aws-cdk-lib 2.95.1__py3-none-any.whl → 2.96.0__py3-none-any.whl


Potentially problematic release.



Files changed (42)
  1. aws_cdk/__init__.py +38 -5
  2. aws_cdk/_jsii/__init__.py +1 -1
  3. aws_cdk/_jsii/{aws-cdk-lib@2.95.1.jsii.tgz → aws-cdk-lib@2.96.0.jsii.tgz} +0 -0
  4. aws_cdk/aws_apigateway/__init__.py +4 -4
  5. aws_cdk/aws_backup/__init__.py +3 -3
  6. aws_cdk/aws_batch/__init__.py +15057 -385
  7. aws_cdk/aws_budgets/__init__.py +9 -4
  8. aws_cdk/aws_cloudformation/__init__.py +38 -5
  9. aws_cdk/aws_cloudtrail/__init__.py +25 -3
  10. aws_cdk/aws_codepipeline/__init__.py +2 -2
  11. aws_cdk/aws_codepipeline_actions/__init__.py +3 -3
  12. aws_cdk/aws_config/__init__.py +54 -13
  13. aws_cdk/aws_datasync/__init__.py +104 -45
  14. aws_cdk/aws_dms/__init__.py +3 -3
  15. aws_cdk/aws_dynamodb/__init__.py +2 -2
  16. aws_cdk/aws_ec2/__init__.py +12 -7
  17. aws_cdk/aws_ecs/__init__.py +55 -19
  18. aws_cdk/aws_elasticloadbalancingv2/__init__.py +3 -2
  19. aws_cdk/aws_events_targets/__init__.py +3 -3
  20. aws_cdk/aws_iam/__init__.py +8 -6
  21. aws_cdk/aws_internetmonitor/__init__.py +69 -30
  22. aws_cdk/aws_iotwireless/__init__.py +2 -4
  23. aws_cdk/aws_lambda/__init__.py +8 -8
  24. aws_cdk/aws_lambda_nodejs/__init__.py +1 -1
  25. aws_cdk/aws_managedblockchain/__init__.py +2 -3
  26. aws_cdk/aws_quicksight/__init__.py +185 -103
  27. aws_cdk/aws_rds/__init__.py +7 -7
  28. aws_cdk/aws_rolesanywhere/__init__.py +58 -74
  29. aws_cdk/aws_s3/__init__.py +1 -1
  30. aws_cdk/aws_securityhub/__init__.py +108 -42
  31. aws_cdk/aws_sns/__init__.py +5 -5
  32. aws_cdk/aws_stepfunctions/__init__.py +36 -25
  33. aws_cdk/aws_stepfunctions_tasks/__init__.py +13 -12
  34. aws_cdk/aws_transfer/__init__.py +9 -2
  35. aws_cdk/aws_wafv2/__init__.py +6 -6
  36. aws_cdk/pipelines/__init__.py +1 -1
  37. {aws_cdk_lib-2.95.1.dist-info → aws_cdk_lib-2.96.0.dist-info}/METADATA +1 -1
  38. {aws_cdk_lib-2.95.1.dist-info → aws_cdk_lib-2.96.0.dist-info}/RECORD +42 -42
  39. {aws_cdk_lib-2.95.1.dist-info → aws_cdk_lib-2.96.0.dist-info}/LICENSE +0 -0
  40. {aws_cdk_lib-2.95.1.dist-info → aws_cdk_lib-2.96.0.dist-info}/NOTICE +0 -0
  41. {aws_cdk_lib-2.95.1.dist-info → aws_cdk_lib-2.96.0.dist-info}/WHEEL +0 -0
  42. {aws_cdk_lib-2.95.1.dist-info → aws_cdk_lib-2.96.0.dist-info}/top_level.txt +0 -0
@@ -1119,13 +1119,18 @@ class CfnBudget(
1119
1119
  def __init__(self, *, amount: jsii.Number, unit: builtins.str) -> None:
1120
1120
  '''The amount of cost or usage that's measured for a budget.
1121
1121
 
1122
- For example, a ``Spend`` for ``3 GB`` of S3 usage has the following parameters:
1122
+ *Cost example:* A ``Spend`` for ``3 USD`` of costs has the following parameters:
1123
1123
 
1124
1124
  - An ``Amount`` of ``3``
1125
- - A ``unit`` of ``GB``
1125
+ - A ``Unit`` of ``USD``
1126
+
1127
+ *Usage example:* A ``Spend`` for ``3 GB`` of S3 usage has the following parameters:
1128
+
1129
+ - An ``Amount`` of ``3``
1130
+ - A ``Unit`` of ``GB``
1126
1131
 
1127
1132
  :param amount: The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.
1128
- :param unit: The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP.
1133
+ :param unit: The unit of measurement that's used for the budget forecast, actual spend, or budget threshold.
1129
1134
 
1130
1135
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-budgets-budget-spend.html
1131
1136
  :exampleMetadata: fixture=_generated
@@ -1162,7 +1167,7 @@ class CfnBudget(
1162
1167
 
1163
1168
  @builtins.property
1164
1169
  def unit(self) -> builtins.str:
1165
- '''The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as USD or GBP.
1170
+ '''The unit of measurement that's used for the budget forecast, actual spend, or budget threshold.
1166
1171
 
1167
1172
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-budgets-budget-spend.html#cfn-budgets-budget-spend-unit
1168
1173
  '''
@@ -1422,7 +1422,7 @@ class CfnModuleDefaultVersion(
1422
1422
 
1423
1423
  The default version of the module will be used in CloudFormation operations for this account and Region.
1424
1424
 
1425
- To register a module version, use the ``[AWS::CloudFormation::ModuleVersion](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-moduleversion.html)`` resource.
1425
+ To register a module version, use the ``[``AWS::CloudFormation::ModuleVersion``](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-moduleversion.html)`` resource.
1426
1426
 
1427
1427
  For more information using modules, see `Using modules to encapsulate and reuse resource configurations <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html>`_ and `Registering extensions <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#registry-register>`_ in the *AWS CloudFormation User Guide* . For information on developing modules, see `Developing modules <https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/modules.html>`_ in the *AWS CloudFormation CLI User Guide* .
1428
1428
 
@@ -1649,7 +1649,7 @@ class CfnModuleVersion(
1649
1649
 
1650
1650
  Registering a module makes it available for use in CloudFormation templates in your AWS account and Region.
1651
1651
 
1652
- To specify a module version as the default version, use the ``[AWS::CloudFormation::ModuleDefaultVersion](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-moduledefaultversion.html)`` resource.
1652
+ To specify a module version as the default version, use the ``[``AWS::CloudFormation::ModuleDefaultVersion``](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-moduledefaultversion.html)`` resource.
1653
1653
 
1654
1654
  For more information using modules, see `Using modules to encapsulate and reuse resource configurations <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html>`_ and `Registering extensions <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#registry-register>`_ in the *CloudFormation User Guide* . For information on developing modules, see `Developing modules <https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/modules.html>`_ in the *CloudFormation CLI User Guide* .
1655
1655
 
@@ -3190,7 +3190,39 @@ class CfnStack(
3190
3190
  When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks. For more information, see `CloudFormation stack updates <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html>`_ .
3191
3191
  .. epigraph::
3192
3192
 
3193
- You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also, verify that you have cancel update stack permissions, which is required if an update rolls back. For more information about IAM and CloudFormation , see `Controlling access with AWS Identity and Access Management <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html>`_ .
3193
+ You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also, verify that you have cancel update stack permissions, which is required if an update rolls back. For more information about IAM and CloudFormation , see `Controlling access with AWS Identity and Access Management <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html>`_ . > A subset of ``AWS::CloudFormation::Stack`` resource type properties listed below are available to customers using AWS CloudFormation , AWS CDK , and AWS Cloud Control API to configure.
3194
+
3195
+ - ``NotificationARNs``
3196
+ - ``Parameters``
3197
+ - ``Tags``
3198
+ - ``TemplateURL``
3199
+ - ``TimeoutInMinutes``
3200
+
3201
+ These properties can be configured only when using AWS Cloud Control API . This is because the below properties are set by the parent stack, and thus cannot be configured using AWS CloudFormation or AWS CDK but only AWS Cloud Control API .
3202
+
3203
+ - ``Capabilities``
3204
+ - ``Description``
3205
+ - ``DisableRollback``
3206
+ - ``EnableTerminationProtection``
3207
+ - ``RoleARN``
3208
+ - ``StackName``
3209
+ - ``StackPolicyBody``
3210
+ - ``StackPolicyURL``
3211
+ - ``StackStatusReason``
3212
+ - ``TemplateBody``
3213
+
3214
+ Customers that configure ``AWS::CloudFormation::Stack`` using AWS CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template.
3215
+
3216
+ These read-only properties can be accessed only when using AWS Cloud Control API .
3217
+
3218
+ - ``ChangeSetId``
3219
+ - ``CreationTime``
3220
+ - ``LastUpdateDate``
3221
+ - ``Outputs``
3222
+ - ``ParentId``
3223
+ - ``RootId``
3224
+ - ``StackId``
3225
+ - ``StackStatus``
3194
3226
 
3195
3227
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-stack.html
3196
3228
  :exampleMetadata: fixture=_generated
@@ -4035,7 +4067,7 @@ class CfnStackSet(
4035
4067
 
4036
4068
  :param account_filter_type: Limit deployment targets to individual accounts or include additional accounts with provided OUs. The following is a list of possible values for the ``AccountFilterType`` operation. - ``INTERSECTION`` : StackSets deploys to the accounts specified in ``Accounts`` parameter. - ``DIFFERENCE`` : StackSets excludes the accounts specified in ``Accounts`` parameter. This enables user to avoid certain accounts within an OU such as suspended accounts. - ``UNION`` : StackSets includes additional accounts deployment targets. This is the default value if ``AccountFilterType`` is not provided. This enables user to update an entire OU and individual accounts from a different OU in one request, which used to be two separate requests. - ``NONE`` : Deploys to all the accounts in specified organizational units (OU).
4037
4069
  :param accounts: The names of one or more AWS accounts for which you want to deploy stack set updates. *Pattern* : ``^[0-9]{12}$``
4038
- :param accounts_url:
4070
+ :param accounts_url: Returns the value of the ``AccountsUrl`` property.
4039
4071
  :param organizational_unit_ids: The organization root ID or organizational unit (OU) IDs to which StackSets deploys. *Pattern* : ``^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$``
4040
4072
 
4041
4073
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-deploymenttargets.html
@@ -4102,7 +4134,8 @@ class CfnStackSet(
4102
4134
 
4103
4135
  @builtins.property
4104
4136
  def accounts_url(self) -> typing.Optional[builtins.str]:
4105
- '''
4137
+ '''Returns the value of the ``AccountsUrl`` property.
4138
+
4106
4139
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-deploymenttargets.html#cfn-cloudformation-stackset-deploymenttargets-accountsurl
4107
4140
  '''
4108
4141
  result = self._values.get("accounts_url")
@@ -1135,7 +1135,7 @@ class CfnEventDataStore(
1135
1135
  ) -> None:
1136
1136
  '''A single selector statement in an advanced event selector.
1137
1137
 
1138
- :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported. For CloudTrail event records, supported fields include ``readOnly`` , ``eventCategory`` , ``eventSource`` (for management events), ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail event records, the value must be ``Management`` or ``Data`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. 
``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. 
- ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals 
``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals 
``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - 
``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
1138
+ :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported. For CloudTrail event records, supported fields include ``readOnly`` , ``eventCategory`` , ``eventSource`` (for management events), ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail event records, the value must be ``Management`` or ``Data`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. 
``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. 
- ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals 
``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals 
``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. 
- ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
1139
1139
  :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
1140
1140
  :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
1141
1141
  :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
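Review bot: The ARN template added to the `:param field:` text for `AWS::KinesisVideo::Stream` has an unclosed placeholder, `stream/<stream_name/<creation_time>`; it should read `arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name>/<creation_time>`. The same malformed template is repeated in the later CfnEventDataStore hunk at new lines 1295–1297. This docstring states that `Equals` and `NotEquals` require an exact ARN match, so a selector built from the broken template may match nothing and leave the stream's data events out of the event data store. If this module is generated from the CloudFormation documentation, the correction belongs in that upstream source. The docstring begins before this hunk and continues past it.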
@@ -1221,10 +1221,12 @@ class CfnEventDataStore(
1221
1221
  - ``AWS::Glue::Table``
1222
1222
  - ``AWS::GuardDuty::Detector``
1223
1223
  - ``AWS::KendraRanking::ExecutionPlan``
1224
+ - ``AWS::KinesisVideo::Stream``
1224
1225
  - ``AWS::ManagedBlockchain::Network``
1225
1226
  - ``AWS::ManagedBlockchain::Node``
1226
1227
  - ``AWS::MedicalImaging::Datastore``
1227
1228
  - ``AWS::PCAConnectorAD::Connector``
1229
+ - ``AWS::SageMaker::Endpoint``
1228
1230
  - ``AWS::SageMaker::ExperimentTrialComponent``
1229
1231
  - ``AWS::SageMaker::FeatureGroup``
1230
1232
  - ``AWS::S3::AccessPoint``
@@ -1290,6 +1292,10 @@ class CfnEventDataStore(
1290
1292
 
1291
1293
  - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>``
1292
1294
 
1295
+ When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
1296
+
1297
+ - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>``
1298
+
1293
1299
  When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
1294
1300
 
1295
1301
  - ``arn:<partition>:managedblockchain:::networks/<network_name>``
@@ -1306,6 +1312,10 @@ class CfnEventDataStore(
1306
1312
 
1307
1313
  - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>``
1308
1314
 
1315
+ When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
1316
+
1317
+ - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>``
1318
+
1309
1319
  When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
1310
1320
 
1311
1321
  - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>``
@@ -2419,7 +2429,7 @@ class CfnTrail(
2419
2429
  ) -> None:
2420
2430
  '''A single selector statement in an advanced event selector.
2421
2431
 
2422
- :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported. For CloudTrail event records, supported fields include ``readOnly`` , ``eventCategory`` , ``eventSource`` (for management events), ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail event records, the value must be ``Management`` or ``Data`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. 
``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. 
- ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals 
``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals 
``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - 
``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
2432
+ :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the field is used only for selecting events as filtering is not supported. For CloudTrail event records, supported fields include ``readOnly`` , ``eventCategory`` , ``eventSource`` (for management events), ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for AWS Config configuration items, Audit Manager evidence, or non- AWS events, the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this field, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail event records, the value must be ``Management`` or ``Data`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This field is required for CloudTrail data events. 
``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::VerifiedPermissions::PolicyStore`` You can have only one ``resources.type`` field per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. 
- ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>::workspace/<workspace_name>`` When ``resources.type`` equals 
``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals 
``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. 
- ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
2423
2433
  :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
2424
2434
  :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
2425
2435
  :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -2505,10 +2515,12 @@ class CfnTrail(
2505
2515
  - ``AWS::Glue::Table``
2506
2516
  - ``AWS::GuardDuty::Detector``
2507
2517
  - ``AWS::KendraRanking::ExecutionPlan``
2518
+ - ``AWS::KinesisVideo::Stream``
2508
2519
  - ``AWS::ManagedBlockchain::Network``
2509
2520
  - ``AWS::ManagedBlockchain::Node``
2510
2521
  - ``AWS::MedicalImaging::Datastore``
2511
2522
  - ``AWS::PCAConnectorAD::Connector``
2523
+ - ``AWS::SageMaker::Endpoint``
2512
2524
  - ``AWS::SageMaker::ExperimentTrialComponent``
2513
2525
  - ``AWS::SageMaker::FeatureGroup``
2514
2526
  - ``AWS::S3::AccessPoint``
@@ -2574,6 +2586,10 @@ class CfnTrail(
2574
2586
 
2575
2587
  - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>``
2576
2588
 
2589
+ When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
2590
+
2591
+ - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name/<creation_time>``
2592
+
2577
2593
  When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
2578
2594
 
2579
2595
  - ``arn:<partition>:managedblockchain:::networks/<network_name>``
@@ -2590,6 +2606,10 @@ class CfnTrail(
2590
2606
 
2591
2607
  - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>``
2592
2608
 
2609
+ When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
2610
+
2611
+ - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>``
2612
+
2593
2613
  When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
2594
2614
 
2595
2615
  - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>``
@@ -2726,7 +2746,7 @@ class CfnTrail(
2726
2746
  - The ``Invoke`` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event.
2727
2747
  - The ``Invoke`` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the ``Invoke`` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event.
2728
2748
 
2729
- :param type: The resource type in which you want to log data events. You can specify the following *basic* event selector resource types: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` The following resource types are also available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see `AdvancedFieldSelector <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html>`_ . - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::VerifiedPermissions::PolicyStore``
2749
+ :param type: The resource type in which you want to log data events. You can specify the following *basic* event selector resource types: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` The following resource types are also available through *advanced* event selectors. Basic event selector resource types are valid in advanced event selectors, but advanced event selector resource types are not valid in basic event selectors. For more information, see `AdvancedFieldSelector <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html>`_ . - ``AWS::CloudTrail::Channel`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GuardDuty::Detector`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::KinesisVideo::Stream`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::VerifiedPermissions::PolicyStore``
2730
2750
  :param values: An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified objects. - To log data events for all objects in all S3 buckets in your AWS account , specify the prefix as ``arn:aws:s3`` . .. epigraph:: This also enables logging of data event activity performed by any user or role in your AWS account , even if that activity is performed on a bucket that belongs to another AWS account . - To log data events for all objects in an S3 bucket, specify the bucket and an empty object prefix such as ``arn:aws:s3:::bucket-1/`` . The trail logs data events for all objects in this S3 bucket. - To log data events for specific objects, specify the S3 bucket and object prefix such as ``arn:aws:s3:::bucket-1/example-images`` . The trail logs data events for objects in this S3 bucket that match the prefix. - To log data events for all Lambda functions in your AWS account , specify the prefix as ``arn:aws:lambda`` . .. epigraph:: This also enables logging of ``Invoke`` activity performed by any user or role in your AWS account , even if that activity is performed on a function that belongs to another AWS account . - To log data events for a specific Lambda function, specify the function ARN. .. epigraph:: Lambda function ARNs are exact. For example, if you specify a function ARN *arn:aws:lambda:us-west-2:111111111111:function:helloworld* , data events will only be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld* . They will not be logged for *arn:aws:lambda:us-west-2:111111111111:function:helloworld2* . - To log data events for all DynamoDB tables in your AWS account , specify the prefix as ``arn:aws:dynamodb`` .
2731
2751
 
2732
2752
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-trail-dataresource.html
@@ -2777,10 +2797,12 @@ class CfnTrail(
2777
2797
  - ``AWS::Glue::Table``
2778
2798
  - ``AWS::GuardDuty::Detector``
2779
2799
  - ``AWS::KendraRanking::ExecutionPlan``
2800
+ - ``AWS::KinesisVideo::Stream``
2780
2801
  - ``AWS::ManagedBlockchain::Network``
2781
2802
  - ``AWS::ManagedBlockchain::Node``
2782
2803
  - ``AWS::MedicalImaging::Datastore``
2783
2804
  - ``AWS::PCAConnectorAD::Connector``
2805
+ - ``AWS::SageMaker::Endpoint``
2784
2806
  - ``AWS::SageMaker::ExperimentTrialComponent``
2785
2807
  - ``AWS::SageMaker::FeatureGroup``
2786
2808
  - ``AWS::S3::AccessPoint``
@@ -1039,7 +1039,7 @@ class Artifact(
1039
1039
  runtime=lambda_.Runtime.NODEJS_LATEST,
1040
1040
  handler="index.handler",
1041
1041
  code=lambda_.Code.from_inline("""
1042
- const AWS = require('aws-sdk');
1042
+ const { CodePipeline } = require('@aws-sdk/client-codepipeline');
1043
1043
 
1044
1044
  exports.handler = async function(event, context) {
1045
1045
  const codepipeline = new AWS.CodePipeline();
@@ -1048,7 +1048,7 @@ class Artifact(
1048
1048
  outputVariables: {
1049
1049
  MY_VAR: "some value",
1050
1050
  },
1051
- }).promise();
1051
+ });
1052
1052
  }
1053
1053
  """)
1054
1054
  ),
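Review bot: The inline handler in the `class Artifact(` example still builds its client with `new AWS.CodePipeline()` on the unchanged line after the new `require('@aws-sdk/client-codepipeline')`, but that import no longer defines `AWS`, so the handler as shown would throw a ReferenceError before it reports a job result. The line should read `const codepipeline = new CodePipeline();`. The same leftover is visible in the `lambda_invoke_action = codepipeline_actions.LambdaInvokeAction(` example in the next file section. Both examples pair inline code with `Runtime.NODEJS_LATEST`, so they presumably depend on whichever SDK the runtime bundles; a comment in the example saying so would help readers who pin an older runtime. The enclosing call in each example starts and ends outside the hunks.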
@@ -720,7 +720,7 @@ lambda_code = lambda_.Code.from_cfn_parameters()
720
720
  lambda_.Function(lambda_stack, "Lambda",
721
721
  code=lambda_code,
722
722
  handler="index.handler",
723
- runtime=lambda_.Runtime.NODEJS_16_X
723
+ runtime=lambda_.Runtime.NODEJS_LATEST
724
724
  )
725
725
  # other resources that your Lambda needs, added to the lambdaStack...
726
726
 
@@ -1467,7 +1467,7 @@ lambda_invoke_action = codepipeline_actions.LambdaInvokeAction(
1467
1467
  runtime=lambda_.Runtime.NODEJS_LATEST,
1468
1468
  handler="index.handler",
1469
1469
  code=lambda_.Code.from_inline("""
1470
- const AWS = require('aws-sdk');
1470
+ const { CodePipeline } = require('@aws-sdk/client-codepipeline');
1471
1471
 
1472
1472
  exports.handler = async function(event, context) {
1473
1473
  const codepipeline = new AWS.CodePipeline();
@@ -1476,7 +1476,7 @@ lambda_invoke_action = codepipeline_actions.LambdaInvokeAction(
1476
1476
  outputVariables: {
1477
1477
  MY_VAR: "some value",
1478
1478
  },
1479
- }).promise();
1479
+ });
1480
1480
  }
1481
1481
  """)
1482
1482
  ),
@@ -2339,7 +2339,7 @@ class CfnConfigurationRecorder(
2339
2339
 
2340
2340
  *Globally recorded resources*
2341
2341
 
2342
- Unless specifically listed as exclusions, globally recorded resource types ( IAM users, groups, roles, and customer managed policies) will be recorded automatically in all enabled AWS Config regions where AWS Config was available before February 2022. This list does not include the following Regions:
2342
+ Unless specifically listed as exclusions, ``AWS::RDS::GlobalCluster`` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded automatically in all enabled AWS Config Regions where AWS Config was available before February 2022. This list does not include the following Regions:
2343
2343
 
2344
2344
  - Asia Pacific (Hyderabad)
2345
2345
  - Asia Pacific (Melbourne)
@@ -2416,23 +2416,57 @@ class CfnConfigurationRecorder(
2416
2416
 
2417
2417
  In the recording group, you specify whether you want to record all supported resource types or to include or exclude specific types of resources.
2418
2418
 
2419
- By default, AWS Config records configuration changes for all supported types of *Regional resources* that AWS Config discovers in the AWS Region in which it is running. Regional resources are tied to a Region and can be used only in that Region. Examples of Regional resources are Amazon EC2 instances and Amazon EBS volumes.
2419
+ - ***Regional resources*** - By default, AWS Config records configuration changes for all current and future supported types of *Regional resources* that AWS Config discovers in the AWS Region where it is running. When AWS Config adds support for a new type of Regional resource, AWS Config starts recording resources of that type automatically.
2420
2420
 
2421
- You can also have AWS Config record supported types of *globally recorded resources* . Globally recorded resource types are not tied to a specific Region and can be used in all Regions. The globally recorded resource types that AWS Config supports are IAM users, groups, roles, and customer managed policies. These resource types are recorded in all enabled AWS Config regions where AWS Config was available before February 2022 (which excludes Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), and Middle East (UAE)). AWS Config also supports some global resources types for Amazon Elastic Container Registry Public , AWS Global Accelerator , and Amazon Route 53 ; however, these resource types are not globally recorded in all enabled AWS Config regions.
2421
+ Regional resources are tied to a Region and can be used only in that Region. You create them in a specified AWS Region , and then they exist in that Region. To see or interact with those resources, you must direct your operations to that Region. For example, to create an Amazon EC2 instance with the AWS Management Console , you `choose the AWS Region <https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/select-region.html>`_ that you want to create the instance in. If you use the AWS Command Line Interface ( AWS CLI ) to create the instance, then you include the ``--region`` parameter. The AWS SDKs each have their own equivalent mechanism to specify the Region that the operation uses.
2422
+
2423
+ There are several reasons for using Regional resources. One reason is to ensure that the resources, and the service endpoints that you use to access them, are as close to the customer as possible. This improves performance by minimizing latency. Another reason is to provide an isolation boundary. This lets you create independent copies of resources in multiple Regions to distribute the load and improve scalability. At the same time, it isolates the resources from each other to improve availability.
2424
+
2425
+ If you specify a different AWS Region in the console or in an AWS CLI command, then you can no longer see or interact with the resources you could see in the previous Region.
2426
+
2427
+ When you look at the `Amazon Resource Name (ARN) <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html>`_ for a Regional resource, the Region that contains the resource is specified as the fourth field in the ARN. For example, an Amazon EC2 instance is a Regional resource. The following is an example of an ARN for a Amazon Virtual Private Cloud ( Amazon VPC ) that exists in the ``us-east-1`` Region:
2428
+
2429
+ ``arn:aws:ec2:us-east-1:123456789012:instance/i-0a6f30921424d3eee`` .
2430
+
2431
+ - ***Global resources*** - Some AWS services resources are *global resources* , meaning that you can use the resource from **anywhere** . You don't specify an AWS Region in a global service's console. To access a global resource, you don't specify a ``--region`` parameter when using the service's AWS CLI and AWS SDK operations.
2432
+
2433
+ Global resources support cases where it is critical that only one instance of a particular resource can exist at a time. In these scenarios, replication or synchronization between copies in different Regions is not adequate. Having to access a single global endpoint, with the possible increase in latency, is considered acceptable to ensure that any changes are instantaneously visible to consumers of the resource.
2434
+
2435
+ For example, Amazon Aurora global clusters ( ``AWS::RDS::GlobalCluster`` ) are global resources, and therefore not tied to a Region. This means that you can create a global cluster without relying on a regional endpoint. The benefit is that, while the Amazon Relational Database Service ( Amazon RDS ) itself is organized by Regions, the specific Region where a global cluster originates doesn't impact the global cluster. It appears as a single, continuous global cluster across all Regions.
2436
+
2437
+ The `Amazon Resource Name (ARN) <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html>`_ for a global resource doesn't include a Region. The fourth field is empty, such as in the following example of an ARN for a global cluster:
2438
+
2439
+ ``arn:aws:rds::123456789012:global-cluster:test-global-cluster`` .
2422
2440
  .. epigraph::
2423
2441
 
2424
- Global resource types onboarded to AWS Config recording after February 2022 will be recorded only in the service's home Region for the commercial partition and AWS GovCloud (US-West) for the AWS GovCloud (US) partition. You can view the Configuration Items for these new global resource types only in their home Region and AWS GovCloud (US-West).
2442
+ Configuration changes for global resources are recorded by AWS Config in two different ways: 1) *regionally recorded* in only in the home Region of the global resource or 2) *globally recorded* in all enabled Regions.
2443
+
2444
+ - ***Regionally recorded*** - Global resources for the following services are only recorded in the home Region of the global resource type: Amazon Elastic Container Registry Public , AWS Global Accelerator , and Amazon Route 53 . For these global resources, the same instance of the resource type can be used in multiple AWS Regions, but the configuration items are only recorded in the home Region for the commercial partition or AWS GovCloud (US-West) for the AWS GovCloud (US) partition.
2425
2445
 
2426
- If you don't want AWS Config to record all resources, you can specify which types of resources AWS Config records with the ``resourceTypes`` parameter.
2446
+ For a table of the Home Regions for Global Resource Types, see `Selecting Which Resources AWS Config Records <https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html>`_ in the *AWS Config developer guide* .
2447
+
2448
+ - ***Globally recorded*** - Globally recorded resource types are recorded in all supported AWS Config Regions where the configuration recorder is enabled. Currently, there are two types of globally recorded resources: Aurora global clusters and IAM resources.
2449
+
2450
+ *Aurora global clusters*
2451
+
2452
+ ``AWS::RDS::GlobalCluster`` is a globally recorded resource type. It is recorded in all supported Amazon RDS Regions where the configuration recorder is enabled.
2453
+
2454
+ *IAM resources*
2455
+
2456
+ The following IAM resource types are also globally recorded: IAM users, groups, roles, and customer managed policies. However, these resource types are only recorded in all supported Amazon RDS Regions where the configuration recorder is enabled and that were supported by AWS Config ; *before* February 2022. This list does not include the following Regions: Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), and Middle East (UAE).
2457
+ .. epigraph::
2458
+
2459
+ When you select *Include globally recorded resource types* in the AWS Config console, or input ``includeGlobalResourceTypes=true`` using the API or CLI, this option only applies to globally recorded resources. This option does *not* apply to global resources recorded only in a home Region.
2427
2460
 
2428
2461
  For a list of supported resource types, see `Supported Resource Types <https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources>`_ in the *AWS Config developer guide* .
2462
+ .. epigraph::
2429
2463
 
2430
- For more information and a table of the Home Regions for Global Resource Types Onboarded after February 2022, see `Selecting Which Resources AWS Config Records <https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html>`_ in the *AWS Config developer guide* .
2464
+ If you don't want AWS Config to record all resources, you can specify which types of resources AWS Config records with the ``resourceTypes`` parameter.
2431
2465
 
2432
2466
  :param all_supported: Specifies whether AWS Config records configuration changes for all supported regional resource types. If you set this field to ``true`` , when AWS Config adds support for a new type of regional resource, AWS Config starts recording resources of that type automatically. If you set this field to ``true`` , you cannot enumerate specific resource types to record in the ``resourceTypes`` field of `RecordingGroup <https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingGroup.html>`_ , or to exclude in the ``resourceTypes`` field of `ExclusionByResourceTypes <https://docs.aws.amazon.com/config/latest/APIReference/API_ExclusionByResourceTypes.html>`_ .
2433
2467
  :param exclusion_by_resource_types: An object that specifies how AWS Config excludes resource types from being recorded by the configuration recorder. To use this option, you must set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``EXCLUSION_BY_RESOURCE_TYPES`` .
2434
- :param include_global_resource_types: Specifies whether AWS Config records configuration changes for globally recorded resource types ( IAM users, groups, roles, and customer managed policies). These resource types are recorded in all enabled AWS Config regions where AWS Config was available before February 2022 (which excludes Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), and Middle East (UAE)). Before you set this field to ``true`` , set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . Optionally, you can set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``ALL_SUPPORTED_RESOURCE_TYPES`` . If you set this field to ``true`` , when AWS Config adds support for a new type of global resource in the Region where you set up the configuration recorder, AWS Config starts recording resources of that type automatically. .. epigraph:: If you set this field to ``false`` but list global resource types in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the ``includeGlobalResourceTypes`` field to false. If you do not want to record configuration changes to global resource types, make sure to not list them in the ``resourceTypes`` field in addition to setting the ``includeGlobalResourceTypes`` field to false.
2435
- :param recording_strategy: An object that specifies the recording strategy for the configuration recorder. - If you set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``ALL_SUPPORTED_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported regional resource types. You also must set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . When AWS Config adds support for a new type of regional resource, AWS Config automatically starts recording resources of that type. - If you set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``INCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for only the resource types you specify in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . 
- If you set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``EXCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . .. epigraph:: *Required and optional fields* The ``recordingStrategy`` field is optional when you set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . The ``recordingStrategy`` field is optional when you list resource types in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . The ``recordingStrategy`` field is required if you list resource types to exclude from recording in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . > *Overriding fields* If you choose ``EXCLUSION_BY_RESOURCE_TYPES`` for the recording strategy, the ``exclusionByResourceTypes`` field will override other properties in the request. 
For example, even if you set ``includeGlobalResourceTypes`` to false, global resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the ``resourceTypes`` field of ``exclusionByResourceTypes`` . > *Global resource types and the exclusion recording strategy* By default, if you choose the ``EXCLUSION_BY_RESOURCE_TYPES`` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically. In addition, unless specifically listed as exclusions, globally recorded resource types ( IAM users, groups, roles, and customer managed policies) will be recorded automatically in all enabled AWS Config regions where AWS Config was available before February 2022. This list does not include the following Regions: - Asia Pacific (Hyderabad) - Asia Pacific (Melbourne) - Europe (Spain) - Europe (Zurich) - Israel (Tel Aviv) - Middle East (UAE)
2468
+ :param include_global_resource_types: Specifies whether AWS Config records configuration changes for globally recorded resource types ( ``AWS::RDS::GlobalCluster`` and IAM users, groups, roles, and customer managed policies). If you select this option, ``AWS::RDS::GlobalCluster`` will be recorded in all supported AWS Config Regions were the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded in all enabled AWS Config regions where AWS Config was available before February 2022. This list does not include the following Regions: - Asia Pacific (Hyderabad) - Asia Pacific (Melbourne) - Europe (Spain) - Europe (Zurich) - Israel (Tel Aviv) - Middle East (UAE) Before you set this field to ``true`` , set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . Optionally, you can set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``ALL_SUPPORTED_RESOURCE_TYPES`` . If you set this field to ``true`` , when AWS Config adds support for a new type of global resource in the Region where you set up the configuration recorder, AWS Config starts recording resources of that type automatically. .. epigraph:: If you set this field to ``false`` but list global resource types in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ , AWS Config will still record configuration changes for those specified resource types *regardless* of if you set the ``includeGlobalResourceTypes`` field to false. 
If you do not want to record configuration changes to global resource types, make sure to not list them in the ``resourceTypes`` field in addition to setting the ``includeGlobalResourceTypes`` field to false.
2469
+ :param recording_strategy: An object that specifies the recording strategy for the configuration recorder. - If you set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``ALL_SUPPORTED_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported regional resource types. You also must set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . When AWS Config adds support for a new type of regional resource, AWS Config automatically starts recording resources of that type. - If you set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``INCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for only the resource types you specify in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . 
- If you set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``EXCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . .. epigraph:: *Required and optional fields* The ``recordingStrategy`` field is optional when you set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . The ``recordingStrategy`` field is optional when you list resource types in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . The ``recordingStrategy`` field is required if you list resource types to exclude from recording in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . > *Overriding fields* If you choose ``EXCLUSION_BY_RESOURCE_TYPES`` for the recording strategy, the ``exclusionByResourceTypes`` field will override other properties in the request. 
For example, even if you set ``includeGlobalResourceTypes`` to false, global resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the ``resourceTypes`` field of ``exclusionByResourceTypes`` . > *Global resource types and the exclusion recording strategy* By default, if you choose the ``EXCLUSION_BY_RESOURCE_TYPES`` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically. In addition, unless specifically listed as exclusions, ``AWS::RDS::GlobalCluster`` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded automatically in all enabled AWS Config Regions where AWS Config was available before February 2022. This list does not include the following Regions: - Asia Pacific (Hyderabad) - Asia Pacific (Melbourne) - Europe (Spain) - Europe (Zurich) - Israel (Tel Aviv) - Middle East (UAE)
2436
2470
  :param resource_types: A comma-separated list that specifies which resource types AWS Config records. Optionally, you can set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``INCLUSION_BY_RESOURCE_TYPES`` . To record all configuration changes, set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` , and either omit this field or don't specify any resource types in this field. If you set the ``allSupported`` field to ``false`` and specify values for ``resourceTypes`` , when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group. For a list of valid ``resourceTypes`` values, see the *Resource Type Value* column in `Supported AWS resource Types <https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources>`_ in the *AWS Config developer guide* . .. epigraph:: *Region Availability* Before specifying a resource type for AWS Config to track, check `Resource Coverage by Region Availability <https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html>`_ to see if the resource type is supported in the AWS Region where you set up AWS Config . If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config , even if the specified resource type is not supported in the AWS Region where you set up AWS Config .
2437
2471
 
2438
2472
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html
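Review bot: The added *IAM resources* paragraph says IAM users, groups, roles and customer managed policies are recorded "in all supported Amazon RDS Regions", which looks copied from the Aurora paragraph above it. It disagrees with the `include_global_resource_types` text in this same hunk, which ties IAM recording to AWS Config Regions available before February 2022. A reader using this docstring to judge where IAM changes are captured for audit gets two answers; presumably it should read `recorded in all supported AWS Config Regions where the configuration recorder is enabled and that were supported by AWS Config before February 2022`, without the stray `;`. The new sentences also write "Regions were the configuration recorder is enabled" for "where", here and in the hunks at 2339, 2507, 2551 and 2607, and "regionally recorded in only in the home Region" has a doubled "in". The Regional ARN example is introduced as an Amazon VPC but shows an EC2 `instance/` ARN.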
@@ -2507,9 +2541,16 @@ class CfnConfigurationRecorder(
2507
2541
  def include_global_resource_types(
2508
2542
  self,
2509
2543
  ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
2510
- '''Specifies whether AWS Config records configuration changes for globally recorded resource types ( IAM users, groups, roles, and customer managed policies).
2544
+ '''Specifies whether AWS Config records configuration changes for globally recorded resource types ( ``AWS::RDS::GlobalCluster`` and IAM users, groups, roles, and customer managed policies).
2545
+
2546
+ If you select this option, ``AWS::RDS::GlobalCluster`` will be recorded in all supported AWS Config Regions were the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded in all enabled AWS Config regions where AWS Config was available before February 2022. This list does not include the following Regions:
2511
2547
 
2512
- These resource types are recorded in all enabled AWS Config regions where AWS Config was available before February 2022 (which excludes Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), Israel (Tel Aviv), and Middle East (UAE)).
2548
+ - Asia Pacific (Hyderabad)
2549
+ - Asia Pacific (Melbourne)
2550
+ - Europe (Spain)
2551
+ - Europe (Zurich)
2552
+ - Israel (Tel Aviv)
2553
+ - Middle East (UAE)
2513
2554
 
2514
2555
  Before you set this field to ``true`` , set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . Optionally, you can set the ``useOnly`` field of `AWS::Config::ConfigurationRecorder RecordingStrategy <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html>`_ to ``ALL_SUPPORTED_RESOURCE_TYPES`` .
2515
2556
 
@@ -2551,7 +2592,7 @@ class CfnConfigurationRecorder(
2551
2592
 
2552
2593
  By default, if you choose the ``EXCLUSION_BY_RESOURCE_TYPES`` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.
2553
2594
 
2554
- In addition, unless specifically listed as exclusions, globally recorded resource types ( IAM users, groups, roles, and customer managed policies) will be recorded automatically in all enabled AWS Config regions where AWS Config was available before February 2022. This list does not include the following Regions:
2595
+ In addition, unless specifically listed as exclusions, ``AWS::RDS::GlobalCluster`` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded automatically in all enabled AWS Config Regions where AWS Config was available before February 2022. This list does not include the following Regions:
2555
2596
 
2556
2597
  - Asia Pacific (Hyderabad)
2557
2598
  - Asia Pacific (Melbourne)
@@ -2607,7 +2648,7 @@ class CfnConfigurationRecorder(
2607
2648
 
2608
2649
  Valid values include: ``ALL_SUPPORTED_RESOURCE_TYPES`` , ``INCLUSION_BY_RESOURCE_TYPES`` , and ``EXCLUSION_BY_RESOURCE_TYPES`` .
2609
2650
 
2610
- :param use_only: The recording strategy for the configuration recorder. - If you set this option to ``ALL_SUPPORTED_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported regional resource types. You also must set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . When AWS Config adds support for a new type of regional resource, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see `Supported Resource Types <https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources>`_ in the *AWS Config developer guide* . - If you set this option to ``INCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for only the resource types that you specify in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . - If you set this option to ``EXCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . .. epigraph:: *Required and optional fields* The ``recordingStrategy`` field is optional when you set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . 
The ``recordingStrategy`` field is optional when you list resource types in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . The ``recordingStrategy`` field is required if you list resource types to exclude from recording in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . > *Overriding fields* If you choose ``EXCLUSION_BY_RESOURCE_TYPES`` for the recording strategy, the ``exclusionByResourceTypes`` field will override other properties in the request. For example, even if you set ``includeGlobalResourceTypes`` to false, global resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the ``resourceTypes`` field of ``exclusionByResourceTypes`` . > *Global resource types and the exclusion recording strategy* By default, if you choose the ``EXCLUSION_BY_RESOURCE_TYPES`` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically. In addition, unless specifically listed as exclusions, globally recorded resource types ( IAM users, groups, roles, and customer managed policies) will be recorded automatically in all enabled AWS Config regions where AWS Config was available before February 2022. This list does not include the following Regions: - Asia Pacific (Hyderabad) - Asia Pacific (Melbourne) - Europe (Spain) - Europe (Zurich) - Israel (Tel Aviv) - Middle East (UAE)
2651
+ :param use_only: The recording strategy for the configuration recorder. - If you set this option to ``ALL_SUPPORTED_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported regional resource types. You also must set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . When AWS Config adds support for a new type of regional resource, AWS Config automatically starts recording resources of that type. For a list of supported resource types, see `Supported Resource Types <https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources>`_ in the *AWS Config developer guide* . - If you set this option to ``INCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for only the resource types that you specify in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . - If you set this option to ``EXCLUSION_BY_RESOURCE_TYPES`` , AWS Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . .. epigraph:: *Required and optional fields* The ``recordingStrategy`` field is optional when you set the ``allSupported`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ to ``true`` . 
The ``recordingStrategy`` field is optional when you list resource types in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder RecordingGroup <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordinggroup.html>`_ . The ``recordingStrategy`` field is required if you list resource types to exclude from recording in the ``resourceTypes`` field of `AWS::Config::ConfigurationRecorder ExclusionByResourceTypes <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-exclusionbyresourcetypes.html>`_ . > *Overriding fields* If you choose ``EXCLUSION_BY_RESOURCE_TYPES`` for the recording strategy, the ``exclusionByResourceTypes`` field will override other properties in the request. For example, even if you set ``includeGlobalResourceTypes`` to false, global resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the ``resourceTypes`` field of ``exclusionByResourceTypes`` . > *Global resource types and the exclusion recording strategy* By default, if you choose the ``EXCLUSION_BY_RESOURCE_TYPES`` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically. In addition, unless specifically listed as exclusions, ``AWS::RDS::GlobalCluster`` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded automatically in all enabled AWS Config Regions where AWS Config was available before February 2022. This list does not include the following Regions: - Asia Pacific (Hyderabad) - Asia Pacific (Melbourne) - Europe (Spain) - Europe (Zurich) - Israel (Tel Aviv) - Middle East (UAE)
2611
2652
 
2612
2653
  :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-config-configurationrecorder-recordingstrategy.html
2613
2654
  :exampleMetadata: fixture=_generated
@@ -2656,7 +2697,7 @@ class CfnConfigurationRecorder(
2656
2697
 
2657
2698
  By default, if you choose the ``EXCLUSION_BY_RESOURCE_TYPES`` recording strategy, when AWS Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, AWS Config starts recording resources of that type automatically.
2658
2699
 
2659
- In addition, unless specifically listed as exclusions, globally recorded resource types ( IAM users, groups, roles, and customer managed policies) will be recorded automatically in all enabled AWS Config regions where AWS Config was available before February 2022. This list does not include the following Regions:
2700
+ In addition, unless specifically listed as exclusions, ``AWS::RDS::GlobalCluster`` will be recorded automatically in all supported AWS Config Regions were the configuration recorder is enabled. IAM users, groups, roles, and customer managed policies will be recorded automatically in all enabled AWS Config Regions where AWS Config was available before February 2022. This list does not include the following Regions:
2660
2701
 
2661
2702
  - Asia Pacific (Hyderabad)
2662
2703
  - Asia Pacific (Melbourne)