
Commit 074cb8c

feat: update L1 CloudFormation resource definitions (#34792)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-accessanalyzer │ └ resources │ └[~] resource AWS::AccessAnalyzer::Analyzer │ └ types │ ├[~] type AnalyzerConfiguration │ │ └ properties │ │ └[+] InternalAccessConfiguration: InternalAccessConfiguration │ ├[+] type InternalAccessAnalysisRule │ │ ├ documentation: Contains information about analysis rules for the internal access analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule. │ │ │ name: InternalAccessAnalysisRule │ │ └ properties │ │ └ Inclusions: Array<InternalAccessAnalysisRuleCriteria> │ ├[+] type InternalAccessAnalysisRuleCriteria │ │ ├ documentation: The criteria for an analysis rule for an internal access analyzer. │ │ │ name: InternalAccessAnalysisRuleCriteria │ │ └ properties │ │ ├ AccountIds: Array<string> │ │ ├ ResourceArns: Array<string> │ │ └ ResourceTypes: Array<string> │ └[+] type InternalAccessConfiguration │ ├ documentation: Specifies the configuration of an internal access analyzer for an AWS organization or account. This configuration determines how the analyzer evaluates internal access within your AWS environment. │ │ name: InternalAccessConfiguration │ └ properties │ └ InternalAccessAnalysisRule: InternalAccessAnalysisRule ├[~] service aws-amplify │ └ resources │ └[~] resource AWS::Amplify::App │ ├ properties │ │ └[+] JobConfig: JobConfig │ └ types │ └[+] type JobConfig │ ├ documentation: Describes the configuration details that apply to the jobs for an Amplify app. │ │ Use `JobConfig` to apply configuration to jobs, such as customizing the build instance size when you create or update an Amplify app. 
For more information about customizable build instances, see [Custom build instances](https://docs.aws.amazon.com/amplify/latest/userguide/custom-build-instance.html) in the *Amplify User Guide* . │ │ name: JobConfig │ └ properties │ └ BuildComputeType: string (required) ├[~] service aws-cleanrooms │ └ resources │ └[~] resource AWS::CleanRooms::Collaboration │ ├ properties │ │ ├ CreatorMemberAbilities: - Array<string> (required, immutable) │ │ │ + Array<string> (immutable) │ │ └ Members: - Array<MemberSpecification> (required, immutable) │ │ + Array<MemberSpecification> (immutable) │ └ types │ └[~] type MemberSpecification │ └ properties │ └ MemberAbilities: - Array<string> (required, immutable) │ + Array<string> (immutable) ├[~] service aws-connect │ └ resources │ └[~] resource AWS::Connect::EvaluationForm │ ├ properties │ │ └[+] AutoEvaluationConfiguration: AutoEvaluationConfiguration │ └ types │ ├[+] type AutoEvaluationConfiguration │ │ ├ name: AutoEvaluationConfiguration │ │ └ properties │ │ └ Enabled: boolean │ └[~] type EvaluationFormNumericQuestionAutomation │ └ properties │ └ PropertyValue: - NumericQuestionPropertyValueAutomation (required) │ + NumericQuestionPropertyValueAutomation ├[~] service aws-customerprofiles │ └ resources │ ├[~] resource AWS::CustomerProfiles::CalculatedAttributeDefinition │ │ └ types │ │ └[~] type Range │ │ └ properties │ │ └ Value: - integer (required) │ │ + integer │ └[~] resource AWS::CustomerProfiles::SegmentDefinition │ └ types │ ├[~] type ProfileAttributes │ │ └ properties │ │ └[+] ProfileType: ProfileTypeDimension │ └[+] type ProfileTypeDimension │ ├ documentation: Specifies profile type based criteria for a segment. 
│ │ name: ProfileTypeDimension │ └ properties │ ├ DimensionType: string (required) │ └ Values: Array<string> (required) ├[~] service aws-deadline │ └ resources │ └[~] resource AWS::Deadline::Fleet │ └ types │ └[~] type AcceleratorSelection │ └ properties │ ├ Name: (documentation changed) │ └ Runtime: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::Subnet │ │ └ types │ │ └[~] type BlockPublicAccessStates │ │ ├ - documentation: undefined │ │ │ + documentation: The state of VPC Block Public Access (BPA). │ │ └ properties │ │ └ InternetGatewayBlockMode: (documentation changed) │ └[~] resource AWS::EC2::TrafficMirrorFilter │ └ attributes │ └ Id: (documentation changed) ├[~] service aws-ecr │ └ resources │ └[~] resource AWS::ECR::RepositoryCreationTemplate │ └ properties │ └ ImageTagMutability: (documentation changed) ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::Service │ └ - documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers. │ > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. 
│ + documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers. │ > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. > On June 12, 2025, Amazon ECS launched support for updating capacity provider configuration for Amazon ECS services. With this launch, Amazon ECS also aligned the AWS CloudFormation update behavior for `CapacityProviderStrategy` parameter with the standard practice. For more information, see [Amazon ECS adds support for updating capacity provider configuration for ECS services](https://docs.aws.amazon.com/about-aws/whats-new/2025/05/amazon-ecs-capacity-provider-configuration-ecs/) . Previously Amazon ECS ignored the `CapacityProviderStrategy` property if it was set to an empty list for example, `[]` in AWS CloudFormation , because updating capacity provider configuration was not supported. Now, with support for capacity provider updates, customers can remove capacity providers from a service by passing an empty list. 
When you specify an empty list ( `[]` ) for the `CapacityProviderStrategy` property in your AWS CloudFormation template, Amazon ECS will remove any capacity providers associated with the service, as follows: │ > │ > - For services created with a capacity provider strategy after the launch: │ > │ > - If there's a cluster default strategy set, the service will revert to using that default strategy. │ > - If no cluster default strategy exists, you will receive the following error: │ > │ > No launch type to fall back to for empty capacity provider strategy. Your service was not created with a launch type. │ > - For services created with a capacity provider strategy prior to the launch: │ > │ > - If `CapacityProviderStrategy` had `FARGATE_SPOT` or `FARGATE` capacity providers, the launch type will be updated to `FARGATE` and the capacity provider will be removed. │ > - If the strategy included Auto Scaling group capacity providers, the service will revert to EC2 launch type, and the Auto Scaling group capacity providers will not be used. │ > │ > Recommended Actions │ > │ > If you are currently using `CapacityProviderStrategy: []` in your AWS CloudFormation templates, you should take one of the following actions: │ > │ > - If you do not intend to update the Capacity Provider Strategy: │ > │ > - Remove the `CapacityProviderStrategy` property entirely from your AWS CloudFormation template │ > - Alternatively, use `!Ref AWS ::NoValue` for the `CapacityProviderStrategy` property in your template │ > - If you intend to maintain or update the Capacity Provider Strategy, specify the actual Capacity Provider Strategy for the service in your AWS CloudFormation template. 
│ > │ > If your AWS CloudFormation template had an empty list ([]) for `CapacityProviderStrategy` prior to the aforementioned launch on June 12, and you are using the same template with `CapacityProviderStrategy: []` , you might encounter the following error: │ > │ > Invalid request provided: When switching from launch type to capacity provider strategy on an existing service, or making a change to a capacity provider strategy on a service that is already using one, you must force a new deployment. (Service: Ecs, Status Code: 400, Request ID: xxx) (SDK Attempt Count: 1)" (RequestToken: xxx HandlerErrorCode: InvalidRequest) │ > │ > Note that AWS CloudFormation automatically initiates a new deployment when it detects a parameter change, but customers cannot choose to force a deployment through AWS CloudFormation . This is an invalid input scenario that requires one of the remediation actions listed above. │ > │ > If you are experiencing active production issues related to this change, contact AWS Support or your Technical Account Manager. 
├[~] service aws-inspectorv2 │ └ resources │ └[~] resource AWS::InspectorV2::Filter │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ ├ properties │ │ └[+] Tags: Map<string, string> │ └ types │ ├[~] type FilterCriteria │ │ └ properties │ │ ├[+] CodeVulnerabilityDetectorName: Array<StringFilter> │ │ ├[+] CodeVulnerabilityDetectorTags: Array<StringFilter> │ │ ├[+] CodeVulnerabilityFilePath: Array<StringFilter> │ │ ├[+] EpssScore: Array<NumberFilter> │ │ ├[+] ExploitAvailable: Array<StringFilter> │ │ ├[+] FixAvailable: Array<StringFilter> │ │ ├[+] LambdaFunctionExecutionRoleArn: Array<StringFilter> │ │ ├[+] LambdaFunctionLastModifiedAt: Array<DateFilter> │ │ ├[+] LambdaFunctionLayers: Array<StringFilter> │ │ ├[+] LambdaFunctionName: Array<StringFilter> │ │ └[+] LambdaFunctionRuntime: Array<StringFilter> │ └[~] type PackageFilter │ └ properties │ ├[+] FilePath: StringFilter │ └[+] SourceLambdaLayerArn: StringFilter ├[~] service aws-kms │ └ resources │ └[~] resource AWS::KMS::Key │ └ properties │ ├ KeySpec: (documentation changed) │ ├ KeyUsage: (documentation changed) │ └ Origin: (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::EventSourceMapping │ └ types │ ├[~] type SchemaRegistryAccessConfig │ │ └ properties │ │ ├ Type: (documentation changed) │ │ └ URI: (documentation changed) │ ├[~] type SchemaRegistryConfig │ │ └ properties │ │ ├ AccessConfigs: (documentation changed) │ │ ├ EventRecordFormat: (documentation changed) │ │ ├ SchemaRegistryURI: (documentation changed) │ │ └ SchemaValidationConfigs: (documentation changed) │ └[~] type SchemaValidationConfig │ └ properties │ └ Attribute: (documentation changed) ├[~] service aws-mediatailor │ └ resources │ └[~] resource AWS::MediaTailor::PlaybackConfiguration │ ├ properties │ │ └[+] LogConfiguration: LogConfiguration │ └ types │ ├[+] type AdsInteractionLog │ │ ├ documentation: Settings for customizing what events are included in 
logs for interactions with the ad decision server (ADS). │ │ │ For more information about ADS logs, inlcuding descriptions of the event types, see [MediaTailor ADS logs description and event types](https://docs.aws.amazon.com/mediatailor/latest/ug/ads-log-format.html) in AWS Elemental MediaTailor User Guide. │ │ │ name: AdsInteractionLog │ │ └ properties │ │ ├ ExcludeEventTypes: Array<string> │ │ └ PublishOptInEventTypes: Array<string> │ ├[+] type LogConfiguration │ │ ├ documentation: Defines where AWS Elemental MediaTailor sends logs for the playback configuration. │ │ │ name: LogConfiguration │ │ └ properties │ │ ├ AdsInteractionLog: AdsInteractionLog │ │ ├ EnabledLoggingStrategies: Array<string> │ │ ├ ManifestServiceInteractionLog: ManifestServiceInteractionLog │ │ └ PercentEnabled: integer (required) │ └[+] type ManifestServiceInteractionLog │ ├ documentation: Settings for customizing what events are included in logs for interactions with the origin server. │ │ For more information about manifest service logs, including descriptions of the event types, see [MediaTailor manifest logs description and event types](https://docs.aws.amazon.com/mediatailor/latest/ug/log-types.html) in AWS Elemental MediaTailor User Guide. │ │ name: ManifestServiceInteractionLog │ └ properties │ └ ExcludeEventTypes: Array<string> ├[+] service aws-mpa │ ├ capitalized: MPA │ │ cloudFormationNamespace: AWS::MPA │ │ name: aws-mpa │ │ shortName: mpa │ └ resources │ ├ resource AWS::MPA::ApprovalTeam │ │ ├ name: ApprovalTeam │ │ │ cloudFormationType: AWS::MPA::ApprovalTeam │ │ │ documentation: Resource Type definition for AWS::MPA::ApprovalTeam. 
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ ├ ApprovalStrategy: ApprovalStrategy (required) │ │ │ ├ Approvers: Array<Approver> (required) │ │ │ ├ Tags: Array<tag> │ │ │ ├ Policies: Array<Policy> (required, immutable) │ │ │ ├ Name: string (required, immutable) │ │ │ └ Description: string (required) │ │ ├ attributes │ │ │ ├ Arn: string │ │ │ ├ VersionId: string │ │ │ ├ NumberOfApprovers: integer │ │ │ ├ UpdateSessionArn: string │ │ │ ├ CreationTime: string │ │ │ ├ LastUpdateTime: string │ │ │ ├ Status: string │ │ │ ├ StatusCode: string │ │ │ └ StatusMessage: string │ │ └ types │ │ ├ type ApprovalStrategy │ │ │ ├ name: ApprovalStrategy │ │ │ └ properties │ │ │ └ MofN: MofNApprovalStrategy (required) │ │ ├ type Approver │ │ │ ├ name: Approver │ │ │ └ properties │ │ │ ├ PrimaryIdentityId: string (required) │ │ │ ├ PrimaryIdentitySourceArn: string (required) │ │ │ ├ ApproverId: string │ │ │ ├ ResponseTime: string │ │ │ └ PrimaryIdentityStatus: string │ │ ├ type MofNApprovalStrategy │ │ │ ├ name: MofNApprovalStrategy │ │ │ └ properties │ │ │ └ MinApprovalsRequired: integer (required) │ │ └ type Policy │ │ ├ name: Policy │ │ └ properties │ │ └ PolicyArn: string (required, immutable) │ └ resource AWS::MPA::IdentitySource │ ├ name: IdentitySource │ │ cloudFormationType: AWS::MPA::IdentitySource │ │ documentation: Resource Type definition for AWS::MPA::IdentitySource. 
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ IdentitySourceParameters: IdentitySourceParameters (required, immutable) │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ IdentitySourceArn: string │ │ ├ IdentitySourceType: string │ │ ├ IdentitySourceParameters.IamIdentityCenter.ApprovalPortalUrl: string │ │ ├ CreationTime: string │ │ ├ Status: string │ │ ├ StatusCode: string │ │ └ StatusMessage: string │ └ types │ ├ type IamIdentityCenter │ │ ├ name: IamIdentityCenter │ │ └ properties │ │ ├ InstanceArn: string (required, immutable) │ │ ├ Region: string (required, immutable) │ │ └ ApprovalPortalUrl: string │ └ type IdentitySourceParameters │ ├ name: IdentitySourceParameters │ └ properties │ └ IamIdentityCenter: IamIdentityCenter (required, immutable) ├[~] service aws-networkfirewall │ └ resources │ ├[~] resource AWS::NetworkFirewall::RuleGroup │ │ └ types │ │ └[~] type RuleVariables │ │ └ - documentation: Settings that are available for use in the rules in the `RuleGroup` where this is defined. │ │ + documentation: Settings that are available for use in the rules in the `RuleGroup` where this is defined. See `CreateRuleGroup` or `UpdateRuleGroup` for usage. 
│ └[~] resource AWS::NetworkFirewall::TLSInspectionConfiguration │ └ types │ └[~] type ServerCertificateConfiguration │ └ properties │ └ CertificateAuthorityArn: (documentation changed) ├[~] service aws-opsworkscm │ └ resources │ └[~] resource AWS::OpsWorksCM::Server │ ├ properties │ │ └[+] ServerName: string (immutable) │ └ attributes │ └ ServerName: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ ├[~] resource AWS::SageMaker::Model │ │ └ types │ │ └[~] type S3DataSource │ │ └ properties │ │ └ S3DataType: (documentation changed) │ └[~] resource AWS::SageMaker::ModelPackage │ └ types │ └[~] type S3DataSource │ └ properties │ └ S3DataType: (documentation changed) ├[~] service aws-securityhub │ └ resources │ ├[+] resource AWS::SecurityHub::AggregatorV2 │ │ ├ name: AggregatorV2 │ │ │ cloudFormationType: AWS::SecurityHub::AggregatorV2 │ │ │ documentation: The AWS::SecurityHub::AggregatorV2 resource represents the AWS Security Hub AggregatorV2 in your account. One aggregatorv2 resource is created for each account in non opt-in region in which you configure region linking mode. 
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ RegionLinkingMode: string (required) │ │ │ ├ LinkedRegions: Array<string> (required) │ │ │ └ Tags: Map<string, string> │ │ └ attributes │ │ ├ AggregatorV2Arn: string │ │ └ AggregationRegion: string │ ├[~] resource AWS::SecurityHub::AutomationRule │ │ └ types │ │ └[~] type StringFilter │ │ └ properties │ │ └ Comparison: (documentation changed) │ ├[+] resource AWS::SecurityHub::AutomationRuleV2 │ │ ├ name: AutomationRuleV2 │ │ │ cloudFormationType: AWS::SecurityHub::AutomationRuleV2 │ │ │ documentation: Resource schema for AWS::SecurityHub::AutomationRuleV2 │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ RuleName: string (required) │ │ │ ├ RuleStatus: string │ │ │ ├ Description: string (required) │ │ │ ├ RuleOrder: number (required) │ │ │ ├ Criteria: Criteria (required) │ │ │ ├ Actions: Array<AutomationRulesActionV2> (required) │ │ │ └ Tags: Map<string, string> │ │ ├ attributes │ │ │ ├ RuleArn: string │ │ │ ├ RuleId: string │ │ │ ├ CreatedAt: string │ │ │ └ UpdatedAt: string │ │ └ types │ │ ├ type AutomationRulesActionV2 │ │ │ ├ documentation: Allows you to configure automated responses │ │ │ │ name: AutomationRulesActionV2 │ │ │ └ properties │ │ │ ├ Type: string (required) │ │ │ ├ FindingFieldsUpdate: AutomationRulesFindingFieldsUpdateV2 │ │ │ └ ExternalIntegrationConfiguration: ExternalIntegrationConfiguration │ │ ├ type AutomationRulesFindingFieldsUpdateV2 │ │ │ ├ documentation: The changes to be applied to fields in a security finding when an automation rule is triggered │ │ │ │ name: AutomationRulesFindingFieldsUpdateV2 │ │ │ └ properties │ │ │ ├ SeverityId: integer │ │ │ ├ Comment: string │ │ │ └ StatusId: integer │ │ ├ type BooleanFilter │ │ │ ├ documentation: Boolean filter for querying findings │ │ │ │ name: BooleanFilter │ │ │ └ properties │ │ │ └ Value: boolean (required) │ │ ├ type CompositeFilter │ │ │ ├ documentation: 
Enables the creation of filtering criteria for security findings │ │ │ │ name: CompositeFilter │ │ │ └ properties │ │ │ ├ StringFilters: Array<OcsfStringFilter> │ │ │ ├ DateFilters: Array<OcsfDateFilter> │ │ │ ├ BooleanFilters: Array<OcsfBooleanFilter> │ │ │ ├ NumberFilters: Array<OcsfNumberFilter> │ │ │ ├ MapFilters: Array<OcsfMapFilter> │ │ │ └ Operator: string │ │ ├ type Criteria │ │ │ ├ documentation: Defines the parameters and conditions used to evaluate and filter security findings │ │ │ │ name: Criteria │ │ │ └ properties │ │ │ └ OcsfFindingCriteria: OcsfFindingFilters │ │ ├ type DateFilter │ │ │ ├ documentation: A date filter for querying findings │ │ │ │ name: DateFilter │ │ │ └ properties │ │ │ ├ DateRange: DateRange │ │ │ ├ End: string │ │ │ └ Start: string │ │ ├ type DateRange │ │ │ ├ documentation: A date range for the date filter │ │ │ │ name: DateRange │ │ │ └ properties │ │ │ ├ Unit: string (required) │ │ │ └ Value: number (required) │ │ ├ type ExternalIntegrationConfiguration │ │ │ ├ documentation: The settings for integrating automation rule actions with external systems or service │ │ │ │ name: ExternalIntegrationConfiguration │ │ │ └ properties │ │ │ └ ConnectorArn: string │ │ ├ type MapFilter │ │ │ ├ documentation: A map filter for filtering findings │ │ │ │ name: MapFilter │ │ │ └ properties │ │ │ ├ Comparison: string (required) │ │ │ ├ Key: string (required) │ │ │ └ Value: string (required) │ │ ├ type NumberFilter │ │ │ ├ documentation: A number filter for querying findings │ │ │ │ name: NumberFilter │ │ │ └ properties │ │ │ ├ Eq: number │ │ │ ├ Gte: number │ │ │ └ Lte: number │ │ ├ type OcsfBooleanFilter │ │ │ ├ documentation: Enables filtering of security findings based on boolean field values in OCSF │ │ │ │ name: OcsfBooleanFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: BooleanFilter (required) │ │ ├ type OcsfDateFilter │ │ │ ├ documentation: Enables filtering of security findings based on date and 
timestamp fields in OCSF │ │ │ │ name: OcsfDateFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: DateFilter (required) │ │ ├ type OcsfFindingFilters │ │ │ ├ documentation: The filtering conditions that align with OCSF standards │ │ │ │ name: OcsfFindingFilters │ │ │ └ properties │ │ │ ├ CompositeFilters: Array<CompositeFilter> │ │ │ └ CompositeOperator: string │ │ ├ type OcsfMapFilter │ │ │ ├ documentation: Enables filtering of security findings based on map field values in OCSF │ │ │ │ name: OcsfMapFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: MapFilter (required) │ │ ├ type OcsfNumberFilter │ │ │ ├ documentation: Enables filtering of security findings based on numerical field values in OCSF │ │ │ │ name: OcsfNumberFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: NumberFilter (required) │ │ ├ type OcsfStringFilter │ │ │ ├ documentation: Enables filtering of security findings based on string field values in OCSF │ │ │ │ name: OcsfStringFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: StringFilter (required) │ │ └ type StringFilter │ │ ├ documentation: A string filter for filtering findings │ │ │ name: StringFilter │ │ └ properties │ │ ├ Value: string (required) │ │ └ Comparison: string (required) │ └[~] resource AWS::SecurityHub::Insight │ └ types │ └[~] type StringFilter │ └ properties │ └ Comparison: (documentation changed) ├[~] service aws-synthetics │ └ resources │ └[~] resource AWS::Synthetics::Canary │ └ types │ └[~] type RunConfig │ └ properties │ └[+] EphemeralStorage: integer └[~] service aws-wafv2 └ resources ├[~] resource AWS::WAFv2::RuleGroup │ └ types │ ├[~] type AsnMatchStatement │ │ ├ - documentation: undefined │ │ │ + documentation: A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address. 
│ │ │ For additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . │ │ └ properties │ │ ├ AsnList: (documentation changed) │ │ └ ForwardedIPConfig: (documentation changed) │ ├[~] type RateBasedStatementCustomKey │ │ └ properties │ │ └ ASN: (documentation changed) │ └[~] type Statement │ └ properties │ └ AsnMatchStatement: (documentation changed) └[~] resource AWS::WAFv2::WebACL ├ properties │ └ OnSourceDDoSProtectionConfig: - OnSourceDDoSProtectionConfig ⇐ json │ + OnSourceDDoSProtectionConfig └ types ├[~] type AsnMatchStatement │ ├ - documentation: undefined │ │ + documentation: A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address. │ │ For additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . │ └ properties │ ├ AsnList: (documentation changed) │ └ ForwardedIPConfig: (documentation changed) ├[~] type AWSManagedRulesAntiDDoSRuleSet │ ├ - documentation: Configures how to use the AntiDDOS AWS managed rule group in the web ACL │ │ + documentation: Configures the use of the anti-DDoS managed rule group, `AWSManagedRulesAntiDDoSRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ │ The configuration that you provide here determines whether and how the rules in the rule group are used. 
│ │ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* . │ └ properties │ ├ ClientSideActionConfig: (documentation changed) │ └ SensitivityToBlock: (documentation changed) ├[~] type ClientSideAction │ ├ - documentation: Client side action config for AntiDDOS AMR. │ │ + documentation: This is part of the `AWSManagedRulesAntiDDoSRuleSet` `ClientSideActionConfig` configuration in `ManagedRuleGroupConfig` . │ └ properties │ ├ ExemptUriRegularExpressions: (documentation changed) │ ├ Sensitivity: (documentation changed) │ └ UsageOfAction: (documentation changed) ├[~] type ClientSideActionConfig │ ├ - documentation: Client side action config for AntiDDOS AMR. │ │ + documentation: This is part of the configuration for the managed rules `AWSManagedRulesAntiDDoSRuleSet` in `ManagedRuleGroupConfig` . │ └ properties │ └ Challenge: (documentation changed) ├[~] type ManagedRuleGroupConfig │ └ properties │ └ AWSManagedRulesAntiDDoSRuleSet: (documentation changed) ├[~] type OnSourceDDoSProtectionConfig │ ├ - documentation: Configures the options for on-source DDoS protection provided by supported resource type. │ │ + documentation: Configures the level of DDoS protection that applies to web ACLs associated with Application Load Balancers. │ └ properties │ └ ALBLowReputationMode: (documentation changed) ├[~] type RateBasedStatementCustomKey │ └ properties │ └ ASN: (documentation changed) ├[~] type Regex │ ├ - documentation: Regex │ │ + documentation: A single regular expression. This is used in a `RegexPatternSet` and also in the configuration for the AWS Managed Rules rule group `AWSManagedRulesAntiDDoSRuleSet` . 
│ └ properties │ └ RegexString: (documentation changed) └[~] type Statement └ properties └ AsnMatchStatement: (documentation changed) ```
1 parent 054c6c5 commit 074cb8c


9 files changed

+72
-12
lines changed

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
{
2+
"targets": {
3+
"java": {
4+
"package": "software.amazon.awscdk.services.mpa"
5+
},
6+
"dotnet": {
7+
"package": "Amazon.CDK.AWS.MPA"
8+
},
9+
"python": {
10+
"module": "aws_cdk.aws_mpa"
11+
}
12+
}
13+
}
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
# AWS::MPA Construct Library
2+
<!--BEGIN STABILITY BANNER-->
3+
4+
---
5+
6+
![cfn-resources: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
7+
8+
> All classes with the `Cfn` prefix in this module ([CFN Resources]) are always stable and safe to use.
9+
>
10+
> [CFN Resources]: https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib
11+
12+
---
13+
14+
<!--END STABILITY BANNER-->
15+
16+
This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
17+
18+
```ts nofixture
19+
import * as mpa from 'aws-cdk-lib/aws-mpa';
20+
```
21+
22+
<!--BEGIN CFNONLY DISCLAIMER-->
23+
24+
There are no official hand-written ([L2](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib)) constructs for this service yet. Here are some suggestions on how to proceed:
25+
26+
- Search [Construct Hub for MPA construct libraries](https://constructs.dev/search?q=mpa)
27+
- Use the automatically generated [L1](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_l1_using) constructs, in the same way you would use [the CloudFormation AWS::MPA resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MPA.html) directly.
28+
29+
30+
<!--BEGIN CFNONLY DISCLAIMER-->
31+
32+
There are no hand-written ([L2](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib)) constructs for this service yet.
33+
However, you can still use the automatically generated [L1](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_l1_using) constructs, and use this service exactly as you would using CloudFormation directly.
34+
35+
For more information on the resources and properties available for this service, see the [CloudFormation documentation for AWS::MPA](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MPA.html).
36+
37+
(Read the [CDK Contributing Guide](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and submit an RFC if you are interested in contributing to this construct library.)
38+
39+
<!--END CFNONLY DISCLAIMER-->
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
export * from './lib';
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
// AWS::MPA Cloudformation Resources
2+
export * from './mpa.generated';

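--- a/packages/aws-cdk-lib/index.ts
+++ b/packages/aws-cdk-lib/index.ts
@@ -183,6 +183,7 @@ export * as aws_mediapackagev2 from './aws-mediapackagev2';
 export * as aws_mediastore from './aws-mediastore';
 export * as aws_mediatailor from './aws-mediatailor';
 export * as aws_memorydb from './aws-memorydb';
+export * as aws_mpa from './aws-mpa';
 export * as aws_msk from './aws-msk';
 export * as aws_mwaa from './aws-mwaa';
 export * as aws_neptune from './aws-neptune';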

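--- a/packages/aws-cdk-lib/package.json
+++ b/packages/aws-cdk-lib/package.json
@@ -136,7 +136,7 @@
 },
 "devDependencies": {
 "@aws-cdk/lambda-layer-kubectl-v31": "^2.1.0",
-"@aws-cdk/aws-service-spec": "^0.1.82",
+"@aws-cdk/aws-service-spec": "^0.1.83",
 "@aws-cdk/cdk-build-tools": "0.0.0",
 "@aws-cdk/custom-resource-handlers": "0.0.0",
 "@aws-cdk/pkglint": "0.0.0",
@@ -399,6 +399,7 @@
 "./aws-mediastore": "./aws-mediastore/index.js",
 "./aws-mediatailor": "./aws-mediatailor/index.js",
 "./aws-memorydb": "./aws-memorydb/index.js",
+"./aws-mpa": "./aws-mpa/index.js",
 "./aws-msk": "./aws-msk/index.js",
 "./aws-mwaa": "./aws-mwaa/index.js",
 "./aws-neptune": "./aws-neptune/index.js",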

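--- a/packages/aws-cdk-lib/scripts/scope-map.json
+++ b/packages/aws-cdk-lib/scripts/scope-map.json
@@ -495,6 +495,9 @@
 "aws-memorydb": [
 "AWS::MemoryDB"
 ],
+"aws-mpa": [
+"AWS::MPA"
+],
 "aws-msk": [
 "AWS::MSK"
 ],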

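--- a/tools/@aws-cdk/spec2cdk/package.json
+++ b/tools/@aws-cdk/spec2cdk/package.json
@@ -32,9 +32,9 @@
 },
 "license": "Apache-2.0",
 "dependencies": {
-"@aws-cdk/aws-service-spec": "^0.1.82",
+"@aws-cdk/aws-service-spec": "^0.1.83",
 "@aws-cdk/service-spec-importers": "^0.0.82",
-"@aws-cdk/service-spec-types": "^0.0.148",
+"@aws-cdk/service-spec-types": "^0.0.149",
 "@cdklabs/tskb": "^0.0.3",
 "@cdklabs/typewriter": "^0.0.5",
 "camelcase": "^6",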

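--- a/yarn.lock
+++ b/yarn.lock
@@ -66,12 +66,12 @@
 "@aws-cdk/service-spec-types" "^0.0.145"
 "@cdklabs/tskb" "^0.0.3"
 
-"@aws-cdk/aws-service-spec@^0.1.82":
-version "0.1.82"
-resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.1.82.tgz#d9d0b9e918daea01912de11e670e29e669b0f718"
-integrity sha512-Vn0qMU00ozjmzxMgAluhS8V8H+/tk0Zk8VwKKf4kDJ3i1uFp15mfQM5vch8JwNs5Tn/xAOCX7jIavh1PiKfKYg==
+"@aws-cdk/aws-service-spec@^0.1.83":
+version "0.1.83"
+resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.1.83.tgz#fba5aa14fd4ca476db91fdfb0521ce05207a879b"
+integrity sha512-N3Em28zPdSg5GPORsK8QAD+J6P1qs9E/QwiSU0lnOGXw4lXWo/kbmyx0J50gJlIOSSKu5yHrCtozqJox51F2oA==
 dependencies:
-"@aws-cdk/service-spec-types" "^0.0.148"
+"@aws-cdk/service-spec-types" "^0.0.149"
 "@cdklabs/tskb" "^0.0.3"
 
 "@aws-cdk/cloud-assembly-schema@^44.2.0":
@@ -152,10 +152,10 @@
 dependencies:
 "@cdklabs/tskb" "^0.0.3"
 
-"@aws-cdk/service-spec-types@^0.0.148":
-version "0.0.148"
-resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.148.tgz#8ec4fa34d4bbb7e9542bce09da0641a20795f771"
-integrity sha512-efHu3o1r/OWpwtz0415EEyXOLtxq7Wd4m7vb+bSg/QybNK9wwwlmYqDQaA8bDzygGJr4Kyq6losvGZhiBuYkiA==
+"@aws-cdk/service-spec-types@^0.0.149":
+version "0.0.149"
+resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.149.tgz#30d0ed92cc1f94a5daea25354c61b77cd2365469"
+integrity sha512-floRx9TBqiPa37EtZTW5uMhRmJDYdq+HJpCswQz9CsOIPIimkZXUeb6+/1g3+zsJVsb3pIj0kzCE+9civSUwKA==
 dependencies:
 "@cdklabs/tskb" "^0.0.3"
 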