aws-cdk-lib 2.195.0__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/_jsii/__init__.py

@@ -34,7 +34,7 @@ import aws_cdk.cloud_assembly_schema._jsii
 import constructs._jsii
 
 __jsii_assembly__ = jsii.JSIIAssembly.load(
-    "aws-cdk-lib", "2.195.0", __name__[0:-6], "aws-cdk-lib@2.195.0.jsii.tgz"
+    "aws-cdk-lib", "2.224.0", __name__[0:-6], "aws-cdk-lib@2.224.0.jsii.tgz"
 )
 
 __all__ = [

aws_cdk/alexa_ask/__init__.py

@@ -64,9 +64,12 @@ from .. import (
     IResolvable as _IResolvable_da3f097b,
     TreeInspector as _TreeInspector_488e0dd5,
 )
+from ..interfaces.alexa_ask import (
+    ISkillRef as _ISkillRef_7086c21a, SkillReference as _SkillReference_eb5d54fa
+)
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ISkillRef_7086c21a)
 class CfnSkill(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -118,7 +121,8 @@ class CfnSkill(
         skill_package: typing.Union[_IResolvable_da3f097b, typing.Union["CfnSkill.SkillPackageProperty", typing.Dict[builtins.str, typing.Any]]],
         vendor_id: builtins.str,
     ) -> None:
-        '''
+        '''Create a new ``Alexa::ASK::Skill``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param authentication_configuration: Login with Amazon (LWA) configuration used to authenticate with the Alexa service. Only Login with Amazon clients created through the are supported. The client ID, client secret, and refresh token are required.
@@ -180,6 +184,12 @@ class CfnSkill(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="skillRef")
+    def skill_ref(self) -> _SkillReference_eb5d54fa:
+        '''A reference to a Skill resource.'''
+        return typing.cast(_SkillReference_eb5d54fa, jsii.get(self, "skillRef"))
+
     @builtins.property
     @jsii.member(jsii_name="authenticationConfiguration")
     def authentication_configuration(

aws_cdk/aws_accessanalyzer/__init__.py

@@ -67,9 +67,13 @@ from .. import (
     TagManager as _TagManager_0a598cb3,
     TreeInspector as _TreeInspector_488e0dd5,
 )
+from ..interfaces.aws_accessanalyzer import (
+    AnalyzerReference as _AnalyzerReference_be7daa4e,
+    IAnalyzerRef as _IAnalyzerRef_1291bb9b,
+)
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IAnalyzerRef_1291bb9b, _ITaggable_36806126)
 class CfnAnalyzer(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -94,6 +98,15 @@ class CfnAnalyzer(
         
             # the properties below are optional
             analyzer_configuration=accessanalyzer.CfnAnalyzer.AnalyzerConfigurationProperty(
+                internal_access_configuration=accessanalyzer.CfnAnalyzer.InternalAccessConfigurationProperty(
+                    internal_access_analysis_rule=accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleProperty(
+                        inclusions=[accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty(
+                            account_ids=["accountIds"],
+                            resource_arns=["resourceArns"],
+                            resource_types=["resourceTypes"]
+                        )]
+                    )
+                ),
                 unused_access_configuration=accessanalyzer.CfnAnalyzer.UnusedAccessConfigurationProperty(
                     analysis_rule=accessanalyzer.CfnAnalyzer.AnalysisRuleProperty(
                         exclusions=[accessanalyzer.CfnAnalyzer.AnalysisRuleCriteriaProperty(
@@ -138,10 +151,11 @@ class CfnAnalyzer(
         archive_rules: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAnalyzer.ArchiveRuleProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::AccessAnalyzer::Analyzer``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param type: The type represents the zone of trust for the analyzer. *Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS
+        :param type: The type represents the zone of trust for the analyzer. *Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ACCOUNT_INTERNAL_ACCESS | ORGANIZATION_INTERNAL_ACCESS | ORGANIZATION_UNUSED_ACCESS
         :param analyzer_configuration: Contains information about the configuration of an analyzer for an AWS organization or account.
         :param analyzer_name: The name of the analyzer.
         :param archive_rules: Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.
@@ -191,6 +205,12 @@ class CfnAnalyzer(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="analyzerRef")
+    def analyzer_ref(self) -> _AnalyzerReference_be7daa4e:
+        '''A reference to a Analyzer resource.'''
+        return typing.cast(_AnalyzerReference_be7daa4e, jsii.get(self, "analyzerRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrArn")
     def attr_arn(self) -> builtins.str:
@@ -441,16 +461,21 @@ class CfnAnalyzer(
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_accessanalyzer.CfnAnalyzer.AnalyzerConfigurationProperty",
         jsii_struct_bases=[],
-        name_mapping={"unused_access_configuration": "unusedAccessConfiguration"},
+        name_mapping={
+            "internal_access_configuration": "internalAccessConfiguration",
+            "unused_access_configuration": "unusedAccessConfiguration",
+        },
     )
     class AnalyzerConfigurationProperty:
         def __init__(
             self,
             *,
+            internal_access_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAnalyzer.InternalAccessConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             unused_access_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAnalyzer.UnusedAccessConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
             '''Contains information about the configuration of an analyzer for an AWS organization or account.
 
+            :param internal_access_configuration: Specifies the configuration of an internal access analyzer for an AWS organization or account. This configuration determines how the analyzer evaluates access within your AWS environment.
             :param unused_access_configuration: Specifies the configuration of an unused access analyzer for an AWS organization or account.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-analyzerconfiguration.html
@@ -463,6 +488,15 @@ class CfnAnalyzer(
                 from aws_cdk import aws_accessanalyzer as accessanalyzer
                 
                 analyzer_configuration_property = accessanalyzer.CfnAnalyzer.AnalyzerConfigurationProperty(
+                    internal_access_configuration=accessanalyzer.CfnAnalyzer.InternalAccessConfigurationProperty(
+                        internal_access_analysis_rule=accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleProperty(
+                            inclusions=[accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty(
+                                account_ids=["accountIds"],
+                                resource_arns=["resourceArns"],
+                                resource_types=["resourceTypes"]
+                            )]
+                        )
+                    ),
                     unused_access_configuration=accessanalyzer.CfnAnalyzer.UnusedAccessConfigurationProperty(
                         analysis_rule=accessanalyzer.CfnAnalyzer.AnalysisRuleProperty(
                             exclusions=[accessanalyzer.CfnAnalyzer.AnalysisRuleCriteriaProperty(
@@ -479,11 +513,27 @@ class CfnAnalyzer(
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__31c56409583b90336517d4c07b7b7849a386335199a589eff293943ed3b54e61)
+                check_type(argname="argument internal_access_configuration", value=internal_access_configuration, expected_type=type_hints["internal_access_configuration"])
                 check_type(argname="argument unused_access_configuration", value=unused_access_configuration, expected_type=type_hints["unused_access_configuration"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if internal_access_configuration is not None:
+                self._values["internal_access_configuration"] = internal_access_configuration
             if unused_access_configuration is not None:
                 self._values["unused_access_configuration"] = unused_access_configuration
 
+        @builtins.property
+        def internal_access_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnAnalyzer.InternalAccessConfigurationProperty"]]:
+            '''Specifies the configuration of an internal access analyzer for an AWS organization or account.
+
+            This configuration determines how the analyzer evaluates access within your AWS environment.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-analyzerconfiguration.html#cfn-accessanalyzer-analyzer-analyzerconfiguration-internalaccessconfiguration
+            '''
+            result = self._values.get("internal_access_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnAnalyzer.InternalAccessConfigurationProperty"]], result)
+
         @builtins.property
         def unused_access_configuration(
             self,
@@ -717,6 +767,240 @@ class CfnAnalyzer(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "account_ids": "accountIds",
+            "resource_arns": "resourceArns",
+            "resource_types": "resourceTypes",
+        },
+    )
+    class InternalAccessAnalysisRuleCriteriaProperty:
+        def __init__(
+            self,
+            *,
+            account_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+            resource_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
+            resource_types: typing.Optional[typing.Sequence[builtins.str]] = None,
+        ) -> None:
+            '''The criteria for an analysis rule for an internal access analyzer.
+
+            :param account_ids: A list of AWS account IDs to apply to the internal access analysis rule criteria. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.
+            :param resource_arns: A list of resource ARNs to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources that match these ARNs.
+            :param resource_types: A list of resource types to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources of these types. These resource types are currently supported for internal access analyzers: - ``AWS::S3::Bucket`` - ``AWS::RDS::DBSnapshot`` - ``AWS::RDS::DBClusterSnapshot`` - ``AWS::S3Express::DirectoryBucket`` - ``AWS::DynamoDB::Table`` - ``AWS::DynamoDB::Stream``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessanalysisrulecriteria.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_accessanalyzer as accessanalyzer
+                
+                internal_access_analysis_rule_criteria_property = accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty(
+                    account_ids=["accountIds"],
+                    resource_arns=["resourceArns"],
+                    resource_types=["resourceTypes"]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__df58106489755d92b5cc9d51d8ac254dfccee65f0ca7f4d03d3a9002659d6a9f)
+                check_type(argname="argument account_ids", value=account_ids, expected_type=type_hints["account_ids"])
+                check_type(argname="argument resource_arns", value=resource_arns, expected_type=type_hints["resource_arns"])
+                check_type(argname="argument resource_types", value=resource_types, expected_type=type_hints["resource_types"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if account_ids is not None:
+                self._values["account_ids"] = account_ids
+            if resource_arns is not None:
+                self._values["resource_arns"] = resource_arns
+            if resource_types is not None:
+                self._values["resource_types"] = resource_types
+
+        @builtins.property
+        def account_ids(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''A list of AWS account IDs to apply to the internal access analysis rule criteria.
+
+            Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessanalysisrulecriteria.html#cfn-accessanalyzer-analyzer-internalaccessanalysisrulecriteria-accountids
+            '''
+            result = self._values.get("account_ids")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def resource_arns(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''A list of resource ARNs to apply to the internal access analysis rule criteria.
+
+            The analyzer will only generate findings for resources that match these ARNs.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessanalysisrulecriteria.html#cfn-accessanalyzer-analyzer-internalaccessanalysisrulecriteria-resourcearns
+            '''
+            result = self._values.get("resource_arns")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def resource_types(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''A list of resource types to apply to the internal access analysis rule criteria.
+
+            The analyzer will only generate findings for resources of these types. These resource types are currently supported for internal access analyzers:
+
+            - ``AWS::S3::Bucket``
+            - ``AWS::RDS::DBSnapshot``
+            - ``AWS::RDS::DBClusterSnapshot``
+            - ``AWS::S3Express::DirectoryBucket``
+            - ``AWS::DynamoDB::Table``
+            - ``AWS::DynamoDB::Stream``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessanalysisrulecriteria.html#cfn-accessanalyzer-analyzer-internalaccessanalysisrulecriteria-resourcetypes
+            '''
+            result = self._values.get("resource_types")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "InternalAccessAnalysisRuleCriteriaProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleProperty",
+        jsii_struct_bases=[],
+        name_mapping={"inclusions": "inclusions"},
+    )
+    class InternalAccessAnalysisRuleProperty:
+        def __init__(
+            self,
+            *,
+            inclusions: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        ) -> None:
+            '''Contains information about analysis rules for the internal access analyzer.
+
+            Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule.
+
+            :param inclusions: A list of rules for the internal access analyzer containing criteria to include in analysis. Only resources that meet the rule criteria will generate findings.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessanalysisrule.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_accessanalyzer as accessanalyzer
+                
+                internal_access_analysis_rule_property = accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleProperty(
+                    inclusions=[accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty(
+                        account_ids=["accountIds"],
+                        resource_arns=["resourceArns"],
+                        resource_types=["resourceTypes"]
+                    )]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__b551cb53f4f7a1a38a9a57f1445115d565b843fa07c255e6ae31333c89b019a7)
+                check_type(argname="argument inclusions", value=inclusions, expected_type=type_hints["inclusions"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if inclusions is not None:
+                self._values["inclusions"] = inclusions
+
+        @builtins.property
+        def inclusions(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty"]]]]:
+            '''A list of rules for the internal access analyzer containing criteria to include in analysis.
+
+            Only resources that meet the rule criteria will generate findings.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessanalysisrule.html#cfn-accessanalyzer-analyzer-internalaccessanalysisrule-inclusions
+            '''
+            result = self._values.get("inclusions")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty"]]]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "InternalAccessAnalysisRuleProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_accessanalyzer.CfnAnalyzer.InternalAccessConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={"internal_access_analysis_rule": "internalAccessAnalysisRule"},
+    )
+    class InternalAccessConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            internal_access_analysis_rule: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnAnalyzer.InternalAccessAnalysisRuleProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''Specifies the configuration of an internal access analyzer for an AWS organization or account.
+
+            This configuration determines how the analyzer evaluates internal access within your AWS environment.
+
+            :param internal_access_analysis_rule: Contains information about analysis rules for the internal access analyzer. These rules determine which resources and access patterns will be analyzed.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_accessanalyzer as accessanalyzer
+                
+                internal_access_configuration_property = accessanalyzer.CfnAnalyzer.InternalAccessConfigurationProperty(
+                    internal_access_analysis_rule=accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleProperty(
+                        inclusions=[accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty(
+                            account_ids=["accountIds"],
+                            resource_arns=["resourceArns"],
+                            resource_types=["resourceTypes"]
+                        )]
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__0a796d008592c4cc4b9ffe7a696b2a26db99022fdab61d5695cf9465c2e2ecff)
+                check_type(argname="argument internal_access_analysis_rule", value=internal_access_analysis_rule, expected_type=type_hints["internal_access_analysis_rule"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if internal_access_analysis_rule is not None:
+                self._values["internal_access_analysis_rule"] = internal_access_analysis_rule
+
+        @builtins.property
+        def internal_access_analysis_rule(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnAnalyzer.InternalAccessAnalysisRuleProperty"]]:
+            '''Contains information about analysis rules for the internal access analyzer.
+
+            These rules determine which resources and access patterns will be analyzed.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-accessanalyzer-analyzer-internalaccessconfiguration.html#cfn-accessanalyzer-analyzer-internalaccessconfiguration-internalaccessanalysisrule
+            '''
+            result = self._values.get("internal_access_analysis_rule")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnAnalyzer.InternalAccessAnalysisRuleProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "InternalAccessConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_accessanalyzer.CfnAnalyzer.UnusedAccessConfigurationProperty",
         jsii_struct_bases=[],
@@ -828,7 +1112,7 @@ class CfnAnalyzerProps:
     ) -> None:
         '''Properties for defining a ``CfnAnalyzer``.
 
-        :param type: The type represents the zone of trust for the analyzer. *Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS
+        :param type: The type represents the zone of trust for the analyzer. *Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ACCOUNT_INTERNAL_ACCESS | ORGANIZATION_INTERNAL_ACCESS | ORGANIZATION_UNUSED_ACCESS
         :param analyzer_configuration: Contains information about the configuration of an analyzer for an AWS organization or account.
         :param analyzer_name: The name of the analyzer.
         :param archive_rules: Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.
@@ -848,6 +1132,15 @@ class CfnAnalyzerProps:
             
                 # the properties below are optional
                 analyzer_configuration=accessanalyzer.CfnAnalyzer.AnalyzerConfigurationProperty(
+                    internal_access_configuration=accessanalyzer.CfnAnalyzer.InternalAccessConfigurationProperty(
+                        internal_access_analysis_rule=accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleProperty(
+                            inclusions=[accessanalyzer.CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty(
+                                account_ids=["accountIds"],
+                                resource_arns=["resourceArns"],
+                                resource_types=["resourceTypes"]
+                            )]
+                        )
+                    ),
                     unused_access_configuration=accessanalyzer.CfnAnalyzer.UnusedAccessConfigurationProperty(
                         analysis_rule=accessanalyzer.CfnAnalyzer.AnalysisRuleProperty(
                             exclusions=[accessanalyzer.CfnAnalyzer.AnalysisRuleCriteriaProperty(
@@ -903,7 +1196,7 @@ class CfnAnalyzerProps:
     def type(self) -> builtins.str:
         '''The type represents the zone of trust for the analyzer.
 
-        *Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS
+        *Allowed Values* : ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ACCOUNT_INTERNAL_ACCESS | ORGANIZATION_INTERNAL_ACCESS | ORGANIZATION_UNUSED_ACCESS
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html#cfn-accessanalyzer-analyzer-type
         '''
@@ -1050,6 +1343,7 @@ def _typecheckingstub__17edc274e7f0852c4514c56018aaea9d25296dab4aaadab463eab1460
 
 def _typecheckingstub__31c56409583b90336517d4c07b7b7849a386335199a589eff293943ed3b54e61(
     *,
+    internal_access_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAnalyzer.InternalAccessConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     unused_access_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAnalyzer.UnusedAccessConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -1074,6 +1368,29 @@ def _typecheckingstub__a277539f2c67c28a2a9fc67270fd81239b1346785d9508df320b963a2
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__df58106489755d92b5cc9d51d8ac254dfccee65f0ca7f4d03d3a9002659d6a9f(
+    *,
+    account_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+    resource_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
+    resource_types: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b551cb53f4f7a1a38a9a57f1445115d565b843fa07c255e6ae31333c89b019a7(
+    *,
+    inclusions: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAnalyzer.InternalAccessAnalysisRuleCriteriaProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0a796d008592c4cc4b9ffe7a696b2a26db99022fdab61d5695cf9465c2e2ecff(
+    *,
+    internal_access_analysis_rule: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAnalyzer.InternalAccessAnalysisRuleProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b15bc1bfb223a199dc73f744cc56dfec8d77e91fcae9e8e5b3520484a497aba7(
     *,
     analysis_rule: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnAnalyzer.AnalysisRuleProperty, typing.Dict[builtins.str, typing.Any]]]] = None,

aws_cdk/aws_acmpca/__init__.py

@@ -99,6 +99,16 @@ from .. import (
     TagManager as _TagManager_0a598cb3,
     TreeInspector as _TreeInspector_488e0dd5,
 )
+from ..interfaces.aws_acmpca import (
+    CertificateAuthorityActivationReference as _CertificateAuthorityActivationReference_efbb95ed,
+    CertificateAuthorityReference as _CertificateAuthorityReference_4a9960c9,
+    CertificateReference as _CertificateReference_b07032bd,
+    ICertificateAuthorityActivationRef as _ICertificateAuthorityActivationRef_eac4783f,
+    ICertificateAuthorityRef as _ICertificateAuthorityRef_240f71c8,
+    ICertificateRef as _ICertificateRef_d3019a6f,
+    IPermissionRef as _IPermissionRef_f04c5632,
+    PermissionReference as _PermissionReference_cddcccb3,
+)
 
 
 class CertificateAuthority(
@@ -118,7 +128,7 @@ class CertificateAuthority(
         
         cluster = msk.Cluster(self, "Cluster",
             cluster_name="myCluster",
-            kafka_version=msk.KafkaVersion.V3_8_X,
+            kafka_version=msk.KafkaVersion.V4_1_X_KRAFT,
             vpc=vpc,
             encryption_in_transit=msk.EncryptionInTransitConfig(
                 client_broker=msk.ClientBrokerEncryption.TLS
@@ -153,7 +163,7 @@ class CertificateAuthority(
         return typing.cast("ICertificateAuthority", jsii.sinvoke(cls, "fromCertificateAuthorityArn", [scope, id, certificate_authority_arn]))
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ICertificateRef_d3019a6f)
 class CfnCertificate(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -296,7 +306,8 @@ class CfnCertificate(
         template_arn: typing.Optional[builtins.str] = None,
         validity_not_before: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnCertificate.ValidityProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::ACMPCA::Certificate``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param certificate_authority_arn: The Amazon Resource Name (ARN) for the private CA issues the certificate.
@@ -371,6 +382,12 @@ class CfnCertificate(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrCertificate"))
 
+    @builtins.property
+    @jsii.member(jsii_name="certificateRef")
+    def certificate_ref(self) -> _CertificateReference_b07032bd:
+        '''A reference to a Certificate resource.'''
+        return typing.cast(_CertificateReference_b07032bd, jsii.get(self, "certificateRef"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -2246,7 +2263,7 @@ class CfnCertificate(
             )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ICertificateAuthorityRef_240f71c8, _ITaggable_36806126)
 class CfnCertificateAuthority(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2303,7 +2320,8 @@ class CfnCertificateAuthority(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         usage_mode: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::ACMPCA::CertificateAuthority``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param key_algorithm: Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
@@ -2382,6 +2400,12 @@ class CfnCertificateAuthority(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrCertificateSigningRequest"))
 
+    @builtins.property
+    @jsii.member(jsii_name="certificateAuthorityRef")
+    def certificate_authority_ref(self) -> _CertificateAuthorityReference_4a9960c9:
+        '''A reference to a CertificateAuthority resource.'''
+        return typing.cast(_CertificateAuthorityReference_4a9960c9, jsii.get(self, "certificateAuthorityRef"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -4272,7 +4296,7 @@ class CfnCertificateAuthority(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ICertificateAuthorityActivationRef_eac4783f)
 class CfnCertificateAuthorityActivation(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4312,7 +4336,8 @@ class CfnCertificateAuthorityActivation(
         certificate_chain: typing.Optional[builtins.str] = None,
         status: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::ACMPCA::CertificateAuthorityActivation``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param certificate: The Base64 PEM-encoded certificate authority certificate.
@@ -4372,6 +4397,14 @@ class CfnCertificateAuthorityActivation(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrCompleteCertificateChain"))
 
+    @builtins.property
+    @jsii.member(jsii_name="certificateAuthorityActivationRef")
+    def certificate_authority_activation_ref(
+        self,
+    ) -> _CertificateAuthorityActivationReference_efbb95ed:
+        '''A reference to a CertificateAuthorityActivation resource.'''
+        return typing.cast(_CertificateAuthorityActivationReference_efbb95ed, jsii.get(self, "certificateAuthorityActivationRef"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -5030,13 +5063,13 @@ class CfnCertificateProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IPermissionRef_f04c5632)
 class CfnPermission(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_acmpca.CfnPermission",
 ):
-    '''Grants permissions to the AWS Certificate Manager ( ACM ) service principal ( ``acm.amazonaws.com`` ) to perform `IssueCertificate <https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html>`_ , `GetCertificate <https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html>`_ , and `ListPermissions <https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html>`_ actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same AWS account as the CA.
+    '''Grants permissions to the Certificate Manager ( ACM ) service principal ( ``acm.amazonaws.com`` ) to perform `IssueCertificate <https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html>`_ , `GetCertificate <https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html>`_ , and `ListPermissions <https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html>`_ actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same AWS account as the CA.
 
     **About permissions** - If the private CA and the certificates it issues reside in the same account, you can use ``AWS::ACMPCA::Permission`` to grant permissions for ACM to carry out automatic certificate renewals.
 
@@ -5077,7 +5110,8 @@ class CfnPermission(
         principal: builtins.str,
         source_account: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::ACMPCA::Permission``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param actions: The private CA actions that can be performed by the designated AWS service. Supported actions are ``IssueCertificate`` , ``GetCertificate`` , and ``ListPermissions`` .
@@ -5133,6 +5167,12 @@ class CfnPermission(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="permissionRef")
+    def permission_ref(self) -> _PermissionReference_cddcccb3:
+        '''A reference to a Permission resource.'''
+        return typing.cast(_PermissionReference_cddcccb3, jsii.get(self, "permissionRef"))
+
     @builtins.property
     @jsii.member(jsii_name="actions")
     def actions(self) -> typing.List[builtins.str]:
@@ -5927,3 +5967,6 @@ def _typecheckingstub__9e4f8a50d06c841025fd393d8e235b3e62339c693e4dbb7a9ab17b555
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [ICertificateAuthority]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])