
+
+You can encrypt your data using a customer managed key for AWS Step Functions state machines and activities. You can configure a symmetric AWS KMS key and data key reuse period when creating or updating a State Machine or when creating an Activity. The execution history and state machine definition will be encrypted with the key applied to the State Machine. Activity inputs will be encrypted with the key applied to the Activity.
+
+### Encrypting state machines
+
+You can provide a symmetric KMS key to encrypt the state machine definition and execution history:
+
+```python
+import aws_cdk.aws_kms as kms
+import aws_cdk as cdk
+
+
+kms_key = kms.Key(self, "Key")
+state_machine = sfn.StateMachine(self, "StateMachineWithCMKEncryptionConfiguration",
+    state_machine_name="StateMachineWithCMKEncryptionConfiguration",
+    definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+    state_machine_type=sfn.StateMachineType.STANDARD,
+    encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(60))
+)
+```
+
+### Encrypting state machine logs in Cloud Watch Logs
+
+If a state machine is encrypted with a customer managed key and has logging enabled, its decrypted execution history will be stored in CloudWatch Logs. If you want to encrypt the logs from the state machine using your own KMS key, you can do so by configuring the `LogGroup` associated with the state machine to use a KMS key.
+
+```python
+import aws_cdk.aws_kms as kms
+import aws_cdk as cdk
+import aws_cdk.aws_logs as logs
+
+
+state_machine_kms_key = kms.Key(self, "StateMachine Key")
+log_group_key = kms.Key(self, "LogGroup Key")
+
+#
+#   Required KMS key policy which allows the CloudWatchLogs service principal to encrypt the entire log group using the
+#   customer managed kms key. See: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html#cmk-permissions
+#
+log_group_key.add_to_resource_policy(cdk.aws_iam.PolicyStatement(
+    resources=["*"],
+    actions=["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
+    principals=[cdk.aws_iam.ServicePrincipal(f"logs.{cdk.Stack.of(this).region}.amazonaws.com")],
+    conditions={
+        "ArnEquals": {
+            "kms:EncryptionContext:aws:logs:arn": cdk.Stack.of(self).format_arn(
+                service="logs",
+                resource="log-group",
+                sep=":",
+                resource_name="/aws/vendedlogs/states/MyLogGroup"
+            )
+        }
+    }
+))
+
+# Create logGroup and provding encryptionKey which will be used to encrypt the log group
+log_group = logs.LogGroup(self, "MyLogGroup",
+    log_group_name="/aws/vendedlogs/states/MyLogGroup",
+    encryption_key=log_group_key
+)
+
+# Create state machine with CustomerManagedEncryptionConfiguration
+state_machine = sfn.StateMachine(self, "StateMachineWithCMKWithCWLEncryption",
+    state_machine_name="StateMachineWithCMKWithCWLEncryption",
+    definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "PassState",
+        result=sfn.Result.from_string("Hello World")
+    ))),
+    state_machine_type=sfn.StateMachineType.STANDARD,
+    encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(state_machine_kms_key),
+    logs=sfn.LogOptions(
+        destination=log_group,
+        level=sfn.LogLevel.ALL,
+        include_execution_data=True
+    )
+)
+```
+
+### Encrypting activity inputs
+
+When you provide a symmetric KMS key, all inputs from the Step Functions Activity will be encrypted using the provided KMS key:
+
+```python
+import aws_cdk.aws_kms as kms
+import aws_cdk as cdk
+
+
+kms_key = kms.Key(self, "Key")
+activity = sfn.Activity(self, "ActivityWithCMKEncryptionConfiguration",
+    activity_name="ActivityWithCMKEncryptionConfiguration",
+    encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(75))
+)
+```
+
+### Changing Encryption
+
+If you want to switch encryption from a customer provided key to a Step Functions owned key or vice-versa you must explicitly provide `encryptionConfiguration?`
+
+#### Example: Switching from a customer managed key to a Step Functions owned key for StateMachine
+
+#### Before
+
+```python
+import aws_cdk.aws_kms as kms
+import aws_cdk as cdk
+
+
+kms_key = kms.Key(self, "Key")
+state_machine = sfn.StateMachine(self, "StateMachine",
+    state_machine_name="StateMachine",
+    definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+    state_machine_type=sfn.StateMachineType.STANDARD,
+    encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(60))
+)
+```
+
+#### After
+
+```python
+state_machine = sfn.StateMachine(self, "StateMachine",
+    state_machine_name="StateMachine",
+    definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+    state_machine_type=sfn.StateMachineType.STANDARD,
+    encryption_configuration=sfn.AwsOwnedEncryptionConfiguration()
+)
+```
+
 ## X-Ray tracing
 
 Enable X-Ray tracing for StateMachine:
@@ -1149,6 +1275,7 @@ from ..aws_iam import (
     IRole as _IRole_235f5d8e,
     PolicyStatement as _PolicyStatement_0fe33853,
 )
+from ..aws_kms import IKey as _IKey_5f11635f
 from ..aws_logs import ILogGroup as _ILogGroup_3c4fa718
 from ..aws_s3 import IBucket as _IBucket_42e086fd
 from ..aws_s3_assets import AssetOptions as _AssetOptions_2aa69621
@@ -1157,32 +1284,46 @@ from ..aws_s3_assets import AssetOptions as _AssetOptions_2aa69621
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_stepfunctions.ActivityProps",
     jsii_struct_bases=[],
-    name_mapping={"activity_name": "activityName"},
+    name_mapping={
+        "activity_name": "activityName",
+        "encryption_configuration": "encryptionConfiguration",
+    },
 )
 class ActivityProps:
-    def __init__(self, *, activity_name: typing.Optional[builtins.str] = None) -> None:
+    def __init__(
+        self,
+        *,
+        activity_name: typing.Optional[builtins.str] = None,
+        encryption_configuration: typing.Optional["EncryptionConfiguration"] = None,
+    ) -> None:
         '''Properties for defining a new Step Functions Activity.
 
         :param activity_name: The name for this activity. Default: - If not supplied, a name is generated
+        :param encryption_configuration: The encryptionConfiguration object used for server-side encryption of the activity inputs. Default: - data is transparently encrypted using an AWS owned key
 
-        :exampleMetadata: fixture=_generated
+        :exampleMetadata: infused
 
         Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_stepfunctions as stepfunctions
+            import aws_cdk.aws_kms as kms
+            import aws_cdk as cdk
+            
             
-            activity_props = stepfunctions.ActivityProps(
-                activity_name="activityName"
+            kms_key = kms.Key(self, "Key")
+            activity = sfn.Activity(self, "ActivityWithCMKEncryptionConfiguration",
+                activity_name="ActivityWithCMKEncryptionConfiguration",
+                encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(75))
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b22b644ed0224ed8911beae00f4c015272b0b6846f925702d315e05b17bfc26e)
             check_type(argname="argument activity_name", value=activity_name, expected_type=type_hints["activity_name"])
+            check_type(argname="argument encryption_configuration", value=encryption_configuration, expected_type=type_hints["encryption_configuration"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if activity_name is not None:
             self._values["activity_name"] = activity_name
+        if encryption_configuration is not None:
+            self._values["encryption_configuration"] = encryption_configuration
 
     @builtins.property
     def activity_name(self) -> typing.Optional[builtins.str]:
@@ -1193,6 +1334,15 @@ class ActivityProps:
         result = self._values.get("activity_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def encryption_configuration(self) -> typing.Optional["EncryptionConfiguration"]:
+        '''The encryptionConfiguration object used for server-side encryption of the activity inputs.
+
+        :default: - data is transparently encrypted using an AWS owned key
+        '''
+        result = self._values.get("encryption_configuration")
+        return typing.cast(typing.Optional["EncryptionConfiguration"], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -5033,15 +5183,16 @@ class DefinitionBody(
 
     Example::
 
-        state_machine = stepfunctions.StateMachine(self, "SM",
-            definition_body=stepfunctions.DefinitionBody.from_chainable(stepfunctions.Wait(self, "Hello", time=stepfunctions.WaitTime.duration(Duration.seconds(10))))
-        )
+        import aws_cdk.aws_kms as kms
+        import aws_cdk as cdk
+        
         
-        iot.TopicRule(self, "TopicRule",
-            sql=iot.IotSql.from_string_as_ver20160323("SELECT * FROM 'device/+/data'"),
-            actions=[
-                actions.StepFunctionsStateMachineAction(state_machine)
-            ]
+        kms_key = kms.Key(self, "Key")
+        state_machine = sfn.StateMachine(self, "StateMachineWithCMKEncryptionConfiguration",
+            state_machine_name="StateMachineWithCMKEncryptionConfiguration",
+            definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+            state_machine_type=sfn.StateMachineType.STANDARD,
+            encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(60))
         )
     '''
 
@@ -5246,6 +5397,62 @@ class DefinitionConfig:
         )
 
 
+class EncryptionConfiguration(
+    metaclass=jsii.JSIIAbstractClass,
+    jsii_type="aws-cdk-lib.aws_stepfunctions.EncryptionConfiguration",
+):
+    '''Base class for creating an EncryptionConfiguration for either state machines or activities.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_kms as kms
+        import aws_cdk as cdk
+        
+        
+        kms_key = kms.Key(self, "Key")
+        state_machine = sfn.StateMachine(self, "StateMachineWithCMKEncryptionConfiguration",
+            state_machine_name="StateMachineWithCMKEncryptionConfiguration",
+            definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+            state_machine_type=sfn.StateMachineType.STANDARD,
+            encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(60))
+        )
+    '''
+
+    def __init__(self, type: builtins.str) -> None:
+        '''
+        :param type: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__c113cc29a83ef32340618ec6ac8314a8dcfa2f673103f63dd377e6550c5fa288)
+            check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+        jsii.create(self.__class__, self, [type])
+
+    @builtins.property
+    @jsii.member(jsii_name="type")
+    def type(self) -> builtins.str:
+        '''Encryption option for the state machine or activity.
+
+        Can be either CUSTOMER_MANAGED_KMS_KEY or AWS_OWNED_KEY.
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "type"))
+
+    @type.setter
+    def type(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8a2804b763864fbee1b32e3adb87dca68d59b11748f0449749b31ff8c5f91264)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "type", value) # pyright: ignore[reportArgumentType]
+
+
+class _EncryptionConfigurationProxy(EncryptionConfiguration):
+    pass
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the abstract class
+typing.cast(typing.Any, EncryptionConfiguration).__jsii_proxy_class__ = lambda : _EncryptionConfigurationProxy
+
+
 class Errors(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_stepfunctions.Errors"):
     '''Predefined error strings Error names in Amazon States Language - https://states-language.net/spec.html#appendix-a Error handling in Step Functions - https://docs.aws.amazon.com/step-functions/latest/dg/concepts-error-handling.html.
 
@@ -5722,6 +5929,15 @@ class IActivity(_IResource_c80c4260, typing_extensions.Protocol):
         '''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="encryptionConfiguration")
+    def encryption_configuration(self) -> typing.Optional[EncryptionConfiguration]:
+        '''The encryptionConfiguration object used for server-side encryption of the activity inputs.
+
+        :attribute: true
+        '''
+        ...
+
 
 class _IActivityProxy(
     jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
@@ -5748,6 +5964,15 @@ class _IActivityProxy(
         '''
         return typing.cast(builtins.str, jsii.get(self, "activityName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="encryptionConfiguration")
+    def encryption_configuration(self) -> typing.Optional[EncryptionConfiguration]:
+        '''The encryptionConfiguration object used for server-side encryption of the activity inputs.
+
+        :attribute: true
+        '''
+        return typing.cast(typing.Optional[EncryptionConfiguration], jsii.get(self, "encryptionConfiguration"))
+
 # Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
 typing.cast(typing.Any, IActivity).__jsii_proxy_class__ = lambda : _IActivityProxy
 
@@ -10419,6 +10644,7 @@ class StateMachine(
         definition: typing.Optional[IChainable] = None,
         definition_body: typing.Optional[DefinitionBody] = None,
         definition_substitutions: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        encryption_configuration: typing.Optional[EncryptionConfiguration] = None,
         logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
         role: typing.Optional[_IRole_235f5d8e] = None,
@@ -10434,6 +10660,7 @@ class StateMachine(
         :param definition: (deprecated) Definition for this state machine.
         :param definition_body: Definition for this state machine.
         :param definition_substitutions: substitutions for the definition body as a key-value map.
+        :param encryption_configuration: Configures server-side encryption of the state machine definition and execution history. Default: - data is transparently encrypted using an AWS owned key
         :param logs: Defines what execution history events are logged and where they are logged. Default: No logging
         :param removal_policy: The removal policy to apply to state machine. Default: RemovalPolicy.DESTROY
         :param role: The execution role for the state machine service. Default: A role is automatically created
@@ -10451,6 +10678,7 @@ class StateMachine(
             definition=definition,
             definition_body=definition_body,
             definition_substitutions=definition_substitutions,
+            encryption_configuration=encryption_configuration,
             logs=logs,
             removal_policy=removal_policy,
             role=role,
@@ -11129,6 +11357,7 @@ typing.cast(typing.Any, StateMachineFragment).__jsii_proxy_class__ = lambda : _S
         "definition": "definition",
         "definition_body": "definitionBody",
         "definition_substitutions": "definitionSubstitutions",
+        "encryption_configuration": "encryptionConfiguration",
         "logs": "logs",
         "removal_policy": "removalPolicy",
         "role": "role",
@@ -11146,6 +11375,7 @@ class StateMachineProps:
         definition: typing.Optional[IChainable] = None,
         definition_body: typing.Optional[DefinitionBody] = None,
         definition_substitutions: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        encryption_configuration: typing.Optional[EncryptionConfiguration] = None,
         logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
         role: typing.Optional[_IRole_235f5d8e] = None,
@@ -11160,6 +11390,7 @@ class StateMachineProps:
         :param definition: (deprecated) Definition for this state machine.
         :param definition_body: Definition for this state machine.
         :param definition_substitutions: substitutions for the definition body as a key-value map.
+        :param encryption_configuration: Configures server-side encryption of the state machine definition and execution history. Default: - data is transparently encrypted using an AWS owned key
         :param logs: Defines what execution history events are logged and where they are logged. Default: No logging
         :param removal_policy: The removal policy to apply to state machine. Default: RemovalPolicy.DESTROY
         :param role: The execution role for the state machine service. Default: A role is automatically created
@@ -11199,6 +11430,7 @@ class StateMachineProps:
             check_type(argname="argument definition", value=definition, expected_type=type_hints["definition"])
             check_type(argname="argument definition_body", value=definition_body, expected_type=type_hints["definition_body"])
             check_type(argname="argument definition_substitutions", value=definition_substitutions, expected_type=type_hints["definition_substitutions"])
+            check_type(argname="argument encryption_configuration", value=encryption_configuration, expected_type=type_hints["encryption_configuration"])
             check_type(argname="argument logs", value=logs, expected_type=type_hints["logs"])
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
             check_type(argname="argument role", value=role, expected_type=type_hints["role"])
@@ -11215,6 +11447,8 @@ class StateMachineProps:
             self._values["definition_body"] = definition_body
         if definition_substitutions is not None:
             self._values["definition_substitutions"] = definition_substitutions
+        if encryption_configuration is not None:
+            self._values["encryption_configuration"] = encryption_configuration
         if logs is not None:
             self._values["logs"] = logs
         if removal_policy is not None:
@@ -11264,6 +11498,15 @@ class StateMachineProps:
         result = self._values.get("definition_substitutions")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def encryption_configuration(self) -> typing.Optional[EncryptionConfiguration]:
+        '''Configures server-side encryption of the state machine definition and execution history.
+
+        :default: - data is transparently encrypted using an AWS owned key
+        '''
+        result = self._values.get("encryption_configuration")
+        return typing.cast(typing.Optional[EncryptionConfiguration], result)
+
     @builtins.property
     def logs(self) -> typing.Optional[LogOptions]:
         '''Defines what execution history events are logged and where they are logged.
@@ -11350,13 +11593,16 @@ class StateMachineType(enum.Enum):
 
     Example::
 
-        distributed_map = sfn.DistributedMap(self, "DistributedMap",
-            map_execution_type=sfn.StateMachineType.EXPRESS
-        )
+        import aws_cdk.aws_kms as kms
+        import aws_cdk as cdk
         
-        distributed_map.item_processor(sfn.Pass(self, "Pass"),
-            mode=sfn.ProcessorMode.DISTRIBUTED,
-            execution_type=sfn.ProcessorType.STANDARD
+        
+        kms_key = kms.Key(self, "Key")
+        state_machine = sfn.StateMachine(self, "StateMachineWithCMKEncryptionConfiguration",
+            state_machine_name="StateMachineWithCMKEncryptionConfiguration",
+            definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+            state_machine_type=sfn.StateMachineType.STANDARD,
+            encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(60))
         )
     '''
 
@@ -13539,17 +13785,22 @@ class Activity(
         id: builtins.str,
         *,
         activity_name: typing.Optional[builtins.str] = None,
+        encryption_configuration: typing.Optional[EncryptionConfiguration] = None,
     ) -> None:
         '''
         :param scope: -
         :param id: -
         :param activity_name: The name for this activity. Default: - If not supplied, a name is generated
+        :param encryption_configuration: The encryptionConfiguration object used for server-side encryption of the activity inputs. Default: - data is transparently encrypted using an AWS owned key
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__a9e3c9e855deb3c2b532345b0d2587dc14ad685d296794311bbf280ab9f6b10d)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        props = ActivityProps(activity_name=activity_name)
+        props = ActivityProps(
+            activity_name=activity_name,
+            encryption_configuration=encryption_configuration,
+        )
 
         jsii.create(self.__class__, self, [scope, id, props])
 
@@ -14025,6 +14276,38 @@ class Activity(
         '''
         return typing.cast(builtins.str, jsii.get(self, "activityName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="encryptionConfiguration")
+    def encryption_configuration(self) -> typing.Optional[EncryptionConfiguration]:
+        '''The encryptionConfiguration object used for server-side encryption of the activity inputs.
+
+        :attribute: true
+        '''
+        return typing.cast(typing.Optional[EncryptionConfiguration], jsii.get(self, "encryptionConfiguration"))
+
+
+class AwsOwnedEncryptionConfiguration(
+    EncryptionConfiguration,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_stepfunctions.AwsOwnedEncryptionConfiguration",
+):
+    '''Define a new AwsOwnedEncryptionConfiguration.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        state_machine = sfn.StateMachine(self, "StateMachine",
+            state_machine_name="StateMachine",
+            definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+            state_machine_type=sfn.StateMachineType.STANDARD,
+            encryption_configuration=sfn.AwsOwnedEncryptionConfiguration()
+        )
+    '''
+
+    def __init__(self) -> None:
+        jsii.create(self.__class__, self, [])
+
 
 @jsii.implements(IChainable)
 class Chain(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_stepfunctions.Chain"):
@@ -14541,6 +14824,68 @@ class CustomState(
         return typing.cast(typing.List[INextable], jsii.get(self, "endStates"))
 
 
+class CustomerManagedEncryptionConfiguration(
+    EncryptionConfiguration,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_stepfunctions.CustomerManagedEncryptionConfiguration",
+):
+    '''Define a new CustomerManagedEncryptionConfiguration.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_kms as kms
+        import aws_cdk as cdk
+        
+        
+        kms_key = kms.Key(self, "Key")
+        state_machine = sfn.StateMachine(self, "StateMachineWithCMKEncryptionConfiguration",
+            state_machine_name="StateMachineWithCMKEncryptionConfiguration",
+            definition_body=sfn.DefinitionBody.from_chainable(sfn.Chain.start(sfn.Pass(self, "Pass"))),
+            state_machine_type=sfn.StateMachineType.STANDARD,
+            encryption_configuration=sfn.CustomerManagedEncryptionConfiguration(kms_key, cdk.Duration.seconds(60))
+        )
+    '''
+
+    def __init__(
+        self,
+        kms_key: _IKey_5f11635f,
+        kms_data_key_reuse_period_seconds: typing.Optional[_Duration_4839e8c3] = None,
+    ) -> None:
+        '''
+        :param kms_key: -
+        :param kms_data_key_reuse_period_seconds: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__49c419f1b0cde6ecd2360bc2aeba72512cfc8d5f6b3745284a5b2819a1fc37bf)
+            check_type(argname="argument kms_key", value=kms_key, expected_type=type_hints["kms_key"])
+            check_type(argname="argument kms_data_key_reuse_period_seconds", value=kms_data_key_reuse_period_seconds, expected_type=type_hints["kms_data_key_reuse_period_seconds"])
+        jsii.create(self.__class__, self, [kms_key, kms_data_key_reuse_period_seconds])
+
+    @builtins.property
+    @jsii.member(jsii_name="kmsKey")
+    def kms_key(self) -> _IKey_5f11635f:
+        '''The symmetric customer managed KMS key for server-side encryption of the state machine definition, and execution history or activity inputs.
+
+        Step Functions will reuse the key for a maximum of ``kmsDataKeyReusePeriodSeconds``.
+
+        :default: - data is transparently encrypted using an AWS owned key
+        '''
+        return typing.cast(_IKey_5f11635f, jsii.get(self, "kmsKey"))
+
+    @builtins.property
+    @jsii.member(jsii_name="kmsDataKeyReusePeriodSeconds")
+    def kms_data_key_reuse_period_seconds(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Maximum duration that Step Functions will reuse customer managed data keys. When the period expires, Step Functions will call GenerateDataKey.
+
+        Must be between 60 and 900 seconds.
+
+        :default: Duration.seconds(300)
+        '''
+        return typing.cast(typing.Optional[_Duration_4839e8c3], jsii.get(self, "kmsDataKeyReusePeriodSeconds"))
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_stepfunctions.DistributedMapProps",
     jsii_struct_bases=[MapBaseProps],
@@ -15305,17 +15650,26 @@ class Pass(
 
     Example::
 
-        choice = sfn.Choice(self, "Did it work?")
+        # Define a state machine with one Pass state
+        child = sfn.StateMachine(self, "ChildStateMachine",
+            definition=sfn.Chain.start(sfn.Pass(self, "PassState"))
+        )
         
-        # Add conditions with .when()
-        success_state = sfn.Pass(self, "SuccessState")
-        failure_state = sfn.Pass(self, "FailureState")
-        choice.when(sfn.Condition.string_equals("$.status", "SUCCESS"), success_state)
-        choice.when(sfn.Condition.number_greater_than("$.attempts", 5), failure_state)
+        # Include the state machine in a Task state with callback pattern
+        task = tasks.StepFunctionsStartExecution(self, "ChildTask",
+            state_machine=child,
+            integration_pattern=sfn.IntegrationPattern.WAIT_FOR_TASK_TOKEN,
+            input=sfn.TaskInput.from_object({
+                "token": sfn.JsonPath.task_token,
+                "foo": "bar"
+            }),
+            name="MyExecutionName"
+        )
         
-        # Use .otherwise() to indicate what should be done if none of the conditions match
-        try_again_state = sfn.Pass(self, "TryAgainState")
-        choice.otherwise(try_again_state)
+        # Define a second state machine with the Task state above
+        sfn.StateMachine(self, "ParentStateMachine",
+            definition=task
+        )
     '''
 
     def __init__(
@@ -15918,6 +16272,7 @@ __all__ = [
     "Activity",
     "ActivityProps",
     "AfterwardsOptions",
+    "AwsOwnedEncryptionConfiguration",
     "CatchProps",
     "CfnActivity",
     "CfnActivityProps",
@@ -15938,10 +16293,12 @@ __all__ = [
     "CsvHeaders",
     "CustomState",
     "CustomStateProps",
+    "CustomerManagedEncryptionConfiguration",
     "DefinitionBody",
     "DefinitionConfig",
     "DistributedMap",
     "DistributedMapProps",
+    "EncryptionConfiguration",
     "Errors",
     "Fail",
     "FailProps",
@@ -16013,6 +16370,7 @@ publication.publish()
 def _typecheckingstub__b22b644ed0224ed8911beae00f4c015272b0b6846f925702d315e05b17bfc26e(
     *,
     activity_name: typing.Optional[builtins.str] = None,
+    encryption_configuration: typing.Optional[EncryptionConfiguration] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -16800,6 +17158,18 @@ def _typecheckingstub__0110b36a0362589a48107daf28e3afe725be68dbbc869656e5a397d95
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__c113cc29a83ef32340618ec6ac8314a8dcfa2f673103f63dd377e6550c5fa288(
+    type: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8a2804b763864fbee1b32e3adb87dca68d59b11748f0449749b31ff8c5f91264(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__e34991edae92aa24b2bb75c9df693e2185f13c40aaf16ee220fc07ef991eaa7c(
     *,
     cause: typing.Optional[builtins.str] = None,
@@ -17424,6 +17794,7 @@ def _typecheckingstub__efdfc02291401a50a1d945e5208e9becb9828352fec32bc109ccebafc
     definition: typing.Optional[IChainable] = None,
     definition_body: typing.Optional[DefinitionBody] = None,
     definition_substitutions: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    encryption_configuration: typing.Optional[EncryptionConfiguration] = None,
     logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     role: typing.Optional[_IRole_235f5d8e] = None,
@@ -17535,6 +17906,7 @@ def _typecheckingstub__24d23b501c893898901860f31ff1a0a0fa81eb89f06a7acf3eef4f15e
     definition: typing.Optional[IChainable] = None,
     definition_body: typing.Optional[DefinitionBody] = None,
     definition_substitutions: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    encryption_configuration: typing.Optional[EncryptionConfiguration] = None,
     logs: typing.Optional[typing.Union[LogOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     role: typing.Optional[_IRole_235f5d8e] = None,
@@ -17791,6 +18163,7 @@ def _typecheckingstub__a9e3c9e855deb3c2b532345b0d2587dc14ad685d296794311bbf280ab
     id: builtins.str,
     *,
     activity_name: typing.Optional[builtins.str] = None,
+    encryption_configuration: typing.Optional[EncryptionConfiguration] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -17939,6 +18312,13 @@ def _typecheckingstub__c55cf19adb97a87b3d9f8561497d58ec4f0dc221883c0d757f4bec5f4
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__49c419f1b0cde6ecd2360bc2aeba72512cfc8d5f6b3745284a5b2819a1fc37bf(
+    kms_key: _IKey_5f11635f,
+    kms_data_key_reuse_period_seconds: typing.Optional[_Duration_4839e8c3] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__e484af477b46c0e70f635ed9610c7183f70c2184fd7a48f091a5477df9ee3d5d(
     *,
     comment: typing.Optional[builtins.str] = None,