aws-cdk-lib 2.218.0__py3-none-any.whl → 2.220.0__py3-none-any.whl

aws_cdk/aws_kinesis/__init__.py

@@ -17,6 +17,8 @@ intake and aggregation.
     * [Write Permissions](#write-permissions)
     * [Custom Permissions](#custom-permissions)
   * [Metrics](#metrics)
+
+    * [Shard-level Metrics](#shard-level-metrics)
 * [Stream Consumers](#stream-consumers)
 
   * [Read Permissions](#read-permissions-1)
@@ -189,6 +191,40 @@ stream.metric_get_records_success()
 stream.metric_get_records_success(statistic="Maximum")
 ```
 
+#### Shard-level Metrics
+
+You can enable enhanced shard-level metrics for your Kinesis stream to get detailed monitoring of individual shards. Shard-level metrics provide more granular insights into the performance and health of your stream.
+
+```python
+stream = kinesis.Stream(self, "MyStream",
+    shard_level_metrics=[kinesis.ShardLevelMetrics.ALL]
+)
+```
+
+You can also specify individual metrics that you want to monitor:
+
+```python
+stream = kinesis.Stream(self, "MyStream",
+    shard_level_metrics=[kinesis.ShardLevelMetrics.INCOMING_BYTES, kinesis.ShardLevelMetrics.INCOMING_RECORDS, kinesis.ShardLevelMetrics.ITERATOR_AGE_MILLISECONDS, kinesis.ShardLevelMetrics.OUTGOING_BYTES, kinesis.ShardLevelMetrics.OUTGOING_RECORDS, kinesis.ShardLevelMetrics.READ_PROVISIONED_THROUGHPUT_EXCEEDED, kinesis.ShardLevelMetrics.WRITE_PROVISIONED_THROUGHPUT_EXCEEDED
+    ]
+)
+```
+
+Available shard-level metrics include:
+
+* `INCOMING_BYTES` - The number of bytes successfully put to the shard
+* `INCOMING_RECORDS` - The number of records successfully put to the shard
+* `ITERATOR_AGE_MILLISECONDS` - The age of the last record in all GetRecords calls made against a shard
+* `OUTGOING_BYTES` - The number of bytes retrieved from the shard
+* `OUTGOING_RECORDS` - The number of records retrieved from the shard
+* `READ_PROVISIONED_THROUGHPUT_EXCEEDED` - The number of GetRecords calls throttled for the shard
+* `WRITE_PROVISIONED_THROUGHPUT_EXCEEDED` - The number of records rejected due to throttling for the shard
+* `ALL` - All available metrics
+
+Note: You cannot specify `ALL` together with other individual metrics. If you want all metrics, use `ALL` alone.
+
+For more information about shard-level metrics, see [Monitoring the Amazon Kinesis Data Streams Service with Amazon CloudWatch](https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-cloudwatch.html#kinesis-metrics-shard).
+
 ## Stream Consumers
 
 Creating stream consumers allow consumers to receive data from the stream using enhanced fan-out at a rate of up to 2 MiB per second for every shard.
@@ -377,7 +413,7 @@ class CfnResourcePolicyProps:
     ) -> None:
         '''Properties for defining a ``CfnResourcePolicy``.
 
-        :param resource_arn: This is the name for the resource policy.
+        :param resource_arn: Returns the Amazon Resource Name (ARN) of the resource-based policy.
         :param resource_policy: This is the description for the resource policy.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-resourcepolicy.html
@@ -407,7 +443,7 @@ class CfnResourcePolicyProps:
 
     @builtins.property
     def resource_arn(self) -> builtins.str:
-        '''This is the name for the resource policy.
+        '''Returns the Amazon Resource Name (ARN) of the resource-based policy.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-resourcepolicy.html#cfn-kinesis-resourcepolicy-resourcearn
         '''
@@ -3274,6 +3310,38 @@ class ResourcePolicyReference:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_kinesis.ShardLevelMetrics")
+class ShardLevelMetrics(enum.Enum):
+    '''Enhanced shard-level metrics.
+
+    :see: https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-cloudwatch.html#kinesis-metrics-shard
+    :exampleMetadata: infused
+
+    Example::
+
+        stream = kinesis.Stream(self, "MyStream",
+            shard_level_metrics=[kinesis.ShardLevelMetrics.ALL]
+        )
+    '''
+
+    INCOMING_BYTES = "INCOMING_BYTES"
+    '''The number of bytes successfully put to the shard over the specified time period.'''
+    INCOMING_RECORDS = "INCOMING_RECORDS"
+    '''The number of records successfully put to the shard over the specified time period.'''
+    ITERATOR_AGE_MILLISECONDS = "ITERATOR_AGE_MILLISECONDS"
+    '''The age of the last record in all GetRecords calls made against a shard, measured over the specified time period.'''
+    OUTGOING_BYTES = "OUTGOING_BYTES"
+    '''The number of bytes retrieved from the shard, measured over the specified time period.'''
+    OUTGOING_RECORDS = "OUTGOING_RECORDS"
+    '''The number of records retrieved from the shard, measured over the specified time period.'''
+    READ_PROVISIONED_THROUGHPUT_EXCEEDED = "READ_PROVISIONED_THROUGHPUT_EXCEEDED"
+    '''The number of GetRecords calls throttled for the shard over the specified time period.'''
+    WRITE_PROVISIONED_THROUGHPUT_EXCEEDED = "WRITE_PROVISIONED_THROUGHPUT_EXCEEDED"
+    '''The number of records rejected due to throttling for the shard over the specified time period.'''
+    ALL = "ALL"
+    '''All metrics.'''
+
+
 @jsii.implements(IStream)
 class Stream(
     _Resource_45bc6135,
@@ -3311,6 +3379,7 @@ class Stream(
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
         retention_period: typing.Optional[_Duration_4839e8c3] = None,
         shard_count: typing.Optional[jsii.Number] = None,
+        shard_level_metrics: typing.Optional[typing.Sequence[ShardLevelMetrics]] = None,
         stream_mode: typing.Optional["StreamMode"] = None,
         stream_name: typing.Optional[builtins.str] = None,
     ) -> None:
@@ -3322,6 +3391,7 @@ class Stream(
         :param removal_policy: Policy to apply when the stream is removed from the stack. Default: RemovalPolicy.RETAIN
         :param retention_period: The number of hours for the data records that are stored in shards to remain accessible. Default: Duration.hours(24)
         :param shard_count: The number of shards for the stream. Can only be provided if streamMode is Provisioned. Default: 1
+        :param shard_level_metrics: A list of shard-level metrics in properties to enable enhanced monitoring mode. Default: undefined - AWS Kinesis default is disabled
         :param stream_mode: The capacity mode of this stream. Default: StreamMode.PROVISIONED
         :param stream_name: Enforces a particular physical stream name. Default: 
         '''
@@ -3335,6 +3405,7 @@ class Stream(
             removal_policy=removal_policy,
             retention_period=retention_period,
             shard_count=shard_count,
+            shard_level_metrics=shard_level_metrics,
             stream_mode=stream_mode,
             stream_name=stream_name,
         )
@@ -5034,6 +5105,7 @@ class StreamMode(enum.Enum):
         "removal_policy": "removalPolicy",
         "retention_period": "retentionPeriod",
         "shard_count": "shardCount",
+        "shard_level_metrics": "shardLevelMetrics",
         "stream_mode": "streamMode",
         "stream_name": "streamName",
     },
@@ -5047,6 +5119,7 @@ class StreamProps:
         removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
         retention_period: typing.Optional[_Duration_4839e8c3] = None,
         shard_count: typing.Optional[jsii.Number] = None,
+        shard_level_metrics: typing.Optional[typing.Sequence[ShardLevelMetrics]] = None,
         stream_mode: typing.Optional[StreamMode] = None,
         stream_name: typing.Optional[builtins.str] = None,
     ) -> None:
@@ -5057,6 +5130,7 @@ class StreamProps:
         :param removal_policy: Policy to apply when the stream is removed from the stack. Default: RemovalPolicy.RETAIN
         :param retention_period: The number of hours for the data records that are stored in shards to remain accessible. Default: Duration.hours(24)
         :param shard_count: The number of shards for the stream. Can only be provided if streamMode is Provisioned. Default: 1
+        :param shard_level_metrics: A list of shard-level metrics in properties to enable enhanced monitoring mode. Default: undefined - AWS Kinesis default is disabled
         :param stream_mode: The capacity mode of this stream. Default: StreamMode.PROVISIONED
         :param stream_name: Enforces a particular physical stream name. Default: 
 
@@ -5078,6 +5152,7 @@ class StreamProps:
             check_type(argname="argument removal_policy", value=removal_policy, expected_type=type_hints["removal_policy"])
             check_type(argname="argument retention_period", value=retention_period, expected_type=type_hints["retention_period"])
             check_type(argname="argument shard_count", value=shard_count, expected_type=type_hints["shard_count"])
+            check_type(argname="argument shard_level_metrics", value=shard_level_metrics, expected_type=type_hints["shard_level_metrics"])
             check_type(argname="argument stream_mode", value=stream_mode, expected_type=type_hints["stream_mode"])
             check_type(argname="argument stream_name", value=stream_name, expected_type=type_hints["stream_name"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
@@ -5091,6 +5166,8 @@ class StreamProps:
             self._values["retention_period"] = retention_period
         if shard_count is not None:
             self._values["shard_count"] = shard_count
+        if shard_level_metrics is not None:
+            self._values["shard_level_metrics"] = shard_level_metrics
         if stream_mode is not None:
             self._values["stream_mode"] = stream_mode
         if stream_name is not None:
@@ -5156,6 +5233,17 @@ class StreamProps:
         result = self._values.get("shard_count")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def shard_level_metrics(self) -> typing.Optional[typing.List[ShardLevelMetrics]]:
+        '''A list of shard-level metrics in properties to enable enhanced monitoring mode.
+
+        :default: undefined - AWS Kinesis default is disabled
+
+        :see: https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-cloudwatch.html#kinesis-metrics-shard
+        '''
+        result = self._values.get("shard_level_metrics")
+        return typing.cast(typing.Optional[typing.List[ShardLevelMetrics]], result)
+
     @builtins.property
     def stream_mode(self) -> typing.Optional[StreamMode]:
         '''The capacity mode of this stream.
@@ -5292,7 +5380,7 @@ class CfnResourcePolicy(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param resource_arn: This is the name for the resource policy.
+        :param resource_arn: Returns the Amazon Resource Name (ARN) of the resource-based policy.
         :param resource_policy: This is the description for the resource policy.
         '''
         if __debug__:
@@ -5349,7 +5437,7 @@ class CfnResourcePolicy(
     @builtins.property
     @jsii.member(jsii_name="resourceArn")
     def resource_arn(self) -> builtins.str:
-        '''This is the name for the resource policy.'''
+        '''Returns the Amazon Resource Name (ARN) of the resource-based policy.'''
         return typing.cast(builtins.str, jsii.get(self, "resourceArn"))
 
     @resource_arn.setter
@@ -6015,6 +6103,7 @@ __all__ = [
     "ResourcePolicy",
     "ResourcePolicyProps",
     "ResourcePolicyReference",
+    "ShardLevelMetrics",
     "Stream",
     "StreamAttributes",
     "StreamConsumer",
@@ -6164,6 +6253,7 @@ def _typecheckingstub__d9e4f581406090d861e3fe8214f939eedc5d1ccaffe122a7542878ec4
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     retention_period: typing.Optional[_Duration_4839e8c3] = None,
     shard_count: typing.Optional[jsii.Number] = None,
+    shard_level_metrics: typing.Optional[typing.Sequence[ShardLevelMetrics]] = None,
     stream_mode: typing.Optional[StreamMode] = None,
     stream_name: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -6321,6 +6411,7 @@ def _typecheckingstub__88629f78086711b76f550ae13e14f2db1429deb350aa5b10b7073d585
     removal_policy: typing.Optional[_RemovalPolicy_9f93c814] = None,
     retention_period: typing.Optional[_Duration_4839e8c3] = None,
     shard_count: typing.Optional[jsii.Number] = None,
+    shard_level_metrics: typing.Optional[typing.Sequence[ShardLevelMetrics]] = None,
     stream_mode: typing.Optional[StreamMode] = None,
     stream_name: typing.Optional[builtins.str] = None,
 ) -> None:

aws_cdk/aws_lambda/__init__.py

@@ -661,6 +661,17 @@ CfnOutput(self, "TheUrl",
 )
 ```
 
+### Important Function URL Permission Update - Oct 2025
+
+Starting Oct 2025, Function URL invocation will require two permissions
+
+* lambda:InvokeFunctionUrl
+* lambda:InvokeFunction (New)
+
+CDK has updated `grantInvokeUrl` and `addFunctionUrl` to add both permission above.
+
+If your existing CDK stack uses `grantInvokeUrl` or `addFunctionUrl`, your next deployment will automatically add the `lambda:InvokeFunction` permission without requiring any code changes. This ensures your Function URLs continue working seamlessly. No additional actions are needed.
+
 ### CORS configuration for Function URLs
 
 If you want your Function URLs to be invokable from a web page in browser, you
@@ -15337,6 +15348,7 @@ class ParamsAndSecretsVersions(enum.Enum):
         "action": "action",
         "event_source_token": "eventSourceToken",
         "function_url_auth_type": "functionUrlAuthType",
+        "invoked_via_function_url": "invokedViaFunctionUrl",
         "organization_id": "organizationId",
         "scope": "scope",
         "source_account": "sourceAccount",
@@ -15351,6 +15363,7 @@ class Permission:
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -15362,6 +15375,7 @@ class Permission:
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -15389,6 +15403,7 @@ class Permission:
             check_type(argname="argument action", value=action, expected_type=type_hints["action"])
             check_type(argname="argument event_source_token", value=event_source_token, expected_type=type_hints["event_source_token"])
             check_type(argname="argument function_url_auth_type", value=function_url_auth_type, expected_type=type_hints["function_url_auth_type"])
+            check_type(argname="argument invoked_via_function_url", value=invoked_via_function_url, expected_type=type_hints["invoked_via_function_url"])
             check_type(argname="argument organization_id", value=organization_id, expected_type=type_hints["organization_id"])
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument source_account", value=source_account, expected_type=type_hints["source_account"])
@@ -15402,6 +15417,8 @@ class Permission:
             self._values["event_source_token"] = event_source_token
         if function_url_auth_type is not None:
             self._values["function_url_auth_type"] = function_url_auth_type
+        if invoked_via_function_url is not None:
+            self._values["invoked_via_function_url"] = invoked_via_function_url
         if organization_id is not None:
             self._values["organization_id"] = organization_id
         if scope is not None:
@@ -15463,6 +15480,17 @@ class Permission:
         result = self._values.get("function_url_auth_type")
         return typing.cast(typing.Optional[FunctionUrlAuthType], result)
 
+    @builtins.property
+    def invoked_via_function_url(self) -> typing.Optional[builtins.bool]:
+        '''The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only.
+
+        When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs.
+
+        :default: - false
+        '''
+        result = self._values.get("invoked_via_function_url")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def organization_id(self) -> typing.Optional[builtins.str]:
         '''The organization you want to grant permissions to.
@@ -27005,6 +27033,7 @@ class IFunction(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -27017,6 +27046,7 @@ class IFunction(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -27504,6 +27534,7 @@ class _IFunctionProxy(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -27516,6 +27547,7 @@ class _IFunctionProxy(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -27531,6 +27563,7 @@ class _IFunctionProxy(
             action=action,
             event_source_token=event_source_token,
             function_url_auth_type=function_url_auth_type,
+            invoked_via_function_url=invoked_via_function_url,
             organization_id=organization_id,
             scope=scope,
             source_account=source_account,
@@ -28806,6 +28839,7 @@ class FunctionBase(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -28818,6 +28852,7 @@ class FunctionBase(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -28833,6 +28868,7 @@ class FunctionBase(
             action=action,
             event_source_token=event_source_token,
             function_url_auth_type=function_url_auth_type,
+            invoked_via_function_url=invoked_via_function_url,
             organization_id=organization_id,
             scope=scope,
             source_account=source_account,
@@ -29892,6 +29928,7 @@ class SingletonFunction(
         action: typing.Optional[builtins.str] = None,
         event_source_token: typing.Optional[builtins.str] = None,
         function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+        invoked_via_function_url: typing.Optional[builtins.bool] = None,
         organization_id: typing.Optional[builtins.str] = None,
         scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
         source_account: typing.Optional[builtins.str] = None,
@@ -29904,6 +29941,7 @@ class SingletonFunction(
         :param action: The Lambda actions that you want to allow in this statement. For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide. Default: 'lambda:InvokeFunction'
         :param event_source_token: A unique token that must be supplied by the principal invoking the function. Default: - The caller would not need to present a token.
         :param function_url_auth_type: The authType for the function URL that you are granting permissions for. Default: - No functionUrlAuthType
+        :param invoked_via_function_url: The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. Default: - false
         :param organization_id: The organization you want to grant permissions to. Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the ``principal`` property will suffice. You can use this property to ensure that all source principals are owned by a specific organization. Default: - No organizationId
         :param scope: The scope to which the permission constructs be attached. The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller). Default: - The instance of lambda.IFunction
         :param source_account: The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
@@ -29917,6 +29955,7 @@ class SingletonFunction(
             action=action,
             event_source_token=event_source_token,
             function_url_auth_type=function_url_auth_type,
+            invoked_via_function_url=invoked_via_function_url,
             organization_id=organization_id,
             scope=scope,
             source_account=source_account,
@@ -33115,6 +33154,7 @@ def _typecheckingstub__43f02634f6ed895ea88b35db6c7a6ba5a7da45fa4945d0f90bf36d079
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,
@@ -34803,6 +34843,7 @@ def _typecheckingstub__012ac5126b1401118a0cd31e22b2fef5e1ab897a320c6edf7d16633af
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,
@@ -35048,6 +35089,7 @@ def _typecheckingstub__213097e02686d5b4e582802e2e3e822fb2c79f2920c55d92f2f4f8f05
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,
@@ -35245,6 +35287,7 @@ def _typecheckingstub__6d48a048e22819587505668ae6e1fbdfeedaaaf355ad52bd1196e683b
     action: typing.Optional[builtins.str] = None,
     event_source_token: typing.Optional[builtins.str] = None,
     function_url_auth_type: typing.Optional[FunctionUrlAuthType] = None,
+    invoked_via_function_url: typing.Optional[builtins.bool] = None,
     organization_id: typing.Optional[builtins.str] = None,
     scope: typing.Optional[_constructs_77d1e7e8.Construct] = None,
     source_account: typing.Optional[builtins.str] = None,