aws-cdk-lib 2.201.0__py3-none-any.whl → 2.203.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1396,6 +1396,19 @@ endpoint.add_route("Route",
 
 Use the `connections` object of the endpoint to allow traffic to other security groups.
 
+To enable [client route enforcement](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html), configure the `clientRouteEnforcementOptions.enforced` prop to `true`:
+
+```python
+endpoint = vpc.add_client_vpn_endpoint("Endpoint",
+    cidr="10.100.0.0/16",
+    server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
+    client_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
+    client_route_enforcement_options=ec2.ClientRouteEnforcementOptions(
+        enforced=True
+    )
+)
+```
+
 ## Instances
 
 You can use the `Instance` class to start up a single EC2 instance. For production setups, we recommend
@@ -16213,7 +16226,7 @@ class CfnEIPProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
 class CfnEgressOnlyInternetGateway(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -16236,7 +16249,13 @@ class CfnEgressOnlyInternetGateway(
         from aws_cdk import aws_ec2 as ec2
         
         cfn_egress_only_internet_gateway = ec2.CfnEgressOnlyInternetGateway(self, "MyCfnEgressOnlyInternetGateway",
-            vpc_id="vpcId"
+            vpc_id="vpcId",
+        
+            # the properties below are optional
+            tags=[CfnTag(
+                key="key",
+                value="value"
+            )]
         )
     '''
 
@@ -16246,17 +16265,19 @@ class CfnEgressOnlyInternetGateway(
         id: builtins.str,
         *,
         vpc_id: builtins.str,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param vpc_id: The ID of the VPC for which to create the egress-only internet gateway.
+        :param tags: The tags assigned to the egress-only internet gateway.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__84a7ddca98bd1c24713f12588ec54b51cdc19c99c2209e07c964172011c4d7ab)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        props = CfnEgressOnlyInternetGatewayProps(vpc_id=vpc_id)
+        props = CfnEgressOnlyInternetGatewayProps(vpc_id=vpc_id, tags=tags)
 
         jsii.create(self.__class__, self, [scope, id, props])
 
@@ -16299,6 +16320,12 @@ class CfnEgressOnlyInternetGateway(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -16317,17 +16344,36 @@ class CfnEgressOnlyInternetGateway(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "vpcId", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''The tags assigned to the egress-only internet gateway.'''
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tags"))
+
+    @tags.setter
+    def tags(self, value: typing.Optional[typing.List[_CfnTag_f6864754]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__923846a8ba3d02f36c9267e2c903018ed279860265ad8a488da0a81153c5ff44)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_ec2.CfnEgressOnlyInternetGatewayProps",
     jsii_struct_bases=[],
-    name_mapping={"vpc_id": "vpcId"},
+    name_mapping={"vpc_id": "vpcId", "tags": "tags"},
 )
 class CfnEgressOnlyInternetGatewayProps:
-    def __init__(self, *, vpc_id: builtins.str) -> None:
+    def __init__(
+        self,
+        *,
+        vpc_id: builtins.str,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ) -> None:
         '''Properties for defining a ``CfnEgressOnlyInternetGateway``.
 
         :param vpc_id: The ID of the VPC for which to create the egress-only internet gateway.
+        :param tags: The tags assigned to the egress-only internet gateway.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-egressonlyinternetgateway.html
         :exampleMetadata: fixture=_generated
@@ -16339,15 +16385,24 @@ class CfnEgressOnlyInternetGatewayProps:
             from aws_cdk import aws_ec2 as ec2
             
             cfn_egress_only_internet_gateway_props = ec2.CfnEgressOnlyInternetGatewayProps(
-                vpc_id="vpcId"
+                vpc_id="vpcId",
+            
+                # the properties below are optional
+                tags=[CfnTag(
+                    key="key",
+                    value="value"
+                )]
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b693b2d49003d73758f4c0003564a93353b18fc97434556a2e988e47f367fb84)
             check_type(argname="argument vpc_id", value=vpc_id, expected_type=type_hints["vpc_id"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "vpc_id": vpc_id,
         }
+        if tags is not None:
+            self._values["tags"] = tags
 
     @builtins.property
     def vpc_id(self) -> builtins.str:
@@ -16359,6 +16414,15 @@ class CfnEgressOnlyInternetGatewayProps:
         assert result is not None, "Required property 'vpc_id' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''The tags assigned to the egress-only internet gateway.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-egressonlyinternetgateway.html#cfn-ec2-egressonlyinternetgateway-tags
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -40953,9 +41017,7 @@ class CfnNetworkInterfacePermission(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_ec2.CfnNetworkInterfacePermission",
 ):
-    '''Specifies a permission for an Amazon EC2 network interface.
-
-    For example, you can grant an AWS authorized partner account permission to attach the specified network interface to an instance in their account.
+    '''Specifies a permission for the network interface, For example, you can grant an AWS -authorized account permission to attach the network interface to an instance in their account.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkinterfacepermission.html
     :cloudformationResource: AWS::EC2::NetworkInterfacePermission
@@ -52550,7 +52612,7 @@ class CfnSubnet(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v33 import KubectlV33Layer
         # vpc: ec2.Vpc
         
         
@@ -52575,11 +52637,11 @@ class CfnSubnet(
             subnetcount = subnetcount + 1
         
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_33,
             vpc=vpc,
             ip_family=eks.IpFamily.IP_V6,
             vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)],
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            kubectl_layer=KubectlV33Layer(self, "kubectl")
         )
     '''
 
@@ -52705,6 +52767,14 @@ class CfnSubnet(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrAvailabilityZoneId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrBlockPublicAccessStates")
+    def attr_block_public_access_states(self) -> _IResolvable_da3f097b:
+        '''
+        :cloudformationAttribute: BlockPublicAccessStates
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrBlockPublicAccessStates"))
+
     @builtins.property
     @jsii.member(jsii_name="attrCidrBlock")
     def attr_cidr_block(self) -> builtins.str:
@@ -53017,6 +53087,65 @@ class CfnSubnet(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_ec2.CfnSubnet.BlockPublicAccessStatesProperty",
+        jsii_struct_bases=[],
+        name_mapping={"internet_gateway_block_mode": "internetGatewayBlockMode"},
+    )
+    class BlockPublicAccessStatesProperty:
+        def __init__(
+            self,
+            *,
+            internet_gateway_block_mode: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''The state of VPC Block Public Access (BPA).
+
+            :param internet_gateway_block_mode: The mode of VPC BPA. - ``off`` : VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region. - ``block-bidirectional`` : Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets). - ``block-ingress`` : Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-subnet-blockpublicaccessstates.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_ec2 as ec2
+                
+                block_public_access_states_property = ec2.CfnSubnet.BlockPublicAccessStatesProperty(
+                    internet_gateway_block_mode="internetGatewayBlockMode"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__39b852e2beaad9da72706596053a58f7c1190828d458e590af07c5701812220d)
+                check_type(argname="argument internet_gateway_block_mode", value=internet_gateway_block_mode, expected_type=type_hints["internet_gateway_block_mode"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if internet_gateway_block_mode is not None:
+                self._values["internet_gateway_block_mode"] = internet_gateway_block_mode
+
+        @builtins.property
+        def internet_gateway_block_mode(self) -> typing.Optional[builtins.str]:
+            '''The mode of VPC BPA.
+
+            - ``off`` : VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region.
+            - ``block-bidirectional`` : Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
+            - ``block-ingress`` : Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-subnet-blockpublicaccessstates.html#cfn-ec2-subnet-blockpublicaccessstates-internetgatewayblockmode
+            '''
+            result = self._values.get("internet_gateway_block_mode")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "BlockPublicAccessStatesProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnSubnet.PrivateDnsNameOptionsOnLaunchProperty",
         jsii_struct_bases=[],
@@ -54239,7 +54368,8 @@ class CfnTrafficMirrorFilter(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The ID of a traffic mirror filter.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -54531,6 +54661,15 @@ class CfnTrafficMirrorFilterRule(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrTrafficMirrorFilterRuleId")
+    def attr_traffic_mirror_filter_rule_id(self) -> builtins.str:
+        '''The ID of the Traffic Mirror Filter rule.
+
+        :cloudformationAttribute: TrafficMirrorFilterRuleId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrTrafficMirrorFilterRuleId"))
+
     @builtins.property
     @jsii.member(jsii_name="cdkTagManager")
     def cdk_tag_manager(self) -> _TagManager_0a598cb3:
@@ -60874,7 +61013,7 @@ class CfnVPCCidrBlock(
 
     Example::
 
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v33 import KubectlV33Layer
         # vpc: ec2.Vpc
         
         
@@ -60899,11 +61038,11 @@ class CfnVPCCidrBlock(
             subnetcount = subnetcount + 1
         
         cluster = eks.Cluster(self, "hello-eks",
-            version=eks.KubernetesVersion.V1_32,
+            version=eks.KubernetesVersion.V1_33,
             vpc=vpc,
             ip_family=eks.IpFamily.IP_V6,
             vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)],
-            kubectl_layer=KubectlV32Layer(self, "kubectl")
+            kubectl_layer=KubectlV33Layer(self, "kubectl")
         )
     '''
 
@@ -61213,7 +61352,7 @@ class CfnVPCCidrBlockProps:
 
         Example::
 
-            from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+            from aws_cdk.lambda_layer_kubectl_v33 import KubectlV33Layer
             # vpc: ec2.Vpc
             
             
@@ -61238,11 +61377,11 @@ class CfnVPCCidrBlockProps:
                 subnetcount = subnetcount + 1
             
             cluster = eks.Cluster(self, "hello-eks",
-                version=eks.KubernetesVersion.V1_32,
+                version=eks.KubernetesVersion.V1_33,
                 vpc=vpc,
                 ip_family=eks.IpFamily.IP_V6,
                 vpc_subnets=[ec2.SubnetSelection(subnets=vpc.public_subnets)],
-                kubectl_layer=KubectlV32Layer(self, "kubectl")
+                kubectl_layer=KubectlV33Layer(self, "kubectl")
             )
         '''
         if __debug__:
@@ -71379,6 +71518,59 @@ class CfnVolumeProps:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.ClientRouteEnforcementOptions",
+    jsii_struct_bases=[],
+    name_mapping={"enforced": "enforced"},
+)
+class ClientRouteEnforcementOptions:
+    def __init__(self, *, enforced: builtins.bool) -> None:
+        '''Options for Client Route Enforcement.
+
+        :param enforced: Enable or disable Client Route Enforcement. The state can either be true (enabled) or false (disabled).
+
+        :exampleMetadata: fixture=client-vpn infused
+
+        Example::
+
+            endpoint = vpc.add_client_vpn_endpoint("Endpoint",
+                cidr="10.100.0.0/16",
+                server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
+                client_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
+                client_route_enforcement_options=ec2.ClientRouteEnforcementOptions(
+                    enforced=True
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ff75a2d8f5c6dd9dde18d6e1933265e0d20a4b21489fde8d4735778facaad902)
+            check_type(argname="argument enforced", value=enforced, expected_type=type_hints["enforced"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "enforced": enforced,
+        }
+
+    @builtins.property
+    def enforced(self) -> builtins.bool:
+        '''Enable or disable Client Route Enforcement.
+
+        The state can either be true (enabled) or false (disabled).
+        '''
+        result = self._values.get("enforced")
+        assert result is not None, "Required property 'enforced' is missing"
+        return typing.cast(builtins.bool, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "ClientRouteEnforcementOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 class ClientVpnAuthorizationRule(
     _Resource_45bc6135,
     metaclass=jsii.JSIIMeta,
@@ -71713,6 +71905,7 @@ class ClientVpnEndpointAttributes:
         "client_certificate_arn": "clientCertificateArn",
         "client_connection_handler": "clientConnectionHandler",
         "client_login_banner": "clientLoginBanner",
+        "client_route_enforcement_options": "clientRouteEnforcementOptions",
         "description": "description",
         "dns_servers": "dnsServers",
         "logging": "logging",
@@ -71738,6 +71931,7 @@ class ClientVpnEndpointOptions:
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional["IClientVpnConnectionHandler"] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -71760,6 +71954,7 @@ class ClientVpnEndpointOptions:
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -71790,6 +71985,8 @@ class ClientVpnEndpointOptions:
                 group_id="group-id"
             )
         '''
+        if isinstance(client_route_enforcement_options, dict):
+            client_route_enforcement_options = ClientRouteEnforcementOptions(**client_route_enforcement_options)
         if isinstance(vpc_subnets, dict):
             vpc_subnets = SubnetSelection(**vpc_subnets)
         if __debug__:
@@ -71800,6 +71997,7 @@ class ClientVpnEndpointOptions:
             check_type(argname="argument client_certificate_arn", value=client_certificate_arn, expected_type=type_hints["client_certificate_arn"])
             check_type(argname="argument client_connection_handler", value=client_connection_handler, expected_type=type_hints["client_connection_handler"])
             check_type(argname="argument client_login_banner", value=client_login_banner, expected_type=type_hints["client_login_banner"])
+            check_type(argname="argument client_route_enforcement_options", value=client_route_enforcement_options, expected_type=type_hints["client_route_enforcement_options"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
@@ -71825,6 +72023,8 @@ class ClientVpnEndpointOptions:
             self._values["client_connection_handler"] = client_connection_handler
         if client_login_banner is not None:
             self._values["client_login_banner"] = client_login_banner
+        if client_route_enforcement_options is not None:
+            self._values["client_route_enforcement_options"] = client_route_enforcement_options
         if description is not None:
             self._values["description"] = description
         if dns_servers is not None:
@@ -71922,6 +72122,22 @@ class ClientVpnEndpointOptions:
         result = self._values.get("client_login_banner")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def client_route_enforcement_options(
+        self,
+    ) -> typing.Optional[ClientRouteEnforcementOptions]:
+        '''Options for Client Route Enforcement.
+
+        Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN.
+        This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
+
+        :default: undefined - AWS Client VPN default setting is disable client route enforcement
+
+        :see: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html
+        '''
+        result = self._values.get("client_route_enforcement_options")
+        return typing.cast(typing.Optional[ClientRouteEnforcementOptions], result)
+
     @builtins.property
     def description(self) -> typing.Optional[builtins.str]:
         '''A brief description of the Client VPN endpoint.
@@ -72069,6 +72285,7 @@ class ClientVpnEndpointOptions:
         "client_certificate_arn": "clientCertificateArn",
         "client_connection_handler": "clientConnectionHandler",
         "client_login_banner": "clientLoginBanner",
+        "client_route_enforcement_options": "clientRouteEnforcementOptions",
         "description": "description",
         "dns_servers": "dnsServers",
         "logging": "logging",
@@ -72095,6 +72312,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional["IClientVpnConnectionHandler"] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -72118,6 +72336,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -72161,6 +72380,9 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
                 client_certificate_arn="clientCertificateArn",
                 client_connection_handler=client_vpn_connection_handler,
                 client_login_banner="clientLoginBanner",
+                client_route_enforcement_options=ec2.ClientRouteEnforcementOptions(
+                    enforced=False
+                ),
                 description="description",
                 dns_servers=["dnsServers"],
                 logging=False,
@@ -72183,6 +72405,8 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
                 )
             )
         '''
+        if isinstance(client_route_enforcement_options, dict):
+            client_route_enforcement_options = ClientRouteEnforcementOptions(**client_route_enforcement_options)
         if isinstance(vpc_subnets, dict):
             vpc_subnets = SubnetSelection(**vpc_subnets)
         if __debug__:
@@ -72193,6 +72417,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
             check_type(argname="argument client_certificate_arn", value=client_certificate_arn, expected_type=type_hints["client_certificate_arn"])
             check_type(argname="argument client_connection_handler", value=client_connection_handler, expected_type=type_hints["client_connection_handler"])
             check_type(argname="argument client_login_banner", value=client_login_banner, expected_type=type_hints["client_login_banner"])
+            check_type(argname="argument client_route_enforcement_options", value=client_route_enforcement_options, expected_type=type_hints["client_route_enforcement_options"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
@@ -72220,6 +72445,8 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
             self._values["client_connection_handler"] = client_connection_handler
         if client_login_banner is not None:
             self._values["client_login_banner"] = client_login_banner
+        if client_route_enforcement_options is not None:
+            self._values["client_route_enforcement_options"] = client_route_enforcement_options
         if description is not None:
             self._values["description"] = description
         if dns_servers is not None:
@@ -72317,6 +72544,22 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         result = self._values.get("client_login_banner")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def client_route_enforcement_options(
+        self,
+    ) -> typing.Optional[ClientRouteEnforcementOptions]:
+        '''Options for Client Route Enforcement.
+
+        Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN.
+        This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
+
+        :default: undefined - AWS Client VPN default setting is disable client route enforcement
+
+        :see: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html
+        '''
+        result = self._values.get("client_route_enforcement_options")
+        return typing.cast(typing.Optional[ClientRouteEnforcementOptions], result)
+
     @builtins.property
     def description(self) -> typing.Optional[builtins.str]:
         '''A brief description of the Client VPN endpoint.
@@ -76970,6 +77213,7 @@ class IVpc(_IResource_c80c4260, typing_extensions.Protocol):
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -76993,6 +77237,7 @@ class IVpc(_IResource_c80c4260, typing_extensions.Protocol):
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -77216,6 +77461,7 @@ class _IVpcProxy(
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -77239,6 +77485,7 @@ class _IVpcProxy(
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -77263,6 +77510,7 @@ class _IVpcProxy(
             client_certificate_arn=client_certificate_arn,
             client_connection_handler=client_connection_handler,
             client_login_banner=client_login_banner,
+            client_route_enforcement_options=client_route_enforcement_options,
             description=description,
             dns_servers=dns_servers,
             logging=logging,
@@ -83880,6 +84128,16 @@ class InterfaceVpcEndpointAwsService(
         '''
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SES"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SHIELD")
+    def SHIELD(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SHIELD"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SHIELD_FIPS")
+    def SHIELD_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SHIELD_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SIMSPACE_WEAVER")
     def SIMSPACE_WEAVER(cls) -> "InterfaceVpcEndpointAwsService":
@@ -83900,6 +84158,11 @@ class InterfaceVpcEndpointAwsService(
     def SQS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SQS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SQS_FIPS")
+    def SQS_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "SQS_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SSM")
     def SSM(cls) -> "InterfaceVpcEndpointAwsService":
@@ -83950,6 +84213,11 @@ class InterfaceVpcEndpointAwsService(
     def STS(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "STS"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="STS_FIPS")
+    def STS_FIPS(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "STS_FIPS"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="SUPPLY_CHAIN")
     def SUPPLY_CHAIN(cls) -> "InterfaceVpcEndpointAwsService":
@@ -94922,6 +95190,7 @@ class Vpc(
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -94945,6 +95214,7 @@ class Vpc(
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -94969,6 +95239,7 @@ class Vpc(
             client_certificate_arn=client_certificate_arn,
             client_connection_handler=client_connection_handler,
             client_login_banner=client_login_banner,
+            client_route_enforcement_options=client_route_enforcement_options,
             description=description,
             dns_servers=dns_servers,
             logging=logging,
@@ -103472,6 +103743,7 @@ class ClientVpnEndpoint(
         client_certificate_arn: typing.Optional[builtins.str] = None,
         client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
         client_login_banner: typing.Optional[builtins.str] = None,
+        client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
@@ -103496,6 +103768,7 @@ class ClientVpnEndpoint(
         :param client_certificate_arn: The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
         :param client_connection_handler: The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the ``AWSClientVPN-`` prefix Default: - no connection handler
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
+        :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
@@ -103522,6 +103795,7 @@ class ClientVpnEndpoint(
             client_certificate_arn=client_certificate_arn,
             client_connection_handler=client_connection_handler,
             client_login_banner=client_login_banner,
+            client_route_enforcement_options=client_route_enforcement_options,
             description=description,
             dns_servers=dns_servers,
             logging=logging,
@@ -104007,6 +104281,7 @@ __all__ = [
     "CfnVolumeAttachment",
     "CfnVolumeAttachmentProps",
     "CfnVolumeProps",
+    "ClientRouteEnforcementOptions",
     "ClientVpnAuthorizationRule",
     "ClientVpnAuthorizationRuleOptions",
     "ClientVpnAuthorizationRuleProps",
@@ -105971,6 +106246,7 @@ def _typecheckingstub__84a7ddca98bd1c24713f12588ec54b51cdc19c99c2209e07c96417201
     id: builtins.str,
     *,
     vpc_id: builtins.str,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -105993,9 +106269,16 @@ def _typecheckingstub__dd41a3676da418b0ac30e8c6707af491b5f32416672bf517e640f6132
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__923846a8ba3d02f36c9267e2c903018ed279860265ad8a488da0a81153c5ff44(
+    value: typing.Optional[typing.List[_CfnTag_f6864754]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b693b2d49003d73758f4c0003564a93353b18fc97434556a2e988e47f367fb84(
     *,
     vpc_id: builtins.str,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -110934,6 +111217,13 @@ def _typecheckingstub__b297663d31b5bbe92a3f56911eb6c57abab4c122a855b348cb1da68bc
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__39b852e2beaad9da72706596053a58f7c1190828d458e590af07c5701812220d(
+    *,
+    internet_gateway_block_mode: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__9ead2dbf33a2462f22ec4fe1b542f6a0fc766e914575dd0c8da36b35e6a471a0(
     *,
     enable_resource_name_dns_aaaa_record: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -114166,6 +114456,13 @@ def _typecheckingstub__df1f84bfc2d41a9f2d283d6a706150686c01c8f45a742c92af54cbee7
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ff75a2d8f5c6dd9dde18d6e1933265e0d20a4b21489fde8d4735778facaad902(
+    *,
+    enforced: builtins.bool,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__6f8556471b9878ffc0a31155bd24890dd137dc2f25f5faa23ec8adbfb35154db(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -114213,6 +114510,7 @@ def _typecheckingstub__73f8593e2e6199f8ae542cff4cbe02f0be09fd9043b8072cbb652d5b0
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -114238,6 +114536,7 @@ def _typecheckingstub__8e89ba9082e1bc80500c526e8522c5a90e2a91bd17d985f5932611e0b
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -114671,6 +114970,7 @@ def _typecheckingstub__19cdaa7bec0f733a863944b2be6c76392b1e518714158a913370b8de7
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -116554,6 +116854,7 @@ def _typecheckingstub__04f8b7e933af74b695401b45c9c6b308e4684ecde3cb9a2a1e358a336
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
@@ -117425,6 +117726,7 @@ def _typecheckingstub__9a2422e1dfabadbd7f572317ed37670a87714b6f36fe9da2a01f1e26e
     client_certificate_arn: typing.Optional[builtins.str] = None,
     client_connection_handler: typing.Optional[IClientVpnConnectionHandler] = None,
     client_login_banner: typing.Optional[builtins.str] = None,
+    client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,