aws-cdk-lib 2.90.0__py3-none-any.whl → 2.92.0__py3-none-any.whl

aws_cdk/aws_opensearchservice/__init__.py

@@ -199,6 +199,32 @@ domain = Domain(self, "Domain",
 master_user_password = domain.master_user_password
 ```
 
+## SAML authentication
+
+You can enable SAML authentication to use your existing identity provider
+to offer single sign-on (SSO) for dashboards on Amazon OpenSearch Service domains
+running OpenSearch or Elasticsearch 6.7 or later.
+To use SAML authentication, fine-grained access control must be enabled.
+
+```python
+domain = Domain(self, "Domain",
+    version=EngineVersion.OPENSEARCH_1_0,
+    enforce_https=True,
+    node_to_node_encryption=True,
+    encryption_at_rest=EncryptionAtRestOptions(
+        enabled=True
+    ),
+    fine_grained_access_control=AdvancedSecurityOptions(
+        master_user_name="master-user",
+        saml_authentication_enabled=True,
+        saml_authentication_options=SAMLOptionsProperty(
+            idp_entity_id="entity-id",
+            idp_metadata_content="metadata-content-with-quotes-escaped"
+        )
+    )
+)
+```
+
 ## Using unsigned basic auth
 
 For convenience, the domain can be configured to allow unsigned HTTP requests
@@ -486,6 +512,8 @@ from ..aws_route53 import IHostedZone as _IHostedZone_9a6907ad
         "master_user_arn": "masterUserArn",
         "master_user_name": "masterUserName",
         "master_user_password": "masterUserPassword",
+        "saml_authentication_enabled": "samlAuthenticationEnabled",
+        "saml_authentication_options": "samlAuthenticationOptions",
     },
 )
 class AdvancedSecurityOptions:
@@ -495,12 +523,16 @@ class AdvancedSecurityOptions:
         master_user_arn: typing.Optional[builtins.str] = None,
         master_user_name: typing.Optional[builtins.str] = None,
         master_user_password: typing.Optional[_SecretValue_3dd0ddae] = None,
+        saml_authentication_enabled: typing.Optional[builtins.bool] = None,
+        saml_authentication_options: typing.Optional[typing.Union["SAMLOptionsProperty", typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''Specifies options for fine-grained access control.
 
         :param master_user_arn: ARN for the master user. Only specify this or masterUserName, but not both. Default: - fine-grained access control is disabled
         :param master_user_name: Username for the master user. Only specify this or masterUserArn, but not both. Default: - fine-grained access control is disabled
         :param master_user_password: Password for the master user. You can use ``SecretValue.unsafePlainText`` to specify a password in plain text or use ``secretsmanager.Secret.fromSecretAttributes`` to reference a secret in Secrets Manager. Default: - A Secrets Manager generated password
+        :param saml_authentication_enabled: True to enable SAML authentication for a domain. Default: - SAML authentication is disabled. Enabled if ``samlAuthenticationOptions`` is set.
+        :param saml_authentication_options: Container for information about the SAML configuration for OpenSearch Dashboards. If set, ``samlAuthenticationEnabled`` will be enabled. Default: - no SAML authentication options
 
         :exampleMetadata: infused
 
@@ -514,21 +546,24 @@ class AdvancedSecurityOptions:
                     enabled=True
                 ),
                 fine_grained_access_control=AdvancedSecurityOptions(
-                    master_user_name="master-user"
-                ),
-                logging=LoggingOptions(
-                    audit_log_enabled=True,
-                    slow_search_log_enabled=True,
-                    app_log_enabled=True,
-                    slow_index_log_enabled=True
+                    master_user_name="master-user",
+                    saml_authentication_enabled=True,
+                    saml_authentication_options=SAMLOptionsProperty(
+                        idp_entity_id="entity-id",
+                        idp_metadata_content="metadata-content-with-quotes-escaped"
+                    )
                 )
             )
         '''
+        if isinstance(saml_authentication_options, dict):
+            saml_authentication_options = SAMLOptionsProperty(**saml_authentication_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__c1e95392d4761126042f2d6d6160889a80c269d2f13c21476fe92febdb7f04e3)
             check_type(argname="argument master_user_arn", value=master_user_arn, expected_type=type_hints["master_user_arn"])
             check_type(argname="argument master_user_name", value=master_user_name, expected_type=type_hints["master_user_name"])
             check_type(argname="argument master_user_password", value=master_user_password, expected_type=type_hints["master_user_password"])
+            check_type(argname="argument saml_authentication_enabled", value=saml_authentication_enabled, expected_type=type_hints["saml_authentication_enabled"])
+            check_type(argname="argument saml_authentication_options", value=saml_authentication_options, expected_type=type_hints["saml_authentication_options"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if master_user_arn is not None:
             self._values["master_user_arn"] = master_user_arn
@@ -536,6 +571,10 @@ class AdvancedSecurityOptions:
             self._values["master_user_name"] = master_user_name
         if master_user_password is not None:
             self._values["master_user_password"] = master_user_password
+        if saml_authentication_enabled is not None:
+            self._values["saml_authentication_enabled"] = saml_authentication_enabled
+        if saml_authentication_options is not None:
+            self._values["saml_authentication_options"] = saml_authentication_options
 
     @builtins.property
     def master_user_arn(self) -> typing.Optional[builtins.str]:
@@ -572,6 +611,28 @@ class AdvancedSecurityOptions:
         result = self._values.get("master_user_password")
         return typing.cast(typing.Optional[_SecretValue_3dd0ddae], result)
 
+    @builtins.property
+    def saml_authentication_enabled(self) -> typing.Optional[builtins.bool]:
+        '''True to enable SAML authentication for a domain.
+
+        :default: - SAML authentication is disabled. Enabled if ``samlAuthenticationOptions`` is set.
+
+        :see: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html
+        '''
+        result = self._values.get("saml_authentication_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def saml_authentication_options(self) -> typing.Optional["SAMLOptionsProperty"]:
+        '''Container for information about the SAML configuration for OpenSearch Dashboards.
+
+        If set, ``samlAuthenticationEnabled`` will be enabled.
+
+        :default: - no SAML authentication options
+        '''
+        result = self._values.get("saml_authentication_options")
+        return typing.cast(typing.Optional["SAMLOptionsProperty"], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -4772,13 +4833,12 @@ class EncryptionAtRestOptions:
                     enabled=True
                 ),
                 fine_grained_access_control=AdvancedSecurityOptions(
-                    master_user_name="master-user"
-                ),
-                logging=LoggingOptions(
-                    audit_log_enabled=True,
-                    slow_search_log_enabled=True,
-                    app_log_enabled=True,
-                    slow_index_log_enabled=True
+                    master_user_name="master-user",
+                    saml_authentication_enabled=True,
+                    saml_authentication_options=SAMLOptionsProperty(
+                        idp_entity_id="entity-id",
+                        idp_metadata_content="metadata-content-with-quotes-escaped"
+                    )
                 )
             )
         '''
@@ -6619,6 +6679,163 @@ class LoggingOptions:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_opensearchservice.SAMLOptionsProperty",
+    jsii_struct_bases=[],
+    name_mapping={
+        "idp_entity_id": "idpEntityId",
+        "idp_metadata_content": "idpMetadataContent",
+        "master_backend_role": "masterBackendRole",
+        "master_user_name": "masterUserName",
+        "roles_key": "rolesKey",
+        "session_timeout_minutes": "sessionTimeoutMinutes",
+        "subject_key": "subjectKey",
+    },
+)
+class SAMLOptionsProperty:
+    def __init__(
+        self,
+        *,
+        idp_entity_id: builtins.str,
+        idp_metadata_content: builtins.str,
+        master_backend_role: typing.Optional[builtins.str] = None,
+        master_user_name: typing.Optional[builtins.str] = None,
+        roles_key: typing.Optional[builtins.str] = None,
+        session_timeout_minutes: typing.Optional[jsii.Number] = None,
+        subject_key: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Container for information about the SAML configuration for OpenSearch Dashboards.
+
+        :param idp_entity_id: The unique entity ID of the application in the SAML identity provider.
+        :param idp_metadata_content: The metadata of the SAML application, in XML format.
+        :param master_backend_role: The backend role that the SAML master user is mapped to. Any users with this backend role receives full permission in OpenSearch Dashboards/Kibana. To use a SAML master backend role, configure the ``rolesKey`` property. Default: - The master user is not mapped to a backend role
+        :param master_user_name: The SAML master username, which is stored in the domain's internal user database. This SAML user receives full permission in OpenSearch Dashboards/Kibana. Creating a new master username does not delete any existing master usernames. Default: - No master user name is configured
+        :param roles_key: Element of the SAML assertion to use for backend roles. Default: - roles
+        :param session_timeout_minutes: The duration, in minutes, after which a user session becomes inactive. Default: - 60
+        :param subject_key: Element of the SAML assertion to use for the user name. Default: - NameID element of the SAML assertion fot the user name
+
+        :exampleMetadata: infused
+
+        Example::
+
+            domain = Domain(self, "Domain",
+                version=EngineVersion.OPENSEARCH_1_0,
+                enforce_https=True,
+                node_to_node_encryption=True,
+                encryption_at_rest=EncryptionAtRestOptions(
+                    enabled=True
+                ),
+                fine_grained_access_control=AdvancedSecurityOptions(
+                    master_user_name="master-user",
+                    saml_authentication_enabled=True,
+                    saml_authentication_options=SAMLOptionsProperty(
+                        idp_entity_id="entity-id",
+                        idp_metadata_content="metadata-content-with-quotes-escaped"
+                    )
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__3971b3c73627d57587c667b1ede64fbba4de4fd4a086af959dc2d0f812f8e36b)
+            check_type(argname="argument idp_entity_id", value=idp_entity_id, expected_type=type_hints["idp_entity_id"])
+            check_type(argname="argument idp_metadata_content", value=idp_metadata_content, expected_type=type_hints["idp_metadata_content"])
+            check_type(argname="argument master_backend_role", value=master_backend_role, expected_type=type_hints["master_backend_role"])
+            check_type(argname="argument master_user_name", value=master_user_name, expected_type=type_hints["master_user_name"])
+            check_type(argname="argument roles_key", value=roles_key, expected_type=type_hints["roles_key"])
+            check_type(argname="argument session_timeout_minutes", value=session_timeout_minutes, expected_type=type_hints["session_timeout_minutes"])
+            check_type(argname="argument subject_key", value=subject_key, expected_type=type_hints["subject_key"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "idp_entity_id": idp_entity_id,
+            "idp_metadata_content": idp_metadata_content,
+        }
+        if master_backend_role is not None:
+            self._values["master_backend_role"] = master_backend_role
+        if master_user_name is not None:
+            self._values["master_user_name"] = master_user_name
+        if roles_key is not None:
+            self._values["roles_key"] = roles_key
+        if session_timeout_minutes is not None:
+            self._values["session_timeout_minutes"] = session_timeout_minutes
+        if subject_key is not None:
+            self._values["subject_key"] = subject_key
+
+    @builtins.property
+    def idp_entity_id(self) -> builtins.str:
+        '''The unique entity ID of the application in the SAML identity provider.'''
+        result = self._values.get("idp_entity_id")
+        assert result is not None, "Required property 'idp_entity_id' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def idp_metadata_content(self) -> builtins.str:
+        '''The metadata of the SAML application, in XML format.'''
+        result = self._values.get("idp_metadata_content")
+        assert result is not None, "Required property 'idp_metadata_content' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def master_backend_role(self) -> typing.Optional[builtins.str]:
+        '''The backend role that the SAML master user is mapped to.
+
+        Any users with this backend role receives full permission in OpenSearch Dashboards/Kibana.
+        To use a SAML master backend role, configure the ``rolesKey`` property.
+
+        :default: - The master user is not mapped to a backend role
+        '''
+        result = self._values.get("master_backend_role")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def master_user_name(self) -> typing.Optional[builtins.str]:
+        '''The SAML master username, which is stored in the domain's internal user database.
+
+        This SAML user receives full permission in OpenSearch Dashboards/Kibana.
+        Creating a new master username does not delete any existing master usernames.
+
+        :default: - No master user name is configured
+        '''
+        result = self._values.get("master_user_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def roles_key(self) -> typing.Optional[builtins.str]:
+        '''Element of the SAML assertion to use for backend roles.
+
+        :default: - roles
+        '''
+        result = self._values.get("roles_key")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def session_timeout_minutes(self) -> typing.Optional[jsii.Number]:
+        '''The duration, in minutes, after which a user session becomes inactive.
+
+        :default: - 60
+        '''
+        result = self._values.get("session_timeout_minutes")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def subject_key(self) -> typing.Optional[builtins.str]:
+        '''Element of the SAML assertion to use for the user name.
+
+        :default: - NameID element of the SAML assertion fot the user name
+        '''
+        result = self._values.get("subject_key")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "SAMLOptionsProperty(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_opensearchservice.TLSSecurityPolicy")
 class TLSSecurityPolicy(enum.Enum):
     '''The minimum TLS version required for traffic to the domain.'''
@@ -7823,6 +8040,7 @@ __all__ = [
     "EngineVersion",
     "IDomain",
     "LoggingOptions",
+    "SAMLOptionsProperty",
     "TLSSecurityPolicy",
     "WindowStartTime",
     "ZoneAwarenessConfig",
@@ -7835,6 +8053,8 @@ def _typecheckingstub__c1e95392d4761126042f2d6d6160889a80c269d2f13c21476fe92febd
     master_user_arn: typing.Optional[builtins.str] = None,
     master_user_name: typing.Optional[builtins.str] = None,
     master_user_password: typing.Optional[_SecretValue_3dd0ddae] = None,
+    saml_authentication_enabled: typing.Optional[builtins.bool] = None,
+    saml_authentication_options: typing.Optional[typing.Union[SAMLOptionsProperty, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -8378,6 +8598,19 @@ def _typecheckingstub__6f2efbcf1fc757504a748851740a44deb59ed98ee9c1d8c213d60960f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__3971b3c73627d57587c667b1ede64fbba4de4fd4a086af959dc2d0f812f8e36b(
+    *,
+    idp_entity_id: builtins.str,
+    idp_metadata_content: builtins.str,
+    master_backend_role: typing.Optional[builtins.str] = None,
+    master_user_name: typing.Optional[builtins.str] = None,
+    roles_key: typing.Optional[builtins.str] = None,
+    session_timeout_minutes: typing.Optional[jsii.Number] = None,
+    subject_key: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__6aa10c95f5a58e650c77a0c42630f2fa77e6475974ad59138caebb586e5fad2c(
     *,
     hours: jsii.Number,

aws_cdk/aws_organizations/__init__.py

@@ -62,15 +62,15 @@ class CfnAccount(
     AWS CloudFormation uses the ```CreateAccount`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html>`_ operation to create accounts. This is an asynchronous request that AWS performs in the background. Because ``CreateAccount`` operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
 
     - Use the ``Id`` value of the ``CreateAccountStatus`` response element from the ``CreateAccount`` operation to provide as a parameter to the ```DescribeCreateAccountStatus`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html>`_ operation.
-    - Check the CloudTrail log for the ``CreateAccountResult`` event. For information on using CloudTrail with AWS Organizations , see `Logging and monitoring in AWS Organizations <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration>`_ in the *AWS Organizations User Guide.*
+    - Check the CloudTrail log for the ``CreateAccountResult`` event. For information on using CloudTrail with AWS Organizations , see `Logging and monitoring in AWS Organizations <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration>`_ in the *AWS Organizations User Guide* .
 
-    The user who calls the API to create an account must have the ``organizations:CreateAccount`` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named ``AWSServiceRoleForOrganizations`` . For more information, see `AWS Organizations and Service-Linked Roles <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs>`_ in the *AWS Organizations User Guide* .
+    The user who calls the API to create an account must have the ``organizations:CreateAccount`` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named ``AWSServiceRoleForOrganizations`` . For more information, see `AWS Organizations and service-linked roles <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs>`_ in the *AWS Organizations User Guide* .
 
     If the request includes tags, then the requester must have the ``organizations:TagResource`` permission.
 
     AWS Organizations preconfigures the new member account with a role (named ``OrganizationAccountAccessRole`` by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
 
-    For more information about creating accounts, see `Creating an AWS account in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html>`_ in the *AWS Organizations User Guide.*
+    For more information about creating accounts, see `Creating a member account in your organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html>`_ in the *AWS Organizations User Guide* .
 
     This operation can be called only from the organization's management account.
 
@@ -85,14 +85,14 @@ class CfnAccount(
        - Email
        - RoleName
 
-       If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a `registered delegated administrator <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html>`_ account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters ``AccountName`` and ``Email`` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see `Modifying the account name, email address, or password for the AWS account root user <https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html>`_ in the *AWS Account Management Reference Guide* .
+       If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a `registered delegated administrator <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html>`_ account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters ``AccountName`` and ``Email`` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see `Update the AWS account name, email address, or password for the root user <https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html>`_ in the *AWS Account Management Reference Guide* .
 
-       - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at `To leave an organization as a member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info>`_ in the *AWS Organizations User Guide* .
+       - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. For more information, see `Considerations before removing an account from an organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_account-before-remove.html>`_ in the *AWS Organizations User Guide* .
        - When you create an account in an organization using AWS CloudFormation , you can't specify a value for the ``CreateAccount`` operation parameter ``IamUserAccessToBilling`` . The default value for parameter ``IamUserAccessToBilling`` is ``ALLOW`` , and IAM users and roles with the required permissions can access billing information for the new account.
        - If you get an exception that indicates ``DescribeCreateAccountStatus returns IN_PROGRESS state before time out`` . You must check the account creation status using the ```DescribeCreateAccountStatus`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html>`_ operation. If the account state returns as ``SUCCEEDED`` , you can import the account into AWS CloudFormation management using ```resource import`` <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html>`_ .
        - If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the `Service Quotas console <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html>`_ .
        - If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact `AWS Support <https://docs.aws.amazon.com/support/home#/>`_ .
-       - We don't recommend that you use the ``CreateAccount`` operation to create multiple temporary accounts. You can close accounts using the ```CloseAccount`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html>`_ operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see `Closing an AWS account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html>`_ in the *AWS Organizations User Guide* .
+       - We don't recommend that you use the ``CreateAccount`` operation to create multiple temporary accounts. You can close accounts using the ```CloseAccount`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html>`_ operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see `Closing a member account in your organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html>`_ in the *AWS Organizations User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-account.html
     :exampleMetadata: fixture=_generated
@@ -134,7 +134,7 @@ class CfnAccount(
         :param account_name: The account name given to the account when it was created.
         :param email: The email address associated with the AWS account. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for this parameter is a string of characters that represents a standard internet email address.
         :param parent_ids: The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the ``ParentId`` defaults to the root ID. This parameter only accepts a string array with one string value. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for a parent ID string requires one of the following: - *Root* - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits. - *Organizational unit (OU)* - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
-        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Accessing and Administering the Member Accounts in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `Tutorial: Delegate Access Across AWS accounts Using IAM Roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
+        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Creating the OrganizationAccountAccessRole in an invited member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `IAM Tutorial: Delegate access across AWS accounts using IAM roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
         :param tags: A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to ``null`` . For more information about tagging, see `Tagging AWS Organizations resources <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html>`_ in the AWS Organizations User Guide. .. epigraph:: If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.
         '''
         if __debug__:
@@ -339,7 +339,7 @@ class CfnAccountProps:
         :param account_name: The account name given to the account when it was created.
         :param email: The email address associated with the AWS account. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for this parameter is a string of characters that represents a standard internet email address.
         :param parent_ids: The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the ``ParentId`` defaults to the root ID. This parameter only accepts a string array with one string value. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for a parent ID string requires one of the following: - *Root* - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits. - *Organizational unit (OU)* - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
-        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Accessing and Administering the Member Accounts in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `Tutorial: Delegate Access Across AWS accounts Using IAM Roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
+        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Creating the OrganizationAccountAccessRole in an invited member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `IAM Tutorial: Delegate access across AWS accounts using IAM roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
         :param tags: A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to ``null`` . For more information about tagging, see `Tagging AWS Organizations resources <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html>`_ in the AWS Organizations User Guide. .. epigraph:: If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-account.html
@@ -432,8 +432,8 @@ class CfnAccountProps:
 
         For more information about how to use this role to access the member account, see the following links:
 
-        - `Accessing and Administering the Member Accounts in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide*
-        - Steps 2 and 3 in `Tutorial: Delegate Access Across AWS accounts Using IAM Roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide*
+        - `Creating the OrganizationAccountAccessRole in an invited member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide*
+        - Steps 2 and 3 in `IAM Tutorial: Delegate access across AWS accounts using IAM roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide*
 
         The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-
 
@@ -484,10 +484,10 @@ class CfnOrganization(
     .. epigraph::
 
        - If you delete an organization, you can't recover it. If you created any policies inside of the organization, they're also deleted and you can't recover them.
-       - You can delete an organization only after you remove all member accounts from the organization. If you created some of your member accounts using AWS Organizations , you might be blocked from removing those accounts. You can remove a member account only if it has all the information that's required to operate as a standalone AWS account. For more information about how to provide that information and then remove the account, see `Leaving an organization as a member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#orgs_manage_accounts_leave-as-member>`_ in the *AWS Organizations User Guide* .
+       - You can delete an organization only after you remove all member accounts from the organization. If you created some of your member accounts using AWS Organizations , you might be blocked from removing those accounts. You can remove a member account only if it has all the information that's required to operate as a standalone AWS account. For more information about how to provide that information and then remove the account, see `Leave an organization from your member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_leave-as-member.html>`_ in the *AWS Organizations User Guide* .
        - If you closed a member account before you remove it from the organization, it enters a 'suspended' state for a period of time and you can't remove the account from the organization until it is finally closed. This can take up to 90 days and can prevent you from deleting the organization until all member accounts are completely closed.
 
-       For more information, see `Deleting the organization by removing the management account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html>`_ in the *AWS Organizations User Guide* .
+       For more information, see `Deleting an organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html>`_ in the *AWS Organizations User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-organization.html
     :exampleMetadata: fixture=_generated
@@ -513,7 +513,7 @@ class CfnOrganization(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide.* The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
+        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide* . The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__450a54c6b7334fcb8f406a9a29b8e1f90a618bcbd127f2d5a6a9fa43ff254400)
@@ -638,7 +638,7 @@ class CfnOrganizationProps:
     def __init__(self, *, feature_set: typing.Optional[builtins.str] = None) -> None:
         '''Properties for defining a ``CfnOrganization``.
 
-        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide.* The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
+        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide* . The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-organization.html
         :exampleMetadata: fixture=_generated
@@ -665,7 +665,7 @@ class CfnOrganizationProps:
         '''Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.
 
         - ``ALL``  In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* .
-        - ``CONSOLIDATED_BILLING``  All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide.*
+        - ``CONSOLIDATED_BILLING``  All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide* .
 
         The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.
 
@@ -706,7 +706,7 @@ class CfnOrganizationalUnit(
 
     An OU is a container for accounts that enables you to organize your accounts to apply policies according to your business requirements. The number of levels deep that you can nest OUs is dependent upon the policy types enabled for that root. For service control policies, the limit is five.
 
-    For more information about OUs, see `Managing Organizational Units <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html>`_ in the *AWS Organizations User Guide.*
+    For more information about OUs, see `Managing organizational units (OUs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html>`_ in the *AWS Organizations User Guide* .
 
     If the request includes tags, then the requester must have the ``organizations:TagResource`` permission.
 
@@ -976,7 +976,7 @@ class CfnPolicy(
 ):
     '''Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual AWS account .
 
-    For more information about policies and their use, see `Managing Organization Policies <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html>`_ .
+    For more information about policies and their use, see `Managing AWS Organizations policies <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html>`_ .
 
     If the request includes tags, then the requester must have the ``organizations:TagResource`` permission.