aws-cdk-lib 2.162.0__py3-none-any.whl → 2.163.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -2105,6 +2105,23 @@ instance = ec2.Instance(self, "Instance",
 > NOTE: You must use an instance type and operating system that support Nitro Enclaves.
 > For more information, see [Requirements](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-reqs).
 
+### Enabling Termination Protection
+
+You can enable [Termination Protection](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_ChangingDisableAPITermination.html) for
+your EC2 instances by setting the `disableApiTermination` property to `true`. Termination Protection controls whether the instance can be terminated using the AWS Management Console, AWS Command Line Interface (AWS CLI), or API.
+
+```python
+# vpc: ec2.Vpc
+
+
+instance = ec2.Instance(self, "Instance",
+    instance_type=ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.XLARGE),
+    machine_image=ec2.AmazonLinuxImage(),
+    vpc=vpc,
+    disable_api_termination=True
+)
+```
+
 ### Enabling Instance Hibernation
 
 You can enable [Instance Hibernation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) for
@@ -5069,6 +5086,7 @@ class AwsIpamProps:
         "require_imdsv2": "requireImdsv2",
         "security_group": "securityGroup",
         "subnet_selection": "subnetSelection",
+        "user_data_causes_replacement": "userDataCausesReplacement",
     },
 )
 class BastionHostLinuxProps:
@@ -5086,6 +5104,7 @@ class BastionHostLinuxProps:
         require_imdsv2: typing.Optional[builtins.bool] = None,
         security_group: typing.Optional["ISecurityGroup"] = None,
         subnet_selection: typing.Optional[typing.Union["SubnetSelection", typing.Dict[builtins.str, typing.Any]]] = None,
+        user_data_causes_replacement: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''Properties of the bastion host.
 
@@ -5100,6 +5119,7 @@ class BastionHostLinuxProps:
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
         :param security_group: Security Group to assign to this instance. Default: - create new security group with no inbound and all outbound traffic allowed
         :param subnet_selection: Select the subnets to run the bastion host in. Set this to PUBLIC if you need to connect to this instance via the internet and cannot use SSM. You have to allow port 22 manually by using the connections field Default: - private subnets of the supplied VPC
+        :param user_data_causes_replacement: Determines whether changes to the UserData will force instance replacement. Depending on the EC2 instance type, modifying the UserData may either restart or replace the instance: - Instance store-backed instances are replaced. - EBS-backed instances are restarted. Note that by default, restarting does not execute the updated UserData, so an alternative mechanism is needed to ensure the instance re-executes the UserData. When set to ``true``, the instance's Logical ID will depend on the UserData, causing CloudFormation to replace the instance if the UserData changes. Default: - ``true`` if ``initOptions`` is specified, otherwise ``false``.
 
         :exampleMetadata: fixture=with-vpc infused
 
@@ -5132,6 +5152,7 @@ class BastionHostLinuxProps:
             check_type(argname="argument require_imdsv2", value=require_imdsv2, expected_type=type_hints["require_imdsv2"])
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
             check_type(argname="argument subnet_selection", value=subnet_selection, expected_type=type_hints["subnet_selection"])
+            check_type(argname="argument user_data_causes_replacement", value=user_data_causes_replacement, expected_type=type_hints["user_data_causes_replacement"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "vpc": vpc,
         }
@@ -5155,6 +5176,8 @@ class BastionHostLinuxProps:
             self._values["security_group"] = security_group
         if subnet_selection is not None:
             self._values["subnet_selection"] = subnet_selection
+        if user_data_causes_replacement is not None:
+            self._values["user_data_causes_replacement"] = user_data_causes_replacement
 
     @builtins.property
     def vpc(self) -> "IVpc":
@@ -5268,6 +5291,27 @@ class BastionHostLinuxProps:
         result = self._values.get("subnet_selection")
         return typing.cast(typing.Optional["SubnetSelection"], result)
 
+    @builtins.property
+    def user_data_causes_replacement(self) -> typing.Optional[builtins.bool]:
+        '''Determines whether changes to the UserData will force instance replacement.
+
+        Depending on the EC2 instance type, modifying the UserData may either restart
+        or replace the instance:
+
+        - Instance store-backed instances are replaced.
+        - EBS-backed instances are restarted.
+
+        Note that by default, restarting does not execute the updated UserData, so an alternative
+        mechanism is needed to ensure the instance re-executes the UserData.
+
+        When set to ``true``, the instance's Logical ID will depend on the UserData, causing
+        CloudFormation to replace the instance if the UserData changes.
+
+        :default: - ``true`` if ``initOptions`` is specified, otherwise ``false``.
+        '''
+        result = self._values.get("user_data_causes_replacement")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -5566,7 +5610,8 @@ class CfnCapacityReservation(
                     value="value"
                 )]
             )],
-            tenancy="tenancy"
+            tenancy="tenancy",
+            unused_reservation_billing_owner_id="unusedReservationBillingOwnerId"
         )
     '''
 
@@ -5588,6 +5633,7 @@ class CfnCapacityReservation(
         placement_group_arn: typing.Optional[builtins.str] = None,
         tag_specifications: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCapacityReservation.TagSpecificationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         tenancy: typing.Optional[builtins.str] = None,
+        unused_reservation_billing_owner_id: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
@@ -5605,6 +5651,7 @@ class CfnCapacityReservation(
         :param placement_group_arn: The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation. For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
         :param tag_specifications: The tags to apply to the Capacity Reservation during launch.
         :param tenancy: Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the following tenancy settings:. - ``default`` - The Capacity Reservation is created on hardware that is shared with other AWS accounts . - ``dedicated`` - The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account .
+        :param unused_reservation_billing_owner_id: 
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__96fb3bc559aaa9df971e86ea7cdd3cdc3de550019a2d3bf247d3fb169b5e9f7e)
@@ -5624,6 +5671,7 @@ class CfnCapacityReservation(
             placement_group_arn=placement_group_arn,
             tag_specifications=tag_specifications,
             tenancy=tenancy,
+            unused_reservation_billing_owner_id=unused_reservation_billing_owner_id,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -5917,6 +5965,21 @@ class CfnCapacityReservation(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tenancy", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="unusedReservationBillingOwnerId")
+    def unused_reservation_billing_owner_id(self) -> typing.Optional[builtins.str]:
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "unusedReservationBillingOwnerId"))
+
+    @unused_reservation_billing_owner_id.setter
+    def unused_reservation_billing_owner_id(
+        self,
+        value: typing.Optional[builtins.str],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2a09cfe18a64a35ca3513da8b832d14a3961e5101708c3d59880377b4beea919)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "unusedReservationBillingOwnerId", value) # pyright: ignore[reportArgumentType]
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnCapacityReservation.TagSpecificationProperty",
         jsii_struct_bases=[],
@@ -6769,6 +6832,7 @@ class CfnCapacityReservationFleetProps:
         "placement_group_arn": "placementGroupArn",
         "tag_specifications": "tagSpecifications",
         "tenancy": "tenancy",
+        "unused_reservation_billing_owner_id": "unusedReservationBillingOwnerId",
     },
 )
 class CfnCapacityReservationProps:
@@ -6788,6 +6852,7 @@ class CfnCapacityReservationProps:
         placement_group_arn: typing.Optional[builtins.str] = None,
         tag_specifications: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCapacityReservation.TagSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         tenancy: typing.Optional[builtins.str] = None,
+        unused_reservation_billing_owner_id: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for defining a ``CfnCapacityReservation``.
 
@@ -6804,6 +6869,7 @@ class CfnCapacityReservationProps:
         :param placement_group_arn: The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation. For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
         :param tag_specifications: The tags to apply to the Capacity Reservation during launch.
         :param tenancy: Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the following tenancy settings:. - ``default`` - The Capacity Reservation is created on hardware that is shared with other AWS accounts . - ``dedicated`` - The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account .
+        :param unused_reservation_billing_owner_id: 
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html
         :exampleMetadata: fixture=_generated
@@ -6835,7 +6901,8 @@ class CfnCapacityReservationProps:
                         value="value"
                     )]
                 )],
-                tenancy="tenancy"
+                tenancy="tenancy",
+                unused_reservation_billing_owner_id="unusedReservationBillingOwnerId"
             )
         '''
         if __debug__:
@@ -6853,6 +6920,7 @@ class CfnCapacityReservationProps:
             check_type(argname="argument placement_group_arn", value=placement_group_arn, expected_type=type_hints["placement_group_arn"])
             check_type(argname="argument tag_specifications", value=tag_specifications, expected_type=type_hints["tag_specifications"])
             check_type(argname="argument tenancy", value=tenancy, expected_type=type_hints["tenancy"])
+            check_type(argname="argument unused_reservation_billing_owner_id", value=unused_reservation_billing_owner_id, expected_type=type_hints["unused_reservation_billing_owner_id"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "availability_zone": availability_zone,
             "instance_count": instance_count,
@@ -6877,6 +6945,8 @@ class CfnCapacityReservationProps:
             self._values["tag_specifications"] = tag_specifications
         if tenancy is not None:
             self._values["tenancy"] = tenancy
+        if unused_reservation_billing_owner_id is not None:
+            self._values["unused_reservation_billing_owner_id"] = unused_reservation_billing_owner_id
 
     @builtins.property
     def availability_zone(self) -> builtins.str:
@@ -7032,6 +7102,14 @@ class CfnCapacityReservationProps:
         result = self._values.get("tenancy")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def unused_reservation_billing_owner_id(self) -> typing.Optional[builtins.str]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-unusedreservationbillingownerid
+        '''
+        result = self._values.get("unused_reservation_billing_owner_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -11735,13 +11813,13 @@ class CfnEC2Fleet(
 
                Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the `launch instance wizard <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html>`_ , or with the `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ API or `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ AWS CloudFormation resource, you can't specify ``InstanceRequirements`` .
 
-            For more information, see `Attribute-based instance type selection for EC2 Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ , `Attribute-based instance type selection for Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html>`_ , and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
+            For more information, see `Specify attributes for instance type selection for EC2 Fleet or Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
 
             :param accelerator_count: The minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips) on an instance. To exclude accelerator-enabled instance types, set ``Max`` to ``0`` . Default: No minimum or maximum limits
             :param accelerator_manufacturers: Indicates whether instance types must have accelerators by specific manufacturers. - For instance types with AWS devices, specify ``amazon-web-services`` . - For instance types with AMD devices, specify ``amd`` . - For instance types with Habana devices, specify ``habana`` . - For instance types with NVIDIA devices, specify ``nvidia`` . - For instance types with Xilinx devices, specify ``xilinx`` . Default: Any manufacturer
             :param accelerator_names: The accelerators that must be on the instance type. - For instance types with NVIDIA A10G GPUs, specify ``a10g`` . - For instance types with NVIDIA A100 GPUs, specify ``a100`` . - For instance types with NVIDIA H100 GPUs, specify ``h100`` . - For instance types with AWS Inferentia chips, specify ``inferentia`` . - For instance types with NVIDIA GRID K520 GPUs, specify ``k520`` . - For instance types with NVIDIA K80 GPUs, specify ``k80`` . - For instance types with NVIDIA M60 GPUs, specify ``m60`` . - For instance types with AMD Radeon Pro V520 GPUs, specify ``radeon-pro-v520`` . - For instance types with NVIDIA T4 GPUs, specify ``t4`` . - For instance types with NVIDIA T4G GPUs, specify ``t4g`` . - For instance types with Xilinx VU9P FPGAs, specify ``vu9p`` . - For instance types with NVIDIA V100 GPUs, specify ``v100`` . Default: Any accelerator
             :param accelerator_total_memory_mib: The minimum and maximum amount of total accelerator memory, in MiB. Default: No minimum or maximum limits
-            :param accelerator_types: The accelerator types that must be on the instance type. - To include instance types with GPU hardware, specify ``gpu`` . - To include instance types with FPGA hardware, specify ``fpga`` . - To include instance types with inference hardware, specify ``inference`` . Default: Any accelerator type
+            :param accelerator_types: The accelerator types that must be on the instance type. - To include instance types with GPU hardware, specify ``gpu`` . - To include instance types with FPGA hardware, specify ``fpga`` . Default: Any accelerator type
             :param allowed_instance_types: The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes. You can use strings with one or more wild cards, represented by an asterisk ( ``*`` ), to allow an instance type, size, or generation. The following are examples: ``m5.8xlarge`` , ``c5*.*`` , ``m5a.*`` , ``r*`` , ``*3*`` . For example, if you specify ``c5*`` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify ``m5a.*`` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types. .. epigraph:: If you specify ``AllowedInstanceTypes`` , you can't specify ``ExcludedInstanceTypes`` . Default: All instance types
             :param bare_metal: Indicates whether bare metal instance types must be included, excluded, or required. - To include bare metal instance types, specify ``included`` . - To require only bare metal instance types, specify ``required`` . - To exclude bare metal instance types, specify ``excluded`` . Default: ``excluded``
             :param baseline_ebs_bandwidth_mbps: The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see `Amazon EBS–optimized instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
@@ -11978,7 +12056,6 @@ class CfnEC2Fleet(
 
             - To include instance types with GPU hardware, specify ``gpu`` .
             - To include instance types with FPGA hardware, specify ``fpga`` .
-            - To include instance types with inference hardware, specify ``inference`` .
 
             Default: Any accelerator type
 
@@ -19488,7 +19565,7 @@ class CfnInstance(
         :param disable_api_termination: If you set this parameter to ``true`` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_ . Alternatively, if you set ``InstanceInitiatedShutdownBehavior`` to ``terminate`` , you can terminate the instance by running the shutdown command from the instance. Default: ``false``
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: ``false``
         :param elastic_gpu_specifications: An elastic GPU to associate with the instance. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024.
-        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
+        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference is no longer available.
         :param enclave_options: Indicates whether the instance is enabled for AWS Nitro Enclaves.
         :param hibernation_options: Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the `hibernation prerequisites <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html>`_ . For more information, see `Hibernate your Amazon EC2 instance <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html>`_ in the *Amazon EC2 User Guide* . You can't enable hibernation and AWS Nitro Enclaves on the same instance.
         :param host_id: If you specify host for the ``Affinity`` property, the ID of a dedicated host that the instance is associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available, compatible dedicated host in your account. This type of launch is called an untargeted launch. Note that for untargeted launches, you must have a compatible, dedicated host available to successfully launch instances.
@@ -22134,7 +22211,9 @@ class CfnInstanceConnectEndpoint(
 ):
     '''Creates an EC2 Instance Connect Endpoint.
 
-    An EC2 Instance Connect Endpoint allows you to connect to an instance, without requiring the instance to have a public IPv4 address. For more information, see `Connect to your instances without requiring a public IPv4 address using EC2 Instance Connect Endpoint <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html>`_ in the *Amazon EC2 User Guide* .
+    An EC2 Instance Connect Endpoint allows you to connect to an instance, without requiring the instance to have a public IPv4 address. For more information, see `Connect to your instances using EC2 Instance Connect Endpoint <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html>`_ in the *Amazon EC2 User Guide* .
+
+    With the replacement update behavior, AWS CloudFormation usually creates the new resource first, changes references to point to the new resource, and then deletes the old resource. However, you can create only one EC2 Instance Connect Endpoint per VPC, so the replacement process fails. If you need to modify an EC2 Instance Connect Endpoint, you must replace the resource manually.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html
     :cloudformationResource: AWS::EC2::InstanceConnectEndpoint
@@ -22560,7 +22639,7 @@ class CfnInstanceProps:
         :param disable_api_termination: If you set this parameter to ``true`` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_ . Alternatively, if you set ``InstanceInitiatedShutdownBehavior`` to ``terminate`` , you can terminate the instance by running the shutdown command from the instance. Default: ``false``
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: ``false``
         :param elastic_gpu_specifications: An elastic GPU to associate with the instance. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024.
-        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
+        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference is no longer available.
         :param enclave_options: Indicates whether the instance is enabled for AWS Nitro Enclaves.
         :param hibernation_options: Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the `hibernation prerequisites <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html>`_ . For more information, see `Hibernate your Amazon EC2 instance <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html>`_ in the *Amazon EC2 User Guide* . You can't enable hibernation and AWS Nitro Enclaves on the same instance.
         :param host_id: If you specify host for the ``Affinity`` property, the ID of a dedicated host that the instance is associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available, compatible dedicated host in your account. This type of launch is called an untargeted launch. Note that for untargeted launches, you must have a compatible, dedicated host available to successfully launch instances.
@@ -22982,7 +23061,7 @@ class CfnInstanceProps:
 
         .. epigraph::
 
-           Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
+           Amazon Elastic Inference is no longer available.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-elasticinferenceaccelerators
         '''
@@ -24900,7 +24979,7 @@ class CfnLaunchTemplate(
             :param delete_on_termination: Indicates whether the EBS volume is deleted on instance termination.
             :param encrypted: Indicates whether the EBS volume is encrypted. Encrypted volumes can only be attached to instances that support Amazon EBS encryption. If you are creating a volume from a snapshot, you can't specify an encryption value.
             :param iops: The number of I/O operations per second (IOPS). For ``gp3`` , ``io1`` , and ``io2`` volumes, this represents the number of IOPS that are provisioned for the volume. For ``gp2`` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. The following are the supported values for each volume type: - ``gp3`` : 3,000 - 16,000 IOPS - ``io1`` : 100 - 64,000 IOPS - ``io2`` : 100 - 256,000 IOPS For ``io2`` volumes, you can achieve up to 256,000 IOPS on `instances built on the Nitro System <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances>`_ . On other instances, you can achieve performance up to 32,000 IOPS. This parameter is supported for ``io1`` , ``io2`` , and ``gp3`` volumes only.
-            :param kms_key_id: The ARN of the symmetric AWS Key Management Service ( AWS KMS ) CMK used for encryption.
+            :param kms_key_id: Identifier (key ID, key alias, key ARN, or alias ARN) of the customer managed KMS key to use for EBS encryption.
             :param snapshot_id: The ID of the snapshot.
             :param throughput: The throughput to provision for a ``gp3`` volume, with a maximum of 1,000 MiB/s. Valid Range: Minimum value of 125. Maximum value of 1000.
             :param volume_size: The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type: - ``gp2`` and ``gp3`` : 1 - 16,384 GiB - ``io1`` : 4 - 16,384 GiB - ``io2`` : 4 - 65,536 GiB - ``st1`` and ``sc1`` : 125 - 16,384 GiB - ``standard`` : 1 - 1024 GiB
@@ -25001,7 +25080,7 @@ class CfnLaunchTemplate(
 
         @builtins.property
         def kms_key_id(self) -> typing.Optional[builtins.str]:
-            '''The ARN of the symmetric AWS Key Management Service ( AWS KMS ) CMK used for encryption.
+            '''Identifier (key ID, key alias, key ARN, or alias ARN) of the customer managed KMS key to use for EBS encryption.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-ebs.html#cfn-ec2-launchtemplate-ebs-kmskeyid
             '''
@@ -25626,13 +25705,13 @@ class CfnLaunchTemplate(
 
                Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the `launch instance wizard <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html>`_ , or with the `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ API or `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ AWS CloudFormation resource, you can't specify ``InstanceRequirements`` .
 
-            For more information, see `Attribute-based instance type selection for EC2 Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ , `Attribute-based instance type selection for Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html>`_ , and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
+            For more information, see `Specify attributes for instance type selection for EC2 Fleet or Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
 
             :param accelerator_count: The minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips) on an instance. To exclude accelerator-enabled instance types, set ``Max`` to ``0`` . Default: No minimum or maximum limits
             :param accelerator_manufacturers: Indicates whether instance types must have accelerators by specific manufacturers. - For instance types with AWS devices, specify ``amazon-web-services`` . - For instance types with AMD devices, specify ``amd`` . - For instance types with Habana devices, specify ``habana`` . - For instance types with NVIDIA devices, specify ``nvidia`` . - For instance types with Xilinx devices, specify ``xilinx`` . Default: Any manufacturer
             :param accelerator_names: The accelerators that must be on the instance type. - For instance types with NVIDIA A10G GPUs, specify ``a10g`` . - For instance types with NVIDIA A100 GPUs, specify ``a100`` . - For instance types with NVIDIA H100 GPUs, specify ``h100`` . - For instance types with AWS Inferentia chips, specify ``inferentia`` . - For instance types with NVIDIA GRID K520 GPUs, specify ``k520`` . - For instance types with NVIDIA K80 GPUs, specify ``k80`` . - For instance types with NVIDIA M60 GPUs, specify ``m60`` . - For instance types with AMD Radeon Pro V520 GPUs, specify ``radeon-pro-v520`` . - For instance types with NVIDIA T4 GPUs, specify ``t4`` . - For instance types with NVIDIA T4G GPUs, specify ``t4g`` . - For instance types with Xilinx VU9P FPGAs, specify ``vu9p`` . - For instance types with NVIDIA V100 GPUs, specify ``v100`` . Default: Any accelerator
             :param accelerator_total_memory_mib: The minimum and maximum amount of total accelerator memory, in MiB. Default: No minimum or maximum limits
-            :param accelerator_types: The accelerator types that must be on the instance type. - For instance types with GPU accelerators, specify ``gpu`` . - For instance types with FPGA accelerators, specify ``fpga`` . - For instance types with inference accelerators, specify ``inference`` . Default: Any accelerator type
+            :param accelerator_types: The accelerator types that must be on the instance type. - For instance types with GPU accelerators, specify ``gpu`` . - For instance types with FPGA accelerators, specify ``fpga`` . Default: Any accelerator type
             :param allowed_instance_types: The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes. You can use strings with one or more wild cards, represented by an asterisk ( ``*`` ), to allow an instance type, size, or generation. The following are examples: ``m5.8xlarge`` , ``c5*.*`` , ``m5a.*`` , ``r*`` , ``*3*`` . For example, if you specify ``c5*`` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify ``m5a.*`` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types. .. epigraph:: If you specify ``AllowedInstanceTypes`` , you can't specify ``ExcludedInstanceTypes`` . Default: All instance types
             :param bare_metal: Indicates whether bare metal instance types must be included, excluded, or required. - To include bare metal instance types, specify ``included`` . - To require only bare metal instance types, specify ``required`` . - To exclude bare metal instance types, specify ``excluded`` . Default: ``excluded``
             :param baseline_ebs_bandwidth_mbps: The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see `Amazon EBS–optimized instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
@@ -25869,7 +25948,6 @@ class CfnLaunchTemplate(
 
             - For instance types with GPU accelerators, specify ``gpu`` .
             - For instance types with FPGA accelerators, specify ``fpga`` .
-            - For instance types with inference accelerators, specify ``inference`` .
 
             Default: Any accelerator type
 
@@ -26460,14 +26538,14 @@ class CfnLaunchTemplate(
             :param disable_api_termination: If you set this parameter to ``true`` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_ . Alternatively, if you set ``InstanceInitiatedShutdownBehavior`` to ``terminate`` , you can terminate the instance by running the shutdown command from the instance.
             :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance.
             :param elastic_gpu_specifications: Deprecated. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
-            :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads. You cannot specify accelerators from different generations in the same request. .. epigraph:: Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+            :param elastic_inference_accelerators: .. epigraph:: Amazon Elastic Inference is no longer available. An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads. You cannot specify accelerators from different generations in the same request. .. epigraph:: Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
             :param enclave_options: Indicates whether the instance is enabled for AWS Nitro Enclaves. For more information, see `What is AWS Nitro Enclaves? <https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html>`_ in the *AWS Nitro Enclaves User Guide* . You can't enable AWS Nitro Enclaves and hibernation on the same instance.
             :param hibernation_options: Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the `hibernation prerequisites <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html>`_ . For more information, see `Hibernate your Amazon EC2 instance <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html>`_ in the *Amazon EC2 User Guide* .
             :param iam_instance_profile: The name or Amazon Resource Name (ARN) of an IAM instance profile.
             :param image_id: The ID of the AMI. Alternatively, you can specify a Systems Manager parameter, which will resolve to an AMI ID on launch. Valid formats: - ``ami-0ac394d6a3example`` - ``resolve:ssm:parameter-name`` - ``resolve:ssm:parameter-name:version-number`` - ``resolve:ssm:parameter-name:label`` For more information, see `Use a Systems Manager parameter to find an AMI <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html#using-systems-manager-parameter-to-find-AMI>`_ in the *Amazon Elastic Compute Cloud User Guide* .
             :param instance_initiated_shutdown_behavior: Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown). Default: ``stop``
             :param instance_market_options: The market (purchasing) option for the instances.
-            :param instance_requirements: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes. You must specify ``VCpuCount`` and ``MemoryMiB`` . All other attributes are optional. Any unspecified optional attribute is set to its default. When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values. To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request: - ``AllowedInstanceTypes`` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes. - ``ExcludedInstanceTypes`` - The instance types to exclude from the list, even if they match your specified attributes. .. epigraph:: If you specify ``InstanceRequirements`` , you can't specify ``InstanceType`` . Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the `launch instance wizard <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html>`_ , or with the `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ API or `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ AWS CloudFormation resource, you can't specify ``InstanceRequirements`` . For more information, see `Attribute-based instance type selection for EC2 Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ , `Attribute-based instance type selection for Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html>`_ , and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
+            :param instance_requirements: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes. You must specify ``VCpuCount`` and ``MemoryMiB`` . All other attributes are optional. Any unspecified optional attribute is set to its default. When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values. To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request: - ``AllowedInstanceTypes`` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes. - ``ExcludedInstanceTypes`` - The instance types to exclude from the list, even if they match your specified attributes. .. epigraph:: If you specify ``InstanceRequirements`` , you can't specify ``InstanceType`` . Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the `launch instance wizard <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html>`_ , or with the `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ API or `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ AWS CloudFormation resource, you can't specify ``InstanceRequirements`` . For more information, see `Specify attributes for instance type selection for EC2 Fleet or Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
             :param instance_type: The instance type. For more information, see `Amazon EC2 instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* . If you specify ``InstanceType`` , you can't specify ``InstanceRequirements`` .
             :param kernel_id: The ID of the kernel. We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see `User Provided Kernels <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html>`_ in the *Amazon EC2 User Guide* .
             :param key_name: The name of the key pair. You can create a key pair using `CreateKeyPair <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html>`_ or `ImportKeyPair <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html>`_ . .. epigraph:: If you do not specify a key pair, you can't connect to the instance unless you choose an AMI that is configured to allow users another way to log in.
@@ -26904,9 +26982,11 @@ class CfnLaunchTemplate(
         def elastic_inference_accelerators(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.LaunchTemplateElasticInferenceAcceleratorProperty"]]]]:
-            '''An elastic inference accelerator to associate with the instance.
+            '''.. epigraph::
 
-            Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.
+   Amazon Elastic Inference is no longer available.
+
+            An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.
 
             You cannot specify accelerators from different generations in the same request.
             .. epigraph::
@@ -27022,7 +27102,7 @@ class CfnLaunchTemplate(
 
                Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the `launch instance wizard <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html>`_ , or with the `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ API or `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ AWS CloudFormation resource, you can't specify ``InstanceRequirements`` .
 
-            For more information, see `Attribute-based instance type selection for EC2 Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ , `Attribute-based instance type selection for Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html>`_ , and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
+            For more information, see `Specify attributes for instance type selection for EC2 Fleet or Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-instancerequirements
             '''
@@ -30914,6 +30994,8 @@ class CfnNetworkAcl(
 ):
     '''Specifies a network ACL for your VPC.
 
+    To add a network ACL entry, see `AWS::EC2::NetworkAclEntry <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html>`_ .
+
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkacl.html
     :cloudformationResource: AWS::EC2::NetworkAcl
     :exampleMetadata: fixture=_generated
@@ -31044,6 +31126,8 @@ class CfnNetworkAclEntry(
 
     Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.
 
+    To create the network ACL, see `AWS::EC2::NetworkAcl <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkacl.html>`_ .
+
     For information about the protocol value, see `Protocol Numbers <https://docs.aws.amazon.com/https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ on the Internet Assigned Numbers Authority (IANA) website.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html
@@ -39545,7 +39629,7 @@ class CfnPrefixList(
         :param address_family: The IP address type. Valid Values: ``IPv4`` | ``IPv6``
         :param prefix_list_name: A name for the prefix list. Constraints: Up to 255 characters in length. The name cannot start with ``com.amazonaws`` .
         :param entries: The entries for the prefix list.
-        :param max_entries: The maximum number of entries for the prefix list. This property is required when you create a prefix list.
+        :param max_entries: The maximum number of entries for the prefix list.
         :param tags: The tags for the prefix list.
         '''
         if __debug__:
@@ -39819,7 +39903,7 @@ class CfnPrefixListProps:
         :param address_family: The IP address type. Valid Values: ``IPv4`` | ``IPv6``
         :param prefix_list_name: A name for the prefix list. Constraints: Up to 255 characters in length. The name cannot start with ``com.amazonaws`` .
         :param entries: The entries for the prefix list.
-        :param max_entries: The maximum number of entries for the prefix list. This property is required when you create a prefix list.
+        :param max_entries: The maximum number of entries for the prefix list.
         :param tags: The tags for the prefix list.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-prefixlist.html
@@ -39906,8 +39990,6 @@ class CfnPrefixListProps:
     def max_entries(self) -> typing.Optional[jsii.Number]:
         '''The maximum number of entries for the prefix list.
 
-        This property is required when you create a prefix list.
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-prefixlist.html#cfn-ec2-prefixlist-maxentries
         '''
         result = self._values.get("max_entries")
@@ -44476,13 +44558,13 @@ class CfnSpotFleet(
 
                Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the `launch instance wizard <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html>`_ , or with the `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ API or `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ AWS CloudFormation resource, you can't specify ``InstanceRequirements`` .
 
-            For more information, see `Attribute-based instance type selection for EC2 Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ , `Attribute-based instance type selection for Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html>`_ , and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
+            For more information, see `Specify attributes for instance type selection for EC2 Fleet or Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html>`_ and `Spot placement score <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html>`_ in the *Amazon EC2 User Guide* .
 
             :param accelerator_count: The minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips) on an instance. To exclude accelerator-enabled instance types, set ``Max`` to ``0`` . Default: No minimum or maximum limits
             :param accelerator_manufacturers: Indicates whether instance types must have accelerators by specific manufacturers. - For instance types with AWS devices, specify ``amazon-web-services`` . - For instance types with AMD devices, specify ``amd`` . - For instance types with Habana devices, specify ``habana`` . - For instance types with NVIDIA devices, specify ``nvidia`` . - For instance types with Xilinx devices, specify ``xilinx`` . Default: Any manufacturer
             :param accelerator_names: The accelerators that must be on the instance type. - For instance types with NVIDIA A10G GPUs, specify ``a10g`` . - For instance types with NVIDIA A100 GPUs, specify ``a100`` . - For instance types with NVIDIA H100 GPUs, specify ``h100`` . - For instance types with AWS Inferentia chips, specify ``inferentia`` . - For instance types with NVIDIA GRID K520 GPUs, specify ``k520`` . - For instance types with NVIDIA K80 GPUs, specify ``k80`` . - For instance types with NVIDIA M60 GPUs, specify ``m60`` . - For instance types with AMD Radeon Pro V520 GPUs, specify ``radeon-pro-v520`` . - For instance types with NVIDIA T4 GPUs, specify ``t4`` . - For instance types with NVIDIA T4G GPUs, specify ``t4g`` . - For instance types with Xilinx VU9P FPGAs, specify ``vu9p`` . - For instance types with NVIDIA V100 GPUs, specify ``v100`` . Default: Any accelerator
             :param accelerator_total_memory_mib: The minimum and maximum amount of total accelerator memory, in MiB. Default: No minimum or maximum limits
-            :param accelerator_types: The accelerator types that must be on the instance type. - To include instance types with GPU hardware, specify ``gpu`` . - To include instance types with FPGA hardware, specify ``fpga`` . - To include instance types with inference hardware, specify ``inference`` . Default: Any accelerator type
+            :param accelerator_types: The accelerator types that must be on the instance type. - To include instance types with GPU hardware, specify ``gpu`` . - To include instance types with FPGA hardware, specify ``fpga`` . Default: Any accelerator type
             :param allowed_instance_types: The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes. You can use strings with one or more wild cards, represented by an asterisk ( ``*`` ), to allow an instance type, size, or generation. The following are examples: ``m5.8xlarge`` , ``c5*.*`` , ``m5a.*`` , ``r*`` , ``*3*`` . For example, if you specify ``c5*`` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify ``m5a.*`` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types. .. epigraph:: If you specify ``AllowedInstanceTypes`` , you can't specify ``ExcludedInstanceTypes`` . Default: All instance types
             :param bare_metal: Indicates whether bare metal instance types must be included, excluded, or required. - To include bare metal instance types, specify ``included`` . - To require only bare metal instance types, specify ``required`` . - To exclude bare metal instance types, specify ``excluded`` . Default: ``excluded``
             :param baseline_ebs_bandwidth_mbps: The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see `Amazon EBS–optimized instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
@@ -44719,7 +44801,6 @@ class CfnSpotFleet(
 
             - To include instance types with GPU hardware, specify ``gpu`` .
             - To include instance types with FPGA hardware, specify ``fpga`` .
-            - To include instance types with inference hardware, specify ``inference`` .
 
             Default: Any accelerator type
 
@@ -58089,7 +58170,7 @@ class CfnVPCPeeringConnection(
 
     The requester VPC and accepter VPC cannot have overlapping CIDR blocks. If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering connection has a status of ``failed`` .
 
-    If the VPCs belong to different accounts, the acceptor account must have a role that allows the requester account to accept the VPC peering connection. For more information, see `Walkthough: Peer with a VPC in another AWS account <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html>`_ .
+    If the VPCs belong to different accounts, the acceptor account must have a role that allows the requester account to accept the VPC peering connection. For an example, see `Walkthrough: Peer with a VPC in another AWS account <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html>`_ .
 
     If the requester and acceptor VPCs are in the same account, the peering request is accepted without a peering role.
 
@@ -58663,8 +58744,46 @@ class CfnVPNConnection(
             tunnel_inside_ip_version="tunnelInsideIpVersion",
             vpn_gateway_id="vpnGatewayId",
             vpn_tunnel_options_specifications=[ec2.CfnVPNConnection.VpnTunnelOptionsSpecificationProperty(
+                dpd_timeout_action="dpdTimeoutAction",
+                dpd_timeout_seconds=123,
+                enable_tunnel_lifecycle_control=False,
+                ike_versions=[{
+                    "value": "value"
+                }],
+                log_options=ec2.CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty(
+                    cloudwatch_log_options=ec2.CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty(
+                        log_enabled=False,
+                        log_group_arn="logGroupArn",
+                        log_output_format="logOutputFormat"
+                    )
+                ),
+                phase1_dh_group_numbers=[ec2.CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty(
+                    value=123
+                )],
+                phase1_encryption_algorithms=[ec2.CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty(
+                    value="value"
+                )],
+                phase1_integrity_algorithms=[ec2.CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty(
+                    value="value"
+                )],
+                phase1_lifetime_seconds=123,
+                phase2_dh_group_numbers=[ec2.CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty(
+                    value=123
+                )],
+                phase2_encryption_algorithms=[ec2.CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty(
+                    value="value"
+                )],
+                phase2_integrity_algorithms=[ec2.CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty(
+                    value="value"
+                )],
+                phase2_lifetime_seconds=123,
                 pre_shared_key="preSharedKey",
-                tunnel_inside_cidr="tunnelInsideCidr"
+                rekey_fuzz_percentage=123,
+                rekey_margin_time_seconds=123,
+                replay_window_size=123,
+                startup_action="startupAction",
+                tunnel_inside_cidr="tunnelInsideCidr",
+                tunnel_inside_ipv6_cidr="tunnelInsideIpv6Cidr"
             )]
         )
     '''
@@ -58996,25 +59115,592 @@ class CfnVPNConnection(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "vpnTunnelOptionsSpecifications", value) # pyright: ignore[reportArgumentType]
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "log_enabled": "logEnabled",
+            "log_group_arn": "logGroupArn",
+            "log_output_format": "logOutputFormat",
+        },
+    )
+    class CloudwatchLogOptionsSpecificationProperty:
+        def __init__(
+            self,
+            *,
+            log_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+            log_group_arn: typing.Optional[builtins.str] = None,
+            log_output_format: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''Options for sending VPN tunnel logs to CloudWatch.
+
+            :param log_enabled: Enable or disable VPN tunnel logging feature. Default value is ``False`` . Valid values: ``True`` | ``False``
+            :param log_group_arn: The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
+            :param log_output_format: Set log format. Default format is ``json`` . Valid values: ``json`` | ``text``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                cloudwatch_log_options_specification_property = ec2.CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty(
+                    log_enabled=False,
+                    log_group_arn="logGroupArn",
+                    log_output_format="logOutputFormat"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__bd596864a79667f9fd7ea34a4b2b4bc80eea01d6f5d0306e0660a88f43622cf9)
+                check_type(argname="argument log_enabled", value=log_enabled, expected_type=type_hints["log_enabled"])
+                check_type(argname="argument log_group_arn", value=log_group_arn, expected_type=type_hints["log_group_arn"])
+                check_type(argname="argument log_output_format", value=log_output_format, expected_type=type_hints["log_output_format"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if log_enabled is not None:
+                self._values["log_enabled"] = log_enabled
+            if log_group_arn is not None:
+                self._values["log_group_arn"] = log_group_arn
+            if log_output_format is not None:
+                self._values["log_output_format"] = log_output_format
+
+        @builtins.property
+        def log_enabled(
+            self,
+        ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+            '''Enable or disable VPN tunnel logging feature. Default value is ``False`` .
+
+            Valid values: ``True`` | ``False``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification.html#cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-logenabled
+            '''
+            result = self._values.get("log_enabled")
+            return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
+        @builtins.property
+        def log_group_arn(self) -> typing.Optional[builtins.str]:
+            '''The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification.html#cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-loggrouparn
+            '''
+            result = self._values.get("log_group_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def log_output_format(self) -> typing.Optional[builtins.str]:
+            '''Set log format. Default format is ``json`` .
+
+            Valid values: ``json`` | ``text``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-cloudwatchlogoptionsspecification.html#cfn-ec2-vpnconnection-cloudwatchlogoptionsspecification-logoutputformat
+            '''
+            result = self._values.get("log_output_format")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CloudwatchLogOptionsSpecificationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.IKEVersionsRequestListValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value": "value"},
+    )
+    class IKEVersionsRequestListValueProperty:
+        def __init__(self, *, value: typing.Optional[builtins.str] = None) -> None:
+            '''The IKE version that is permitted for the VPN tunnel.
+
+            :param value: The IKE version.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                i_kEVersions_request_list_value_property = {
+                    "value": "value"
+                }
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__fe82f7092cfe3daf1976f55ceb6d944eb6d256a481ec7e98ae1897a9d47af7a1)
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if value is not None:
+                self._values["value"] = value
+
+        @builtins.property
+        def value(self) -> typing.Optional[builtins.str]:
+            '''The IKE version.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-ikeversionsrequestlistvalue.html#cfn-ec2-vpnconnection-ikeversionsrequestlistvalue-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "IKEVersionsRequestListValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value": "value"},
+    )
+    class Phase1DHGroupNumbersRequestListValueProperty:
+        def __init__(self, *, value: typing.Optional[jsii.Number] = None) -> None:
+            '''Specifies a Diffie-Hellman group number for the VPN tunnel for phase 1 IKE negotiations.
+
+            :param value: The Diffie-Hellmann group number.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                phase1_dHGroup_numbers_request_list_value_property = ec2.CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty(
+                    value=123
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__918d5f5b5e88ae68daf35c3d93776500cfc34270e528ae9c3dc133bfa0096b85)
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if value is not None:
+                self._values["value"] = value
+
+        @builtins.property
+        def value(self) -> typing.Optional[jsii.Number]:
+            '''The Diffie-Hellmann group number.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue.html#cfn-ec2-vpnconnection-phase1dhgroupnumbersrequestlistvalue-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "Phase1DHGroupNumbersRequestListValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value": "value"},
+    )
+    class Phase1EncryptionAlgorithmsRequestListValueProperty:
+        def __init__(self, *, value: typing.Optional[builtins.str] = None) -> None:
+            '''Specifies the encryption algorithm for the VPN tunnel for phase 1 IKE negotiations.
+
+            :param value: The value for the encryption algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                phase1_encryption_algorithms_request_list_value_property = ec2.CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty(
+                    value="value"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__22fbe2c39b9921f1ab2862205b1cf5ef686c18168136eb68682dbc3f7d433a36)
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if value is not None:
+                self._values["value"] = value
+
+        @builtins.property
+        def value(self) -> typing.Optional[builtins.str]:
+            '''The value for the encryption algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue.html#cfn-ec2-vpnconnection-phase1encryptionalgorithmsrequestlistvalue-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "Phase1EncryptionAlgorithmsRequestListValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value": "value"},
+    )
+    class Phase1IntegrityAlgorithmsRequestListValueProperty:
+        def __init__(self, *, value: typing.Optional[builtins.str] = None) -> None:
+            '''Specifies the integrity algorithm for the VPN tunnel for phase 1 IKE negotiations.
+
+            :param value: The value for the integrity algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                phase1_integrity_algorithms_request_list_value_property = ec2.CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty(
+                    value="value"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__a0015c70bcf807f70699a0ff5fbdaf7b9703d3751680a849a5acd4186fcb9588)
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if value is not None:
+                self._values["value"] = value
+
+        @builtins.property
+        def value(self) -> typing.Optional[builtins.str]:
+            '''The value for the integrity algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue.html#cfn-ec2-vpnconnection-phase1integrityalgorithmsrequestlistvalue-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "Phase1IntegrityAlgorithmsRequestListValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value": "value"},
+    )
+    class Phase2DHGroupNumbersRequestListValueProperty:
+        def __init__(self, *, value: typing.Optional[jsii.Number] = None) -> None:
+            '''Specifies a Diffie-Hellman group number for the VPN tunnel for phase 2 IKE negotiations.
+
+            :param value: The Diffie-Hellmann group number.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                phase2_dHGroup_numbers_request_list_value_property = ec2.CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty(
+                    value=123
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__d65eb64aa76aba56a565fc56d45096dad72a4eb03c46fd63ac7aa4d8c0bebcfd)
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if value is not None:
+                self._values["value"] = value
+
+        @builtins.property
+        def value(self) -> typing.Optional[jsii.Number]:
+            '''The Diffie-Hellmann group number.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue.html#cfn-ec2-vpnconnection-phase2dhgroupnumbersrequestlistvalue-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "Phase2DHGroupNumbersRequestListValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value": "value"},
+    )
+    class Phase2EncryptionAlgorithmsRequestListValueProperty:
+        def __init__(self, *, value: typing.Optional[builtins.str] = None) -> None:
+            '''Specifies the encryption algorithm for the VPN tunnel for phase 2 IKE negotiations.
+
+            :param value: The encryption algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                phase2_encryption_algorithms_request_list_value_property = ec2.CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty(
+                    value="value"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__acb67278adfea74d52c512c96c9c00fb330b3d45c9266ac4d2b30bfdbfaa674d)
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if value is not None:
+                self._values["value"] = value
+
+        @builtins.property
+        def value(self) -> typing.Optional[builtins.str]:
+            '''The encryption algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue.html#cfn-ec2-vpnconnection-phase2encryptionalgorithmsrequestlistvalue-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "Phase2EncryptionAlgorithmsRequestListValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value": "value"},
+    )
+    class Phase2IntegrityAlgorithmsRequestListValueProperty:
+        def __init__(self, *, value: typing.Optional[builtins.str] = None) -> None:
+            '''Specifies the integrity algorithm for the VPN tunnel for phase 2 IKE negotiations.
+
+            :param value: The integrity algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                phase2_integrity_algorithms_request_list_value_property = ec2.CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty(
+                    value="value"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__f840e78842ee8f4a726cacbb8d5214f63eb65e6ddb1c55a3f5a779e97615acf9)
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if value is not None:
+                self._values["value"] = value
+
+        @builtins.property
+        def value(self) -> typing.Optional[builtins.str]:
+            '''The integrity algorithm.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue.html#cfn-ec2-vpnconnection-phase2integrityalgorithmsrequestlistvalue-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "Phase2IntegrityAlgorithmsRequestListValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty",
+        jsii_struct_bases=[],
+        name_mapping={"cloudwatch_log_options": "cloudwatchLogOptions"},
+    )
+    class VpnTunnelLogOptionsSpecificationProperty:
+        def __init__(
+            self,
+            *,
+            cloudwatch_log_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''Options for logging VPN tunnel activity.
+
+            :param cloudwatch_log_options: Options for sending VPN tunnel logs to CloudWatch.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                vpn_tunnel_log_options_specification_property = ec2.CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty(
+                    cloudwatch_log_options=ec2.CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty(
+                        log_enabled=False,
+                        log_group_arn="logGroupArn",
+                        log_output_format="logOutputFormat"
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__03be9463ce73095b0619c9b322ea6c5b050580851d3de940235cda9021f28166)
+                check_type(argname="argument cloudwatch_log_options", value=cloudwatch_log_options, expected_type=type_hints["cloudwatch_log_options"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if cloudwatch_log_options is not None:
+                self._values["cloudwatch_log_options"] = cloudwatch_log_options
+
+        @builtins.property
+        def cloudwatch_log_options(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty"]]:
+            '''Options for sending VPN tunnel logs to CloudWatch.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunnellogoptionsspecification.html#cfn-ec2-vpnconnection-vpntunnellogoptionsspecification-cloudwatchlogoptions
+            '''
+            result = self._values.get("cloudwatch_log_options")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "VpnTunnelLogOptionsSpecificationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnVPNConnection.VpnTunnelOptionsSpecificationProperty",
         jsii_struct_bases=[],
         name_mapping={
+            "dpd_timeout_action": "dpdTimeoutAction",
+            "dpd_timeout_seconds": "dpdTimeoutSeconds",
+            "enable_tunnel_lifecycle_control": "enableTunnelLifecycleControl",
+            "ike_versions": "ikeVersions",
+            "log_options": "logOptions",
+            "phase1_dh_group_numbers": "phase1DhGroupNumbers",
+            "phase1_encryption_algorithms": "phase1EncryptionAlgorithms",
+            "phase1_integrity_algorithms": "phase1IntegrityAlgorithms",
+            "phase1_lifetime_seconds": "phase1LifetimeSeconds",
+            "phase2_dh_group_numbers": "phase2DhGroupNumbers",
+            "phase2_encryption_algorithms": "phase2EncryptionAlgorithms",
+            "phase2_integrity_algorithms": "phase2IntegrityAlgorithms",
+            "phase2_lifetime_seconds": "phase2LifetimeSeconds",
             "pre_shared_key": "preSharedKey",
+            "rekey_fuzz_percentage": "rekeyFuzzPercentage",
+            "rekey_margin_time_seconds": "rekeyMarginTimeSeconds",
+            "replay_window_size": "replayWindowSize",
+            "startup_action": "startupAction",
             "tunnel_inside_cidr": "tunnelInsideCidr",
+            "tunnel_inside_ipv6_cidr": "tunnelInsideIpv6Cidr",
         },
     )
     class VpnTunnelOptionsSpecificationProperty:
         def __init__(
             self,
             *,
+            dpd_timeout_action: typing.Optional[builtins.str] = None,
+            dpd_timeout_seconds: typing.Optional[jsii.Number] = None,
+            enable_tunnel_lifecycle_control: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+            ike_versions: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.IKEVersionsRequestListValueProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            log_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            phase1_dh_group_numbers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            phase1_encryption_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            phase1_integrity_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            phase1_lifetime_seconds: typing.Optional[jsii.Number] = None,
+            phase2_dh_group_numbers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            phase2_encryption_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            phase2_integrity_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            phase2_lifetime_seconds: typing.Optional[jsii.Number] = None,
             pre_shared_key: typing.Optional[builtins.str] = None,
+            rekey_fuzz_percentage: typing.Optional[jsii.Number] = None,
+            rekey_margin_time_seconds: typing.Optional[jsii.Number] = None,
+            replay_window_size: typing.Optional[jsii.Number] = None,
+            startup_action: typing.Optional[builtins.str] = None,
             tunnel_inside_cidr: typing.Optional[builtins.str] = None,
+            tunnel_inside_ipv6_cidr: typing.Optional[builtins.str] = None,
         ) -> None:
             '''The tunnel options for a single VPN tunnel.
 
+            :param dpd_timeout_action: The action to take after DPD timeout occurs. Specify ``restart`` to restart the IKE initiation. Specify ``clear`` to end the IKE session. Valid Values: ``clear`` | ``none`` | ``restart`` Default: ``clear``
+            :param dpd_timeout_seconds: The number of seconds after which a DPD timeout occurs. Constraints: A value greater than or equal to 30. Default: ``30``
+            :param enable_tunnel_lifecycle_control: Turn on or off tunnel endpoint lifecycle control feature.
+            :param ike_versions: The IKE versions that are permitted for the VPN tunnel. Valid values: ``ikev1`` | ``ikev2``
+            :param log_options: Options for logging VPN tunnel activity.
+            :param phase1_dh_group_numbers: One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: ``2`` | ``14`` | ``15`` | ``16`` | ``17`` | ``18`` | ``19`` | ``20`` | ``21`` | ``22`` | ``23`` | ``24``
+            :param phase1_encryption_algorithms: One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: ``AES128`` | ``AES256`` | ``AES128-GCM-16`` | ``AES256-GCM-16``
+            :param phase1_integrity_algorithms: One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations. Valid values: ``SHA1`` | ``SHA2-256`` | ``SHA2-384`` | ``SHA2-512``
+            :param phase1_lifetime_seconds: The lifetime for phase 1 of the IKE negotiation, in seconds. Constraints: A value between 900 and 28,800. Default: ``28800``
+            :param phase2_dh_group_numbers: One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: ``2`` | ``5`` | ``14`` | ``15`` | ``16`` | ``17`` | ``18`` | ``19`` | ``20`` | ``21`` | ``22`` | ``23`` | ``24``
+            :param phase2_encryption_algorithms: One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: ``AES128`` | ``AES256`` | ``AES128-GCM-16`` | ``AES256-GCM-16``
+            :param phase2_integrity_algorithms: One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations. Valid values: ``SHA1`` | ``SHA2-256`` | ``SHA2-384`` | ``SHA2-512``
+            :param phase2_lifetime_seconds: The lifetime for phase 2 of the IKE negotiation, in seconds. Constraints: A value between 900 and 3,600. The value must be less than the value for ``Phase1LifetimeSeconds`` . Default: ``3600``
             :param pre_shared_key: The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway. Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
+            :param rekey_fuzz_percentage: The percentage of the rekey window (determined by ``RekeyMarginTimeSeconds`` ) during which the rekey time is randomly selected. Constraints: A value between 0 and 100. Default: ``100``
+            :param rekey_margin_time_seconds: The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for ``RekeyFuzzPercentage`` . Constraints: A value between 60 and half of ``Phase2LifetimeSeconds`` . Default: ``270``
+            :param replay_window_size: The number of packets in an IKE replay window. Constraints: A value between 64 and 2048. Default: ``1024``
+            :param startup_action: The action to take when the establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify ``start`` for AWS to initiate the IKE negotiation. Valid Values: ``add`` | ``start`` Default: ``add``
             :param tunnel_inside_cidr: The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway. Constraints: A size /30 CIDR block from the ``169.254.0.0/16`` range. The following CIDR blocks are reserved and cannot be used: - ``169.254.0.0/30`` - ``169.254.1.0/30`` - ``169.254.2.0/30`` - ``169.254.3.0/30`` - ``169.254.4.0/30`` - ``169.254.5.0/30`` - ``169.254.169.252/30``
+            :param tunnel_inside_ipv6_cidr: The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway. Constraints: A size /126 CIDR block from the local ``fd00::/8`` range.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html
             :exampleMetadata: fixture=_generated
@@ -59026,19 +59712,278 @@ class CfnVPNConnection(
                 from aws_cdk import aws_ec2 as ec2
                 
                 vpn_tunnel_options_specification_property = ec2.CfnVPNConnection.VpnTunnelOptionsSpecificationProperty(
+                    dpd_timeout_action="dpdTimeoutAction",
+                    dpd_timeout_seconds=123,
+                    enable_tunnel_lifecycle_control=False,
+                    ike_versions=[{
+                        "value": "value"
+                    }],
+                    log_options=ec2.CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty(
+                        cloudwatch_log_options=ec2.CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty(
+                            log_enabled=False,
+                            log_group_arn="logGroupArn",
+                            log_output_format="logOutputFormat"
+                        )
+                    ),
+                    phase1_dh_group_numbers=[ec2.CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty(
+                        value=123
+                    )],
+                    phase1_encryption_algorithms=[ec2.CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase1_integrity_algorithms=[ec2.CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase1_lifetime_seconds=123,
+                    phase2_dh_group_numbers=[ec2.CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty(
+                        value=123
+                    )],
+                    phase2_encryption_algorithms=[ec2.CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase2_integrity_algorithms=[ec2.CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase2_lifetime_seconds=123,
                     pre_shared_key="preSharedKey",
-                    tunnel_inside_cidr="tunnelInsideCidr"
+                    rekey_fuzz_percentage=123,
+                    rekey_margin_time_seconds=123,
+                    replay_window_size=123,
+                    startup_action="startupAction",
+                    tunnel_inside_cidr="tunnelInsideCidr",
+                    tunnel_inside_ipv6_cidr="tunnelInsideIpv6Cidr"
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__c11a91303ade674ac2062d6f836f1c6c8a5ffcd828e189ee16a639aed0741e2c)
+                check_type(argname="argument dpd_timeout_action", value=dpd_timeout_action, expected_type=type_hints["dpd_timeout_action"])
+                check_type(argname="argument dpd_timeout_seconds", value=dpd_timeout_seconds, expected_type=type_hints["dpd_timeout_seconds"])
+                check_type(argname="argument enable_tunnel_lifecycle_control", value=enable_tunnel_lifecycle_control, expected_type=type_hints["enable_tunnel_lifecycle_control"])
+                check_type(argname="argument ike_versions", value=ike_versions, expected_type=type_hints["ike_versions"])
+                check_type(argname="argument log_options", value=log_options, expected_type=type_hints["log_options"])
+                check_type(argname="argument phase1_dh_group_numbers", value=phase1_dh_group_numbers, expected_type=type_hints["phase1_dh_group_numbers"])
+                check_type(argname="argument phase1_encryption_algorithms", value=phase1_encryption_algorithms, expected_type=type_hints["phase1_encryption_algorithms"])
+                check_type(argname="argument phase1_integrity_algorithms", value=phase1_integrity_algorithms, expected_type=type_hints["phase1_integrity_algorithms"])
+                check_type(argname="argument phase1_lifetime_seconds", value=phase1_lifetime_seconds, expected_type=type_hints["phase1_lifetime_seconds"])
+                check_type(argname="argument phase2_dh_group_numbers", value=phase2_dh_group_numbers, expected_type=type_hints["phase2_dh_group_numbers"])
+                check_type(argname="argument phase2_encryption_algorithms", value=phase2_encryption_algorithms, expected_type=type_hints["phase2_encryption_algorithms"])
+                check_type(argname="argument phase2_integrity_algorithms", value=phase2_integrity_algorithms, expected_type=type_hints["phase2_integrity_algorithms"])
+                check_type(argname="argument phase2_lifetime_seconds", value=phase2_lifetime_seconds, expected_type=type_hints["phase2_lifetime_seconds"])
                 check_type(argname="argument pre_shared_key", value=pre_shared_key, expected_type=type_hints["pre_shared_key"])
+                check_type(argname="argument rekey_fuzz_percentage", value=rekey_fuzz_percentage, expected_type=type_hints["rekey_fuzz_percentage"])
+                check_type(argname="argument rekey_margin_time_seconds", value=rekey_margin_time_seconds, expected_type=type_hints["rekey_margin_time_seconds"])
+                check_type(argname="argument replay_window_size", value=replay_window_size, expected_type=type_hints["replay_window_size"])
+                check_type(argname="argument startup_action", value=startup_action, expected_type=type_hints["startup_action"])
                 check_type(argname="argument tunnel_inside_cidr", value=tunnel_inside_cidr, expected_type=type_hints["tunnel_inside_cidr"])
+                check_type(argname="argument tunnel_inside_ipv6_cidr", value=tunnel_inside_ipv6_cidr, expected_type=type_hints["tunnel_inside_ipv6_cidr"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if dpd_timeout_action is not None:
+                self._values["dpd_timeout_action"] = dpd_timeout_action
+            if dpd_timeout_seconds is not None:
+                self._values["dpd_timeout_seconds"] = dpd_timeout_seconds
+            if enable_tunnel_lifecycle_control is not None:
+                self._values["enable_tunnel_lifecycle_control"] = enable_tunnel_lifecycle_control
+            if ike_versions is not None:
+                self._values["ike_versions"] = ike_versions
+            if log_options is not None:
+                self._values["log_options"] = log_options
+            if phase1_dh_group_numbers is not None:
+                self._values["phase1_dh_group_numbers"] = phase1_dh_group_numbers
+            if phase1_encryption_algorithms is not None:
+                self._values["phase1_encryption_algorithms"] = phase1_encryption_algorithms
+            if phase1_integrity_algorithms is not None:
+                self._values["phase1_integrity_algorithms"] = phase1_integrity_algorithms
+            if phase1_lifetime_seconds is not None:
+                self._values["phase1_lifetime_seconds"] = phase1_lifetime_seconds
+            if phase2_dh_group_numbers is not None:
+                self._values["phase2_dh_group_numbers"] = phase2_dh_group_numbers
+            if phase2_encryption_algorithms is not None:
+                self._values["phase2_encryption_algorithms"] = phase2_encryption_algorithms
+            if phase2_integrity_algorithms is not None:
+                self._values["phase2_integrity_algorithms"] = phase2_integrity_algorithms
+            if phase2_lifetime_seconds is not None:
+                self._values["phase2_lifetime_seconds"] = phase2_lifetime_seconds
             if pre_shared_key is not None:
                 self._values["pre_shared_key"] = pre_shared_key
+            if rekey_fuzz_percentage is not None:
+                self._values["rekey_fuzz_percentage"] = rekey_fuzz_percentage
+            if rekey_margin_time_seconds is not None:
+                self._values["rekey_margin_time_seconds"] = rekey_margin_time_seconds
+            if replay_window_size is not None:
+                self._values["replay_window_size"] = replay_window_size
+            if startup_action is not None:
+                self._values["startup_action"] = startup_action
             if tunnel_inside_cidr is not None:
                 self._values["tunnel_inside_cidr"] = tunnel_inside_cidr
+            if tunnel_inside_ipv6_cidr is not None:
+                self._values["tunnel_inside_ipv6_cidr"] = tunnel_inside_ipv6_cidr
+
+        @builtins.property
+        def dpd_timeout_action(self) -> typing.Optional[builtins.str]:
+            '''The action to take after DPD timeout occurs.
+
+            Specify ``restart`` to restart the IKE initiation. Specify ``clear`` to end the IKE session.
+
+            Valid Values: ``clear`` | ``none`` | ``restart``
+
+            Default: ``clear``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-dpdtimeoutaction
+            '''
+            result = self._values.get("dpd_timeout_action")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def dpd_timeout_seconds(self) -> typing.Optional[jsii.Number]:
+            '''The number of seconds after which a DPD timeout occurs.
+
+            Constraints: A value greater than or equal to 30.
+
+            Default: ``30``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-dpdtimeoutseconds
+            '''
+            result = self._values.get("dpd_timeout_seconds")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def enable_tunnel_lifecycle_control(
+            self,
+        ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+            '''Turn on or off tunnel endpoint lifecycle control feature.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-enabletunnellifecyclecontrol
+            '''
+            result = self._values.get("enable_tunnel_lifecycle_control")
+            return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
+        @builtins.property
+        def ike_versions(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.IKEVersionsRequestListValueProperty"]]]]:
+            '''The IKE versions that are permitted for the VPN tunnel.
+
+            Valid values: ``ikev1`` | ``ikev2``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-ikeversions
+            '''
+            result = self._values.get("ike_versions")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.IKEVersionsRequestListValueProperty"]]]], result)
+
+        @builtins.property
+        def log_options(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty"]]:
+            '''Options for logging VPN tunnel activity.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-logoptions
+            '''
+            result = self._values.get("log_options")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty"]], result)
+
+        @builtins.property
+        def phase1_dh_group_numbers(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty"]]]]:
+            '''One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations.
+
+            Valid values: ``2`` | ``14`` | ``15`` | ``16`` | ``17`` | ``18`` | ``19`` | ``20`` | ``21`` | ``22`` | ``23`` | ``24``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1dhgroupnumbers
+            '''
+            result = self._values.get("phase1_dh_group_numbers")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty"]]]], result)
+
+        @builtins.property
+        def phase1_encryption_algorithms(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty"]]]]:
+            '''One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
+
+            Valid values: ``AES128`` | ``AES256`` | ``AES128-GCM-16`` | ``AES256-GCM-16``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1encryptionalgorithms
+            '''
+            result = self._values.get("phase1_encryption_algorithms")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty"]]]], result)
+
+        @builtins.property
+        def phase1_integrity_algorithms(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty"]]]]:
+            '''One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
+
+            Valid values: ``SHA1`` | ``SHA2-256`` | ``SHA2-384`` | ``SHA2-512``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1integrityalgorithms
+            '''
+            result = self._values.get("phase1_integrity_algorithms")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty"]]]], result)
+
+        @builtins.property
+        def phase1_lifetime_seconds(self) -> typing.Optional[jsii.Number]:
+            '''The lifetime for phase 1 of the IKE negotiation, in seconds.
+
+            Constraints: A value between 900 and 28,800.
+
+            Default: ``28800``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase1lifetimeseconds
+            '''
+            result = self._values.get("phase1_lifetime_seconds")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def phase2_dh_group_numbers(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty"]]]]:
+            '''One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations.
+
+            Valid values: ``2`` | ``5`` | ``14`` | ``15`` | ``16`` | ``17`` | ``18`` | ``19`` | ``20`` | ``21`` | ``22`` | ``23`` | ``24``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2dhgroupnumbers
+            '''
+            result = self._values.get("phase2_dh_group_numbers")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty"]]]], result)
+
+        @builtins.property
+        def phase2_encryption_algorithms(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty"]]]]:
+            '''One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
+
+            Valid values: ``AES128`` | ``AES256`` | ``AES128-GCM-16`` | ``AES256-GCM-16``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2encryptionalgorithms
+            '''
+            result = self._values.get("phase2_encryption_algorithms")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty"]]]], result)
+
+        @builtins.property
+        def phase2_integrity_algorithms(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty"]]]]:
+            '''One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
+
+            Valid values: ``SHA1`` | ``SHA2-256`` | ``SHA2-384`` | ``SHA2-512``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2integrityalgorithms
+            '''
+            result = self._values.get("phase2_integrity_algorithms")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty"]]]], result)
+
+        @builtins.property
+        def phase2_lifetime_seconds(self) -> typing.Optional[jsii.Number]:
+            '''The lifetime for phase 2 of the IKE negotiation, in seconds.
+
+            Constraints: A value between 900 and 3,600. The value must be less than the value for ``Phase1LifetimeSeconds`` .
+
+            Default: ``3600``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-phase2lifetimeseconds
+            '''
+            result = self._values.get("phase2_lifetime_seconds")
+            return typing.cast(typing.Optional[jsii.Number], result)
 
         @builtins.property
         def pre_shared_key(self) -> typing.Optional[builtins.str]:
@@ -59051,6 +59996,62 @@ class CfnVPNConnection(
             result = self._values.get("pre_shared_key")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def rekey_fuzz_percentage(self) -> typing.Optional[jsii.Number]:
+            '''The percentage of the rekey window (determined by ``RekeyMarginTimeSeconds`` ) during which the rekey time is randomly selected.
+
+            Constraints: A value between 0 and 100.
+
+            Default: ``100``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-rekeyfuzzpercentage
+            '''
+            result = self._values.get("rekey_fuzz_percentage")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def rekey_margin_time_seconds(self) -> typing.Optional[jsii.Number]:
+            '''The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the VPN connection performs an IKE rekey.
+
+            The exact time of the rekey is randomly selected based on the value for ``RekeyFuzzPercentage`` .
+
+            Constraints: A value between 60 and half of ``Phase2LifetimeSeconds`` .
+
+            Default: ``270``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-rekeymargintimeseconds
+            '''
+            result = self._values.get("rekey_margin_time_seconds")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def replay_window_size(self) -> typing.Optional[jsii.Number]:
+            '''The number of packets in an IKE replay window.
+
+            Constraints: A value between 64 and 2048.
+
+            Default: ``1024``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-replaywindowsize
+            '''
+            result = self._values.get("replay_window_size")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
+        @builtins.property
+        def startup_action(self) -> typing.Optional[builtins.str]:
+            '''The action to take when the establishing the tunnel for the VPN connection.
+
+            By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify ``start`` for AWS to initiate the IKE negotiation.
+
+            Valid Values: ``add`` | ``start``
+
+            Default: ``add``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-startupaction
+            '''
+            result = self._values.get("startup_action")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def tunnel_inside_cidr(self) -> typing.Optional[builtins.str]:
             '''The range of inside IP addresses for the tunnel.
@@ -59072,6 +60073,19 @@ class CfnVPNConnection(
             result = self._values.get("tunnel_inside_cidr")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def tunnel_inside_ipv6_cidr(self) -> typing.Optional[builtins.str]:
+            '''The range of inside IPv6 addresses for the tunnel.
+
+            Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway.
+
+            Constraints: A size /126 CIDR block from the local ``fd00::/8`` range.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html#cfn-ec2-vpnconnection-vpntunneloptionsspecification-tunnelinsideipv6cidr
+            '''
+            result = self._values.get("tunnel_inside_ipv6_cidr")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -59173,8 +60187,46 @@ class CfnVPNConnectionProps:
                 tunnel_inside_ip_version="tunnelInsideIpVersion",
                 vpn_gateway_id="vpnGatewayId",
                 vpn_tunnel_options_specifications=[ec2.CfnVPNConnection.VpnTunnelOptionsSpecificationProperty(
+                    dpd_timeout_action="dpdTimeoutAction",
+                    dpd_timeout_seconds=123,
+                    enable_tunnel_lifecycle_control=False,
+                    ike_versions=[{
+                        "value": "value"
+                    }],
+                    log_options=ec2.CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty(
+                        cloudwatch_log_options=ec2.CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty(
+                            log_enabled=False,
+                            log_group_arn="logGroupArn",
+                            log_output_format="logOutputFormat"
+                        )
+                    ),
+                    phase1_dh_group_numbers=[ec2.CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty(
+                        value=123
+                    )],
+                    phase1_encryption_algorithms=[ec2.CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase1_integrity_algorithms=[ec2.CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase1_lifetime_seconds=123,
+                    phase2_dh_group_numbers=[ec2.CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty(
+                        value=123
+                    )],
+                    phase2_encryption_algorithms=[ec2.CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase2_integrity_algorithms=[ec2.CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty(
+                        value="value"
+                    )],
+                    phase2_lifetime_seconds=123,
                     pre_shared_key="preSharedKey",
-                    tunnel_inside_cidr="tunnelInsideCidr"
+                    rekey_fuzz_percentage=123,
+                    rekey_margin_time_seconds=123,
+                    replay_window_size=123,
+                    startup_action="startupAction",
+                    tunnel_inside_cidr="tunnelInsideCidr",
+                    tunnel_inside_ipv6_cidr="tunnelInsideIpv6Cidr"
                 )]
             )
         '''
@@ -72740,6 +73792,7 @@ class Instance(
         block_devices: typing.Optional[typing.Sequence[typing.Union[BlockDevice, typing.Dict[builtins.str, typing.Any]]]] = None,
         credit_specification: typing.Optional[CpuCredits] = None,
         detailed_monitoring: typing.Optional[builtins.bool] = None,
+        disable_api_termination: typing.Optional[builtins.bool] = None,
         ebs_optimized: typing.Optional[builtins.bool] = None,
         enclave_enabled: typing.Optional[builtins.bool] = None,
         hibernation_enabled: typing.Optional[builtins.bool] = None,
@@ -72776,6 +73829,7 @@ class Instance(
         :param block_devices: Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes. Each instance that is launched has an associated root device volume, either an Amazon EBS volume or an instance store volume. You can use block device mappings to specify additional EBS volumes or instance store volumes to attach to an instance when it is launched. Default: - Uses the block device mapping of the AMI
         :param credit_specification: Specifying the CPU credit type for burstable EC2 instance types (T2, T3, T3a, etc). The unlimited CPU credit option is not supported for T3 instances with a dedicated host. Default: - T2 instances are standard, while T3, T4g, and T3a instances are unlimited.
         :param detailed_monitoring: Whether "Detailed Monitoring" is enabled for this instance Keep in mind that Detailed Monitoring results in extra charges. Default: - false
+        :param disable_api_termination: If true, the instance will not be able to be terminated using the Amazon EC2 console, CLI, or API. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_. Alternatively, if you set InstanceInitiatedShutdownBehavior to terminate, you can terminate the instance by running the shutdown command from the instance. Default: false
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: false
         :param enclave_enabled: Whether the instance is enabled for AWS Nitro Enclaves. Nitro Enclaves requires a Nitro-based virtualized parent instance with specific Intel/AMD with at least 4 vCPUs or Graviton with at least 2 vCPUs instance types and Linux/Windows host OS, while the enclave itself supports only Linux OS. You can't set both ``enclaveEnabled`` and ``hibernationEnabled`` to true on the same instance. Default: - false
         :param hibernation_enabled: Whether the instance is enabled for hibernation. You can't set both ``enclaveEnabled`` and ``hibernationEnabled`` to true on the same instance. Default: - false
@@ -72814,6 +73868,7 @@ class Instance(
             block_devices=block_devices,
             credit_specification=credit_specification,
             detailed_monitoring=detailed_monitoring,
+            disable_api_termination=disable_api_termination,
             ebs_optimized=ebs_optimized,
             enclave_enabled=enclave_enabled,
             hibernation_enabled=hibernation_enabled,
@@ -73625,6 +74680,7 @@ class InstanceInitiatedShutdownBehavior(enum.Enum):
         "block_devices": "blockDevices",
         "credit_specification": "creditSpecification",
         "detailed_monitoring": "detailedMonitoring",
+        "disable_api_termination": "disableApiTermination",
         "ebs_optimized": "ebsOptimized",
         "enclave_enabled": "enclaveEnabled",
         "hibernation_enabled": "hibernationEnabled",
@@ -73663,6 +74719,7 @@ class InstanceProps:
         block_devices: typing.Optional[typing.Sequence[typing.Union[BlockDevice, typing.Dict[builtins.str, typing.Any]]]] = None,
         credit_specification: typing.Optional[CpuCredits] = None,
         detailed_monitoring: typing.Optional[builtins.bool] = None,
+        disable_api_termination: typing.Optional[builtins.bool] = None,
         ebs_optimized: typing.Optional[builtins.bool] = None,
         enclave_enabled: typing.Optional[builtins.bool] = None,
         hibernation_enabled: typing.Optional[builtins.bool] = None,
@@ -73698,6 +74755,7 @@ class InstanceProps:
         :param block_devices: Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes. Each instance that is launched has an associated root device volume, either an Amazon EBS volume or an instance store volume. You can use block device mappings to specify additional EBS volumes or instance store volumes to attach to an instance when it is launched. Default: - Uses the block device mapping of the AMI
         :param credit_specification: Specifying the CPU credit type for burstable EC2 instance types (T2, T3, T3a, etc). The unlimited CPU credit option is not supported for T3 instances with a dedicated host. Default: - T2 instances are standard, while T3, T4g, and T3a instances are unlimited.
         :param detailed_monitoring: Whether "Detailed Monitoring" is enabled for this instance Keep in mind that Detailed Monitoring results in extra charges. Default: - false
+        :param disable_api_termination: If true, the instance will not be able to be terminated using the Amazon EC2 console, CLI, or API. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_. Alternatively, if you set InstanceInitiatedShutdownBehavior to terminate, you can terminate the instance by running the shutdown command from the instance. Default: false
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: false
         :param enclave_enabled: Whether the instance is enabled for AWS Nitro Enclaves. Nitro Enclaves requires a Nitro-based virtualized parent instance with specific Intel/AMD with at least 4 vCPUs or Graviton with at least 2 vCPUs instance types and Linux/Windows host OS, while the enclave itself supports only Linux OS. You can't set both ``enclaveEnabled`` and ``hibernationEnabled`` to true on the same instance. Default: - false
         :param hibernation_enabled: Whether the instance is enabled for hibernation. You can't set both ``enclaveEnabled`` and ``hibernationEnabled`` to true on the same instance. Default: - false
@@ -73756,6 +74814,7 @@ class InstanceProps:
             check_type(argname="argument block_devices", value=block_devices, expected_type=type_hints["block_devices"])
             check_type(argname="argument credit_specification", value=credit_specification, expected_type=type_hints["credit_specification"])
             check_type(argname="argument detailed_monitoring", value=detailed_monitoring, expected_type=type_hints["detailed_monitoring"])
+            check_type(argname="argument disable_api_termination", value=disable_api_termination, expected_type=type_hints["disable_api_termination"])
             check_type(argname="argument ebs_optimized", value=ebs_optimized, expected_type=type_hints["ebs_optimized"])
             check_type(argname="argument enclave_enabled", value=enclave_enabled, expected_type=type_hints["enclave_enabled"])
             check_type(argname="argument hibernation_enabled", value=hibernation_enabled, expected_type=type_hints["hibernation_enabled"])
@@ -73797,6 +74856,8 @@ class InstanceProps:
             self._values["credit_specification"] = credit_specification
         if detailed_monitoring is not None:
             self._values["detailed_monitoring"] = detailed_monitoring
+        if disable_api_termination is not None:
+            self._values["disable_api_termination"] = disable_api_termination
         if ebs_optimized is not None:
             self._values["ebs_optimized"] = ebs_optimized
         if enclave_enabled is not None:
@@ -73943,6 +75004,21 @@ class InstanceProps:
         result = self._values.get("detailed_monitoring")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def disable_api_termination(self) -> typing.Optional[builtins.bool]:
+        '''If true, the instance will not be able to be terminated using the Amazon EC2 console, CLI, or API.
+
+        To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_.
+        Alternatively, if you set InstanceInitiatedShutdownBehavior to terminate, you can terminate the instance
+        by running the shutdown command from the instance.
+
+        :default: false
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-disableapitermination
+        '''
+        result = self._values.get("disable_api_termination")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def ebs_optimized(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether the instance is optimized for Amazon EBS I/O.
@@ -74386,14 +75462,15 @@ class InstanceSize(enum.Enum):
 
         # vpc: ec2.Vpc
         
-        cluster = rds.DatabaseCluster(self, "Database",
-            engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_01_0),
-            writer=rds.ClusterInstance.provisioned("Instance",
-                instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL)
-            ),
-            readers=[rds.ClusterInstance.provisioned("reader")],
-            instance_update_behaviour=rds.InstanceUpdateBehaviour.ROLLING,  # Optional - defaults to rds.InstanceUpdateBehaviour.BULK
-            vpc=vpc
+        instance = rds.DatabaseInstance(self, "Instance",
+            engine=rds.DatabaseInstanceEngine.oracle_se2(version=rds.OracleEngineVersion.VER_19_0_0_0_2020_04_R1),
+            # optional, defaults to m5.large
+            instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL),
+            credentials=rds.Credentials.from_generated_secret("syscdk"),  # Optional - will default to 'admin' username and generated password
+            vpc=vpc,
+            vpc_subnets=ec2.SubnetSelection(
+                subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS
+            )
         )
     '''
 
@@ -90541,6 +91618,7 @@ class BastionHostLinux(
         require_imdsv2: typing.Optional[builtins.bool] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
         subnet_selection: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
+        user_data_causes_replacement: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''
         :param scope: -
@@ -90556,6 +91634,7 @@ class BastionHostLinux(
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
         :param security_group: Security Group to assign to this instance. Default: - create new security group with no inbound and all outbound traffic allowed
         :param subnet_selection: Select the subnets to run the bastion host in. Set this to PUBLIC if you need to connect to this instance via the internet and cannot use SSM. You have to allow port 22 manually by using the connections field Default: - private subnets of the supplied VPC
+        :param user_data_causes_replacement: Determines whether changes to the UserData will force instance replacement. Depending on the EC2 instance type, modifying the UserData may either restart or replace the instance: - Instance store-backed instances are replaced. - EBS-backed instances are restarted. Note that by default, restarting does not execute the updated UserData, so an alternative mechanism is needed to ensure the instance re-executes the UserData. When set to ``true``, the instance's Logical ID will depend on the UserData, causing CloudFormation to replace the instance if the UserData changes. Default: - ``true`` if ``initOptions`` is specified, otherwise ``false``.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__92a5b88f3339020054ea1e16e9617c17798da0b874294e4200a9b8e5bf598a4b)
@@ -90573,6 +91652,7 @@ class BastionHostLinux(
             require_imdsv2=require_imdsv2,
             security_group=security_group,
             subnet_selection=subnet_selection,
+            user_data_causes_replacement=user_data_causes_replacement,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -95798,6 +96878,7 @@ def _typecheckingstub__2647a77163fdd79c5b81f9523b8e35e195386f549d272d3474261e525
     require_imdsv2: typing.Optional[builtins.bool] = None,
     security_group: typing.Optional[ISecurityGroup] = None,
     subnet_selection: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
+    user_data_causes_replacement: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -95866,6 +96947,7 @@ def _typecheckingstub__96fb3bc559aaa9df971e86ea7cdd3cdc3de550019a2d3bf247d3fb169
     placement_group_arn: typing.Optional[builtins.str] = None,
     tag_specifications: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCapacityReservation.TagSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     tenancy: typing.Optional[builtins.str] = None,
+    unused_reservation_billing_owner_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -95960,6 +97042,12 @@ def _typecheckingstub__26e29c48a6cb47934fcf7b54e3d3eed16da0c88c8d717089ac043c03e
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__2a09cfe18a64a35ca3513da8b832d14a3961e5101708c3d59880377b4beea919(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__578daf872c6424406c4ac67bfb16e1a373fb40f41078950b64a62c991d0be846(
     *,
     resource_type: typing.Optional[builtins.str] = None,
@@ -96102,6 +97190,7 @@ def _typecheckingstub__8a65d4e8bb2e678a9a6387fd809c3b5428c783211224ece5155ec92d1
     placement_group_arn: typing.Optional[builtins.str] = None,
     tag_specifications: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnCapacityReservation.TagSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     tenancy: typing.Optional[builtins.str] = None,
+    unused_reservation_billing_owner_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -103742,10 +104831,93 @@ def _typecheckingstub__6e5141022cbe7f67d8c3189c0b096230c58a40a82fd75e0a817bb5321
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__bd596864a79667f9fd7ea34a4b2b4bc80eea01d6f5d0306e0660a88f43622cf9(
+    *,
+    log_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    log_group_arn: typing.Optional[builtins.str] = None,
+    log_output_format: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__fe82f7092cfe3daf1976f55ceb6d944eb6d256a481ec7e98ae1897a9d47af7a1(
+    *,
+    value: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__918d5f5b5e88ae68daf35c3d93776500cfc34270e528ae9c3dc133bfa0096b85(
+    *,
+    value: typing.Optional[jsii.Number] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__22fbe2c39b9921f1ab2862205b1cf5ef686c18168136eb68682dbc3f7d433a36(
+    *,
+    value: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a0015c70bcf807f70699a0ff5fbdaf7b9703d3751680a849a5acd4186fcb9588(
+    *,
+    value: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__d65eb64aa76aba56a565fc56d45096dad72a4eb03c46fd63ac7aa4d8c0bebcfd(
+    *,
+    value: typing.Optional[jsii.Number] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__acb67278adfea74d52c512c96c9c00fb330b3d45c9266ac4d2b30bfdbfaa674d(
+    *,
+    value: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f840e78842ee8f4a726cacbb8d5214f63eb65e6ddb1c55a3f5a779e97615acf9(
+    *,
+    value: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__03be9463ce73095b0619c9b322ea6c5b050580851d3de940235cda9021f28166(
+    *,
+    cloudwatch_log_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.CloudwatchLogOptionsSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__c11a91303ade674ac2062d6f836f1c6c8a5ffcd828e189ee16a639aed0741e2c(
     *,
+    dpd_timeout_action: typing.Optional[builtins.str] = None,
+    dpd_timeout_seconds: typing.Optional[jsii.Number] = None,
+    enable_tunnel_lifecycle_control: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    ike_versions: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.IKEVersionsRequestListValueProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    log_options: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.VpnTunnelLogOptionsSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    phase1_dh_group_numbers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.Phase1DHGroupNumbersRequestListValueProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    phase1_encryption_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.Phase1EncryptionAlgorithmsRequestListValueProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    phase1_integrity_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.Phase1IntegrityAlgorithmsRequestListValueProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    phase1_lifetime_seconds: typing.Optional[jsii.Number] = None,
+    phase2_dh_group_numbers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.Phase2DHGroupNumbersRequestListValueProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    phase2_encryption_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.Phase2EncryptionAlgorithmsRequestListValueProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    phase2_integrity_algorithms: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnVPNConnection.Phase2IntegrityAlgorithmsRequestListValueProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    phase2_lifetime_seconds: typing.Optional[jsii.Number] = None,
     pre_shared_key: typing.Optional[builtins.str] = None,
+    rekey_fuzz_percentage: typing.Optional[jsii.Number] = None,
+    rekey_margin_time_seconds: typing.Optional[jsii.Number] = None,
+    replay_window_size: typing.Optional[jsii.Number] = None,
+    startup_action: typing.Optional[builtins.str] = None,
     tunnel_inside_cidr: typing.Optional[builtins.str] = None,
+    tunnel_inside_ipv6_cidr: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -105554,6 +106726,7 @@ def _typecheckingstub__5fdf31f5ae2497c7efcb56df558011698f38dc19cff28ca7a78a08a6d
     block_devices: typing.Optional[typing.Sequence[typing.Union[BlockDevice, typing.Dict[builtins.str, typing.Any]]]] = None,
     credit_specification: typing.Optional[CpuCredits] = None,
     detailed_monitoring: typing.Optional[builtins.bool] = None,
+    disable_api_termination: typing.Optional[builtins.bool] = None,
     ebs_optimized: typing.Optional[builtins.bool] = None,
     enclave_enabled: typing.Optional[builtins.bool] = None,
     hibernation_enabled: typing.Optional[builtins.bool] = None,
@@ -105624,6 +106797,7 @@ def _typecheckingstub__2d4dc63c6e6ee3ddc68d5dd204d8ac5ef1f1dec37a7b84d636225df1c
     block_devices: typing.Optional[typing.Sequence[typing.Union[BlockDevice, typing.Dict[builtins.str, typing.Any]]]] = None,
     credit_specification: typing.Optional[CpuCredits] = None,
     detailed_monitoring: typing.Optional[builtins.bool] = None,
+    disable_api_termination: typing.Optional[builtins.bool] = None,
     ebs_optimized: typing.Optional[builtins.bool] = None,
     enclave_enabled: typing.Optional[builtins.bool] = None,
     hibernation_enabled: typing.Optional[builtins.bool] = None,
@@ -107255,6 +108429,7 @@ def _typecheckingstub__92a5b88f3339020054ea1e16e9617c17798da0b874294e4200a9b8e5b
     require_imdsv2: typing.Optional[builtins.bool] = None,
     security_group: typing.Optional[ISecurityGroup] = None,
     subnet_selection: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
+    user_data_causes_replacement: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass