aws-cdk-lib 2.90.0__py3-none-any.whl → 2.92.0__py3-none-any.whl

aws_cdk/aws_guardduty/__init__.py

@@ -1477,7 +1477,7 @@ class CfnFilter(
         ) -> None:
             '''Represents a map of finding properties that match specified conditions and values when querying findings.
 
-            :param criterion: Represents a map of finding properties that match specified conditions and values when querying findings. For a mapping of JSON criterion to their console equivalent see `Finding criteria <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria>`_ . The following are the available criterion: - accountId - region - confidence - id - resource.accessKeyDetails.accessKeyId - resource.accessKeyDetails.principalId - resource.accessKeyDetails.userName - resource.accessKeyDetails.userType - resource.instanceDetails.iamInstanceProfile.id - resource.instanceDetails.imageId - resource.instanceDetails.instanceId - resource.instanceDetails.outpostArn - resource.instanceDetails.networkInterfaces.ipv6Addresses - resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress - resource.instanceDetails.networkInterfaces.publicDnsName - resource.instanceDetails.networkInterfaces.publicIp - resource.instanceDetails.networkInterfaces.securityGroups.groupId - resource.instanceDetails.networkInterfaces.securityGroups.groupName - resource.instanceDetails.networkInterfaces.subnetId - resource.instanceDetails.networkInterfaces.vpcId - resource.instanceDetails.tags.key - resource.instanceDetails.tags.value - resource.resourceType - service.action.actionType - service.action.awsApiCallAction.api - service.action.awsApiCallAction.callerType - service.action.awsApiCallAction.errorCode - service.action.awsApiCallAction.remoteIpDetails.city.cityName - service.action.awsApiCallAction.remoteIpDetails.country.countryName - service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 - service.action.awsApiCallAction.remoteIpDetails.organization.asn - service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg - service.action.awsApiCallAction.serviceName - service.action.dnsRequestAction.domain - service.action.networkConnectionAction.blocked - service.action.networkConnectionAction.connectionDirection - service.action.networkConnectionAction.localPortDetails.port - service.action.networkConnectionAction.protocol - service.action.networkConnectionAction.localIpDetails.ipAddressV4 - service.action.networkConnectionAction.remoteIpDetails.city.cityName - service.action.networkConnectionAction.remoteIpDetails.country.countryName - service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 - service.action.networkConnectionAction.remoteIpDetails.organization.asn - service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg - service.action.networkConnectionAction.remotePortDetails.port - service.additionalInfo.threatListName - service.archived When this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed. - service.resourceRole - severity - type - updatedAt Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
+            :param criterion: Represents a map of finding properties that match specified conditions and values when querying findings. For information about JSON criterion mapping to their console equivalent, see `Finding criteria <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria>`_ . The following are the available criterion: - accountId - id - region - severity To filter on the basis of severity, API and CFN use the following input list for the condition: - *Low* : ``["1", "2", "3"]`` - *Medium* : ``["4", "5", "6"]`` - *High* : ``["7", "8", "9"]`` For more information, see `Severity levels for GuardDuty findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity>`_ . - type - updatedAt Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds. - resource.accessKeyDetails.accessKeyId - resource.accessKeyDetails.principalId - resource.accessKeyDetails.userName - resource.accessKeyDetails.userType - resource.instanceDetails.iamInstanceProfile.id - resource.instanceDetails.imageId - resource.instanceDetails.instanceId - resource.instanceDetails.tags.key - resource.instanceDetails.tags.value - resource.instanceDetails.networkInterfaces.ipv6Addresses - resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress - resource.instanceDetails.networkInterfaces.publicDnsName - resource.instanceDetails.networkInterfaces.publicIp - resource.instanceDetails.networkInterfaces.securityGroups.groupId - resource.instanceDetails.networkInterfaces.securityGroups.groupName - resource.instanceDetails.networkInterfaces.subnetId - resource.instanceDetails.networkInterfaces.vpcId - resource.instanceDetails.outpostArn - resource.resourceType - resource.s3BucketDetails.publicAccess.effectivePermissions - resource.s3BucketDetails.name - resource.s3BucketDetails.tags.key - resource.s3BucketDetails.tags.value - resource.s3BucketDetails.type - service.action.actionType - service.action.awsApiCallAction.api - service.action.awsApiCallAction.callerType - service.action.awsApiCallAction.errorCode - service.action.awsApiCallAction.remoteIpDetails.city.cityName - service.action.awsApiCallAction.remoteIpDetails.country.countryName - service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 - service.action.awsApiCallAction.remoteIpDetails.organization.asn - service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg - service.action.awsApiCallAction.serviceName - service.action.dnsRequestAction.domain - service.action.networkConnectionAction.blocked - service.action.networkConnectionAction.connectionDirection - service.action.networkConnectionAction.localPortDetails.port - service.action.networkConnectionAction.protocol - service.action.networkConnectionAction.remoteIpDetails.city.cityName - service.action.networkConnectionAction.remoteIpDetails.country.countryName - service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 - service.action.networkConnectionAction.remoteIpDetails.organization.asn - service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg - service.action.networkConnectionAction.remotePortDetails.port - service.action.awsApiCallAction.remoteAccountDetails.affiliated - service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 - service.action.kubernetesApiCallAction.requestUri - service.action.networkConnectionAction.localIpDetails.ipAddressV4 - service.action.networkConnectionAction.protocol - service.action.awsApiCallAction.serviceName - service.action.awsApiCallAction.remoteAccountDetails.accountId - service.additionalInfo.threatListName - service.resourceRole - resource.eksClusterDetails.name - resource.kubernetesDetails.kubernetesWorkloadDetails.name - resource.kubernetesDetails.kubernetesWorkloadDetails.namespace - resource.kubernetesDetails.kubernetesUserDetails.username - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix - service.ebsVolumeScanDetails.scanId - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash - resource.ecsClusterDetails.name - resource.ecsClusterDetails.taskDetails.containers.image - resource.ecsClusterDetails.taskDetails.definitionArn - resource.containerDetails.image - resource.rdsDbInstanceDetails.dbInstanceIdentifier - resource.rdsDbInstanceDetails.dbClusterIdentifier - resource.rdsDbInstanceDetails.engine - resource.rdsDbUserDetails.user - resource.rdsDbInstanceDetails.tags.key - resource.rdsDbInstanceDetails.tags.value - service.runtimeDetails.process.executableSha256 - service.runtimeDetails.process.name - service.runtimeDetails.process.name - resource.lambdaDetails.functionName - resource.lambdaDetails.functionArn - resource.lambdaDetails.tags.key - resource.lambdaDetails.tags.value
             :param item_type: Specifies the condition to be applied to a single field when filtering through findings.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-guardduty-filter-findingcriteria.html
@@ -1523,12 +1523,26 @@ class CfnFilter(
         def criterion(self) -> typing.Any:
             '''Represents a map of finding properties that match specified conditions and values when querying findings.
 
-            For a mapping of JSON criterion to their console equivalent see `Finding criteria <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria>`_ . The following are the available criterion:
+            For information about JSON criterion mapping to their console equivalent, see `Finding criteria <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria>`_ . The following are the available criterion:
 
             - accountId
-            - region
-            - confidence
             - id
+            - region
+            - severity
+
+            To filter on the basis of severity, API and CFN use the following input list for the condition:
+
+            - *Low* : ``["1", "2", "3"]``
+            - *Medium* : ``["4", "5", "6"]``
+            - *High* : ``["7", "8", "9"]``
+
+            For more information, see `Severity levels for GuardDuty findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity>`_ .
+
+            - type
+            - updatedAt
+
+            Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
+
             - resource.accessKeyDetails.accessKeyId
             - resource.accessKeyDetails.principalId
             - resource.accessKeyDetails.userName
@@ -1536,7 +1550,8 @@ class CfnFilter(
             - resource.instanceDetails.iamInstanceProfile.id
             - resource.instanceDetails.imageId
             - resource.instanceDetails.instanceId
-            - resource.instanceDetails.outpostArn
+            - resource.instanceDetails.tags.key
+            - resource.instanceDetails.tags.value
             - resource.instanceDetails.networkInterfaces.ipv6Addresses
             - resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
             - resource.instanceDetails.networkInterfaces.publicDnsName
@@ -1545,9 +1560,13 @@ class CfnFilter(
             - resource.instanceDetails.networkInterfaces.securityGroups.groupName
             - resource.instanceDetails.networkInterfaces.subnetId
             - resource.instanceDetails.networkInterfaces.vpcId
-            - resource.instanceDetails.tags.key
-            - resource.instanceDetails.tags.value
+            - resource.instanceDetails.outpostArn
             - resource.resourceType
+            - resource.s3BucketDetails.publicAccess.effectivePermissions
+            - resource.s3BucketDetails.name
+            - resource.s3BucketDetails.tags.key
+            - resource.s3BucketDetails.tags.value
+            - resource.s3BucketDetails.type
             - service.action.actionType
             - service.action.awsApiCallAction.api
             - service.action.awsApiCallAction.callerType
@@ -1563,24 +1582,48 @@ class CfnFilter(
             - service.action.networkConnectionAction.connectionDirection
             - service.action.networkConnectionAction.localPortDetails.port
             - service.action.networkConnectionAction.protocol
-            - service.action.networkConnectionAction.localIpDetails.ipAddressV4
             - service.action.networkConnectionAction.remoteIpDetails.city.cityName
             - service.action.networkConnectionAction.remoteIpDetails.country.countryName
             - service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
             - service.action.networkConnectionAction.remoteIpDetails.organization.asn
             - service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
             - service.action.networkConnectionAction.remotePortDetails.port
+            - service.action.awsApiCallAction.remoteAccountDetails.affiliated
+            - service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
+            - service.action.kubernetesApiCallAction.requestUri
+            - service.action.networkConnectionAction.localIpDetails.ipAddressV4
+            - service.action.networkConnectionAction.protocol
+            - service.action.awsApiCallAction.serviceName
+            - service.action.awsApiCallAction.remoteAccountDetails.accountId
             - service.additionalInfo.threatListName
-            - service.archived
-
-            When this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
-
             - service.resourceRole
-            - severity
-            - type
-            - updatedAt
-
-            Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
+            - resource.eksClusterDetails.name
+            - resource.kubernetesDetails.kubernetesWorkloadDetails.name
+            - resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
+            - resource.kubernetesDetails.kubernetesUserDetails.username
+            - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
+            - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
+            - service.ebsVolumeScanDetails.scanId
+            - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
+            - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
+            - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
+            - resource.ecsClusterDetails.name
+            - resource.ecsClusterDetails.taskDetails.containers.image
+            - resource.ecsClusterDetails.taskDetails.definitionArn
+            - resource.containerDetails.image
+            - resource.rdsDbInstanceDetails.dbInstanceIdentifier
+            - resource.rdsDbInstanceDetails.dbClusterIdentifier
+            - resource.rdsDbInstanceDetails.engine
+            - resource.rdsDbUserDetails.user
+            - resource.rdsDbInstanceDetails.tags.key
+            - resource.rdsDbInstanceDetails.tags.value
+            - service.runtimeDetails.process.executableSha256
+            - service.runtimeDetails.process.name
+            - service.runtimeDetails.process.name
+            - resource.lambdaDetails.functionName
+            - resource.lambdaDetails.functionArn
+            - resource.lambdaDetails.tags.key
+            - resource.lambdaDetails.tags.value
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-guardduty-filter-findingcriteria.html#cfn-guardduty-filter-findingcriteria-criterion
             '''

aws_cdk/aws_iam/__init__.py

@@ -3072,7 +3072,8 @@ class CfnPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The provider-assigned unique ID for this resource.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -13384,18 +13385,16 @@ class User(
 ):
     '''Define a new IAM user.
 
-    :exampleMetadata: infused
+    :exampleMetadata: lit=aws-iam/test/example.attaching.lit.ts infused
 
     Example::
 
-        # definition: sfn.IChainable
-        user = iam.User(self, "MyUser")
-        state_machine = sfn.StateMachine(self, "StateMachine",
-            definition=definition
-        )
+        user = User(self, "MyUser", password=SecretValue.plain_text("1234"))
+        group = Group(self, "MyGroup")
         
-        # give user permission to send task success to the state machine
-        state_machine.grant(user, "states:SendTaskSuccess")
+        policy = Policy(self, "MyPolicy")
+        policy.attach_to_user(user)
+        group.attach_inline_policy(policy)
     '''
 
     def __init__(

aws_cdk/aws_iot/__init__.py

@@ -9339,7 +9339,7 @@ class CfnSecurityProfile(
             '''A Device Defender security profile behavior.
 
             :param name: The name you've given to the behavior.
-            :param criteria: The criteria that determine if a device is behaving normally in regard to the ``metric`` .
+            :param criteria: The criteria that determine if a device is behaving normally in regard to the ``metric`` . .. epigraph:: In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.
             :param metric: What is measured by the behavior.
             :param metric_dimension: The dimension of the metric.
             :param suppress_alerts: The alert status. If you set the value to ``true`` , alerts will be suppressed.
@@ -9422,6 +9422,10 @@ class CfnSecurityProfile(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnSecurityProfile.BehaviorCriteriaProperty"]]:
             '''The criteria that determine if a device is behaving normally in regard to the ``metric`` .
 
+            .. epigraph::
+
+               In the AWS IoT console, you can choose to be sent an alert through Amazon SNS when AWS IoT Device Defender detects that a device is behaving anomalously.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-securityprofile-behavior.html#cfn-iot-securityprofile-behavior-criteria
             '''
             result = self._values.get("criteria")

aws_cdk/aws_kms/__init__.py

@@ -711,10 +711,11 @@ class CfnKey(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        key_policy: typing.Any,
+        bypass_policy_lockout_safety_check: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         description: typing.Optional[builtins.str] = None,
         enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         enable_key_rotation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        key_policy: typing.Any = None,
         key_spec: typing.Optional[builtins.str] = None,
         key_usage: typing.Optional[builtins.str] = None,
         multi_region: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -725,10 +726,11 @@ class CfnKey(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param key_policy: The key policy that authorizes use of the KMS key. The key policy must conform to the following rules. - The key policy must allow the caller to make a subsequent `PutKeyPolicy <https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html>`_ request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam>`_ section of the **AWS Key Management Service Developer Guide** . - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see `Changes that I make are not always immediately visible <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency>`_ in the *AWS Identity and Access Management User Guide* . If you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default>`_ in the *AWS Key Management Service Developer Guide* . A key policy document can include only the following characters: - Printable ASCII characters - Printable characters in the Basic Latin and Latin-1 Supplement character set - The tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` ) special characters *Minimum* : ``1`` *Maximum* : ``32768``
+        :param bypass_policy_lockout_safety_check: Skips ("bypasses") the key policy lockout safety check. The default value is false. Default: - false
         :param description: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
         :param enabled: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When ``Enabled`` is ``true`` , the *key state* of the KMS key is ``Enabled`` . When ``Enabled`` is ``false`` , the key state of the KMS key is ``Disabled`` . The default value is ``true`` . The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the `EnableKey <https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html>`_ , `DisableKey <https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html>`_ , or `ScheduleKeyDeletion <https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html>`_ operations. For information about the key states of a KMS key, see `Key state: Effect on your KMS key <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html>`_ in the *AWS Key Management Service Developer Guide* .
         :param enable_key_rotation: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. AWS KMS supports automatic rotation only for symmetric encryption KMS keys ( ``KeySpec`` = ``SYMMETRIC_DEFAULT`` ). For asymmetric KMS keys and HMAC KMS keys, omit the ``EnableKeyRotation`` property or set it to ``false`` . To enable automatic key rotation of the key material for a multi-Region KMS key, set ``EnableKeyRotation`` to ``true`` on the primary key (created by using ``AWS::KMS::Key`` ). AWS KMS copies the rotation status to all replica keys. For details, see `Rotating multi-Region keys <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate>`_ in the *AWS Key Management Service Developer Guide* . When you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see `Rotating KMS keys <https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html>`_ in the *AWS Key Management Service Developer Guide* .
+        :param key_policy: The key policy that authorizes use of the KMS key. The key policy must conform to the following rules. - The key policy must allow the caller to make a subsequent `PutKeyPolicy <https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html>`_ request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam>`_ section of the **AWS Key Management Service Developer Guide** . - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see `Changes that I make are not always immediately visible <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency>`_ in the *AWS Identity and Access Management User Guide* . If you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default>`_ in the *AWS Key Management Service Developer Guide* . A key policy document can include only the following characters: - Printable ASCII characters - Printable characters in the Basic Latin and Latin-1 Supplement character set - The tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` ) special characters *Minimum* : ``1`` *Maximum* : ``32768``
         :param key_spec: Specifies the type of KMS key to create. The default value, ``SYMMETRIC_DEFAULT`` , creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, ``SYMMETRIC_DEFAULT`` creates a 128-bit symmetric key that uses SM4 encryption. You can't change the ``KeySpec`` value after the KMS key is created. For help choosing a key spec for your KMS key, see `Choosing a KMS key type <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html>`_ in the *AWS Key Management Service Developer Guide* . The ``KeySpec`` property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see `AWS KMS condition keys <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms>`_ in the *AWS Key Management Service Developer Guide* . .. epigraph:: If you change the value of the ``KeySpec`` property on an existing KMS key, the update request fails, regardless of the value of the ```UpdateReplacePolicy`` attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html>`_ . This prevents you from accidentally deleting a KMS key by changing an immutable property value. > `AWS services that are integrated with AWS KMS <https://docs.aws.amazon.com/kms/features/#AWS_Service_Integration>`_ use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see `Identifying asymmetric KMS keys <https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html>`_ in the *AWS Key Management Service Developer Guide* . AWS KMS supports the following key specs for KMS keys: - Symmetric encryption key (default) - ``SYMMETRIC_DEFAULT`` (AES-256-GCM) - HMAC keys (symmetric) - ``HMAC_224`` - ``HMAC_256`` - ``HMAC_384`` - ``HMAC_512`` - Asymmetric RSA key pairs - ``RSA_2048`` - ``RSA_3072`` - ``RSA_4096`` - Asymmetric NIST-recommended elliptic curve key pairs - ``ECC_NIST_P256`` (secp256r1) - ``ECC_NIST_P384`` (secp384r1) - ``ECC_NIST_P521`` (secp521r1) - Other asymmetric elliptic curve key pairs - ``ECC_SECG_P256K1`` (secp256k1), commonly used for cryptocurrencies. - SM2 key pairs (China Regions only) - ``SM2`` Default: - "SYMMETRIC_DEFAULT"
         :param key_usage: Determines the `cryptographic operations <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations>`_ for which you can use the KMS key. The default value is ``ENCRYPT_DECRYPT`` . This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the ``KeyUsage`` value after the KMS key is created. .. epigraph:: If you change the value of the ``KeyUsage`` property on an existing KMS key, the update request fails, regardless of the value of the ```UpdateReplacePolicy`` attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html>`_ . This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. - For symmetric encryption KMS keys, omit the property or specify ``ENCRYPT_DECRYPT`` . - For asymmetric KMS keys with RSA key material, specify ``ENCRYPT_DECRYPT`` or ``SIGN_VERIFY`` . - For asymmetric KMS keys with ECC key material, specify ``SIGN_VERIFY`` . - For asymmetric KMS keys with SM2 (China Regions only) key material, specify ``ENCRYPT_DECRYPT`` or ``SIGN_VERIFY`` . - For HMAC KMS keys, specify ``GENERATE_VERIFY_MAC`` . Default: - "ENCRYPT_DECRYPT"
         :param multi_region: Creates a multi-Region primary key that you can replicate in other AWS Regions . You can't change the ``MultiRegion`` value after the KMS key is created. For a list of AWS Regions in which multi-Region keys are supported, see `Multi-Region keys in AWS KMS <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html>`_ in the ** . .. epigraph:: If you change the value of the ``MultiRegion`` property on an existing KMS key, the update request fails, regardless of the value of the ```UpdateReplacePolicy`` attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html>`_ . This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to ``true`` . For a single-Region key, omit this property or set it to ``false`` . The default value is ``false`` . *Multi-Region keys* are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see `Multi-Region keys <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html>`_ in the *AWS Key Management Service Developer Guide* . You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS Region , create an `AWS::KMS::ReplicaKey <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-replicakey.html>`_ resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key. Default: - false
@@ -741,10 +743,11 @@ class CfnKey(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnKeyProps(
-            key_policy=key_policy,
+            bypass_policy_lockout_safety_check=bypass_policy_lockout_safety_check,
             description=description,
             enabled=enabled,
             enable_key_rotation=enable_key_rotation,
+            key_policy=key_policy,
             key_spec=key_spec,
             key_usage=key_usage,
             multi_region=multi_region,
@@ -819,20 +822,22 @@ class CfnKey(
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
     @builtins.property
-    @jsii.member(jsii_name="keyPolicy")
-    def key_policy(self) -> typing.Any:
-        '''The key policy that authorizes use of the KMS key.
-
-        The key policy must conform to the following rules.
-        '''
-        return typing.cast(typing.Any, jsii.get(self, "keyPolicy"))
+    @jsii.member(jsii_name="bypassPolicyLockoutSafetyCheck")
+    def bypass_policy_lockout_safety_check(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Skips ("bypasses") the key policy lockout safety check.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "bypassPolicyLockoutSafetyCheck"))
 
-    @key_policy.setter
-    def key_policy(self, value: typing.Any) -> None:
+    @bypass_policy_lockout_safety_check.setter
+    def bypass_policy_lockout_safety_check(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__cd3f4724ca140c9b1dca16904dd53ab0905d0688de411b0f60d4f538cb2ac4a2)
+            type_hints = typing.get_type_hints(_typecheckingstub__ba782ca88c8b210d0c18f73ecee5e7266ed06b7428c903676aca9b26b6490443)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "keyPolicy", value)
+        jsii.set(self, "bypassPolicyLockoutSafetyCheck", value)
 
     @builtins.property
     @jsii.member(jsii_name="description")
@@ -886,6 +891,22 @@ class CfnKey(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "enableKeyRotation", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="keyPolicy")
+    def key_policy(self) -> typing.Any:
+        '''The key policy that authorizes use of the KMS key.
+
+        The key policy must conform to the following rules.
+        '''
+        return typing.cast(typing.Any, jsii.get(self, "keyPolicy"))
+
+    @key_policy.setter
+    def key_policy(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__cd3f4724ca140c9b1dca16904dd53ab0905d0688de411b0f60d4f538cb2ac4a2)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "keyPolicy", value)
+
     @builtins.property
     @jsii.member(jsii_name="keySpec")
     def key_spec(self) -> typing.Optional[builtins.str]:
@@ -974,10 +995,11 @@ class CfnKey(
     jsii_type="aws-cdk-lib.aws_kms.CfnKeyProps",
     jsii_struct_bases=[],
     name_mapping={
-        "key_policy": "keyPolicy",
+        "bypass_policy_lockout_safety_check": "bypassPolicyLockoutSafetyCheck",
         "description": "description",
         "enabled": "enabled",
         "enable_key_rotation": "enableKeyRotation",
+        "key_policy": "keyPolicy",
         "key_spec": "keySpec",
         "key_usage": "keyUsage",
         "multi_region": "multiRegion",
@@ -990,10 +1012,11 @@ class CfnKeyProps:
     def __init__(
         self,
         *,
-        key_policy: typing.Any,
+        bypass_policy_lockout_safety_check: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         description: typing.Optional[builtins.str] = None,
         enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
         enable_key_rotation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        key_policy: typing.Any = None,
         key_spec: typing.Optional[builtins.str] = None,
         key_usage: typing.Optional[builtins.str] = None,
         multi_region: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -1003,10 +1026,11 @@ class CfnKeyProps:
     ) -> None:
         '''Properties for defining a ``CfnKey``.
 
-        :param key_policy: The key policy that authorizes use of the KMS key. The key policy must conform to the following rules. - The key policy must allow the caller to make a subsequent `PutKeyPolicy <https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html>`_ request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam>`_ section of the **AWS Key Management Service Developer Guide** . - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see `Changes that I make are not always immediately visible <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency>`_ in the *AWS Identity and Access Management User Guide* . If you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default>`_ in the *AWS Key Management Service Developer Guide* . A key policy document can include only the following characters: - Printable ASCII characters - Printable characters in the Basic Latin and Latin-1 Supplement character set - The tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` ) special characters *Minimum* : ``1`` *Maximum* : ``32768``
+        :param bypass_policy_lockout_safety_check: Skips ("bypasses") the key policy lockout safety check. The default value is false. Default: - false
         :param description: A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use.
         :param enabled: Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When ``Enabled`` is ``true`` , the *key state* of the KMS key is ``Enabled`` . When ``Enabled`` is ``false`` , the key state of the KMS key is ``Disabled`` . The default value is ``true`` . The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the `EnableKey <https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html>`_ , `DisableKey <https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html>`_ , or `ScheduleKeyDeletion <https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html>`_ operations. For information about the key states of a KMS key, see `Key state: Effect on your KMS key <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html>`_ in the *AWS Key Management Service Developer Guide* .
         :param enable_key_rotation: Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. AWS KMS supports automatic rotation only for symmetric encryption KMS keys ( ``KeySpec`` = ``SYMMETRIC_DEFAULT`` ). For asymmetric KMS keys and HMAC KMS keys, omit the ``EnableKeyRotation`` property or set it to ``false`` . To enable automatic key rotation of the key material for a multi-Region KMS key, set ``EnableKeyRotation`` to ``true`` on the primary key (created by using ``AWS::KMS::Key`` ). AWS KMS copies the rotation status to all replica keys. For details, see `Rotating multi-Region keys <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate>`_ in the *AWS Key Management Service Developer Guide* . When you enable automatic rotation, AWS KMS automatically creates new key material for the KMS key one year after the enable date and every year thereafter. AWS KMS retains all key material until you delete the KMS key. For detailed information about automatic key rotation, see `Rotating KMS keys <https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html>`_ in the *AWS Key Management Service Developer Guide* .
+        :param key_policy: The key policy that authorizes use of the KMS key. The key policy must conform to the following rules. - The key policy must allow the caller to make a subsequent `PutKeyPolicy <https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html>`_ request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam>`_ section of the **AWS Key Management Service Developer Guide** . - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see `Changes that I make are not always immediately visible <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency>`_ in the *AWS Identity and Access Management User Guide* . If you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default>`_ in the *AWS Key Management Service Developer Guide* . A key policy document can include only the following characters: - Printable ASCII characters - Printable characters in the Basic Latin and Latin-1 Supplement character set - The tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` ) special characters *Minimum* : ``1`` *Maximum* : ``32768``
         :param key_spec: Specifies the type of KMS key to create. The default value, ``SYMMETRIC_DEFAULT`` , creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, ``SYMMETRIC_DEFAULT`` creates a 128-bit symmetric key that uses SM4 encryption. You can't change the ``KeySpec`` value after the KMS key is created. For help choosing a key spec for your KMS key, see `Choosing a KMS key type <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html>`_ in the *AWS Key Management Service Developer Guide* . The ``KeySpec`` property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see `AWS KMS condition keys <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms>`_ in the *AWS Key Management Service Developer Guide* . .. epigraph:: If you change the value of the ``KeySpec`` property on an existing KMS key, the update request fails, regardless of the value of the ```UpdateReplacePolicy`` attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html>`_ . This prevents you from accidentally deleting a KMS key by changing an immutable property value. > `AWS services that are integrated with AWS KMS <https://docs.aws.amazon.com/kms/features/#AWS_Service_Integration>`_ use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see `Identifying asymmetric KMS keys <https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html>`_ in the *AWS Key Management Service Developer Guide* . AWS KMS supports the following key specs for KMS keys: - Symmetric encryption key (default) - ``SYMMETRIC_DEFAULT`` (AES-256-GCM) - HMAC keys (symmetric) - ``HMAC_224`` - ``HMAC_256`` - ``HMAC_384`` - ``HMAC_512`` - Asymmetric RSA key pairs - ``RSA_2048`` - ``RSA_3072`` - ``RSA_4096`` - Asymmetric NIST-recommended elliptic curve key pairs - ``ECC_NIST_P256`` (secp256r1) - ``ECC_NIST_P384`` (secp384r1) - ``ECC_NIST_P521`` (secp521r1) - Other asymmetric elliptic curve key pairs - ``ECC_SECG_P256K1`` (secp256k1), commonly used for cryptocurrencies. - SM2 key pairs (China Regions only) - ``SM2`` Default: - "SYMMETRIC_DEFAULT"
         :param key_usage: Determines the `cryptographic operations <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations>`_ for which you can use the KMS key. The default value is ``ENCRYPT_DECRYPT`` . This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the ``KeyUsage`` value after the KMS key is created. .. epigraph:: If you change the value of the ``KeyUsage`` property on an existing KMS key, the update request fails, regardless of the value of the ```UpdateReplacePolicy`` attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html>`_ . This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value. - For symmetric encryption KMS keys, omit the property or specify ``ENCRYPT_DECRYPT`` . - For asymmetric KMS keys with RSA key material, specify ``ENCRYPT_DECRYPT`` or ``SIGN_VERIFY`` . - For asymmetric KMS keys with ECC key material, specify ``SIGN_VERIFY`` . - For asymmetric KMS keys with SM2 (China Regions only) key material, specify ``ENCRYPT_DECRYPT`` or ``SIGN_VERIFY`` . - For HMAC KMS keys, specify ``GENERATE_VERIFY_MAC`` . Default: - "ENCRYPT_DECRYPT"
         :param multi_region: Creates a multi-Region primary key that you can replicate in other AWS Regions . You can't change the ``MultiRegion`` value after the KMS key is created. For a list of AWS Regions in which multi-Region keys are supported, see `Multi-Region keys in AWS KMS <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html>`_ in the ** . .. epigraph:: If you change the value of the ``MultiRegion`` property on an existing KMS key, the update request fails, regardless of the value of the ```UpdateReplacePolicy`` attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html>`_ . This prevents you from accidentally deleting a KMS key by changing an immutable property value. For a multi-Region key, set to this property to ``true`` . For a single-Region key, omit this property or set it to ``false`` . The default value is ``false`` . *Multi-Region keys* are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see `Multi-Region keys <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html>`_ in the *AWS Key Management Service Developer Guide* . You can create a symmetric encryption, HMAC, or asymmetric multi-Region KMS key, and you can create a multi-Region key with imported key material. However, you cannot create a multi-Region key in a custom key store. To create a replica of this primary key in a different AWS Region , create an `AWS::KMS::ReplicaKey <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-replicakey.html>`_ resource in a CloudFormation stack in the replica Region. Specify the key ARN of this primary key. Default: - false
@@ -1026,12 +1050,11 @@ class CfnKeyProps:
             # key_policy: Any
             
             cfn_key_props = kms.CfnKeyProps(
-                key_policy=key_policy,
-            
-                # the properties below are optional
+                bypass_policy_lockout_safety_check=False,
                 description="description",
                 enabled=False,
                 enable_key_rotation=False,
+                key_policy=key_policy,
                 key_spec="keySpec",
                 key_usage="keyUsage",
                 multi_region=False,
@@ -1045,25 +1068,28 @@ class CfnKeyProps:
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__52751771c8b3e52917eaf0c78bad67c065fa3f95795e92f5eab3e92ce5051178)
-            check_type(argname="argument key_policy", value=key_policy, expected_type=type_hints["key_policy"])
+            check_type(argname="argument bypass_policy_lockout_safety_check", value=bypass_policy_lockout_safety_check, expected_type=type_hints["bypass_policy_lockout_safety_check"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
             check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
             check_type(argname="argument enable_key_rotation", value=enable_key_rotation, expected_type=type_hints["enable_key_rotation"])
+            check_type(argname="argument key_policy", value=key_policy, expected_type=type_hints["key_policy"])
             check_type(argname="argument key_spec", value=key_spec, expected_type=type_hints["key_spec"])
             check_type(argname="argument key_usage", value=key_usage, expected_type=type_hints["key_usage"])
             check_type(argname="argument multi_region", value=multi_region, expected_type=type_hints["multi_region"])
             check_type(argname="argument origin", value=origin, expected_type=type_hints["origin"])
             check_type(argname="argument pending_window_in_days", value=pending_window_in_days, expected_type=type_hints["pending_window_in_days"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {
-            "key_policy": key_policy,
-        }
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if bypass_policy_lockout_safety_check is not None:
+            self._values["bypass_policy_lockout_safety_check"] = bypass_policy_lockout_safety_check
         if description is not None:
             self._values["description"] = description
         if enabled is not None:
             self._values["enabled"] = enabled
         if enable_key_rotation is not None:
             self._values["enable_key_rotation"] = enable_key_rotation
+        if key_policy is not None:
+            self._values["key_policy"] = key_policy
         if key_spec is not None:
             self._values["key_spec"] = key_spec
         if key_usage is not None:
@@ -1078,29 +1104,19 @@ class CfnKeyProps:
             self._values["tags"] = tags
 
     @builtins.property
-    def key_policy(self) -> typing.Any:
-        '''The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.
-
-        - The key policy must allow the caller to make a subsequent `PutKeyPolicy <https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html>`_ request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam>`_ section of the **AWS Key Management Service Developer Guide** .
-        - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see `Changes that I make are not always immediately visible <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency>`_ in the *AWS Identity and Access Management User Guide* .
-
-        If you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default>`_ in the *AWS Key Management Service Developer Guide* .
-
-        A key policy document can include only the following characters:
-
-        - Printable ASCII characters
-        - Printable characters in the Basic Latin and Latin-1 Supplement character set
-        - The tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` ) special characters
+    def bypass_policy_lockout_safety_check(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Skips ("bypasses") the key policy lockout safety check.
 
-        *Minimum* : ``1``
+        The default value is false.
 
-        *Maximum* : ``32768``
+        :default: - false
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-bypasspolicylockoutsafetycheck
         '''
-        result = self._values.get("key_policy")
-        assert result is not None, "Required property 'key_policy' is missing"
-        return typing.cast(typing.Any, result)
+        result = self._values.get("bypass_policy_lockout_safety_check")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
     @builtins.property
     def description(self) -> typing.Optional[builtins.str]:
@@ -1149,6 +1165,30 @@ class CfnKeyProps:
         result = self._values.get("enable_key_rotation")
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
+    @builtins.property
+    def key_policy(self) -> typing.Any:
+        '''The key policy that authorizes use of the KMS key. The key policy must conform to the following rules.
+
+        - The key policy must allow the caller to make a subsequent `PutKeyPolicy <https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html>`_ request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, refer to the scenario in the `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam>`_ section of the **AWS Key Management Service Developer Guide** .
+        - Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS . When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS . For more information, see `Changes that I make are not always immediately visible <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency>`_ in the *AWS Identity and Access Management User Guide* .
+
+        If you are unsure of which policy to use, consider the *default key policy* . This is the key policy that AWS KMS applies to KMS keys that are created by using the CreateKey API with no specified key policy. It gives the AWS account that owns the key permission to perform all operations on the key. It also allows you write IAM policies to authorize access to the key. For details, see `Default key policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default>`_ in the *AWS Key Management Service Developer Guide* .
+
+        A key policy document can include only the following characters:
+
+        - Printable ASCII characters
+        - Printable characters in the Basic Latin and Latin-1 Supplement character set
+        - The tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` ) special characters
+
+        *Minimum* : ``1``
+
+        *Maximum* : ``32768``
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy
+        '''
+        result = self._values.get("key_policy")
+        return typing.cast(typing.Any, result)
+
     @builtins.property
     def key_spec(self) -> typing.Optional[builtins.str]:
         '''Specifies the type of KMS key to create.
@@ -3115,10 +3155,11 @@ def _typecheckingstub__5ea678e9e5a947601d16e5bb11fec3683fbb15bba768bee0b88be7e19
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    key_policy: typing.Any,
+    bypass_policy_lockout_safety_check: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     description: typing.Optional[builtins.str] = None,
     enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     enable_key_rotation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    key_policy: typing.Any = None,
     key_spec: typing.Optional[builtins.str] = None,
     key_usage: typing.Optional[builtins.str] = None,
     multi_region: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
@@ -3141,8 +3182,8 @@ def _typecheckingstub__7468635e1eaf46c92748f2c14a3230215aa887e54ed03c370eee59b7e
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__cd3f4724ca140c9b1dca16904dd53ab0905d0688de411b0f60d4f538cb2ac4a2(
-    value: typing.Any,
+def _typecheckingstub__ba782ca88c8b210d0c18f73ecee5e7266ed06b7428c903676aca9b26b6490443(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -3165,6 +3206,12 @@ def _typecheckingstub__1949abfe35e26dd5174b35137bea94a550270331496fd2f865d63e223
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__cd3f4724ca140c9b1dca16904dd53ab0905d0688de411b0f60d4f538cb2ac4a2(
+    value: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__00b8e7e0c6c26ba4d81ad2ec83a06ba02111a601de28c48a34e711a20bdb960d(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -3203,10 +3250,11 @@ def _typecheckingstub__b85648b8166c62900697e128ab3a35c1360fdab37323145ed7b7c76dd
 
 def _typecheckingstub__52751771c8b3e52917eaf0c78bad67c065fa3f95795e92f5eab3e92ce5051178(
     *,
-    key_policy: typing.Any,
+    bypass_policy_lockout_safety_check: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     description: typing.Optional[builtins.str] = None,
     enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     enable_key_rotation: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    key_policy: typing.Any = None,
     key_spec: typing.Optional[builtins.str] = None,
     key_usage: typing.Optional[builtins.str] = None,
     multi_region: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,

aws_cdk/aws_lambda/__init__.py

@@ -8094,7 +8094,8 @@ class CfnLayerVersionPermission(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''ID generated by service.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -8618,7 +8619,8 @@ class CfnPermission(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''A statement identifier that differentiates the statement from others in the same policy.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))

aws_cdk/aws_lambda_nodejs/__init__.py

@@ -1460,7 +1460,7 @@ class NodejsFunction(
         :param entry: Path to the entry file (JavaScript or TypeScript). Default: - Derived from the name of the defining file and the construct's id. If the ``NodejsFunction`` is defined in ``stack.ts`` with ``my-handler`` as id (``new NodejsFunction(this, 'my-handler')``), the construct will look at ``stack.my-handler.ts`` and ``stack.my-handler.js``.
         :param handler: The name of the exported handler in the entry file. The handler is prefixed with ``index.`` unless the specified handler value contains a ``.``, in which case it is used as-is. Default: handler
         :param project_root: The path to the directory containing project config files (``package.json`` or ``tsconfig.json``). Default: - the directory containing the ``depsLockFilePath``
-        :param runtime: The runtime environment. Only runtimes of the Node.js family are supported. Default: Runtime.NODEJS_14_X
+        :param runtime: The runtime environment. Only runtimes of the Node.js family are supported. Default: Runtime.NODEJS_18_X
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
         :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
@@ -1702,7 +1702,7 @@ class NodejsFunctionProps(_FunctionOptions_328f4d39):
         :param entry: Path to the entry file (JavaScript or TypeScript). Default: - Derived from the name of the defining file and the construct's id. If the ``NodejsFunction`` is defined in ``stack.ts`` with ``my-handler`` as id (``new NodejsFunction(this, 'my-handler')``), the construct will look at ``stack.my-handler.ts`` and ``stack.my-handler.js``.
         :param handler: The name of the exported handler in the entry file. The handler is prefixed with ``index.`` unless the specified handler value contains a ``.``, in which case it is used as-is. Default: handler
         :param project_root: The path to the directory containing project config files (``package.json`` or ``tsconfig.json``). Default: - the directory containing the ``depsLockFilePath``
-        :param runtime: The runtime environment. Only runtimes of the Node.js family are supported. Default: Runtime.NODEJS_14_X
+        :param runtime: The runtime environment. Only runtimes of the Node.js family are supported. Default: Runtime.NODEJS_18_X
 
         :exampleMetadata: infused
 
@@ -2394,7 +2394,7 @@ class NodejsFunctionProps(_FunctionOptions_328f4d39):
         Only runtimes of the Node.js family are
         supported.
 
-        :default: Runtime.NODEJS_14_X
+        :default: Runtime.NODEJS_18_X
         '''
         result = self._values.get("runtime")
         return typing.cast(typing.Optional[_Runtime_b4eaa844], result)