aws-cdk-lib 2.91.0__py3-none-any.whl → 2.92.0__py3-none-any.whl

aws_cdk/aws_organizations/__init__.py

@@ -62,15 +62,15 @@ class CfnAccount(
     AWS CloudFormation uses the ```CreateAccount`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html>`_ operation to create accounts. This is an asynchronous request that AWS performs in the background. Because ``CreateAccount`` operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:
 
     - Use the ``Id`` value of the ``CreateAccountStatus`` response element from the ``CreateAccount`` operation to provide as a parameter to the ```DescribeCreateAccountStatus`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html>`_ operation.
-    - Check the CloudTrail log for the ``CreateAccountResult`` event. For information on using CloudTrail with AWS Organizations , see `Logging and monitoring in AWS Organizations <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration>`_ in the *AWS Organizations User Guide.*
+    - Check the CloudTrail log for the ``CreateAccountResult`` event. For information on using CloudTrail with AWS Organizations , see `Logging and monitoring in AWS Organizations <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration>`_ in the *AWS Organizations User Guide* .
 
-    The user who calls the API to create an account must have the ``organizations:CreateAccount`` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named ``AWSServiceRoleForOrganizations`` . For more information, see `AWS Organizations and Service-Linked Roles <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs>`_ in the *AWS Organizations User Guide* .
+    The user who calls the API to create an account must have the ``organizations:CreateAccount`` permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named ``AWSServiceRoleForOrganizations`` . For more information, see `AWS Organizations and service-linked roles <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs>`_ in the *AWS Organizations User Guide* .
 
     If the request includes tags, then the requester must have the ``organizations:TagResource`` permission.
 
     AWS Organizations preconfigures the new member account with a role (named ``OrganizationAccountAccessRole`` by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.
 
-    For more information about creating accounts, see `Creating an AWS account in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html>`_ in the *AWS Organizations User Guide.*
+    For more information about creating accounts, see `Creating a member account in your organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html>`_ in the *AWS Organizations User Guide* .
 
     This operation can be called only from the organization's management account.
 
@@ -85,14 +85,14 @@ class CfnAccount(
        - Email
        - RoleName
 
-       If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a `registered delegated administrator <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html>`_ account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters ``AccountName`` and ``Email`` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see `Modifying the account name, email address, or password for the AWS account root user <https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html>`_ in the *AWS Account Management Reference Guide* .
+       If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a `registered delegated administrator <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html>`_ account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters ``AccountName`` and ``Email`` , you must sign in to the AWS Management Console as the AWS account root user. For more information, see `Update the AWS account name, email address, or password for the root user <https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html>`_ in the *AWS Account Management Reference Guide* .
 
-       - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at `To leave an organization as a member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info>`_ in the *AWS Organizations User Guide* .
+       - When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. For more information, see `Considerations before removing an account from an organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_account-before-remove.html>`_ in the *AWS Organizations User Guide* .
        - When you create an account in an organization using AWS CloudFormation , you can't specify a value for the ``CreateAccount`` operation parameter ``IamUserAccessToBilling`` . The default value for parameter ``IamUserAccessToBilling`` is ``ALLOW`` , and IAM users and roles with the required permissions can access billing information for the new account.
        - If you get an exception that indicates ``DescribeCreateAccountStatus returns IN_PROGRESS state before time out`` . You must check the account creation status using the ```DescribeCreateAccountStatus`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html>`_ operation. If the account state returns as ``SUCCEEDED`` , you can import the account into AWS CloudFormation management using ```resource import`` <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html>`_ .
        - If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the `Service Quotas console <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html>`_ .
        - If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact `AWS Support <https://docs.aws.amazon.com/support/home#/>`_ .
-       - We don't recommend that you use the ``CreateAccount`` operation to create multiple temporary accounts. You can close accounts using the ```CloseAccount`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html>`_ operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see `Closing an AWS account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html>`_ in the *AWS Organizations User Guide* .
+       - We don't recommend that you use the ``CreateAccount`` operation to create multiple temporary accounts. You can close accounts using the ```CloseAccount`` <https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html>`_ operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see `Closing a member account in your organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html>`_ in the *AWS Organizations User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-account.html
     :exampleMetadata: fixture=_generated
@@ -134,7 +134,7 @@ class CfnAccount(
         :param account_name: The account name given to the account when it was created.
         :param email: The email address associated with the AWS account. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for this parameter is a string of characters that represents a standard internet email address.
         :param parent_ids: The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the ``ParentId`` defaults to the root ID. This parameter only accepts a string array with one string value. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for a parent ID string requires one of the following: - *Root* - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits. - *Organizational unit (OU)* - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
-        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Accessing and Administering the Member Accounts in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `Tutorial: Delegate Access Across AWS accounts Using IAM Roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
+        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Creating the OrganizationAccountAccessRole in an invited member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `IAM Tutorial: Delegate access across AWS accounts using IAM roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
         :param tags: A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to ``null`` . For more information about tagging, see `Tagging AWS Organizations resources <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html>`_ in the AWS Organizations User Guide. .. epigraph:: If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.
         '''
         if __debug__:
@@ -339,7 +339,7 @@ class CfnAccountProps:
         :param account_name: The account name given to the account when it was created.
         :param email: The email address associated with the AWS account. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for this parameter is a string of characters that represents a standard internet email address.
         :param parent_ids: The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in. If you don't specify this parameter, the ``ParentId`` defaults to the root ID. This parameter only accepts a string array with one string value. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ for a parent ID string requires one of the following: - *Root* - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits. - *Organizational unit (OU)* - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
-        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Accessing and Administering the Member Accounts in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `Tutorial: Delegate Access Across AWS accounts Using IAM Roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
+        :param role_name: The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account. If you don't specify this parameter, the role name defaults to ``OrganizationAccountAccessRole`` . For more information about how to use this role to access the member account, see the following links: - `Creating the OrganizationAccountAccessRole in an invited member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide* - Steps 2 and 3 in `IAM Tutorial: Delegate access across AWS accounts using IAM roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide* The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@- Default: - "OrganizationAccountAccessRole"
         :param tags: A list of tags that you want to attach to the newly created account. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to ``null`` . For more information about tagging, see `Tagging AWS Organizations resources <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html>`_ in the AWS Organizations User Guide. .. epigraph:: If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-account.html
@@ -432,8 +432,8 @@ class CfnAccountProps:
 
         For more information about how to use this role to access the member account, see the following links:
 
-        - `Accessing and Administering the Member Accounts in Your Organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide*
-        - Steps 2 and 3 in `Tutorial: Delegate Access Across AWS accounts Using IAM Roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide*
+        - `Creating the OrganizationAccountAccessRole in an invited member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role>`_ in the *AWS Organizations User Guide*
+        - Steps 2 and 3 in `IAM Tutorial: Delegate access across AWS accounts using IAM roles <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html>`_ in the *IAM User Guide*
 
         The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-
 
@@ -484,10 +484,10 @@ class CfnOrganization(
     .. epigraph::
 
        - If you delete an organization, you can't recover it. If you created any policies inside of the organization, they're also deleted and you can't recover them.
-       - You can delete an organization only after you remove all member accounts from the organization. If you created some of your member accounts using AWS Organizations , you might be blocked from removing those accounts. You can remove a member account only if it has all the information that's required to operate as a standalone AWS account. For more information about how to provide that information and then remove the account, see `Leaving an organization as a member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#orgs_manage_accounts_leave-as-member>`_ in the *AWS Organizations User Guide* .
+       - You can delete an organization only after you remove all member accounts from the organization. If you created some of your member accounts using AWS Organizations , you might be blocked from removing those accounts. You can remove a member account only if it has all the information that's required to operate as a standalone AWS account. For more information about how to provide that information and then remove the account, see `Leave an organization from your member account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_leave-as-member.html>`_ in the *AWS Organizations User Guide* .
        - If you closed a member account before you remove it from the organization, it enters a 'suspended' state for a period of time and you can't remove the account from the organization until it is finally closed. This can take up to 90 days and can prevent you from deleting the organization until all member accounts are completely closed.
 
-       For more information, see `Deleting the organization by removing the management account <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html>`_ in the *AWS Organizations User Guide* .
+       For more information, see `Deleting an organization <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html>`_ in the *AWS Organizations User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-organization.html
     :exampleMetadata: fixture=_generated
@@ -513,7 +513,7 @@ class CfnOrganization(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide.* The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
+        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide* . The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__450a54c6b7334fcb8f406a9a29b8e1f90a618bcbd127f2d5a6a9fa43ff254400)
@@ -638,7 +638,7 @@ class CfnOrganizationProps:
     def __init__(self, *, feature_set: typing.Optional[builtins.str] = None) -> None:
         '''Properties for defining a ``CfnOrganization``.
 
-        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide.* The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
+        :param feature_set: Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality. - ``ALL`` In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* . - ``CONSOLIDATED_BILLING`` All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide* . The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region. Feature set ``ALL`` provides the following advanced features: - Apply any `policy type <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types>`_ to any member account in the organization. - Apply `service control policies (SCPs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>`_ to member accounts that restrict the services and actions that users (including the root user) and roles in an account can access. Using SCPs you can prevent member accounts from leaving the organization. - Enable `integration with supported AWS services <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html>`_ to let those services provide functionality across all of the accounts in your organization. If you don't specify this property, the default value is ``ALL`` . Default: - "ALL"
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-organizations-organization.html
         :exampleMetadata: fixture=_generated
@@ -665,7 +665,7 @@ class CfnOrganizationProps:
         '''Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.
 
         - ``ALL``  In addition to all the features supported by the consolidated billing feature set, the management account gains access to advanced features that give you more control over accounts in your organization. By default or if you set the ``FeatureSet`` property to ``ALL`` , the new organization is created with all features enabled and service control policies automatically enabled in the `root <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#root>`_ . For more information, see `All features <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all>`_ in the *AWS Organizations User Guide* .
-        - ``CONSOLIDATED_BILLING``  All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide.*
+        - ``CONSOLIDATED_BILLING``  All member accounts have their bills consolidated to and paid by the management account. For more information, see `Consolidated billing <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only>`_ in the *AWS Organizations User Guide* .
 
         The consolidated billing feature subset isn't available for organizations in the AWS GovCloud (US) Region.
 
@@ -706,7 +706,7 @@ class CfnOrganizationalUnit(
 
     An OU is a container for accounts that enables you to organize your accounts to apply policies according to your business requirements. The number of levels deep that you can nest OUs is dependent upon the policy types enabled for that root. For service control policies, the limit is five.
 
-    For more information about OUs, see `Managing Organizational Units <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html>`_ in the *AWS Organizations User Guide.*
+    For more information about OUs, see `Managing organizational units (OUs) <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html>`_ in the *AWS Organizations User Guide* .
 
     If the request includes tags, then the requester must have the ``organizations:TagResource`` permission.
 
@@ -976,7 +976,7 @@ class CfnPolicy(
 ):
     '''Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual AWS account .
 
-    For more information about policies and their use, see `Managing Organization Policies <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html>`_ .
+    For more information about policies and their use, see `Managing AWS Organizations policies <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html>`_ .
 
     If the request includes tags, then the requester must have the ``organizations:TagResource`` permission.
 

aws_cdk/aws_route53/__init__.py

@@ -4211,7 +4211,7 @@ class CfnRecordSetGroup(
             :param failover: *Failover resource record sets only:* To configure failover, you add the ``Failover`` element to two resource record sets. For one resource record set, you specify ``PRIMARY`` as the value for ``Failover`` ; for the other resource record set, you specify ``SECONDARY`` . In addition, you include the ``HealthCheckId`` element and specify the health check that you want Amazon Route 53 to perform for each resource record set. Except where noted, the following failover behaviors assume that you have included the ``HealthCheckId`` element in both resource record sets: - When the primary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the secondary resource record set. - When the primary resource record set is unhealthy and the secondary resource record set is healthy, Route 53 responds to DNS queries with the applicable value from the secondary resource record set. - When the secondary resource record set is unhealthy, Route 53 responds to DNS queries with the applicable value from the primary resource record set regardless of the health of the primary resource record set. - If you omit the ``HealthCheckId`` element for the secondary resource record set, and if the primary resource record set is unhealthy, Route 53 always responds to DNS queries with the applicable value from the secondary resource record set. This is true regardless of the health of the associated endpoint. You can't create non-failover resource record sets that have the same values for the ``Name`` and ``Type`` elements as failover resource record sets. For failover alias resource record sets, you must also include the ``EvaluateTargetHealth`` element and set the value to true. For more information about configuring failover for Route 53, see the following topics in the *Amazon Route 53 Developer Guide* : - `Route 53 Health Checks and DNS Failover <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html>`_ - `Configuring Failover in a Private Hosted Zone <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html>`_
             :param geo_location: *Geolocation resource record sets only:* A complex type that lets you control how Amazon Route 53 responds to DNS queries based on the geographic origin of the query. For example, if you want all queries from Africa to be routed to a web server with an IP address of ``192.0.2.111`` , create a resource record set with a ``Type`` of ``A`` and a ``ContinentCode`` of ``AF`` . .. epigraph:: Although creating geolocation and geolocation alias resource record sets in a private hosted zone is allowed, it's not supported. If you create separate resource record sets for overlapping geographic regions (for example, one resource record set for a continent and one for a country on the same continent), priority goes to the smallest geographic region. This allows you to route most queries for a continent to one resource and to route queries for a country on that continent to a different resource. You can't create two geolocation resource record sets that specify the same geographic location. The value ``*`` in the ``CountryCode`` element matches all geographic locations that aren't specified in other geolocation resource record sets that have the same values for the ``Name`` and ``Type`` elements. .. epigraph:: Geolocation works by mapping IP addresses to locations. However, some IP addresses aren't mapped to geographic locations, so even if you create geolocation resource record sets that cover all seven continents, Route 53 will receive some DNS queries from locations that it can't identify. We recommend that you create a resource record set for which the value of ``CountryCode`` is ``*`` . Two groups of queries are routed to the resource that you specify in this record: queries that come from locations for which you haven't created geolocation resource record sets and queries from IP addresses that aren't mapped to a location. If you don't create a ``*`` resource record set, Route 53 returns a "no answer" response for queries from those locations. You can't create non-geolocation resource record sets that have the same values for the ``Name`` and ``Type`` elements as geolocation resource record sets.
             :param health_check_id: If you want Amazon Route 53 to return this resource record set in response to a DNS query only when the status of a health check is healthy, include the ``HealthCheckId`` element and specify the ID of the applicable health check. Route 53 determines whether a resource record set is healthy based on one of the following: - By periodically sending a request to the endpoint that is specified in the health check - By aggregating the status of a specified group of health checks (calculated health checks) - By determining the current state of a CloudWatch alarm (CloudWatch metric health checks) .. epigraph:: Route 53 doesn't check the health of the endpoint that is specified in the resource record set, for example, the endpoint specified by the IP address in the ``Value`` element. When you add a ``HealthCheckId`` element to a resource record set, Route 53 checks the health of the endpoint that you specified in the health check. For more information, see the following topics in the *Amazon Route 53 Developer Guide* : - `How Amazon Route 53 Determines Whether an Endpoint Is Healthy <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-determining-health-of-endpoints.html>`_ - `Route 53 Health Checks and DNS Failover <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html>`_ - `Configuring Failover in a Private Hosted Zone <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-private-hosted-zones.html>`_ *When to Specify HealthCheckId* Specifying a value for ``HealthCheckId`` is useful only when Route 53 is choosing between two or more resource record sets to respond to a DNS query, and you want Route 53 to base the choice in part on the status of a health check. Configuring health checks makes sense only in the following configurations: - *Non-alias resource record sets* : You're checking the health of a group of non-alias resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A) and you specify health check IDs for all the resource record sets. If the health check status for a resource record set is healthy, Route 53 includes the record among the records that it responds to DNS queries with. If the health check status for a resource record set is unhealthy, Route 53 stops responding to DNS queries using the value for that resource record set. If the health check status for all resource record sets in the group is unhealthy, Route 53 considers all resource record sets in the group healthy and responds to DNS queries accordingly. - *Alias resource record sets* : You specify the following settings: - You set ``EvaluateTargetHealth`` to true for an alias resource record set in a group of resource record sets that have the same routing policy, name, and type (such as multiple weighted records named www.example.com with a type of A). - You configure the alias resource record set to route traffic to a non-alias resource record set in the same hosted zone. - You specify a health check ID for the non-alias resource record set. If the health check status is healthy, Route 53 considers the alias resource record set to be healthy and includes the alias record among the records that it responds to DNS queries with. If the health check status is unhealthy, Route 53 stops responding to DNS queries using the alias resource record set. .. epigraph:: The alias resource record set can also route traffic to a *group* of non-alias resource record sets that have the same routing policy, name, and type. In that configuration, associate health checks with all of the resource record sets in the group of non-alias resource record sets. *Geolocation Routing* For geolocation resource record sets, if an endpoint is unhealthy, Route 53 looks for a resource record set for the larger, associated geographic region. For example, suppose you have resource record sets for a state in the United States, for the entire United States, for North America, and a resource record set that has ``*`` for ``CountryCode`` is ``*`` , which applies to all locations. If the endpoint for the state resource record set is unhealthy, Route 53 checks for healthy resource record sets in the following order until it finds a resource record set for which the endpoint is healthy: - The United States - North America - The default resource record set *Specifying the Health Check Endpoint by Domain Name* If your health checks specify the endpoint only by domain name, we recommend that you create a separate health check for each endpoint. For example, create a health check for each ``HTTP`` server that is serving content for ``www.example.com`` . For the value of ``FullyQualifiedDomainName`` , specify the domain name of the server (such as ``us-east-2-www.example.com`` ), not the name of the resource record sets ( ``www.example.com`` ). .. epigraph:: Health check results will be unpredictable if you do the following: - Create a health check that has the same value for ``FullyQualifiedDomainName`` as the name of a resource record set. - Associate that health check with the resource record set.
-            :param hosted_zone_id: The ID of the hosted zone that you want to create records in. Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` .
+            :param hosted_zone_id: The ID of the hosted zone that you want to create records in. Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` . Do not provide the ``HostedZoneId`` if it is already defined in ``AWS::Route53::RecordSetGroup`` . The creation fails if ``HostedZoneId`` is defined in both.
             :param hosted_zone_name: The name of the hosted zone that you want to create records in. You must include a trailing dot (for example, ``www.example.com.`` ) as part of the ``HostedZoneName`` . When you create a stack using an ``AWS::Route53::RecordSet`` that specifies ``HostedZoneName`` , AWS CloudFormation attempts to find a hosted zone whose name matches the ``HostedZoneName`` . If AWS CloudFormation can't find a hosted zone with a matching domain name, or if there is more than one hosted zone with the specified domain name, AWS CloudFormation will not create the stack. Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` .
             :param multi_value_answer: *Multivalue answer resource record sets only* : To route traffic approximately randomly to multiple resources, such as web servers, create one multivalue answer record for each resource and specify ``true`` for ``MultiValueAnswer`` . Note the following: - If you associate a health check with a multivalue answer resource record set, Amazon Route 53 responds to DNS queries with the corresponding IP address only when the health check is healthy. - If you don't associate a health check with a multivalue answer record, Route 53 always considers the record to be healthy. - Route 53 responds to DNS queries with up to eight healthy records; if you have eight or fewer healthy records, Route 53 responds to all DNS queries with all the healthy records. - If you have more than eight healthy records, Route 53 responds to different DNS resolvers with different combinations of healthy records. - When all records are unhealthy, Route 53 responds to DNS queries with up to eight unhealthy records. - If a resource becomes unavailable after a resolver caches a response, client software typically tries another of the IP addresses in the response. You can't create multivalue answer alias records.
             :param region: *Latency-based resource record sets only:* The Amazon EC2 Region where you created the resource that this resource record set refers to. The resource typically is an AWS resource, such as an EC2 instance or an ELB load balancer, and is referred to by an IP address or a DNS domain name, depending on the record type. When Amazon Route 53 receives a DNS query for a domain name and type for which you have created latency resource record sets, Route 53 selects the latency resource record set that has the lowest latency between the end user and the associated Amazon EC2 Region. Route 53 then returns the value that is associated with the selected resource record set. Note the following: - You can only specify one ``ResourceRecord`` per latency resource record set. - You can only create one latency resource record set for each Amazon EC2 Region. - You aren't required to create latency resource record sets for all Amazon EC2 Regions. Route 53 will choose the region with the best latency from among the regions that you create latency resource record sets for. - You can't create non-latency resource record sets that have the same values for the ``Name`` and ``Type`` elements as latency resource record sets.
@@ -4531,6 +4531,8 @@ class CfnRecordSetGroup(
 
             Specify either ``HostedZoneName`` or ``HostedZoneId`` , but not both. If you have multiple hosted zones with the same domain name, you must specify the hosted zone using ``HostedZoneId`` .
 
+            Do not provide the ``HostedZoneId`` if it is already defined in ``AWS::Route53::RecordSetGroup`` . The creation fails if ``HostedZoneId`` is defined in both.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordsetgroup-recordset.html#cfn-route53-recordsetgroup-recordset-hostedzoneid
             '''
             result = self._values.get("hosted_zone_id")

aws_cdk/aws_sns/__init__.py

@@ -919,7 +919,7 @@ class CfnTopic(
         :param subscription: The Amazon SNS subscriptions (endpoints) for this topic. .. epigraph:: If you specify the ``Subscription`` property in the ``AWS::SNS::Topic`` resource and it creates an associated subscription resource, the associated subscription is not deleted when the ``AWS::SNS::Topic`` resource is deleted.
         :param tags: The list of tags to add to a new topic. .. epigraph:: To be able to tag a topic on creation, you must have the ``sns:CreateTopic`` and ``sns:TagResource`` permissions.
         :param topic_name: The name of the topic you want to create. Topic names must include only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens, and must be between 1 and 256 characters long. FIFO topic names must end with ``.fifo`` . If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the topic name. For more information, see `Name type <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html>`_ . .. epigraph:: If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
-        :param tracing_config: Tracing mode of an Amazon SNS topic. By default ``TracingConfig`` is set to ``PassThrough`` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to ``Active`` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.
+        :param tracing_config: Tracing mode of an Amazon SNS topic. By default ``TracingConfig`` is set to ``PassThrough`` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to ``Active`` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__3c3e689eaa6b740299fa6db2e53acc51021bc5deb0a8dd6d7bc29e8a364a1dfe)
@@ -1225,7 +1225,7 @@ class CfnTopicInlinePolicy(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_sns.CfnTopicInlinePolicy",
 ):
-    '''Schema for AWS::SNS::TopicInlinePolicy.
+    '''The ``AWS::SNS::TopicInlinePolicy`` resource associates one Amazon SNS topic with one policy.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topicinlinepolicy.html
     :exampleMetadata: fixture=_generated
@@ -1255,7 +1255,7 @@ class CfnTopicInlinePolicy(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param policy_document: A policy document that contains permissions to add to the specified SNS topics.
+        :param policy_document: A policy document that contains permissions to add to the specified Amazon SNS topic.
         :param topic_arn: The Amazon Resource Name (ARN) of the topic to which you want to add the policy.
         '''
         if __debug__:
@@ -1306,7 +1306,7 @@ class CfnTopicInlinePolicy(
     @builtins.property
     @jsii.member(jsii_name="policyDocument")
     def policy_document(self) -> typing.Any:
-        '''A policy document that contains permissions to add to the specified SNS topics.'''
+        '''A policy document that contains permissions to add to the specified Amazon SNS topic.'''
         return typing.cast(typing.Any, jsii.get(self, "policyDocument"))
 
     @policy_document.setter
@@ -1339,7 +1339,7 @@ class CfnTopicInlinePolicyProps:
     def __init__(self, *, policy_document: typing.Any, topic_arn: builtins.str) -> None:
         '''Properties for defining a ``CfnTopicInlinePolicy``.
 
-        :param policy_document: A policy document that contains permissions to add to the specified SNS topics.
+        :param policy_document: A policy document that contains permissions to add to the specified Amazon SNS topic.
         :param topic_arn: The Amazon Resource Name (ARN) of the topic to which you want to add the policy.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topicinlinepolicy.html
@@ -1369,7 +1369,7 @@ class CfnTopicInlinePolicyProps:
 
     @builtins.property
     def policy_document(self) -> typing.Any:
-        '''A policy document that contains permissions to add to the specified SNS topics.
+        '''A policy document that contains permissions to add to the specified Amazon SNS topic.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topicinlinepolicy.html#cfn-sns-topicinlinepolicy-policydocument
         '''
@@ -1637,7 +1637,7 @@ class CfnTopicProps:
         :param subscription: The Amazon SNS subscriptions (endpoints) for this topic. .. epigraph:: If you specify the ``Subscription`` property in the ``AWS::SNS::Topic`` resource and it creates an associated subscription resource, the associated subscription is not deleted when the ``AWS::SNS::Topic`` resource is deleted.
         :param tags: The list of tags to add to a new topic. .. epigraph:: To be able to tag a topic on creation, you must have the ``sns:CreateTopic`` and ``sns:TagResource`` permissions.
         :param topic_name: The name of the topic you want to create. Topic names must include only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens, and must be between 1 and 256 characters long. FIFO topic names must end with ``.fifo`` . If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the topic name. For more information, see `Name type <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html>`_ . .. epigraph:: If you specify a name, you can't perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
-        :param tracing_config: Tracing mode of an Amazon SNS topic. By default ``TracingConfig`` is set to ``PassThrough`` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to ``Active`` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.
+        :param tracing_config: Tracing mode of an Amazon SNS topic. By default ``TracingConfig`` is set to ``PassThrough`` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to ``Active`` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html
         :exampleMetadata: fixture=_generated
@@ -1828,7 +1828,7 @@ class CfnTopicProps:
     def tracing_config(self) -> typing.Optional[builtins.str]:
         '''Tracing mode of an Amazon SNS topic.
 
-        By default ``TracingConfig`` is set to ``PassThrough`` , and the topic passes through the tracing header it receives from an SNS publisher to its subscriptions. If set to ``Active`` , SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.
+        By default ``TracingConfig`` is set to ``PassThrough`` , and the topic passes through the tracing header it receives from an Amazon SNS publisher to its subscriptions. If set to ``Active`` , Amazon SNS will vend X-Ray segment data to topic owner account if the sampled flag in the tracing header is true. Only supported on standard topics.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html#cfn-sns-topic-tracingconfig
         '''

aws_cdk/aws_sqs/__init__.py

@@ -560,7 +560,7 @@ class CfnQueueInlinePolicy(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_sqs.CfnQueueInlinePolicy",
 ):
-    '''Schema for SQS QueueInlinePolicy.
+    '''The ``AWS::SQS::QueueInlinePolicy`` resource associates one Amazon SQS queue with one policy.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queueinlinepolicy.html
     :exampleMetadata: fixture=_generated
@@ -590,8 +590,8 @@ class CfnQueueInlinePolicy(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param policy_document: A policy document that contains permissions to add to the specified SQS queue.
-        :param queue: The URL of the SQS queue.
+        :param policy_document: A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see `Using custom policies with the Amazon SQS access policy language <https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html>`_ in the *Amazon SQS Developer Guide* .
+        :param queue: The URLs of the queues to which you want to add the policy. You can use the ``[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)`` function to specify an ``[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)`` resource.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__5a4a58f0061e5bc1b45f4a41f066d63064e48860dda7c96bf6a78c07d708be3e)
@@ -639,7 +639,7 @@ class CfnQueueInlinePolicy(
     @builtins.property
     @jsii.member(jsii_name="policyDocument")
     def policy_document(self) -> typing.Any:
-        '''A policy document that contains permissions to add to the specified SQS queue.'''
+        '''A policy document that contains the permissions for the specified Amazon SQS queues.'''
         return typing.cast(typing.Any, jsii.get(self, "policyDocument"))
 
     @policy_document.setter
@@ -652,7 +652,7 @@ class CfnQueueInlinePolicy(
     @builtins.property
     @jsii.member(jsii_name="queue")
     def queue(self) -> builtins.str:
-        '''The URL of the SQS queue.'''
+        '''The URLs of the queues to which you want to add the policy.'''
         return typing.cast(builtins.str, jsii.get(self, "queue"))
 
     @queue.setter
@@ -672,8 +672,8 @@ class CfnQueueInlinePolicyProps:
     def __init__(self, *, policy_document: typing.Any, queue: builtins.str) -> None:
         '''Properties for defining a ``CfnQueueInlinePolicy``.
 
-        :param policy_document: A policy document that contains permissions to add to the specified SQS queue.
-        :param queue: The URL of the SQS queue.
+        :param policy_document: A policy document that contains the permissions for the specified Amazon SQS queues. For more information about Amazon SQS policies, see `Using custom policies with the Amazon SQS access policy language <https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html>`_ in the *Amazon SQS Developer Guide* .
+        :param queue: The URLs of the queues to which you want to add the policy. You can use the ``[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)`` function to specify an ``[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)`` resource.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queueinlinepolicy.html
         :exampleMetadata: fixture=_generated
@@ -702,7 +702,9 @@ class CfnQueueInlinePolicyProps:
 
     @builtins.property
     def policy_document(self) -> typing.Any:
-        '''A policy document that contains permissions to add to the specified SQS queue.
+        '''A policy document that contains the permissions for the specified Amazon SQS queues.
+
+        For more information about Amazon SQS policies, see `Using custom policies with the Amazon SQS access policy language <https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html>`_ in the *Amazon SQS Developer Guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queueinlinepolicy.html#cfn-sqs-queueinlinepolicy-policydocument
         '''
@@ -712,7 +714,9 @@ class CfnQueueInlinePolicyProps:
 
     @builtins.property
     def queue(self) -> builtins.str:
-        '''The URL of the SQS queue.
+        '''The URLs of the queues to which you want to add the policy.
+
+        You can use the ``[Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html)`` function to specify an ``[AWS::SQS::Queue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html)`` resource.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queueinlinepolicy.html#cfn-sqs-queueinlinepolicy-queue
         '''

aws_cdk/aws_transfer/__init__.py

@@ -1015,7 +1015,7 @@ class CfnConnector(
         :param url: The URL of the partner's AS2 or SFTP endpoint.
         :param as2_config: A structure that contains the parameters for an AS2 connector object.
         :param logging_role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
-        :param sftp_config: Configuration for an SFTP connector.
+        :param sftp_config: A structure that contains the parameters for an SFTP connector object.
         :param tags: Key-value pairs that can be used to group and search for connectors.
         '''
         if __debug__:
@@ -1149,7 +1149,7 @@ class CfnConnector(
     def sftp_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConnector.SftpConfigProperty"]]:
-        '''Configuration for an SFTP connector.'''
+        '''A structure that contains the parameters for an SFTP connector object.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConnector.SftpConfigProperty"]], jsii.get(self, "sftpConfig"))
 
     @sftp_config.setter
@@ -1206,7 +1206,7 @@ class CfnConnector(
         ) -> None:
             '''A structure that contains the parameters for an AS2 connector object.
 
-            :param basic_auth_secret_id: ARN or name of the secret in AWS Secrets Manager which contains the credentials for Basic authentication. If empty, Basic authentication is disabled for the AS2 connector
+            :param basic_auth_secret_id: Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager . The default value for this parameter is ``null`` , which indicates that Basic authentication is not enabled for the connector. If the connector should use Basic authentication, the secret needs to be in the following format: ``{ "Username": "user-name", "Password": "user-password" }`` Replace ``user-name`` and ``user-password`` with the credentials for the actual user that is being authenticated. Note the following: - You are storing these credentials in Secrets Manager, *not passing them directly* into this API. - If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you. If you have previously enabled Basic authentication for a connector, you can disable it by using the ``UpdateConnector`` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication: ``update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'``
             :param compression: Specifies whether the AS2 file is compressed.
             :param encryption_algorithm: The algorithm that is used to encrypt the file. .. epigraph:: You can only specify ``NONE`` if the URL for your connector uses HTTPS. This ensures that no traffic is sent in clear text.
             :param local_profile_id: A unique identifier for the AS2 local profile.
@@ -1270,9 +1270,26 @@ class CfnConnector(
 
         @builtins.property
         def basic_auth_secret_id(self) -> typing.Optional[builtins.str]:
-            '''ARN or name of the secret in AWS Secrets Manager which contains the credentials for Basic authentication.
+            '''Provides Basic authentication support to the AS2 Connectors API.
 
-            If empty, Basic authentication is disabled for the AS2 connector
+            To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .
+
+            The default value for this parameter is ``null`` , which indicates that Basic authentication is not enabled for the connector.
+
+            If the connector should use Basic authentication, the secret needs to be in the following format:
+
+            ``{ "Username": "user-name", "Password": "user-password" }``
+
+            Replace ``user-name`` and ``user-password`` with the credentials for the actual user that is being authenticated.
+
+            Note the following:
+
+            - You are storing these credentials in Secrets Manager, *not passing them directly* into this API.
+            - If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.
+
+            If you have previously enabled Basic authentication for a connector, you can disable it by using the ``UpdateConnector`` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:
+
+            ``update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-as2config.html#cfn-transfer-connector-as2config-basicauthsecretid
             '''
@@ -1390,10 +1407,10 @@ class CfnConnector(
             trusted_host_keys: typing.Optional[typing.Sequence[builtins.str]] = None,
             user_secret_id: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''Configuration for an SFTP connector.
+            '''A structure that contains the parameters for an SFTP connector object.
 
-            :param trusted_host_keys: List of public host keys, for the external server to which you are connecting.
-            :param user_secret_id: ARN or name of the secret in AWS Secrets Manager which contains the SFTP user's private keys or passwords.
+            :param trusted_host_keys: The public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting. You can use the ``ssh-keyscan`` command against the SFTP server to retrieve the necessary key. The three standard SSH public key format elements are ``<key type>`` , ``<body base64>`` , and an optional ``<comment>`` , with spaces between each element. For the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys. - For RSA keys, the key type is ``ssh-rsa`` . - For ECDSA keys, the key type is either ``ecdsa-sha2-nistp256`` , ``ecdsa-sha2-nistp384`` , or ``ecdsa-sha2-nistp521`` , depending on the size of the key you generated.
+            :param user_secret_id: The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier can be either the Amazon Resource Name (ARN) or the name of the secret.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html
             :exampleMetadata: fixture=_generated
@@ -1421,7 +1438,16 @@ class CfnConnector(
 
         @builtins.property
         def trusted_host_keys(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''List of public host keys, for the external server to which you are connecting.
+            '''The public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting.
+
+            You can use the ``ssh-keyscan`` command against the SFTP server to retrieve the necessary key.
+
+            The three standard SSH public key format elements are ``<key type>`` , ``<body base64>`` , and an optional ``<comment>`` , with spaces between each element.
+
+            For the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.
+
+            - For RSA keys, the key type is ``ssh-rsa`` .
+            - For ECDSA keys, the key type is either ``ecdsa-sha2-nistp256`` , ``ecdsa-sha2-nistp384`` , or ``ecdsa-sha2-nistp521`` , depending on the size of the key you generated.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html#cfn-transfer-connector-sftpconfig-trustedhostkeys
             '''
@@ -1430,7 +1456,9 @@ class CfnConnector(
 
         @builtins.property
         def user_secret_id(self) -> typing.Optional[builtins.str]:
-            '''ARN or name of the secret in AWS Secrets Manager which contains the SFTP user's private keys or passwords.
+            '''The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both.
+
+            The identifier can be either the Amazon Resource Name (ARN) or the name of the secret.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html#cfn-transfer-connector-sftpconfig-usersecretid
             '''
@@ -1478,7 +1506,7 @@ class CfnConnectorProps:
         :param url: The URL of the partner's AS2 or SFTP endpoint.
         :param as2_config: A structure that contains the parameters for an AS2 connector object.
         :param logging_role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
-        :param sftp_config: Configuration for an SFTP connector.
+        :param sftp_config: A structure that contains the parameters for an SFTP connector object.
         :param tags: Key-value pairs that can be used to group and search for connectors.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html
@@ -1586,7 +1614,7 @@ class CfnConnectorProps:
     def sftp_config(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConnector.SftpConfigProperty]]:
-        '''Configuration for an SFTP connector.
+        '''A structure that contains the parameters for an SFTP connector object.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html#cfn-transfer-connector-sftpconfig
         '''

aws_cdk/aws_vpclattice/__init__.py

@@ -2756,7 +2756,7 @@ class CfnService(
         :param auth_type: The type of IAM policy. - ``NONE`` : The resource does not use an IAM policy. This is the default. - ``AWS_IAM`` : The resource uses an IAM policy. When this type is used, auth is enabled and an auth policy is required. Default: - "NONE"
         :param certificate_arn: The Amazon Resource Name (ARN) of the certificate.
         :param custom_domain_name: The custom domain name of the service.
-        :param dns_entry: 
+        :param dns_entry: The DNS information of the service.
         :param name: The name of the service. The name must be unique within the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen. If you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.
         :param tags: The tags for the service.
         '''
@@ -2923,6 +2923,7 @@ class CfnService(
     def dns_entry(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnService.DnsEntryProperty"]]:
+        '''The DNS information of the service.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnService.DnsEntryProperty"]], jsii.get(self, "dnsEntry"))
 
     @dns_entry.setter
@@ -3352,7 +3353,7 @@ class CfnServiceNetworkServiceAssociation(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param dns_entry: 
+        :param dns_entry: The DNS information of the service.
         :param service_identifier: The ID or Amazon Resource Name (ARN) of the service.
         :param service_network_identifier: The ID or Amazon Resource Name (ARN) of the service network. You must use the ARN if the resources specified in the operation are in different accounts.
         :param tags: The tags for the association.
@@ -3524,6 +3525,7 @@ class CfnServiceNetworkServiceAssociation(
     def dns_entry(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnServiceNetworkServiceAssociation.DnsEntryProperty"]]:
+        '''The DNS information of the service.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnServiceNetworkServiceAssociation.DnsEntryProperty"]], jsii.get(self, "dnsEntry"))
 
     @dns_entry.setter
@@ -3667,7 +3669,7 @@ class CfnServiceNetworkServiceAssociationProps:
     ) -> None:
         '''Properties for defining a ``CfnServiceNetworkServiceAssociation``.
 
-        :param dns_entry: 
+        :param dns_entry: The DNS information of the service.
         :param service_identifier: The ID or Amazon Resource Name (ARN) of the service.
         :param service_network_identifier: The ID or Amazon Resource Name (ARN) of the service network. You must use the ARN if the resources specified in the operation are in different accounts.
         :param tags: The tags for the association.
@@ -3714,7 +3716,8 @@ class CfnServiceNetworkServiceAssociationProps:
     def dns_entry(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnServiceNetworkServiceAssociation.DnsEntryProperty]]:
-        '''
+        '''The DNS information of the service.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-vpclattice-servicenetworkserviceassociation.html#cfn-vpclattice-servicenetworkserviceassociation-dnsentry
         '''
         result = self._values.get("dns_entry")
@@ -4138,7 +4141,7 @@ class CfnServiceProps:
         :param auth_type: The type of IAM policy. - ``NONE`` : The resource does not use an IAM policy. This is the default. - ``AWS_IAM`` : The resource uses an IAM policy. When this type is used, auth is enabled and an auth policy is required. Default: - "NONE"
         :param certificate_arn: The Amazon Resource Name (ARN) of the certificate.
         :param custom_domain_name: The custom domain name of the service.
-        :param dns_entry: 
+        :param dns_entry: The DNS information of the service.
         :param name: The name of the service. The name must be unique within the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen. If you don't specify a name, CloudFormation generates one. However, if you specify a name, and later want to replace the resource, you must specify a new name.
         :param tags: The tags for the service.
 
@@ -4224,7 +4227,8 @@ class CfnServiceProps:
     def dns_entry(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnService.DnsEntryProperty]]:
-        '''
+        '''The DNS information of the service.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-vpclattice-service.html#cfn-vpclattice-service-dnsentry
         '''
         result = self._values.get("dns_entry")