aws-cdk-lib 2.73.0__py3-none-any.whl → 2.76.0__py3-none-any.whl

aws_cdk/aws_wafv2/__init__.py

@@ -3278,7 +3278,7 @@ class CfnRuleGroup(
 
             This is used to indicate the web request component to inspect, in the ``FieldToMatch`` specification.
 
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-body.html
             :exampleMetadata: fixture=_generated
@@ -3304,7 +3304,9 @@ class CfnRuleGroup(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+
+            The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -3312,7 +3314,7 @@ class CfnRuleGroup(
             - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.
             - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
 
-            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
+            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.
 
             Default: ``CONTINUE``
 
@@ -4434,10 +4436,10 @@ class CfnRuleGroup(
             ``"FieldToMatch": { "Method": { "Name": "DELETE" } }``
 
             :param all_query_arguments: Inspect all query arguments.
-            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
+            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
             :param cookies: Inspect the request cookies. You must configure scope and pattern matching filters in the ``Cookies`` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the ``Cookies`` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
             :param headers: Inspect the request headers. You must configure scope and pattern matching filters in the ``Headers`` object, to define the set of headers to and the parts of the headers that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the ``Headers`` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
-            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
+            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
             :param method: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
             :param query_string: Inspect the query string. This is the part of a URL that appears after a ``?`` character, if any.
             :param single_header: Inspect a single header. Provide the name of the header to inspect, for example, ``User-Agent`` or ``Referer`` . This setting isn't case sensitive. Example JSON: ``"SingleHeader": { "Name": "haystack" }`` Alternately, you can filter and inspect all headers with the ``Headers`` ``FieldToMatch`` setting.
@@ -4553,7 +4555,9 @@ class CfnRuleGroup(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
+            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+
+            For information about how to handle oversized request bodies, see the ``Body`` object configuration.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-fieldtomatch.html#cfn-wafv2-rulegroup-fieldtomatch-body
             '''
@@ -4598,7 +4602,9 @@ class CfnRuleGroup(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
+            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+
+            For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-fieldtomatch.html#cfn-wafv2-rulegroup-fieldtomatch-jsonbody
             '''
@@ -5385,7 +5391,7 @@ class CfnRuleGroup(
             :param match_pattern: The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.
             :param match_scope: The parts of the JSON to match against using the ``MatchPattern`` . If you specify ``All`` , AWS WAF matches against keys and values.
             :param invalid_fallback_behavior: What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:. - ``EVALUATE_AS_STRING`` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. If you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters. AWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array. AWS WAF parses the JSON in the following examples as two valid key, value pairs: - Missing comma: ``{"key1":"value1""key2":"value2"}`` - Missing colon: ``{"key1":"value1","key2""value2"}`` - Extra colons: ``{"key1"::"value1","key2""value2"}``
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-jsonbody.html
             :exampleMetadata: fixture=_generated
@@ -5478,7 +5484,9 @@ class CfnRuleGroup(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+
+            The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -5486,7 +5494,7 @@ class CfnRuleGroup(
             - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.
             - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
 
-            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
+            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.
 
             Default: ``CONTINUE``
 
@@ -8209,7 +8217,7 @@ class CfnRuleGroup(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -8559,7 +8567,7 @@ class CfnRuleGroup(
             :param rate_based_statement: A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests. AWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF . When the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit. You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements: - An IP match statement with an IP set that specifies the address 192.0.2.44. - A string match statement that searches in the User-Agent header for the string BadBot. In this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule. You cannot nest a ``RateBasedStatement`` inside another statement, for example inside a ``NotStatement`` or ``OrStatement`` . You can define a ``RateBasedStatement`` inside a web ACL and inside a rule group.
             :param regex_match_statement: A rule statement used to search web request components for a match against a single regular expression.
             :param regex_pattern_set_reference_statement: A rule statement used to search web request components for matches with regular expressions. To use this, create a ``RegexPatternSet`` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set. Each regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.
-            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
+            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
             :param sqli_match_statement: A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.
             :param xss_match_statement: A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.
 
@@ -10428,7 +10436,7 @@ class CfnRuleGroup(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -13397,7 +13405,7 @@ class CfnWebACL(
 
             This is used to indicate the web request component to inspect, in the ``FieldToMatch`` specification.
 
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-body.html
             :exampleMetadata: fixture=_generated
@@ -13423,7 +13431,9 @@ class CfnWebACL(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+
+            The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -13431,7 +13441,7 @@ class CfnWebACL(
             - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.
             - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
 
-            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
+            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.
 
             Default: ``CONTINUE``
 
@@ -14801,10 +14811,10 @@ class CfnWebACL(
             ``"FieldToMatch": { "Method": { "Name": "DELETE" } }``
 
             :param all_query_arguments: Inspect all query arguments.
-            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
+            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
             :param cookies: Inspect the request cookies. You must configure scope and pattern matching filters in the ``Cookies`` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the ``Cookies`` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
             :param headers: Inspect the request headers. You must configure scope and pattern matching filters in the ``Headers`` object, to define the set of headers to and the parts of the headers that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the ``Headers`` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
-            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
+            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
             :param method: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
             :param query_string: Inspect the query string. This is the part of a URL that appears after a ``?`` character, if any.
             :param single_header: Inspect a single header. Provide the name of the header to inspect, for example, ``User-Agent`` or ``Referer`` . This setting isn't case sensitive. Example JSON: ``"SingleHeader": { "Name": "haystack" }`` Alternately, you can filter and inspect all headers with the ``Headers`` ``FieldToMatch`` setting.
@@ -14920,7 +14930,9 @@ class CfnWebACL(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
+            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+
+            For information about how to handle oversized request bodies, see the ``Body`` object configuration.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.html#cfn-wafv2-webacl-fieldtomatch-body
             '''
@@ -14965,7 +14977,9 @@ class CfnWebACL(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            Only the first 8 KB (8192 bytes) of the request body are forwarded to AWS WAF for inspection by the underlying host service. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
+            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+
+            For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.html#cfn-wafv2-webacl-fieldtomatch-jsonbody
             '''
@@ -15752,7 +15766,7 @@ class CfnWebACL(
             :param match_pattern: The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.
             :param match_scope: The parts of the JSON to match against using the ``MatchPattern`` . If you specify ``All`` , AWS WAF matches against keys and values.
             :param invalid_fallback_behavior: What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:. - ``EVALUATE_AS_STRING`` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. If you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters. AWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array. AWS WAF parses the JSON in the following examples as two valid key, value pairs: - Missing comma: ``{"key1":"value1""key2":"value2"}`` - Missing colon: ``{"key1":"value1","key2""value2"}`` - Extra colons: ``{"key1"::"value1","key2""value2"}``
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the body normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-jsonbody.html
             :exampleMetadata: fixture=_generated
@@ -15845,7 +15859,9 @@ class CfnWebACL(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to AWS WAF by the underlying host service.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+
+            The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -15853,7 +15869,7 @@ class CfnWebACL(
             - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.
             - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
 
-            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
+            You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.
 
             Default: ``CONTINUE``
 
@@ -21297,7 +21313,7 @@ class CfnWebACL(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -21653,7 +21669,7 @@ class CfnWebACL(
             :param regex_match_statement: A rule statement used to search web request components for a match against a single regular expression.
             :param regex_pattern_set_reference_statement: A rule statement used to search web request components for matches with regular expressions. To use this, create a ``RegexPatternSet`` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set. Each regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.
             :param rule_group_reference_statement: A rule statement used to run the rules that are defined in a ``RuleGroup`` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement. You cannot nest a ``RuleGroupReferenceStatement`` , for example for use inside a ``NotStatement`` or ``OrStatement`` . You can only use a rule group reference statement at the top level inside a web ACL.
-            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
+            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
             :param sqli_match_statement: A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.
             :param xss_match_statement: A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.
 
@@ -24767,7 +24783,7 @@ class CfnWebACL(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -25224,7 +25240,7 @@ class CfnWebACLAssociation(
 
         :param scope: - scope in which this resource is defined.
         :param id: - scoped id of the resource.
-        :param resource_arn: The Amazon Resource Name (ARN) of the resource to associate with the web ACL. The ARN must be in one of the following formats: - For an Application Load Balancer: ``arn:aws:elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`` - For an Amazon API Gateway REST API: ``arn:aws:apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`` - For an AWS AppSync GraphQL API: ``arn:aws:appsync: *region* : *account-id* :apis/ *GraphQLApiId*`` - For an Amazon Cognito user pool: ``arn:aws:cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`` - For an AWS App Runner service: ``arn:aws:apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
+        :param resource_arn: The Amazon Resource Name (ARN) of the resource to associate with the web ACL. The ARN must be in one of the following formats: - For an Application Load Balancer: ``arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`` - For an Amazon API Gateway REST API: ``arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`` - For an AWS AppSync GraphQL API: ``arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`` - For an Amazon Cognito user pool: ``arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`` - For an AWS App Runner service: ``arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
         :param web_acl_arn: The Amazon Resource Name (ARN) of the web ACL that you want to associate with the resource.
         '''
         if __debug__:
@@ -25279,11 +25295,11 @@ class CfnWebACLAssociation(
 
         The ARN must be in one of the following formats:
 
-        - For an Application Load Balancer: ``arn:aws:elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*``
-        - For an Amazon API Gateway REST API: ``arn:aws:apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*``
-        - For an AWS AppSync GraphQL API: ``arn:aws:appsync: *region* : *account-id* :apis/ *GraphQLApiId*``
-        - For an Amazon Cognito user pool: ``arn:aws:cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*``
-        - For an AWS App Runner service: ``arn:aws:apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
+        - For an Application Load Balancer: ``arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*``
+        - For an Amazon API Gateway REST API: ``arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*``
+        - For an AWS AppSync GraphQL API: ``arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*``
+        - For an Amazon Cognito user pool: ``arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*``
+        - For an AWS App Runner service: ``arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn
         '''
@@ -25327,7 +25343,7 @@ class CfnWebACLAssociationProps:
     ) -> None:
         '''Properties for defining a ``CfnWebACLAssociation``.
 
-        :param resource_arn: The Amazon Resource Name (ARN) of the resource to associate with the web ACL. The ARN must be in one of the following formats: - For an Application Load Balancer: ``arn:aws:elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`` - For an Amazon API Gateway REST API: ``arn:aws:apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`` - For an AWS AppSync GraphQL API: ``arn:aws:appsync: *region* : *account-id* :apis/ *GraphQLApiId*`` - For an Amazon Cognito user pool: ``arn:aws:cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`` - For an AWS App Runner service: ``arn:aws:apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
+        :param resource_arn: The Amazon Resource Name (ARN) of the resource to associate with the web ACL. The ARN must be in one of the following formats: - For an Application Load Balancer: ``arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*`` - For an Amazon API Gateway REST API: ``arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*`` - For an AWS AppSync GraphQL API: ``arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*`` - For an Amazon Cognito user pool: ``arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*`` - For an AWS App Runner service: ``arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
         :param web_acl_arn: The Amazon Resource Name (ARN) of the web ACL that you want to associate with the resource.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html
@@ -25359,11 +25375,11 @@ class CfnWebACLAssociationProps:
 
         The ARN must be in one of the following formats:
 
-        - For an Application Load Balancer: ``arn:aws:elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*``
-        - For an Amazon API Gateway REST API: ``arn:aws:apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*``
-        - For an AWS AppSync GraphQL API: ``arn:aws:appsync: *region* : *account-id* :apis/ *GraphQLApiId*``
-        - For an Amazon Cognito user pool: ``arn:aws:cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*``
-        - For an AWS App Runner service: ``arn:aws:apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
+        - For an Application Load Balancer: ``arn: *partition* :elasticloadbalancing: *region* : *account-id* :loadbalancer/app/ *load-balancer-name* / *load-balancer-id*``
+        - For an Amazon API Gateway REST API: ``arn: *partition* :apigateway: *region* ::/restapis/ *api-id* /stages/ *stage-name*``
+        - For an AWS AppSync GraphQL API: ``arn: *partition* :appsync: *region* : *account-id* :apis/ *GraphQLApiId*``
+        - For an Amazon Cognito user pool: ``arn: *partition* :cognito-idp: *region* : *account-id* :userpool/ *user-pool-id*``
+        - For an AWS App Runner service: ``arn: *partition* :apprunner: *region* : *account-id* :service/ *apprunner-service-name* / *apprunner-service-id*``
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn
         '''

aws_cdk/aws_xray/__init__.py

@@ -502,8 +502,6 @@ class CfnResourcePolicy(
 ):
     '''A CloudFormation ``AWS::XRay::ResourcePolicy``.
 
-    Sets the resource policy to grant one or more AWS services and accounts permissions to access X-Ray. Each resource policy will be associated with a specific AWS account. Each AWS account can have a maximum of 5 resource policies, and each policy name must be unique within that account. The maximum size of each resource policy is 5KB.
-
     :cloudformationResource: AWS::XRay::ResourcePolicy
     :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-xray-resourcepolicy.html
     :exampleMetadata: fixture=_generated
@@ -536,8 +534,8 @@ class CfnResourcePolicy(
 
         :param scope: - scope in which this resource is defined.
         :param id: - scoped id of the resource.
-        :param policy_document: The resource policy document, which can be up to 5kb in size.
-        :param policy_name: The name of the resource policy. Must be unique within a specific AWS account.
+        :param policy_document: ``AWS::XRay::ResourcePolicy.PolicyDocument``.
+        :param policy_name: ``AWS::XRay::ResourcePolicy.PolicyName``.
         :param bypass_policy_lockout_check: ``AWS::XRay::ResourcePolicy.BypassPolicyLockoutCheck``.
         '''
         if __debug__:
@@ -590,7 +588,7 @@ class CfnResourcePolicy(
     @builtins.property
     @jsii.member(jsii_name="policyDocument")
     def policy_document(self) -> builtins.str:
-        '''The resource policy document, which can be up to 5kb in size.
+        '''``AWS::XRay::ResourcePolicy.PolicyDocument``.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-xray-resourcepolicy.html#cfn-xray-resourcepolicy-policydocument
         '''
@@ -606,9 +604,7 @@ class CfnResourcePolicy(
     @builtins.property
     @jsii.member(jsii_name="policyName")
     def policy_name(self) -> builtins.str:
-        '''The name of the resource policy.
-
-        Must be unique within a specific AWS account.
+        '''``AWS::XRay::ResourcePolicy.PolicyName``.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-xray-resourcepolicy.html#cfn-xray-resourcepolicy-policyname
         '''
@@ -662,8 +658,8 @@ class CfnResourcePolicyProps:
     ) -> None:
         '''Properties for defining a ``CfnResourcePolicy``.
 
-        :param policy_document: The resource policy document, which can be up to 5kb in size.
-        :param policy_name: The name of the resource policy. Must be unique within a specific AWS account.
+        :param policy_document: ``AWS::XRay::ResourcePolicy.PolicyDocument``.
+        :param policy_name: ``AWS::XRay::ResourcePolicy.PolicyName``.
         :param bypass_policy_lockout_check: ``AWS::XRay::ResourcePolicy.BypassPolicyLockoutCheck``.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-xray-resourcepolicy.html
@@ -697,7 +693,7 @@ class CfnResourcePolicyProps:
 
     @builtins.property
     def policy_document(self) -> builtins.str:
-        '''The resource policy document, which can be up to 5kb in size.
+        '''``AWS::XRay::ResourcePolicy.PolicyDocument``.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-xray-resourcepolicy.html#cfn-xray-resourcepolicy-policydocument
         '''
@@ -707,9 +703,7 @@ class CfnResourcePolicyProps:
 
     @builtins.property
     def policy_name(self) -> builtins.str:
-        '''The name of the resource policy.
-
-        Must be unique within a specific AWS account.
+        '''``AWS::XRay::ResourcePolicy.PolicyName``.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-xray-resourcepolicy.html#cfn-xray-resourcepolicy-policyname
         '''
@@ -1293,11 +1287,10 @@ class CfnSamplingRule(
             modified_at: typing.Optional[builtins.str] = None,
             sampling_rule: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnSamplingRule.SamplingRuleProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''A `SamplingRule <https://docs.aws.amazon.com//xray/latest/api/API_SamplingRule.html>`_ and its metadata.
-
-            :param created_at: When the rule was created, in Unix time seconds.
-            :param modified_at: When the rule was last modified, in Unix time seconds.
-            :param sampling_rule: The sampling rule.
+            '''
+            :param created_at: ``CfnSamplingRule.SamplingRuleRecordProperty.CreatedAt``.
+            :param modified_at: ``CfnSamplingRule.SamplingRuleRecordProperty.ModifiedAt``.
+            :param sampling_rule: ``CfnSamplingRule.SamplingRuleRecordProperty.SamplingRule``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-xray-samplingrule-samplingrulerecord.html
             :exampleMetadata: fixture=_generated
@@ -1345,7 +1338,7 @@ class CfnSamplingRule(
 
         @builtins.property
         def created_at(self) -> typing.Optional[builtins.str]:
-            '''When the rule was created, in Unix time seconds.
+            '''``CfnSamplingRule.SamplingRuleRecordProperty.CreatedAt``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-xray-samplingrule-samplingrulerecord.html#cfn-xray-samplingrule-samplingrulerecord-createdat
             '''
@@ -1354,7 +1347,7 @@ class CfnSamplingRule(
 
         @builtins.property
         def modified_at(self) -> typing.Optional[builtins.str]:
-            '''When the rule was last modified, in Unix time seconds.
+            '''``CfnSamplingRule.SamplingRuleRecordProperty.ModifiedAt``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-xray-samplingrule-samplingrulerecord.html#cfn-xray-samplingrule-samplingrulerecord-modifiedat
             '''
@@ -1365,7 +1358,7 @@ class CfnSamplingRule(
         def sampling_rule(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnSamplingRule.SamplingRuleProperty"]]:
-            '''The sampling rule.
+            '''``CfnSamplingRule.SamplingRuleRecordProperty.SamplingRule``.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-xray-samplingrule-samplingrulerecord.html#cfn-xray-samplingrule-samplingrulerecord-samplingrule
             '''

aws_cdk/cloud_assembly_schema/__init__.py

@@ -1686,7 +1686,6 @@ class ContainerImageAssetCacheOption:
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
             "registry"
         '''
         result = self._values.get("type")
@@ -1703,8 +1702,13 @@ class ContainerImageAssetCacheOption:
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
-            ref: `12345678.dkr.ecr.us-west-2.amazonaws.com/cache:${branch}`, mode"max"
+            # branch: str
+            
+            
+            params = {
+                "ref": f"12345678.dkr.ecr.us-west-2.amazonaws.com/cache:{branch}",
+                "mode": "max"
+            }
         '''
         result = self._values.get("params")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
@@ -3842,7 +3846,6 @@ class DockerCacheOption:
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
             "registry"
         '''
         result = self._values.get("type")
@@ -3859,8 +3862,13 @@ class DockerCacheOption:
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
-            ref: `12345678.dkr.ecr.us-west-2.amazonaws.com/cache:${branch}`, mode"max"
+            # branch: str
+            
+            
+            params = {
+                "ref": f"12345678.dkr.ecr.us-west-2.amazonaws.com/cache:{branch}",
+                "mode": "max"
+            }
         '''
         result = self._values.get("params")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)

aws_cdk/custom_resources/__init__.py

@@ -535,12 +535,11 @@ Additionally, the Lambda function can be placed in a private VPC by using the `v
 and `vpcSubnets` properties.
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
-# my_vpc: ec2.Vpc
+# vpc: ec2.Vpc
 
 cr.AwsCustomResource(self, "CustomizedInVpc",
     vpc=vpc,
-    vpc_subnets=SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_NAT),
+    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS),
     policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
         resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE
     )