aws-cdk-lib 2.219.0__py3-none-any.whl → 2.221.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1422,6 +1422,21 @@ endpoint = vpc.add_client_vpn_endpoint("Endpoint",
 )
 ```
 
+To control whether clients are automatically disconnected when the maximum session duration is reached, use the `disconnectOnSessionTimeout` prop.
+By default (`true`), clients are disconnected and must manually reconnect.
+Set to `false` to allow automatic reconnection attempts:
+
+```python
+endpoint = vpc.add_client_vpn_endpoint("Endpoint",
+    cidr="10.100.0.0/16",
+    server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
+    client_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
+    disconnect_on_session_timeout=False
+)
+```
+
+Detail information about maximum VPN session duration timeout can be found in the [AWS documentation](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-max-duration.html).
+
 ## Instances
 
 You can use the `Instance` class to start up a single EC2 instance. For production setups, we recommend
@@ -2936,6 +2951,9 @@ class AcceleratorManufacturer(enum.Enum):
             propagate_tags=ecs.PropagateManagedInstancesTags.CAPACITY_PROVIDER
         )
         
+        # Optionally configure security group rules using IConnectable interface
+        mi_capacity_provider.connections.allow_from(ec2.Peer.ipv4(vpc.vpc_cidr_block), ec2.Port.tcp(80))
+        
         # Add the capacity provider to the cluster
         cluster.add_managed_instances_capacity_provider(mi_capacity_provider)
         
@@ -6678,7 +6696,7 @@ class CfnCapacityReservationProps:
         :param instance_platform: The type of operating system for which to reserve capacity.
         :param instance_type: The instance type for which to reserve capacity. .. epigraph:: You can request future-dated Capacity Reservations for instance types in the C, M, R, I, T, and G instance families only. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* .
         :param availability_zone: The Availability Zone in which to create the Capacity Reservation.
-        :param availability_zone_id: The Availability Zone ID of the Capacity Reservation.
+        :param availability_zone_id: The ID of the Availability Zone in which the capacity is reserved.
         :param ebs_optimized: Indicates whether the Capacity Reservation supports EBS-optimized instances. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS- optimized instance.
         :param end_date: The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to ``expired`` when it reaches its end date and time. You must provide an ``EndDate`` value if ``EndDateType`` is ``limited`` . Omit ``EndDate`` if ``EndDateType`` is ``unlimited`` . If the ``EndDateType`` is ``limited`` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019. If you are requesting a future-dated Capacity Reservation, you can't specify an end date and time that is within the commitment duration.
         :param end_date_type: Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types: - ``unlimited`` - The Capacity Reservation remains active until you explicitly cancel it. Do not provide an ``EndDate`` if the ``EndDateType`` is ``unlimited`` . - ``limited`` - The Capacity Reservation expires automatically at a specified date and time. You must provide an ``EndDate`` value if the ``EndDateType`` value is ``limited`` .
@@ -6825,7 +6843,7 @@ class CfnCapacityReservationProps:
 
     @builtins.property
     def availability_zone_id(self) -> typing.Optional[builtins.str]:
-        '''The Availability Zone ID of the Capacity Reservation.
+        '''The ID of the Availability Zone in which the capacity is reserved.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-capacityreservation.html#cfn-ec2-capacityreservation-availabilityzoneid
         '''
@@ -12841,6 +12859,7 @@ class CfnLocalGatewayVirtualInterfaceProps:
         "secondary_private_ip_addresses": "secondaryPrivateIpAddresses",
         "subnet_id": "subnetId",
         "tags": "tags",
+        "vpc_id": "vpcId",
     },
 )
 class CfnNatGatewayProps:
@@ -12856,6 +12875,7 @@ class CfnNatGatewayProps:
         secondary_private_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
         subnet_id: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        vpc_id: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for defining a ``CfnNatGateway``.
 
@@ -12868,6 +12888,7 @@ class CfnNatGatewayProps:
         :param secondary_private_ip_addresses: Secondary private IPv4 addresses. For more information about secondary addresses, see `Create a NAT gateway <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating>`_ in the *Amazon Virtual Private Cloud User Guide* . ``SecondaryPrivateIpAddressCount`` and ``SecondaryPrivateIpAddresses`` cannot be set at the same time.
         :param subnet_id: The ID of the subnet in which the NAT gateway is located.
         :param tags: The tags for the NAT gateway.
+        :param vpc_id: The ID of the VPC in which the NAT gateway is located.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-natgateway.html
         :exampleMetadata: fixture=_generated
@@ -12890,7 +12911,8 @@ class CfnNatGatewayProps:
                 tags=[CfnTag(
                     key="key",
                     value="value"
-                )]
+                )],
+                vpc_id="vpcId"
             )
         '''
         if __debug__:
@@ -12904,6 +12926,7 @@ class CfnNatGatewayProps:
             check_type(argname="argument secondary_private_ip_addresses", value=secondary_private_ip_addresses, expected_type=type_hints["secondary_private_ip_addresses"])
             check_type(argname="argument subnet_id", value=subnet_id, expected_type=type_hints["subnet_id"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+            check_type(argname="argument vpc_id", value=vpc_id, expected_type=type_hints["vpc_id"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if allocation_id is not None:
             self._values["allocation_id"] = allocation_id
@@ -12923,6 +12946,8 @@ class CfnNatGatewayProps:
             self._values["subnet_id"] = subnet_id
         if tags is not None:
             self._values["tags"] = tags
+        if vpc_id is not None:
+            self._values["vpc_id"] = vpc_id
 
     @builtins.property
     def allocation_id(self) -> typing.Optional[builtins.str]:
@@ -13025,6 +13050,15 @@ class CfnNatGatewayProps:
         result = self._values.get("tags")
         return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
 
+    @builtins.property
+    def vpc_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of the VPC in which the NAT gateway is located.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-natgateway.html#cfn-ec2-natgateway-vpcid
+        '''
+        result = self._values.get("vpc_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -23080,11 +23114,11 @@ class CfnVolumeProps:
         :param availability_zone: The ID of the Availability Zone in which to create the volume. For example, ``us-east-1a`` . Either ``AvailabilityZone`` or ``AvailabilityZoneId`` must be specified, but not both.
         :param auto_enable_io: Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/O to the volume from attached EC2 instances when it determines that a volume's data is potentially inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be made available immediately if it's impaired, you can configure the volume to automatically enable I/O.
         :param encrypted: Indicates whether the volume should be encrypted. The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default>`_ in the *Amazon EBS User Guide* . Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption_supported_instances>`_ .
-        :param iops: The number of I/O operations per second (IOPS). For ``gp3`` , ``io1`` , and ``io2`` volumes, this represents the number of IOPS that are provisioned for the volume. For ``gp2`` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. The following are the supported values for each volume type: - ``gp3`` : 3,000 - 80,000 IOPS - ``io1`` : 100 - 64,000 IOPS - ``io2`` : 100 - 256,000 IOPS For ``io2`` volumes, you can achieve up to 256,000 IOPS on `instances built on the Nitro System <https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html>`_ . On other instances, you can achieve performance up to 32,000 IOPS. This parameter is required for ``io1`` and ``io2`` volumes. The default for ``gp3`` volumes is 3,000 IOPS. This parameter is not supported for ``gp2`` , ``st1`` , ``sc1`` , or ``standard`` volumes.
+        :param iops: The number of I/O operations per second (IOPS) to provision for the volume. Required for ``io1`` and ``io2`` volumes. Optional for ``gp3`` volumes. Omit for all other volume types. Valid ranges: - gp3: ``3,000`` ( *default* ) ``- 80,000`` IOPS - io1: ``100 - 64,000`` IOPS - io2: ``100 - 256,000`` IOPS .. epigraph:: `Instances built on the Nitro System <https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html>`_ can support up to 256,000 IOPS. Other instances can support up to 32,000 IOPS.
         :param kms_key_id: The identifier of the AWS KMS key to use for Amazon EBS encryption. If ``KmsKeyId`` is specified, the encrypted state must be ``true`` . If you omit this property and your account is enabled for encryption by default, or *Encrypted* is set to ``true`` , then the volume is encrypted using the default key specified for your account. If your account does not have a default key, then the volume is encrypted using the AWS managed key . Alternatively, if you want to specify a different key, you can specify one of the following: - Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. - Key alias. Specify the alias for the key, prefixed with ``alias/`` . For example, for a key with the alias ``my_cmk`` , use ``alias/my_cmk`` . Or to specify the AWS managed key , use ``alias/aws/ebs`` . - Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab. - Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
         :param multi_attach_enabled: Indicates whether Amazon EBS Multi-Attach is enabled. AWS CloudFormation does not currently support updating a single-attach volume to be multi-attach enabled, updating a multi-attach enabled volume to be single-attach, or updating the size or number of I/O operations per second (IOPS) of a multi-attach enabled volume.
         :param outpost_arn: The Amazon Resource Name (ARN) of the Outpost.
-        :param size: The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size. The following are the supported volumes sizes for each volume type: - ``gp2`` : 1 - 16,384 GiB - ``gp3`` : 1 - 65,536 GiB - ``io1`` : 4 - 16,384 GiB - ``io2`` : 4 - 65,536 GiB - ``st1`` and ``sc1`` : 125 - 16,384 GiB - ``standard`` : 1 - 1024 GiB
+        :param size: The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size, and you can specify a volume size that is equal to or larger than the snapshot size. Valid sizes: - gp2: ``1 - 16,384`` GiB - gp3: ``1 - 65,536`` GiB - io1: ``4 - 16,384`` GiB - io2: ``4 - 65,536`` GiB - st1 and sc1: ``125 - 16,384`` GiB - standard: ``1 - 1024`` GiB
         :param snapshot_id: The snapshot from which to create the volume. You must specify either a snapshot ID or a volume size.
         :param tags: The tags to apply to the volume during creation.
         :param throughput: The throughput to provision for a volume, with a maximum of 1,000 MiB/s. This parameter is valid only for ``gp3`` volumes. The default value is 125. Valid Range: Minimum value of 125. Maximum value of 1000.
@@ -23206,19 +23240,19 @@ class CfnVolumeProps:
 
     @builtins.property
     def iops(self) -> typing.Optional[jsii.Number]:
-        '''The number of I/O operations per second (IOPS).
+        '''The number of I/O operations per second (IOPS) to provision for the volume.
 
-        For ``gp3`` , ``io1`` , and ``io2`` volumes, this represents the number of IOPS that are provisioned for the volume. For ``gp2`` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.
+        Required for ``io1`` and ``io2`` volumes. Optional for ``gp3`` volumes. Omit for all other volume types.
 
-        The following are the supported values for each volume type:
+        Valid ranges:
 
-        - ``gp3`` : 3,000 - 80,000 IOPS
-        - ``io1`` : 100 - 64,000 IOPS
-        - ``io2`` : 100 - 256,000 IOPS
+        - gp3: ``3,000`` ( *default* ) ``- 80,000`` IOPS
+        - io1: ``100 - 64,000`` IOPS
+        - io2: ``100 - 256,000`` IOPS
 
-        For ``io2`` volumes, you can achieve up to 256,000 IOPS on `instances built on the Nitro System <https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html>`_ . On other instances, you can achieve performance up to 32,000 IOPS.
+        .. epigraph::
 
-        This parameter is required for ``io1`` and ``io2`` volumes. The default for ``gp3`` volumes is 3,000 IOPS. This parameter is not supported for ``gp2`` , ``st1`` , ``sc1`` , or ``standard`` volumes.
+           `Instances built on the Nitro System <https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html>`_ can support up to 256,000 IOPS. Other instances can support up to 32,000 IOPS.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-volume.html#cfn-ec2-volume-iops
         '''
@@ -23271,16 +23305,16 @@ class CfnVolumeProps:
     def size(self) -> typing.Optional[jsii.Number]:
         '''The size of the volume, in GiBs.
 
-        You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.
+        You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size, and you can specify a volume size that is equal to or larger than the snapshot size.
 
-        The following are the supported volumes sizes for each volume type:
+        Valid sizes:
 
-        - ``gp2`` : 1 - 16,384 GiB
-        - ``gp3`` : 1 - 65,536 GiB
-        - ``io1`` : 4 - 16,384 GiB
-        - ``io2`` : 4 - 65,536 GiB
-        - ``st1`` and ``sc1`` : 125 - 16,384 GiB
-        - ``standard`` : 1 - 1024 GiB
+        - gp2: ``1 - 16,384`` GiB
+        - gp3: ``1 - 65,536`` GiB
+        - io1: ``4 - 16,384`` GiB
+        - io2: ``4 - 65,536`` GiB
+        - st1 and sc1: ``125 - 16,384`` GiB
+        - standard: ``1 - 1024`` GiB
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-volume.html#cfn-ec2-volume-size
         '''
@@ -23814,6 +23848,7 @@ class ClientVpnEndpointAttributes:
         "client_login_banner": "clientLoginBanner",
         "client_route_enforcement_options": "clientRouteEnforcementOptions",
         "description": "description",
+        "disconnect_on_session_timeout": "disconnectOnSessionTimeout",
         "dns_servers": "dnsServers",
         "logging": "logging",
         "log_group": "logGroup",
@@ -23840,6 +23875,7 @@ class ClientVpnEndpointOptions:
         client_login_banner: typing.Optional[builtins.str] = None,
         client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
+        disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
         log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -23863,6 +23899,7 @@ class ClientVpnEndpointOptions:
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
         :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
+        :param disconnect_on_session_timeout: Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached. If ``true``, users are prompted to reconnect client VPN. If ``false``, client VPN attempts to reconnect automatically. Default: undefined - AWS Client VPN default is true
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
         :param log_group: A CloudWatch Logs log group for connection logging. Default: - a new group is created
@@ -23880,16 +23917,13 @@ class ClientVpnEndpointOptions:
 
         Example::
 
-            endpoint = vpc.add_client_vpn_endpoint("Endpoint",
+            vpc.add_client_vpn_endpoint("Endpoint",
                 cidr="10.100.0.0/16",
                 server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
-                user_based_authentication=ec2.ClientVpnUserBasedAuthentication.federated(saml_provider),
-                authorize_all_users_to_vpc_cidr=False
-            )
-            
-            endpoint.add_authorization_rule("Rule",
-                cidr="10.0.10.0/32",
-                group_id="group-id"
+                # Mutual authentication
+                client_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
+                # User-based authentication
+                user_based_authentication=ec2.ClientVpnUserBasedAuthentication.federated(saml_provider)
             )
         '''
         if isinstance(client_route_enforcement_options, dict):
@@ -23906,6 +23940,7 @@ class ClientVpnEndpointOptions:
             check_type(argname="argument client_login_banner", value=client_login_banner, expected_type=type_hints["client_login_banner"])
             check_type(argname="argument client_route_enforcement_options", value=client_route_enforcement_options, expected_type=type_hints["client_route_enforcement_options"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            check_type(argname="argument disconnect_on_session_timeout", value=disconnect_on_session_timeout, expected_type=type_hints["disconnect_on_session_timeout"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
             check_type(argname="argument log_group", value=log_group, expected_type=type_hints["log_group"])
@@ -23934,6 +23969,8 @@ class ClientVpnEndpointOptions:
             self._values["client_route_enforcement_options"] = client_route_enforcement_options
         if description is not None:
             self._values["description"] = description
+        if disconnect_on_session_timeout is not None:
+            self._values["disconnect_on_session_timeout"] = disconnect_on_session_timeout
         if dns_servers is not None:
             self._values["dns_servers"] = dns_servers
         if logging is not None:
@@ -24054,6 +24091,20 @@ class ClientVpnEndpointOptions:
         result = self._values.get("description")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def disconnect_on_session_timeout(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached.
+
+        If ``true``, users are prompted to reconnect client VPN.
+        If ``false``, client VPN attempts to reconnect automatically.
+
+        :default: undefined - AWS Client VPN default is true
+
+        :see: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-max-duration.html
+        '''
+        result = self._values.get("disconnect_on_session_timeout")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def dns_servers(self) -> typing.Optional[typing.List[builtins.str]]:
         '''Information about the DNS servers to be used for DNS resolution.
@@ -24194,6 +24245,7 @@ class ClientVpnEndpointOptions:
         "client_login_banner": "clientLoginBanner",
         "client_route_enforcement_options": "clientRouteEnforcementOptions",
         "description": "description",
+        "disconnect_on_session_timeout": "disconnectOnSessionTimeout",
         "dns_servers": "dnsServers",
         "logging": "logging",
         "log_group": "logGroup",
@@ -24221,6 +24273,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         client_login_banner: typing.Optional[builtins.str] = None,
         client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
+        disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
         log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -24245,6 +24298,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
         :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
+        :param disconnect_on_session_timeout: Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached. If ``true``, users are prompted to reconnect client VPN. If ``false``, client VPN attempts to reconnect automatically. Default: undefined - AWS Client VPN default is true
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
         :param log_group: A CloudWatch Logs log group for connection logging. Default: - a new group is created
@@ -24291,6 +24345,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
                     enforced=False
                 ),
                 description="description",
+                disconnect_on_session_timeout=False,
                 dns_servers=["dnsServers"],
                 logging=False,
                 log_group=log_group,
@@ -24326,6 +24381,7 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
             check_type(argname="argument client_login_banner", value=client_login_banner, expected_type=type_hints["client_login_banner"])
             check_type(argname="argument client_route_enforcement_options", value=client_route_enforcement_options, expected_type=type_hints["client_route_enforcement_options"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            check_type(argname="argument disconnect_on_session_timeout", value=disconnect_on_session_timeout, expected_type=type_hints["disconnect_on_session_timeout"])
             check_type(argname="argument dns_servers", value=dns_servers, expected_type=type_hints["dns_servers"])
             check_type(argname="argument logging", value=logging, expected_type=type_hints["logging"])
             check_type(argname="argument log_group", value=log_group, expected_type=type_hints["log_group"])
@@ -24356,6 +24412,8 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
             self._values["client_route_enforcement_options"] = client_route_enforcement_options
         if description is not None:
             self._values["description"] = description
+        if disconnect_on_session_timeout is not None:
+            self._values["disconnect_on_session_timeout"] = disconnect_on_session_timeout
         if dns_servers is not None:
             self._values["dns_servers"] = dns_servers
         if logging is not None:
@@ -24476,6 +24534,20 @@ class ClientVpnEndpointProps(ClientVpnEndpointOptions):
         result = self._values.get("description")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def disconnect_on_session_timeout(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached.
+
+        If ``true``, users are prompted to reconnect client VPN.
+        If ``false``, client VPN attempts to reconnect automatically.
+
+        :default: undefined - AWS Client VPN default is true
+
+        :see: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-max-duration.html
+        '''
+        result = self._values.get("disconnect_on_session_timeout")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def dns_servers(self) -> typing.Optional[typing.List[builtins.str]]:
         '''Information about the DNS servers to be used for DNS resolution.
@@ -25984,6 +26056,9 @@ class CpuManufacturer(enum.Enum):
             propagate_tags=ecs.PropagateManagedInstancesTags.CAPACITY_PROVIDER
         )
         
+        # Optionally configure security group rules using IConnectable interface
+        mi_capacity_provider.connections.allow_from(ec2.Peer.ipv4(vpc.vpc_cidr_block), ec2.Port.tcp(80))
+        
         # Add the capacity provider to the cluster
         cluster.add_managed_instances_capacity_provider(mi_capacity_provider)
         
@@ -33726,6 +33801,7 @@ class IVpc(_IResource_c80c4260, IVPCRef, typing_extensions.Protocol):
         client_login_banner: typing.Optional[builtins.str] = None,
         client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
+        disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
         log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -33750,6 +33826,7 @@ class IVpc(_IResource_c80c4260, IVPCRef, typing_extensions.Protocol):
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
         :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
+        :param disconnect_on_session_timeout: Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached. If ``true``, users are prompted to reconnect client VPN. If ``false``, client VPN attempts to reconnect automatically. Default: undefined - AWS Client VPN default is true
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
         :param log_group: A CloudWatch Logs log group for connection logging. Default: - a new group is created
@@ -33977,6 +34054,7 @@ class _IVpcProxy(
         client_login_banner: typing.Optional[builtins.str] = None,
         client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
+        disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
         log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -34001,6 +34079,7 @@ class _IVpcProxy(
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
         :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
+        :param disconnect_on_session_timeout: Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached. If ``true``, users are prompted to reconnect client VPN. If ``false``, client VPN attempts to reconnect automatically. Default: undefined - AWS Client VPN default is true
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
         :param log_group: A CloudWatch Logs log group for connection logging. Default: - a new group is created
@@ -34026,6 +34105,7 @@ class _IVpcProxy(
             client_login_banner=client_login_banner,
             client_route_enforcement_options=client_route_enforcement_options,
             description=description,
+            disconnect_on_session_timeout=disconnect_on_session_timeout,
             dns_servers=dns_servers,
             logging=logging,
             log_group=log_group,
@@ -37179,6 +37259,14 @@ class InstanceClass(enum.Enum):
     '''Compute optimized instances based on Intel Xeon Scalable (Sapphire Rapids) processors, 7th generation C7i-flex instances efficiently use compute resources to deliver a baseline level of performance with the ability to scale up to the full compute performance a majority of the time.'''
     C7I_FLEX = "C7I_FLEX"
     '''Compute optimized instances based on Intel Xeon Scalable (Sapphire Rapids) processors, 7th generation C7i-flex instances efficiently use compute resources to deliver a baseline level of performance with the ability to scale up to the full compute performance a majority of the time.'''
+    COMPUTE8_INTEL = "COMPUTE8_INTEL"
+    '''Compute optimized instances based on custom Intel Xeon 6 processors, available only on AWS, 8th generation.'''
+    C8I = "C8I"
+    '''Compute optimized instances based on custom Intel Xeon 6 processors, available only on AWS, 8th generation.'''
+    COMPUTE8_INTEL_FLEX = "COMPUTE8_INTEL_FLEX"
+    '''Compute optimized instances based on custom Intel Xeon 6 processors, available only on AWS, 8th generation C8i-flex instances efficiently use compute resources to deliver a baseline level of performance with the ability to scale up to the full compute performance a majority of the time.'''
+    C8I_FLEX = "C8I_FLEX"
+    '''Compute optimized instances based on custom Intel Xeon 6 processors, available only on AWS, 8th generation C8i-flex instances efficiently use compute resources to deliver a baseline level of performance with the ability to scale up to the full compute performance a majority of the time.'''
     COMPUTE7_AMD = "COMPUTE7_AMD"
     '''Compute optimized instances based on 4th generation AMD EPYC (codename Genoa), 7th generation.'''
     C7A = "C7A"
@@ -37477,6 +37565,10 @@ class InstanceClass(enum.Enum):
     '''Standard instances based on 4th generation AMD EPYC (codename Genoa), 7th generation.'''
     M7A = "M7A"
     '''Standard instances based on 4th generation AMD EPYC (codename Genoa), 7th generation.'''
+    STANDARD8_AMD = "STANDARD8_AMD"
+    '''Standard instances based on 5th generation AMD EPYC (formerly code named Turin), 8th generation.'''
+    M8A = "M8A"
+    '''Standard instances based on 5th generation AMD EPYC (formerly code named Turin), 8th generation.'''
     HIGH_COMPUTE_MEMORY1 = "HIGH_COMPUTE_MEMORY1"
     '''High memory and compute capacity instances, 1st generation.'''
     Z1D = "Z1D"
@@ -38679,6 +38771,9 @@ class InstanceRequirementsConfig:
                 propagate_tags=ecs.PropagateManagedInstancesTags.CAPACITY_PROVIDER
             )
             
+            # Optionally configure security group rules using IConnectable interface
+            mi_capacity_provider.connections.allow_from(ec2.Peer.ipv4(vpc.vpc_cidr_block), ec2.Port.tcp(80))
+            
             # Add the capacity provider to the cluster
             cluster.add_managed_instances_capacity_provider(mi_capacity_provider)
             
@@ -39672,6 +39767,16 @@ class InterfaceVpcEndpointAwsService(
     def BEDROCK_AGENT_RUNTIME(cls) -> "InterfaceVpcEndpointAwsService":
         return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_AGENT_RUNTIME"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_AGENTCORE")
+    def BEDROCK_AGENTCORE(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_AGENTCORE"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="BEDROCK_AGENTCORE_GATEWAY")
+    def BEDROCK_AGENTCORE_GATEWAY(cls) -> "InterfaceVpcEndpointAwsService":
+        return typing.cast("InterfaceVpcEndpointAwsService", jsii.sget(cls, "BEDROCK_AGENTCORE_GATEWAY"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="BEDROCK_DATA_AUTOMATION")
     def BEDROCK_DATA_AUTOMATION(cls) -> "InterfaceVpcEndpointAwsService":
@@ -47310,7 +47415,7 @@ class Peer(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Peer"):
         
         cluster = msk.Cluster(self, "Cluster",
             cluster_name="myCluster",
-            kafka_version=msk.KafkaVersion.V4_0_X_KRAFT,
+            kafka_version=msk.KafkaVersion.V4_1_X_KRAFT,
             vpc=vpc
         )
         
@@ -47632,20 +47737,25 @@ class Port(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Port"):
 
     Example::
 
-        # vpc: ec2.Vpc
+        # load_balancer: elbv2.ApplicationLoadBalancer
         
-        cluster = msk.Cluster(self, "Cluster",
-            cluster_name="myCluster",
-            kafka_version=msk.KafkaVersion.V4_0_X_KRAFT,
+        
+        vpc = ec2.Vpc(self, "MyVPC")
+        fleet = codebuild.Fleet(self, "MyProject",
+            compute_type=codebuild.FleetComputeType.MEDIUM,
+            environment_type=codebuild.EnvironmentType.LINUX_CONTAINER,
+            base_capacity=1,
             vpc=vpc
         )
         
-        cluster.connections.allow_from(
-            ec2.Peer.ipv4("1.2.3.4/8"),
-            ec2.Port.tcp(2181))
-        cluster.connections.allow_from(
-            ec2.Peer.ipv4("1.2.3.4/8"),
-            ec2.Port.tcp(9094))
+        fleet.connections.allow_to(load_balancer, ec2.Port.tcp(443))
+        
+        project = codebuild.Project(self, "MyProject",
+            environment=codebuild.BuildEnvironment(
+                fleet=fleet
+            ),
+            build_spec=codebuild.BuildSpec.from_object({})
+        )
     '''
 
     def __init__(
@@ -54786,6 +54896,7 @@ class Vpc(
         client_login_banner: typing.Optional[builtins.str] = None,
         client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
+        disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
         log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -54810,6 +54921,7 @@ class Vpc(
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
         :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
+        :param disconnect_on_session_timeout: Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached. If ``true``, users are prompted to reconnect client VPN. If ``false``, client VPN attempts to reconnect automatically. Default: undefined - AWS Client VPN default is true
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
         :param log_group: A CloudWatch Logs log group for connection logging. Default: - a new group is created
@@ -54835,6 +54947,7 @@ class Vpc(
             client_login_banner=client_login_banner,
             client_route_enforcement_options=client_route_enforcement_options,
             description=description,
+            disconnect_on_session_timeout=disconnect_on_session_timeout,
             dns_servers=dns_servers,
             logging=logging,
             log_group=log_group,
@@ -58928,7 +59041,7 @@ class CfnCapacityReservation(
         :param instance_platform: The type of operating system for which to reserve capacity.
         :param instance_type: The instance type for which to reserve capacity. .. epigraph:: You can request future-dated Capacity Reservations for instance types in the C, M, R, I, T, and G instance families only. For more information, see `Instance types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html>`_ in the *Amazon EC2 User Guide* .
         :param availability_zone: The Availability Zone in which to create the Capacity Reservation.
-        :param availability_zone_id: The Availability Zone ID of the Capacity Reservation.
+        :param availability_zone_id: The ID of the Availability Zone in which the capacity is reserved.
         :param ebs_optimized: Indicates whether the Capacity Reservation supports EBS-optimized instances. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS- optimized instance.
         :param end_date: The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. The Capacity Reservation's state changes to ``expired`` when it reaches its end date and time. You must provide an ``EndDate`` value if ``EndDateType`` is ``limited`` . Omit ``EndDate`` if ``EndDateType`` is ``unlimited`` . If the ``EndDateType`` is ``limited`` , the Capacity Reservation is cancelled within an hour from the specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019. If you are requesting a future-dated Capacity Reservation, you can't specify an end date and time that is within the commitment duration.
         :param end_date_type: Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types: - ``unlimited`` - The Capacity Reservation remains active until you explicitly cancel it. Do not provide an ``EndDate`` if the ``EndDateType`` is ``unlimited`` . - ``limited`` - The Capacity Reservation expires automatically at a specified date and time. You must provide an ``EndDate`` value if the ``EndDateType`` value is ``limited`` .
@@ -59097,7 +59210,7 @@ class CfnCapacityReservation(
     @builtins.property
     @jsii.member(jsii_name="attrCreateDate")
     def attr_create_date(self) -> builtins.str:
-        '''The date and time at which the Capacity Reservation was created.
+        '''The date and time the Capacity Reservation was created.
 
         :cloudformationAttribute: CreateDate
         '''
@@ -59155,7 +59268,7 @@ class CfnCapacityReservation(
     @builtins.property
     @jsii.member(jsii_name="attrStartDate")
     def attr_start_date(self) -> builtins.str:
-        '''The date and time at which the Capacity Reservation was started.
+        '''The date and time the Capacity Reservation was started.
 
         :cloudformationAttribute: StartDate
         '''
@@ -59276,7 +59389,7 @@ class CfnCapacityReservation(
     @builtins.property
     @jsii.member(jsii_name="availabilityZoneId")
     def availability_zone_id(self) -> typing.Optional[builtins.str]:
-        '''The Availability Zone ID of the Capacity Reservation.'''
+        '''The ID of the Availability Zone in which the capacity is reserved.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "availabilityZoneId"))
 
     @availability_zone_id.setter
@@ -81415,7 +81528,8 @@ class CfnNatGateway(
             tags=[CfnTag(
                 key="key",
                 value="value"
-            )]
+            )],
+            vpc_id="vpcId"
         )
     '''
 
@@ -81433,6 +81547,7 @@ class CfnNatGateway(
         secondary_private_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
         subnet_id: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+        vpc_id: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
@@ -81446,6 +81561,7 @@ class CfnNatGateway(
         :param secondary_private_ip_addresses: Secondary private IPv4 addresses. For more information about secondary addresses, see `Create a NAT gateway <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating>`_ in the *Amazon Virtual Private Cloud User Guide* . ``SecondaryPrivateIpAddressCount`` and ``SecondaryPrivateIpAddresses`` cannot be set at the same time.
         :param subnet_id: The ID of the subnet in which the NAT gateway is located.
         :param tags: The tags for the NAT gateway.
+        :param vpc_id: The ID of the VPC in which the NAT gateway is located.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4d23f1a46df0174ce142c0ff05ac9cb901ecac30141c8b466b44569b409414aa)
@@ -81461,6 +81577,7 @@ class CfnNatGateway(
             secondary_private_ip_addresses=secondary_private_ip_addresses,
             subnet_id=subnet_id,
             tags=tags,
+            vpc_id=vpc_id,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -81516,6 +81633,14 @@ class CfnNatGateway(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="attrEniId")
+    def attr_eni_id(self) -> builtins.str:
+        '''
+        :cloudformationAttribute: EniId
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrEniId"))
+
     @builtins.property
     @jsii.member(jsii_name="attrNatGatewayId")
     def attr_nat_gateway_id(self) -> builtins.str:
@@ -81670,6 +81795,19 @@ class CfnNatGateway(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="vpcId")
+    def vpc_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of the VPC in which the NAT gateway is located.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "vpcId"))
+
+    @vpc_id.setter
+    def vpc_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1a7629fb99b0083bc9b9f7b7909bf15223816d1751b43e5e09c5e00cb6f63a09)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "vpcId", value) # pyright: ignore[reportArgumentType]
+
 
 @jsii.implements(_IInspectable_c2943556, INetworkAclRef, _ITaggable_36806126)
 class CfnNetworkAcl(
@@ -110904,11 +111042,11 @@ class CfnVolume(
         :param availability_zone: The ID of the Availability Zone in which to create the volume. For example, ``us-east-1a`` . Either ``AvailabilityZone`` or ``AvailabilityZoneId`` must be specified, but not both.
         :param auto_enable_io: Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/O to the volume from attached EC2 instances when it determines that a volume's data is potentially inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be made available immediately if it's impaired, you can configure the volume to automatically enable I/O.
         :param encrypted: Indicates whether the volume should be encrypted. The effect of setting the encryption state to ``true`` depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see `Encryption by default <https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default>`_ in the *Amazon EBS User Guide* . Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see `Supported instance types <https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption_supported_instances>`_ .
-        :param iops: The number of I/O operations per second (IOPS). For ``gp3`` , ``io1`` , and ``io2`` volumes, this represents the number of IOPS that are provisioned for the volume. For ``gp2`` volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. The following are the supported values for each volume type: - ``gp3`` : 3,000 - 80,000 IOPS - ``io1`` : 100 - 64,000 IOPS - ``io2`` : 100 - 256,000 IOPS For ``io2`` volumes, you can achieve up to 256,000 IOPS on `instances built on the Nitro System <https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html>`_ . On other instances, you can achieve performance up to 32,000 IOPS. This parameter is required for ``io1`` and ``io2`` volumes. The default for ``gp3`` volumes is 3,000 IOPS. This parameter is not supported for ``gp2`` , ``st1`` , ``sc1`` , or ``standard`` volumes.
+        :param iops: The number of I/O operations per second (IOPS) to provision for the volume. Required for ``io1`` and ``io2`` volumes. Optional for ``gp3`` volumes. Omit for all other volume types. Valid ranges: - gp3: ``3,000`` ( *default* ) ``- 80,000`` IOPS - io1: ``100 - 64,000`` IOPS - io2: ``100 - 256,000`` IOPS .. epigraph:: `Instances built on the Nitro System <https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html>`_ can support up to 256,000 IOPS. Other instances can support up to 32,000 IOPS.
         :param kms_key_id: The identifier of the AWS KMS key to use for Amazon EBS encryption. If ``KmsKeyId`` is specified, the encrypted state must be ``true`` . If you omit this property and your account is enabled for encryption by default, or *Encrypted* is set to ``true`` , then the volume is encrypted using the default key specified for your account. If your account does not have a default key, then the volume is encrypted using the AWS managed key . Alternatively, if you want to specify a different key, you can specify one of the following: - Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. - Key alias. Specify the alias for the key, prefixed with ``alias/`` . For example, for a key with the alias ``my_cmk`` , use ``alias/my_cmk`` . Or to specify the AWS managed key , use ``alias/aws/ebs`` . - Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab. - Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
         :param multi_attach_enabled: Indicates whether Amazon EBS Multi-Attach is enabled. AWS CloudFormation does not currently support updating a single-attach volume to be multi-attach enabled, updating a multi-attach enabled volume to be single-attach, or updating the size or number of I/O operations per second (IOPS) of a multi-attach enabled volume.
         :param outpost_arn: The Amazon Resource Name (ARN) of the Outpost.
-        :param size: The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size. The following are the supported volumes sizes for each volume type: - ``gp2`` : 1 - 16,384 GiB - ``gp3`` : 1 - 65,536 GiB - ``io1`` : 4 - 16,384 GiB - ``io2`` : 4 - 65,536 GiB - ``st1`` and ``sc1`` : 125 - 16,384 GiB - ``standard`` : 1 - 1024 GiB
+        :param size: The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size, and you can specify a volume size that is equal to or larger than the snapshot size. Valid sizes: - gp2: ``1 - 16,384`` GiB - gp3: ``1 - 65,536`` GiB - io1: ``4 - 16,384`` GiB - io2: ``4 - 65,536`` GiB - st1 and sc1: ``125 - 16,384`` GiB - standard: ``1 - 1024`` GiB
         :param snapshot_id: The snapshot from which to create the volume. You must specify either a snapshot ID or a volume size.
         :param tags: The tags to apply to the volume during creation.
         :param throughput: The throughput to provision for a volume, with a maximum of 1,000 MiB/s. This parameter is valid only for ``gp3`` volumes. The default value is 125. Valid Range: Minimum value of 125. Maximum value of 1000.
@@ -111069,7 +111207,7 @@ class CfnVolume(
     @builtins.property
     @jsii.member(jsii_name="iops")
     def iops(self) -> typing.Optional[jsii.Number]:
-        '''The number of I/O operations per second (IOPS).'''
+        '''The number of I/O operations per second (IOPS) to provision for the volume.'''
         return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "iops"))
 
     @iops.setter
@@ -119229,6 +119367,7 @@ class ClientVpnEndpoint(
         client_login_banner: typing.Optional[builtins.str] = None,
         client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         description: typing.Optional[builtins.str] = None,
+        disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
         dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
         logging: typing.Optional[builtins.bool] = None,
         log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -119254,6 +119393,7 @@ class ClientVpnEndpoint(
         :param client_login_banner: Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
         :param client_route_enforcement_options: Options for Client Route Enforcement. Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. Default: undefined - AWS Client VPN default setting is disable client route enforcement
         :param description: A brief description of the Client VPN endpoint. Default: - no description
+        :param disconnect_on_session_timeout: Indicates whether the client VPN session is disconnected after the maximum ``sessionTimeout`` is reached. If ``true``, users are prompted to reconnect client VPN. If ``false``, client VPN attempts to reconnect automatically. Default: undefined - AWS Client VPN default is true
         :param dns_servers: Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
         :param logging: Whether to enable connections logging. Default: true
         :param log_group: A CloudWatch Logs log group for connection logging. Default: - a new group is created
@@ -119281,6 +119421,7 @@ class ClientVpnEndpoint(
             client_login_banner=client_login_banner,
             client_route_enforcement_options=client_route_enforcement_options,
             description=description,
+            disconnect_on_session_timeout=disconnect_on_session_timeout,
             dns_servers=dns_servers,
             logging=logging,
             log_group=log_group,
@@ -121400,6 +121541,7 @@ def _typecheckingstub__1aba83edf7a8e3f14e1d4f9ca76c7049f7f7c569d2ffb43bcad65b330
     secondary_private_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
     subnet_id: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    vpc_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -122258,6 +122400,7 @@ def _typecheckingstub__73f8593e2e6199f8ae542cff4cbe02f0be09fd9043b8072cbb652d5b0
     client_login_banner: typing.Optional[builtins.str] = None,
     client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
+    disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
     log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -122284,6 +122427,7 @@ def _typecheckingstub__8e89ba9082e1bc80500c526e8522c5a90e2a91bd17d985f5932611e0b
     client_login_banner: typing.Optional[builtins.str] = None,
     client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
+    disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
     log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -122798,6 +122942,7 @@ def _typecheckingstub__19cdaa7bec0f733a863944b2be6c76392b1e518714158a913370b8de7
     client_login_banner: typing.Optional[builtins.str] = None,
     client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
+    disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
     log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -124810,6 +124955,7 @@ def _typecheckingstub__04f8b7e933af74b695401b45c9c6b308e4684ecde3cb9a2a1e358a336
     client_login_banner: typing.Optional[builtins.str] = None,
     client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
+    disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
     log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -128861,6 +129007,7 @@ def _typecheckingstub__4d23f1a46df0174ce142c0ff05ac9cb901ecac30141c8b466b44569b4
     secondary_private_ip_addresses: typing.Optional[typing.Sequence[builtins.str]] = None,
     subnet_id: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    vpc_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -128939,6 +129086,12 @@ def _typecheckingstub__76a6a3daaab575df04de03efcf802de9ee1357d57a0474a96922bc7d4
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__1a7629fb99b0083bc9b9f7b7909bf15223816d1751b43e5e09c5e00cb6f63a09(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__63ab91eb0620cbae6ae1a944345b6c561c70134e58fe810193ad3be248faf08e(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -135439,6 +135592,7 @@ def _typecheckingstub__9a2422e1dfabadbd7f572317ed37670a87714b6f36fe9da2a01f1e26e
     client_login_banner: typing.Optional[builtins.str] = None,
     client_route_enforcement_options: typing.Optional[typing.Union[ClientRouteEnforcementOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     description: typing.Optional[builtins.str] = None,
+    disconnect_on_session_timeout: typing.Optional[builtins.bool] = None,
     dns_servers: typing.Optional[typing.Sequence[builtins.str]] = None,
     logging: typing.Optional[builtins.bool] = None,
     log_group: typing.Optional[_ILogGroup_3c4fa718] = None,
@@ -135583,3 +135737,6 @@ def _typecheckingstub__08d76813e07f02784a1108bd81a7030a5244d286c7db7897110323a0d
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [ICapacityReservationFleetRef, ICapacityReservationRef, ICarrierGatewayRef, IClientVpnAuthorizationRuleRef, IClientVpnConnectionHandler, IClientVpnEndpoint, IClientVpnEndpointRef, IClientVpnRouteRef, IClientVpnTargetNetworkAssociationRef, IConnectable, ICustomerGatewayRef, IDHCPOptionsRef, IEC2FleetRef, IEIPAssociationRef, IEIPRef, IEgressOnlyInternetGatewayRef, IEnclaveCertificateIamRoleAssociationRef, IFlowLog, IFlowLogRef, IGatewayRouteTableAssociationRef, IGatewayVpcEndpoint, IGatewayVpcEndpointService, IHostRef, IIPAMAllocationRef, IIPAMPoolCidrRef, IIPAMPoolRef, IIPAMRef, IIPAMResourceDiscoveryAssociationRef, IIPAMResourceDiscoveryRef, IIPAMScopeRef, IInstance, IInstanceConnectEndpointRef, IInstanceRef, IInterfaceVpcEndpoint, IInterfaceVpcEndpointService, IInternetGatewayRef, IIpAddresses, IIpPoolRouteTableAssociationRef, IIpv6Addresses, IKeyPair, IKeyPairRef, ILaunchTemplate, ILaunchTemplateRef, ILocalGatewayRouteRef, ILocalGatewayRouteTableRef, ILocalGatewayRouteTableVPCAssociationRef, ILocalGatewayRouteTableVirtualInterfaceGroupAssociationRef, ILocalGatewayVirtualInterfaceGroupRef, ILocalGatewayVirtualInterfaceRef, IMachineImage, INatGatewayRef, INetworkAcl, INetworkAclEntry, INetworkAclEntryRef, INetworkAclRef, INetworkInsightsAccessScopeAnalysisRef, INetworkInsightsAccessScopeRef, INetworkInsightsAnalysisRef, INetworkInsightsPathRef, INetworkInterfaceAttachmentRef, INetworkInterfacePermissionRef, INetworkInterfaceRef, INetworkPerformanceMetricSubscriptionRef, IPeer, IPlacementGroup, IPlacementGroupRef, IPrefixList, IPrefixListRef, IPrivateSubnet, IPublicSubnet, IRouteRef, IRouteServerAssociationRef, IRouteServerEndpointRef, IRouteServerPeerRef, IRouteServerPropagationRef, IRouteServerRef, IRouteTable, IRouteTableRef, ISecurityGroup, ISecurityGroupEgressRef, ISecurityGroupIngressRef, ISecurityGroupRef, ISecurityGroupVpcAssociationRef, ISnapshotBlockPublicAccessRef, ISpotFleetRef, ISubnet, ISubnetCidrBlockRef, ISubnetNetworkAclAssociation, ISubnetNetworkAclAssociationRef, ISubnetRef, ISubnetRouteTableAssociationRef, ITrafficMirrorFilterRef, ITrafficMirrorFilterRuleRef, ITrafficMirrorSessionRef, ITrafficMirrorTargetRef, ITransitGatewayAttachmentRef, ITransitGatewayConnectPeerRef, ITransitGatewayConnectRef, ITransitGatewayMulticastDomainAssociationRef, ITransitGatewayMulticastDomainRef, ITransitGatewayMulticastGroupMemberRef, ITransitGatewayMulticastGroupSourceRef, ITransitGatewayPeeringAttachmentRef, ITransitGatewayRef, ITransitGatewayRouteRef, ITransitGatewayRouteTableAssociationRef, ITransitGatewayRouteTablePropagationRef, ITransitGatewayRouteTableRef, ITransitGatewayVpcAttachmentRef, IVPCBlockPublicAccessExclusionRef, IVPCBlockPublicAccessOptionsRef, IVPCCidrBlockRef, IVPCDHCPOptionsAssociationRef, IVPCEndpointConnectionNotificationRef, IVPCEndpointRef, IVPCEndpointServicePermissionsRef, IVPCEndpointServiceRef, IVPCGatewayAttachmentRef, IVPCPeeringConnectionRef, IVPCRef, IVPNConnectionRef, IVPNConnectionRouteRef, IVPNGatewayRef, IVPNGatewayRoutePropagationRef, IVerifiedAccessEndpointRef, IVerifiedAccessGroupRef, IVerifiedAccessInstanceRef, IVerifiedAccessTrustProviderRef, IVolume, IVolumeAttachmentRef, IVolumeRef, IVpc, IVpcEndpoint, IVpcEndpointService, IVpcEndpointServiceLoadBalancer, IVpnConnection, IVpnGateway]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])