aws-cdk-lib 2.195.0__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/aws_s3/__init__.py

@@ -152,6 +152,22 @@ bucket.grant_read_write(my_lambda)
 Will give the Lambda's execution role permissions to read and write
 from the bucket.
 
+### Understanding "grant" Methods
+
+The S3 construct library provides several grant methods for the `Bucket` resource, but two of them have a special behavior. This two accept an `objectsKeyPattern` parameter to restrict granted permissions to specific resources:
+
+* `grantRead`
+* `grantReadWrite`
+
+When examining the synthesized policy, you'll notice it includes both your specified object key patterns and the bucket itself.
+This is by design. Some permissions (like `s3:ListBucket`) apply at the bucket level, while others (like `s3:GetObject`) apply to specific objects.
+
+Specifically, the [`s3:ListBucket` action operates on bucket resources](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-bucket)
+and requires the bucket ARN to work properly. This might be seen as a bug, giving the impression that more permissions were granted than the ones you intended, but the reality is that the policy does not ignore your `objectsKeyPattern` - object-specific actions like `s3:GetObject`
+will still be limited to the resources defined in your pattern.
+
+If you need to restrict the `s3:ListBucket` action to specific paths, you can add a `Condition` to your policy that limits the `objectsKeyPattern` to specific folders. For more details and examples, see the [AWS documentation on bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-folders).
+
 ## AWS Foundational Security Best Practices
 
 ### Enforcing SSL
@@ -183,8 +199,8 @@ To use a bucket in a different stack in the same CDK application, pass the objec
 #
 class Producer(Stack):
 
-    def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, notificationArns=None, synthesizer=None, terminationProtection=None, analyticsReporting=None, crossRegionReferences=None, permissionsBoundary=None, suppressTemplateIndentation=None):
-        super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, notificationArns=notificationArns, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting, crossRegionReferences=crossRegionReferences, permissionsBoundary=permissionsBoundary, suppressTemplateIndentation=suppressTemplateIndentation)
+    def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, notificationArns=None, synthesizer=None, terminationProtection=None, analyticsReporting=None, crossRegionReferences=None, permissionsBoundary=None, suppressTemplateIndentation=None, propertyInjectors=None):
+        super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, notificationArns=notificationArns, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting, crossRegionReferences=crossRegionReferences, permissionsBoundary=permissionsBoundary, suppressTemplateIndentation=suppressTemplateIndentation, propertyInjectors=propertyInjectors)
 
         bucket = s3.Bucket(self, "MyBucket",
             removal_policy=cdk.RemovalPolicy.DESTROY
@@ -195,8 +211,8 @@ class Producer(Stack):
 # Stack that consumes the bucket
 #
 class Consumer(Stack):
-    def __init__(self, scope, id, *, userBucket, description=None, env=None, stackName=None, tags=None, notificationArns=None, synthesizer=None, terminationProtection=None, analyticsReporting=None, crossRegionReferences=None, permissionsBoundary=None, suppressTemplateIndentation=None):
-        super().__init__(scope, id, userBucket=userBucket, description=description, env=env, stackName=stackName, tags=tags, notificationArns=notificationArns, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting, crossRegionReferences=crossRegionReferences, permissionsBoundary=permissionsBoundary, suppressTemplateIndentation=suppressTemplateIndentation)
+    def __init__(self, scope, id, *, userBucket, description=None, env=None, stackName=None, tags=None, notificationArns=None, synthesizer=None, terminationProtection=None, analyticsReporting=None, crossRegionReferences=None, permissionsBoundary=None, suppressTemplateIndentation=None, propertyInjectors=None):
+        super().__init__(scope, id, userBucket=userBucket, description=description, env=env, stackName=stackName, tags=tags, notificationArns=notificationArns, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting, crossRegionReferences=crossRegionReferences, permissionsBoundary=permissionsBoundary, suppressTemplateIndentation=suppressTemplateIndentation, propertyInjectors=propertyInjectors)
 
         user = iam.User(self, "MyUser")
         user_bucket.grant_read_write(user)
@@ -360,19 +376,19 @@ bucket = s3.Bucket(self, "MyBlockedBucket",
 )
 ```
 
-Block and ignore public ACLs:
+Block and ignore public ACLs (other options remain unblocked):
 
 ```python
 bucket = s3.Bucket(self, "MyBlockedBucket",
-    block_public_access=s3.BlockPublicAccess.BLOCK_ACLS
+    block_public_access=s3.BlockPublicAccess.BLOCK_ACLS_ONLY
 )
 ```
 
-Alternatively, specify the settings manually:
+Alternatively, specify the settings manually (unspecified options will remain blocked):
 
 ```python
 bucket = s3.Bucket(self, "MyBlockedBucket",
-    block_public_access=s3.BlockPublicAccess(block_public_policy=True)
+    block_public_access=s3.BlockPublicAccess(block_public_policy=False)
 )
 ```
 
@@ -904,12 +920,15 @@ To replicate objects to a destination bucket, you can specify the `replicationRu
 # destination_bucket1: s3.IBucket
 # destination_bucket2: s3.IBucket
 # replication_role: iam.IRole
-# kms_key: kms.IKey
+# encryption_key: kms.IKey
+# destination_encryption_key: kms.IKey
 
 
 source_bucket = s3.Bucket(self, "SourceBucket",
     # Versioning must be enabled on both the source and destination bucket
     versioned=True,
+    # Optional. Specify the KMS key to use for encrypts objects in the source bucket.
+    encryption_key=encryption_key,
     # Optional. If not specified, a new role will be created.
     replication_role=replication_role,
     replication_rules=[s3.ReplicationRule(
@@ -932,7 +951,7 @@ source_bucket = s3.Bucket(self, "SourceBucket",
         # If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
         metrics=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
         # The kms key to use for the destination bucket.
-        kms_key=kms_key,
+        kms_key=destination_encryption_key,
         # The storage class to use for the destination bucket.
         storage_class=s3.StorageClass.INFREQUENT_ACCESS,
         # Whether to replicate objects with SSE-KMS encryption.
@@ -958,6 +977,15 @@ source_bucket = s3.Bucket(self, "SourceBucket",
     )
     ]
 )
+
+# Grant permissions to the replication role.
+# This method is not required if you choose to use an auto-generated replication role or manually grant permissions.
+source_bucket.grant_replication_permission(replication_role,
+    # Optional. Specify the KMS key to use for decrypting objects in the source bucket.
+    source_decryption_key=encryption_key,
+    destinations=[s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket1), s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket2, encryption_key=destination_encryption_key)
+    ]
+)
 ```
 
 ### Cross Account Replication
@@ -1063,6 +1091,28 @@ from ..aws_iam import (
     PolicyStatement as _PolicyStatement_0fe33853,
 )
 from ..aws_kms import IKey as _IKey_5f11635f
+from ..interfaces.aws_s3 import (
+    AccessGrantReference as _AccessGrantReference_4b0925c1,
+    AccessGrantsInstanceReference as _AccessGrantsInstanceReference_18c061b7,
+    AccessGrantsLocationReference as _AccessGrantsLocationReference_6163b002,
+    AccessPointReference as _AccessPointReference_b9bf9d61,
+    BucketPolicyReference as _BucketPolicyReference_3414f1e3,
+    BucketReference as _BucketReference_502fb39f,
+    IAccessGrantRef as _IAccessGrantRef_0e7c5209,
+    IAccessGrantsInstanceRef as _IAccessGrantsInstanceRef_94e5b823,
+    IAccessGrantsLocationRef as _IAccessGrantsLocationRef_5ae01054,
+    IAccessPointRef as _IAccessPointRef_02282fed,
+    IBucketPolicyRef as _IBucketPolicyRef_8ee2499d,
+    IBucketRef as _IBucketRef_3debe44e,
+    IMultiRegionAccessPointPolicyRef as _IMultiRegionAccessPointPolicyRef_2e4f5aa6,
+    IMultiRegionAccessPointRef as _IMultiRegionAccessPointRef_b814832f,
+    IStorageLensGroupRef as _IStorageLensGroupRef_aa787427,
+    IStorageLensRef as _IStorageLensRef_a99bd868,
+    MultiRegionAccessPointPolicyReference as _MultiRegionAccessPointPolicyReference_f5654e86,
+    MultiRegionAccessPointReference as _MultiRegionAccessPointReference_590848b5,
+    StorageLensGroupReference as _StorageLensGroupReference_c117a5a4,
+    StorageLensReference as _StorageLensReference_cc81afb5,
+)
 
 
 class BlockPublicAccess(
@@ -1074,8 +1124,15 @@ class BlockPublicAccess(
 
     Example::
 
-        bucket = s3.Bucket(self, "MyBlockedBucket",
-            block_public_access=s3.BlockPublicAccess.BLOCK_ALL
+        from aws_cdk import RemovalPolicy
+        
+        
+        s3.Bucket(scope, "Bucket",
+            block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
+            encryption=s3.BucketEncryption.S3_MANAGED,
+            enforce_sSL=True,
+            versioned=True,
+            removal_policy=RemovalPolicy.RETAIN
         )
     '''
 
@@ -1105,11 +1162,26 @@ class BlockPublicAccess(
     @jsii.python.classproperty
     @jsii.member(jsii_name="BLOCK_ACLS")
     def BLOCK_ACLS(cls) -> "BlockPublicAccess":
+        '''
+        :deprecated: Use ``BLOCK_ACLS_ONLY`` instead.
+
+        :stability: deprecated
+        '''
         return typing.cast("BlockPublicAccess", jsii.sget(cls, "BLOCK_ACLS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BLOCK_ACLS_ONLY")
+    def BLOCK_ACLS_ONLY(cls) -> "BlockPublicAccess":
+        '''Use this option if you want to only block the ACLs, using this will set blockPublicPolicy and restrictPublicBuckets to false.'''
+        return typing.cast("BlockPublicAccess", jsii.sget(cls, "BLOCK_ACLS_ONLY"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="BLOCK_ALL")
     def BLOCK_ALL(cls) -> "BlockPublicAccess":
+        '''Use this option if you want to ensure every public access method is blocked.
+
+        However keep in mind that this is the default state of an S3 bucket, and leaving blockPublicAccess undefined would also work.
+        '''
         return typing.cast("BlockPublicAccess", jsii.sget(cls, "BLOCK_ALL"))
 
     @builtins.property
@@ -1191,7 +1263,7 @@ class BlockPublicAccessOptions:
         Example::
 
             bucket = s3.Bucket(self, "MyBlockedBucket",
-                block_public_access=s3.BlockPublicAccess(block_public_policy=True)
+                block_public_access=s3.BlockPublicAccess(block_public_policy=False)
             )
         '''
         if __debug__:
@@ -1580,16 +1652,17 @@ class BucketEncryption(enum.Enum):
 
     Example::
 
-        from aws_cdk.aws_s3 import BucketEncryption
+        # application: appconfig.Application
         
         
-        app = App(
-            default_stack_synthesizer=AppStagingSynthesizer.default_resources(
-                app_id="my-app-id",
-                staging_bucket_encryption=BucketEncryption.S3_MANAGED,
-                file_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/S3Access"),
-                image_asset_publishing_role=BootstrapRole.from_role_arn("arn:aws:iam::123456789012:role/ECRAccess")
-            )
+        bucket = s3.Bucket(self, "MyBucket",
+            versioned=True,
+            encryption=s3.BucketEncryption.KMS
+        )
+        
+        appconfig.SourcedConfiguration(self, "MySourcedConfiguration",
+            application=application,
+            location=appconfig.ConfigurationSource.from_bucket(bucket, "path/to/file.json")
         )
     '''
 
@@ -1803,6 +1876,7 @@ class BucketNotificationDestinationType(enum.Enum):
     TOPIC = "TOPIC"
 
 
+@jsii.implements(_IBucketPolicyRef_8ee2499d)
 class BucketPolicy(
     _Resource_45bc6135,
     metaclass=jsii.JSIIMeta,
@@ -1877,19 +1951,23 @@ class BucketPolicy(
         id: builtins.str,
         *,
         bucket: "IBucket",
+        document: typing.Optional[_PolicyDocument_3ac34393] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     ) -> None:
         '''
         :param scope: -
         :param id: -
         :param bucket: The Amazon S3 bucket that the policy applies to.
+        :param document: Policy document to apply to the bucket. Default: - A new empty PolicyDocument will be created.
         :param removal_policy: Policy to apply when the policy is removed from this stack. Default: - RemovalPolicy.DESTROY.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__910b3df1208e67cb52dad0b0b8c5feb43c7bddb0ced50eaf6c953477298a840e)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        props = BucketPolicyProps(bucket=bucket, removal_policy=removal_policy)
+        props = BucketPolicyProps(
+            bucket=bucket, document=document, removal_policy=removal_policy
+        )
 
         jsii.create(self.__class__, self, [scope, id, props])
 
@@ -1919,12 +1997,24 @@ class BucketPolicy(
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
         return typing.cast(None, jsii.invoke(self, "applyRemovalPolicy", [removal_policy]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="bucket")
     def bucket(self) -> "IBucket":
         '''The Bucket this Policy applies to.'''
         return typing.cast("IBucket", jsii.get(self, "bucket"))
 
+    @builtins.property
+    @jsii.member(jsii_name="bucketPolicyRef")
+    def bucket_policy_ref(self) -> _BucketPolicyReference_3414f1e3:
+        '''A reference to a BucketPolicy resource.'''
+        return typing.cast(_BucketPolicyReference_3414f1e3, jsii.get(self, "bucketPolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="document")
     def document(self) -> _PolicyDocument_3ac34393:
@@ -1939,17 +2029,23 @@ class BucketPolicy(
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_s3.BucketPolicyProps",
     jsii_struct_bases=[],
-    name_mapping={"bucket": "bucket", "removal_policy": "removalPolicy"},
+    name_mapping={
+        "bucket": "bucket",
+        "document": "document",
+        "removal_policy": "removalPolicy",
+    },
 )
 class BucketPolicyProps:
     def __init__(
         self,
         *,
         bucket: "IBucket",
+        document: typing.Optional[_PolicyDocument_3ac34393] = None,
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     ) -> None:
         '''
         :param bucket: The Amazon S3 bucket that the policy applies to.
+        :param document: Policy document to apply to the bucket. Default: - A new empty PolicyDocument will be created.
         :param removal_policy: Policy to apply when the policy is removed from this stack. Default: - RemovalPolicy.DESTROY.
 
         :exampleMetadata: fixture=_generated
@@ -1959,24 +2055,30 @@ class BucketPolicyProps:
             # The code below shows an example of how to instantiate this type.
             # The values are placeholders you should change.
             import aws_cdk as cdk
+            from aws_cdk import aws_iam as iam
             from aws_cdk import aws_s3 as s3
             
             # bucket: s3.Bucket
+            # policy_document: iam.PolicyDocument
             
             bucket_policy_props = s3.BucketPolicyProps(
                 bucket=bucket,
             
                 # the properties below are optional
+                document=policy_document,
                 removal_policy=cdk.RemovalPolicy.DESTROY
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4d7b9233434273933326211f004f27c2982fedd89ad904dc86d84c54f0f50ac6)
             check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument document", value=document, expected_type=type_hints["document"])
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "bucket": bucket,
         }
+        if document is not None:
+            self._values["document"] = document
         if removal_policy is not None:
             self._values["removal_policy"] = removal_policy
 
@@ -1987,6 +2089,15 @@ class BucketPolicyProps:
         assert result is not None, "Required property 'bucket' is missing"
         return typing.cast("IBucket", result)
 
+    @builtins.property
+    def document(self) -> typing.Optional[_PolicyDocument_3ac34393]:
+        '''Policy document to apply to the bucket.
+
+        :default: - A new empty PolicyDocument will be created.
+        '''
+        result = self._values.get("document")
+        return typing.cast(typing.Optional[_PolicyDocument_3ac34393], result)
+
     @builtins.property
     def removal_policy(self) -> typing.Optional[_RemovalPolicy_9f93c814]:
         '''Policy to apply when the policy is removed from this stack.
@@ -2652,7 +2763,7 @@ class BucketProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _IAccessGrantRef_0e7c5209, _ITaggableV2_4e6798f8)
 class CfnAccessGrant(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2713,7 +2824,8 @@ class CfnAccessGrant(
         s3_prefix_type: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::AccessGrant``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param access_grants_location_id: The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID ``default`` to the default location ``s3://`` and assigns an auto-generated ID to other locations that you register.
@@ -2770,6 +2882,12 @@ class CfnAccessGrant(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accessGrantRef")
+    def access_grant_ref(self) -> _AccessGrantReference_4b0925c1:
+        '''A reference to a AccessGrant resource.'''
+        return typing.cast(_AccessGrantReference_4b0925c1, jsii.get(self, "accessGrantRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAccessGrantArn")
     def attr_access_grant_arn(self) -> builtins.str:
@@ -3238,7 +3356,7 @@ class CfnAccessGrantProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _IAccessGrantsInstanceRef_94e5b823, _ITaggableV2_4e6798f8)
 class CfnAccessGrantsInstance(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3278,7 +3396,8 @@ class CfnAccessGrantsInstance(
         identity_center_arn: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::AccessGrantsInstance``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param identity_center_arn: If you would like to associate your S3 Access Grants instance with an AWS IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the AWS IAM Identity Center instance that you are associating with your S3 Access Grants instance. An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center.
@@ -3324,6 +3443,12 @@ class CfnAccessGrantsInstance(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accessGrantsInstanceRef")
+    def access_grants_instance_ref(self) -> _AccessGrantsInstanceReference_18c061b7:
+        '''A reference to a AccessGrantsInstance resource.'''
+        return typing.cast(_AccessGrantsInstanceReference_18c061b7, jsii.get(self, "accessGrantsInstanceRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAccessGrantsInstanceArn")
     def attr_access_grants_instance_arn(self) -> builtins.str:
@@ -3460,7 +3585,7 @@ class CfnAccessGrantsInstanceProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _IAccessGrantsLocationRef_5ae01054, _ITaggableV2_4e6798f8)
 class CfnAccessGrantsLocation(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3492,6 +3617,8 @@ class CfnAccessGrantsLocation(
         cfn_access_grants_location = s3.CfnAccessGrantsLocation(self, "MyCfnAccessGrantsLocation",
             iam_role_arn="iamRoleArn",
             location_scope="locationScope",
+        
+            # the properties below are optional
             tags=[CfnTag(
                 key="key",
                 value="value"
@@ -3504,11 +3631,12 @@ class CfnAccessGrantsLocation(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        iam_role_arn: typing.Optional[builtins.str] = None,
-        location_scope: typing.Optional[builtins.str] = None,
+        iam_role_arn: builtins.str,
+        location_scope: builtins.str,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::AccessGrantsLocation``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param iam_role_arn: The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.
@@ -3555,6 +3683,12 @@ class CfnAccessGrantsLocation(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accessGrantsLocationRef")
+    def access_grants_location_ref(self) -> _AccessGrantsLocationReference_6163b002:
+        '''A reference to a AccessGrantsLocation resource.'''
+        return typing.cast(_AccessGrantsLocationReference_6163b002, jsii.get(self, "accessGrantsLocationRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAccessGrantsLocationArn")
     def attr_access_grants_location_arn(self) -> builtins.str:
@@ -3588,12 +3722,12 @@ class CfnAccessGrantsLocation(
 
     @builtins.property
     @jsii.member(jsii_name="iamRoleArn")
-    def iam_role_arn(self) -> typing.Optional[builtins.str]:
+    def iam_role_arn(self) -> builtins.str:
         '''The Amazon Resource Name (ARN) of the IAM role for the registered location.'''
-        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "iamRoleArn"))
+        return typing.cast(builtins.str, jsii.get(self, "iamRoleArn"))
 
     @iam_role_arn.setter
-    def iam_role_arn(self, value: typing.Optional[builtins.str]) -> None:
+    def iam_role_arn(self, value: builtins.str) -> None:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__c6ad3ea630d95d457364fa227ccc4159df9b2fe48cab3fd14afc7301612ddce6)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
@@ -3601,12 +3735,12 @@ class CfnAccessGrantsLocation(
 
     @builtins.property
     @jsii.member(jsii_name="locationScope")
-    def location_scope(self) -> typing.Optional[builtins.str]:
+    def location_scope(self) -> builtins.str:
         '''The S3 URI path to the location that you are registering.'''
-        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "locationScope"))
+        return typing.cast(builtins.str, jsii.get(self, "locationScope"))
 
     @location_scope.setter
-    def location_scope(self, value: typing.Optional[builtins.str]) -> None:
+    def location_scope(self, value: builtins.str) -> None:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__80f4ecc1c277ca36e62d80157ee09c7e5856bf9bc1e1542588d3449f958c3302)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
@@ -3639,8 +3773,8 @@ class CfnAccessGrantsLocationProps:
     def __init__(
         self,
         *,
-        iam_role_arn: typing.Optional[builtins.str] = None,
-        location_scope: typing.Optional[builtins.str] = None,
+        iam_role_arn: builtins.str,
+        location_scope: builtins.str,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnAccessGrantsLocation``.
@@ -3661,6 +3795,8 @@ class CfnAccessGrantsLocationProps:
             cfn_access_grants_location_props = s3.CfnAccessGrantsLocationProps(
                 iam_role_arn="iamRoleArn",
                 location_scope="locationScope",
+            
+                # the properties below are optional
                 tags=[CfnTag(
                     key="key",
                     value="value"
@@ -3672,16 +3808,15 @@ class CfnAccessGrantsLocationProps:
             check_type(argname="argument iam_role_arn", value=iam_role_arn, expected_type=type_hints["iam_role_arn"])
             check_type(argname="argument location_scope", value=location_scope, expected_type=type_hints["location_scope"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {}
-        if iam_role_arn is not None:
-            self._values["iam_role_arn"] = iam_role_arn
-        if location_scope is not None:
-            self._values["location_scope"] = location_scope
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "iam_role_arn": iam_role_arn,
+            "location_scope": location_scope,
+        }
         if tags is not None:
             self._values["tags"] = tags
 
     @builtins.property
-    def iam_role_arn(self) -> typing.Optional[builtins.str]:
+    def iam_role_arn(self) -> builtins.str:
         '''The Amazon Resource Name (ARN) of the IAM role for the registered location.
 
         S3 Access Grants assumes this role to manage access to the registered location.
@@ -3689,10 +3824,11 @@ class CfnAccessGrantsLocationProps:
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-accessgrantslocation.html#cfn-s3-accessgrantslocation-iamrolearn
         '''
         result = self._values.get("iam_role_arn")
-        return typing.cast(typing.Optional[builtins.str], result)
+        assert result is not None, "Required property 'iam_role_arn' is missing"
+        return typing.cast(builtins.str, result)
 
     @builtins.property
-    def location_scope(self) -> typing.Optional[builtins.str]:
+    def location_scope(self) -> builtins.str:
         '''The S3 URI path to the location that you are registering.
 
         The location scope can be the default S3 location ``s3://`` , the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the ``engineering/`` prefix or object key names that start with the ``marketing/campaigns/`` prefix.
@@ -3700,7 +3836,8 @@ class CfnAccessGrantsLocationProps:
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-accessgrantslocation.html#cfn-s3-accessgrantslocation-locationscope
         '''
         result = self._values.get("location_scope")
-        return typing.cast(typing.Optional[builtins.str], result)
+        assert result is not None, "Required property 'location_scope' is missing"
+        return typing.cast(builtins.str, result)
 
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
@@ -3725,7 +3862,7 @@ class CfnAccessGrantsLocationProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IAccessPointRef_02282fed, _ITaggableV2_4e6798f8)
 class CfnAccessPoint(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3758,6 +3895,10 @@ class CfnAccessPoint(
                 ignore_public_acls=False,
                 restrict_public_buckets=False
             ),
+            tags=[CfnTag(
+                key="key",
+                value="value"
+            )],
             vpc_configuration=s3.CfnAccessPoint.VpcConfigurationProperty(
                 vpc_id="vpcId"
             )
@@ -3774,9 +3915,11 @@ class CfnAccessPoint(
         name: typing.Optional[builtins.str] = None,
         policy: typing.Any = None,
         public_access_block_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAccessPoint.PublicAccessBlockConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         vpc_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAccessPoint.VpcConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::AccessPoint``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param bucket: The name of the bucket associated with this access point.
@@ -3784,6 +3927,7 @@ class CfnAccessPoint(
         :param name: The name of this access point. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.
         :param policy: The access point policy associated with this access point.
         :param public_access_block_configuration: The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see `The Meaning of "Public" <https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status>`_ in the *Amazon S3 User Guide* .
+        :param tags: An array of tags that you can apply to access points. Tags are key-value pairs of metadata used to categorize your access points and control access. For more information, see `Using tags for attribute-based access control (ABAC) <https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac>`_ .
         :param vpc_configuration: The Virtual Private Cloud (VPC) configuration for this access point, if one exists.
         '''
         if __debug__:
@@ -3796,11 +3940,54 @@ class CfnAccessPoint(
             name=name,
             policy=policy,
             public_access_block_configuration=public_access_block_configuration,
+            tags=tags,
             vpc_configuration=vpc_configuration,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="fromAccessPointArn")
+    @builtins.classmethod
+    def from_access_point_arn(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        arn: builtins.str,
+    ) -> _IAccessPointRef_02282fed:
+        '''Creates a new IAccessPointRef from an ARN.
+
+        :param scope: -
+        :param id: -
+        :param arn: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__27c1fdb406b539ade70eea36bce09782bba11b354442fee5c5d43c938bfd0aee)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
+        return typing.cast(_IAccessPointRef_02282fed, jsii.sinvoke(cls, "fromAccessPointArn", [scope, id, arn]))
+
+    @jsii.member(jsii_name="fromAccessPointName")
+    @builtins.classmethod
+    def from_access_point_name(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        access_point_name: builtins.str,
+    ) -> _IAccessPointRef_02282fed:
+        '''Creates a new IAccessPointRef from a accessPointName.
+
+        :param scope: -
+        :param id: -
+        :param access_point_name: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9af2790fec8caeab2621c276234587e70ab62b4d6d6f7a82947b3b7326f42deb)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument access_point_name", value=access_point_name, expected_type=type_hints["access_point_name"])
+        return typing.cast(_IAccessPointRef_02282fed, jsii.sinvoke(cls, "fromAccessPointName", [scope, id, access_point_name]))
+
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -3831,6 +4018,12 @@ class CfnAccessPoint(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accessPointRef")
+    def access_point_ref(self) -> _AccessPointReference_b9bf9d61:
+        '''A reference to a AccessPoint resource.'''
+        return typing.cast(_AccessPointReference_b9bf9d61, jsii.get(self, "accessPointRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrAlias")
     def attr_alias(self) -> builtins.str:
@@ -3871,6 +4064,12 @@ class CfnAccessPoint(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrNetworkOrigin"))
 
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -3946,6 +4145,19 @@ class CfnAccessPoint(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "publicAccessBlockConfiguration", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''An array of tags that you can apply to access points.'''
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tags"))
+
+    @tags.setter
+    def tags(self, value: typing.Optional[typing.List[_CfnTag_f6864754]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d6c41b842366f80d771c24147e6f4bdb868bf8899c3f03b128339e380a158e19)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="vpcConfiguration")
     def vpc_configuration(
@@ -4160,6 +4372,7 @@ class CfnAccessPoint(
         "name": "name",
         "policy": "policy",
         "public_access_block_configuration": "publicAccessBlockConfiguration",
+        "tags": "tags",
         "vpc_configuration": "vpcConfiguration",
     },
 )
@@ -4172,6 +4385,7 @@ class CfnAccessPointProps:
         name: typing.Optional[builtins.str] = None,
         policy: typing.Any = None,
         public_access_block_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAccessPoint.PublicAccessBlockConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         vpc_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAccessPoint.VpcConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnAccessPoint``.
@@ -4181,6 +4395,7 @@ class CfnAccessPointProps:
         :param name: The name of this access point. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the access point name.
         :param policy: The access point policy associated with this access point.
         :param public_access_block_configuration: The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see `The Meaning of "Public" <https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status>`_ in the *Amazon S3 User Guide* .
+        :param tags: An array of tags that you can apply to access points. Tags are key-value pairs of metadata used to categorize your access points and control access. For more information, see `Using tags for attribute-based access control (ABAC) <https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac>`_ .
         :param vpc_configuration: The Virtual Private Cloud (VPC) configuration for this access point, if one exists.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-accesspoint.html
@@ -4207,6 +4422,10 @@ class CfnAccessPointProps:
                     ignore_public_acls=False,
                     restrict_public_buckets=False
                 ),
+                tags=[CfnTag(
+                    key="key",
+                    value="value"
+                )],
                 vpc_configuration=s3.CfnAccessPoint.VpcConfigurationProperty(
                     vpc_id="vpcId"
                 )
@@ -4219,6 +4438,7 @@ class CfnAccessPointProps:
             check_type(argname="argument name", value=name, expected_type=type_hints["name"])
             check_type(argname="argument policy", value=policy, expected_type=type_hints["policy"])
             check_type(argname="argument public_access_block_configuration", value=public_access_block_configuration, expected_type=type_hints["public_access_block_configuration"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
             check_type(argname="argument vpc_configuration", value=vpc_configuration, expected_type=type_hints["vpc_configuration"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "bucket": bucket,
@@ -4231,6 +4451,8 @@ class CfnAccessPointProps:
             self._values["policy"] = policy
         if public_access_block_configuration is not None:
             self._values["public_access_block_configuration"] = public_access_block_configuration
+        if tags is not None:
+            self._values["tags"] = tags
         if vpc_configuration is not None:
             self._values["vpc_configuration"] = vpc_configuration
 
@@ -4286,6 +4508,17 @@ class CfnAccessPointProps:
         result = self._values.get("public_access_block_configuration")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnAccessPoint.PublicAccessBlockConfigurationProperty]], result)
 
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''An array of tags that you can apply to access points.
+
+        Tags are key-value pairs of metadata used to categorize your access points and control access. For more information, see `Using tags for attribute-based access control (ABAC) <https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac>`_ .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-accesspoint.html#cfn-s3-accesspoint-tags
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
+
     @builtins.property
     def vpc_configuration(
         self,
@@ -4309,7 +4542,7 @@ class CfnAccessPointProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IBucketRef_3debe44e, _ITaggable_36806126)
 class CfnBucket(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4356,6 +4589,7 @@ class CfnBucket(
         inventory_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.InventoryConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         lifecycle_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.LifecycleConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         logging_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.LoggingConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        metadata_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.MetadataConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         metadata_table_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.MetadataTableConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         metrics_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.MetricsConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         notification_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.NotificationConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -4368,7 +4602,8 @@ class CfnBucket(
         versioning_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.VersioningConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         website_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.WebsiteConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::Bucket``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param accelerate_configuration: Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see `Amazon S3 Transfer Acceleration <https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html>`_ in the *Amazon S3 User Guide* .
@@ -4378,13 +4613,14 @@ class CfnBucket(
         :param bucket_name: A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow `Amazon S3 bucket restrictions and limitations <https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html>`_ . For more information, see `Rules for naming Amazon S3 buckets <https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html>`_ in the *Amazon S3 User Guide* . .. epigraph:: If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
         :param cors_configuration: Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see `Enabling Cross-Origin Resource Sharing <https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html>`_ in the *Amazon S3 User Guide* .
         :param intelligent_tiering_configurations: Defines how Amazon S3 handles Intelligent-Tiering storage.
-        :param inventory_configurations: Specifies the inventory configuration for an Amazon S3 bucket. For more information, see `GET Bucket inventory <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html>`_ in the *Amazon S3 API Reference* .
+        :param inventory_configurations: Specifies the S3 Inventory configuration for an Amazon S3 bucket. For more information, see `GET Bucket inventory <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html>`_ in the *Amazon S3 API Reference* .
         :param lifecycle_configuration: Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see `Object Lifecycle Management <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html>`_ in the *Amazon S3 User Guide* .
         :param logging_configuration: Settings that define where logs are stored.
+        :param metadata_configuration: The S3 Metadata configuration for a general purpose bucket.
         :param metadata_table_configuration: The metadata table configuration of an Amazon S3 general purpose bucket.
         :param metrics_configurations: Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see `PutBucketMetricsConfiguration <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html>`_ .
         :param notification_configuration: Configuration that defines how Amazon S3 handles bucket notifications.
-        :param object_lock_configuration: .. epigraph:: This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ .
+        :param object_lock_configuration: .. epigraph:: This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ . > You must URL encode any signed header values that contain spaces. For example, if your header value is ``my file.txt`` , containing two spaces after ``my`` , you must URL encode this value to ``my%20%20file.txt`` .
         :param object_lock_enabled: Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket.
         :param ownership_controls: Configuration that defines how Amazon S3 handles Object Ownership rules.
         :param public_access_block_configuration: Configuration that defines how Amazon S3 handles public access.
@@ -4408,6 +4644,7 @@ class CfnBucket(
             inventory_configurations=inventory_configurations,
             lifecycle_configuration=lifecycle_configuration,
             logging_configuration=logging_configuration,
+            metadata_configuration=metadata_configuration,
             metadata_table_configuration=metadata_table_configuration,
             metrics_configurations=metrics_configurations,
             notification_configuration=notification_configuration,
@@ -4423,6 +4660,48 @@ class CfnBucket(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.member(jsii_name="fromBucketArn")
+    @builtins.classmethod
+    def from_bucket_arn(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        arn: builtins.str,
+    ) -> _IBucketRef_3debe44e:
+        '''Creates a new IBucketRef from an ARN.
+
+        :param scope: -
+        :param id: -
+        :param arn: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f218931ccffe0d6407edcfc452f39d64609d0cceec6ea04313fa364cf5a4f3df)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument arn", value=arn, expected_type=type_hints["arn"])
+        return typing.cast(_IBucketRef_3debe44e, jsii.sinvoke(cls, "fromBucketArn", [scope, id, arn]))
+
+    @jsii.member(jsii_name="fromBucketName")
+    @builtins.classmethod
+    def from_bucket_name(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        bucket_name: builtins.str,
+    ) -> _IBucketRef_3debe44e:
+        '''Creates a new IBucketRef from a bucketName.
+
+        :param scope: -
+        :param id: -
+        :param bucket_name: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__08ccc75711c8ec0fedd9747e674f732b2653120a392c01413875cc0df08e91fa)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument bucket_name", value=bucket_name, expected_type=type_hints["bucket_name"])
+        return typing.cast(_IBucketRef_3debe44e, jsii.sinvoke(cls, "fromBucketName", [scope, id, bucket_name]))
+
     @jsii.member(jsii_name="inspect")
     def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
         '''Examines the CloudFormation resource and discloses attributes.
@@ -4488,6 +4767,59 @@ class CfnBucket(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrDualStackDomainName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrMetadataConfigurationDestination")
+    def attr_metadata_configuration_destination(self) -> _IResolvable_da3f097b:
+        '''The destination information for the S3 Metadata configuration.
+
+        :cloudformationAttribute: MetadataConfiguration.Destination
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrMetadataConfigurationDestination"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrMetadataConfigurationInventoryTableConfigurationTableArn")
+    def attr_metadata_configuration_inventory_table_configuration_table_arn(
+        self,
+    ) -> builtins.str:
+        '''The Amazon Resource Name (ARN) for the inventory table.
+
+        :cloudformationAttribute: MetadataConfiguration.InventoryTableConfiguration.TableArn
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrMetadataConfigurationInventoryTableConfigurationTableArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrMetadataConfigurationInventoryTableConfigurationTableName")
+    def attr_metadata_configuration_inventory_table_configuration_table_name(
+        self,
+    ) -> builtins.str:
+        '''The name of the inventory table.
+
+        :cloudformationAttribute: MetadataConfiguration.InventoryTableConfiguration.TableName
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrMetadataConfigurationInventoryTableConfigurationTableName"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrMetadataConfigurationJournalTableConfigurationTableArn")
+    def attr_metadata_configuration_journal_table_configuration_table_arn(
+        self,
+    ) -> builtins.str:
+        '''The Amazon Resource Name (ARN) for the journal table.
+
+        :cloudformationAttribute: MetadataConfiguration.JournalTableConfiguration.TableArn
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrMetadataConfigurationJournalTableConfigurationTableArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrMetadataConfigurationJournalTableConfigurationTableName")
+    def attr_metadata_configuration_journal_table_configuration_table_name(
+        self,
+    ) -> builtins.str:
+        '''The name of the journal table.
+
+        :cloudformationAttribute: MetadataConfiguration.JournalTableConfiguration.TableName
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrMetadataConfigurationJournalTableConfigurationTableName"))
+
     @builtins.property
     @jsii.member(jsii_name="attrMetadataTableConfigurationS3TablesDestinationTableArn")
     def attr_metadata_table_configuration_s3_tables_destination_table_arn(
@@ -4538,6 +4870,12 @@ class CfnBucket(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrWebsiteUrl"))
 
+    @builtins.property
+    @jsii.member(jsii_name="bucketRef")
+    def bucket_ref(self) -> _BucketReference_502fb39f:
+        '''A reference to a Bucket resource.'''
+        return typing.cast(_BucketReference_502fb39f, jsii.get(self, "bucketRef"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -4672,7 +5010,7 @@ class CfnBucket(
     def inventory_configurations(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnBucket.InventoryConfigurationProperty"]]]]:
-        '''Specifies the inventory configuration for an Amazon S3 bucket.'''
+        '''Specifies the S3 Inventory configuration for an Amazon S3 bucket.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnBucket.InventoryConfigurationProperty"]]]], jsii.get(self, "inventoryConfigurations"))
 
     @inventory_configurations.setter
@@ -4721,6 +5059,24 @@ class CfnBucket(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "loggingConfiguration", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="metadataConfiguration")
+    def metadata_configuration(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataConfigurationProperty"]]:
+        '''The S3 Metadata configuration for a general purpose bucket.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataConfigurationProperty"]], jsii.get(self, "metadataConfiguration"))
+
+    @metadata_configuration.setter
+    def metadata_configuration(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataConfigurationProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__13b4697762f20bd91e57f93bf2922758e68d9cbc3f74472e7da7f9ce2f7dcdca)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "metadataConfiguration", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="metadataTableConfiguration")
     def metadata_table_configuration(
@@ -5693,7 +6049,7 @@ class CfnBucket(
 
                If you are using an earlier version of the replication configuration, Amazon S3 handles replication of delete markers differently. For more information, see `Backward Compatibility <https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-add-config.html#replication-backward-compat-considerations>`_ .
 
-            :param status: Indicates whether to replicate delete markers. Disabled by default.
+            :param status: Indicates whether to replicate delete markers.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-deletemarkerreplication.html
             :exampleMetadata: fixture=_generated
@@ -5719,8 +6075,6 @@ class CfnBucket(
         def status(self) -> typing.Optional[builtins.str]:
             '''Indicates whether to replicate delete markers.
 
-            Disabled by default.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-deletemarkerreplication.html#cfn-s3-bucket-deletemarkerreplication-status
             '''
             result = self._values.get("status")
@@ -6208,7 +6562,7 @@ class CfnBucket(
             optional_fields: typing.Optional[typing.Sequence[builtins.str]] = None,
             prefix: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Specifies the inventory configuration for an Amazon S3 bucket.
+            '''Specifies the S3 Inventory configuration for an Amazon S3 bucket.
 
             For more information, see `GET Bucket inventory <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html>`_ in the *Amazon S3 API Reference* .
 
@@ -6355,25 +6709,32 @@ class CfnBucket(
             )
 
     @jsii.data_type(
-        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.LambdaConfigurationProperty",
+        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.InventoryTableConfigurationProperty",
         jsii_struct_bases=[],
-        name_mapping={"event": "event", "function": "function", "filter": "filter"},
+        name_mapping={
+            "configuration_state": "configurationState",
+            "encryption_configuration": "encryptionConfiguration",
+            "table_arn": "tableArn",
+            "table_name": "tableName",
+        },
     )
-    class LambdaConfigurationProperty:
+    class InventoryTableConfigurationProperty:
         def __init__(
             self,
             *,
-            event: builtins.str,
-            function: builtins.str,
-            filter: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.NotificationFilterProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            configuration_state: builtins.str,
+            encryption_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.MetadataTableEncryptionConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            table_arn: typing.Optional[builtins.str] = None,
+            table_name: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Describes the AWS Lambda functions to invoke and the events for which to invoke them.
+            '''The inventory table configuration for an S3 Metadata configuration.
 
-            :param event: The Amazon S3 bucket event for which to invoke the AWS Lambda function. For more information, see `Supported Event Types <https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html>`_ in the *Amazon S3 User Guide* .
-            :param function: The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon S3 invokes when the specified event type occurs.
-            :param filter: The filtering rules that determine which objects invoke the AWS Lambda function. For example, you can create a filter so that only image files with a ``.jpg`` extension invoke the function when they are added to the Amazon S3 bucket.
+            :param configuration_state: The configuration state of the inventory table, indicating whether the inventory table is enabled or disabled.
+            :param encryption_configuration: The encryption configuration for the inventory table.
+            :param table_arn: The Amazon Resource Name (ARN) for the inventory table.
+            :param table_name: The name of the inventory table.
 
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-lambdaconfiguration.html
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-inventorytableconfiguration.html
             :exampleMetadata: fixture=_generated
 
             Example::
@@ -6382,32 +6743,262 @@ class CfnBucket(
                 # The values are placeholders you should change.
                 from aws_cdk import aws_s3 as s3
                 
-                lambda_configuration_property = s3.CfnBucket.LambdaConfigurationProperty(
-                    event="event",
-                    function="function",
+                inventory_table_configuration_property = s3.CfnBucket.InventoryTableConfigurationProperty(
+                    configuration_state="configurationState",
                 
                     # the properties below are optional
-                    filter=s3.CfnBucket.NotificationFilterProperty(
-                        s3_key=s3.CfnBucket.S3KeyFilterProperty(
-                            rules=[s3.CfnBucket.FilterRuleProperty(
-                                name="name",
-                                value="value"
-                            )]
-                        )
-                    )
+                    encryption_configuration=s3.CfnBucket.MetadataTableEncryptionConfigurationProperty(
+                        sse_algorithm="sseAlgorithm",
+                
+                        # the properties below are optional
+                        kms_key_arn="kmsKeyArn"
+                    ),
+                    table_arn="tableArn",
+                    table_name="tableName"
                 )
             '''
             if __debug__:
-                type_hints = typing.get_type_hints(_typecheckingstub__599ef02853407bceb720424e9874eda7b5e2324f3be8a787939e9d5f9a7d5765)
-                check_type(argname="argument event", value=event, expected_type=type_hints["event"])
-                check_type(argname="argument function", value=function, expected_type=type_hints["function"])
-                check_type(argname="argument filter", value=filter, expected_type=type_hints["filter"])
+                type_hints = typing.get_type_hints(_typecheckingstub__e3f0960f8776684cd6b2c423b1320b1ffcb2a6165dba0f275451667884000458)
+                check_type(argname="argument configuration_state", value=configuration_state, expected_type=type_hints["configuration_state"])
+                check_type(argname="argument encryption_configuration", value=encryption_configuration, expected_type=type_hints["encryption_configuration"])
+                check_type(argname="argument table_arn", value=table_arn, expected_type=type_hints["table_arn"])
+                check_type(argname="argument table_name", value=table_name, expected_type=type_hints["table_name"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
-                "event": event,
-                "function": function,
+                "configuration_state": configuration_state,
             }
-            if filter is not None:
-                self._values["filter"] = filter
+            if encryption_configuration is not None:
+                self._values["encryption_configuration"] = encryption_configuration
+            if table_arn is not None:
+                self._values["table_arn"] = table_arn
+            if table_name is not None:
+                self._values["table_name"] = table_name
+
+        @builtins.property
+        def configuration_state(self) -> builtins.str:
+            '''The configuration state of the inventory table, indicating whether the inventory table is enabled or disabled.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-inventorytableconfiguration.html#cfn-s3-bucket-inventorytableconfiguration-configurationstate
+            '''
+            result = self._values.get("configuration_state")
+            assert result is not None, "Required property 'configuration_state' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def encryption_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataTableEncryptionConfigurationProperty"]]:
+            '''The encryption configuration for the inventory table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-inventorytableconfiguration.html#cfn-s3-bucket-inventorytableconfiguration-encryptionconfiguration
+            '''
+            result = self._values.get("encryption_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataTableEncryptionConfigurationProperty"]], result)
+
+        @builtins.property
+        def table_arn(self) -> typing.Optional[builtins.str]:
+            '''The Amazon Resource Name (ARN) for the inventory table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-inventorytableconfiguration.html#cfn-s3-bucket-inventorytableconfiguration-tablearn
+            '''
+            result = self._values.get("table_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def table_name(self) -> typing.Optional[builtins.str]:
+            '''The name of the inventory table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-inventorytableconfiguration.html#cfn-s3-bucket-inventorytableconfiguration-tablename
+            '''
+            result = self._values.get("table_name")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "InventoryTableConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.JournalTableConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "record_expiration": "recordExpiration",
+            "encryption_configuration": "encryptionConfiguration",
+            "table_arn": "tableArn",
+            "table_name": "tableName",
+        },
+    )
+    class JournalTableConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            record_expiration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.RecordExpirationProperty", typing.Dict[builtins.str, typing.Any]]],
+            encryption_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.MetadataTableEncryptionConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            table_arn: typing.Optional[builtins.str] = None,
+            table_name: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''The journal table configuration for an S3 Metadata configuration.
+
+            :param record_expiration: The journal table record expiration settings for the journal table.
+            :param encryption_configuration: The encryption configuration for the journal table.
+            :param table_arn: The Amazon Resource Name (ARN) for the journal table.
+            :param table_name: The name of the journal table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-journaltableconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_s3 as s3
+                
+                journal_table_configuration_property = s3.CfnBucket.JournalTableConfigurationProperty(
+                    record_expiration=s3.CfnBucket.RecordExpirationProperty(
+                        expiration="expiration",
+                
+                        # the properties below are optional
+                        days=123
+                    ),
+                
+                    # the properties below are optional
+                    encryption_configuration=s3.CfnBucket.MetadataTableEncryptionConfigurationProperty(
+                        sse_algorithm="sseAlgorithm",
+                
+                        # the properties below are optional
+                        kms_key_arn="kmsKeyArn"
+                    ),
+                    table_arn="tableArn",
+                    table_name="tableName"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__4831e8bf78dc983eaf9b010780417c4e6b808ef19beac1729f89ba7bab53d4d9)
+                check_type(argname="argument record_expiration", value=record_expiration, expected_type=type_hints["record_expiration"])
+                check_type(argname="argument encryption_configuration", value=encryption_configuration, expected_type=type_hints["encryption_configuration"])
+                check_type(argname="argument table_arn", value=table_arn, expected_type=type_hints["table_arn"])
+                check_type(argname="argument table_name", value=table_name, expected_type=type_hints["table_name"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "record_expiration": record_expiration,
+            }
+            if encryption_configuration is not None:
+                self._values["encryption_configuration"] = encryption_configuration
+            if table_arn is not None:
+                self._values["table_arn"] = table_arn
+            if table_name is not None:
+                self._values["table_name"] = table_name
+
+        @builtins.property
+        def record_expiration(
+            self,
+        ) -> typing.Union[_IResolvable_da3f097b, "CfnBucket.RecordExpirationProperty"]:
+            '''The journal table record expiration settings for the journal table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-journaltableconfiguration.html#cfn-s3-bucket-journaltableconfiguration-recordexpiration
+            '''
+            result = self._values.get("record_expiration")
+            assert result is not None, "Required property 'record_expiration' is missing"
+            return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnBucket.RecordExpirationProperty"], result)
+
+        @builtins.property
+        def encryption_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataTableEncryptionConfigurationProperty"]]:
+            '''The encryption configuration for the journal table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-journaltableconfiguration.html#cfn-s3-bucket-journaltableconfiguration-encryptionconfiguration
+            '''
+            result = self._values.get("encryption_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataTableEncryptionConfigurationProperty"]], result)
+
+        @builtins.property
+        def table_arn(self) -> typing.Optional[builtins.str]:
+            '''The Amazon Resource Name (ARN) for the journal table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-journaltableconfiguration.html#cfn-s3-bucket-journaltableconfiguration-tablearn
+            '''
+            result = self._values.get("table_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def table_name(self) -> typing.Optional[builtins.str]:
+            '''The name of the journal table.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-journaltableconfiguration.html#cfn-s3-bucket-journaltableconfiguration-tablename
+            '''
+            result = self._values.get("table_name")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "JournalTableConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.LambdaConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={"event": "event", "function": "function", "filter": "filter"},
+    )
+    class LambdaConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            event: builtins.str,
+            function: builtins.str,
+            filter: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.NotificationFilterProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''Describes the AWS Lambda functions to invoke and the events for which to invoke them.
+
+            :param event: The Amazon S3 bucket event for which to invoke the AWS Lambda function. For more information, see `Supported Event Types <https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html>`_ in the *Amazon S3 User Guide* .
+            :param function: The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon S3 invokes when the specified event type occurs.
+            :param filter: The filtering rules that determine which objects invoke the AWS Lambda function. For example, you can create a filter so that only image files with a ``.jpg`` extension invoke the function when they are added to the Amazon S3 bucket.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-lambdaconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_s3 as s3
+                
+                lambda_configuration_property = s3.CfnBucket.LambdaConfigurationProperty(
+                    event="event",
+                    function="function",
+                
+                    # the properties below are optional
+                    filter=s3.CfnBucket.NotificationFilterProperty(
+                        s3_key=s3.CfnBucket.S3KeyFilterProperty(
+                            rules=[s3.CfnBucket.FilterRuleProperty(
+                                name="name",
+                                value="value"
+                            )]
+                        )
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__599ef02853407bceb720424e9874eda7b5e2324f3be8a787939e9d5f9a7d5765)
+                check_type(argname="argument event", value=event, expected_type=type_hints["event"])
+                check_type(argname="argument function", value=function, expected_type=type_hints["function"])
+                check_type(argname="argument filter", value=filter, expected_type=type_hints["filter"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "event": event,
+                "function": function,
+            }
+            if filter is not None:
+                self._values["filter"] = filter
 
         @builtins.property
         def event(self) -> builtins.str:
@@ -6708,6 +7299,235 @@ class CfnBucket(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.MetadataConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "journal_table_configuration": "journalTableConfiguration",
+            "destination": "destination",
+            "inventory_table_configuration": "inventoryTableConfiguration",
+        },
+    )
+    class MetadataConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            journal_table_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.JournalTableConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
+            destination: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.MetadataDestinationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            inventory_table_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.InventoryTableConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''Creates a V2 Amazon S3 Metadata configuration of a general purpose bucket.
+
+            For more information, see `Accelerating data discovery with S3 Metadata <https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html>`_ in the *Amazon S3 User Guide* .
+
+            :param journal_table_configuration: The journal table configuration for a metadata configuration.
+            :param destination: The destination information for the S3 Metadata configuration.
+            :param inventory_table_configuration: The inventory table configuration for a metadata configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadataconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_s3 as s3
+                
+                metadata_configuration_property = s3.CfnBucket.MetadataConfigurationProperty(
+                    journal_table_configuration=s3.CfnBucket.JournalTableConfigurationProperty(
+                        record_expiration=s3.CfnBucket.RecordExpirationProperty(
+                            expiration="expiration",
+                
+                            # the properties below are optional
+                            days=123
+                        ),
+                
+                        # the properties below are optional
+                        encryption_configuration=s3.CfnBucket.MetadataTableEncryptionConfigurationProperty(
+                            sse_algorithm="sseAlgorithm",
+                
+                            # the properties below are optional
+                            kms_key_arn="kmsKeyArn"
+                        ),
+                        table_arn="tableArn",
+                        table_name="tableName"
+                    ),
+                
+                    # the properties below are optional
+                    destination=s3.CfnBucket.MetadataDestinationProperty(
+                        table_bucket_type="tableBucketType",
+                
+                        # the properties below are optional
+                        table_bucket_arn="tableBucketArn",
+                        table_namespace="tableNamespace"
+                    ),
+                    inventory_table_configuration=s3.CfnBucket.InventoryTableConfigurationProperty(
+                        configuration_state="configurationState",
+                
+                        # the properties below are optional
+                        encryption_configuration=s3.CfnBucket.MetadataTableEncryptionConfigurationProperty(
+                            sse_algorithm="sseAlgorithm",
+                
+                            # the properties below are optional
+                            kms_key_arn="kmsKeyArn"
+                        ),
+                        table_arn="tableArn",
+                        table_name="tableName"
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__5ba4e02b348fb368852d2eaf89da64d6c5432c39d5f771482cd73c5e29aea1d2)
+                check_type(argname="argument journal_table_configuration", value=journal_table_configuration, expected_type=type_hints["journal_table_configuration"])
+                check_type(argname="argument destination", value=destination, expected_type=type_hints["destination"])
+                check_type(argname="argument inventory_table_configuration", value=inventory_table_configuration, expected_type=type_hints["inventory_table_configuration"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "journal_table_configuration": journal_table_configuration,
+            }
+            if destination is not None:
+                self._values["destination"] = destination
+            if inventory_table_configuration is not None:
+                self._values["inventory_table_configuration"] = inventory_table_configuration
+
+        @builtins.property
+        def journal_table_configuration(
+            self,
+        ) -> typing.Union[_IResolvable_da3f097b, "CfnBucket.JournalTableConfigurationProperty"]:
+            '''The journal table configuration for a metadata configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadataconfiguration.html#cfn-s3-bucket-metadataconfiguration-journaltableconfiguration
+            '''
+            result = self._values.get("journal_table_configuration")
+            assert result is not None, "Required property 'journal_table_configuration' is missing"
+            return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnBucket.JournalTableConfigurationProperty"], result)
+
+        @builtins.property
+        def destination(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataDestinationProperty"]]:
+            '''The destination information for the S3 Metadata configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadataconfiguration.html#cfn-s3-bucket-metadataconfiguration-destination
+            '''
+            result = self._values.get("destination")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.MetadataDestinationProperty"]], result)
+
+        @builtins.property
+        def inventory_table_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.InventoryTableConfigurationProperty"]]:
+            '''The inventory table configuration for a metadata configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadataconfiguration.html#cfn-s3-bucket-metadataconfiguration-inventorytableconfiguration
+            '''
+            result = self._values.get("inventory_table_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.InventoryTableConfigurationProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "MetadataConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.MetadataDestinationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "table_bucket_type": "tableBucketType",
+            "table_bucket_arn": "tableBucketArn",
+            "table_namespace": "tableNamespace",
+        },
+    )
+    class MetadataDestinationProperty:
+        def __init__(
+            self,
+            *,
+            table_bucket_type: builtins.str,
+            table_bucket_arn: typing.Optional[builtins.str] = None,
+            table_namespace: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''The destination information for the S3 Metadata configuration.
+
+            :param table_bucket_type: The type of the table bucket where the metadata configuration is stored. The ``aws`` value indicates an AWS managed table bucket, and the ``customer`` value indicates a customer-managed table bucket. V2 metadata configurations are stored in AWS managed table buckets, and V1 metadata configurations are stored in customer-managed table buckets.
+            :param table_bucket_arn: The Amazon Resource Name (ARN) of the table bucket where the metadata configuration is stored.
+            :param table_namespace: The namespace in the table bucket where the metadata tables for a metadata configuration are stored.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadatadestination.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_s3 as s3
+                
+                metadata_destination_property = s3.CfnBucket.MetadataDestinationProperty(
+                    table_bucket_type="tableBucketType",
+                
+                    # the properties below are optional
+                    table_bucket_arn="tableBucketArn",
+                    table_namespace="tableNamespace"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__22a357b76c39088e89c9805c6e3fd369bf83472fbcec37ad505b7803d1960e7e)
+                check_type(argname="argument table_bucket_type", value=table_bucket_type, expected_type=type_hints["table_bucket_type"])
+                check_type(argname="argument table_bucket_arn", value=table_bucket_arn, expected_type=type_hints["table_bucket_arn"])
+                check_type(argname="argument table_namespace", value=table_namespace, expected_type=type_hints["table_namespace"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "table_bucket_type": table_bucket_type,
+            }
+            if table_bucket_arn is not None:
+                self._values["table_bucket_arn"] = table_bucket_arn
+            if table_namespace is not None:
+                self._values["table_namespace"] = table_namespace
+
+        @builtins.property
+        def table_bucket_type(self) -> builtins.str:
+            '''The type of the table bucket where the metadata configuration is stored.
+
+            The ``aws`` value indicates an AWS managed table bucket, and the ``customer`` value indicates a customer-managed table bucket. V2 metadata configurations are stored in AWS managed table buckets, and V1 metadata configurations are stored in customer-managed table buckets.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadatadestination.html#cfn-s3-bucket-metadatadestination-tablebuckettype
+            '''
+            result = self._values.get("table_bucket_type")
+            assert result is not None, "Required property 'table_bucket_type' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def table_bucket_arn(self) -> typing.Optional[builtins.str]:
+            '''The Amazon Resource Name (ARN) of the table bucket where the metadata configuration is stored.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadatadestination.html#cfn-s3-bucket-metadatadestination-tablebucketarn
+            '''
+            result = self._values.get("table_bucket_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def table_namespace(self) -> typing.Optional[builtins.str]:
+            '''The namespace in the table bucket where the metadata tables for a metadata configuration are stored.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadatadestination.html#cfn-s3-bucket-metadatadestination-tablenamespace
+            '''
+            result = self._values.get("table_namespace")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "MetadataDestinationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_s3.CfnBucket.MetadataTableConfigurationProperty",
         jsii_struct_bases=[],
@@ -6719,9 +7539,11 @@ class CfnBucket(
             *,
             s3_tables_destination: typing.Union[_IResolvable_da3f097b, typing.Union["CfnBucket.S3TablesDestinationProperty", typing.Dict[builtins.str, typing.Any]]],
         ) -> None:
-            '''The metadata table configuration of an Amazon S3 general purpose bucket.
+            '''.. epigraph::
+
+   We recommend that you create your S3 Metadata configurations by using the V2 `MetadataConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.html>`_ resource type. We no longer recommend using the V1 ``MetadataTableConfiguration`` resource type. >  > If you created your S3 Metadata configuration before July 15, 2025, we recommend that you delete and re-create your configuration by using the `MetadataConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-metadataconfiguration.html>`_ resource type so that you can expire journal table records and create a live inventory table.
 
-            For more information, see `Accelerating data discovery with S3 Metadata <https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html>`_ and `Setting up permissions for configuring metadata tables <https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html>`_ .
+            Creates a V1 S3 Metadata configuration for a general purpose bucket. For more information, see `Accelerating data discovery with S3 Metadata <https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html>`_ in the *Amazon S3 User Guide* .
 
             :param s3_tables_destination: The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the ``aws_s3_metadata`` namespace in the destination table bucket.
 
@@ -6777,6 +7599,83 @@ class CfnBucket(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.MetadataTableEncryptionConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={"sse_algorithm": "sseAlgorithm", "kms_key_arn": "kmsKeyArn"},
+    )
+    class MetadataTableEncryptionConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            sse_algorithm: builtins.str,
+            kms_key_arn: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''The encryption settings for an S3 Metadata journal table or inventory table configuration.
+
+            :param sse_algorithm: The encryption type specified for a metadata table. To specify server-side encryption with AWS Key Management Service ( AWS KMS ) keys (SSE-KMS), use the ``aws:kms`` value. To specify server-side encryption with Amazon S3 managed keys (SSE-S3), use the ``AES256`` value.
+            :param kms_key_arn: If server-side encryption with AWS Key Management Service ( AWS KMS ) keys (SSE-KMS) is specified, you must also specify the KMS key Amazon Resource Name (ARN). You must specify a customer-managed KMS key that's located in the same Region as the general purpose bucket that corresponds to the metadata table configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadatatableencryptionconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_s3 as s3
+                
+                metadata_table_encryption_configuration_property = s3.CfnBucket.MetadataTableEncryptionConfigurationProperty(
+                    sse_algorithm="sseAlgorithm",
+                
+                    # the properties below are optional
+                    kms_key_arn="kmsKeyArn"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__638725ba5e16c7545010085fee3839279059f8036e3a36e81a6da12f68c3c96d)
+                check_type(argname="argument sse_algorithm", value=sse_algorithm, expected_type=type_hints["sse_algorithm"])
+                check_type(argname="argument kms_key_arn", value=kms_key_arn, expected_type=type_hints["kms_key_arn"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "sse_algorithm": sse_algorithm,
+            }
+            if kms_key_arn is not None:
+                self._values["kms_key_arn"] = kms_key_arn
+
+        @builtins.property
+        def sse_algorithm(self) -> builtins.str:
+            '''The encryption type specified for a metadata table.
+
+            To specify server-side encryption with AWS Key Management Service ( AWS KMS ) keys (SSE-KMS), use the ``aws:kms`` value. To specify server-side encryption with Amazon S3 managed keys (SSE-S3), use the ``AES256`` value.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadatatableencryptionconfiguration.html#cfn-s3-bucket-metadatatableencryptionconfiguration-ssealgorithm
+            '''
+            result = self._values.get("sse_algorithm")
+            assert result is not None, "Required property 'sse_algorithm' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def kms_key_arn(self) -> typing.Optional[builtins.str]:
+            '''If server-side encryption with AWS Key Management Service ( AWS KMS ) keys (SSE-KMS) is specified, you must also specify the KMS key Amazon Resource Name (ARN).
+
+            You must specify a customer-managed KMS key that's located in the same Region as the general purpose bucket that corresponds to the metadata table configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-metadatatableencryptionconfiguration.html#cfn-s3-bucket-metadatatableencryptionconfiguration-kmskeyarn
+            '''
+            result = self._values.get("kms_key_arn")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "MetadataTableEncryptionConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_s3.CfnBucket.MetricsConfigurationProperty",
         jsii_struct_bases=[],
@@ -7935,12 +8834,87 @@ class CfnBucket(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.NotificationFilterProperty"]]:
             '''The filtering rules that determine which objects trigger notifications.
 
-            For example, you can create a filter so that Amazon S3 sends notifications only when image files with a ``.jpg`` extension are added to the bucket. For more information, see `Configuring event notifications using object key name filtering <https://docs.aws.amazon.com/AmazonS3/latest/user-guide/notification-how-to-filtering.html>`_ in the *Amazon S3 User Guide* .
+            For example, you can create a filter so that Amazon S3 sends notifications only when image files with a ``.jpg`` extension are added to the bucket. For more information, see `Configuring event notifications using object key name filtering <https://docs.aws.amazon.com/AmazonS3/latest/user-guide/notification-how-to-filtering.html>`_ in the *Amazon S3 User Guide* .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-queueconfiguration.html#cfn-s3-bucket-queueconfiguration-filter
+            '''
+            result = self._values.get("filter")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.NotificationFilterProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "QueueConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_s3.CfnBucket.RecordExpirationProperty",
+        jsii_struct_bases=[],
+        name_mapping={"expiration": "expiration", "days": "days"},
+    )
+    class RecordExpirationProperty:
+        def __init__(
+            self,
+            *,
+            expiration: builtins.str,
+            days: typing.Optional[jsii.Number] = None,
+        ) -> None:
+            '''The journal table record expiration settings for a journal table in an S3 Metadata configuration.
+
+            :param expiration: Specifies whether journal table record expiration is enabled or disabled.
+            :param days: If you enable journal table record expiration, you can set the number of days to retain your journal table records. Journal table records must be retained for a minimum of 7 days. To set this value, specify any whole number from ``7`` to ``2147483647`` . For example, to retain your journal table records for one year, set this value to ``365`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-recordexpiration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_s3 as s3
+                
+                record_expiration_property = s3.CfnBucket.RecordExpirationProperty(
+                    expiration="expiration",
+                
+                    # the properties below are optional
+                    days=123
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__ced4e05e0d07a000e813825522beab4af447ff67164c61600ff7eb3b0afab28c)
+                check_type(argname="argument expiration", value=expiration, expected_type=type_hints["expiration"])
+                check_type(argname="argument days", value=days, expected_type=type_hints["days"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "expiration": expiration,
+            }
+            if days is not None:
+                self._values["days"] = days
+
+        @builtins.property
+        def expiration(self) -> builtins.str:
+            '''Specifies whether journal table record expiration is enabled or disabled.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-recordexpiration.html#cfn-s3-bucket-recordexpiration-expiration
+            '''
+            result = self._values.get("expiration")
+            assert result is not None, "Required property 'expiration' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def days(self) -> typing.Optional[jsii.Number]:
+            '''If you enable journal table record expiration, you can set the number of days to retain your journal table records.
 
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-queueconfiguration.html#cfn-s3-bucket-queueconfiguration-filter
+            Journal table records must be retained for a minimum of 7 days. To set this value, specify any whole number from ``7`` to ``2147483647`` . For example, to retain your journal table records for one year, set this value to ``365`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-recordexpiration.html#cfn-s3-bucket-recordexpiration-days
             '''
-            result = self._values.get("filter")
-            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnBucket.NotificationFilterProperty"]], result)
+            result = self._values.get("days")
+            return typing.cast(typing.Optional[jsii.Number], result)
 
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -7949,7 +8923,7 @@ class CfnBucket(
             return not (rhs == self)
 
         def __repr__(self) -> str:
-            return "QueueConfigurationProperty(%s)" % ", ".join(
+            return "RecordExpirationProperty(%s)" % ", ".join(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
@@ -8390,7 +9364,7 @@ class CfnBucket(
             :param encryption_configuration: Specifies encryption-related information.
             :param metrics: A container specifying replication metrics-related settings enabling replication metrics and events.
             :param replication_time: A container specifying S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. Must be specified together with a ``Metrics`` block.
-            :param storage_class: The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. For valid values, see the ``StorageClass`` element of the `PUT Bucket replication <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html>`_ action in the *Amazon S3 API Reference* .
+            :param storage_class: The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. For valid values, see the ``StorageClass`` element of the `PUT Bucket replication <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html>`_ action in the *Amazon S3 API Reference* . ``FSX_OPENZFS`` is not an accepted value when replicating objects.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationdestination.html
             :exampleMetadata: fixture=_generated
@@ -8533,6 +9507,8 @@ class CfnBucket(
 
             For valid values, see the ``StorageClass`` element of the `PUT Bucket replication <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html>`_ action in the *Amazon S3 API Reference* .
 
+            ``FSX_OPENZFS`` is not an accepted value when replicating objects.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationdestination.html#cfn-s3-bucket-replicationdestination-storageclass
             '''
             result = self._values.get("storage_class")
@@ -9146,7 +10122,7 @@ class CfnBucket(
             For example, 1. If request is for pages in the ``/docs`` folder, redirect to the ``/documents`` folder. 2. If request results in HTTP error 4xx, redirect request to another host where you might process the error.
 
             :param http_error_code_returned_equals: The HTTP error code when the redirect is applied. In the event of an error, if the error code equals this value, then the specified redirect is applied. Required when parent element ``Condition`` is specified and sibling ``KeyPrefixEquals`` is not specified. If both are specified, then both must be true for the redirect to be applied.
-            :param key_prefix_equals: The object key name prefix when the redirect is applied. For example, to redirect requests for ``ExamplePage.html`` , the key prefix will be ``ExamplePage.html`` . To redirect request for all pages with the prefix ``docs/`` , the key prefix will be ``/docs`` , which identifies all objects in the docs/ folder. Required when the parent element ``Condition`` is specified and sibling ``HttpErrorCodeReturnedEquals`` is not specified. If both conditions are specified, both must be true for the redirect to be applied.
+            :param key_prefix_equals: The object key name prefix when the redirect is applied. For example, to redirect requests for ``ExamplePage.html`` , the key prefix will be ``ExamplePage.html`` . To redirect request for all pages with the prefix ``docs/`` , the key prefix will be ``docs/`` , which identifies all objects in the docs/ folder. Required when the parent element ``Condition`` is specified and sibling ``HttpErrorCodeReturnedEquals`` is not specified. If both conditions are specified, both must be true for the redirect to be applied.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-routingrulecondition.html
             :exampleMetadata: fixture=_generated
@@ -9189,7 +10165,7 @@ class CfnBucket(
         def key_prefix_equals(self) -> typing.Optional[builtins.str]:
             '''The object key name prefix when the redirect is applied.
 
-            For example, to redirect requests for ``ExamplePage.html`` , the key prefix will be ``ExamplePage.html`` . To redirect request for all pages with the prefix ``docs/`` , the key prefix will be ``/docs`` , which identifies all objects in the docs/ folder.
+            For example, to redirect requests for ``ExamplePage.html`` , the key prefix will be ``ExamplePage.html`` . To redirect request for all pages with the prefix ``docs/`` , the key prefix will be ``docs/`` , which identifies all objects in the docs/ folder.
 
             Required when the parent element ``Condition`` is specified and sibling ``HttpErrorCodeReturnedEquals`` is not specified. If both conditions are specified, both must be true for the redirect to be applied.
 
@@ -9769,7 +10745,7 @@ class CfnBucket(
             table_arn: typing.Optional[builtins.str] = None,
             table_namespace: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''The destination information for the metadata table configuration.
+            '''The destination information for a V1 S3 Metadata configuration.
 
             The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the ``aws_s3_metadata`` namespace in the destination table bucket.
 
@@ -10699,9 +11675,12 @@ class CfnBucket(
             '''Describes the versioning state of an Amazon S3 bucket.
 
             For more information, see `PUT Bucket versioning <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTVersioningStatus.html>`_ in the *Amazon S3 API Reference* .
-            .. epigraph::
 
-               When you enable versioning on a bucket for the first time, it might take a short amount of time for the change to be fully propagated. We recommend that you wait for 15 minutes after enabling versioning before issuing write operations ( ``PUT`` or ``DELETE`` ) on objects in the bucket.
+            Keep the following timing in mind when enabling, suspending, or transitioning between versioning states:
+
+            - *Enabling versioning* - Changes may take up to 15 minutes to propagate across all AWS regions for full consistency.
+            - *Suspending versioning* - Takes effect immediately with no propagation delay.
+            - *Transitioning between states* - Any change from Suspended to Enabled has a 15-minute delay.
 
             :param status: The versioning state of the bucket. Default: - "Suspended"
 
@@ -10881,7 +11860,7 @@ class CfnBucket(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IBucketPolicyRef_8ee2499d)
 class CfnBucketPolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -10896,7 +11875,7 @@ class CfnBucketPolicy(
 
        As a security precaution, the root user of the AWS account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action.
 
-    When using the ``AWS::S3::BucketPolicy`` resource, you can create, update, and delete bucket policies for S3 buckets located in regions different from the stack's region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
+    When using the ``AWS::S3::BucketPolicy`` resource, you can create, update, and delete bucket policies for S3 buckets located in Regions that are different from the stack's Region. However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or ``us-east-1`` Region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
     .. epigraph::
 
        If the `DeletionPolicy attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html>`_ is not specified or set to ``Delete`` , the bucket policy will be removed when the stack is deleted. If set to ``Retain`` , the bucket policy will be preserved even after the stack is deleted.
@@ -10956,7 +11935,8 @@ class CfnBucketPolicy(
         bucket: builtins.str,
         policy_document: typing.Any,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::BucketPolicy``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param bucket: The name of the Amazon S3 bucket to which the policy applies.
@@ -11000,6 +11980,12 @@ class CfnBucketPolicy(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="bucketPolicyRef")
+    def bucket_policy_ref(self) -> _BucketPolicyReference_3414f1e3:
+        '''A reference to a BucketPolicy resource.'''
+        return typing.cast(_BucketPolicyReference_3414f1e3, jsii.get(self, "bucketPolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -11137,6 +12123,7 @@ class CfnBucketPolicyProps:
         "inventory_configurations": "inventoryConfigurations",
         "lifecycle_configuration": "lifecycleConfiguration",
         "logging_configuration": "loggingConfiguration",
+        "metadata_configuration": "metadataConfiguration",
         "metadata_table_configuration": "metadataTableConfiguration",
         "metrics_configurations": "metricsConfigurations",
         "notification_configuration": "notificationConfiguration",
@@ -11164,6 +12151,7 @@ class CfnBucketProps:
         inventory_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.InventoryConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         lifecycle_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.LifecycleConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         logging_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.LoggingConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+        metadata_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         metadata_table_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataTableConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         metrics_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetricsConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
         notification_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.NotificationConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -11185,13 +12173,14 @@ class CfnBucketProps:
         :param bucket_name: A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow `Amazon S3 bucket restrictions and limitations <https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html>`_ . For more information, see `Rules for naming Amazon S3 buckets <https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html>`_ in the *Amazon S3 User Guide* . .. epigraph:: If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.
         :param cors_configuration: Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see `Enabling Cross-Origin Resource Sharing <https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html>`_ in the *Amazon S3 User Guide* .
         :param intelligent_tiering_configurations: Defines how Amazon S3 handles Intelligent-Tiering storage.
-        :param inventory_configurations: Specifies the inventory configuration for an Amazon S3 bucket. For more information, see `GET Bucket inventory <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html>`_ in the *Amazon S3 API Reference* .
+        :param inventory_configurations: Specifies the S3 Inventory configuration for an Amazon S3 bucket. For more information, see `GET Bucket inventory <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html>`_ in the *Amazon S3 API Reference* .
         :param lifecycle_configuration: Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see `Object Lifecycle Management <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html>`_ in the *Amazon S3 User Guide* .
         :param logging_configuration: Settings that define where logs are stored.
+        :param metadata_configuration: The S3 Metadata configuration for a general purpose bucket.
         :param metadata_table_configuration: The metadata table configuration of an Amazon S3 general purpose bucket.
         :param metrics_configurations: Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you're updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don't include the elements you want to keep, they are erased. For more information, see `PutBucketMetricsConfiguration <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html>`_ .
         :param notification_configuration: Configuration that defines how Amazon S3 handles bucket notifications.
-        :param object_lock_configuration: .. epigraph:: This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ .
+        :param object_lock_configuration: .. epigraph:: This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see `Locking Objects <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html>`_ . .. epigraph:: - The ``DefaultRetention`` settings require both a mode and a period. - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time. - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ . > You must URL encode any signed header values that contain spaces. For example, if your header value is ``my file.txt`` , containing two spaces after ``my`` , you must URL encode this value to ``my%20%20file.txt`` .
         :param object_lock_enabled: Indicates whether this bucket has an Object Lock configuration enabled. Enable ``ObjectLockEnabled`` when you apply ``ObjectLockConfiguration`` to a bucket.
         :param ownership_controls: Configuration that defines how Amazon S3 handles Object Ownership rules.
         :param public_access_block_configuration: Configuration that defines how Amazon S3 handles public access.
@@ -11227,6 +12216,7 @@ class CfnBucketProps:
             check_type(argname="argument inventory_configurations", value=inventory_configurations, expected_type=type_hints["inventory_configurations"])
             check_type(argname="argument lifecycle_configuration", value=lifecycle_configuration, expected_type=type_hints["lifecycle_configuration"])
             check_type(argname="argument logging_configuration", value=logging_configuration, expected_type=type_hints["logging_configuration"])
+            check_type(argname="argument metadata_configuration", value=metadata_configuration, expected_type=type_hints["metadata_configuration"])
             check_type(argname="argument metadata_table_configuration", value=metadata_table_configuration, expected_type=type_hints["metadata_table_configuration"])
             check_type(argname="argument metrics_configurations", value=metrics_configurations, expected_type=type_hints["metrics_configurations"])
             check_type(argname="argument notification_configuration", value=notification_configuration, expected_type=type_hints["notification_configuration"])
@@ -11259,6 +12249,8 @@ class CfnBucketProps:
             self._values["lifecycle_configuration"] = lifecycle_configuration
         if logging_configuration is not None:
             self._values["logging_configuration"] = logging_configuration
+        if metadata_configuration is not None:
+            self._values["metadata_configuration"] = metadata_configuration
         if metadata_table_configuration is not None:
             self._values["metadata_table_configuration"] = metadata_table_configuration
         if metrics_configurations is not None:
@@ -11380,7 +12372,7 @@ class CfnBucketProps:
     def inventory_configurations(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnBucket.InventoryConfigurationProperty]]]]:
-        '''Specifies the inventory configuration for an Amazon S3 bucket.
+        '''Specifies the S3 Inventory configuration for an Amazon S3 bucket.
 
         For more information, see `GET Bucket inventory <https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html>`_ in the *Amazon S3 API Reference* .
 
@@ -11413,6 +12405,17 @@ class CfnBucketProps:
         result = self._values.get("logging_configuration")
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnBucket.LoggingConfigurationProperty]], result)
 
+    @builtins.property
+    def metadata_configuration(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnBucket.MetadataConfigurationProperty]]:
+        '''The S3 Metadata configuration for a general purpose bucket.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-metadataconfiguration
+        '''
+        result = self._values.get("metadata_configuration")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnBucket.MetadataConfigurationProperty]], result)
+
     @builtins.property
     def metadata_table_configuration(
         self,
@@ -11461,7 +12464,7 @@ class CfnBucketProps:
 
            - The ``DefaultRetention`` settings require both a mode and a period.
            - The ``DefaultRetention`` period can be either ``Days`` or ``Years`` but you must select one. You cannot specify ``Days`` and ``Years`` at the same time.
-           - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ .
+           - You can enable Object Lock for new or existing buckets. For more information, see `Configuring Object Lock <https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-configure.html>`_ . > You must URL encode any signed header values that contain spaces. For example, if your header value is ``my file.txt`` , containing two spaces after ``my`` , you must URL encode this value to ``my%20%20file.txt`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html#cfn-s3-bucket-objectlockconfiguration
         '''
@@ -11568,7 +12571,7 @@ class CfnBucketProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IMultiRegionAccessPointRef_b814832f)
 class CfnMultiRegionAccessPoint(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -11616,7 +12619,8 @@ class CfnMultiRegionAccessPoint(
         name: typing.Optional[builtins.str] = None,
         public_access_block_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnMultiRegionAccessPoint.PublicAccessBlockConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::MultiRegionAccessPoint``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param regions: A collection of the Regions and buckets associated with the Multi-Region Access Point.
@@ -11690,6 +12694,14 @@ class CfnMultiRegionAccessPoint(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="multiRegionAccessPointRef")
+    def multi_region_access_point_ref(
+        self,
+    ) -> _MultiRegionAccessPointReference_590848b5:
+        '''A reference to a MultiRegionAccessPoint resource.'''
+        return typing.cast(_MultiRegionAccessPointReference_590848b5, jsii.get(self, "multiRegionAccessPointRef"))
+
     @builtins.property
     @jsii.member(jsii_name="regions")
     def regions(
@@ -11948,7 +12960,7 @@ class CfnMultiRegionAccessPoint(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IMultiRegionAccessPointPolicyRef_2e4f5aa6)
 class CfnMultiRegionAccessPointPolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -11984,7 +12996,8 @@ class CfnMultiRegionAccessPointPolicy(
         mrap_name: builtins.str,
         policy: typing.Any,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::MultiRegionAccessPointPolicy``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param mrap_name: The name of the Multi-Region Access Point.
@@ -12053,6 +13066,14 @@ class CfnMultiRegionAccessPointPolicy(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="multiRegionAccessPointPolicyRef")
+    def multi_region_access_point_policy_ref(
+        self,
+    ) -> _MultiRegionAccessPointPolicyReference_f5654e86:
+        '''A reference to a MultiRegionAccessPointPolicy resource.'''
+        return typing.cast(_MultiRegionAccessPointPolicyReference_f5654e86, jsii.get(self, "multiRegionAccessPointPolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="mrapName")
     def mrap_name(self) -> builtins.str:
@@ -12312,7 +13333,7 @@ class CfnMultiRegionAccessPointProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IStorageLensRef_a99bd868, _ITaggable_36806126)
 class CfnStorageLens(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -12434,7 +13455,8 @@ class CfnStorageLens(
         storage_lens_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnStorageLens.StorageLensConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::StorageLens``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param storage_lens_configuration: This resource contains the details Amazon S3 Storage Lens configuration.
@@ -12496,6 +13518,12 @@ class CfnStorageLens(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="storageLensRef")
+    def storage_lens_ref(self) -> _StorageLensReference_cc81afb5:
+        '''A reference to a StorageLens resource.'''
+        return typing.cast(_StorageLensReference_cc81afb5, jsii.get(self, "storageLensRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -14303,7 +15331,7 @@ class CfnStorageLens(
             )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+@jsii.implements(_IInspectable_c2943556, _IStorageLensGroupRef_aa787427, _ITaggableV2_4e6798f8)
 class CfnStorageLensGroup(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -14391,7 +15419,8 @@ class CfnStorageLensGroup(
         name: builtins.str,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::S3::StorageLensGroup``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param filter: This property contains the criteria for the Storage Lens group data that is displayed.
@@ -14456,6 +15485,12 @@ class CfnStorageLensGroup(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="storageLensGroupRef")
+    def storage_lens_group_ref(self) -> _StorageLensGroupReference_c117a5a4:
+        '''A reference to a StorageLensGroup resource.'''
+        return typing.cast(_StorageLensGroupReference_c117a5a4, jsii.get(self, "storageLensGroupRef"))
+
     @builtins.property
     @jsii.member(jsii_name="filter")
     def filter(
@@ -15717,71 +16752,281 @@ class EventType(enum.Enum):
     OBJECT_RESTORE_DELETE = "OBJECT_RESTORE_DELETE"
     '''Using restore object event types you can receive notifications for initiation and completion when restoring objects from the S3 Glacier storage class.
 
-    You use s3:ObjectRestore:Delete to request notification of
-    restoration completion.
-    '''
-    REDUCED_REDUNDANCY_LOST_OBJECT = "REDUCED_REDUNDANCY_LOST_OBJECT"
-    '''You can use this event type to request Amazon S3 to send a notification message when Amazon S3 detects that an object of the RRS storage class is lost.'''
-    REPLICATION_OPERATION_FAILED_REPLICATION = "REPLICATION_OPERATION_FAILED_REPLICATION"
-    '''You receive this notification event when an object that was eligible for replication using Amazon S3 Replication Time Control failed to replicate.'''
-    REPLICATION_OPERATION_MISSED_THRESHOLD = "REPLICATION_OPERATION_MISSED_THRESHOLD"
-    '''You receive this notification event when an object that was eligible for replication using Amazon S3 Replication Time Control exceeded the 15-minute threshold for replication.'''
-    REPLICATION_OPERATION_REPLICATED_AFTER_THRESHOLD = "REPLICATION_OPERATION_REPLICATED_AFTER_THRESHOLD"
-    '''You receive this notification event for an object that was eligible for replication using the Amazon S3 Replication Time Control feature replicated after the 15-minute threshold.'''
-    REPLICATION_OPERATION_NOT_TRACKED = "REPLICATION_OPERATION_NOT_TRACKED"
-    '''You receive this notification event for an object that was eligible for replication using Amazon S3 Replication Time Control but is no longer tracked by replication metrics.'''
-    LIFECYCLE_EXPIRATION = "LIFECYCLE_EXPIRATION"
-    '''By using the LifecycleExpiration event types, you can receive a notification when Amazon S3 deletes an object based on your S3 Lifecycle configuration.'''
-    LIFECYCLE_EXPIRATION_DELETE = "LIFECYCLE_EXPIRATION_DELETE"
-    '''The s3:LifecycleExpiration:Delete event type notifies you when an object in an unversioned bucket is deleted.
+    You use s3:ObjectRestore:Delete to request notification of
+    restoration completion.
+    '''
+    REDUCED_REDUNDANCY_LOST_OBJECT = "REDUCED_REDUNDANCY_LOST_OBJECT"
+    '''You can use this event type to request Amazon S3 to send a notification message when Amazon S3 detects that an object of the RRS storage class is lost.'''
+    REPLICATION_OPERATION_FAILED_REPLICATION = "REPLICATION_OPERATION_FAILED_REPLICATION"
+    '''You receive this notification event when an object that was eligible for replication using Amazon S3 Replication Time Control failed to replicate.'''
+    REPLICATION_OPERATION_MISSED_THRESHOLD = "REPLICATION_OPERATION_MISSED_THRESHOLD"
+    '''You receive this notification event when an object that was eligible for replication using Amazon S3 Replication Time Control exceeded the 15-minute threshold for replication.'''
+    REPLICATION_OPERATION_REPLICATED_AFTER_THRESHOLD = "REPLICATION_OPERATION_REPLICATED_AFTER_THRESHOLD"
+    '''You receive this notification event for an object that was eligible for replication using the Amazon S3 Replication Time Control feature replicated after the 15-minute threshold.'''
+    REPLICATION_OPERATION_NOT_TRACKED = "REPLICATION_OPERATION_NOT_TRACKED"
+    '''You receive this notification event for an object that was eligible for replication using Amazon S3 Replication Time Control but is no longer tracked by replication metrics.'''
+    LIFECYCLE_EXPIRATION = "LIFECYCLE_EXPIRATION"
+    '''By using the LifecycleExpiration event types, you can receive a notification when Amazon S3 deletes an object based on your S3 Lifecycle configuration.'''
+    LIFECYCLE_EXPIRATION_DELETE = "LIFECYCLE_EXPIRATION_DELETE"
+    '''The s3:LifecycleExpiration:Delete event type notifies you when an object in an unversioned bucket is deleted.
+
+    It also notifies you when an object version is permanently deleted by an
+    S3 Lifecycle configuration.
+    '''
+    LIFECYCLE_EXPIRATION_DELETE_MARKER_CREATED = "LIFECYCLE_EXPIRATION_DELETE_MARKER_CREATED"
+    '''The s3:LifecycleExpiration:DeleteMarkerCreated event type notifies you when S3 Lifecycle creates a delete marker when a current version of an object in versioned bucket is deleted.'''
+    LIFECYCLE_TRANSITION = "LIFECYCLE_TRANSITION"
+    '''You receive this notification event when an object is transitioned to another Amazon S3 storage class by an S3 Lifecycle configuration.'''
+    INTELLIGENT_TIERING = "INTELLIGENT_TIERING"
+    '''You receive this notification event when an object within the S3 Intelligent-Tiering storage class moved to the Archive Access tier or Deep Archive Access tier.'''
+    OBJECT_TAGGING = "OBJECT_TAGGING"
+    '''By using the ObjectTagging event types, you can enable notification when an object tag is added or deleted from an object.'''
+    OBJECT_TAGGING_PUT = "OBJECT_TAGGING_PUT"
+    '''The s3:ObjectTagging:Put event type notifies you when a tag is PUT on an object or an existing tag is updated.'''
+    OBJECT_TAGGING_DELETE = "OBJECT_TAGGING_DELETE"
+    '''The s3:ObjectTagging:Delete event type notifies you when a tag is removed from an object.'''
+    OBJECT_ACL_PUT = "OBJECT_ACL_PUT"
+    '''You receive this notification event when an ACL is PUT on an object or when an existing ACL is changed.
+
+    An event is not generated when a request results in no change to an
+    object’s ACL.
+    '''
+    OBJECT_RESTORE = "OBJECT_RESTORE"
+    '''Using restore object event types you can receive notifications for initiation and completion when restoring objects from the S3 Glacier storage class.
+
+    You use s3:ObjectRestore:* to request notification of
+    any restoration event.
+    '''
+    REPLICATION = "REPLICATION"
+    '''You receive this notification event for any object replication event.'''
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_s3.Filter",
+    jsii_struct_bases=[],
+    name_mapping={"prefix": "prefix", "tags": "tags"},
+)
+class Filter:
+    def __init__(
+        self,
+        *,
+        prefix: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union["Tag", typing.Dict[builtins.str, typing.Any]]]] = None,
+    ) -> None:
+        '''A filter that identifies the subset of objects to which the replication rule applies.
+
+        :param prefix: An object key name prefix that identifies the object or objects to which the rule applies. Default: - applies to all objects
+        :param tags: The tag array used for tag filters. The rule applies only to objects that have the tag in this set. Default: - applies to all objects
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # destination_bucket1: s3.IBucket
+            # destination_bucket2: s3.IBucket
+            # replication_role: iam.IRole
+            # encryption_key: kms.IKey
+            # destination_encryption_key: kms.IKey
+            
+            
+            source_bucket = s3.Bucket(self, "SourceBucket",
+                # Versioning must be enabled on both the source and destination bucket
+                versioned=True,
+                # Optional. Specify the KMS key to use for encrypts objects in the source bucket.
+                encryption_key=encryption_key,
+                # Optional. If not specified, a new role will be created.
+                replication_role=replication_role,
+                replication_rules=[s3.ReplicationRule(
+                    # The destination bucket for the replication rule.
+                    destination=destination_bucket1,
+                    # The priority of the rule.
+                    # Amazon S3 will attempt to replicate objects according to all replication rules.
+                    # However, if there are two or more rules with the same destination bucket, then objects will be replicated according to the rule with the highest priority.
+                    # The higher the number, the higher the priority.
+                    # It is essential to specify priority explicitly when the replication configuration has multiple rules.
+                    priority=1
+                ), s3.ReplicationRule(
+                    destination=destination_bucket2,
+                    priority=2,
+                    # Whether to specify S3 Replication Time Control (S3 RTC).
+                    # S3 RTC replicates most objects that you upload to Amazon S3 in seconds,
+                    # and 99.99 percent of those objects within specified time.
+                    replication_time_control=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+                    # Whether to enable replication metrics about S3 RTC.
+                    # If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
+                    metrics=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
+                    # The kms key to use for the destination bucket.
+                    kms_key=destination_encryption_key,
+                    # The storage class to use for the destination bucket.
+                    storage_class=s3.StorageClass.INFREQUENT_ACCESS,
+                    # Whether to replicate objects with SSE-KMS encryption.
+                    sse_kms_encrypted_objects=False,
+                    # Whether to replicate modifications on replicas.
+                    replica_modifications=True,
+                    # Whether to replicate delete markers.
+                    # This property cannot be enabled if the replication rule has a tag filter.
+                    delete_marker_replication=False,
+                    # The ID of the rule.
+                    id="full-settings-rule",
+                    # The object filter for the rule.
+                    filter=s3.Filter(
+                        # The prefix filter for the rule.
+                        prefix="prefix",
+                        # The tag filter for the rule.
+                        tags=[s3.Tag(
+                            key="tagKey",
+                            value="tagValue"
+                        )
+                        ]
+                    )
+                )
+                ]
+            )
+            
+            # Grant permissions to the replication role.
+            # This method is not required if you choose to use an auto-generated replication role or manually grant permissions.
+            source_bucket.grant_replication_permission(replication_role,
+                # Optional. Specify the KMS key to use for decrypting objects in the source bucket.
+                source_decryption_key=encryption_key,
+                destinations=[s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket1), s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket2, encryption_key=destination_encryption_key)
+                ]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ff4b8a813f6812ab1464fced92fa61b97e151767705973ce994c0970fde139df)
+            check_type(argname="argument prefix", value=prefix, expected_type=type_hints["prefix"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if prefix is not None:
+            self._values["prefix"] = prefix
+        if tags is not None:
+            self._values["tags"] = tags
+
+    @builtins.property
+    def prefix(self) -> typing.Optional[builtins.str]:
+        '''An object key name prefix that identifies the object or objects to which the rule applies.
+
+        :default: - applies to all objects
+        '''
+        result = self._values.get("prefix")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List["Tag"]]:
+        '''The tag array used for tag filters.
+
+        The rule applies only to objects that have the tag in this set.
+
+        :default: - applies to all objects
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List["Tag"]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "Filter(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_s3.GrantReplicationPermissionDestinationProps",
+    jsii_struct_bases=[],
+    name_mapping={"bucket": "bucket", "encryption_key": "encryptionKey"},
+)
+class GrantReplicationPermissionDestinationProps:
+    def __init__(
+        self,
+        *,
+        bucket: "IBucket",
+        encryption_key: typing.Optional[_IKey_5f11635f] = None,
+    ) -> None:
+        '''The properties for the destination bucket for granting replication permission.
+
+        :param bucket: The destination bucket.
+        :param encryption_key: The KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key. Default: - no KMS key is used for replication.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_kms as kms
+            from aws_cdk import aws_s3 as s3
+            
+            # bucket: s3.Bucket
+            # key: kms.Key
+            
+            grant_replication_permission_destination_props = s3.GrantReplicationPermissionDestinationProps(
+                bucket=bucket,
+            
+                # the properties below are optional
+                encryption_key=key
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__c28989eb119121ac7809e78ba2038558e14755021078bf7d97f894b34bc3311a)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument encryption_key", value=encryption_key, expected_type=type_hints["encryption_key"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "bucket": bucket,
+        }
+        if encryption_key is not None:
+            self._values["encryption_key"] = encryption_key
+
+    @builtins.property
+    def bucket(self) -> "IBucket":
+        '''The destination bucket.'''
+        result = self._values.get("bucket")
+        assert result is not None, "Required property 'bucket' is missing"
+        return typing.cast("IBucket", result)
+
+    @builtins.property
+    def encryption_key(self) -> typing.Optional[_IKey_5f11635f]:
+        '''The KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key.
+
+        :default: - no KMS key is used for replication.
+        '''
+        result = self._values.get("encryption_key")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
 
-    It also notifies you when an object version is permanently deleted by an
-    S3 Lifecycle configuration.
-    '''
-    LIFECYCLE_EXPIRATION_DELETE_MARKER_CREATED = "LIFECYCLE_EXPIRATION_DELETE_MARKER_CREATED"
-    '''The s3:LifecycleExpiration:DeleteMarkerCreated event type notifies you when S3 Lifecycle creates a delete marker when a current version of an object in versioned bucket is deleted.'''
-    LIFECYCLE_TRANSITION = "LIFECYCLE_TRANSITION"
-    '''You receive this notification event when an object is transitioned to another Amazon S3 storage class by an S3 Lifecycle configuration.'''
-    INTELLIGENT_TIERING = "INTELLIGENT_TIERING"
-    '''You receive this notification event when an object within the S3 Intelligent-Tiering storage class moved to the Archive Access tier or Deep Archive Access tier.'''
-    OBJECT_TAGGING = "OBJECT_TAGGING"
-    '''By using the ObjectTagging event types, you can enable notification when an object tag is added or deleted from an object.'''
-    OBJECT_TAGGING_PUT = "OBJECT_TAGGING_PUT"
-    '''The s3:ObjectTagging:Put event type notifies you when a tag is PUT on an object or an existing tag is updated.'''
-    OBJECT_TAGGING_DELETE = "OBJECT_TAGGING_DELETE"
-    '''The s3:ObjectTagging:Delete event type notifies you when a tag is removed from an object.'''
-    OBJECT_ACL_PUT = "OBJECT_ACL_PUT"
-    '''You receive this notification event when an ACL is PUT on an object or when an existing ACL is changed.
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
 
-    An event is not generated when a request results in no change to an
-    object’s ACL.
-    '''
-    OBJECT_RESTORE = "OBJECT_RESTORE"
-    '''Using restore object event types you can receive notifications for initiation and completion when restoring objects from the S3 Glacier storage class.
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
 
-    You use s3:ObjectRestore:* to request notification of
-    any restoration event.
-    '''
-    REPLICATION = "REPLICATION"
-    '''You receive this notification event for any object replication event.'''
+    def __repr__(self) -> str:
+        return "GrantReplicationPermissionDestinationProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
 
 
 @jsii.data_type(
-    jsii_type="aws-cdk-lib.aws_s3.Filter",
+    jsii_type="aws-cdk-lib.aws_s3.GrantReplicationPermissionProps",
     jsii_struct_bases=[],
-    name_mapping={"prefix": "prefix", "tags": "tags"},
+    name_mapping={
+        "destinations": "destinations",
+        "source_decryption_key": "sourceDecryptionKey",
+    },
 )
-class Filter:
+class GrantReplicationPermissionProps:
     def __init__(
         self,
         *,
-        prefix: typing.Optional[builtins.str] = None,
-        tags: typing.Optional[typing.Sequence[typing.Union["Tag", typing.Dict[builtins.str, typing.Any]]]] = None,
+        destinations: typing.Sequence[typing.Union[GrantReplicationPermissionDestinationProps, typing.Dict[builtins.str, typing.Any]]],
+        source_decryption_key: typing.Optional[_IKey_5f11635f] = None,
     ) -> None:
-        '''A filter that identifies the subset of objects to which the replication rule applies.
+        '''The properties for the destination bucket for granting replication permission.
 
-        :param prefix: An object key name prefix that identifies the object or objects to which the rule applies. Default: - applies to all objects
-        :param tags: The tag array used for tag filters. The rule applies only to objects that have the tag in this set. Default: - applies to all objects
+        :param destinations: The destination buckets for replication. Specify the KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key. One or more destination buckets are required if replication configuration is enabled (i.e., ``replicationRole`` is specified). Default: - empty array (valid only if the ``replicationRole`` property is NOT specified)
+        :param source_decryption_key: The KMS key used to decrypt objects in the source bucket for replication. **Required if** the source bucket is encrypted with a customer-managed KMS key. Default: - it's assumed the source bucket is not encrypted with a customer-managed KMS key.
 
         :exampleMetadata: infused
 
@@ -15790,12 +17035,15 @@ class Filter:
             # destination_bucket1: s3.IBucket
             # destination_bucket2: s3.IBucket
             # replication_role: iam.IRole
-            # kms_key: kms.IKey
+            # encryption_key: kms.IKey
+            # destination_encryption_key: kms.IKey
             
             
             source_bucket = s3.Bucket(self, "SourceBucket",
                 # Versioning must be enabled on both the source and destination bucket
                 versioned=True,
+                # Optional. Specify the KMS key to use for encrypts objects in the source bucket.
+                encryption_key=encryption_key,
                 # Optional. If not specified, a new role will be created.
                 replication_role=replication_role,
                 replication_rules=[s3.ReplicationRule(
@@ -15818,7 +17066,7 @@ class Filter:
                     # If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
                     metrics=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
                     # The kms key to use for the destination bucket.
-                    kms_key=kms_key,
+                    kms_key=destination_encryption_key,
                     # The storage class to use for the destination bucket.
                     storage_class=s3.StorageClass.INFREQUENT_ACCESS,
                     # Whether to replicate objects with SSE-KMS encryption.
@@ -15844,36 +17092,49 @@ class Filter:
                 )
                 ]
             )
+            
+            # Grant permissions to the replication role.
+            # This method is not required if you choose to use an auto-generated replication role or manually grant permissions.
+            source_bucket.grant_replication_permission(replication_role,
+                # Optional. Specify the KMS key to use for decrypting objects in the source bucket.
+                source_decryption_key=encryption_key,
+                destinations=[s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket1), s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket2, encryption_key=destination_encryption_key)
+                ]
+            )
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__ff4b8a813f6812ab1464fced92fa61b97e151767705973ce994c0970fde139df)
-            check_type(argname="argument prefix", value=prefix, expected_type=type_hints["prefix"])
-            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {}
-        if prefix is not None:
-            self._values["prefix"] = prefix
-        if tags is not None:
-            self._values["tags"] = tags
+            type_hints = typing.get_type_hints(_typecheckingstub__892523669f29c26ab296b743291f04387d44edf1630a2288ab68d906f972d8ff)
+            check_type(argname="argument destinations", value=destinations, expected_type=type_hints["destinations"])
+            check_type(argname="argument source_decryption_key", value=source_decryption_key, expected_type=type_hints["source_decryption_key"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "destinations": destinations,
+        }
+        if source_decryption_key is not None:
+            self._values["source_decryption_key"] = source_decryption_key
 
     @builtins.property
-    def prefix(self) -> typing.Optional[builtins.str]:
-        '''An object key name prefix that identifies the object or objects to which the rule applies.
+    def destinations(self) -> typing.List[GrantReplicationPermissionDestinationProps]:
+        '''The destination buckets for replication.
 
-        :default: - applies to all objects
+        Specify the KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key.
+        One or more destination buckets are required if replication configuration is enabled (i.e., ``replicationRole`` is specified).
+
+        :default: - empty array (valid only if the ``replicationRole`` property is NOT specified)
         '''
-        result = self._values.get("prefix")
-        return typing.cast(typing.Optional[builtins.str], result)
+        result = self._values.get("destinations")
+        assert result is not None, "Required property 'destinations' is missing"
+        return typing.cast(typing.List[GrantReplicationPermissionDestinationProps], result)
 
     @builtins.property
-    def tags(self) -> typing.Optional[typing.List["Tag"]]:
-        '''The tag array used for tag filters.
+    def source_decryption_key(self) -> typing.Optional[_IKey_5f11635f]:
+        '''The KMS key used to decrypt objects in the source bucket for replication.
 
-        The rule applies only to objects that have the tag in this set.
+        **Required if** the source bucket is encrypted with a customer-managed KMS key.
 
-        :default: - applies to all objects
+        :default: - it's assumed the source bucket is not encrypted with a customer-managed KMS key.
         '''
-        result = self._values.get("tags")
-        return typing.cast(typing.Optional[typing.List["Tag"]], result)
+        result = self._values.get("source_decryption_key")
+        return typing.cast(typing.Optional[_IKey_5f11635f], result)
 
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -15882,7 +17143,7 @@ class Filter:
         return not (rhs == self)
 
     def __repr__(self) -> str:
-        return "Filter(%s)" % ", ".join(
+        return "GrantReplicationPermissionProps(%s)" % ", ".join(
             k + "=" + repr(v) for k, v in self._values.items()
         )
 
@@ -15904,7 +17165,7 @@ class HttpMethods(enum.Enum):
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_s3.IBucket")
-class IBucket(_IResource_c80c4260, typing_extensions.Protocol):
+class IBucket(_IResource_c80c4260, _IBucketRef_3debe44e, typing_extensions.Protocol):
     @builtins.property
     @jsii.member(jsii_name="bucketArn")
     def bucket_arn(self) -> builtins.str:
@@ -16247,6 +17508,27 @@ class IBucket(_IResource_c80c4260, typing_extensions.Protocol):
         '''
         ...
 
+    @jsii.member(jsii_name="grantReplicationPermission")
+    def grant_replication_permission(
+        self,
+        identity: _IGrantable_71c4f5de,
+        *,
+        destinations: typing.Sequence[typing.Union[GrantReplicationPermissionDestinationProps, typing.Dict[builtins.str, typing.Any]]],
+        source_decryption_key: typing.Optional[_IKey_5f11635f] = None,
+    ) -> _Grant_a7ae64f8:
+        '''Allows permissions for replication operation to bucket replication role.
+
+        If an encryption key is used, permission to use the key for
+        encrypt/decrypt will also be granted.
+
+        :param identity: The principal.
+        :param destinations: The destination buckets for replication. Specify the KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key. One or more destination buckets are required if replication configuration is enabled (i.e., ``replicationRole`` is specified). Default: - empty array (valid only if the ``replicationRole`` property is NOT specified)
+        :param source_decryption_key: The KMS key used to decrypt objects in the source bucket for replication. **Required if** the source bucket is encrypted with a customer-managed KMS key. Default: - it's assumed the source bucket is not encrypted with a customer-managed KMS key.
+
+        :return: The ``iam.Grant`` object, which represents the grant of permissions.
+        '''
+        ...
+
     @jsii.member(jsii_name="grantWrite")
     def grant_write(
         self,
@@ -16443,6 +17725,7 @@ class IBucket(_IResource_c80c4260, typing_extensions.Protocol):
 
 class _IBucketProxy(
     jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+    jsii.proxy_for(_IBucketRef_3debe44e), # type: ignore[misc]
 ):
     __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_s3.IBucket"
 
@@ -16842,6 +18125,34 @@ class _IBucketProxy(
             check_type(argname="argument objects_key_pattern", value=objects_key_pattern, expected_type=type_hints["objects_key_pattern"])
         return typing.cast(_Grant_a7ae64f8, jsii.invoke(self, "grantReadWrite", [identity, objects_key_pattern]))
 
+    @jsii.member(jsii_name="grantReplicationPermission")
+    def grant_replication_permission(
+        self,
+        identity: _IGrantable_71c4f5de,
+        *,
+        destinations: typing.Sequence[typing.Union[GrantReplicationPermissionDestinationProps, typing.Dict[builtins.str, typing.Any]]],
+        source_decryption_key: typing.Optional[_IKey_5f11635f] = None,
+    ) -> _Grant_a7ae64f8:
+        '''Allows permissions for replication operation to bucket replication role.
+
+        If an encryption key is used, permission to use the key for
+        encrypt/decrypt will also be granted.
+
+        :param identity: The principal.
+        :param destinations: The destination buckets for replication. Specify the KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key. One or more destination buckets are required if replication configuration is enabled (i.e., ``replicationRole`` is specified). Default: - empty array (valid only if the ``replicationRole`` property is NOT specified)
+        :param source_decryption_key: The KMS key used to decrypt objects in the source bucket for replication. **Required if** the source bucket is encrypted with a customer-managed KMS key. Default: - it's assumed the source bucket is not encrypted with a customer-managed KMS key.
+
+        :return: The ``iam.Grant`` object, which represents the grant of permissions.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b2772da13be98dbf89b1d2aec491a21f6a48f84e8d96dacef9ad681c2a3c690a)
+            check_type(argname="argument identity", value=identity, expected_type=type_hints["identity"])
+        props = GrantReplicationPermissionProps(
+            destinations=destinations, source_decryption_key=source_decryption_key
+        )
+
+        return typing.cast(_Grant_a7ae64f8, jsii.invoke(self, "grantReplicationPermission", [identity, props]))
+
     @jsii.member(jsii_name="grantWrite")
     def grant_write(
         self,
@@ -17104,7 +18415,7 @@ class IBucketNotificationDestination(typing_extensions.Protocol):
     def bind(
         self,
         scope: _constructs_77d1e7e8.Construct,
-        bucket: IBucket,
+        bucket: _IBucketRef_3debe44e,
     ) -> BucketNotificationDestinationConfig:
         '''Registers this resource to receive notifications for the specified bucket.
 
@@ -17127,7 +18438,7 @@ class _IBucketNotificationDestinationProxy:
     def bind(
         self,
         scope: _constructs_77d1e7e8.Construct,
-        bucket: IBucket,
+        bucket: _IBucketRef_3debe44e,
     ) -> BucketNotificationDestinationConfig:
         '''Registers this resource to receive notifications for the specified bucket.
 
@@ -17686,7 +18997,7 @@ class LifecycleRule:
         :param id: A unique identifier for this rule. The value cannot be more than 255 characters.
         :param noncurrent_version_expiration: Time between when a new version of the object is uploaded to the bucket and when old versions of the object expire. For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time. The underlying configuration is expressed in whole numbers of days. Providing a Duration that does not represent a whole number of days will result in a runtime or deployment error. Default: - No noncurrent version expiration
         :param noncurrent_versions_to_retain: Indicates a maximum number of noncurrent versions to retain. If there are this many more noncurrent versions, Amazon S3 permanently deletes them. Default: - No noncurrent versions to retain
-        :param noncurrent_version_transitions: One or more transition rules that specify when non-current objects transition to a specified storage class. Only for for buckets with versioning enabled (or suspended). If you specify a transition and expiration time, the expiration time must be later than the transition time.
+        :param noncurrent_version_transitions: One or more transition rules that specify when non-current objects transition to a specified storage class. Only for buckets with versioning enabled (or suspended). If you specify a transition and expiration time, the expiration time must be later than the transition time.
         :param object_size_greater_than: Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. Default: - No rule
         :param object_size_less_than: Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. Default: - No rule
         :param prefix: Object key prefix that identifies one or more objects to which this rule applies. Default: - Rule applies to all objects
@@ -17898,7 +19209,7 @@ class LifecycleRule:
     ) -> typing.Optional[typing.List["NoncurrentVersionTransition"]]:
         '''One or more transition rules that specify when non-current objects transition to a specified storage class.
 
-        Only for for buckets with versioning enabled (or suspended).
+        Only for buckets with versioning enabled (or suspended).
 
         If you specify a transition and expiration time, the expiration time
         must be later than the transition time.
@@ -17994,26 +19305,43 @@ class Location:
         :param object_key: The path inside the Bucket where the object is located at.
         :param object_version: The S3 object version.
 
-        :exampleMetadata: infused
+        :exampleMetadata: fixture=default infused
 
         Example::
 
-            start_query_execution_job = tasks.AthenaStartQueryExecution(self, "Start Athena Query",
-                query_string=sfn.JsonPath.string_at("$.queryString"),
-                query_execution_context=tasks.QueryExecutionContext(
-                    database_name="mydatabase"
-                ),
-                result_configuration=tasks.ResultConfiguration(
-                    encryption_configuration=tasks.EncryptionConfiguration(
-                        encryption_option=tasks.EncryptionOption.S3_MANAGED
-                    ),
-                    output_location=s3.Location(
-                        bucket_name="query-results-bucket",
-                        object_key="folder"
+            bucket = s3.Bucket(self, "memoryBucket",
+                bucket_name="test-memory",
+                removal_policy=cdk.RemovalPolicy.DESTROY,
+                auto_delete_objects=True
+            )
+            
+            topic = sns.Topic(self, "topic")
+            
+            # Create a custom semantic memory strategy
+            self_managed_strategy = agentcore.MemoryStrategy.using_self_managed(
+                name="selfManagedStrategy",
+                description="self managed memory strategy",
+                historical_context_window_size=5,
+                invocation_configuration=agentcore.InvocationConfiguration(
+                    topic=topic,
+                    s3_location=s3.Location(
+                        bucket_name=bucket.bucket_name,
+                        object_key="memory/"
                     )
                 ),
-                execution_parameters=["param1", "param2"],
-                result_reuse_configuration_max_age=Duration.minutes(100)
+                trigger_conditions=agentcore.TriggerConditions(
+                    message_based_trigger=1,
+                    time_based_trigger=cdk.Duration.seconds(10),
+                    token_based_trigger=100
+                )
+            )
+            
+            # Create memory with custom strategy
+            memory = agentcore.Memory(self, "MyMemory",
+                memory_name="my-custom-memory",
+                description="Memory with custom strategy",
+                expiration_duration=cdk.Duration.days(90),
+                memory_strategies=[self_managed_strategy]
             )
         '''
         if __debug__:
@@ -18981,12 +20309,15 @@ class ReplicationTimeValue(
         # destination_bucket1: s3.IBucket
         # destination_bucket2: s3.IBucket
         # replication_role: iam.IRole
-        # kms_key: kms.IKey
+        # encryption_key: kms.IKey
+        # destination_encryption_key: kms.IKey
         
         
         source_bucket = s3.Bucket(self, "SourceBucket",
             # Versioning must be enabled on both the source and destination bucket
             versioned=True,
+            # Optional. Specify the KMS key to use for encrypts objects in the source bucket.
+            encryption_key=encryption_key,
             # Optional. If not specified, a new role will be created.
             replication_role=replication_role,
             replication_rules=[s3.ReplicationRule(
@@ -19009,7 +20340,7 @@ class ReplicationTimeValue(
                 # If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
                 metrics=s3.ReplicationTimeValue.FIFTEEN_MINUTES,
                 # The kms key to use for the destination bucket.
-                kms_key=kms_key,
+                kms_key=destination_encryption_key,
                 # The storage class to use for the destination bucket.
                 storage_class=s3.StorageClass.INFREQUENT_ACCESS,
                 # Whether to replicate objects with SSE-KMS encryption.
@@ -19035,6 +20366,15 @@ class ReplicationTimeValue(
             )
             ]
         )
+        
+        # Grant permissions to the replication role.
+        # This method is not required if you choose to use an auto-generated replication role or manually grant permissions.
+        source_bucket.grant_replication_permission(replication_role,
+            # Optional. Specify the KMS key to use for decrypting objects in the source bucket.
+            source_decryption_key=encryption_key,
+            destinations=[s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket1), s3.GrantReplicationPermissionDestinationProps(bucket=destination_bucket2, encryption_key=destination_encryption_key)
+            ]
+        )
     '''
 
     @jsii.python.classproperty
@@ -20095,6 +21435,32 @@ class BucketBase(
             check_type(argname="argument objects_key_pattern", value=objects_key_pattern, expected_type=type_hints["objects_key_pattern"])
         return typing.cast(_Grant_a7ae64f8, jsii.invoke(self, "grantReadWrite", [identity, objects_key_pattern]))
 
+    @jsii.member(jsii_name="grantReplicationPermission")
+    def grant_replication_permission(
+        self,
+        identity: _IGrantable_71c4f5de,
+        *,
+        destinations: typing.Sequence[typing.Union[GrantReplicationPermissionDestinationProps, typing.Dict[builtins.str, typing.Any]]],
+        source_decryption_key: typing.Optional[_IKey_5f11635f] = None,
+    ) -> _Grant_a7ae64f8:
+        '''Grant replication permission to a principal. This method allows the principal to perform replication operations on this bucket.
+
+        Note that when calling this function for source or destination buckets that support KMS encryption,
+        you need to specify the KMS key for encryption and the KMS key for decryption, respectively.
+
+        :param identity: The principal to grant replication permission to.
+        :param destinations: The destination buckets for replication. Specify the KMS key to use for encryption if a destination bucket needs to be encrypted with a customer-managed KMS key. One or more destination buckets are required if replication configuration is enabled (i.e., ``replicationRole`` is specified). Default: - empty array (valid only if the ``replicationRole`` property is NOT specified)
+        :param source_decryption_key: The KMS key used to decrypt objects in the source bucket for replication. **Required if** the source bucket is encrypted with a customer-managed KMS key. Default: - it's assumed the source bucket is not encrypted with a customer-managed KMS key.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ae08375448013fd67c288fc732b4e3bd7135520a849542f49221c12f286f9554)
+            check_type(argname="argument identity", value=identity, expected_type=type_hints["identity"])
+        props = GrantReplicationPermissionProps(
+            destinations=destinations, source_decryption_key=source_decryption_key
+        )
+
+        return typing.cast(_Grant_a7ae64f8, jsii.invoke(self, "grantReplicationPermission", [identity, props]))
+
     @jsii.member(jsii_name="grantWrite")
     def grant_write(
         self,
@@ -20371,6 +21737,12 @@ class BucketBase(
         '''The name of the bucket.'''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="bucketRef")
+    def bucket_ref(self) -> _BucketReference_502fb39f:
+        '''A reference to a Bucket resource.'''
+        return typing.cast(_BucketReference_502fb39f, jsii.get(self, "bucketRef"))
+
     @builtins.property
     @jsii.member(jsii_name="bucketRegionalDomainName")
     @abc.abstractmethod
@@ -20991,7 +22363,7 @@ class Bucket(
         :param id: A unique identifier for this rule. The value cannot be more than 255 characters.
         :param noncurrent_version_expiration: Time between when a new version of the object is uploaded to the bucket and when old versions of the object expire. For buckets with versioning enabled (or suspended), specifies the time, in days, between when a new version of the object is uploaded to the bucket and when old versions of the object expire. When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and expiration time, the expiration time must be later than the transition time. The underlying configuration is expressed in whole numbers of days. Providing a Duration that does not represent a whole number of days will result in a runtime or deployment error. Default: - No noncurrent version expiration
         :param noncurrent_versions_to_retain: Indicates a maximum number of noncurrent versions to retain. If there are this many more noncurrent versions, Amazon S3 permanently deletes them. Default: - No noncurrent versions to retain
-        :param noncurrent_version_transitions: One or more transition rules that specify when non-current objects transition to a specified storage class. Only for for buckets with versioning enabled (or suspended). If you specify a transition and expiration time, the expiration time must be later than the transition time.
+        :param noncurrent_version_transitions: One or more transition rules that specify when non-current objects transition to a specified storage class. Only for buckets with versioning enabled (or suspended). If you specify a transition and expiration time, the expiration time must be later than the transition time.
         :param object_size_greater_than: Specifies the minimum object size in bytes for this rule to apply to. Objects must be larger than this value in bytes. Default: - No rule
         :param object_size_less_than: Specifies the maximum object size in bytes for this rule to apply to. Objects must be smaller than this value in bytes. Default: - No rule
         :param prefix: Object key prefix that identifies one or more objects to which this rule applies. Default: - Rule applies to all objects
@@ -21035,6 +22407,12 @@ class Bucket(
 
         return typing.cast(None, jsii.invoke(self, "addMetric", [metric]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="bucketArn")
     def bucket_arn(self) -> builtins.str:
@@ -21183,6 +22561,8 @@ __all__ = [
     "CorsRule",
     "EventType",
     "Filter",
+    "GrantReplicationPermissionDestinationProps",
+    "GrantReplicationPermissionProps",
     "HttpMethods",
     "IBucket",
     "IBucketNotificationDestination",
@@ -21294,6 +22674,7 @@ def _typecheckingstub__910b3df1208e67cb52dad0b0b8c5feb43c7bddb0ced50eaf6c9534772
     id: builtins.str,
     *,
     bucket: IBucket,
+    document: typing.Optional[_PolicyDocument_3ac34393] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
 ) -> None:
     """Type checking stubs"""
@@ -21314,6 +22695,7 @@ def _typecheckingstub__70ab6602f43f75a64ae8e8349b5d140cdfefe9af2e4d2352ec6279ed1
 def _typecheckingstub__4d7b9233434273933326211f004f27c2982fedd89ad904dc86d84c54f0f50ac6(
     *,
     bucket: IBucket,
+    document: typing.Optional[_PolicyDocument_3ac34393] = None,
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
 ) -> None:
     """Type checking stubs"""
@@ -21502,8 +22884,8 @@ def _typecheckingstub__f63f8766c3f622205e3ea04592d9dbd1cdfdf34d2e6b1aca405f1b211
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    iam_role_arn: typing.Optional[builtins.str] = None,
-    location_scope: typing.Optional[builtins.str] = None,
+    iam_role_arn: builtins.str,
+    location_scope: builtins.str,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -21522,13 +22904,13 @@ def _typecheckingstub__41246c53313d09c72689110109c1c02c98b558c613dd50d35f19becfa
     pass
 
 def _typecheckingstub__c6ad3ea630d95d457364fa227ccc4159df9b2fe48cab3fd14afc7301612ddce6(
-    value: typing.Optional[builtins.str],
+    value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
 def _typecheckingstub__80f4ecc1c277ca36e62d80157ee09c7e5856bf9bc1e1542588d3449f958c3302(
-    value: typing.Optional[builtins.str],
+    value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -21541,8 +22923,8 @@ def _typecheckingstub__34ec64e9e3a170eac86359c24d865c728a0273caa8c470380483ea14c
 
 def _typecheckingstub__5f891152429263f2b2cdf0641e18212de422d1b020ebb0f7ffbac1e255090f5d(
     *,
-    iam_role_arn: typing.Optional[builtins.str] = None,
-    location_scope: typing.Optional[builtins.str] = None,
+    iam_role_arn: builtins.str,
+    location_scope: builtins.str,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -21557,11 +22939,28 @@ def _typecheckingstub__effa13924691e4b61b906bb0dc0bd5da8dfc4d4cbd167af0fe9491358
     name: typing.Optional[builtins.str] = None,
     policy: typing.Any = None,
     public_access_block_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAccessPoint.PublicAccessBlockConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     vpc_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAccessPoint.VpcConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__27c1fdb406b539ade70eea36bce09782bba11b354442fee5c5d43c938bfd0aee(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__9af2790fec8caeab2621c276234587e70ab62b4d6d6f7a82947b3b7326f42deb(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    access_point_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__71b3c7d208bf045aac83ee95ce52f903885375649aecea79c502164e94dcdf8a(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -21604,6 +23003,12 @@ def _typecheckingstub__f1674ffbc32679c9e6b98201180481c7cd25fa6b6b1611ce89faf76ad
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__d6c41b842366f80d771c24147e6f4bdb868bf8899c3f03b128339e380a158e19(
+    value: typing.Optional[typing.List[_CfnTag_f6864754]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__a49ee3ddcfdce1bcd8c198e3823a2490c2f4ac82647902a91b701dbc61ab86b8(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnAccessPoint.VpcConfigurationProperty]],
 ) -> None:
@@ -21634,6 +23039,7 @@ def _typecheckingstub__78747b8f8c95f80def774b788cce8b1ff46ec71c89a1b755270401066
     name: typing.Optional[builtins.str] = None,
     policy: typing.Any = None,
     public_access_block_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAccessPoint.PublicAccessBlockConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     vpc_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAccessPoint.VpcConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -21653,6 +23059,7 @@ def _typecheckingstub__0cfa39e37f5fa17b8234ce2f712ef5cf3bf2c262914967924c19a67f6
     inventory_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.InventoryConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     lifecycle_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.LifecycleConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     logging_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.LoggingConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    metadata_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     metadata_table_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataTableConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     metrics_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetricsConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     notification_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.NotificationConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -21668,6 +23075,22 @@ def _typecheckingstub__0cfa39e37f5fa17b8234ce2f712ef5cf3bf2c262914967924c19a67f6
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__f218931ccffe0d6407edcfc452f39d64609d0cceec6ea04313fa364cf5a4f3df(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__08ccc75711c8ec0fedd9747e674f732b2653120a392c01413875cc0df08e91fa(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    bucket_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__176de3038f1db142ab99b5462bff80dea14e125a51ef31e58c268c52bbbc103e(
     inspector: _TreeInspector_488e0dd5,
 ) -> None:
@@ -21740,6 +23163,12 @@ def _typecheckingstub__4b77f03fd3b3677eb1438ce6b2a3991e386c73bd8744df53f5e4ba5ea
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__13b4697762f20bd91e57f93bf2922758e68d9cbc3f74472e7da7f9ce2f7dcdca(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnBucket.MetadataConfigurationProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__fd29cd03877c191999cfea4d853581d72ddc33cf57cc7d4cba47336d1b9943ec(
     value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnBucket.MetadataTableConfigurationProperty]],
 ) -> None:
@@ -21943,6 +23372,26 @@ def _typecheckingstub__cdee89cd1b92609a0e10908dd9212db336cab5c5d1cccdb91cf76efe8
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__e3f0960f8776684cd6b2c423b1320b1ffcb2a6165dba0f275451667884000458(
+    *,
+    configuration_state: builtins.str,
+    encryption_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataTableEncryptionConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    table_arn: typing.Optional[builtins.str] = None,
+    table_name: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__4831e8bf78dc983eaf9b010780417c4e6b808ef19beac1729f89ba7bab53d4d9(
+    *,
+    record_expiration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.RecordExpirationProperty, typing.Dict[builtins.str, typing.Any]]],
+    encryption_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataTableEncryptionConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    table_arn: typing.Optional[builtins.str] = None,
+    table_name: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__599ef02853407bceb720424e9874eda7b5e2324f3be8a787939e9d5f9a7d5765(
     *,
     event: builtins.str,
@@ -21969,6 +23418,24 @@ def _typecheckingstub__01491815d16a808a2dce4d193703181c42183e3e002a73f20f0f129d4
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__5ba4e02b348fb368852d2eaf89da64d6c5432c39d5f771482cd73c5e29aea1d2(
+    *,
+    journal_table_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.JournalTableConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
+    destination: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataDestinationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    inventory_table_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.InventoryTableConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__22a357b76c39088e89c9805c6e3fd369bf83472fbcec37ad505b7803d1960e7e(
+    *,
+    table_bucket_type: builtins.str,
+    table_bucket_arn: typing.Optional[builtins.str] = None,
+    table_namespace: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__5ca454da0b88593246b2d389c687410262b1687eb76eddb67e9375ebad28093f(
     *,
     s3_tables_destination: typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.S3TablesDestinationProperty, typing.Dict[builtins.str, typing.Any]]],
@@ -21976,6 +23443,14 @@ def _typecheckingstub__5ca454da0b88593246b2d389c687410262b1687eb76eddb67e9375eba
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__638725ba5e16c7545010085fee3839279059f8036e3a36e81a6da12f68c3c96d(
+    *,
+    sse_algorithm: builtins.str,
+    kms_key_arn: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__ad42f7d497f9da61528b895926b56b4a48de1121e97039ba589509b4f56b32f7(
     *,
     id: builtins.str,
@@ -22083,6 +23558,14 @@ def _typecheckingstub__fa7475a01d5eb0e88eb78519cde0c5de6ace577577dd1b48ec5816cca
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ced4e05e0d07a000e813825522beab4af447ff67164c61600ff7eb3b0afab28c(
+    *,
+    expiration: builtins.str,
+    days: typing.Optional[jsii.Number] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__8aaa5db61b5a90e427f3a57c45b3bd725fb80aeca08f50b45728a5d954ee837f(
     *,
     host_name: builtins.str,
@@ -22382,6 +23865,7 @@ def _typecheckingstub__658a4165ec8804b9770871bbb27764713f55dc53e9c9e990dca120e77
     inventory_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.InventoryConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     lifecycle_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.LifecycleConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     logging_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.LoggingConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    metadata_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     metadata_table_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetadataTableConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     metrics_configurations: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.MetricsConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     notification_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnBucket.NotificationConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
@@ -22838,6 +24322,22 @@ def _typecheckingstub__ff4b8a813f6812ab1464fced92fa61b97e151767705973ce994c0970f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__c28989eb119121ac7809e78ba2038558e14755021078bf7d97f894b34bc3311a(
+    *,
+    bucket: IBucket,
+    encryption_key: typing.Optional[_IKey_5f11635f] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__892523669f29c26ab296b743291f04387d44edf1630a2288ab68d906f972d8ff(
+    *,
+    destinations: typing.Sequence[typing.Union[GrantReplicationPermissionDestinationProps, typing.Dict[builtins.str, typing.Any]]],
+    source_decryption_key: typing.Optional[_IKey_5f11635f] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__eee382ff86c17d46379012dcccee86976ea92e15cb6d63c3e3f4e853c058ac53(
     value: typing.Optional[BucketPolicy],
 ) -> None:
@@ -22934,6 +24434,15 @@ def _typecheckingstub__96c877c118f5e8a1b2d7e8d8a3a593f12688f174eaf15ecd7c8198344
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b2772da13be98dbf89b1d2aec491a21f6a48f84e8d96dacef9ad681c2a3c690a(
+    identity: _IGrantable_71c4f5de,
+    *,
+    destinations: typing.Sequence[typing.Union[GrantReplicationPermissionDestinationProps, typing.Dict[builtins.str, typing.Any]]],
+    source_decryption_key: typing.Optional[_IKey_5f11635f] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d80dff4704f5345b5514fd2dfceb4cf2e1b6f5dbd368505a740522685f4b2404(
     identity: _IGrantable_71c4f5de,
     objects_key_pattern: typing.Any = None,
@@ -23011,7 +24520,7 @@ def _typecheckingstub__993ef29805b7b5223d6327faefc00c505108a1497efd501af949abb29
 
 def _typecheckingstub__c383a5262868f93c81da67f9058929f12151009bdb49b69a87ed6e62b4fe28a9(
     scope: _constructs_77d1e7e8.Construct,
-    bucket: IBucket,
+    bucket: _IBucketRef_3debe44e,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -23316,6 +24825,15 @@ def _typecheckingstub__b4fefa6383b8da3c85e674cc7aa9017f54bbafd94b3f086c041a65129
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ae08375448013fd67c288fc732b4e3bd7135520a849542f49221c12f286f9554(
+    identity: _IGrantable_71c4f5de,
+    *,
+    destinations: typing.Sequence[typing.Union[GrantReplicationPermissionDestinationProps, typing.Dict[builtins.str, typing.Any]]],
+    source_decryption_key: typing.Optional[_IKey_5f11635f] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__857aef69f081fcbca7e312228a28a24530a67adbfdf13e38eca13f14153683be(
     identity: _IGrantable_71c4f5de,
     objects_key_pattern: typing.Any = None,
@@ -23547,3 +25065,6 @@ def _typecheckingstub__3cb691a849de33681a4f0021424f266609c2785cf8cbf5306c98726a6
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IBucket, IBucketNotificationDestination]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])