@aws-cdk-automation
Collaborator

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-accessanalyzer
│ └ resources
│    └[~]  resource AWS::AccessAnalyzer::Analyzer
│       └ types
│          ├[~] type AnalyzerConfiguration
│          │ └ properties
│          │    └[+] InternalAccessConfiguration: InternalAccessConfiguration
│          ├[+]  type InternalAccessAnalysisRule
│          │  ├      documentation: Contains information about analysis rules for the internal access analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule.
│          │  │      name: InternalAccessAnalysisRule
│          │  └ properties
│          │     └ Inclusions: Array<InternalAccessAnalysisRuleCriteria>
│          ├[+]  type InternalAccessAnalysisRuleCriteria
│          │  ├      documentation: The criteria for an analysis rule for an internal access analyzer.
│          │  │      name: InternalAccessAnalysisRuleCriteria
│          │  └ properties
│          │     ├ AccountIds: Array<string>
│          │     ├ ResourceArns: Array<string>
│          │     └ ResourceTypes: Array<string>
│          └[+]  type InternalAccessConfiguration
│             ├      documentation: Specifies the configuration of an internal access analyzer for an AWS organization or account. This configuration determines how the analyzer evaluates internal access within your AWS environment.
│             │      name: InternalAccessConfiguration
│             └ properties
│                └ InternalAccessAnalysisRule: InternalAccessAnalysisRule
├[~] service aws-amplify
│ └ resources
│    └[~]  resource AWS::Amplify::App
│       ├ properties
│       │  └[+] JobConfig: JobConfig
│       └ types
│          └[+]  type JobConfig
│             ├      documentation: Describes the configuration details that apply to the jobs for an Amplify app.
│             │      Use `JobConfig` to apply configuration to jobs, such as customizing the build instance size when you create or update an Amplify app. For more information about customizable build instances, see [Custom build instances](https://docs.aws.amazon.com/amplify/latest/userguide/custom-build-instance.html) in the *Amplify User Guide* .
│             │      name: JobConfig
│             └ properties
│                └ BuildComputeType: string (required)
├[~] service aws-cleanrooms
│ └ resources
│    └[~]  resource AWS::CleanRooms::Collaboration
│       ├ properties
│       │  ├ CreatorMemberAbilities: - Array<string> (required, immutable)
│       │  │                         + Array<string> (immutable)
│       │  └ Members: - Array<MemberSpecification> (required, immutable)
│       │             + Array<MemberSpecification> (immutable)
│       └ types
│          └[~] type MemberSpecification
│            └ properties
│               └ MemberAbilities: - Array<string> (required, immutable)
│                                  + Array<string> (immutable)
├[~] service aws-connect
│ └ resources
│    └[~]  resource AWS::Connect::EvaluationForm
│       ├ properties
│       │  └[+] AutoEvaluationConfiguration: AutoEvaluationConfiguration
│       └ types
│          ├[+]  type AutoEvaluationConfiguration
│          │  ├      name: AutoEvaluationConfiguration
│          │  └ properties
│          │     └ Enabled: boolean
│          └[~] type EvaluationFormNumericQuestionAutomation
│            └ properties
│               └ PropertyValue: - NumericQuestionPropertyValueAutomation (required)
│                                + NumericQuestionPropertyValueAutomation
├[~] service aws-customerprofiles
│ └ resources
│    ├[~]  resource AWS::CustomerProfiles::CalculatedAttributeDefinition
│    │  └ types
│    │     └[~] type Range
│    │       └ properties
│    │          └ Value: - integer (required)
│    │                   + integer
│    └[~]  resource AWS::CustomerProfiles::SegmentDefinition
│       └ types
│          ├[~] type ProfileAttributes
│          │ └ properties
│          │    └[+] ProfileType: ProfileTypeDimension
│          └[+]  type ProfileTypeDimension
│             ├      documentation: Specifies profile type based criteria for a segment.
│             │      name: ProfileTypeDimension
│             └ properties
│                ├ DimensionType: string (required)
│                └ Values: Array<string> (required)
├[~] service aws-deadline
│ └ resources
│    └[~]  resource AWS::Deadline::Fleet
│       └ types
│          └[~] type AcceleratorSelection
│            └ properties
│               ├ Name: (documentation changed)
│               └ Runtime: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    ├[~]  resource AWS::EC2::Subnet
│    │  └ types
│    │     └[~] type BlockPublicAccessStates
│    │       ├      - documentation: undefined
│    │       │      + documentation: The state of VPC Block Public Access (BPA).
│    │       └ properties
│    │          └ InternetGatewayBlockMode: (documentation changed)
│    └[~]  resource AWS::EC2::TrafficMirrorFilter
│       └ attributes
│          └ Id: (documentation changed)
├[~] service aws-ecr
│ └ resources
│    └[~]  resource AWS::ECR::RepositoryCreationTemplate
│       └ properties
│          └ ImageTagMutability: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       └      - documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers.
│              > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
│              + documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers.
│              > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. > On June 12, 2025, Amazon ECS launched support for updating capacity provider configuration for Amazon ECS services. With this launch, Amazon ECS also aligned the AWS CloudFormation update behavior for `CapacityProviderStrategy` parameter with the standard practice. For more information, see [Amazon ECS adds support for updating capacity provider configuration for ECS services](https://docs.aws.amazon.com/about-aws/whats-new/2025/05/amazon-ecs-capacity-provider-configuration-ecs/) . Previously Amazon ECS ignored the `CapacityProviderStrategy` property if it was set to an empty list for example, `[]` in AWS CloudFormation , because updating capacity provider configuration was not supported. Now, with support for capacity provider updates, customers can remove capacity providers from a service by passing an empty list. When you specify an empty list ( `[]` ) for the `CapacityProviderStrategy` property in your AWS CloudFormation template, Amazon ECS will remove any capacity providers associated with the service, as follows:
│              > 
│              > - For services created with a capacity provider strategy after the launch:
│              > 
│              > - If there's a cluster default strategy set, the service will revert to using that default strategy.
│              > - If no cluster default strategy exists, you will receive the following error:
│              > 
│              > No launch type to fall back to for empty capacity provider strategy. Your service was not created with a launch type.
│              > - For services created with a capacity provider strategy prior to the launch:
│              > 
│              > - If `CapacityProviderStrategy` had `FARGATE_SPOT` or `FARGATE` capacity providers, the launch type will be updated to `FARGATE` and the capacity provider will be removed.
│              > - If the strategy included Auto Scaling group capacity providers, the service will revert to EC2 launch type, and the Auto Scaling group capacity providers will not be used.
│              > 
│              > Recommended Actions
│              > 
│              > If you are currently using `CapacityProviderStrategy: []` in your AWS CloudFormation templates, you should take one of the following actions:
│              > 
│              > - If you do not intend to update the Capacity Provider Strategy:
│              > 
│              > - Remove the `CapacityProviderStrategy` property entirely from your AWS CloudFormation template
│              > - Alternatively, use `!Ref AWS ::NoValue` for the `CapacityProviderStrategy` property in your template
│              > - If you intend to maintain or update the Capacity Provider Strategy, specify the actual Capacity Provider Strategy for the service in your AWS CloudFormation template.
│              > 
│              > If your AWS CloudFormation template had an empty list ([]) for `CapacityProviderStrategy` prior to the aforementioned launch on June 12, and you are using the same template with `CapacityProviderStrategy: []` , you might encounter the following error:
│              > 
│              > Invalid request provided: When switching from launch type to capacity provider strategy on an existing service, or making a change to a capacity provider strategy on a service that is already using one, you must force a new deployment. (Service: Ecs, Status Code: 400, Request ID: xxx) (SDK Attempt Count: 1)" (RequestToken: xxx HandlerErrorCode: InvalidRequest)
│              > 
│              > Note that AWS CloudFormation automatically initiates a new deployment when it detects a parameter change, but customers cannot choose to force a deployment through AWS CloudFormation . This is an invalid input scenario that requires one of the remediation actions listed above.
│              > 
│              > If you are experiencing active production issues related to this change, contact AWS Support or your Technical Account Manager.
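Review bot: in the new `AWS::ECS::Service` documentation, `CapacityProviderStrategy: []` goes from being ignored to removing the service's capacity providers, so a template that has carried an empty list since before June 12, 2025 can switch launch type or fail with the "you must force a new deployment" error on its next update. Before merging, check whether any CDK construct or documented L1 usage emits an empty `CapacityProviderStrategy`, and decide whether customers need a notice. The remediation text also renders as `!Ref AWS ::NoValue` with a stray space, and the unchanged paragraph as `AWS ; will not onboard`; both are worth reporting to the spec source, since the pseudo parameter is `AWS::NoValue` and the text will be copied into templates as written.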
├[~] service aws-inspectorv2
│ └ resources
│    └[~]  resource AWS::InspectorV2::Filter
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│       ├ properties
│       │  └[+] Tags: Map<string, string>
│       └ types
│          ├[~] type FilterCriteria
│          │ └ properties
│          │    ├[+] CodeVulnerabilityDetectorName: Array<StringFilter>
│          │    ├[+] CodeVulnerabilityDetectorTags: Array<StringFilter>
│          │    ├[+] CodeVulnerabilityFilePath: Array<StringFilter>
│          │    ├[+] EpssScore: Array<NumberFilter>
│          │    ├[+] ExploitAvailable: Array<StringFilter>
│          │    ├[+] FixAvailable: Array<StringFilter>
│          │    ├[+] LambdaFunctionExecutionRoleArn: Array<StringFilter>
│          │    ├[+] LambdaFunctionLastModifiedAt: Array<DateFilter>
│          │    ├[+] LambdaFunctionLayers: Array<StringFilter>
│          │    ├[+] LambdaFunctionName: Array<StringFilter>
│          │    └[+] LambdaFunctionRuntime: Array<StringFilter>
│          └[~] type PackageFilter
│            └ properties
│               ├[+] FilePath: StringFilter
│               └[+] SourceLambdaLayerArn: StringFilter
├[~] service aws-kms
│ └ resources
│    └[~]  resource AWS::KMS::Key
│       └ properties
│          ├ KeySpec: (documentation changed)
│          ├ KeyUsage: (documentation changed)
│          └ Origin: (documentation changed)
├[~] service aws-lambda
│ └ resources
│    └[~]  resource AWS::Lambda::EventSourceMapping
│       └ types
│          ├[~] type SchemaRegistryAccessConfig
│          │ └ properties
│          │    ├ Type: (documentation changed)
│          │    └ URI: (documentation changed)
│          ├[~] type SchemaRegistryConfig
│          │ └ properties
│          │    ├ AccessConfigs: (documentation changed)
│          │    ├ EventRecordFormat: (documentation changed)
│          │    ├ SchemaRegistryURI: (documentation changed)
│          │    └ SchemaValidationConfigs: (documentation changed)
│          └[~] type SchemaValidationConfig
│            └ properties
│               └ Attribute: (documentation changed)
├[~] service aws-mediatailor
│ └ resources
│    └[~]  resource AWS::MediaTailor::PlaybackConfiguration
│       ├ properties
│       │  └[+] LogConfiguration: LogConfiguration
│       └ types
│          ├[+]  type AdsInteractionLog
│          │  ├      documentation: Settings for customizing what events are included in logs for interactions with the ad decision server (ADS).
│          │  │      For more information about ADS logs, inlcuding descriptions of the event types, see [MediaTailor ADS logs description and event types](https://docs.aws.amazon.com/mediatailor/latest/ug/ads-log-format.html) in AWS Elemental MediaTailor User Guide.
│          │  │      name: AdsInteractionLog
│          │  └ properties
│          │     ├ ExcludeEventTypes: Array<string>
│          │     └ PublishOptInEventTypes: Array<string>
│          ├[+]  type LogConfiguration
│          │  ├      documentation: Defines where AWS Elemental MediaTailor sends logs for the playback configuration.
│          │  │      name: LogConfiguration
│          │  └ properties
│          │     ├ AdsInteractionLog: AdsInteractionLog
│          │     ├ EnabledLoggingStrategies: Array<string>
│          │     ├ ManifestServiceInteractionLog: ManifestServiceInteractionLog
│          │     └ PercentEnabled: integer (required)
│          └[+]  type ManifestServiceInteractionLog
│             ├      documentation: Settings for customizing what events are included in logs for interactions with the origin server.
│             │      For more information about manifest service logs, including descriptions of the event types, see [MediaTailor manifest logs description and event types](https://docs.aws.amazon.com/mediatailor/latest/ug/log-types.html) in AWS Elemental MediaTailor User Guide.
│             │      name: ManifestServiceInteractionLog
│             └ properties
│                └ ExcludeEventTypes: Array<string>
├[+] service aws-mpa
│ ├      capitalized: MPA
│ │      cloudFormationNamespace: AWS::MPA
│ │      name: aws-mpa
│ │      shortName: mpa
│ └ resources
│    ├ resource AWS::MPA::ApprovalTeam
│    │ ├      name: ApprovalTeam
│    │ │      cloudFormationType: AWS::MPA::ApprovalTeam
│    │ │      documentation: Resource Type definition for AWS::MPA::ApprovalTeam.
│    │ │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │ ├ properties
│    │ │  ├ ApprovalStrategy: ApprovalStrategy (required)
│    │ │  ├ Approvers: Array<Approver> (required)
│    │ │  ├ Tags: Array<tag>
│    │ │  ├ Policies: Array<Policy> (required, immutable)
│    │ │  ├ Name: string (required, immutable)
│    │ │  └ Description: string (required)
│    │ ├ attributes
│    │ │  ├ Arn: string
│    │ │  ├ VersionId: string
│    │ │  ├ NumberOfApprovers: integer
│    │ │  ├ UpdateSessionArn: string
│    │ │  ├ CreationTime: string
│    │ │  ├ LastUpdateTime: string
│    │ │  ├ Status: string
│    │ │  ├ StatusCode: string
│    │ │  └ StatusMessage: string
│    │ └ types
│    │    ├ type ApprovalStrategy
│    │    │ ├      name: ApprovalStrategy
│    │    │ └ properties
│    │    │    └ MofN: MofNApprovalStrategy (required)
│    │    ├ type Approver
│    │    │ ├      name: Approver
│    │    │ └ properties
│    │    │    ├ PrimaryIdentityId: string (required)
│    │    │    ├ PrimaryIdentitySourceArn: string (required)
│    │    │    ├ ApproverId: string
│    │    │    ├ ResponseTime: string
│    │    │    └ PrimaryIdentityStatus: string
│    │    ├ type MofNApprovalStrategy
│    │    │ ├      name: MofNApprovalStrategy
│    │    │ └ properties
│    │    │    └ MinApprovalsRequired: integer (required)
│    │    └ type Policy
│    │      ├      name: Policy
│    │      └ properties
│    │         └ PolicyArn: string (required, immutable)
│    └ resource AWS::MPA::IdentitySource
│      ├      name: IdentitySource
│      │      cloudFormationType: AWS::MPA::IdentitySource
│      │      documentation: Resource Type definition for AWS::MPA::IdentitySource.
│      │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  ├ IdentitySourceParameters: IdentitySourceParameters (required, immutable)
│      │  └ Tags: Array<tag>
│      ├ attributes
│      │  ├ IdentitySourceArn: string
│      │  ├ IdentitySourceType: string
│      │  ├ IdentitySourceParameters.IamIdentityCenter.ApprovalPortalUrl: string
│      │  ├ CreationTime: string
│      │  ├ Status: string
│      │  ├ StatusCode: string
│      │  └ StatusMessage: string
│      └ types
│         ├ type IamIdentityCenter
│         │ ├      name: IamIdentityCenter
│         │ └ properties
│         │    ├ InstanceArn: string (required, immutable)
│         │    ├ Region: string (required, immutable)
│         │    └ ApprovalPortalUrl: string
│         └ type IdentitySourceParameters
│           ├      name: IdentitySourceParameters
│           └ properties
│              └ IamIdentityCenter: IamIdentityCenter (required, immutable)
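Review bot: the new `aws-mpa` service ships without usable documentation: `ApprovalStrategy`, `Approver`, `MofNApprovalStrategy`, `Policy`, `IamIdentityCenter` and `IdentitySourceParameters` carry only a `name`, and both resources have the placeholder "Resource Type definition for ...". The generated L1 will therefore expose `MinApprovalsRequired`, `Policies` and `PrimaryIdentitySourceArn` with no doc strings, even though these set the approval threshold and the identities that can approve. Suggest flagging the missing descriptions upstream in the service spec so they arrive with a later update.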
├[~] service aws-networkfirewall
│ └ resources
│    ├[~]  resource AWS::NetworkFirewall::RuleGroup
│    │  └ types
│    │     └[~] type RuleVariables
│    │       └      - documentation: Settings that are available for use in the rules in the `RuleGroup` where this is defined.
│    │              + documentation: Settings that are available for use in the rules in the `RuleGroup` where this is defined. See `CreateRuleGroup` or `UpdateRuleGroup` for usage.
│    └[~]  resource AWS::NetworkFirewall::TLSInspectionConfiguration
│       └ types
│          └[~] type ServerCertificateConfiguration
│            └ properties
│               └ CertificateAuthorityArn: (documentation changed)
├[~] service aws-opsworkscm
│ └ resources
│    └[~]  resource AWS::OpsWorksCM::Server
│       ├ properties
│       │  └[+] ServerName: string (immutable)
│       └ attributes
│          └ ServerName: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    ├[~]  resource AWS::SageMaker::Model
│    │  └ types
│    │     └[~] type S3DataSource
│    │       └ properties
│    │          └ S3DataType: (documentation changed)
│    └[~]  resource AWS::SageMaker::ModelPackage
│       └ types
│          └[~] type S3DataSource
│            └ properties
│               └ S3DataType: (documentation changed)
├[~] service aws-securityhub
│ └ resources
│    ├[+]  resource AWS::SecurityHub::AggregatorV2
│    │  ├      name: AggregatorV2
│    │  │      cloudFormationType: AWS::SecurityHub::AggregatorV2
│    │  │      documentation: The AWS::SecurityHub::AggregatorV2 resource represents the AWS Security Hub AggregatorV2 in your account. One aggregatorv2 resource is created for each account in non opt-in region in which you configure region linking mode.
│    │  │      tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│    │  ├ properties
│    │  │  ├ RegionLinkingMode: string (required)
│    │  │  ├ LinkedRegions: Array<string> (required)
│    │  │  └ Tags: Map<string, string>
│    │  └ attributes
│    │     ├ AggregatorV2Arn: string
│    │     └ AggregationRegion: string
│    ├[~]  resource AWS::SecurityHub::AutomationRule
│    │  └ types
│    │     └[~] type StringFilter
│    │       └ properties
│    │          └ Comparison: (documentation changed)
│    ├[+]  resource AWS::SecurityHub::AutomationRuleV2
│    │  ├      name: AutomationRuleV2
│    │  │      cloudFormationType: AWS::SecurityHub::AutomationRuleV2
│    │  │      documentation: Resource schema for AWS::SecurityHub::AutomationRuleV2
│    │  │      tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│    │  ├ properties
│    │  │  ├ RuleName: string (required)
│    │  │  ├ RuleStatus: string
│    │  │  ├ Description: string (required)
│    │  │  ├ RuleOrder: number (required)
│    │  │  ├ Criteria: Criteria (required)
│    │  │  ├ Actions: Array<AutomationRulesActionV2> (required)
│    │  │  └ Tags: Map<string, string>
│    │  ├ attributes
│    │  │  ├ RuleArn: string
│    │  │  ├ RuleId: string
│    │  │  ├ CreatedAt: string
│    │  │  └ UpdatedAt: string
│    │  └ types
│    │     ├ type AutomationRulesActionV2
│    │     │ ├      documentation: Allows you to configure automated responses
│    │     │ │      name: AutomationRulesActionV2
│    │     │ └ properties
│    │     │    ├ Type: string (required)
│    │     │    ├ FindingFieldsUpdate: AutomationRulesFindingFieldsUpdateV2
│    │     │    └ ExternalIntegrationConfiguration: ExternalIntegrationConfiguration
│    │     ├ type AutomationRulesFindingFieldsUpdateV2
│    │     │ ├      documentation: The changes to be applied to fields in a security finding when an automation rule is triggered
│    │     │ │      name: AutomationRulesFindingFieldsUpdateV2
│    │     │ └ properties
│    │     │    ├ SeverityId: integer
│    │     │    ├ Comment: string
│    │     │    └ StatusId: integer
│    │     ├ type BooleanFilter
│    │     │ ├      documentation: Boolean filter for querying findings
│    │     │ │      name: BooleanFilter
│    │     │ └ properties
│    │     │    └ Value: boolean (required)
│    │     ├ type CompositeFilter
│    │     │ ├      documentation: Enables the creation of filtering criteria for security findings
│    │     │ │      name: CompositeFilter
│    │     │ └ properties
│    │     │    ├ StringFilters: Array<OcsfStringFilter>
│    │     │    ├ DateFilters: Array<OcsfDateFilter>
│    │     │    ├ BooleanFilters: Array<OcsfBooleanFilter>
│    │     │    ├ NumberFilters: Array<OcsfNumberFilter>
│    │     │    ├ MapFilters: Array<OcsfMapFilter>
│    │     │    └ Operator: string
│    │     ├ type Criteria
│    │     │ ├      documentation: Defines the parameters and conditions used to evaluate and filter security findings
│    │     │ │      name: Criteria
│    │     │ └ properties
│    │     │    └ OcsfFindingCriteria: OcsfFindingFilters
│    │     ├ type DateFilter
│    │     │ ├      documentation: A date filter for querying findings
│    │     │ │      name: DateFilter
│    │     │ └ properties
│    │     │    ├ DateRange: DateRange
│    │     │    ├ End: string
│    │     │    └ Start: string
│    │     ├ type DateRange
│    │     │ ├      documentation: A date range for the date filter
│    │     │ │      name: DateRange
│    │     │ └ properties
│    │     │    ├ Unit: string (required)
│    │     │    └ Value: number (required)
│    │     ├ type ExternalIntegrationConfiguration
│    │     │ ├      documentation: The settings for integrating automation rule actions with external systems or service
│    │     │ │      name: ExternalIntegrationConfiguration
│    │     │ └ properties
│    │     │    └ ConnectorArn: string
│    │     ├ type MapFilter
│    │     │ ├      documentation: A map filter for filtering findings
│    │     │ │      name: MapFilter
│    │     │ └ properties
│    │     │    ├ Comparison: string (required)
│    │     │    ├ Key: string (required)
│    │     │    └ Value: string (required)
│    │     ├ type NumberFilter
│    │     │ ├      documentation: A number filter for querying findings
│    │     │ │      name: NumberFilter
│    │     │ └ properties
│    │     │    ├ Eq: number
│    │     │    ├ Gte: number
│    │     │    └ Lte: number
│    │     ├ type OcsfBooleanFilter
│    │     │ ├      documentation: Enables filtering of security findings based on boolean field values in OCSF
│    │     │ │      name: OcsfBooleanFilter
│    │     │ └ properties
│    │     │    ├ FieldName: string (required)
│    │     │    └ Filter: BooleanFilter (required)
│    │     ├ type OcsfDateFilter
│    │     │ ├      documentation: Enables filtering of security findings based on date and timestamp fields in OCSF
│    │     │ │      name: OcsfDateFilter
│    │     │ └ properties
│    │     │    ├ FieldName: string (required)
│    │     │    └ Filter: DateFilter (required)
│    │     ├ type OcsfFindingFilters
│    │     │ ├      documentation: The filtering conditions that align with OCSF standards
│    │     │ │      name: OcsfFindingFilters
│    │     │ └ properties
│    │     │    ├ CompositeFilters: Array<CompositeFilter>
│    │     │    └ CompositeOperator: string
│    │     ├ type OcsfMapFilter
│    │     │ ├      documentation: Enables filtering of security findings based on map field values in OCSF
│    │     │ │      name: OcsfMapFilter
│    │     │ └ properties
│    │     │    ├ FieldName: string (required)
│    │     │    └ Filter: MapFilter (required)
│    │     ├ type OcsfNumberFilter
│    │     │ ├      documentation: Enables filtering of security findings based on numerical field values in OCSF
│    │     │ │      name: OcsfNumberFilter
│    │     │ └ properties
│    │     │    ├ FieldName: string (required)
│    │     │    └ Filter: NumberFilter (required)
│    │     ├ type OcsfStringFilter
│    │     │ ├      documentation: Enables filtering of security findings based on string field values in OCSF
│    │     │ │      name: OcsfStringFilter
│    │     │ └ properties
│    │     │    ├ FieldName: string (required)
│    │     │    └ Filter: StringFilter (required)
│    │     └ type StringFilter
│    │       ├      documentation: A string filter for filtering findings
│    │       │      name: StringFilter
│    │       └ properties
│    │          ├ Value: string (required)
│    │          └ Comparison: string (required)
│    └[~]  resource AWS::SecurityHub::Insight
│       └ types
│          └[~] type StringFilter
│            └ properties
│               └ Comparison: (documentation changed)
├[~] service aws-synthetics
│ └ resources
│    └[~]  resource AWS::Synthetics::Canary
│       └ types
│          └[~] type RunConfig
│            └ properties
│               └[+] EphemeralStorage: integer
└[~] service aws-wafv2
  └ resources
     ├[~]  resource AWS::WAFv2::RuleGroup
     │  └ types
     │     ├[~] type AsnMatchStatement
     │     │ ├      - documentation: undefined
     │     │ │      + documentation: A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address.
     │     │ │      For additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .
     │     │ └ properties
     │     │    ├ AsnList: (documentation changed)
     │     │    └ ForwardedIPConfig: (documentation changed)
     │     ├[~] type RateBasedStatementCustomKey
     │     │ └ properties
     │     │    └ ASN: (documentation changed)
     │     └[~] type Statement
     │       └ properties
     │          └ AsnMatchStatement: (documentation changed)
     └[~]  resource AWS::WAFv2::WebACL
        ├ properties
        │  └ OnSourceDDoSProtectionConfig: - OnSourceDDoSProtectionConfig ⇐ json
        │                                  + OnSourceDDoSProtectionConfig
        └ types
           ├[~] type AsnMatchStatement
           │ ├      - documentation: undefined
           │ │      + documentation: A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address.
           │ │      For additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) .
           │ └ properties
           │    ├ AsnList: (documentation changed)
           │    └ ForwardedIPConfig: (documentation changed)
           ├[~] type AWSManagedRulesAntiDDoSRuleSet
           │ ├      - documentation: Configures how to use the AntiDDOS AWS managed rule group in the web ACL
           │ │      + documentation: Configures the use of the anti-DDoS managed rule group, `AWSManagedRulesAntiDDoSRuleSet` . This configuration is used in `ManagedRuleGroupConfig` .
           │ │      The configuration that you provide here determines whether and how the rules in the rule group are used.
           │ │      For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* .
           │ └ properties
           │    ├ ClientSideActionConfig: (documentation changed)
           │    └ SensitivityToBlock: (documentation changed)
           ├[~] type ClientSideAction
           │ ├      - documentation: Client side action config for AntiDDOS AMR.
           │ │      + documentation: This is part of the `AWSManagedRulesAntiDDoSRuleSet` `ClientSideActionConfig` configuration in `ManagedRuleGroupConfig` .
           │ └ properties
           │    ├ ExemptUriRegularExpressions: (documentation changed)
           │    ├ Sensitivity: (documentation changed)
           │    └ UsageOfAction: (documentation changed)
           ├[~] type ClientSideActionConfig
           │ ├      - documentation: Client side action config for AntiDDOS AMR.
           │ │      + documentation: This is part of the configuration for the managed rules `AWSManagedRulesAntiDDoSRuleSet` in `ManagedRuleGroupConfig` .
           │ └ properties
           │    └ Challenge: (documentation changed)
           ├[~] type ManagedRuleGroupConfig
           │ └ properties
           │    └ AWSManagedRulesAntiDDoSRuleSet: (documentation changed)
           ├[~] type OnSourceDDoSProtectionConfig
           │ ├      - documentation: Configures the options for on-source DDoS protection provided by supported resource type.
           │ │      + documentation: Configures the level of DDoS protection that applies to web ACLs associated with Application Load Balancers.
           │ └ properties
           │    └ ALBLowReputationMode: (documentation changed)
           ├[~] type RateBasedStatementCustomKey
           │ └ properties
           │    └ ASN: (documentation changed)
           ├[~] type Regex
           │ ├      - documentation: Regex
           │ │      + documentation: A single regular expression. This is used in a `RegexPatternSet` and also in the configuration for the AWS Managed Rules rule group `AWSManagedRulesAntiDDoSRuleSet` .
           │ └ properties
           │    └ RegexString: (documentation changed)
           └[~] type Statement
             └ properties
                └ AsnMatchStatement: (documentation changed)

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
@aws-cdk-automation aws-cdk-automation added contribution/core This is a PR that came from AWS. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Jun 23, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team June 23, 2025 13:51
@github-actions github-actions bot added the p2 label Jun 23, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team June 23, 2025 13:51
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jun 23, 2025
@vishaalmehrishi
Contributor

The change looks fine, with the exception of this. Going to check with the team to determine how this impacts CDK customers and if we need a notice.

[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       └      - documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers.
│              > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
│              + documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers.
│              > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. > On June 12, 2025, Amazon ECS launched support for updating capacity provider configuration for Amazon ECS services. With this launch, Amazon ECS also aligned the AWS CloudFormation update behavior for `CapacityProviderStrategy` parameter with the standard practice. For more information, see [Amazon ECS adds support for updating capacity provider configuration for ECS services](https://docs.aws.amazon.com/about-aws/whats-new/2025/05/amazon-ecs-capacity-provider-configuration-ecs/) . Previously Amazon ECS ignored the `CapacityProviderStrategy` property if it was set to an empty list for example, `[]` in AWS CloudFormation , because updating capacity provider configuration was not supported. Now, with support for capacity provider updates, customers can remove capacity providers from a service by passing an empty list. When you specify an empty list ( `[]` ) for the `CapacityProviderStrategy` property in your AWS CloudFormation template, Amazon ECS will remove any capacity providers associated with the service, as follows:
│              > 
│              > - For services created with a capacity provider strategy after the launch:
│              > 
│              > - If there's a cluster default strategy set, the service will revert to using that default strategy.
│              > - If no cluster default strategy exists, you will receive the following error:
│              > 
│              > No launch type to fall back to for empty capacity provider strategy. Your service was not created with a launch type.
│              > - For services created with a capacity provider strategy prior to the launch:
│              > 
│              > - If `CapacityProviderStrategy` had `FARGATE_SPOT` or `FARGATE` capacity providers, the launch type will be updated to `FARGATE` and the capacity provider will be removed.
│              > - If the strategy included Auto Scaling group capacity providers, the service will revert to EC2 launch type, and the Auto Scaling group capacity providers will not be used.
│              > 
│              > Recommended Actions
│              > 
│              > If you are currently using `CapacityProviderStrategy: []` in your AWS CloudFormation templates, you should take one of the following actions:
│              > 
│              > - If you do not intend to update the Capacity Provider Strategy:
│              > 
│              > - Remove the `CapacityProviderStrategy` property entirely from your AWS CloudFormation template
│              > - Alternatively, use `!Ref AWS ::NoValue` for the `CapacityProviderStrategy` property in your template
│              > - If you intend to maintain or update the Capacity Provider Strategy, specify the actual Capacity Provider Strategy for the service in your AWS CloudFormation template.
│              > 
│              > If your AWS CloudFormation template had an empty list ([]) for `CapacityProviderStrategy` prior to the aforementioned launch on June 12, and you are using the same template with `CapacityProviderStrategy: []` , you might encounter the following error:
│              > 
│              > Invalid request provided: When switching from launch type to capacity provider strategy on an existing service, or making a change to a capacity provider strategy on a service that is already using one, you must force a new deployment. (Service: Ecs, Status Code: 400, Request ID: xxx) (SDK Attempt Count: 1)" (RequestToken: xxx HandlerErrorCode: InvalidRequest)
│              > 
│              > Note that AWS CloudFormation automatically initiates a new deployment when it detects a parameter change, but customers cannot choose to force a deployment through AWS CloudFormation . This is an invalid input scenario that requires one of the remediation actions listed above.
│              > 
│              > If you are experiencing active production issues related to this change, contact AWS Support or your Technical Account Manager.
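Review bot: in the added `AWS::ECS::Service` documentation, the second bullet under "Recommended Actions" writes the pseudo parameter as `!Ref AWS ::NoValue`, with a space before `::`. Copied into a template as written, that is not the `AWS::NoValue` pseudo parameter, so the doc string should be corrected in the service spec source. The sub-bullets under each "For services created ..." item are also flattened to the same level as their parent, and the stray `AWS ;` in the Elastic Inference paragraph is carried over unchanged from the old text. Separately, the added text states that `CapacityProviderStrategy: []` now removes capacity providers where it was previously ignored. This diff only touches a documentation string, but it is worth confirming whether any existing template passes an empty list for this property, since the documented outcomes include a launch type change or a failed update.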

Given this is a documentation-only update (i.e. there's no behavioural change being introduced), there is no new risk for CDK customers. Approving.

@vishaalmehrishi vishaalmehrishi self-assigned this Jun 23, 2025
@mergify
Contributor

mergify bot commented Jun 23, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jun 23, 2025
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 887be7f
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 074cb8c into main Jun 23, 2025
17 checks passed
@mergify mergify bot deleted the automation/spec-update branch June 23, 2025 15:54
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 23, 2025