aws-cdk-lib 2.171.1__py3-none-any.whl → 2.173.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1658,6 +1658,19 @@ host = ec2.BastionHostLinux(self, "BastionHost",
 )
 ```
 
+It's recommended to set the `@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault`
+[feature flag](https://docs.aws.amazon.com/cdk/v2/guide/featureflags.html) to `true` to use Amazon Linux 2023 as the
+bastion host AMI. Without this flag set, the bastion host will default to Amazon Linux 2, which will be unsupported in
+June 2025.
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true
+  }
+}
+```
+
 ### Placement Group
 
 Specify `placementGroup` to enable the placement group support:
@@ -2604,6 +2617,30 @@ ec2.PrefixList(self, "PrefixList",
 ```
 
 For more information see [Work with customer-managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-managed-prefix-lists.html)
+
+### IAM instance profile
+
+Use `instanceProfile` to apply specific IAM Instance Profile. Cannot be used with role
+
+```python
+# instance_type: ec2.InstanceType
+# vpc: ec2.Vpc
+
+
+role = iam.Role(self, "Role",
+    assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")
+)
+instance_profile = iam.InstanceProfile(self, "InstanceProfile",
+    role=role
+)
+
+ec2.Instance(self, "Instance",
+    vpc=vpc,
+    instance_type=instance_type,
+    machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+    instance_profile=instance_profile
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -5132,7 +5169,7 @@ class BastionHostLinuxProps:
         :param init_options: Use the given options for applying CloudFormation Init. Describes the configsets to use and the timeout to wait Default: - default options
         :param instance_name: The name of the instance. Default: 'BastionHost'
         :param instance_type: Type of instance to launch. Default: 't3.nano'
-        :param machine_image: The machine image to use, assumed to have SSM Agent preinstalled. Default: - An Amazon Linux 2 image which is kept up-to-date automatically (the instance may be replaced on every deployment) and already has SSM Agent installed.
+        :param machine_image: The machine image to use, assumed to have SSM Agent preinstalled. Default: - An Amazon Linux 2023 image if the ``@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault`` feature flag is enabled. Otherwise, an Amazon Linux 2 image. In both cases, the image is kept up-to-date automatically (the instance may be replaced on every deployment) and already has SSM Agent installed.
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
         :param security_group: Security Group to assign to this instance. Default: - create new security group with no inbound and all outbound traffic allowed
         :param subnet_selection: Select the subnets to run the bastion host in. Set this to PUBLIC if you need to connect to this instance via the internet and cannot use SSM. You have to allow port 22 manually by using the connections field Default: - private subnets of the supplied VPC
@@ -5272,7 +5309,7 @@ class BastionHostLinuxProps:
 
         :default:
 
-        - An Amazon Linux 2 image which is kept up-to-date automatically (the instance
+        - An Amazon Linux 2023 image if the ``@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault`` feature flag is enabled. Otherwise, an Amazon Linux 2 image. In both cases, the image is kept up-to-date automatically (the instance
         may be replaced on every deployment) and already has SSM Agent installed.
         '''
         result = self._values.get("machine_image")
@@ -5656,16 +5693,16 @@ class CfnCapacityReservation(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param availability_zone: The Availability Zone in which to create the Capacity Reservation.
-        :param instance_count: The number of instances for which to reserve capacity. Valid range: 1 - 1000
+        :param instance_count: The number of instances for which to reserve capacity. .. epigraph:: You can request future-dated Capacity Reservations for an instance count with a minimum of 100 VPUs. For example, if you request a future-dated Capacity Reservation for ``m5.xlarge`` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). Valid range: 1 - 1000
         :param instance_platform: The type of operating system for which to reserve capacity.
-        :param instance_type: The instance type for which to reserve capacity. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* .
+        :param instance_type: The instance type for which to reserve capacity. .. epigraph:: You can request future-dated Capacity Reservations for instance types in the C, M, R, I, and T instance families only. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* .
         :param ebs_optimized: Indicates whether the Capacity Reservation supports EBS-optimized instances. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS- optimized instance.
-        :param end_date: The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to ``expired`` when it reaches its end date and time. You must provide an ``EndDate`` value if ``EndDateType`` is ``limited`` . Omit ``EndDate`` if ``EndDateType`` is ``unlimited`` . If the ``EndDateType`` is ``limited`` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019.
+        :param end_date: The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to ``expired`` when it reaches its end date and time. You must provide an ``EndDate`` value if ``EndDateType`` is ``limited`` . Omit ``EndDate`` if ``EndDateType`` is ``unlimited`` . If the ``EndDateType`` is ``limited`` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019. If you are requesting a future-dated Capacity Reservation, you can't specify an end date and time that is within the commitment duration.
         :param end_date_type: Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types: - ``unlimited`` - The Capacity Reservation remains active until you explicitly cancel it. Do not provide an ``EndDate`` if the ``EndDateType`` is ``unlimited`` . - ``limited`` - The Capacity Reservation expires automatically at a specified date and time. You must provide an ``EndDate`` value if the ``EndDateType`` value is ``limited`` .
         :param ephemeral_storage: *Deprecated.*.
-        :param instance_match_criteria: Indicates the type of instance launches that the Capacity Reservation accepts. The options include:. - ``open`` - The Capacity Reservation automatically matches all instances that have matching attributes (instance type, platform, and Availability Zone). Instances that have matching attributes run in the Capacity Reservation automatically without specifying any additional parameters. - ``targeted`` - The Capacity Reservation only accepts instances that have matching attributes (instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This ensures that only permitted instances can use the reserved capacity. Default: ``open``
-        :param out_post_arn: The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
-        :param placement_group_arn: The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation. For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
+        :param instance_match_criteria: Indicates the type of instance launches that the Capacity Reservation accepts. The options include:. - ``open`` - The Capacity Reservation automatically matches all instances that have matching attributes (instance type, platform, and Availability Zone). Instances that have matching attributes run in the Capacity Reservation automatically without specifying any additional parameters. - ``targeted`` - The Capacity Reservation only accepts instances that have matching attributes (instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This ensures that only permitted instances can use the reserved capacity. .. epigraph:: If you are requesting a future-dated Capacity Reservation, you must specify ``targeted`` . Default: ``open``
+        :param out_post_arn: .. epigraph:: Not supported for future-dated Capacity Reservations. The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
+        :param placement_group_arn: .. epigraph:: Not supported for future-dated Capacity Reservations. The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation. For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
         :param tag_specifications: The tags to apply to the Capacity Reservation during launch.
         :param tenancy: Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the following tenancy settings:. - ``default`` - The Capacity Reservation is created on hardware that is shared with other AWS accounts . - ``dedicated`` - The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account .
         :param unused_reservation_billing_owner_id: The ID of the AWS account to which to assign billing of the unused capacity of the Capacity Reservation. A request will be sent to the specified account. That account must accept the request for the billing to be assigned to their account. For more information, see `Billing assignment for shared Amazon EC2 Capacity Reservations <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/assign-billing.html>`_ . You can assign billing only for shared Capacity Reservations. To share a Capacity Reservation, you must add it to a resource share. For more information, see `AWS::RAM::ResourceShare <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ram-resourceshare.html>`_ .
@@ -5925,7 +5962,9 @@ class CfnCapacityReservation(
     @builtins.property
     @jsii.member(jsii_name="outPostArn")
     def out_post_arn(self) -> typing.Optional[builtins.str]:
-        '''The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.'''
+        '''.. epigraph::
+
+   Not supported for future-dated Capacity Reservations.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "outPostArn"))
 
     @out_post_arn.setter
@@ -5938,7 +5977,9 @@ class CfnCapacityReservation(
     @builtins.property
     @jsii.member(jsii_name="placementGroupArn")
     def placement_group_arn(self) -> typing.Optional[builtins.str]:
-        '''The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation.'''
+        '''.. epigraph::
+
+   Not supported for future-dated Capacity Reservations.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "placementGroupArn"))
 
     @placement_group_arn.setter
@@ -6875,16 +6916,16 @@ class CfnCapacityReservationProps:
         '''Properties for defining a ``CfnCapacityReservation``.
 
         :param availability_zone: The Availability Zone in which to create the Capacity Reservation.
-        :param instance_count: The number of instances for which to reserve capacity. Valid range: 1 - 1000
+        :param instance_count: The number of instances for which to reserve capacity. .. epigraph:: You can request future-dated Capacity Reservations for an instance count with a minimum of 100 VPUs. For example, if you request a future-dated Capacity Reservation for ``m5.xlarge`` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ). Valid range: 1 - 1000
         :param instance_platform: The type of operating system for which to reserve capacity.
-        :param instance_type: The instance type for which to reserve capacity. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* .
+        :param instance_type: The instance type for which to reserve capacity. .. epigraph:: You can request future-dated Capacity Reservations for instance types in the C, M, R, I, and T instance families only. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* .
         :param ebs_optimized: Indicates whether the Capacity Reservation supports EBS-optimized instances. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS- optimized instance.
-        :param end_date: The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to ``expired`` when it reaches its end date and time. You must provide an ``EndDate`` value if ``EndDateType`` is ``limited`` . Omit ``EndDate`` if ``EndDateType`` is ``unlimited`` . If the ``EndDateType`` is ``limited`` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019.
+        :param end_date: The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to ``expired`` when it reaches its end date and time. You must provide an ``EndDate`` value if ``EndDateType`` is ``limited`` . Omit ``EndDate`` if ``EndDateType`` is ``unlimited`` . If the ``EndDateType`` is ``limited`` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019. If you are requesting a future-dated Capacity Reservation, you can't specify an end date and time that is within the commitment duration.
         :param end_date_type: Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types: - ``unlimited`` - The Capacity Reservation remains active until you explicitly cancel it. Do not provide an ``EndDate`` if the ``EndDateType`` is ``unlimited`` . - ``limited`` - The Capacity Reservation expires automatically at a specified date and time. You must provide an ``EndDate`` value if the ``EndDateType`` value is ``limited`` .
         :param ephemeral_storage: *Deprecated.*.
-        :param instance_match_criteria: Indicates the type of instance launches that the Capacity Reservation accepts. The options include:. - ``open`` - The Capacity Reservation automatically matches all instances that have matching attributes (instance type, platform, and Availability Zone). Instances that have matching attributes run in the Capacity Reservation automatically without specifying any additional parameters. - ``targeted`` - The Capacity Reservation only accepts instances that have matching attributes (instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This ensures that only permitted instances can use the reserved capacity. Default: ``open``
-        :param out_post_arn: The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
-        :param placement_group_arn: The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation. For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
+        :param instance_match_criteria: Indicates the type of instance launches that the Capacity Reservation accepts. The options include:. - ``open`` - The Capacity Reservation automatically matches all instances that have matching attributes (instance type, platform, and Availability Zone). Instances that have matching attributes run in the Capacity Reservation automatically without specifying any additional parameters. - ``targeted`` - The Capacity Reservation only accepts instances that have matching attributes (instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This ensures that only permitted instances can use the reserved capacity. .. epigraph:: If you are requesting a future-dated Capacity Reservation, you must specify ``targeted`` . Default: ``open``
+        :param out_post_arn: .. epigraph:: Not supported for future-dated Capacity Reservations. The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
+        :param placement_group_arn: .. epigraph:: Not supported for future-dated Capacity Reservations. The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation. For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
         :param tag_specifications: The tags to apply to the Capacity Reservation during launch.
         :param tenancy: Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the following tenancy settings:. - ``default`` - The Capacity Reservation is created on hardware that is shared with other AWS accounts . - ``dedicated`` - The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account .
         :param unused_reservation_billing_owner_id: The ID of the AWS account to which to assign billing of the unused capacity of the Capacity Reservation. A request will be sent to the specified account. That account must accept the request for the billing to be assigned to their account. For more information, see `Billing assignment for shared Amazon EC2 Capacity Reservations <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/assign-billing.html>`_ . You can assign billing only for shared Capacity Reservations. To share a Capacity Reservation, you must add it to a resource share. For more information, see `AWS::RAM::ResourceShare <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ram-resourceshare.html>`_ .
@@ -6980,6 +7021,10 @@ class CfnCapacityReservationProps:
     def instance_count(self) -> jsii.Number:
         '''The number of instances for which to reserve capacity.
 
+        .. epigraph::
+
+           You can request future-dated Capacity Reservations for an instance count with a minimum of 100 VPUs. For example, if you request a future-dated Capacity Reservation for ``m5.xlarge`` instances, you must request at least 25 instances ( *25 * m5.xlarge = 100 vCPUs* ).
+
         Valid range: 1 - 1000
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-instancecount
@@ -7002,6 +7047,10 @@ class CfnCapacityReservationProps:
     def instance_type(self) -> builtins.str:
         '''The instance type for which to reserve capacity.
 
+        .. epigraph::
+
+           You can request future-dated Capacity Reservations for instance types in the C, M, R, I, and T instance families only.
+
         For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-instancetype
@@ -7033,6 +7082,8 @@ class CfnCapacityReservationProps:
 
         If the ``EndDateType`` is ``limited`` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019.
 
+        If you are requesting a future-dated Capacity Reservation, you can't specify an end date and time that is within the commitment duration.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-enddate
         '''
         result = self._values.get("end_date")
@@ -7070,6 +7121,10 @@ class CfnCapacityReservationProps:
         - ``open`` - The Capacity Reservation automatically matches all instances that have matching attributes (instance type, platform, and Availability Zone). Instances that have matching attributes run in the Capacity Reservation automatically without specifying any additional parameters.
         - ``targeted`` - The Capacity Reservation only accepts instances that have matching attributes (instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This ensures that only permitted instances can use the reserved capacity.
 
+        .. epigraph::
+
+           If you are requesting a future-dated Capacity Reservation, you must specify ``targeted`` .
+
         Default: ``open``
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-instancematchcriteria
@@ -7079,7 +7134,11 @@ class CfnCapacityReservationProps:
 
     @builtins.property
     def out_post_arn(self) -> typing.Optional[builtins.str]:
-        '''The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
+        '''.. epigraph::
+
+   Not supported for future-dated Capacity Reservations.
+
+        The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-outpostarn
         '''
@@ -7088,9 +7147,11 @@ class CfnCapacityReservationProps:
 
     @builtins.property
     def placement_group_arn(self) -> typing.Optional[builtins.str]:
-        '''The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation.
+        '''.. epigraph::
 
-        For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
+   Not supported for future-dated Capacity Reservations.
+
+        The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation. For more information, see `Capacity Reservations for cluster placement groups <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cr-cpg.html>`_ in the *Amazon EC2 User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-placementgrouparn
         '''
@@ -11847,7 +11908,7 @@ class CfnEC2Fleet(
             :param bare_metal: Indicates whether bare metal instance types must be included, excluded, or required. - To include bare metal instance types, specify ``included`` . - To require only bare metal instance types, specify ``required`` . - To exclude bare metal instance types, specify ``excluded`` . Default: ``excluded``
             :param baseline_ebs_bandwidth_mbps: The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see `Amazon EBS–optimized instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
             :param burstable_performance: Indicates whether burstable performance T instance types are included, excluded, or required. For more information, see `Burstable performance instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html>`_ . - To include burstable performance instance types, specify ``included`` . - To require only burstable performance instance types, specify ``required`` . - To exclude burstable performance instance types, specify ``excluded`` . Default: ``excluded``
-            :param cpu_manufacturers: The CPU manufacturers to include. - For instance types with Intel CPUs, specify ``intel`` . - For instance types with AMD CPUs, specify ``amd`` . - For instance types with AWS CPUs, specify ``amazon-web-services`` . .. epigraph:: Don't confuse the CPU manufacturer with the CPU architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. Default: Any manufacturer
+            :param cpu_manufacturers: The CPU manufacturers to include. - For instance types with Intel CPUs, specify ``intel`` . - For instance types with AMD CPUs, specify ``amd`` . - For instance types with AWS CPUs, specify ``amazon-web-services`` . - For instance types with Apple CPUs, specify ``apple`` . .. epigraph:: Don't confuse the CPU manufacturer with the CPU architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. Default: Any manufacturer
             :param excluded_instance_types: The instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk ( ``*`` ), to exclude an instance family, type, size, or generation. The following are examples: ``m5.8xlarge`` , ``c5*.*`` , ``m5a.*`` , ``r*`` , ``*3*`` . For example, if you specify ``c5*`` ,Amazon EC2 will exclude the entire C5 instance family, which includes all C5a and C5n instance types. If you specify ``m5a.*`` , Amazon EC2 will exclude all the M5a instance types, but not the M5n instance types. .. epigraph:: If you specify ``ExcludedInstanceTypes`` , you can't specify ``AllowedInstanceTypes`` . Default: No excluded instance types
             :param instance_generations: Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Current generation instance types are typically the latest two to three generations in each instance family. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* . For current generation instance types, specify ``current`` . For previous generation instance types, specify ``previous`` . Default: Current and previous generation instance types
             :param local_storage: Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, `Amazon EC2 instance store <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html>`_ in the *Amazon EC2 User Guide* . - To include instance types with instance store volumes, specify ``included`` . - To require only instance types with instance store volumes, specify ``required`` . - To exclude instance types with instance store volumes, specify ``excluded`` . Default: ``included``
@@ -12161,6 +12222,7 @@ class CfnEC2Fleet(
             - For instance types with Intel CPUs, specify ``intel`` .
             - For instance types with AMD CPUs, specify ``amd`` .
             - For instance types with AWS CPUs, specify ``amazon-web-services`` .
+            - For instance types with Apple CPUs, specify ``apple`` .
 
             .. epigraph::
 
@@ -24497,6 +24559,71 @@ class CfnLaunchTemplate(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.BaselinePerformanceFactorsProperty",
+        jsii_struct_bases=[],
+        name_mapping={"cpu": "cpu"},
+    )
+    class BaselinePerformanceFactorsProperty:
+        def __init__(
+            self,
+            *,
+            cpu: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLaunchTemplate.CpuProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''The baseline performance to consider, using an instance family as a baseline reference.
+
+            The instance family establishes the lowest acceptable level of performance. Amazon EC2 uses this baseline to guide instance type selection, but there is no guarantee that the selected instance types will always exceed the baseline for every application.
+
+            Currently, this parameter only supports CPU performance as a baseline performance factor. For example, specifying ``c6i`` would use the CPU performance of the ``c6i`` family as the baseline reference.
+
+            :param cpu: The CPU performance to consider, using an instance family as the baseline reference.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-baselineperformancefactors.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                baseline_performance_factors_property = ec2.CfnLaunchTemplate.BaselinePerformanceFactorsProperty(
+                    cpu=ec2.CfnLaunchTemplate.CpuProperty(
+                        references=[ec2.CfnLaunchTemplate.ReferenceProperty(
+                            instance_family="instanceFamily"
+                        )]
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__c33b74edb68116a6eddebf7e0fccb8dfd65574d6a35c09a95580596c77d10c84)
+                check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if cpu is not None:
+                self._values["cpu"] = cpu
+
+        @builtins.property
+        def cpu(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.CpuProperty"]]:
+            '''The CPU performance to consider, using an instance family as the baseline reference.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-baselineperformancefactors.html#cfn-ec2-launchtemplate-baselineperformancefactors-cpu
+            '''
+            result = self._values.get("cpu")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.CpuProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "BaselinePerformanceFactorsProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.BlockDeviceMappingProperty",
         jsii_struct_bases=[],
@@ -24638,7 +24765,7 @@ class CfnLaunchTemplate(
 
             ``CapacityReservationSpecification`` is a property of `AWS::EC2::LaunchTemplate LaunchTemplateData <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html>`_ .
 
-            :param capacity_reservation_preference: Indicates the instance's Capacity Reservation preferences. Possible preferences include:. - ``open`` - The instance can run in any ``open`` Capacity Reservation that has matching attributes (instance type, platform, Availability Zone). - ``none`` - The instance avoids running in a Capacity Reservation even if one is available. The instance runs in On-Demand capacity.
+            :param capacity_reservation_preference: Indicates the instance's Capacity Reservation preferences. Possible preferences include:. - ``capacity-reservations-only`` - The instance will only run in a Capacity Reservation or Capacity Reservation group. If capacity isn't available, the instance will fail to launch. - ``open`` - The instance can run in any ``open`` Capacity Reservation that has matching attributes (instance type, platform, Availability Zone, tenancy). - ``none`` - The instance avoids running in a Capacity Reservation even if one is available. The instance runs in On-Demand capacity.
             :param capacity_reservation_target: Information about the target Capacity Reservation or Capacity Reservation group.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-capacityreservationspecification.html
@@ -24672,7 +24799,8 @@ class CfnLaunchTemplate(
         def capacity_reservation_preference(self) -> typing.Optional[builtins.str]:
             '''Indicates the instance's Capacity Reservation preferences. Possible preferences include:.
 
-            - ``open`` - The instance can run in any ``open`` Capacity Reservation that has matching attributes (instance type, platform, Availability Zone).
+            - ``capacity-reservations-only`` - The instance will only run in a Capacity Reservation or Capacity Reservation group. If capacity isn't available, the instance will fail to launch.
+            - ``open`` - The instance can run in any ``open`` Capacity Reservation that has matching attributes (instance type, platform, Availability Zone, tenancy).
             - ``none`` - The instance avoids running in a Capacity Reservation even if one is available. The instance runs in On-Demand capacity.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-capacityreservationspecification.html#cfn-ec2-launchtemplate-capacityreservationspecification-capacityreservationpreference
@@ -24973,6 +25101,66 @@ class CfnLaunchTemplate(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.CpuProperty",
+        jsii_struct_bases=[],
+        name_mapping={"references": "references"},
+    )
+    class CpuProperty:
+        def __init__(
+            self,
+            *,
+            references: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLaunchTemplate.ReferenceProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        ) -> None:
+            '''
+            :param references: A list of references to be used as baseline for the CPU performance. Currently, you can only specify a single reference across different instance type variations such as CPU manufacturers, architectures etc.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-cpu.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                cpu_property = ec2.CfnLaunchTemplate.CpuProperty(
+                    references=[ec2.CfnLaunchTemplate.ReferenceProperty(
+                        instance_family="instanceFamily"
+                    )]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__a1b8ac2b677fdc40ae8230f2aa1d24dbec065cba8c4948e35f4a0dfd69c2e0bc)
+                check_type(argname="argument references", value=references, expected_type=type_hints["references"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if references is not None:
+                self._values["references"] = references
+
+        @builtins.property
+        def references(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.ReferenceProperty"]]]]:
+            '''A list of references to be used as baseline for the CPU performance.
+
+            Currently, you can only specify a single reference across different instance type variations such as CPU manufacturers, architectures etc.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-cpu.html#cfn-ec2-launchtemplate-cpu-references
+            '''
+            result = self._values.get("references")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.ReferenceProperty"]]]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "CpuProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.CreditSpecificationProperty",
         jsii_struct_bases=[],
@@ -25726,6 +25914,7 @@ class CfnLaunchTemplate(
             "allowed_instance_types": "allowedInstanceTypes",
             "bare_metal": "bareMetal",
             "baseline_ebs_bandwidth_mbps": "baselineEbsBandwidthMbps",
+            "baseline_performance_factors": "baselinePerformanceFactors",
             "burstable_performance": "burstablePerformance",
             "cpu_manufacturers": "cpuManufacturers",
             "excluded_instance_types": "excludedInstanceTypes",
@@ -25756,6 +25945,7 @@ class CfnLaunchTemplate(
             allowed_instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
             bare_metal: typing.Optional[builtins.str] = None,
             baseline_ebs_bandwidth_mbps: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLaunchTemplate.BaselineEbsBandwidthMbpsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            baseline_performance_factors: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLaunchTemplate.BaselinePerformanceFactorsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             burstable_performance: typing.Optional[builtins.str] = None,
             cpu_manufacturers: typing.Optional[typing.Sequence[builtins.str]] = None,
             excluded_instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -25802,8 +25992,9 @@ class CfnLaunchTemplate(
             :param allowed_instance_types: The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes. You can use strings with one or more wild cards, represented by an asterisk ( ``*`` ), to allow an instance type, size, or generation. The following are examples: ``m5.8xlarge`` , ``c5*.*`` , ``m5a.*`` , ``r*`` , ``*3*`` . For example, if you specify ``c5*`` ,Amazon EC2 will allow the entire C5 instance family, which includes all C5a and C5n instance types. If you specify ``m5a.*`` , Amazon EC2 will allow all the M5a instance types, but not the M5n instance types. .. epigraph:: If you specify ``AllowedInstanceTypes`` , you can't specify ``ExcludedInstanceTypes`` . Default: All instance types
             :param bare_metal: Indicates whether bare metal instance types must be included, excluded, or required. - To include bare metal instance types, specify ``included`` . - To require only bare metal instance types, specify ``required`` . - To exclude bare metal instance types, specify ``excluded`` . Default: ``excluded``
             :param baseline_ebs_bandwidth_mbps: The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see `Amazon EBS–optimized instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
+            :param baseline_performance_factors: The baseline performance to consider, using an instance family as a baseline reference. The instance family establishes the lowest acceptable level of performance. Amazon EC2 uses this baseline to guide instance type selection, but there is no guarantee that the selected instance types will always exceed the baseline for every application. Currently, this parameter only supports CPU performance as a baseline performance factor. For more information, see `Performance protection <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html#ec2fleet-abis-performance-protection>`_ in the *Amazon EC2 User Guide* .
             :param burstable_performance: Indicates whether burstable performance T instance types are included, excluded, or required. For more information, see `Burstable performance instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html>`_ . - To include burstable performance instance types, specify ``included`` . - To require only burstable performance instance types, specify ``required`` . - To exclude burstable performance instance types, specify ``excluded`` . Default: ``excluded``
-            :param cpu_manufacturers: The CPU manufacturers to include. - For instance types with Intel CPUs, specify ``intel`` . - For instance types with AMD CPUs, specify ``amd`` . - For instance types with AWS CPUs, specify ``amazon-web-services`` . .. epigraph:: Don't confuse the CPU manufacturer with the CPU architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. Default: Any manufacturer
+            :param cpu_manufacturers: The CPU manufacturers to include. - For instance types with Intel CPUs, specify ``intel`` . - For instance types with AMD CPUs, specify ``amd`` . - For instance types with AWS CPUs, specify ``amazon-web-services`` . - For instance types with Apple CPUs, specify ``apple`` . .. epigraph:: Don't confuse the CPU manufacturer with the CPU architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. Default: Any manufacturer
             :param excluded_instance_types: The instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk ( ``*`` ), to exclude an instance type, size, or generation. The following are examples: ``m5.8xlarge`` , ``c5*.*`` , ``m5a.*`` , ``r*`` , ``*3*`` . For example, if you specify ``c5*`` ,Amazon EC2 will exclude the entire C5 instance family, which includes all C5a and C5n instance types. If you specify ``m5a.*`` , Amazon EC2 will exclude all the M5a instance types, but not the M5n instance types. .. epigraph:: If you specify ``ExcludedInstanceTypes`` , you can't specify ``AllowedInstanceTypes`` . Default: No excluded instance types
             :param instance_generations: Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Current generation instance types are typically the latest two to three generations in each instance family. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* . For current generation instance types, specify ``current`` . For previous generation instance types, specify ``previous`` . Default: Current and previous generation instance types
             :param local_storage: Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, `Amazon EC2 instance store <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html>`_ in the *Amazon EC2 User Guide* . - To include instance types with instance store volumes, specify ``included`` . - To require only instance types with instance store volumes, specify ``required`` . - To exclude instance types with instance store volumes, specify ``excluded`` . Default: ``included``
@@ -25846,6 +26037,13 @@ class CfnLaunchTemplate(
                         max=123,
                         min=123
                     ),
+                    baseline_performance_factors=ec2.CfnLaunchTemplate.BaselinePerformanceFactorsProperty(
+                        cpu=ec2.CfnLaunchTemplate.CpuProperty(
+                            references=[ec2.CfnLaunchTemplate.ReferenceProperty(
+                                instance_family="instanceFamily"
+                            )]
+                        )
+                    ),
                     burstable_performance="burstablePerformance",
                     cpu_manufacturers=["cpuManufacturers"],
                     excluded_instance_types=["excludedInstanceTypes"],
@@ -25892,6 +26090,7 @@ class CfnLaunchTemplate(
                 check_type(argname="argument allowed_instance_types", value=allowed_instance_types, expected_type=type_hints["allowed_instance_types"])
                 check_type(argname="argument bare_metal", value=bare_metal, expected_type=type_hints["bare_metal"])
                 check_type(argname="argument baseline_ebs_bandwidth_mbps", value=baseline_ebs_bandwidth_mbps, expected_type=type_hints["baseline_ebs_bandwidth_mbps"])
+                check_type(argname="argument baseline_performance_factors", value=baseline_performance_factors, expected_type=type_hints["baseline_performance_factors"])
                 check_type(argname="argument burstable_performance", value=burstable_performance, expected_type=type_hints["burstable_performance"])
                 check_type(argname="argument cpu_manufacturers", value=cpu_manufacturers, expected_type=type_hints["cpu_manufacturers"])
                 check_type(argname="argument excluded_instance_types", value=excluded_instance_types, expected_type=type_hints["excluded_instance_types"])
@@ -25925,6 +26124,8 @@ class CfnLaunchTemplate(
                 self._values["bare_metal"] = bare_metal
             if baseline_ebs_bandwidth_mbps is not None:
                 self._values["baseline_ebs_bandwidth_mbps"] = baseline_ebs_bandwidth_mbps
+            if baseline_performance_factors is not None:
+                self._values["baseline_performance_factors"] = baseline_performance_factors
             if burstable_performance is not None:
                 self._values["burstable_performance"] = burstable_performance
             if cpu_manufacturers is not None:
@@ -26093,6 +26294,19 @@ class CfnLaunchTemplate(
             result = self._values.get("baseline_ebs_bandwidth_mbps")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.BaselineEbsBandwidthMbpsProperty"]], result)
 
+        @builtins.property
+        def baseline_performance_factors(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.BaselinePerformanceFactorsProperty"]]:
+            '''The baseline performance to consider, using an instance family as a baseline reference.
+
+            The instance family establishes the lowest acceptable level of performance. Amazon EC2 uses this baseline to guide instance type selection, but there is no guarantee that the selected instance types will always exceed the baseline for every application. Currently, this parameter only supports CPU performance as a baseline performance factor. For more information, see `Performance protection <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html#ec2fleet-abis-performance-protection>`_ in the *Amazon EC2 User Guide* .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-instancerequirements.html#cfn-ec2-launchtemplate-instancerequirements-baselineperformancefactors
+            '''
+            result = self._values.get("baseline_performance_factors")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.BaselinePerformanceFactorsProperty"]], result)
+
         @builtins.property
         def burstable_performance(self) -> typing.Optional[builtins.str]:
             '''Indicates whether burstable performance T instance types are included, excluded, or required.
@@ -26117,6 +26331,7 @@ class CfnLaunchTemplate(
             - For instance types with Intel CPUs, specify ``intel`` .
             - For instance types with AMD CPUs, specify ``amd`` .
             - For instance types with AWS CPUs, specify ``amazon-web-services`` .
+            - For instance types with Apple CPUs, specify ``apple`` .
 
             .. epigraph::
 
@@ -26739,6 +26954,13 @@ class CfnLaunchTemplate(
                             max=123,
                             min=123
                         ),
+                        baseline_performance_factors=ec2.CfnLaunchTemplate.BaselinePerformanceFactorsProperty(
+                            cpu=ec2.CfnLaunchTemplate.CpuProperty(
+                                references=[ec2.CfnLaunchTemplate.ReferenceProperty(
+                                    instance_family="instanceFamily"
+                                )]
+                            )
+                        ),
                         burstable_performance="burstablePerformance",
                         cpu_manufacturers=["cpuManufacturers"],
                         excluded_instance_types=["excludedInstanceTypes"],
@@ -28994,6 +29216,62 @@ class CfnLaunchTemplate(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.ReferenceProperty",
+        jsii_struct_bases=[],
+        name_mapping={"instance_family": "instanceFamily"},
+    )
+    class ReferenceProperty:
+        def __init__(
+            self,
+            *,
+            instance_family: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''
+            :param instance_family: The instance family to refer. Ensure that you specify the correct family name. For example, C6i and C6g are valid values, but C6 is not.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-reference.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                reference_property = ec2.CfnLaunchTemplate.ReferenceProperty(
+                    instance_family="instanceFamily"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__33d11f174a8d44a60a690675edd2b1264f7b20538793de8a376d9b1c836c5984)
+                check_type(argname="argument instance_family", value=instance_family, expected_type=type_hints["instance_family"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if instance_family is not None:
+                self._values["instance_family"] = instance_family
+
+        @builtins.property
+        def instance_family(self) -> typing.Optional[builtins.str]:
+            '''The instance family to refer.
+
+            Ensure that you specify the correct family name. For example, C6i and C6g are valid values, but C6 is not.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-reference.html#cfn-ec2-launchtemplate-reference-instancefamily
+            '''
+            result = self._values.get("instance_family")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "ReferenceProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.SpotOptionsProperty",
         jsii_struct_bases=[],
@@ -44864,7 +45142,7 @@ class CfnSpotFleet(
             :param bare_metal: Indicates whether bare metal instance types must be included, excluded, or required. - To include bare metal instance types, specify ``included`` . - To require only bare metal instance types, specify ``required`` . - To exclude bare metal instance types, specify ``excluded`` . Default: ``excluded``
             :param baseline_ebs_bandwidth_mbps: The minimum and maximum baseline bandwidth to Amazon EBS, in Mbps. For more information, see `Amazon EBS–optimized instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html>`_ in the *Amazon EC2 User Guide* . Default: No minimum or maximum limits
             :param burstable_performance: Indicates whether burstable performance T instance types are included, excluded, or required. For more information, see `Burstable performance instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html>`_ . - To include burstable performance instance types, specify ``included`` . - To require only burstable performance instance types, specify ``required`` . - To exclude burstable performance instance types, specify ``excluded`` . Default: ``excluded``
-            :param cpu_manufacturers: The CPU manufacturers to include. - For instance types with Intel CPUs, specify ``intel`` . - For instance types with AMD CPUs, specify ``amd`` . - For instance types with AWS CPUs, specify ``amazon-web-services`` . .. epigraph:: Don't confuse the CPU manufacturer with the CPU architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. Default: Any manufacturer
+            :param cpu_manufacturers: The CPU manufacturers to include. - For instance types with Intel CPUs, specify ``intel`` . - For instance types with AMD CPUs, specify ``amd`` . - For instance types with AWS CPUs, specify ``amazon-web-services`` . - For instance types with Apple CPUs, specify ``apple`` . .. epigraph:: Don't confuse the CPU manufacturer with the CPU architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. Default: Any manufacturer
             :param excluded_instance_types: The instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk ( ``*`` ), to exclude an instance family, type, size, or generation. The following are examples: ``m5.8xlarge`` , ``c5*.*`` , ``m5a.*`` , ``r*`` , ``*3*`` . For example, if you specify ``c5*`` ,Amazon EC2 will exclude the entire C5 instance family, which includes all C5a and C5n instance types. If you specify ``m5a.*`` , Amazon EC2 will exclude all the M5a instance types, but not the M5n instance types. .. epigraph:: If you specify ``ExcludedInstanceTypes`` , you can't specify ``AllowedInstanceTypes`` . Default: No excluded instance types
             :param instance_generations: Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Current generation instance types are typically the latest two to three generations in each instance family. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* . For current generation instance types, specify ``current`` . For previous generation instance types, specify ``previous`` . Default: Current and previous generation instance types
             :param local_storage: Indicates whether instance types with instance store volumes are included, excluded, or required. For more information, `Amazon EC2 instance store <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html>`_ in the *Amazon EC2 User Guide* . - To include instance types with instance store volumes, specify ``included`` . - To require only instance types with instance store volumes, specify ``required`` . - To exclude instance types with instance store volumes, specify ``excluded`` . Default: ``included``
@@ -45178,6 +45456,7 @@ class CfnSpotFleet(
             - For instance types with Intel CPUs, specify ``intel`` .
             - For instance types with AMD CPUs, specify ``amd`` .
             - For instance types with AWS CPUs, specify ``amazon-web-services`` .
+            - For instance types with Apple CPUs, specify ``apple`` .
 
             .. epigraph::
 
@@ -56264,6 +56543,455 @@ class CfnVPC(
         jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
 
 
+@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+class CfnVPCBlockPublicAccessExclusion(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ec2.CfnVPCBlockPublicAccessExclusion",
+):
+    '''Create a VPC Block Public Access (BPA) exclusion.
+
+    A VPC BPA exclusion is a mode that can be applied to a single VPC or subnet that exempts it from the account’s BPA mode and will allow bidirectional or egress-only access. You can create BPA exclusions for VPCs and subnets even when BPA is not enabled on the account to ensure that there is no traffic disruption to the exclusions when VPC BPA is turned on. To learn more about VPC BPA, see `Block public access to VPCs and subnets <https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html>`_ in the *Amazon VPC User Guide* .
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessexclusion.html
+    :cloudformationResource: AWS::EC2::VPCBlockPublicAccessExclusion
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_ec2 as ec2
+        
+        cfn_vPCBlock_public_access_exclusion = ec2.CfnVPCBlockPublicAccessExclusion(self, "MyCfnVPCBlockPublicAccessExclusion",
+            internet_gateway_exclusion_mode="internetGatewayExclusionMode",
+        
+            # the properties below are optional
+            subnet_id="subnetId",
+            tags=[CfnTag(
+                key="key",
+                value="value"
+            )],
+            vpc_id="vpcId"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        internet_gateway_exclusion_mode: builtins.str,
+        subnet_id: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        vpc_id: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param internet_gateway_exclusion_mode: The desired VPC Block Public Access mode for a specific VPC or subnet exclusion. - ``allow-bidirectional`` : Allow all internet traffic to and from the excluded VPCs and subnets. - ``allow-egress`` : Allow outbound internet traffic from the excluded VPCs and subnets. Block inbound internet traffic to the excluded VPCs and subnets. Only applies when VPC Block Public Access is set to ``block-bidirectional`` .
+        :param subnet_id: The ID of the subnet you want to exclude. Required only if you don't specify VpcId.
+        :param tags: An array of key-value pairs to apply to this resource.
+        :param vpc_id: The ID of the VPC you want to exclude. Required only if you don't specify SubnetId.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__25326e9b68ca765acd9653308fa5b739c5caacf8774e9af4f184caeb59c1f9bd)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnVPCBlockPublicAccessExclusionProps(
+            internet_gateway_exclusion_mode=internet_gateway_exclusion_mode,
+            subnet_id=subnet_id,
+            tags=tags,
+            vpc_id=vpc_id,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__fff41514dea5c99d2838630dc273006f56cd390a04c0560987153d17d393a471)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0a9c62992443912b497679935e884da9ceaf569a34e270127ba4c4bbcd9178de)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrExclusionId")
+    def attr_exclusion_id(self) -> builtins.str:
+        '''The ID of the exclusion.
+
+        :cloudformationAttribute: ExclusionId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrExclusionId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="internetGatewayExclusionMode")
+    def internet_gateway_exclusion_mode(self) -> builtins.str:
+        '''The desired VPC Block Public Access mode for a specific VPC or subnet exclusion.'''
+        return typing.cast(builtins.str, jsii.get(self, "internetGatewayExclusionMode"))
+
+    @internet_gateway_exclusion_mode.setter
+    def internet_gateway_exclusion_mode(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7a7de616ba221ee0cc286b4d6be980082aff80195ef12a4cc1470e8f39f50d90)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "internetGatewayExclusionMode", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="subnetId")
+    def subnet_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of the subnet you want to exclude.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "subnetId"))
+
+    @subnet_id.setter
+    def subnet_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ee41b552e6a5c9ed1c595a0ca9e2a44e6b4767d4d5f9f93bcc6089a2b8a9078d)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "subnetId", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''An array of key-value pairs to apply to this resource.'''
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tags"))
+
+    @tags.setter
+    def tags(self, value: typing.Optional[typing.List[_CfnTag_f6864754]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1e07d614ce4f71c54dd33e378d7a6513c022cab55e36d27577fcd12c2d88dace)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
+
+    @builtins.property
+    @jsii.member(jsii_name="vpcId")
+    def vpc_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of the VPC you want to exclude.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "vpcId"))
+
+    @vpc_id.setter
+    def vpc_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0d9ce2b681d384d7bfea8d60491ec27ef69d99c5c9c7ef34d19d78cb31d952de)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "vpcId", value) # pyright: ignore[reportArgumentType]
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.CfnVPCBlockPublicAccessExclusionProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "internet_gateway_exclusion_mode": "internetGatewayExclusionMode",
+        "subnet_id": "subnetId",
+        "tags": "tags",
+        "vpc_id": "vpcId",
+    },
+)
+class CfnVPCBlockPublicAccessExclusionProps:
+    def __init__(
+        self,
+        *,
+        internet_gateway_exclusion_mode: builtins.str,
+        subnet_id: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        vpc_id: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Properties for defining a ``CfnVPCBlockPublicAccessExclusion``.
+
+        :param internet_gateway_exclusion_mode: The desired VPC Block Public Access mode for a specific VPC or subnet exclusion. - ``allow-bidirectional`` : Allow all internet traffic to and from the excluded VPCs and subnets. - ``allow-egress`` : Allow outbound internet traffic from the excluded VPCs and subnets. Block inbound internet traffic to the excluded VPCs and subnets. Only applies when VPC Block Public Access is set to ``block-bidirectional`` .
+        :param subnet_id: The ID of the subnet you want to exclude. Required only if you don't specify VpcId.
+        :param tags: An array of key-value pairs to apply to this resource.
+        :param vpc_id: The ID of the VPC you want to exclude. Required only if you don't specify SubnetId.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessexclusion.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_ec2 as ec2
+            
+            cfn_vPCBlock_public_access_exclusion_props = ec2.CfnVPCBlockPublicAccessExclusionProps(
+                internet_gateway_exclusion_mode="internetGatewayExclusionMode",
+            
+                # the properties below are optional
+                subnet_id="subnetId",
+                tags=[CfnTag(
+                    key="key",
+                    value="value"
+                )],
+                vpc_id="vpcId"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7176b6dba6a7fdb73a24ee0d3bfe1ed69b7628c88f0232d07fb6339a4e6208ca)
+            check_type(argname="argument internet_gateway_exclusion_mode", value=internet_gateway_exclusion_mode, expected_type=type_hints["internet_gateway_exclusion_mode"])
+            check_type(argname="argument subnet_id", value=subnet_id, expected_type=type_hints["subnet_id"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+            check_type(argname="argument vpc_id", value=vpc_id, expected_type=type_hints["vpc_id"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "internet_gateway_exclusion_mode": internet_gateway_exclusion_mode,
+        }
+        if subnet_id is not None:
+            self._values["subnet_id"] = subnet_id
+        if tags is not None:
+            self._values["tags"] = tags
+        if vpc_id is not None:
+            self._values["vpc_id"] = vpc_id
+
+    @builtins.property
+    def internet_gateway_exclusion_mode(self) -> builtins.str:
+        '''The desired VPC Block Public Access mode for a specific VPC or subnet exclusion.
+
+        - ``allow-bidirectional`` : Allow all internet traffic to and from the excluded VPCs and subnets.
+        - ``allow-egress`` : Allow outbound internet traffic from the excluded VPCs and subnets. Block inbound internet traffic to the excluded VPCs and subnets. Only applies when VPC Block Public Access is set to ``block-bidirectional`` .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessexclusion.html#cfn-ec2-vpcblockpublicaccessexclusion-internetgatewayexclusionmode
+        '''
+        result = self._values.get("internet_gateway_exclusion_mode")
+        assert result is not None, "Required property 'internet_gateway_exclusion_mode' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def subnet_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of the subnet you want to exclude.
+
+        Required only if you don't specify VpcId.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessexclusion.html#cfn-ec2-vpcblockpublicaccessexclusion-subnetid
+        '''
+        result = self._values.get("subnet_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''An array of key-value pairs to apply to this resource.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessexclusion.html#cfn-ec2-vpcblockpublicaccessexclusion-tags
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
+
+    @builtins.property
+    def vpc_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of the VPC you want to exclude.
+
+        Required only if you don't specify SubnetId.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessexclusion.html#cfn-ec2-vpcblockpublicaccessexclusion-vpcid
+        '''
+        result = self._values.get("vpc_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnVPCBlockPublicAccessExclusionProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556)
+class CfnVPCBlockPublicAccessOptions(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ec2.CfnVPCBlockPublicAccessOptions",
+):
+    '''VPC Block Public Access (BPA) enables you to block resources in VPCs and subnets that you own in a Region from reaching or being reached from the internet through internet gateways and egress-only internet gateways.
+
+    To learn more about VPC BPA, see `Block public access to VPCs and subnets <https://docs.aws.amazon.com/vpc/latest/userguide/security-vpc-bpa.html>`_ in the *Amazon VPC User Guide* .
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessoptions.html
+    :cloudformationResource: AWS::EC2::VPCBlockPublicAccessOptions
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_ec2 as ec2
+        
+        cfn_vPCBlock_public_access_options = ec2.CfnVPCBlockPublicAccessOptions(self, "MyCfnVPCBlockPublicAccessOptions",
+            internet_gateway_block_mode="internetGatewayBlockMode"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        internet_gateway_block_mode: builtins.str,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param internet_gateway_block_mode: The desired VPC Block Public Access mode for internet gateways in your account. We do not allow you to create this resource type in an "off" mode since off is the default value. - ``block-bidirectional`` : Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets). - ``block-ingress`` : Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__24d31c53909b617dc4fc1905f3c6a7fb631c56e6a160f59064795a8c003a6ea4)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnVPCBlockPublicAccessOptionsProps(
+            internet_gateway_block_mode=internet_gateway_block_mode
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b41534ffeac2685e907615af2fe97bc820a22bad4e77064e661466f1d1387568)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a56a6f6280e3009a525eeedcead9009e2524e22d3375cc0e5d312a313f168131)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrAccountId")
+    def attr_account_id(self) -> builtins.str:
+        '''The ID of the AWS account.
+
+        :cloudformationAttribute: AccountId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrAccountId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="internetGatewayBlockMode")
+    def internet_gateway_block_mode(self) -> builtins.str:
+        '''The desired VPC Block Public Access mode for internet gateways in your account.'''
+        return typing.cast(builtins.str, jsii.get(self, "internetGatewayBlockMode"))
+
+    @internet_gateway_block_mode.setter
+    def internet_gateway_block_mode(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__19f57f6719b674f2d0d3c2e221d43093e4d8ae38daa501a2066a6d3afaa98e11)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "internetGatewayBlockMode", value) # pyright: ignore[reportArgumentType]
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.CfnVPCBlockPublicAccessOptionsProps",
+    jsii_struct_bases=[],
+    name_mapping={"internet_gateway_block_mode": "internetGatewayBlockMode"},
+)
+class CfnVPCBlockPublicAccessOptionsProps:
+    def __init__(self, *, internet_gateway_block_mode: builtins.str) -> None:
+        '''Properties for defining a ``CfnVPCBlockPublicAccessOptions``.
+
+        :param internet_gateway_block_mode: The desired VPC Block Public Access mode for internet gateways in your account. We do not allow you to create this resource type in an "off" mode since off is the default value. - ``block-bidirectional`` : Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets). - ``block-ingress`` : Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessoptions.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_ec2 as ec2
+            
+            cfn_vPCBlock_public_access_options_props = ec2.CfnVPCBlockPublicAccessOptionsProps(
+                internet_gateway_block_mode="internetGatewayBlockMode"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__58b7bf3beb5810a9ddfb83687c509df267cea795013b7b418f07408b0357d7a7)
+            check_type(argname="argument internet_gateway_block_mode", value=internet_gateway_block_mode, expected_type=type_hints["internet_gateway_block_mode"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "internet_gateway_block_mode": internet_gateway_block_mode,
+        }
+
+    @builtins.property
+    def internet_gateway_block_mode(self) -> builtins.str:
+        '''The desired VPC Block Public Access mode for internet gateways in your account.
+
+        We do not allow you to create this resource type in an "off" mode since off is the default value.
+
+        - ``block-bidirectional`` : Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
+        - ``block-ingress`` : Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcblockpublicaccessoptions.html#cfn-ec2-vpcblockpublicaccessoptions-internetgatewayblockmode
+        '''
+        result = self._values.get("internet_gateway_block_mode")
+        assert result is not None, "Required property 'internet_gateway_block_mode' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnVPCBlockPublicAccessOptionsProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(_IInspectable_c2943556)
 class CfnVPCCidrBlock(
     _CfnResource_9df397a6,
@@ -74101,6 +74829,7 @@ class Instance(
         init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         instance_initiated_shutdown_behavior: typing.Optional["InstanceInitiatedShutdownBehavior"] = None,
         instance_name: typing.Optional[builtins.str] = None,
+        instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
         ipv6_address_count: typing.Optional[jsii.Number] = None,
         key_name: typing.Optional[builtins.str] = None,
         key_pair: typing.Optional[IKeyPair] = None,
@@ -74138,6 +74867,7 @@ class Instance(
         :param init_options: Use the given options for applying CloudFormation Init. Describes the configsets to use and the timeout to wait Default: - default options
         :param instance_initiated_shutdown_behavior: Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown). Default: InstanceInitiatedShutdownBehavior.STOP
         :param instance_name: The name of the instance. Default: - CDK generated name
+        :param instance_profile: The instance profile used to pass role information to EC2 instances. Note: You can provide an instanceProfile or a role, but not both. Default: - No instance profile
         :param ipv6_address_count: The number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet. You cannot specify this property and ``associatePublicIpAddress`` at the same time. Default: - For instances associated with an IPv6 subnet, use 1; otherwise, use 0.
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
@@ -74146,7 +74876,7 @@ class Instance(
         :param propagate_tags_to_volume_on_creation: Propagate the EC2 instance tags to the EBS volumes. Default: - false
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
         :param resource_signal_timeout: The length of time to wait for the resourceSignalCount. The maximum value is 43200 (12 hours). Default: Duration.minutes(5)
-        :param role: An IAM role to associate with the instance profile assigned to this Auto Scaling Group. The role must be assumable by the service principal ``ec2.amazonaws.com``: Default: - A role will automatically be created, it can be accessed via the ``role`` property
+        :param role: An IAM role to associate with the instance profile assigned to this Auto Scaling Group. The role must be assumable by the service principal ``ec2.amazonaws.com``: Note: You can provide an instanceProfile or a role, but not both. Default: - A role will automatically be created, it can be accessed via the ``role`` property
         :param security_group: Security Group to assign to this instance. Default: - create new security group
         :param source_dest_check: Specifies whether to enable an instance launched in a VPC to perform NAT. This controls whether source/destination checking is enabled on the instance. A value of true means that checking is enabled, and false means that checking is disabled. The value must be false for the instance to perform NAT. Default: true
         :param ssm_session_permissions: Add SSM session permissions to the instance role. Setting this to ``true`` adds the necessary permissions to connect to the instance using SSM Session Manager. You can do this from the AWS Console. NOTE: Setting this flag to ``true`` may not be enough by itself. You must also use an AMI that comes with the SSM Agent, or install the SSM Agent yourself. See `Working with SSM Agent <https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html>`_ in the SSM Developer Guide. Default: false
@@ -74177,6 +74907,7 @@ class Instance(
             init_options=init_options,
             instance_initiated_shutdown_behavior=instance_initiated_shutdown_behavior,
             instance_name=instance_name,
+            instance_profile=instance_profile,
             ipv6_address_count=ipv6_address_count,
             key_name=key_name,
             key_pair=key_pair,
@@ -74989,6 +75720,7 @@ class InstanceInitiatedShutdownBehavior(enum.Enum):
         "init_options": "initOptions",
         "instance_initiated_shutdown_behavior": "instanceInitiatedShutdownBehavior",
         "instance_name": "instanceName",
+        "instance_profile": "instanceProfile",
         "ipv6_address_count": "ipv6AddressCount",
         "key_name": "keyName",
         "key_pair": "keyPair",
@@ -75028,6 +75760,7 @@ class InstanceProps:
         init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         instance_initiated_shutdown_behavior: typing.Optional[InstanceInitiatedShutdownBehavior] = None,
         instance_name: typing.Optional[builtins.str] = None,
+        instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
         ipv6_address_count: typing.Optional[jsii.Number] = None,
         key_name: typing.Optional[builtins.str] = None,
         key_pair: typing.Optional[IKeyPair] = None,
@@ -75064,6 +75797,7 @@ class InstanceProps:
         :param init_options: Use the given options for applying CloudFormation Init. Describes the configsets to use and the timeout to wait Default: - default options
         :param instance_initiated_shutdown_behavior: Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown). Default: InstanceInitiatedShutdownBehavior.STOP
         :param instance_name: The name of the instance. Default: - CDK generated name
+        :param instance_profile: The instance profile used to pass role information to EC2 instances. Note: You can provide an instanceProfile or a role, but not both. Default: - No instance profile
         :param ipv6_address_count: The number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet. You cannot specify this property and ``associatePublicIpAddress`` at the same time. Default: - For instances associated with an IPv6 subnet, use 1; otherwise, use 0.
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
@@ -75072,7 +75806,7 @@ class InstanceProps:
         :param propagate_tags_to_volume_on_creation: Propagate the EC2 instance tags to the EBS volumes. Default: - false
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
         :param resource_signal_timeout: The length of time to wait for the resourceSignalCount. The maximum value is 43200 (12 hours). Default: Duration.minutes(5)
-        :param role: An IAM role to associate with the instance profile assigned to this Auto Scaling Group. The role must be assumable by the service principal ``ec2.amazonaws.com``: Default: - A role will automatically be created, it can be accessed via the ``role`` property
+        :param role: An IAM role to associate with the instance profile assigned to this Auto Scaling Group. The role must be assumable by the service principal ``ec2.amazonaws.com``: Note: You can provide an instanceProfile or a role, but not both. Default: - A role will automatically be created, it can be accessed via the ``role`` property
         :param security_group: Security Group to assign to this instance. Default: - create new security group
         :param source_dest_check: Specifies whether to enable an instance launched in a VPC to perform NAT. This controls whether source/destination checking is enabled on the instance. A value of true means that checking is enabled, and false means that checking is disabled. The value must be false for the instance to perform NAT. Default: true
         :param ssm_session_permissions: Add SSM session permissions to the instance role. Setting this to ``true`` adds the necessary permissions to connect to the instance using SSM Session Manager. You can do this from the AWS Console. NOTE: Setting this flag to ``true`` may not be enough by itself. You must also use an AMI that comes with the SSM Agent, or install the SSM Agent yourself. See `Working with SSM Agent <https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html>`_ in the SSM Developer Guide. Default: false
@@ -75123,6 +75857,7 @@ class InstanceProps:
             check_type(argname="argument init_options", value=init_options, expected_type=type_hints["init_options"])
             check_type(argname="argument instance_initiated_shutdown_behavior", value=instance_initiated_shutdown_behavior, expected_type=type_hints["instance_initiated_shutdown_behavior"])
             check_type(argname="argument instance_name", value=instance_name, expected_type=type_hints["instance_name"])
+            check_type(argname="argument instance_profile", value=instance_profile, expected_type=type_hints["instance_profile"])
             check_type(argname="argument ipv6_address_count", value=ipv6_address_count, expected_type=type_hints["ipv6_address_count"])
             check_type(argname="argument key_name", value=key_name, expected_type=type_hints["key_name"])
             check_type(argname="argument key_pair", value=key_pair, expected_type=type_hints["key_pair"])
@@ -75173,6 +75908,8 @@ class InstanceProps:
             self._values["instance_initiated_shutdown_behavior"] = instance_initiated_shutdown_behavior
         if instance_name is not None:
             self._values["instance_name"] = instance_name
+        if instance_profile is not None:
+            self._values["instance_profile"] = instance_profile
         if ipv6_address_count is not None:
             self._values["ipv6_address_count"] = ipv6_address_count
         if key_name is not None:
@@ -75405,6 +76142,17 @@ class InstanceProps:
         result = self._values.get("instance_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def instance_profile(self) -> typing.Optional[_IInstanceProfile_10d5ce2c]:
+        '''The instance profile used to pass role information to EC2 instances.
+
+        Note: You can provide an instanceProfile or a role, but not both.
+
+        :default: - No instance profile
+        '''
+        result = self._values.get("instance_profile")
+        return typing.cast(typing.Optional[_IInstanceProfile_10d5ce2c], result)
+
     @builtins.property
     def ipv6_address_count(self) -> typing.Optional[jsii.Number]:
         '''The number of IPv6 addresses to associate with the primary network interface.
@@ -75494,6 +76242,7 @@ class InstanceProps:
         '''An IAM role to associate with the instance profile assigned to this Auto Scaling Group.
 
         The role must be assumable by the service principal ``ec2.amazonaws.com``:
+        Note: You can provide an instanceProfile or a role, but not both.
 
         :default: - A role will automatically be created, it can be accessed via the ``role`` property
 
@@ -76160,6 +76909,16 @@ class InterfaceVpcEndpointAwsService(
     def APPLICATION_AUTOSCALING(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APPLICATION_AUTOSCALING"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APPLICATION_DISCOVERY_ARSENAL")
+    def APPLICATION_DISCOVERY_ARSENAL(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APPLICATION_DISCOVERY_ARSENAL"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="APPLICATION_DISCOVERY_SERVICE")
+    def APPLICATION_DISCOVERY_SERVICE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "APPLICATION_DISCOVERY_SERVICE"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="APPLICATION_MIGRATION_SERVICE")
     def APPLICATION_MIGRATION_SERVICE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -76390,6 +77149,11 @@ class InterfaceVpcEndpointAwsService(
     def CLOUDWATCH_SYNTHETICS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUDWATCH_SYNTHETICS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CLOUDWATCH_SYNTHETICS_FIPS")
+    def CLOUDWATCH_SYNTHETICS_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "CLOUDWATCH_SYNTHETICS_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="CODE_CONNECTIONS")
     def CODE_CONNECTIONS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -76815,6 +77579,11 @@ class InterfaceVpcEndpointAwsService(
     def GLUE(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GLUE"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="GLUE_DASHBOARD")
+    def GLUE_DASHBOARD(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "GLUE_DASHBOARD"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="GLUE_DATABREW")
     def GLUE_DATABREW(cls) -> "InterfaceVpcEndpointAwsService":
@@ -76905,6 +77674,11 @@ class InterfaceVpcEndpointAwsService(
     def INSPECTOR_SCAN(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "INSPECTOR_SCAN"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="INVOICING")
+    def INVOICING(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "INVOICING"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="IOT_CORE")
     def IOT_CORE(cls) -> "InterfaceVpcEndpointAwsService":
@@ -77162,11 +77936,26 @@ class InterfaceVpcEndpointAwsService(
     def MIGRATIONHUB_STRATEGY(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MIGRATIONHUB_STRATEGY"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MQ")
+    def MQ(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "MQ"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="NEPTUNE_ANALYTICS")
     def NEPTUNE_ANALYTICS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "NEPTUNE_ANALYTICS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="NEPTUNE_ANALYTICS_DATA")
+    def NEPTUNE_ANALYTICS_DATA(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "NEPTUNE_ANALYTICS_DATA"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="NEPTUNE_ANALYTICS_FIPS")
+    def NEPTUNE_ANALYTICS_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "NEPTUNE_ANALYTICS_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="NETWORK_FIREWALL")
     def NETWORK_FIREWALL(cls) -> "InterfaceVpcEndpointAwsService":
@@ -77307,6 +78096,11 @@ class InterfaceVpcEndpointAwsService(
     def PRICE_LIST(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PRICE_LIST"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PRICING_CALCULATOR")
+    def PRICING_CALCULATOR(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "PRICING_CALCULATOR"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="PRIVATE_5G")
     def PRIVATE_5_G(cls) -> "InterfaceVpcEndpointAwsService":
@@ -77466,6 +78260,16 @@ class InterfaceVpcEndpointAwsService(
     def RESOURCE_ACCESS_MANAGER(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "RESOURCE_ACCESS_MANAGER"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="RESOURCE_GROUPS")
+    def RESOURCE_GROUPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "RESOURCE_GROUPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="RESOURCE_GROUPS_FIPS")
+    def RESOURCE_GROUPS_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "RESOURCE_GROUPS_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="ROBOMAKER")
     def ROBOMAKER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -77486,11 +78290,21 @@ class InterfaceVpcEndpointAwsService(
     def S3_OUTPOSTS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "S3_OUTPOSTS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="S3_TABLES")
+    def S3_TABLES(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "S3_TABLES"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SAGEMAKER_API")
     def SAGEMAKER_API(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_API"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SAGEMAKER_DATA_SCIENCE_ASSISTANT")
+    def SAGEMAKER_DATA_SCIENCE_ASSISTANT(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_DATA_SCIENCE_ASSISTANT"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SAGEMAKER_EXPERIMENTS")
     def SAGEMAKER_EXPERIMENTS(cls) -> "InterfaceVpcEndpointAwsService":
@@ -77516,6 +78330,11 @@ class InterfaceVpcEndpointAwsService(
     def SAGEMAKER_NOTEBOOK(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_NOTEBOOK"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SAGEMAKER_PARTNER_APP")
+    def SAGEMAKER_PARTNER_APP(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_PARTNER_APP"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SAGEMAKER_RUNTIME")
     def SAGEMAKER_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
@@ -77531,6 +78350,11 @@ class InterfaceVpcEndpointAwsService(
     def SAGEMAKER_STUDIO(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAGEMAKER_STUDIO"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SAVINGS_PLANS")
+    def SAVINGS_PLANS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SAVINGS_PLANS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SECRETS_MANAGER")
     def SECRETS_MANAGER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -77666,6 +78490,11 @@ class InterfaceVpcEndpointAwsService(
     def SWF_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SWF_FIPS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="TAGGING")
+    def TAGGING(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "TAGGING"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="TELCO_NETWORK_BUILDER")
     def TELCO_NETWORK_BUILDER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -91977,7 +92806,7 @@ class BastionHostLinux(
         :param init_options: Use the given options for applying CloudFormation Init. Describes the configsets to use and the timeout to wait Default: - default options
         :param instance_name: The name of the instance. Default: 'BastionHost'
         :param instance_type: Type of instance to launch. Default: 't3.nano'
-        :param machine_image: The machine image to use, assumed to have SSM Agent preinstalled. Default: - An Amazon Linux 2 image which is kept up-to-date automatically (the instance may be replaced on every deployment) and already has SSM Agent installed.
+        :param machine_image: The machine image to use, assumed to have SSM Agent preinstalled. Default: - An Amazon Linux 2023 image if the ``@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault`` feature flag is enabled. Otherwise, an Amazon Linux 2 image. In both cases, the image is kept up-to-date automatically (the instance may be replaced on every deployment) and already has SSM Agent installed.
         :param require_imdsv2: Whether IMDSv2 should be required on this instance. Default: - false
         :param security_group: Security Group to assign to this instance. Default: - create new security group with no inbound and all outbound traffic allowed
         :param subnet_selection: Select the subnets to run the bastion host in. Set this to PUBLIC if you need to connect to this instance via the internet and cannot use SSM. You have to allow port 22 manually by using the connections field Default: - private subnets of the supplied VPC
@@ -96774,6 +97603,10 @@ __all__ = [
     "CfnTransitGatewayVpcAttachment",
     "CfnTransitGatewayVpcAttachmentProps",
     "CfnVPC",
+    "CfnVPCBlockPublicAccessExclusion",
+    "CfnVPCBlockPublicAccessExclusionProps",
+    "CfnVPCBlockPublicAccessOptions",
+    "CfnVPCBlockPublicAccessOptionsProps",
     "CfnVPCCidrBlock",
     "CfnVPCCidrBlockProps",
     "CfnVPCDHCPOptionsAssociation",
@@ -100258,6 +101091,13 @@ def _typecheckingstub__f5438a142333f133eef7d17b761ec865c610e35c3898aaeced24d3a33
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__c33b74edb68116a6eddebf7e0fccb8dfd65574d6a35c09a95580596c77d10c84(
+    *,
+    cpu: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLaunchTemplate.CpuProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b11583349c048323414167490ce520ce6a2c88a94f22727256f4c8458131de17(
     *,
     device_name: typing.Optional[builtins.str] = None,
@@ -100302,6 +101142,13 @@ def _typecheckingstub__92b7bc91aa2d524d3b92853936f95f64b742fff5188a86cd52b461fbf
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__a1b8ac2b677fdc40ae8230f2aa1d24dbec065cba8c4948e35f4a0dfd69c2e0bc(
+    *,
+    references: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLaunchTemplate.ReferenceProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__650ea292c25895ae31516c706d23275a66f0cceb4abe283b392b67c0f180be7d(
     *,
     cpu_credits: typing.Optional[builtins.str] = None,
@@ -100385,6 +101232,7 @@ def _typecheckingstub__5fc9ef3203af5508d5ac30f48557352d8fd1abcefdc9c04e40826c7c6
     allowed_instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
     bare_metal: typing.Optional[builtins.str] = None,
     baseline_ebs_bandwidth_mbps: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLaunchTemplate.BaselineEbsBandwidthMbpsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    baseline_performance_factors: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLaunchTemplate.BaselinePerformanceFactorsProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     burstable_performance: typing.Optional[builtins.str] = None,
     cpu_manufacturers: typing.Optional[typing.Sequence[builtins.str]] = None,
     excluded_instance_types: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -100603,6 +101451,13 @@ def _typecheckingstub__b6c5b5b228b065f6a57591206bbe516bb3639cfe4572dbb7cedd38475
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__33d11f174a8d44a60a690675edd2b1264f7b20538793de8a376d9b1c836c5984(
+    *,
+    instance_family: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__6a634ae7e5758becae7a53d5843892730c9c079318bfa3bfc2e89825c3df5db7(
     *,
     block_duration_minutes: typing.Optional[jsii.Number] = None,
@@ -104621,6 +105476,98 @@ def _typecheckingstub__48b11f5a9856584abde78ea8179ea1e15a79daa88103bf860d8cfd485
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__25326e9b68ca765acd9653308fa5b739c5caacf8774e9af4f184caeb59c1f9bd(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    internet_gateway_exclusion_mode: builtins.str,
+    subnet_id: typing.Optional[builtins.str] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    vpc_id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__fff41514dea5c99d2838630dc273006f56cd390a04c0560987153d17d393a471(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0a9c62992443912b497679935e884da9ceaf569a34e270127ba4c4bbcd9178de(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7a7de616ba221ee0cc286b4d6be980082aff80195ef12a4cc1470e8f39f50d90(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__ee41b552e6a5c9ed1c595a0ca9e2a44e6b4767d4d5f9f93bcc6089a2b8a9078d(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1e07d614ce4f71c54dd33e378d7a6513c022cab55e36d27577fcd12c2d88dace(
+    value: typing.Optional[typing.List[_CfnTag_f6864754]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0d9ce2b681d384d7bfea8d60491ec27ef69d99c5c9c7ef34d19d78cb31d952de(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7176b6dba6a7fdb73a24ee0d3bfe1ed69b7628c88f0232d07fb6339a4e6208ca(
+    *,
+    internet_gateway_exclusion_mode: builtins.str,
+    subnet_id: typing.Optional[builtins.str] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    vpc_id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__24d31c53909b617dc4fc1905f3c6a7fb631c56e6a160f59064795a8c003a6ea4(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    internet_gateway_block_mode: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b41534ffeac2685e907615af2fe97bc820a22bad4e77064e661466f1d1387568(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a56a6f6280e3009a525eeedcead9009e2524e22d3375cc0e5d312a313f168131(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__19f57f6719b674f2d0d3c2e221d43093e4d8ae38daa501a2066a6d3afaa98e11(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__58b7bf3beb5810a9ddfb83687c509df267cea795013b7b418f07408b0357d7a7(
+    *,
+    internet_gateway_block_mode: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__183c6879cecf5e6ddd997bbb9856489efd89dd91a20b0a897e4a12a459346d37(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -107184,6 +108131,7 @@ def _typecheckingstub__5fdf31f5ae2497c7efcb56df558011698f38dc19cff28ca7a78a08a6d
     init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     instance_initiated_shutdown_behavior: typing.Optional[InstanceInitiatedShutdownBehavior] = None,
     instance_name: typing.Optional[builtins.str] = None,
+    instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
     ipv6_address_count: typing.Optional[jsii.Number] = None,
     key_name: typing.Optional[builtins.str] = None,
     key_pair: typing.Optional[IKeyPair] = None,
@@ -107255,6 +108203,7 @@ def _typecheckingstub__2d4dc63c6e6ee3ddc68d5dd204d8ac5ef1f1dec37a7b84d636225df1c
     init_options: typing.Optional[typing.Union[ApplyCloudFormationInitOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     instance_initiated_shutdown_behavior: typing.Optional[InstanceInitiatedShutdownBehavior] = None,
     instance_name: typing.Optional[builtins.str] = None,
+    instance_profile: typing.Optional[_IInstanceProfile_10d5ce2c] = None,
     ipv6_address_count: typing.Optional[jsii.Number] = None,
     key_name: typing.Optional[builtins.str] = None,
     key_pair: typing.Optional[IKeyPair] = None,