aws-cdk-lib 2.166.0__py3-none-any.whl → 2.167.0__py3-none-any.whl

aws_cdk/aws_lambda/__init__.py

@@ -16,8 +16,29 @@ fn = lambda_.Function(self, "MyFunction",
 The `lambda.Code` class includes static convenience methods for various types of
 runtime code.
 
-* `lambda.Code.fromBucket(bucket, key[, objectVersion])` - specify an S3 object
+* `lambda.Code.fromBucket(bucket, key, objectVersion)` - specify an S3 object
   that contains the archive of your runtime code.
+* `lambda.Code.fromBucketV2(bucket, key, {objectVersion: version, sourceKMSKey: key})` - specify an S3 object
+  that contains the archive of your runtime code.
+
+```python
+from aws_cdk.aws_kms import Key
+import aws_cdk.aws_s3 as s3
+# key: Key
+
+
+bucket = s3.Bucket(self, "Bucket")
+
+options = {
+    "source_kMSKey": key
+}
+fn_bucket = lambda_.Function(self, "myFunction2",
+    runtime=lambda_.Runtime.NODEJS_LATEST,
+    handler="index.handler",
+    code=lambda_.Code.from_bucket_v2(bucket, "python-lambda-handler.zip", options)
+)
+```
+
 * `lambda.Code.fromInline(code)` - inline the handle code as a string. This is
   limited to supported runtimes.
 * `lambda.Code.fromAsset(path)` - specify a directory or a .zip file in the local
@@ -1050,7 +1071,7 @@ https://docs.aws.amazon.com/lambda/latest/dg/invocation-recursion.html
 
 ## Lambda with SnapStart
 
-SnapStart is currently supported only on Java 11 and later [Java managed runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html). SnapStart does not support provisioned concurrency, Amazon Elastic File System (Amazon EFS), or ephemeral storage greater than 512 MB. After you enable Lambda SnapStart for a particular Lambda function, publishing a new version of the function will trigger an optimization process.
+SnapStart is currently supported on Python 3.12, Python 3.13, .NET 8, and Java 11 and later [Java managed runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html). SnapStart does not support provisioned concurrency, Amazon Elastic File System (Amazon EFS), or ephemeral storage greater than 512 MB. After you enable Lambda SnapStart for a particular Lambda function, publishing a new version of the function will trigger an optimization process.
 
 See [the AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) to learn more about AWS Lambda SnapStart
 
@@ -2972,6 +2993,80 @@ class AutoScalingOptions:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_lambda.BucketOptions",
+    jsii_struct_bases=[],
+    name_mapping={"object_version": "objectVersion", "source_kms_key": "sourceKMSKey"},
+)
+class BucketOptions:
+    def __init__(
+        self,
+        *,
+        object_version: typing.Optional[builtins.str] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
+    ) -> None:
+        '''Optional parameters for creating code using bucket.
+
+        :param object_version: Optional S3 object version.
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
+
+        :exampleMetadata: infused
+
+        Example::
+
+            from aws_cdk.aws_kms import Key
+            import aws_cdk.aws_s3 as s3
+            # key: Key
+            
+            
+            bucket = s3.Bucket(self, "Bucket")
+            
+            options = {
+                "source_kMSKey": key
+            }
+            fn_bucket = lambda_.Function(self, "myFunction2",
+                runtime=lambda_.Runtime.NODEJS_LATEST,
+                handler="index.handler",
+                code=lambda_.Code.from_bucket_v2(bucket, "python-lambda-handler.zip", options)
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ea5994c9827298565c305f3f7f771ab57a19a60665d41006e56da4741c2d0d56)
+            check_type(argname="argument object_version", value=object_version, expected_type=type_hints["object_version"])
+            check_type(argname="argument source_kms_key", value=source_kms_key, expected_type=type_hints["source_kms_key"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if object_version is not None:
+            self._values["object_version"] = object_version
+        if source_kms_key is not None:
+            self._values["source_kms_key"] = source_kms_key
+
+    @builtins.property
+    def object_version(self) -> typing.Optional[builtins.str]:
+        '''Optional S3 object version.'''
+        result = self._values.get("object_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def source_kms_key(self) -> typing.Optional[_IKey_5f11635f]:
+        '''The ARN of the KMS key used to encrypt the handler code.
+
+        :default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
+        '''
+        result = self._values.get("source_kms_key")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "BucketOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(_IInspectable_c2943556)
 class CfnAlias(
     _CfnResource_9df397a6,
@@ -7059,6 +7154,10 @@ class CfnFunction(
         ) -> None:
             '''The `deployment package <https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html>`_ for a Lambda function. To deploy a function defined as a container image, you specify the location of a container image in the Amazon ECR registry. For a .zip file deployment package, you can specify the location of an object in Amazon S3. For Node.js and Python functions, you can specify the function code inline in the template.
 
+            .. epigraph::
+
+               When you specify source code inline for a Node.js function, the ``index`` file that AWS CloudFormation creates uses the extension ``.js`` . This means that Lambda treats the file as a CommonJS module. ES modules aren't supported for inline functions.
+
             Changes to a deployment package in Amazon S3 or a container image in ECR are not detected automatically during stack updates. To update the function code, change the object key or version in the template.
 
             :param image_uri: URI of a `container image <https://docs.aws.amazon.com/lambda/latest/dg/lambda-images.html>`_ in the Amazon ECR registry.
@@ -7066,7 +7165,7 @@ class CfnFunction(
             :param s3_key: The Amazon S3 key of the deployment package.
             :param s3_object_version: For versioned objects, the version of the deployment package object to use.
             :param source_kms_key_arn: 
-            :param zip_file: (Node.js and Python) The source code of your Lambda function. If you include your function source inline with this parameter, AWS CloudFormation places it in a file named ``index`` and zips it to create a `deployment package <https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html>`_ . This zip file cannot exceed 4MB. For the ``Handler`` property, the first part of the handler identifier must be ``index`` . For example, ``index.handler`` . For JSON, you must escape quotes and special characters such as newline ( ``\\n`` ) with a backslash. If you specify a function that interacts with an AWS CloudFormation custom resource, you don't have to write your own functions to send responses to the custom resource that invoked the function. AWS CloudFormation provides a response module ( `cfn-response <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-lambda-function-code-cfnresponsemodule.html>`_ ) that simplifies sending responses. See `Using AWS Lambda with AWS CloudFormation <https://docs.aws.amazon.com/lambda/latest/dg/services-cloudformation.html>`_ for details.
+            :param zip_file: (Node.js and Python) The source code of your Lambda function. If you include your function source inline with this parameter, AWS CloudFormation places it in a file named ``index`` and zips it to create a `deployment package <https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html>`_ . This zip file cannot exceed 4MB. For the ``Handler`` property, the first part of the handler identifier must be ``index`` . For example, ``index.handler`` . .. epigraph:: When you specify source code inline for a Node.js function, the ``index`` file that AWS CloudFormation creates uses the extension ``.js`` . This means that Lambda treats the file as a CommonJS module. ES modules aren't supported for inline functions. For JSON, you must escape quotes and special characters such as newline ( ``\\n`` ) with a backslash. If you specify a function that interacts with an AWS CloudFormation custom resource, you don't have to write your own functions to send responses to the custom resource that invoked the function. AWS CloudFormation provides a response module ( `cfn-response <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-lambda-function-code-cfnresponsemodule.html>`_ ) that simplifies sending responses. See `Using AWS Lambda with AWS CloudFormation <https://docs.aws.amazon.com/lambda/latest/dg/services-cloudformation.html>`_ for details.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-code.html
             :exampleMetadata: fixture=_generated
@@ -7158,6 +7257,10 @@ class CfnFunction(
         def zip_file(self) -> typing.Optional[builtins.str]:
             '''(Node.js and Python) The source code of your Lambda function. If you include your function source inline with this parameter, AWS CloudFormation places it in a file named ``index`` and zips it to create a `deployment package <https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html>`_ . This zip file cannot exceed 4MB. For the ``Handler`` property, the first part of the handler identifier must be ``index`` . For example, ``index.handler`` .
 
+            .. epigraph::
+
+               When you specify source code inline for a Node.js function, the ``index`` file that AWS CloudFormation creates uses the extension ``.js`` . This means that Lambda treats the file as a CommonJS module. ES modules aren't supported for inline functions.
+
             For JSON, you must escape quotes and special characters such as newline ( ``\\n`` ) with a backslash.
 
             If you specify a function that interacts with an AWS CloudFormation custom resource, you don't have to write your own functions to send responses to the custom resource that invoked the function. AWS CloudFormation provides a response module ( `cfn-response <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-lambda-function-code-cfnresponsemodule.html>`_ ) that simplifies sending responses. See `Using AWS Lambda with AWS CloudFormation <https://docs.aws.amazon.com/lambda/latest/dg/services-cloudformation.html>`_ for details.
@@ -9293,6 +9396,7 @@ class CfnLayerVersionProps:
     name_mapping={
         "bucket_name_param": "bucketNameParam",
         "object_key_param": "objectKeyParam",
+        "source_kms_key": "sourceKMSKey",
     },
 )
 class CfnParametersCodeProps:
@@ -9301,11 +9405,13 @@ class CfnParametersCodeProps:
         *,
         bucket_name_param: typing.Optional[_CfnParameter_48fc1866] = None,
         object_key_param: typing.Optional[_CfnParameter_48fc1866] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
     ) -> None:
         '''Construction properties for ``CfnParametersCode``.
 
         :param bucket_name_param: The CloudFormation parameter that represents the name of the S3 Bucket where the Lambda code will be located in. Must be of type 'String'. Default: a new parameter will be created
         :param object_key_param: The CloudFormation parameter that represents the path inside the S3 Bucket where the Lambda code will be located at. Must be of type 'String'. Default: a new parameter will be created
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
 
         :exampleMetadata: fixture=_generated
 
@@ -9314,24 +9420,30 @@ class CfnParametersCodeProps:
             # The code below shows an example of how to instantiate this type.
             # The values are placeholders you should change.
             import aws_cdk as cdk
+            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_lambda as lambda_
             
             # cfn_parameter: cdk.CfnParameter
+            # key: kms.Key
             
             cfn_parameters_code_props = lambda.CfnParametersCodeProps(
                 bucket_name_param=cfn_parameter,
-                object_key_param=cfn_parameter
+                object_key_param=cfn_parameter,
+                source_kMSKey=key
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__45ce02257c922b893446f407552a2416c3356585f4b95a19a9069a0bb7e9115f)
             check_type(argname="argument bucket_name_param", value=bucket_name_param, expected_type=type_hints["bucket_name_param"])
             check_type(argname="argument object_key_param", value=object_key_param, expected_type=type_hints["object_key_param"])
+            check_type(argname="argument source_kms_key", value=source_kms_key, expected_type=type_hints["source_kms_key"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if bucket_name_param is not None:
             self._values["bucket_name_param"] = bucket_name_param
         if object_key_param is not None:
             self._values["object_key_param"] = object_key_param
+        if source_kms_key is not None:
+            self._values["source_kms_key"] = source_kms_key
 
     @builtins.property
     def bucket_name_param(self) -> typing.Optional[_CfnParameter_48fc1866]:
@@ -9355,6 +9467,15 @@ class CfnParametersCodeProps:
         result = self._values.get("object_key_param")
         return typing.cast(typing.Optional[_CfnParameter_48fc1866], result)
 
+    @builtins.property
+    def source_kms_key(self) -> typing.Optional[_IKey_5f11635f]:
+        '''The ARN of the KMS key used to encrypt the handler code.
+
+        :default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
+        '''
+        result = self._values.get("source_kms_key")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -10841,6 +10962,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         *,
         deploy_time: typing.Optional[builtins.bool] = None,
         readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
         asset_hash: typing.Optional[builtins.str] = None,
         asset_hash_type: typing.Optional[_AssetHashType_05b67f2d] = None,
         bundling: typing.Optional[typing.Union[_BundlingOptions_588cc936, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -10853,6 +10975,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         :param path: Either a directory with the Lambda code bundle or a .zip file.
         :param deploy_time: Whether or not the asset needs to exist beyond deployment time; i.e. are copied over to a different location and not needed afterwards. Setting this property to true has an impact on the lifecycle of the asset, because we will assume that it is safe to delete after the CloudFormation deployment succeeds. For example, Lambda Function assets are copied over to Lambda during deployment. Therefore, it is not necessary to store the asset in S3, so we consider those deployTime assets. Default: false
         :param readers: A list of principals that should be able to read this asset from S3. You can use ``asset.grantRead(principal)`` to grant read permissions later. Default: - No principals that can read file asset.
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
         :param asset_hash: Specify a custom hash for this asset. If ``assetHashType`` is set it must be set to ``AssetHashType.CUSTOM``. For consistency, this custom hash will be SHA256 hashed and encoded as hex. The resulting hash will be the asset hash. NOTE: the hash is used in order to identify a specific revision of the asset, and used for optimizing and caching deployment activities related to this asset such as packaging, uploading to Amazon S3, etc. If you chose to customize the hash, you will need to make sure it is updated every time the asset changes, or otherwise it is possible that some deployments will not be invalidated. Default: - based on ``assetHashType``
         :param asset_hash_type: Specifies the type of hash to calculate for this asset. If ``assetHash`` is configured, this option must be ``undefined`` or ``AssetHashType.CUSTOM``. Default: - the default is ``AssetHashType.SOURCE``, but if ``assetHash`` is explicitly specified this value defaults to ``AssetHashType.CUSTOM``.
         :param bundling: Bundle the asset by executing a command in a Docker container or a custom bundling provider. The asset path will be mounted at ``/asset-input``. The Docker container is responsible for putting content at ``/asset-output``. The content at ``/asset-output`` will be zipped and used as the final asset. Default: - uploaded as-is to S3 if the asset is a regular file or a .zip file, archived into a .zip file and uploaded to S3 otherwise
@@ -10866,6 +10989,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         options = _AssetOptions_2aa69621(
             deploy_time=deploy_time,
             readers=readers,
+            source_kms_key=source_kms_key,
             asset_hash=asset_hash,
             asset_hash_type=asset_hash_type,
             bundling=bundling,
@@ -10976,6 +11100,33 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
             check_type(argname="argument object_version", value=object_version, expected_type=type_hints["object_version"])
         return typing.cast("S3Code", jsii.sinvoke(cls, "fromBucket", [bucket, key, object_version]))
 
+    @jsii.member(jsii_name="fromBucketV2")
+    @builtins.classmethod
+    def from_bucket_v2(
+        cls,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+        *,
+        object_version: typing.Optional[builtins.str] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
+    ) -> "S3CodeV2":
+        '''Lambda handler code as an S3 object.
+
+        :param bucket: The S3 bucket.
+        :param key: The object key.
+        :param object_version: Optional S3 object version.
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b3435b4d9a286e912d3934fc747c05554a23d64416b95f4dd12b911cd5bce166)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+        options = BucketOptions(
+            object_version=object_version, source_kms_key=source_kms_key
+        )
+
+        return typing.cast("S3CodeV2", jsii.sinvoke(cls, "fromBucketV2", [bucket, key, options]))
+
     @jsii.member(jsii_name="fromCfnParameters")
     @builtins.classmethod
     def from_cfn_parameters(
@@ -10983,16 +11134,20 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         *,
         bucket_name_param: typing.Optional[_CfnParameter_48fc1866] = None,
         object_key_param: typing.Optional[_CfnParameter_48fc1866] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
     ) -> "CfnParametersCode":
         '''Creates a new Lambda source defined using CloudFormation parameters.
 
         :param bucket_name_param: The CloudFormation parameter that represents the name of the S3 Bucket where the Lambda code will be located in. Must be of type 'String'. Default: a new parameter will be created
         :param object_key_param: The CloudFormation parameter that represents the path inside the S3 Bucket where the Lambda code will be located at. Must be of type 'String'. Default: a new parameter will be created
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
 
         :return: a new instance of ``CfnParametersCode``
         '''
         props = CfnParametersCodeProps(
-            bucket_name_param=bucket_name_param, object_key_param=object_key_param
+            bucket_name_param=bucket_name_param,
+            object_key_param=object_key_param,
+            source_kms_key=source_kms_key,
         )
 
         return typing.cast("CfnParametersCode", jsii.sinvoke(cls, "fromCfnParameters", [props]))
@@ -11007,6 +11162,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         command_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
         deploy_time: typing.Optional[builtins.bool] = None,
         readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
         asset_hash: typing.Optional[builtins.str] = None,
         asset_hash_type: typing.Optional[_AssetHashType_05b67f2d] = None,
         bundling: typing.Optional[typing.Union[_BundlingOptions_588cc936, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -11021,6 +11177,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
         :param command_options: options that are passed to the spawned process, which determine the characteristics of the spawned process. Default: : see ``child_process.SpawnSyncOptions`` (https://nodejs.org/api/child_process.html#child_processspawnsynccommand-args-options).
         :param deploy_time: Whether or not the asset needs to exist beyond deployment time; i.e. are copied over to a different location and not needed afterwards. Setting this property to true has an impact on the lifecycle of the asset, because we will assume that it is safe to delete after the CloudFormation deployment succeeds. For example, Lambda Function assets are copied over to Lambda during deployment. Therefore, it is not necessary to store the asset in S3, so we consider those deployTime assets. Default: false
         :param readers: A list of principals that should be able to read this asset from S3. You can use ``asset.grantRead(principal)`` to grant read permissions later. Default: - No principals that can read file asset.
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
         :param asset_hash: Specify a custom hash for this asset. If ``assetHashType`` is set it must be set to ``AssetHashType.CUSTOM``. For consistency, this custom hash will be SHA256 hashed and encoded as hex. The resulting hash will be the asset hash. NOTE: the hash is used in order to identify a specific revision of the asset, and used for optimizing and caching deployment activities related to this asset such as packaging, uploading to Amazon S3, etc. If you chose to customize the hash, you will need to make sure it is updated every time the asset changes, or otherwise it is possible that some deployments will not be invalidated. Default: - based on ``assetHashType``
         :param asset_hash_type: Specifies the type of hash to calculate for this asset. If ``assetHash`` is configured, this option must be ``undefined`` or ``AssetHashType.CUSTOM``. Default: - the default is ``AssetHashType.SOURCE``, but if ``assetHash`` is explicitly specified this value defaults to ``AssetHashType.CUSTOM``.
         :param bundling: Bundle the asset by executing a command in a Docker container or a custom bundling provider. The asset path will be mounted at ``/asset-input``. The Docker container is responsible for putting content at ``/asset-output``. The content at ``/asset-output`` will be zipped and used as the final asset. Default: - uploaded as-is to S3 if the asset is a regular file or a .zip file, archived into a .zip file and uploaded to S3 otherwise
@@ -11036,6 +11193,7 @@ class Code(metaclass=jsii.JSIIAbstractClass, jsii_type="aws-cdk-lib.aws_lambda.C
             command_options=command_options,
             deploy_time=deploy_time,
             readers=readers,
+            source_kms_key=source_kms_key,
             asset_hash=asset_hash,
             asset_hash_type=asset_hash_type,
             bundling=bundling,
@@ -11198,6 +11356,7 @@ typing.cast(typing.Any, Code).__jsii_proxy_class__ = lambda : _CodeProxy
         "image": "image",
         "inline_code": "inlineCode",
         "s3_location": "s3Location",
+        "source_kms_key_arn": "sourceKMSKeyArn",
     },
 )
 class CodeConfig:
@@ -11207,12 +11366,14 @@ class CodeConfig:
         image: typing.Optional[typing.Union["CodeImageConfig", typing.Dict[builtins.str, typing.Any]]] = None,
         inline_code: typing.Optional[builtins.str] = None,
         s3_location: typing.Optional[typing.Union[_Location_0948fa7f, typing.Dict[builtins.str, typing.Any]]] = None,
+        source_kms_key_arn: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Result of binding ``Code`` into a ``Function``.
 
         :param image: Docker image configuration (mutually exclusive with ``s3Location`` and ``inlineCode``). Default: - code is not an ECR container image
         :param inline_code: Inline code (mutually exclusive with ``s3Location`` and ``image``). Default: - code is not inline code
         :param s3_location: The location of the code in S3 (mutually exclusive with ``inlineCode`` and ``image``). Default: - code is not an s3 location
+        :param source_kms_key_arn: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
 
         :exampleMetadata: fixture=_generated
 
@@ -11238,7 +11399,8 @@ class CodeConfig:
             
                     # the properties below are optional
                     object_version="objectVersion"
-                )
+                ),
+                source_kMSKey_arn="sourceKMSKeyArn"
             )
         '''
         if isinstance(image, dict):
@@ -11250,6 +11412,7 @@ class CodeConfig:
             check_type(argname="argument image", value=image, expected_type=type_hints["image"])
             check_type(argname="argument inline_code", value=inline_code, expected_type=type_hints["inline_code"])
             check_type(argname="argument s3_location", value=s3_location, expected_type=type_hints["s3_location"])
+            check_type(argname="argument source_kms_key_arn", value=source_kms_key_arn, expected_type=type_hints["source_kms_key_arn"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if image is not None:
             self._values["image"] = image
@@ -11257,6 +11420,8 @@ class CodeConfig:
             self._values["inline_code"] = inline_code
         if s3_location is not None:
             self._values["s3_location"] = s3_location
+        if source_kms_key_arn is not None:
+            self._values["source_kms_key_arn"] = source_kms_key_arn
 
     @builtins.property
     def image(self) -> typing.Optional["CodeImageConfig"]:
@@ -11285,6 +11450,15 @@ class CodeConfig:
         result = self._values.get("s3_location")
         return typing.cast(typing.Optional[_Location_0948fa7f], result)
 
+    @builtins.property
+    def source_kms_key_arn(self) -> typing.Optional[builtins.str]:
+        '''The ARN of the KMS key used to encrypt the handler code.
+
+        :default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
+        '''
+        result = self._values.get("source_kms_key_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -11529,6 +11703,7 @@ class CodeSigningConfigProps:
         "ignore_mode": "ignoreMode",
         "deploy_time": "deployTime",
         "readers": "readers",
+        "source_kms_key": "sourceKMSKey",
         "command_options": "commandOptions",
     },
 )
@@ -11544,6 +11719,7 @@ class CustomCommandOptions(_AssetOptions_2aa69621):
         ignore_mode: typing.Optional[_IgnoreMode_655a98e8] = None,
         deploy_time: typing.Optional[builtins.bool] = None,
         readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
         command_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
     ) -> None:
         '''Options for creating ``AssetCode`` with a custom command, such as running a buildfile.
@@ -11556,6 +11732,7 @@ class CustomCommandOptions(_AssetOptions_2aa69621):
         :param ignore_mode: The ignore behavior to use for ``exclude`` patterns. Default: IgnoreMode.GLOB
         :param deploy_time: Whether or not the asset needs to exist beyond deployment time; i.e. are copied over to a different location and not needed afterwards. Setting this property to true has an impact on the lifecycle of the asset, because we will assume that it is safe to delete after the CloudFormation deployment succeeds. For example, Lambda Function assets are copied over to Lambda during deployment. Therefore, it is not necessary to store the asset in S3, so we consider those deployTime assets. Default: false
         :param readers: A list of principals that should be able to read this asset from S3. You can use ``asset.grantRead(principal)`` to grant read permissions later. Default: - No principals that can read file asset.
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
         :param command_options: options that are passed to the spawned process, which determine the characteristics of the spawned process. Default: : see ``child_process.SpawnSyncOptions`` (https://nodejs.org/api/child_process.html#child_processspawnsynccommand-args-options).
 
         :exampleMetadata: fixture=_generated
@@ -11566,11 +11743,13 @@ class CustomCommandOptions(_AssetOptions_2aa69621):
             # The values are placeholders you should change.
             import aws_cdk as cdk
             from aws_cdk import aws_iam as iam
+            from aws_cdk import aws_kms as kms
             from aws_cdk import aws_lambda as lambda_
             
             # command_options: Any
             # docker_image: cdk.DockerImage
             # grantable: iam.IGrantable
+            # key: kms.Key
             # local_bundling: cdk.ILocalBundling
             
             custom_command_options = lambda.CustomCommandOptions(
@@ -11609,7 +11788,8 @@ class CustomCommandOptions(_AssetOptions_2aa69621):
                 exclude=["exclude"],
                 follow_symlinks=cdk.SymlinkFollowMode.NEVER,
                 ignore_mode=cdk.IgnoreMode.GLOB,
-                readers=[grantable]
+                readers=[grantable],
+                source_kMSKey=key
             )
         '''
         if isinstance(bundling, dict):
@@ -11624,6 +11804,7 @@ class CustomCommandOptions(_AssetOptions_2aa69621):
             check_type(argname="argument ignore_mode", value=ignore_mode, expected_type=type_hints["ignore_mode"])
             check_type(argname="argument deploy_time", value=deploy_time, expected_type=type_hints["deploy_time"])
             check_type(argname="argument readers", value=readers, expected_type=type_hints["readers"])
+            check_type(argname="argument source_kms_key", value=source_kms_key, expected_type=type_hints["source_kms_key"])
             check_type(argname="argument command_options", value=command_options, expected_type=type_hints["command_options"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if asset_hash is not None:
@@ -11642,6 +11823,8 @@ class CustomCommandOptions(_AssetOptions_2aa69621):
             self._values["deploy_time"] = deploy_time
         if readers is not None:
             self._values["readers"] = readers
+        if source_kms_key is not None:
+            self._values["source_kms_key"] = source_kms_key
         if command_options is not None:
             self._values["command_options"] = command_options
 
@@ -11757,6 +11940,15 @@ class CustomCommandOptions(_AssetOptions_2aa69621):
         result = self._values.get("readers")
         return typing.cast(typing.Optional[typing.List[_IGrantable_71c4f5de]], result)
 
+    @builtins.property
+    def source_kms_key(self) -> typing.Optional[_IKey_5f11635f]:
+        '''The ARN of the KMS key used to encrypt the handler code.
+
+        :default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
+        '''
+        result = self._values.get("source_kms_key")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
+
     @builtins.property
     def command_options(
         self,
@@ -14536,7 +14728,7 @@ class FunctionOptions(EventInvokeConfigOptions):
         :param role: Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole". Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling ``addToRolePolicy``.
         :param runtime_management_mode: Sets the runtime management configuration for a function's version. Default: Auto
         :param security_groups: The list of security groups to associate with the Lambda's network interfaces. Only used if 'vpc' is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
-        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime Default: - No snapstart
+        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
         :param system_log_level: (deprecated) Sets the system log level for the function. Default: "INFO"
         :param system_log_level_v2: Sets the system log level for the function. Default: SystemLogLevel.INFO
         :param timeout: The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.seconds(3)
@@ -15332,7 +15524,7 @@ class FunctionOptions(EventInvokeConfigOptions):
     def snap_start(self) -> typing.Optional["SnapStartConf"]:
         '''Enable SnapStart for Lambda Function.
 
-        SnapStart is currently supported only for Java 11, 17 runtime
+        SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime
 
         :default: - No snapstart
         '''
@@ -15579,7 +15771,7 @@ class FunctionProps(FunctionOptions):
         :param role: Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole". Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling ``addToRolePolicy``.
         :param runtime_management_mode: Sets the runtime management configuration for a function's version. Default: Auto
         :param security_groups: The list of security groups to associate with the Lambda's network interfaces. Only used if 'vpc' is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
-        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime Default: - No snapstart
+        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
         :param system_log_level: (deprecated) Sets the system log level for the function. Default: "INFO"
         :param system_log_level_v2: Sets the system log level for the function. Default: SystemLogLevel.INFO
         :param timeout: The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.seconds(3)
@@ -16296,7 +16488,7 @@ class FunctionProps(FunctionOptions):
     def snap_start(self) -> typing.Optional["SnapStartConf"]:
         '''Enable SnapStart for Lambda Function.
 
-        SnapStart is currently supported only for Java 11, 17 runtime
+        SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime
 
         :default: - No snapstart
         '''
@@ -20637,6 +20829,12 @@ class Runtime(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_lambda.Runtime
         '''The Python 3.12 runtime (python3.12).'''
         return typing.cast("Runtime", jsii.sget(cls, "PYTHON_3_12"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PYTHON_3_13")
+    def PYTHON_3_13(cls) -> "Runtime":
+        '''The Python 3.13 runtime (python3.13).'''
+        return typing.cast("Runtime", jsii.sget(cls, "PYTHON_3_13"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PYTHON_3_6")
     def PYTHON_3_6(cls) -> "Runtime":
@@ -20901,6 +21099,76 @@ class S3Code(Code, metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_lambda.S3
         return typing.cast(builtins.bool, jsii.get(self, "isInline"))
 
 
+class S3CodeV2(
+    Code,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_lambda.S3CodeV2",
+):
+    '''Lambda code from an S3 archive.
+
+    With option to set KMSKey for encryption.
+
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_kms as kms
+        from aws_cdk import aws_lambda as lambda_
+        from aws_cdk import aws_s3 as s3
+        
+        # bucket: s3.Bucket
+        # key: kms.Key
+        
+        s3_code_v2 = lambda_.S3CodeV2(bucket, "key",
+            object_version="objectVersion",
+            source_kMSKey=key
+        )
+    '''
+
+    def __init__(
+        self,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+        *,
+        object_version: typing.Optional[builtins.str] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
+    ) -> None:
+        '''
+        :param bucket: -
+        :param key: -
+        :param object_version: Optional S3 object version.
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b41ca6a89b02f4abbd158513a5c812e15217b49cbb3e409cff1690bdb9e00f3c)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+        options = BucketOptions(
+            object_version=object_version, source_kms_key=source_kms_key
+        )
+
+        jsii.create(self.__class__, self, [bucket, key, options])
+
+    @jsii.member(jsii_name="bind")
+    def bind(self, _scope: _constructs_77d1e7e8.Construct) -> CodeConfig:
+        '''Called when the lambda or layer is initialized to allow this object to bind to the stack, add resources and have fun.
+
+        :param _scope: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__304505e97ff3b397f5306079c5410e06bb217281e1cc348ada6eef6ae77771f2)
+            check_type(argname="argument _scope", value=_scope, expected_type=type_hints["_scope"])
+        return typing.cast(CodeConfig, jsii.invoke(self, "bind", [_scope]))
+
+    @builtins.property
+    @jsii.member(jsii_name="isInline")
+    def is_inline(self) -> builtins.bool:
+        '''Determines whether this Code is inline code or not.'''
+        return typing.cast(builtins.bool, jsii.get(self, "isInline"))
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_lambda.SingletonFunctionProps",
     jsii_struct_bases=[FunctionProps],
@@ -21064,7 +21332,7 @@ class SingletonFunctionProps(FunctionProps):
         :param role: Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole". Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling ``addToRolePolicy``.
         :param runtime_management_mode: Sets the runtime management configuration for a function's version. Default: Auto
         :param security_groups: The list of security groups to associate with the Lambda's network interfaces. Only used if 'vpc' is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
-        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime Default: - No snapstart
+        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
         :param system_log_level: (deprecated) Sets the system log level for the function. Default: "INFO"
         :param system_log_level_v2: Sets the system log level for the function. Default: SystemLogLevel.INFO
         :param timeout: The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.seconds(3)
@@ -21769,7 +22037,7 @@ class SingletonFunctionProps(FunctionProps):
     def snap_start(self) -> typing.Optional["SnapStartConf"]:
         '''Enable SnapStart for Lambda Function.
 
-        SnapStart is currently supported only for Java 11, 17 runtime
+        SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime
 
         :default: - No snapstart
         '''
@@ -23291,6 +23559,7 @@ class AssetCode(
         *,
         deploy_time: typing.Optional[builtins.bool] = None,
         readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
         asset_hash: typing.Optional[builtins.str] = None,
         asset_hash_type: typing.Optional[_AssetHashType_05b67f2d] = None,
         bundling: typing.Optional[typing.Union[_BundlingOptions_588cc936, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -23302,6 +23571,7 @@ class AssetCode(
         :param path: The path to the asset file or directory.
         :param deploy_time: Whether or not the asset needs to exist beyond deployment time; i.e. are copied over to a different location and not needed afterwards. Setting this property to true has an impact on the lifecycle of the asset, because we will assume that it is safe to delete after the CloudFormation deployment succeeds. For example, Lambda Function assets are copied over to Lambda during deployment. Therefore, it is not necessary to store the asset in S3, so we consider those deployTime assets. Default: false
         :param readers: A list of principals that should be able to read this asset from S3. You can use ``asset.grantRead(principal)`` to grant read permissions later. Default: - No principals that can read file asset.
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
         :param asset_hash: Specify a custom hash for this asset. If ``assetHashType`` is set it must be set to ``AssetHashType.CUSTOM``. For consistency, this custom hash will be SHA256 hashed and encoded as hex. The resulting hash will be the asset hash. NOTE: the hash is used in order to identify a specific revision of the asset, and used for optimizing and caching deployment activities related to this asset such as packaging, uploading to Amazon S3, etc. If you chose to customize the hash, you will need to make sure it is updated every time the asset changes, or otherwise it is possible that some deployments will not be invalidated. Default: - based on ``assetHashType``
         :param asset_hash_type: Specifies the type of hash to calculate for this asset. If ``assetHash`` is configured, this option must be ``undefined`` or ``AssetHashType.CUSTOM``. Default: - the default is ``AssetHashType.SOURCE``, but if ``assetHash`` is explicitly specified this value defaults to ``AssetHashType.CUSTOM``.
         :param bundling: Bundle the asset by executing a command in a Docker container or a custom bundling provider. The asset path will be mounted at ``/asset-input``. The Docker container is responsible for putting content at ``/asset-output``. The content at ``/asset-output`` will be zipped and used as the final asset. Default: - uploaded as-is to S3 if the asset is a regular file or a .zip file, archived into a .zip file and uploaded to S3 otherwise
@@ -23315,6 +23585,7 @@ class AssetCode(
         options = _AssetOptions_2aa69621(
             deploy_time=deploy_time,
             readers=readers,
+            source_kms_key=source_kms_key,
             asset_hash=asset_hash,
             asset_hash_type=asset_hash_type,
             bundling=bundling,
@@ -23701,13 +23972,17 @@ class CfnParametersCode(
         *,
         bucket_name_param: typing.Optional[_CfnParameter_48fc1866] = None,
         object_key_param: typing.Optional[_CfnParameter_48fc1866] = None,
+        source_kms_key: typing.Optional[_IKey_5f11635f] = None,
     ) -> None:
         '''
         :param bucket_name_param: The CloudFormation parameter that represents the name of the S3 Bucket where the Lambda code will be located in. Must be of type 'String'. Default: a new parameter will be created
         :param object_key_param: The CloudFormation parameter that represents the path inside the S3 Bucket where the Lambda code will be located at. Must be of type 'String'. Default: a new parameter will be created
+        :param source_kms_key: The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.
         '''
         props = CfnParametersCodeProps(
-            bucket_name_param=bucket_name_param, object_key_param=object_key_param
+            bucket_name_param=bucket_name_param,
+            object_key_param=object_key_param,
+            source_kms_key=source_kms_key,
         )
 
         jsii.create(self.__class__, self, [props])
@@ -24018,7 +24293,7 @@ class DockerImageFunctionProps(FunctionOptions):
         :param role: Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole". Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling ``addToRolePolicy``.
         :param runtime_management_mode: Sets the runtime management configuration for a function's version. Default: Auto
         :param security_groups: The list of security groups to associate with the Lambda's network interfaces. Only used if 'vpc' is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
-        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime Default: - No snapstart
+        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
         :param system_log_level: (deprecated) Sets the system log level for the function. Default: "INFO"
         :param system_log_level_v2: Sets the system log level for the function. Default: SystemLogLevel.INFO
         :param timeout: The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.seconds(3)
@@ -24708,7 +24983,7 @@ class DockerImageFunctionProps(FunctionOptions):
     def snap_start(self) -> typing.Optional[SnapStartConf]:
         '''Enable SnapStart for Lambda Function.
 
-        SnapStart is currently supported only for Java 11, 17 runtime
+        SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime
 
         :default: - No snapstart
         '''
@@ -26105,7 +26380,7 @@ class SingletonFunction(
         :param role: Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole". Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling ``addToRolePolicy``.
         :param runtime_management_mode: Sets the runtime management configuration for a function's version. Default: Auto
         :param security_groups: The list of security groups to associate with the Lambda's network interfaces. Only used if 'vpc' is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
-        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime Default: - No snapstart
+        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
         :param system_log_level: (deprecated) Sets the system log level for the function. Default: "INFO"
         :param system_log_level_v2: Sets the system log level for the function. Default: SystemLogLevel.INFO
         :param timeout: The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.seconds(3)
@@ -27095,7 +27370,7 @@ class Function(
         :param role: Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole". Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling ``addToRolePolicy``.
         :param runtime_management_mode: Sets the runtime management configuration for a function's version. Default: Auto
         :param security_groups: The list of security groups to associate with the Lambda's network interfaces. Only used if 'vpc' is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
-        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime Default: - No snapstart
+        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
         :param system_log_level: (deprecated) Sets the system log level for the function. Default: "INFO"
         :param system_log_level_v2: Sets the system log level for the function. Default: SystemLogLevel.INFO
         :param timeout: The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.seconds(3)
@@ -27891,7 +28166,7 @@ class DockerImageFunction(
         :param role: Lambda execution role. This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal. The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself. The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole". Default: - A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling ``addToRolePolicy``.
         :param runtime_management_mode: Sets the runtime management configuration for a function's version. Default: Auto
         :param security_groups: The list of security groups to associate with the Lambda's network interfaces. Only used if 'vpc' is supplied. Default: - If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.
-        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime Default: - No snapstart
+        :param snap_start: Enable SnapStart for Lambda Function. SnapStart is currently supported for Java 11, Java 17, Python 3.12, Python 3.13, and .NET 8 runtime Default: - No snapstart
         :param system_log_level: (deprecated) Sets the system log level for the function. Default: "INFO"
         :param system_log_level_v2: Sets the system log level for the function. Default: SystemLogLevel.INFO
         :param timeout: The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.seconds(3)
@@ -27982,6 +28257,7 @@ __all__ = [
     "AssetImageCode",
     "AssetImageCodeProps",
     "AutoScalingOptions",
+    "BucketOptions",
     "CfnAlias",
     "CfnAliasProps",
     "CfnCodeSigningConfig",
@@ -28079,6 +28355,7 @@ __all__ = [
     "RuntimeFamily",
     "RuntimeManagementMode",
     "S3Code",
+    "S3CodeV2",
     "SingletonFunction",
     "SingletonFunctionProps",
     "SnapStartConf",
@@ -28220,6 +28497,14 @@ def _typecheckingstub__d87a0ce22b000498263273a478e075d6808ca7f5931890c7a99744eb4
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ea5994c9827298565c305f3f7f771ab57a19a60665d41006e56da4741c2d0d56(
+    *,
+    object_version: typing.Optional[builtins.str] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__681471c67952a7e725f76572ad9bf09e1c634a81914690dff68e934c039fd2f9(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -29260,6 +29545,7 @@ def _typecheckingstub__45ce02257c922b893446f407552a2416c3356585f4b95a19a9069a0bb
     *,
     bucket_name_param: typing.Optional[_CfnParameter_48fc1866] = None,
     object_key_param: typing.Optional[_CfnParameter_48fc1866] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -29526,6 +29812,7 @@ def _typecheckingstub__f040a1ba6e87fe9c9a6496be4b8fbf73f2646b80291bfc4d04979d6ef
     *,
     deploy_time: typing.Optional[builtins.bool] = None,
     readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
     asset_hash: typing.Optional[builtins.str] = None,
     asset_hash_type: typing.Optional[_AssetHashType_05b67f2d] = None,
     bundling: typing.Optional[typing.Union[_BundlingOptions_588cc936, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -29571,6 +29858,16 @@ def _typecheckingstub__cf2f362d90d470e1ea550c48af2d201151dbe9e28567f1f024ec091a2
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b3435b4d9a286e912d3934fc747c05554a23d64416b95f4dd12b911cd5bce166(
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+    *,
+    object_version: typing.Optional[builtins.str] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__f107aedaa96b9385600e34088d5cda9d8035f15776c846b0f0b4fbbe35d118df(
     output: builtins.str,
     command: typing.Sequence[builtins.str],
@@ -29578,6 +29875,7 @@ def _typecheckingstub__f107aedaa96b9385600e34088d5cda9d8035f15776c846b0f0b4fbbe3
     command_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
     deploy_time: typing.Optional[builtins.bool] = None,
     readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
     asset_hash: typing.Optional[builtins.str] = None,
     asset_hash_type: typing.Optional[_AssetHashType_05b67f2d] = None,
     bundling: typing.Optional[typing.Union[_BundlingOptions_588cc936, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -29641,6 +29939,7 @@ def _typecheckingstub__9f94faae4fd35a06e3f67763f77da934d65414f84781e7e17169eece9
     image: typing.Optional[typing.Union[CodeImageConfig, typing.Dict[builtins.str, typing.Any]]] = None,
     inline_code: typing.Optional[builtins.str] = None,
     s3_location: typing.Optional[typing.Union[_Location_0948fa7f, typing.Dict[builtins.str, typing.Any]]] = None,
+    source_kms_key_arn: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -29674,6 +29973,7 @@ def _typecheckingstub__69255a578358e8a47662200dda7ce2e0b1f2ee573c1469268f14060b0
     ignore_mode: typing.Optional[_IgnoreMode_655a98e8] = None,
     deploy_time: typing.Optional[builtins.bool] = None,
     readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
     command_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -30502,6 +30802,22 @@ def _typecheckingstub__cbc76142aaf180fc781ccfffd9ddf0cea89284555d302bceebc998bd3
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b41ca6a89b02f4abbd158513a5c812e15217b49cbb3e409cff1690bdb9e00f3c(
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+    *,
+    object_version: typing.Optional[builtins.str] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__304505e97ff3b397f5306079c5410e06bb217281e1cc348ada6eef6ae77771f2(
+    _scope: _constructs_77d1e7e8.Construct,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__68a03ec9f866a29c77aabcf8328c63a49511790fa9714874f255b3292623893c(
     *,
     max_event_age: typing.Optional[_Duration_4839e8c3] = None,
@@ -30665,6 +30981,7 @@ def _typecheckingstub__2f05314dba16cc49614c6f64783d2cd85683aeb754a1d8b045caf7c7f
     *,
     deploy_time: typing.Optional[builtins.bool] = None,
     readers: typing.Optional[typing.Sequence[_IGrantable_71c4f5de]] = None,
+    source_kms_key: typing.Optional[_IKey_5f11635f] = None,
     asset_hash: typing.Optional[builtins.str] = None,
     asset_hash_type: typing.Optional[_AssetHashType_05b67f2d] = None,
     bundling: typing.Optional[typing.Union[_BundlingOptions_588cc936, typing.Dict[builtins.str, typing.Any]]] = None,