aws-cdk-lib 2.187.0__py3-none-any.whl → 2.188.0__py3-none-any.whl

aws_cdk/aws_rds/__init__.py

@@ -153,6 +153,20 @@ rds.DatabaseCluster(self, "DatabaseCluster",
 )
 ```
 
+To configure [the life cycle type of the cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/extended-support.html), use the `engineLifecycleSupport` property:
+
+```python
+# vpc: ec2.IVpc
+
+
+rds.DatabaseCluster(self, "DatabaseCluster",
+    engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_07_0),
+    writer=rds.ClusterInstance.serverless_v2("writerInstance"),
+    vpc=vpc,
+    engine_lifecycle_support=rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT
+)
+```
+
 ### Updating the database instances in a cluster
 
 Database cluster instances may be updated in bulk or on a rolling basis.
@@ -21128,6 +21142,7 @@ class DatabaseClusterEngine(
         "enable_data_api": "enableDataApi",
         "enable_local_write_forwarding": "enableLocalWriteForwarding",
         "enable_performance_insights": "enablePerformanceInsights",
+        "engine_lifecycle_support": "engineLifecycleSupport",
         "iam_authentication": "iamAuthentication",
         "instance_identifier_base": "instanceIdentifierBase",
         "instance_props": "instanceProps",
@@ -21187,6 +21202,7 @@ class DatabaseClusterFromSnapshotProps:
         enable_data_api: typing.Optional[builtins.bool] = None,
         enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
+        engine_lifecycle_support: typing.Optional["EngineLifecycleSupport"] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union["InstanceProps", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -21243,6 +21259,7 @@ class DatabaseClusterFromSnapshotProps:
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
         :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 or higher, and for Aurora PostgreSQL 16.4 or higher (for version 16), 15.8 or higher (for version 15), and 14.13 or higher (for version 14). Default: false
         :param enable_performance_insights: Whether to enable Performance Insights for the DB cluster. Default: - false, unless ``performanceInsightRetention`` or ``performanceInsightEncryptionKey`` is set, or ``databaseInsightsMode`` is set to ``DatabaseInsightsMode.ADVANCED``.
+        :param engine_lifecycle_support: The life cycle type for this DB cluster. Default: undefined - AWS RDS default setting is ``EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT``
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -21318,6 +21335,7 @@ class DatabaseClusterFromSnapshotProps:
             check_type(argname="argument enable_data_api", value=enable_data_api, expected_type=type_hints["enable_data_api"])
             check_type(argname="argument enable_local_write_forwarding", value=enable_local_write_forwarding, expected_type=type_hints["enable_local_write_forwarding"])
             check_type(argname="argument enable_performance_insights", value=enable_performance_insights, expected_type=type_hints["enable_performance_insights"])
+            check_type(argname="argument engine_lifecycle_support", value=engine_lifecycle_support, expected_type=type_hints["engine_lifecycle_support"])
             check_type(argname="argument iam_authentication", value=iam_authentication, expected_type=type_hints["iam_authentication"])
             check_type(argname="argument instance_identifier_base", value=instance_identifier_base, expected_type=type_hints["instance_identifier_base"])
             check_type(argname="argument instance_props", value=instance_props, expected_type=type_hints["instance_props"])
@@ -21393,6 +21411,8 @@ class DatabaseClusterFromSnapshotProps:
             self._values["enable_local_write_forwarding"] = enable_local_write_forwarding
         if enable_performance_insights is not None:
             self._values["enable_performance_insights"] = enable_performance_insights
+        if engine_lifecycle_support is not None:
+            self._values["engine_lifecycle_support"] = engine_lifecycle_support
         if iam_authentication is not None:
             self._values["iam_authentication"] = iam_authentication
         if instance_identifier_base is not None:
@@ -21711,6 +21731,17 @@ class DatabaseClusterFromSnapshotProps:
         result = self._values.get("enable_performance_insights")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def engine_lifecycle_support(self) -> typing.Optional["EngineLifecycleSupport"]:
+        '''The life cycle type for this DB cluster.
+
+        :default: undefined - AWS RDS default setting is ``EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT``
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/extended-support.html
+        '''
+        result = self._values.get("engine_lifecycle_support")
+        return typing.cast(typing.Optional["EngineLifecycleSupport"], result)
+
     @builtins.property
     def iam_authentication(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts.
@@ -22108,6 +22139,7 @@ class DatabaseClusterFromSnapshotProps:
         "enable_data_api": "enableDataApi",
         "enable_local_write_forwarding": "enableLocalWriteForwarding",
         "enable_performance_insights": "enablePerformanceInsights",
+        "engine_lifecycle_support": "engineLifecycleSupport",
         "iam_authentication": "iamAuthentication",
         "instance_identifier_base": "instanceIdentifierBase",
         "instance_props": "instanceProps",
@@ -22166,6 +22198,7 @@ class DatabaseClusterProps:
         enable_data_api: typing.Optional[builtins.bool] = None,
         enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
+        engine_lifecycle_support: typing.Optional["EngineLifecycleSupport"] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union["InstanceProps", typing.Dict[builtins.str, typing.Any]]] = None,
@@ -22221,6 +22254,7 @@ class DatabaseClusterProps:
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
         :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 or higher, and for Aurora PostgreSQL 16.4 or higher (for version 16), 15.8 or higher (for version 15), and 14.13 or higher (for version 14). Default: false
         :param enable_performance_insights: Whether to enable Performance Insights for the DB cluster. Default: - false, unless ``performanceInsightRetention`` or ``performanceInsightEncryptionKey`` is set, or ``databaseInsightsMode`` is set to ``DatabaseInsightsMode.ADVANCED``.
+        :param engine_lifecycle_support: The life cycle type for this DB cluster. Default: undefined - AWS RDS default setting is ``EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT``
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -22304,6 +22338,7 @@ class DatabaseClusterProps:
             check_type(argname="argument enable_data_api", value=enable_data_api, expected_type=type_hints["enable_data_api"])
             check_type(argname="argument enable_local_write_forwarding", value=enable_local_write_forwarding, expected_type=type_hints["enable_local_write_forwarding"])
             check_type(argname="argument enable_performance_insights", value=enable_performance_insights, expected_type=type_hints["enable_performance_insights"])
+            check_type(argname="argument engine_lifecycle_support", value=engine_lifecycle_support, expected_type=type_hints["engine_lifecycle_support"])
             check_type(argname="argument iam_authentication", value=iam_authentication, expected_type=type_hints["iam_authentication"])
             check_type(argname="argument instance_identifier_base", value=instance_identifier_base, expected_type=type_hints["instance_identifier_base"])
             check_type(argname="argument instance_props", value=instance_props, expected_type=type_hints["instance_props"])
@@ -22378,6 +22413,8 @@ class DatabaseClusterProps:
             self._values["enable_local_write_forwarding"] = enable_local_write_forwarding
         if enable_performance_insights is not None:
             self._values["enable_performance_insights"] = enable_performance_insights
+        if engine_lifecycle_support is not None:
+            self._values["engine_lifecycle_support"] = engine_lifecycle_support
         if iam_authentication is not None:
             self._values["iam_authentication"] = iam_authentication
         if instance_identifier_base is not None:
@@ -22673,6 +22710,17 @@ class DatabaseClusterProps:
         result = self._values.get("enable_performance_insights")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def engine_lifecycle_support(self) -> typing.Optional["EngineLifecycleSupport"]:
+        '''The life cycle type for this DB cluster.
+
+        :default: undefined - AWS RDS default setting is ``EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT``
+
+        :see: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/extended-support.html
+        '''
+        result = self._values.get("engine_lifecycle_support")
+        return typing.cast(typing.Optional["EngineLifecycleSupport"], result)
+
     @builtins.property
     def iam_authentication(self) -> typing.Optional[builtins.bool]:
         '''Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts.
@@ -27328,6 +27376,31 @@ class Endpoint(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_rds.Endpoint"
         return typing.cast(builtins.str, jsii.get(self, "socketAddress"))
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_rds.EngineLifecycleSupport")
+class EngineLifecycleSupport(enum.Enum):
+    '''Engine lifecycle support for Amazon RDS and Amazon Aurora.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # vpc: ec2.IVpc
+        
+        
+        rds.DatabaseCluster(self, "DatabaseCluster",
+            engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_07_0),
+            writer=rds.ClusterInstance.serverless_v2("writerInstance"),
+            vpc=vpc,
+            engine_lifecycle_support=rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT
+        )
+    '''
+
+    OPEN_SOURCE_RDS_EXTENDED_SUPPORT = "OPEN_SOURCE_RDS_EXTENDED_SUPPORT"
+    '''Using Amazon RDS extended support.'''
+    OPEN_SOURCE_RDS_EXTENDED_SUPPORT_DISABLED = "OPEN_SOURCE_RDS_EXTENDED_SUPPORT_DISABLED"
+    '''Not using Amazon RDS extended support.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_rds.EngineVersion",
     jsii_struct_bases=[],
@@ -42217,6 +42290,7 @@ class DatabaseClusterFromSnapshot(
         enable_data_api: typing.Optional[builtins.bool] = None,
         enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
+        engine_lifecycle_support: typing.Optional[EngineLifecycleSupport] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -42274,6 +42348,7 @@ class DatabaseClusterFromSnapshot(
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
         :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 or higher, and for Aurora PostgreSQL 16.4 or higher (for version 16), 15.8 or higher (for version 15), and 14.13 or higher (for version 14). Default: false
         :param enable_performance_insights: Whether to enable Performance Insights for the DB cluster. Default: - false, unless ``performanceInsightRetention`` or ``performanceInsightEncryptionKey`` is set, or ``databaseInsightsMode`` is set to ``DatabaseInsightsMode.ADVANCED``.
+        :param engine_lifecycle_support: The life cycle type for this DB cluster. Default: undefined - AWS RDS default setting is ``EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT``
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -42333,6 +42408,7 @@ class DatabaseClusterFromSnapshot(
             enable_data_api=enable_data_api,
             enable_local_write_forwarding=enable_local_write_forwarding,
             enable_performance_insights=enable_performance_insights,
+            engine_lifecycle_support=engine_lifecycle_support,
             iam_authentication=iam_authentication,
             instance_identifier_base=instance_identifier_base,
             instance_props=instance_props,
@@ -46374,6 +46450,7 @@ class DatabaseCluster(
         enable_data_api: typing.Optional[builtins.bool] = None,
         enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
         enable_performance_insights: typing.Optional[builtins.bool] = None,
+        engine_lifecycle_support: typing.Optional[EngineLifecycleSupport] = None,
         iam_authentication: typing.Optional[builtins.bool] = None,
         instance_identifier_base: typing.Optional[builtins.str] = None,
         instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -46430,6 +46507,7 @@ class DatabaseCluster(
         :param enable_data_api: Whether to enable the Data API for the cluster. Default: - false
         :param enable_local_write_forwarding: Whether read replicas can forward write operations to the writer DB instance in the DB cluster. This setting can only be enabled for Aurora MySQL 3.04 or higher, and for Aurora PostgreSQL 16.4 or higher (for version 16), 15.8 or higher (for version 15), and 14.13 or higher (for version 14). Default: false
         :param enable_performance_insights: Whether to enable Performance Insights for the DB cluster. Default: - false, unless ``performanceInsightRetention`` or ``performanceInsightEncryptionKey`` is set, or ``databaseInsightsMode`` is set to ``DatabaseInsightsMode.ADVANCED``.
+        :param engine_lifecycle_support: The life cycle type for this DB cluster. Default: undefined - AWS RDS default setting is ``EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT``
         :param iam_authentication: Whether to enable mapping of AWS Identity and Access Management (IAM) accounts to database accounts. Default: false
         :param instance_identifier_base: Base identifier for instances. Every replica is named by appending the replica number to this string, 1-based. Default: - clusterIdentifier is used with the word "Instance" appended. If clusterIdentifier is not provided, the identifier is automatically generated.
         :param instance_props: (deprecated) Settings for the individual instances that are launched.
@@ -46488,6 +46566,7 @@ class DatabaseCluster(
             enable_data_api=enable_data_api,
             enable_local_write_forwarding=enable_local_write_forwarding,
             enable_performance_insights=enable_performance_insights,
+            engine_lifecycle_support=engine_lifecycle_support,
             iam_authentication=iam_authentication,
             instance_identifier_base=instance_identifier_base,
             instance_props=instance_props,
@@ -47415,6 +47494,7 @@ __all__ = [
     "DatabaseSecret",
     "DatabaseSecretProps",
     "Endpoint",
+    "EngineLifecycleSupport",
     "EngineVersion",
     "IAuroraClusterInstance",
     "IClusterEngine",
@@ -50189,6 +50269,7 @@ def _typecheckingstub__1e44b5aef872ca17869a17181382f06cd0166bdbe07e2c33701d3bf1e
     enable_data_api: typing.Optional[builtins.bool] = None,
     enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
+    engine_lifecycle_support: typing.Optional[EngineLifecycleSupport] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -50247,6 +50328,7 @@ def _typecheckingstub__a32e21c90ab65d3cfdb3b7ef2a0d741ba1528ec8824cd1817d1e485b4
     enable_data_api: typing.Optional[builtins.bool] = None,
     enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
+    engine_lifecycle_support: typing.Optional[EngineLifecycleSupport] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -51475,6 +51557,7 @@ def _typecheckingstub__d1a2e259091e12a41b0f5818df495769518e049ebcc89ed340ffc7ba4
     enable_data_api: typing.Optional[builtins.bool] = None,
     enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
+    engine_lifecycle_support: typing.Optional[EngineLifecycleSupport] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -51972,6 +52055,7 @@ def _typecheckingstub__c6184cbbefaa372690b9776dafecbf5857cf9bfbab91d1666aad22c56
     enable_data_api: typing.Optional[builtins.bool] = None,
     enable_local_write_forwarding: typing.Optional[builtins.bool] = None,
     enable_performance_insights: typing.Optional[builtins.bool] = None,
+    engine_lifecycle_support: typing.Optional[EngineLifecycleSupport] = None,
     iam_authentication: typing.Optional[builtins.bool] = None,
     instance_identifier_base: typing.Optional[builtins.str] = None,
     instance_props: typing.Optional[typing.Union[InstanceProps, typing.Dict[builtins.str, typing.Any]]] = None,

aws_cdk/aws_route53/__init__.py

@@ -2254,7 +2254,7 @@ class CfnHostedZone(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param hosted_zone_config: A complex type that contains an optional comment. If you don't want to specify a comment, omit the ``HostedZoneConfig`` and ``Comment`` elements.
-        :param hosted_zone_tags: Adds, edits, or deletes tags for a health check or a hosted zone. For information about using tags for cost allocation, see `Using Cost Allocation Tags <https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html>`_ in the *AWS Billing and Cost Management User Guide* .
+        :param hosted_zone_tags: Adds, edits, or deletes tags for a health check or a hosted zone. For information about using tags for cost allocation, see `Using Cost Allocation Tags <https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html>`_ in the *Billing and Cost Management User Guide* .
         :param name: The name of the domain. Specify a fully qualified domain name, for example, *www.example.com* . The trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Route 53 treats *www.example.com* (without a trailing dot) and *www.example.com.* (with a trailing dot) as identical. If you're creating a public hosted zone, this is the name you have registered with your DNS registrar. If your domain name is registered with a registrar other than Route 53, change the name servers for your domain to the set of ``NameServers`` that are returned by the ``Fn::GetAtt`` intrinsic function.
         :param query_logging_config: Creates a configuration for DNS query logging. After you create a query logging configuration, Amazon Route 53 begins to publish log data to an Amazon CloudWatch Logs log group. DNS query logs contain information about the queries that Route 53 receives for a specified public hosted zone, such as the following: - Route 53 edge location that responded to the DNS query - Domain or subdomain that was requested - DNS record type, such as A or AAAA - DNS response code, such as ``NoError`` or ``ServFail`` - **Log Group and Resource Policy** - Before you create a query logging configuration, perform the following operations. .. epigraph:: If you create a query logging configuration using the Route 53 console, Route 53 performs these operations automatically. - Create a CloudWatch Logs log group, and make note of the ARN, which you specify when you create a query logging configuration. Note the following: - You must create the log group in the us-east-1 region. - You must use the same AWS account to create the log group and the hosted zone that you want to configure query logging for. - When you create log groups for query logging, we recommend that you use a consistent prefix, for example: ``/aws/route53/ *hosted zone name*`` In the next step, you'll create a resource policy, which controls access to one or more log groups and the associated AWS resources, such as Route 53 hosted zones. There's a limit on the number of resource policies that you can create, so we recommend that you use a consistent prefix so you can use the same resource policy for all the log groups that you create for query logging. - Create a CloudWatch Logs resource policy, and give it the permissions that Route 53 needs to create log streams and to send query logs to log streams. You must create the CloudWatch Logs resource policy in the us-east-1 region. For the value of ``Resource`` , specify the ARN for the log group that you created in the previous step. To use the same resource policy for all the CloudWatch Logs log groups that you created for query logging configurations, replace the hosted zone name with ``*`` , for example: ``arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/*`` To avoid the confused deputy problem, a security issue where an entity without a permission for an action can coerce a more-privileged entity to perform it, you can optionally limit the permissions that a service has to a resource in a resource-based policy by supplying the following values: - For ``aws:SourceArn`` , supply the hosted zone ARN used in creating the query logging configuration. For example, ``aws:SourceArn: arn:aws:route53:::hostedzone/hosted zone ID`` . - For ``aws:SourceAccount`` , supply the account ID for the account that creates the query logging configuration. For example, ``aws:SourceAccount:111111111111`` . For more information, see `The confused deputy problem <https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html>`_ in the *AWS IAM User Guide* . .. epigraph:: You can't use the CloudWatch console to create or edit a resource policy. You must use the CloudWatch API, one of the AWS SDKs, or the AWS CLI . - **Log Streams and Edge Locations** - When Route 53 finishes creating the configuration for DNS query logging, it does the following: - Creates a log stream for an edge location the first time that the edge location responds to DNS queries for the specified hosted zone. That log stream is used to log all queries that Route 53 responds to for that edge location. - Begins to send query logs to the applicable log stream. The name of each log stream is in the following format: ``*hosted zone ID* / *edge location code*`` The edge location code is a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) For a list of edge locations, see "The Route 53 Global Network" on the `Route 53 Product Details <https://docs.aws.amazon.com/route53/details/>`_ page. - **Queries That Are Logged** - Query logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached the response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return the cached response. It doesn't forward another query to Route 53 until the TTL for the corresponding resource record set expires. Depending on how many DNS queries are submitted for a resource record set, and depending on the TTL for that resource record set, query logs might contain information about only one query out of every several thousand queries that are submitted to DNS. For more information about how DNS works, see `Routing Internet Traffic to Your Website or Web Application <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html>`_ in the *Amazon Route 53 Developer Guide* . - **Log File Format** - For a list of the values in each query log and the format of each value, see `Logging DNS Queries <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html>`_ in the *Amazon Route 53 Developer Guide* . - **Pricing** - For information about charges for query logs, see `Amazon CloudWatch Pricing <https://docs.aws.amazon.com/cloudwatch/pricing/>`_ . - **How to Stop Logging** - If you want Route 53 to stop sending query logs to CloudWatch Logs, delete the query logging configuration. For more information, see `DeleteQueryLoggingConfig <https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteQueryLoggingConfig.html>`_ .
         :param vpcs: *Private hosted zones:* A complex type that contains information about the VPCs that are associated with the specified hosted zone. .. epigraph:: For public hosted zones, omit ``VPCs`` , ``VPCId`` , and ``VPCRegion`` .
@@ -2702,7 +2702,7 @@ class CfnHostedZoneProps:
         '''Properties for defining a ``CfnHostedZone``.
 
         :param hosted_zone_config: A complex type that contains an optional comment. If you don't want to specify a comment, omit the ``HostedZoneConfig`` and ``Comment`` elements.
-        :param hosted_zone_tags: Adds, edits, or deletes tags for a health check or a hosted zone. For information about using tags for cost allocation, see `Using Cost Allocation Tags <https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html>`_ in the *AWS Billing and Cost Management User Guide* .
+        :param hosted_zone_tags: Adds, edits, or deletes tags for a health check or a hosted zone. For information about using tags for cost allocation, see `Using Cost Allocation Tags <https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html>`_ in the *Billing and Cost Management User Guide* .
         :param name: The name of the domain. Specify a fully qualified domain name, for example, *www.example.com* . The trailing dot is optional; Amazon Route 53 assumes that the domain name is fully qualified. This means that Route 53 treats *www.example.com* (without a trailing dot) and *www.example.com.* (with a trailing dot) as identical. If you're creating a public hosted zone, this is the name you have registered with your DNS registrar. If your domain name is registered with a registrar other than Route 53, change the name servers for your domain to the set of ``NameServers`` that are returned by the ``Fn::GetAtt`` intrinsic function.
         :param query_logging_config: Creates a configuration for DNS query logging. After you create a query logging configuration, Amazon Route 53 begins to publish log data to an Amazon CloudWatch Logs log group. DNS query logs contain information about the queries that Route 53 receives for a specified public hosted zone, such as the following: - Route 53 edge location that responded to the DNS query - Domain or subdomain that was requested - DNS record type, such as A or AAAA - DNS response code, such as ``NoError`` or ``ServFail`` - **Log Group and Resource Policy** - Before you create a query logging configuration, perform the following operations. .. epigraph:: If you create a query logging configuration using the Route 53 console, Route 53 performs these operations automatically. - Create a CloudWatch Logs log group, and make note of the ARN, which you specify when you create a query logging configuration. Note the following: - You must create the log group in the us-east-1 region. - You must use the same AWS account to create the log group and the hosted zone that you want to configure query logging for. - When you create log groups for query logging, we recommend that you use a consistent prefix, for example: ``/aws/route53/ *hosted zone name*`` In the next step, you'll create a resource policy, which controls access to one or more log groups and the associated AWS resources, such as Route 53 hosted zones. There's a limit on the number of resource policies that you can create, so we recommend that you use a consistent prefix so you can use the same resource policy for all the log groups that you create for query logging. - Create a CloudWatch Logs resource policy, and give it the permissions that Route 53 needs to create log streams and to send query logs to log streams. You must create the CloudWatch Logs resource policy in the us-east-1 region. For the value of ``Resource`` , specify the ARN for the log group that you created in the previous step. To use the same resource policy for all the CloudWatch Logs log groups that you created for query logging configurations, replace the hosted zone name with ``*`` , for example: ``arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/*`` To avoid the confused deputy problem, a security issue where an entity without a permission for an action can coerce a more-privileged entity to perform it, you can optionally limit the permissions that a service has to a resource in a resource-based policy by supplying the following values: - For ``aws:SourceArn`` , supply the hosted zone ARN used in creating the query logging configuration. For example, ``aws:SourceArn: arn:aws:route53:::hostedzone/hosted zone ID`` . - For ``aws:SourceAccount`` , supply the account ID for the account that creates the query logging configuration. For example, ``aws:SourceAccount:111111111111`` . For more information, see `The confused deputy problem <https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html>`_ in the *AWS IAM User Guide* . .. epigraph:: You can't use the CloudWatch console to create or edit a resource policy. You must use the CloudWatch API, one of the AWS SDKs, or the AWS CLI . - **Log Streams and Edge Locations** - When Route 53 finishes creating the configuration for DNS query logging, it does the following: - Creates a log stream for an edge location the first time that the edge location responds to DNS queries for the specified hosted zone. That log stream is used to log all queries that Route 53 responds to for that edge location. - Begins to send query logs to the applicable log stream. The name of each log stream is in the following format: ``*hosted zone ID* / *edge location code*`` The edge location code is a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) For a list of edge locations, see "The Route 53 Global Network" on the `Route 53 Product Details <https://docs.aws.amazon.com/route53/details/>`_ page. - **Queries That Are Logged** - Query logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached the response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return the cached response. It doesn't forward another query to Route 53 until the TTL for the corresponding resource record set expires. Depending on how many DNS queries are submitted for a resource record set, and depending on the TTL for that resource record set, query logs might contain information about only one query out of every several thousand queries that are submitted to DNS. For more information about how DNS works, see `Routing Internet Traffic to Your Website or Web Application <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html>`_ in the *Amazon Route 53 Developer Guide* . - **Log File Format** - For a list of the values in each query log and the format of each value, see `Logging DNS Queries <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html>`_ in the *Amazon Route 53 Developer Guide* . - **Pricing** - For information about charges for query logs, see `Amazon CloudWatch Pricing <https://docs.aws.amazon.com/cloudwatch/pricing/>`_ . - **How to Stop Logging** - If you want Route 53 to stop sending query logs to CloudWatch Logs, delete the query logging configuration. For more information, see `DeleteQueryLoggingConfig <https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteQueryLoggingConfig.html>`_ .
         :param vpcs: *Private hosted zones:* A complex type that contains information about the VPCs that are associated with the specified hosted zone. .. epigraph:: For public hosted zones, omit ``VPCs`` , ``VPCId`` , and ``VPCRegion`` .
@@ -2772,7 +2772,7 @@ class CfnHostedZoneProps:
     ) -> typing.Optional[typing.List[CfnHostedZone.HostedZoneTagProperty]]:
         '''Adds, edits, or deletes tags for a health check or a hosted zone.
 
-        For information about using tags for cost allocation, see `Using Cost Allocation Tags <https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html>`_ in the *AWS Billing and Cost Management User Guide* .
+        For information about using tags for cost allocation, see `Using Cost Allocation Tags <https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html>`_ in the *Billing and Cost Management User Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html#cfn-route53-hostedzone-hostedzonetags
         '''

aws_cdk/aws_route53recoverycontrol/__init__.py

@@ -114,7 +114,7 @@ class CfnCluster(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param name: Name of the cluster. You can use any non-white space character in the name except the following: & > < ' (single quote) " (double quote) ; (semicolon).
-        :param network_type: Cluster supports IPv4 endpoints and Dual-stack IPv4 and IPv6 endpoints. NetworkType can be IPV4 or DUALSTACK.
+        :param network_type: The network-type can either be IPV4 or DUALSTACK.
         :param tags: The tags associated with the cluster.
         '''
         if __debug__:
@@ -213,7 +213,7 @@ class CfnCluster(
     @builtins.property
     @jsii.member(jsii_name="networkType")
     def network_type(self) -> typing.Optional[builtins.str]:
-        '''Cluster supports IPv4 endpoints and Dual-stack IPv4 and IPv6 endpoints.'''
+        '''The network-type can either be IPV4 or DUALSTACK.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "networkType"))
 
     @network_type.setter
@@ -327,7 +327,7 @@ class CfnClusterProps:
         '''Properties for defining a ``CfnCluster``.
 
         :param name: Name of the cluster. You can use any non-white space character in the name except the following: & > < ' (single quote) " (double quote) ; (semicolon).
-        :param network_type: Cluster supports IPv4 endpoints and Dual-stack IPv4 and IPv6 endpoints. NetworkType can be IPV4 or DUALSTACK.
+        :param network_type: The network-type can either be IPV4 or DUALSTACK.
         :param tags: The tags associated with the cluster.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53recoverycontrol-cluster.html
@@ -377,9 +377,7 @@ class CfnClusterProps:
 
     @builtins.property
     def network_type(self) -> typing.Optional[builtins.str]:
-        '''Cluster supports IPv4 endpoints and Dual-stack IPv4 and IPv6 endpoints.
-
-        NetworkType can be IPV4 or DUALSTACK.
+        '''The network-type can either be IPV4 or DUALSTACK.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53recoverycontrol-cluster.html#cfn-route53recoverycontrol-cluster-networktype
         '''

aws_cdk/aws_rum/__init__.py

@@ -175,8 +175,8 @@ class CfnAppMonitor(
         :param custom_events: Specifies whether this app monitor allows the web client to define and send custom events. If you omit this parameter, custom events are ``DISABLED`` .
         :param cw_log_enabled: Data collected by CloudWatch RUM is kept by RUM for 30 days and then deleted. This parameter specifies whether CloudWatch RUM sends a copy of this telemetry data to Amazon CloudWatch Logs in your account. This enables you to keep the telemetry data for more than 30 days, but it does incur Amazon CloudWatch Logs charges. If you omit this parameter, the default is ``false`` .
         :param deobfuscation_configuration: A structure that contains the configuration for how an app monitor can deobfuscate stack traces.
-        :param domain: The top-level internet domain name for which your application has administrative authority. This parameter is required.
-        :param domain_list: The top-level internet domain names for which your application has administrative authority. The CreateAppMonitor requires either the domain or the domain list.
+        :param domain: The top-level internet domain name for which your application has administrative authority. This parameter or the ``DomainList`` parameter is required.
+        :param domain_list: List the domain names for which your application has administrative authority. This parameter or the ``Domain`` parameter is required. You can have a minimum of 1 and a maximum of 5 ``Domain`` under ``DomainList`` . Each ``Domain`` must be a minimum length of 1 and a maximum of 253 characters.
         :param resource_policy: Use this structure to assign a resource-based policy to a CloudWatch RUM app monitor to control access to it. Each app monitor can have one resource-based policy. The maximum size of the policy is 4 KB. To learn more about using resource policies with RUM, see `Using resource-based policies with CloudWatch RUM <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-resource-policies.html>`_ .
         :param tags: Assigns one or more tags (key-value pairs) to the app monitor. Tags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values. Tags don't have any semantic meaning to AWS and are interpreted strictly as strings of characters. You can associate as many as 50 tags with an app monitor. For more information, see `Tagging AWS resources <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ .
         '''
@@ -349,7 +349,10 @@ class CfnAppMonitor(
     @builtins.property
     @jsii.member(jsii_name="domainList")
     def domain_list(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The top-level internet domain names for which your application has administrative authority.'''
+        '''List the domain names for which your application has administrative authority.
+
+        This parameter or the ``Domain`` parameter is required.
+        '''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "domainList"))
 
     @domain_list.setter
@@ -762,7 +765,7 @@ class CfnAppMonitor(
         ) -> None:
             '''A structure that contains the configuration for how an app monitor can unminify JavaScript error stack traces using source maps.
 
-            :param status: Specifies whether JavaScript error stack traces should be unminified for this app monitor. The default is for JavaScript error stack trace unminification to be DISABLED
+            :param status: Specifies whether JavaScript error stack traces should be unminified for this app monitor. The default is for JavaScript error stack trace unminification to be ``DISABLED`` .
             :param s3_uri: The S3Uri of the bucket or folder that stores the source map files. It is required if status is ENABLED.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rum-appmonitor-javascriptsourcemaps.html
@@ -795,7 +798,7 @@ class CfnAppMonitor(
         def status(self) -> builtins.str:
             '''Specifies whether JavaScript error stack traces should be unminified for this app monitor.
 
-            The default is for JavaScript error stack trace unminification to be DISABLED
+            The default is for JavaScript error stack trace unminification to be ``DISABLED`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rum-appmonitor-javascriptsourcemaps.html#cfn-rum-appmonitor-javascriptsourcemaps-status
             '''
@@ -1252,8 +1255,8 @@ class CfnAppMonitorProps:
         :param custom_events: Specifies whether this app monitor allows the web client to define and send custom events. If you omit this parameter, custom events are ``DISABLED`` .
         :param cw_log_enabled: Data collected by CloudWatch RUM is kept by RUM for 30 days and then deleted. This parameter specifies whether CloudWatch RUM sends a copy of this telemetry data to Amazon CloudWatch Logs in your account. This enables you to keep the telemetry data for more than 30 days, but it does incur Amazon CloudWatch Logs charges. If you omit this parameter, the default is ``false`` .
         :param deobfuscation_configuration: A structure that contains the configuration for how an app monitor can deobfuscate stack traces.
-        :param domain: The top-level internet domain name for which your application has administrative authority. This parameter is required.
-        :param domain_list: The top-level internet domain names for which your application has administrative authority. The CreateAppMonitor requires either the domain or the domain list.
+        :param domain: The top-level internet domain name for which your application has administrative authority. This parameter or the ``DomainList`` parameter is required.
+        :param domain_list: List the domain names for which your application has administrative authority. This parameter or the ``Domain`` parameter is required. You can have a minimum of 1 and a maximum of 5 ``Domain`` under ``DomainList`` . Each ``Domain`` must be a minimum length of 1 and a maximum of 253 characters.
         :param resource_policy: Use this structure to assign a resource-based policy to a CloudWatch RUM app monitor to control access to it. Each app monitor can have one resource-based policy. The maximum size of the policy is 4 KB. To learn more about using resource policies with RUM, see `Using resource-based policies with CloudWatch RUM <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-resource-policies.html>`_ .
         :param tags: Assigns one or more tags (key-value pairs) to the app monitor. Tags can help you organize and categorize your resources. You can also use them to scope user permissions by granting a user permission to access or change only resources with certain tag values. Tags don't have any semantic meaning to AWS and are interpreted strictly as strings of characters. You can associate as many as 50 tags with an app monitor. For more information, see `Tagging AWS resources <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ .
 
@@ -1427,7 +1430,7 @@ class CfnAppMonitorProps:
     def domain(self) -> typing.Optional[builtins.str]:
         '''The top-level internet domain name for which your application has administrative authority.
 
-        This parameter is required.
+        This parameter or the ``DomainList`` parameter is required.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rum-appmonitor.html#cfn-rum-appmonitor-domain
         '''
@@ -1436,9 +1439,9 @@ class CfnAppMonitorProps:
 
     @builtins.property
     def domain_list(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The top-level internet domain names for which your application has administrative authority.
+        '''List the domain names for which your application has administrative authority. This parameter or the ``Domain`` parameter is required.
 
-        The CreateAppMonitor requires either the domain or the domain list.
+        You can have a minimum of 1 and a maximum of 5 ``Domain`` under ``DomainList`` . Each ``Domain`` must be a minimum length of 1 and a maximum of 253 characters.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rum-appmonitor.html#cfn-rum-appmonitor-domainlist
         '''

aws_cdk/aws_s3/__init__.py

@@ -2087,7 +2087,7 @@ class BucketProps:
         :param bucket_key_enabled: Whether Amazon S3 should use its own intermediary key to generate data keys. Only relevant when using KMS for encryption. - If not enabled, every object GET and PUT will cause an API call to KMS (with the attendant cost implications of that). - If enabled, S3 will use its own time-limited key instead. Only relevant, when Encryption is not set to ``BucketEncryption.UNENCRYPTED``. Default: - false
         :param bucket_name: Physical name of this bucket. Default: - Assigned by CloudFormation (recommended).
         :param cors: The CORS configuration of this bucket. Default: - No CORS configuration.
-        :param encryption: The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via ``encryptionKey``. If encryption key is not specified, a key will automatically be created. Default: - ``KMS`` if ``encryptionKey`` is specified, or ``UNENCRYPTED`` otherwise. But if ``UNENCRYPTED`` is specified, the bucket will be encrypted as ``S3_MANAGED`` automatically.
+        :param encryption: The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via ``encryptionKey``. If encryption key is not specified, a key will automatically be created. Default: - ``KMS`` if ``encryptionKey`` is specified, or ``S3_MANAGED`` otherwise.
         :param encryption_key: External KMS key to use for bucket encryption. The ``encryption`` property must be either not specified or set to ``KMS`` or ``DSSE``. An error will be emitted if ``encryption`` is set to ``UNENCRYPTED`` or ``S3_MANAGED``. Default: - If ``encryption`` is set to ``KMS`` and this property is undefined, a new KMS key will be created and associated with this bucket.
         :param enforce_ssl: Enforces SSL for requests. S3.5 of the AWS Foundational Security Best Practices Regarding S3. Default: false
         :param event_bridge_enabled: Whether this bucket should send notifications to Amazon EventBridge or not. Default: false
@@ -2325,10 +2325,7 @@ class BucketProps:
         If you choose KMS, you can specify a KMS key via ``encryptionKey``. If
         encryption key is not specified, a key will automatically be created.
 
-        :default:
-
-        - ``KMS`` if ``encryptionKey`` is specified, or ``UNENCRYPTED`` otherwise.
-        But if ``UNENCRYPTED`` is specified, the bucket will be encrypted as ``S3_MANAGED`` automatically.
+        :default: - ``KMS`` if ``encryptionKey`` is specified, or ``S3_MANAGED`` otherwise.
         '''
         result = self._values.get("encryption")
         return typing.cast(typing.Optional[BucketEncryption], result)
@@ -20670,7 +20667,7 @@ class Bucket(
         :param bucket_key_enabled: Whether Amazon S3 should use its own intermediary key to generate data keys. Only relevant when using KMS for encryption. - If not enabled, every object GET and PUT will cause an API call to KMS (with the attendant cost implications of that). - If enabled, S3 will use its own time-limited key instead. Only relevant, when Encryption is not set to ``BucketEncryption.UNENCRYPTED``. Default: - false
         :param bucket_name: Physical name of this bucket. Default: - Assigned by CloudFormation (recommended).
         :param cors: The CORS configuration of this bucket. Default: - No CORS configuration.
-        :param encryption: The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via ``encryptionKey``. If encryption key is not specified, a key will automatically be created. Default: - ``KMS`` if ``encryptionKey`` is specified, or ``UNENCRYPTED`` otherwise. But if ``UNENCRYPTED`` is specified, the bucket will be encrypted as ``S3_MANAGED`` automatically.
+        :param encryption: The kind of server-side encryption to apply to this bucket. If you choose KMS, you can specify a KMS key via ``encryptionKey``. If encryption key is not specified, a key will automatically be created. Default: - ``KMS`` if ``encryptionKey`` is specified, or ``S3_MANAGED`` otherwise.
         :param encryption_key: External KMS key to use for bucket encryption. The ``encryption`` property must be either not specified or set to ``KMS`` or ``DSSE``. An error will be emitted if ``encryption`` is set to ``UNENCRYPTED`` or ``S3_MANAGED``. Default: - If ``encryption`` is set to ``KMS`` and this property is undefined, a new KMS key will be created and associated with this bucket.
         :param enforce_ssl: Enforces SSL for requests. S3.5 of the AWS Foundational Security Best Practices Regarding S3. Default: false
         :param event_bridge_enabled: Whether this bucket should send notifications to Amazon EventBridge or not. Default: false

aws_cdk/aws_sagemaker/__init__.py

@@ -42051,6 +42051,7 @@ class CfnPartnerApp(
             ),
             client_token="clientToken",
             enable_iam_session_based_identity=False,
+            kms_key_id="kmsKeyId",
             maintenance_config=sagemaker.CfnPartnerApp.PartnerAppMaintenanceConfigProperty(
                 maintenance_window_start="maintenanceWindowStart"
             ),
@@ -42074,6 +42075,7 @@ class CfnPartnerApp(
         application_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnPartnerApp.PartnerAppConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         client_token: typing.Optional[builtins.str] = None,
         enable_iam_session_based_identity: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        kms_key_id: typing.Optional[builtins.str] = None,
         maintenance_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnPartnerApp.PartnerAppMaintenanceConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
@@ -42088,6 +42090,7 @@ class CfnPartnerApp(
         :param application_config: A collection of configuration settings for the PartnerApp.
         :param client_token: (deprecated) The client token for the PartnerApp.
         :param enable_iam_session_based_identity: Enables IAM Session based Identity for PartnerApp.
+        :param kms_key_id: The AWS KMS customer managed key used to encrypt the data associated with the PartnerApp.
         :param maintenance_config: A collection of settings that specify the maintenance schedule for the PartnerApp.
         :param tags: A list of tags to apply to the PartnerApp.
         '''
@@ -42104,6 +42107,7 @@ class CfnPartnerApp(
             application_config=application_config,
             client_token=client_token,
             enable_iam_session_based_identity=enable_iam_session_based_identity,
+            kms_key_id=kms_key_id,
             maintenance_config=maintenance_config,
             tags=tags,
         )
@@ -42288,6 +42292,19 @@ class CfnPartnerApp(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "enableIamSessionBasedIdentity", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="kmsKeyId")
+    def kms_key_id(self) -> typing.Optional[builtins.str]:
+        '''The AWS KMS customer managed key used to encrypt the data associated with the PartnerApp.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "kmsKeyId"))
+
+    @kms_key_id.setter
+    def kms_key_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__58c272923722b0c517d340605d53203fe379f478e3d080374edf1307990220fe)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "kmsKeyId", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="maintenanceConfig")
     def maintenance_config(
@@ -42462,6 +42479,7 @@ class CfnPartnerApp(
         "application_config": "applicationConfig",
         "client_token": "clientToken",
         "enable_iam_session_based_identity": "enableIamSessionBasedIdentity",
+        "kms_key_id": "kmsKeyId",
         "maintenance_config": "maintenanceConfig",
         "tags": "tags",
     },
@@ -42478,6 +42496,7 @@ class CfnPartnerAppProps:
         application_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPartnerApp.PartnerAppConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         client_token: typing.Optional[builtins.str] = None,
         enable_iam_session_based_identity: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        kms_key_id: typing.Optional[builtins.str] = None,
         maintenance_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPartnerApp.PartnerAppMaintenanceConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
@@ -42491,6 +42510,7 @@ class CfnPartnerAppProps:
         :param application_config: A collection of configuration settings for the PartnerApp.
         :param client_token: (deprecated) The client token for the PartnerApp.
         :param enable_iam_session_based_identity: Enables IAM Session based Identity for PartnerApp.
+        :param kms_key_id: The AWS KMS customer managed key used to encrypt the data associated with the PartnerApp.
         :param maintenance_config: A collection of settings that specify the maintenance schedule for the PartnerApp.
         :param tags: A list of tags to apply to the PartnerApp.
 
@@ -42519,6 +42539,7 @@ class CfnPartnerAppProps:
                 ),
                 client_token="clientToken",
                 enable_iam_session_based_identity=False,
+                kms_key_id="kmsKeyId",
                 maintenance_config=sagemaker.CfnPartnerApp.PartnerAppMaintenanceConfigProperty(
                     maintenance_window_start="maintenanceWindowStart"
                 ),
@@ -42538,6 +42559,7 @@ class CfnPartnerAppProps:
             check_type(argname="argument application_config", value=application_config, expected_type=type_hints["application_config"])
             check_type(argname="argument client_token", value=client_token, expected_type=type_hints["client_token"])
             check_type(argname="argument enable_iam_session_based_identity", value=enable_iam_session_based_identity, expected_type=type_hints["enable_iam_session_based_identity"])
+            check_type(argname="argument kms_key_id", value=kms_key_id, expected_type=type_hints["kms_key_id"])
             check_type(argname="argument maintenance_config", value=maintenance_config, expected_type=type_hints["maintenance_config"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -42553,6 +42575,8 @@ class CfnPartnerAppProps:
             self._values["client_token"] = client_token
         if enable_iam_session_based_identity is not None:
             self._values["enable_iam_session_based_identity"] = enable_iam_session_based_identity
+        if kms_key_id is not None:
+            self._values["kms_key_id"] = kms_key_id
         if maintenance_config is not None:
             self._values["maintenance_config"] = maintenance_config
         if tags is not None:
@@ -42644,6 +42668,15 @@ class CfnPartnerAppProps:
         result = self._values.get("enable_iam_session_based_identity")
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
+    @builtins.property
+    def kms_key_id(self) -> typing.Optional[builtins.str]:
+        '''The AWS KMS customer managed key used to encrypt the data associated with the PartnerApp.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-partnerapp.html#cfn-sagemaker-partnerapp-kmskeyid
+        '''
+        result = self._values.get("kms_key_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def maintenance_config(
         self,
@@ -54541,6 +54574,7 @@ def _typecheckingstub__149fe137328534a718f6ce551ee72371d9e2f7ac901d129321d3ff327
     application_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPartnerApp.PartnerAppConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     client_token: typing.Optional[builtins.str] = None,
     enable_iam_session_based_identity: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    kms_key_id: typing.Optional[builtins.str] = None,
     maintenance_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPartnerApp.PartnerAppMaintenanceConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -54607,6 +54641,12 @@ def _typecheckingstub__ebd74e6776143e94da10e5c2bab1e42ca40468d81bb1db74aa0c18459
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__58c272923722b0c517d340605d53203fe379f478e3d080374edf1307990220fe(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__01904965c7f75553d54adf4ed7dd98da8f98703ddbdf03abdbbfb7056e2bceab(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnPartnerApp.PartnerAppMaintenanceConfigProperty]],
 ) -> None:
@@ -54644,6 +54684,7 @@ def _typecheckingstub__23a26f35e63e4c1c82a8885f138a3f6006822c6ecbf7284a7c2ccafae
     application_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPartnerApp.PartnerAppConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     client_token: typing.Optional[builtins.str] = None,
     enable_iam_session_based_identity: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    kms_key_id: typing.Optional[builtins.str] = None,
     maintenance_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPartnerApp.PartnerAppMaintenanceConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None: