
@aws-cdk-automation

> ⚠️ This Pull Request updates daily and will overwrite **all** manual changes pushed to the branch

Updates the documentation source from upstream. See details in [workflow run].

[Workflow Run]: https://github.com/cdklabs/awscdk-service-spec/actions/runs/19524636408

------

*Automatically created by projen via the "update-source-documentation" workflow*

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@github-actions

To work on this Pull Request, please create a new branch and PR. This prevents your work from being deleted by the automation.

Run the following commands inside the repo:

gh co 2228
git switch -c fix-pr-2228 && git push -u origin HEAD
gh pr create -t "fix: PR #2228" --body "Fixes https://github.com/cdklabs/awscdk-service-spec/pull/2228"

@github-actions

@aws-cdk/aws-service-spec: Model database diff detected

├[~] service aws-aiops
│ └ resources
│    └[~]  resource AWS::AIOps::InvestigationGroup
│       ├ properties
│       │  ├ ChatbotNotificationChannels: (documentation changed)
│       │  └ EncryptionConfig: (documentation changed)
│       └ types
│          ├[~] type ChatbotNotificationChannel
│          │ └ properties
│          │    └ SNSTopicArn: (documentation changed)
│          └[~] type EncryptionConfigMap
│            └      - documentation: Use this structure if you want to use a customer managed AWS KMS key to encrypt your investigation data. If you omit this parameter, CloudWatch investigations will use an AWS key to encrypt the data. For more information, see [Encryption of investigation data](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS) .
│                   + documentation: Use this structure if you want to use a customer managed AWS  key to encrypt your investigation data. If you omit this parameter, CloudWatch investigations will use an AWS key to encrypt the data. For more information, see [Encryption of investigation data](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations-Security.html#Investigations-KMS) .
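Review bot: the replacement EncryptionConfigMap text drops the service name, `customer managed AWS KMS key` becomes `customer managed AWS  key` (double space, no key type named), so a reader can no longer tell which key service the structure configures. The `-` line is the correct wording; this looks like an empty substitution for the KMS abbreviation in the upstream source and should be reported there rather than shipped as-is.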
├[~] service aws-amazonmq
│ └ resources
│    └[~]  resource AWS::AmazonMQ::Broker
│       └ types
│          └[~] type EncryptionOptions
│            └ properties
│               ├ KmsKeyId: (documentation changed)
│               └ UseAwsOwnedKey: (documentation changed)
├[~] service aws-apigateway
│ └ resources
│    ├[~]  resource AWS::ApiGateway::DomainName
│    │  └ properties
│    │     └ SecurityPolicy: (documentation changed)
│    └[~]  resource AWS::ApiGateway::DomainNameV2
│       └ properties
│          └ SecurityPolicy: (documentation changed)
├[~] service aws-appconfig
│ └ resources
│    └[~]  resource AWS::AppConfig::ConfigurationProfile
│       └ attributes
│          └ KmsKeyArn: (documentation changed)
├[~] service aws-aps
│ └ resources
│    ├[~]  resource AWS::APS::ResourcePolicy
│    │  └      - documentation: Use resource-based policies to grant permissions to other AWS accounts or services to access your workspace.
│    │         Only Prometheus-compatible APIs can be used for workspace sharing. You can add non-Prometheus-compatible APIs to the policy, but they will be ignored. For more information, see [Prometheus-compatible APIs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-APIReference-Prometheus-Compatible-Apis.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         If your workspace uses customer-managed AWS KMS keys for encryption, you must grant the principals in your resource-based policy access to those AWS KMS keys. You can do this by creating AWS KMS grants. For more information, see [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) in the *AWS KMS API Reference* and [Encryption at rest](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         For more information about working with IAM , see [Using Amazon Managed Service for Prometheus with IAM](https://docs.aws.amazon.com/prometheus/latest/userguide/security_iam_service-with-iam.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         + documentation: Use resource-based policies to grant permissions to other AWS accounts or services to access your workspace.
│    │         Only Prometheus-compatible APIs can be used for workspace sharing. You can add non-Prometheus-compatible APIs to the policy, but they will be ignored. For more information, see [Prometheus-compatible APIs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-APIReference-Prometheus-Compatible-Apis.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         If your workspace uses customer-managed AWS  keys for encryption, you must grant the principals in your resource-based policy access to those AWS  keys. You can do this by creating AWS  grants. For more information, see [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) in the *AWS  API Reference* and [Encryption at rest](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │         For more information about working with IAM , see [Using Amazon Managed Service for Prometheus with IAM](https://docs.aws.amazon.com/prometheus/latest/userguide/security_iam_service-with-iam.html) in the *Amazon Managed Service for Prometheus User Guide* .
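Review bot: the same dropped abbreviation appears three times in the ResourcePolicy text, `AWS  keys`, `AWS  grants` and `*AWS  API Reference*`, and it matters more here because the paragraph is the guidance on which grants principals in a resource-based policy need; with `KMS` missing, the instruction to create "AWS grants" is meaningless. Keep the `-` wording (`AWS KMS keys`, `AWS KMS grants`, `AWS KMS API Reference`) until upstream is fixed.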
│    └[~]  resource AWS::APS::Workspace
│       └ properties
│          └ KmsKeyArn: (documentation changed)
├[~] service aws-backup
│ └ resources
│    └[~]  resource AWS::Backup::LogicallyAirGappedBackupVault
│       └ properties
│          └ EncryptionKeyArn: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│    ├[~]  resource AWS::Bedrock::Agent
│    │  └ properties
│    │     └ CustomerEncryptionKeyArn: (documentation changed)
│    ├[~]  resource AWS::Bedrock::Blueprint
│    │  └ properties
│    │     └ KmsKeyId: (documentation changed)
│    ├[~]  resource AWS::Bedrock::DataAutomationProject
│    │  └ properties
│    │     ├ KmsEncryptionContext: (documentation changed)
│    │     └ KmsKeyId: (documentation changed)
│    ├[~]  resource AWS::Bedrock::DataSource
│    │  └ types
│    │     └[~] type ServerSideEncryptionConfiguration
│    │       └ properties
│    │          └ KmsKeyArn: (documentation changed)
│    └[~]  resource AWS::Bedrock::Guardrail
│       └ properties
│          └ KmsKeyArn: (documentation changed)
├[~] service aws-cloudformation
│ └ resources
│    ├[~]  resource AWS::CloudFormation::CustomResource
│    │  └ properties
│    │     └ ServiceToken: (documentation changed)
│    └[~]  resource AWS::CloudFormation::WaitCondition
│       └      - documentation: The `AWS::CloudFormation::WaitCondition` resource provides a way to coordinate stack resource creation with configuration actions that are external to the stack creation or to track the status of a configuration process. In these situations, we recommend that you associate a `CreationPolicy` attribute with the wait condition instead of using a wait condition handle. For more information and an example, see [CreationPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-creationpolicy.html) in the *CloudFormation User Guide* . If you use a `CreationPolicy` with a wait condition, don't specify any of the wait condition's properties.
│              > If you use AWS PrivateLink , resources in the VPC that respond to wait conditions must have access to CloudFormation , specific Amazon S3 buckets. Resources must send wait condition responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *CloudFormation User Guide* . > For Amazon EC2 and Auto Scaling resources, we recommend that you use a `CreationPolicy` attribute instead of wait conditions. Add a `CreationPolicy` attribute to those resources, and use the `cfn-signal` helper script to signal when an instance creation process has completed successfully.
│              + documentation: The `AWS::CloudFormation::WaitCondition` resource provides a way to coordinate stack resource creation with configuration actions that are external to the stack creation or to track the status of a configuration process. In these situations, we recommend that you associate a `CreationPolicy` attribute with the wait condition instead of using a wait condition handle. For more information and an example, see [CreationPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-creationpolicy.html) in the *CloudFormation User Guide* . If you use a `CreationPolicy` with a wait condition, don't specify any of the wait condition's properties.
│              > If you use AWS PrivateLink , resources in the VPC that respond to wait conditions must have access to CloudFormation , specific Amazon S3 buckets. Resources must send wait condition responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *CloudFormation User Guide* . > For Amazon EC2 and Amazon EC2 Auto Scaling resources, we recommend that you use a `CreationPolicy` attribute instead of wait conditions. Add a `CreationPolicy` attribute to those resources, and use the `cfn-signal` helper script to signal when an instance creation process has completed successfully.
├[~] service aws-cloudtrail
│ └ resources
│    ├[~]  resource AWS::CloudTrail::EventDataStore
│    │  ├ properties
│    │  │  └ KmsKeyId: (documentation changed)
│    │  └ types
│    │     └[~] type AdvancedFieldSelector
│    │       └ properties
│    │          └ Field: (documentation changed)
│    └[~]  resource AWS::CloudTrail::Trail
│       ├ properties
│       │  └ KMSKeyId: (documentation changed)
│       ├ attributes
│       │  └ SnsTopicArn: (documentation changed)
│       └ types
│          ├[~] type AdvancedFieldSelector
│          │ └ properties
│          │    └ Field: (documentation changed)
│          └[~] type EventSelector
│            └ properties
│               └ ExcludeManagementEventSources: (documentation changed)
├[~] service aws-codedeploy
│ └ resources
│    └[~]  resource AWS::CodeDeploy::DeploymentGroup
│       ├ properties
│       │  ├ AutoScalingGroups: (documentation changed)
│       │  └ LoadBalancerInfo: (documentation changed)
│       └ types
│          ├[~] type ELBInfo
│          │ └      - documentation: The `ELBInfo` property type specifies information about the Elastic Load Balancing load balancer used for an CodeDeploy deployment group.
│          │        If you specify the `ELBInfo` property, the `DeploymentStyle.DeploymentOption` property must be set to `WITH_TRAFFIC_CONTROL` for AWS CodeDeploy to route your traffic using the specified load balancers.
│          │        `ELBInfo` is a property of the [AWS CodeDeploy DeploymentGroup LoadBalancerInfo](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-loadbalancerinfo.html) property type.
│          │        + documentation: The `ELBInfo` property type specifies information about the ELB load balancer used for an CodeDeploy deployment group.
│          │        If you specify the `ELBInfo` property, the `DeploymentStyle.DeploymentOption` property must be set to `WITH_TRAFFIC_CONTROL` for AWS CodeDeploy to route your traffic using the specified load balancers.
│          │        `ELBInfo` is a property of the [AWS CodeDeploy DeploymentGroup LoadBalancerInfo](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-loadbalancerinfo.html) property type.
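Review bot: `Elastic Load Balancing load balancer` is shortened to `ELB load balancer` in the first sentence while the link text two lines down still spells the product out, so the hunk is internally inconsistent; the pre-existing `an CodeDeploy deployment group` is carried through and should read `a CodeDeploy deployment group`.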
│          ├[~] type LoadBalancerInfo
│          │ └      - documentation: The `LoadBalancerInfo` property type specifies information about the load balancer or target group used for an AWS CodeDeploy deployment group. For more information, see [Integrating CodeDeploy with Elastic Load Balancing](https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-elastic-load-balancing.html) in the *AWS CodeDeploy User Guide* .
│          │        For CloudFormation to use the properties specified in `LoadBalancerInfo` , the `DeploymentStyle.DeploymentOption` property must be set to `WITH_TRAFFIC_CONTROL` . If `DeploymentStyle.DeploymentOption` is not set to `WITH_TRAFFIC_CONTROL` , CloudFormation ignores any settings specified in `LoadBalancerInfo` .
│          │        > CloudFormation supports blue/green deployments on the AWS Lambda compute platform only. 
│          │        `LoadBalancerInfo` is a property of the [DeploymentGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codedeploy-deploymentgroup.html) resource.
│          │        + documentation: The `LoadBalancerInfo` property type specifies information about the load balancer or target group used for an AWS CodeDeploy deployment group. For more information, see [Integrating CodeDeploy with ELB](https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-elastic-load-balancing.html) in the *AWS CodeDeploy User Guide* .
│          │        For CloudFormation to use the properties specified in `LoadBalancerInfo` , the `DeploymentStyle.DeploymentOption` property must be set to `WITH_TRAFFIC_CONTROL` . If `DeploymentStyle.DeploymentOption` is not set to `WITH_TRAFFIC_CONTROL` , CloudFormation ignores any settings specified in `LoadBalancerInfo` .
│          │        > CloudFormation supports blue/green deployments on the AWS Lambda compute platform only. 
│          │        `LoadBalancerInfo` is a property of the [DeploymentGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codedeploy-deploymentgroup.html) resource.
│          └[~] type TargetGroupInfo
│            └      - documentation: The `TargetGroupInfo` property type specifies information about a target group in Elastic Load Balancing to use in a deployment. Instances are registered as targets in a target group, and traffic is routed to the target group. For more information, see [TargetGroupInfo](https://docs.aws.amazon.com/codedeploy/latest/APIReference/API_TargetGroupInfo.html) in the *AWS CodeDeploy API Reference*
│                   If you specify the `TargetGroupInfo` property, the `DeploymentStyle.DeploymentOption` property must be set to `WITH_TRAFFIC_CONTROL` for CodeDeploy to route your traffic using the specified target groups.
│                   `TargetGroupInfo` is a property of the [LoadBalancerInfo](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-loadbalancerinfo.html) property type.
│                   + documentation: The `TargetGroupInfo` property type specifies information about a target group in ELB to use in a deployment. Instances are registered as targets in a target group, and traffic is routed to the target group. For more information, see [TargetGroupInfo](https://docs.aws.amazon.com/codedeploy/latest/APIReference/API_TargetGroupInfo.html) in the *AWS CodeDeploy API Reference*
│                   If you specify the `TargetGroupInfo` property, the `DeploymentStyle.DeploymentOption` property must be set to `WITH_TRAFFIC_CONTROL` for CodeDeploy to route your traffic using the specified target groups.
│                   `TargetGroupInfo` is a property of the [LoadBalancerInfo](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-loadbalancerinfo.html) property type.
├[~] service aws-codepipeline
│ └ resources
│    └[~]  resource AWS::CodePipeline::Pipeline
│       └ types
│          └[~] type EncryptionKey
│            └ properties
│               └ Id: (documentation changed)
├[~] service aws-codestarnotifications
│ └ resources
│    └[~]  resource AWS::CodeStarNotifications::NotificationRule
│       └ properties
│          ├ TargetAddress: (documentation changed)
│          └ Targets: (documentation changed)
├[~] service aws-comprehend
│ └ resources
│    ├[~]  resource AWS::Comprehend::DocumentClassifier
│    │  └ properties
│    │     └ ModelKmsKeyId: (documentation changed)
│    └[~]  resource AWS::Comprehend::Flywheel
│       └ types
│          └[~] type DataSecurityConfig
│            └ properties
│               ├ DataLakeKmsKeyId: (documentation changed)
│               ├ ModelKmsKeyId: (documentation changed)
│               └ VolumeKmsKeyId: (documentation changed)
├[~] service aws-config
│ └ resources
│    ├[~]  resource AWS::Config::ConfigurationRecorder
│    │  └      - documentation: The `AWS::Config::ConfigurationRecorder` resource type describes the AWS resource types that AWS Config records for configuration changes.
│    │         The configuration recorder stores the configuration changes of the specified resources in your account as configuration items.
│    │         > To enable AWS Config , you must create a configuration recorder and a delivery channel.
│    │         > 
│    │         > AWS Config uses the delivery channel to deliver the configuration changes to your Amazon S3 bucket or Amazon SNS topic. For more information, see [AWS::Config::DeliveryChannel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-deliverychannel.html) . 
│    │         AWS CloudFormation starts the recorder as soon as the delivery channel is available.
│    │         To stop the recorder and delete it, delete the configuration recorder from your stack. To stop the recorder without deleting it, call the [StopConfigurationRecorder](https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html) action of the AWS Config API directly.
│    │         For more information, see [Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-recorder) in the AWS Config Developer Guide.
│    │         + documentation: The `AWS::Config::ConfigurationRecorder` resource type describes the AWS resource types that AWS Config records for configuration changes.
│    │         The configuration recorder stores the configuration changes of the specified resources in your account as configuration items.
│    │         > To enable AWS Config , you must create a configuration recorder and a delivery channel.
│    │         > 
│    │         > AWS Config uses the delivery channel to deliver the configuration changes to your Amazon S3 bucket or Amazon  topic. For more information, see [AWS::Config::DeliveryChannel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-deliverychannel.html) . 
│    │         AWS CloudFormation starts the recorder as soon as the delivery channel is available.
│    │         To stop the recorder and delete it, delete the configuration recorder from your stack. To stop the recorder without deleting it, call the [StopConfigurationRecorder](https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html) action of the AWS Config API directly.
│    │         For more information, see [Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-recorder) in the AWS Config Developer Guide.
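Review bot: the only change in the ConfigurationRecorder hunk is a regression: `Amazon SNS topic` becomes `Amazon  topic` in the delivery-channel note, so the second delivery target is no longer identified. Suggest keeping the `-` line's `Amazon SNS topic`.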
│    └[~]  resource AWS::Config::DeliveryChannel
│       ├      - documentation: Specifies a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic.
│       │      Before you can create a delivery channel, you must create a configuration recorder. You can use this action to change the Amazon S3 bucket or an Amazon SNS topic of the existing delivery channel. To change the Amazon S3 bucket or an Amazon SNS topic, call this action and specify the changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3 bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.
│       │      > In the China (Beijing) Region, when you call this action, the Amazon S3 bucket must also be in the China (Beijing) Region. In all the other regions, AWS Config supports cross-region and cross-account delivery channels. 
│       │      You can have only one delivery channel per region per AWS account, and the delivery channel is required to use AWS Config .
│       │      > AWS Config does not support the delivery channel to an Amazon S3 bucket bucket where object lock is enabled. For more information, see [How S3 Object Lock works](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html) . 
│       │      When you create the delivery channel, you can specify; how often AWS Config delivers configuration snapshots to your Amazon S3 bucket (for example, 24 hours), the S3 bucket to which AWS Config sends configuration snapshots and configuration history files, and the Amazon SNS topic to which AWS Config sends notifications about configuration changes, such as updated resources, AWS Config rule evaluations, and when AWS Config delivers the configuration snapshot to your S3 bucket. For more information, see [Deliver Configuration Items](https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html#delivery-channel) in the AWS Config Developer Guide.
│       │      > To enable AWS Config , you must create a configuration recorder and a delivery channel. If you want to create the resources separately, you must create a configuration recorder before you can create a delivery channel. AWS Config uses the configuration recorder to capture configuration changes to your resources. For more information, see [AWS::Config::ConfigurationRecorder](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationrecorder.html) . 
│       │      For more information, see [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html) in the AWS Config Developer Guide.
│       │      + documentation: Specifies a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon  topic.
│       │      Before you can create a delivery channel, you must create a configuration recorder. You can use this action to change the Amazon S3 bucket or an Amazon  topic of the existing delivery channel. To change the Amazon S3 bucket or an Amazon  topic, call this action and specify the changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3 bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.
│       │      > In the China (Beijing) Region, when you call this action, the Amazon S3 bucket must also be in the China (Beijing) Region. In all the other regions, AWS Config supports cross-region and cross-account delivery channels. 
│       │      You can have only one delivery channel per region per AWS account, and the delivery channel is required to use AWS Config .
│       │      > AWS Config does not support the delivery channel to an Amazon S3 bucket bucket where object lock is enabled. For more information, see [How S3 Object Lock works](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html) . 
│       │      When you create the delivery channel, you can specify; how often AWS Config delivers configuration snapshots to your Amazon S3 bucket (for example, 24 hours), the S3 bucket to which AWS Config sends configuration snapshots and configuration history files, and the Amazon  topic to which AWS Config sends notifications about configuration changes, such as updated resources, AWS Config rule evaluations, and when AWS Config delivers the configuration snapshot to your S3 bucket. For more information, see [Deliver Configuration Items](https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html#delivery-channel) in the AWS Config Developer Guide.
│       │      > To enable AWS Config , you must create a configuration recorder and a delivery channel. If you want to create the resources separately, you must create a configuration recorder before you can create a delivery channel. AWS Config uses the configuration recorder to capture configuration changes to your resources. For more information, see [AWS::Config::ConfigurationRecorder](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationrecorder.html) . 
│       │      For more information, see [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html) in the AWS Config Developer Guide.
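Review bot: the DeliveryChannel text loses `SNS` in four places (`Amazon  topic`) while the same sentence still says `the SNS topic`, which leaves the paragraph inconsistent about what the second delivery target is. Two pre-existing typos are carried through and could be fixed in the same pass: `Amazon S3 bucket bucket` and `you can specify; how often` (the semicolon should be a colon or removed).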
│       └ properties
│          └ S3KmsKeyArn: (documentation changed)
├[~] service aws-databrew
│ └ resources
│    └[~]  resource AWS::DataBrew::Job
│       └ properties
│          └ EncryptionMode: (documentation changed)
├[~] service aws-directoryservice
│ └ resources
│    ├[~]  resource AWS::DirectoryService::MicrosoftAD
│    │  ├      - documentation: The `AWS::DirectoryService::MicrosoftAD` resource specifies a Microsoft Active Directory in AWS so that your directory users and groups can access the AWS Management Console and AWS applications using their existing credentials. For more information, see [AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) in the *AWS Directory Service Admin Guide* .
│    │  │      + documentation: The `AWS::DirectoryService::MicrosoftAD` resource specifies a Microsoft Active Directory in AWS so that your directory users and groups can access the the console and AWS applications using their existing credentials. For more information, see [AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) in the *Directory Service Admin Guide* .
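Review bot: `access the AWS Management Console` becomes `access the the console` (doubled article and the product name dropped); the `-` wording should be retained.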
│    │  ├ properties
│    │  │  └ Password: (documentation changed)
│    │  └ types
│    │     └[~] type VpcSettings
│    │       └ properties
│    │          └ SubnetIds: (documentation changed)
│    └[~]  resource AWS::DirectoryService::SimpleAD
│       ├      - documentation: The `AWS::DirectoryService::SimpleAD` resource specifies an AWS Directory Service Simple Active Directory ( Simple AD ) in AWS so that your directory users and groups can access the AWS Management Console and AWS applications using their existing credentials. Simple AD is a Microsoft Active Directory–compatible directory. For more information, see [Simple Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_simple_ad.html) in the *AWS Directory Service Admin Guide* .
│       │      + documentation: The `AWS::DirectoryService::SimpleAD` resource specifies an Directory Service Simple Active Directory ( Simple AD ) in AWS so that your directory users and groups can access the the console and AWS applications using their existing credentials. Simple AD is a Microsoft Active Directory–compatible directory. For more information, see [Simple Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_simple_ad.html) in the *Directory Service Admin Guide* .
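Review bot: two grammar regressions in the SimpleAD text: `specifies an Directory Service Simple Active Directory` (article no longer agrees once `AWS` was removed) and `access the the console`. Suggest `specifies a Directory Service Simple Active Directory` and `access the console`.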
│       ├ properties
│       │  ├ Password: (documentation changed)
│       │  └ Size: (documentation changed)
│       └ types
│          └[~] type VpcSettings
│            └ properties
│               └ SubnetIds: (documentation changed)
├[~] service aws-dms
│ └ resources
│    ├[~]  resource AWS::DMS::DataProvider
│    │  └ properties
│    │     └ Engine: (documentation changed)
│    ├[~]  resource AWS::DMS::Endpoint
│    │  ├ properties
│    │  │  └ KmsKeyId: (documentation changed)
│    │  └ types
│    │     ├[~] type RedshiftSettings
│    │     │ └ properties
│    │     │    └ ServerSideEncryptionKmsKeyId: (documentation changed)
│    │     └[~] type S3Settings
│    │       └ properties
│    │          └ ServerSideEncryptionKmsKeyId: (documentation changed)
│    ├[~]  resource AWS::DMS::InstanceProfile
│    │  └ properties
│    │     └ KmsKeyArn: (documentation changed)
│    ├[~]  resource AWS::DMS::ReplicationConfig
│    │  └ types
│    │     └[~] type ComputeConfig
│    │       └ properties
│    │          └ KmsKeyId: (documentation changed)
│    └[~]  resource AWS::DMS::ReplicationInstance
│       └ properties
│          └ KmsKeyId: (documentation changed)
├[~] service aws-docdb
│ └ resources
│    └[~]  resource AWS::DocDB::DBCluster
│       └ properties
│          └ KmsKeyId: (documentation changed)
├[~] service aws-dsql
│ └ resources
│    └[~]  resource AWS::DSQL::Cluster
│       └ types
│          └[~] type EncryptionDetails
│            ├      - documentation: Configuration details about encryption for the cluster including the AWS KMS key ARN, encryption type, and encryption status.
│            │      + documentation: Configuration details about encryption for the cluster including the AWS  key ARN, encryption type, and encryption status.
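Review bot: `AWS  key ARN` in the EncryptionDetails summary has lost the `KMS` token; since `KmsKeyArn` is the property the summary describes, the `-` line's `AWS KMS key ARN` is the correct text.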
│            └ properties
│               └ KmsKeyArn: (documentation changed)
├[~] service aws-dynamodb
│ └ resources
│    ├[~]  resource AWS::DynamoDB::GlobalTable
│    │  └ types
│    │     ├[~] type ReplicaSSESpecification
│    │     │ └ properties
│    │     │    └ KMSMasterKeyId: (documentation changed)
│    │     └[~] type SSESpecification
│    │       └ properties
│    │          ├ SSEEnabled: (documentation changed)
│    │          └ SSEType: (documentation changed)
│    └[~]  resource AWS::DynamoDB::Table
│       └ types
│          └[~] type SSESpecification
│            └ properties
│               ├ KMSMasterKeyId: (documentation changed)
│               ├ SSEEnabled: (documentation changed)
│               └ SSEType: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    └[~]  resource AWS::EC2::TransitGateway
│       ├      - documentation: Specifies a transit gateway.
│       │      You can use a transit gateway to interconnect your virtual private clouds (VPC) and on-premises networks. After the transit gateway enters the `available` state, you can attach your VPCs and VPN connections to the transit gateway.
│       │      To attach your VPCs, use [AWS::EC2::TransitGatewayAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayattachment.html) .
│       │      To attach a VPN connection, use [AWS::EC2::CustomerGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html) to create a customer gateway and specify the ID of the customer gateway and the ID of the transit gateway in a call to [AWS::EC2::VPNConnection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpn-connection.html) .
│       │      When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table. You can use [AWS::EC2::TransitGatewayRouteTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetable.html) to create additional transit gateway route tables. If you disable automatic route propagation, we do not create a default transit gateway route table. You can use [AWS::EC2::TransitGatewayRouteTablePropagation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetablepropagation.html) to propagate routes from a resource attachment to a transit gateway route table. If you disable automatic associations, you can use [AWS::EC2::TransitGatewayRouteTableAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetableassociation.html) to associate a resource attachment with a transit gateway route table.
│       │      + documentation: Specifies a transit gateway.
│       │      You can use a transit gateway to interconnect your virtual private clouds (VPC) and on-premises networks. After the transit gateway enters the `available` state, you can attach your VPCs and VPN connections to the transit gateway.
│       │      To attach your VPCs, use [AWS::EC2::TransitGatewayAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayattachment.html) .
│       │      To attach a VPN connection, use [AWS::EC2::CustomerGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html) to create a customer gateway and specify the ID of the customer gateway and the ID of the transit gateway in a call to [AWS::EC2::VPNConnection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpn-connection.html) .
│       │      When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table. You can use [AWS::EC2::TransitGatewayRouteTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetable.html) to create additional transit gateway route tables. If you disable automatic route propagation, we do not create a default transit gateway route table. You can use [AWS::EC2::TransitGatewayRouteTablePropagation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetablepropagation.html) to propagate routes from a resource attachment to a transit gateway route table. If you disable automatic associations, you can use [AWS::EC2::TransitGatewayRouteTableAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroutetableassociation.html) to associate a resource attachment with a transit gateway route table.
│       │      To create a transit gateway with `EncryptionSupport` enabled through CloudFormation, you will need the `ec2:ModifyTransitGateway` Identity and Access Management (IAM) permission. For more information, see `ModifyTransitGateway` in [Actions, resources, and condition keys for Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-) of the *Identify and Access Management Service Authorization Reference* .
│       └ attributes
│          └ EncryptionSupportState: (documentation changed)
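Review bot: the new final paragraph of the AWS::EC2::TransitGateway documentation misspells the service name as "Identify and Access Management" (should be "Identity"), and its link anchor `#amazonec2-actions-as-` ends in a trailing hyphen, which looks truncated; both come from the upstream source and should be reported there rather than patched in this repo. The paragraph is still worth calling out in the release notes: it states that creating a transit gateway with `EncryptionSupport` enabled through CloudFormation requires the `ec2:ModifyTransitGateway` permission, so least-privilege deployment roles that only grant create actions may need that action added.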
├[~] service aws-ecr
│ └ resources
│    ├[~]  resource AWS::ECR::Repository
│    │  └ types
│    │     └[~] type EncryptionConfiguration
│    │       ├      - documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
│    │       │      By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES256 encryption algorithm. This does not require any action on your part.
│    │       │      For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS KMS ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* .
│    │       │      + documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
│    │       │      By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES256 encryption algorithm. This does not require any action on your part.
│    │       │      For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS  ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* .
│    │       └ properties
│    │          ├ EncryptionType: (documentation changed)
│    │          └ KmsKey: (documentation changed)
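Review bot: in the updated AWS::ECR::Repository EncryptionConfiguration text the abbreviation after "AWS Key Management Service (" has been lost, leaving "( AWS  )" with a double space where the previous text read "( AWS KMS )". That looks like a failed service-name substitution in the upstream documentation source rather than an intended edit, and the same pattern recurs across several services in this diff (EKS, IoT, Glue, KMS), so consider holding this update or filing it upstream before the broken strings reach the generated docs.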
│    └[~]  resource AWS::ECR::RepositoryCreationTemplate
│       └ types
│          └[~] type EncryptionConfiguration
│            ├      - documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
│            │      By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES256 encryption algorithm. This does not require any action on your part.
│            │      For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS KMS ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* .
│            │      + documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
│            │      By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES256 encryption algorithm. This does not require any action on your part.
│            │      For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS  ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* .
│            └ properties
│               ├ EncryptionType: (documentation changed)
│               └ KmsKey: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    ├[~]  resource AWS::ECS::Service
│    │  └ types
│    │     └[~] type DeploymentController
│    │       └ properties
│    │          └ Type: (documentation changed)
│    └[~]  resource AWS::ECS::TaskDefinition
│       └ types
│          └[~] type ContainerDefinition
│            └ properties
│               └ LogConfiguration: (documentation changed)
├[~] service aws-eks
│ └ resources
│    └[~]  resource AWS::EKS::Cluster
│       └ types
│          ├[~] type AccessConfig
│          │ └ properties
│          │    └ AuthenticationMode: (documentation changed)
│          └[~] type Provider
│            └      - documentation: Identifies the AWS Key Management Service ( AWS KMS ) key used to encrypt the secrets.
│                   + documentation: Identifies the AWS Key Management Service ( AWS  ) key used to encrypt the secrets.
├[~] service aws-emr
│ └ resources
│    └[~]  resource AWS::EMR::Studio
│       └ properties
│          └ EncryptionKeyArn: (documentation changed)
├[~] service aws-entityresolution
│ └ resources
│    └[~]  resource AWS::EntityResolution::IdMappingWorkflow
│       └ types
│          └[~] type IdMappingWorkflowOutputSource
│            └ properties
│               └ KMSArn: (documentation changed)
├[~] service aws-events
│ └ resources
│    ├[~]  resource AWS::Events::Archive
│    │  └ properties
│    │     └ KmsKeyIdentifier: (documentation changed)
│    ├[~]  resource AWS::Events::Connection
│    │  └ properties
│    │     └ KmsKeyIdentifier: (documentation changed)
│    ├[~]  resource AWS::Events::EventBus
│    │  └ properties
│    │     └ KmsKeyIdentifier: (documentation changed)
│    └[~]  resource AWS::Events::Rule
│       └ properties
│          └ Targets: (documentation changed)
├[~] service aws-fms
│ └ resources
│    └[~]  resource AWS::FMS::NotificationChannel
│       └ properties
│          └ SnsRoleName: (documentation changed)
├[~] service aws-forecast
│ └ resources
│    └[~]  resource AWS::Forecast::Dataset
│       └ types
│          └[~] type EncryptionConfig
│            └ properties
│               └ RoleArn: (documentation changed)
├[~] service aws-fsx
│ └ resources
│    └[~]  resource AWS::FSx::FileSystem
│       └ properties
│          └ KmsKeyId: (documentation changed)
├[~] service aws-gamelift
│ └ resources
│    └[~]  resource AWS::GameLift::Fleet
│       └ properties
│          ├ InstanceRoleARN: (documentation changed)
│          ├ PeerVpcAwsAccountId: (documentation changed)
│          └ PeerVpcId: (documentation changed)
├[~] service aws-glue
│ └ resources
│    └[~]  resource AWS::Glue::DataCatalogEncryptionSettings
│       └ types
│          ├[~] type ConnectionPasswordEncryption
│          │ ├      - documentation: The data structure used by the Data Catalog to encrypt the password as part of `CreateConnection` or `UpdateConnection` and store it in the `ENCRYPTED_PASSWORD` field in the connection properties. You can enable catalog encryption or only password encryption.
│          │ │      When a `CreationConnection` request arrives containing a password, the Data Catalog first encrypts the password using your AWS KMS key. It then encrypts the whole connection object again if catalog encryption is also enabled.
│          │ │      This encryption requires that you set AWS KMS key permissions to enable or restrict access on the password key according to your security requirements. For example, you might want only administrators to have decrypt permission on the password key.
│          │ │      + documentation: The data structure used by the Data Catalog to encrypt the password as part of `CreateConnection` or `UpdateConnection` and store it in the `ENCRYPTED_PASSWORD` field in the connection properties. You can enable catalog encryption or only password encryption.
│          │ │      When a `CreationConnection` request arrives containing a password, the Data Catalog first encrypts the password using your AWS  key. It then encrypts the whole connection object again if catalog encryption is also enabled.
│          │ │      This encryption requires that you set AWS  key permissions to enable or restrict access on the password key according to your security requirements. For example, you might want only administrators to have decrypt permission on the password key.
│          │ └ properties
│          │    └ KmsKeyId: (documentation changed)
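Review bot: the updated Glue ConnectionPasswordEncryption text now reads "using your AWS  key" and "set AWS  key permissions", dropping "KMS" and leaving a double space; for a passage whose point is which key's decrypt permission to restrict, that loss makes the guidance ambiguous. Unrelated to this update but visible in both versions: `CreationConnection` looks like a typo for `CreateConnection`, the operation named in the first sentence.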
│          └[~] type EncryptionAtRest
│            └ properties
│               └ SseAwsKmsKeyId: (documentation changed)
├[~] service aws-iam
│ └ resources
│    ├[~]  resource AWS::IAM::SAMLProvider
│    │  └      - documentation: Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.
│    │         The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS .
│    │         When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.
│    │         > This operation requires [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) . 
│    │         For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide* .
│    │         + documentation: Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.
│    │         The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the the console or one that supports API access to AWS .
│    │         When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.
│    │         > This operation requires [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) . 
│    │         For more information, see [Enabling SAML 2.0 federated users to access the the console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide* .
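Review bot: the updated AWS::IAM::SAMLProvider text replaces "AWS Management Console" with "the the console" both in the body and inside the link text ("Enabling SAML 2.0 federated users to access the the console"), a doubled article that points at a broken substitution upstream. The same "the the console" appears in the AWS::IAM::User LoginProfile entry below, so one upstream report covers both.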
│    └[~]  resource AWS::IAM::User
│       ├ properties
│       │  └ LoginProfile: (documentation changed)
│       └ types
│          └[~] type LoginProfile
│            └      - documentation: Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console . For more information about managing passwords, see [Managing Passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .
│                   + documentation: Creates a password for the specified user, giving the user the ability to access AWS services through the the console . For more information about managing passwords, see [Managing Passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .
├[~] service aws-imagebuilder
│ └ resources
│    ├[~]  resource AWS::ImageBuilder::ContainerRecipe
│    │  ├ attributes
│    │  │  └ LatestVersion.Arn: (documentation changed)
│    │  └ types
│    │     └[~] type LatestVersion
│    │       └ properties
│    │          └ Arn: (documentation changed)
│    └[~]  resource AWS::ImageBuilder::ImageRecipe
│       ├ attributes
│       │  └ LatestVersion.Arn: (documentation changed)
│       └ types
│          └[~] type LatestVersion
│            └ properties
│               └ Arn: (documentation changed)
├[~] service aws-iot
│ └ resources
│    └[~]  resource AWS::IoT::EncryptionConfiguration
│       ├ properties
│       │  └ KmsAccessRoleArn: (documentation changed)
│       └ types
│          └[~] type ConfigurationDetails
│            ├      - documentation: The encryption configuration details that include the status information of the AWS Key Management Service ( AWS KMS ) key and the AWS KMS access role.
│            │      + documentation: The encryption configuration details that include the status information of the AWS Key Management Service ( AWS  ) key and the AWS  access role.
│            └ properties
│               ├ ConfigurationStatus: (documentation changed)
│               └ ErrorCode: (documentation changed)
├[~] service aws-kendra
│ └ resources
│    └[~]  resource AWS::Kendra::DataSource
│       └ types
│          └[~] type WorkDocsConfiguration
│            └ properties
│               └ OrganizationId: (documentation changed)
├[~] service aws-kinesisvideo
│ └ resources
│    └[~]  resource AWS::KinesisVideo::Stream
│       └ properties
│          └ KmsKeyId: (documentation changed)
├[~] service aws-kms
│ └ resources
│    ├[~]  resource AWS::KMS::Alias
│    │  └      - documentation: The `AWS::KMS::Alias` resource specifies a display name for a [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) . You can use an alias to identify a KMS key in the AWS KMS console, in the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation, and in [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) , such as [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) and [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) .
│    │         > Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see [ABAC for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *AWS Key Management Service Developer Guide* . 
│    │         Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions . For more information, see [Using aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) in the *AWS Key Management Service Developer Guide* .
│    │         When specifying an alias, observe the following rules.
│    │         - Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.
│    │         - The alias and its associated KMS key must be in the same AWS account and Region.
│    │         - The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions . For example, you can have an `alias/projectKey` in multiple Regions, each of which is associated with a KMS key in its Region.
│    │         - Each alias name must begin with `alias/` followed by a name, such as `alias/exampleKey` . The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with `alias/aws/` . That alias name prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .
│    │         *Regions*
│    │         AWS KMS CloudFormation resources are available in all AWS Regions in which AWS KMS and CloudFormation are supported.
│    │         + documentation: The `AWS::KMS::Alias` resource specifies a display name for a [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) . You can use an alias to identify a KMS key in the AWS  console, in the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation, and in [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) , such as [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) and [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) .
│    │         > Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see [ABAC for AWS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *AWS Key Management Service Developer Guide* . 
│    │         Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions . For more information, see [Using aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) in the *AWS Key Management Service Developer Guide* .
│    │         When specifying an alias, observe the following rules.
│    │         - Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.
│    │         - The alias and its associated KMS key must be in the same AWS account and Region.
│    │         - The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions . For example, you can have an `alias/projectKey` in multiple Regions, each of which is associated with a KMS key in its Region.
│    │         - Each alias name must begin with `alias/` followed by a name, such as `alias/exampleKey` . The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with `alias/aws/` . That alias name prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) .
│    │         *Regions*
│    │         AWS  CloudFormation resources are available in all AWS Regions in which AWS  and CloudFormation are supported.
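Review bot: the updated AWS::KMS::Alias text loses the service name everywhere it appeared as "AWS KMS": "in the AWS  console", the link text "ABAC for AWS", and the Regions sentence now reads "AWS  CloudFormation resources are available in all AWS Regions in which AWS  and CloudFormation are supported", which no longer says which service must be supported. Since the only differences between the old and new text for this resource are these degraded strings, the previous text should be kept until the upstream source is fixed.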
│    ├[~]  resource AWS::KMS::Key
│    │  ├      - documentation: The `AWS::KMS::Key` resource specifies an [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in AWS Key Management Service . You can use this resource to create symmetric encryption KMS keys, asymmetric KMS keys for encryption or signing, and symmetric HMAC KMS keys. You can use `AWS::KMS::Key` to create [multi-Region primary keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-primary-key) of all supported types. To replicate a multi-Region key, use the `AWS::KMS::ReplicaKey` resource.
│    │  │      > If you change the value of the `KeySpec` , `KeyUsage` , `Origin` , or `MultiRegion` properties of an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing any of its immutable property values. > AWS KMS replaced the term *customer master key (CMK)* with *AWS KMS key* and *KMS key* . The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. 
│    │  │      You can use symmetric encryption KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use a symmetric encryption KMS key to encrypt data stored in AWS services that are [integrated with AWS KMS](https://docs.aws.amazon.com//kms/features/#AWS_Service_Integration) . For more information, see [Symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks) in the *AWS Key Management Service Developer Guide* .
│    │  │      You can use asymmetric KMS keys to encrypt and decrypt data or sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric `KeySpec` value and a `KeyUsage` value. For details, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .
│    │  │      You can use HMAC KMS keys (which are also symmetric keys) to generate and verify hash-based message authentication codes. To create an HMAC key, you must specify an HMAC `KeySpec` value and a `KeyUsage` value of `GENERATE_VERIFY_MAC` . For details, see [HMAC keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) in the *AWS Key Management Service Developer Guide* .
│    │  │      You can also create symmetric encryption, asymmetric, and HMAC multi-Region primary keys. To create a multi-Region primary key, set the `MultiRegion` property to `true` . For information about multi-Region keys, see [Multi-Region keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .
│    │  │      You cannot use the `AWS::KMS::Key` resource to specify a KMS key with [imported key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) or a KMS key in a [custom key store](https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) .
│    │  │      *Regions*
│    │  │      AWS KMS CloudFormation resources are available in all Regions in which AWS KMS and CloudFormation are supported. You can use the `AWS::KMS::Key` resource to create and manage all KMS key types that are supported in a Region.
│    │  │      + documentation: The `AWS::KMS::Key` resource specifies an [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in AWS Key Management Service . You can use this resource to create symmetric encryption KMS keys, asymmetric KMS keys for encryption or signing, and symmetric HMAC KMS keys. You can use `AWS::KMS::Key` to create [multi-Region primary keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-primary-key) of all supported types. To replicate a multi-Region key, use the `AWS::KMS::ReplicaKey` resource.
│    │  │      > If you change the value of the `KeySpec` , `KeyUsage` , `Origin` , or `MultiRegion` properties of an existing KMS key, the update request fails, regardless of the value of the [`UpdateReplacePolicy` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) . This prevents you from accidentally deleting a KMS key by changing any of its immutable property values. > AWS  replaced the term *customer master key (CMK)* with *AWS KMS key* and *KMS key* . The concept has not changed. To prevent breaking changes, AWS  is keeping some variations of this term. 
│    │  │      You can use symmetric encryption KMS keys to encrypt and decrypt small amounts of data, but they are more commonly used to generate data keys and data key pairs. You can also use a symmetric encryption KMS key to encrypt data stored in AWS services that are [integrated with AWS](https://docs.aws.amazon.com//kms/features/#AWS_Service_Integration) . For more information, see [Symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks) in the *AWS Key Management Service Developer Guide* .
│    │  │      You can use asymmetric KMS keys to encrypt and decrypt data or sign messages and verify signatures. To create an asymmetric key, you must specify an asymmetric `KeySpec` value and a `KeyUsage` value. For details, see [Asymmetric keys in AWS](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide* .
│    │  │      You can use HMAC KMS keys (which are also symmetric keys) to generate and verify hash-based message authentication codes. To create an HMAC key, you must specify an HMAC `KeySpec` value and a `KeyUsage` value of `GENERATE_VERIFY_MAC` . For details, see [HMAC keys in AWS](https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) in the *AWS Key Management Service Developer Guide* .
│    │  │      You can also create symmetric encryption, asymmetric, and HMAC multi-Region primary keys. To create a multi-Region primary key, set the `MultiRegion` property to `true` . For information about multi-Region keys, see [Multi-Region keys in AWS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .
│    │  │      You cannot use the `AWS::KMS::Key` resource to specify a KMS key with [imported key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) or a KMS key in a [custom key store](https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) .
│    │  │      *Regions*
│    │  │      AWS  CloudFormation resources are available in all Regions in which AWS  and CloudFormation are supported. You can use the `AWS::KMS::Key` resource to create and manage all KMS key types that are supported in a Region.
│    │  └ properties
│    │     ├ EnableKeyRotation: (documentation changed)
│    │     ├ KeyPolicy: (documentation changed)
│    │     ├ KeySpec: (documentation changed)
│    │     ├ MultiRegion: (documentation changed)
│    │     ├ Origin: (documentation changed)
│    │     ├ PendingWindowInDays: (documentation changed)
│    │     ├ RotationPeriodInDays: (documentation changed)
│    │     └ Tags: (documentation changed)
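Review bot: the updated AWS::KMS::Key text has the same dropped-abbreviation problem as the alias entry: "AWS  replaced the term *customer master key (CMK)* with *AWS KMS key*" and "AWS  is keeping some variations of this term" now read as if AWS as a whole were meant, and the link texts "Asymmetric keys in AWS", "HMAC keys in AWS" and "Multi-Region keys in AWS" have lost their subject. Pre-existing in both versions and worth fixing upstream at the same time: "specifies an [KMS key]" should read "a KMS key".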
│    └[~]  resource AWS::KMS::ReplicaKey
│       ├      - documentation: The `AWS::KMS::ReplicaKey` resource specifies a multi-Region replica key that is based on a multi-Region primary key.
│       │      *Multi-Region keys* are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see [Multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .
│       │      A multi-Region *primary key* is a fully functional symmetric encryption KMS key, HMAC KMS key, or asymmetric KMS key that is also the model for replica keys in other AWS Regions . To create a multi-Region primary key, add an [AWS::KMS::Key](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html) resource to your CloudFormation stack. Set its `MultiRegion` property to true.
│       │      A multi-Region *replica key* is a fully functional KMS key that has the same key ID and key material as a multi-Region primary key, but is located in a different AWS Region of the same AWS partition. There can be multiple replicas of a primary key, but each must be in a different AWS Region .
│       │      When you create a replica key in CloudFormation , the replica key is created in the AWS Region represented by the endpoint you use for the request. If you try to replicate a multi-Region key into a Region in which the key type is not supported, the request will fail.
│       │      A primary key and its replicas have the same key ID and key material. They also have the same key spec, key usage, key material origin, and automatic key rotation status. These properties are known as *shared properties* . If they change, AWS KMS synchronizes the change to all related multi-Region keys. All other properties of a replica key can differ, including its key policy, tags, aliases, and key state. AWS KMS does not synchronize these properties.
│       │      *Regions*
│       │      AWS KMS CloudFormation resources are available in all AWS Regions in which AWS KMS and CloudFormation are supported. You can use the `AWS::KMS::ReplicaKey` resource to create replica keys in all Regions that support multi-Region KMS keys. For details, see [Multi-Region keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the ** .
│       │      + documentation: The `AWS::KMS::ReplicaKey` resource specifies a multi-Region replica key that is based on a multi-Region primary key.
│       │      *Multi-Region keys* are an AWS  feature that lets you create multiple interoperable KMS keys in different AWS Regions . Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see [Multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide* .
│       │      A multi-Region *primary key* is a fully functional symmetric encryption KMS key, HMAC KMS key, or asymmetric KMS key that is also the model for replica keys in other AWS Regions . To create a multi-Region primary key, add an [AWS::KMS::Key](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html) resource to your CloudFormation stack. Set its `MultiRegion` property to true.
│       │      A multi-Region *replica key* is a fully functional KMS key that has the same key ID and key material as a multi-Region primary key, but is located in a different AWS Region of the same AWS partition. There can be multiple replicas of a primary key, but each must be in a different AWS Region .
│       │      When you create a replica key in CloudFormation , the replica key is created in the AWS Region represented by the endpoint you use for the request. If you try to replicate a multi-Region key into a Region in which the key type is not supported, the request will fail.
│       │      A primary key and its replicas have the same key ID and key material. They also have the same key spec, key usage, key material origin, and automatic key rotation status. These properties are known as *shared properties* . If they change, AWS  synchronizes the change to all related multi-Region keys. All other properties of a replica key can differ, including its key policy, tags, aliases, and key state. AWS  does not synchronize these properties.
│       │      *Regions*
│       │      AWS  CloudFormation resources are available in all AWS Regions in which AWS  and CloudFormation are supported. You can use the `AWS::KMS::ReplicaKey` resource to create replica keys in all Regions that support multi-Region KMS keys. For details, see [Multi-Region keys in AWS](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the ** .
│       └ properties
│          ├ KeyPolicy: (documentation changed)
│          ├ PendingWindowInDays: (documentation changed)
│          └ Tags: (documentation changed)
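Review bot: the replacement text for AWS::KMS::ReplicaKey loses the service name in every place the old text read "AWS KMS": "an AWS  feature", "AWS  synchronizes the change" and "AWS  does not synchronize", "AWS  CloudFormation resources are available in all AWS Regions in which AWS  and CloudFormation are supported", and the link title "Multi-Region keys in AWS". The double space is the residue of an unexpanded entity in the upstream docs source, not a wording change a writer made, and the sentence about which Regions "AWS  and CloudFormation" support is no longer readable. Both versions also close with an empty guide title ("in the ** ."), which was already broken before this update. Suggest holding this entry until the upstream source renders the service name again, or normalising the empty token back to "AWS KMS" on import.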
├[~] service aws-lambda
│ └ resources
│    ├[~]  resource AWS::Lambda::EventSourceMapping
│    │  └ properties
│    │     └ KmsKeyArn: (documentation changed)
│    └[~]  resource AWS::Lambda::Function
│       ├ properties
│       │  └ KmsKeyArn: (documentation changed)
│       └ types
│          └[~] type Code
│            └ properties
│               └ SourceKMSKeyArn: (documentation changed)
├[~] service aws-lex
│ └ resources
│    └[~]  resource AWS::Lex::Bot
│       └ types
│          └[~] type GrammarSlotTypeSource
│            └ properties
│               └ KmsKeyArn: (documentation changed)
├[~] service aws-lightsail
│ └ resources
│    └[~]  resource AWS::Lightsail::Container
│       ├ properties
│       │  └ PrivateRegistryAccess: (documentation changed)
│       └ types
│          └[~] type PrivateRegistryAccess
│            └      - documentation: Describes the configuration for an Amazon Lightsail container service to access private container image repositories, such as Amazon Elastic Container Registry ( Amazon ECR ) private repositories.
│                   For more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .
│                   + documentation: Describes the configuration for an Amazon Lightsail container service to access private container image repositories, such as  ( Amazon ECR ) private repositories.
│                   For more information, see [Configuring access to an Amazon ECR private repository for an Amazon Lightsail container service](https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-container-service-ecr-private-repo-access) in the *Amazon Lightsail Developer Guide* .
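Review bot: the new PrivateRegistryAccess description reads "such as  ( Amazon ECR ) private repositories", dropping the expanded name "Amazon Elastic Container Registry" that the old text had before the parenthesis, so the abbreviation now has nothing to abbreviate. Same unexpanded-entity pattern as the KMS entries; the old wording should be kept.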
├[~] service aws-logs
│ └ resources
│    ├[~]  resource AWS::Logs::Integration
│    │  └ types
│    │     └[~] type OpenSearchResourceConfig
│    │       └ properties
│    │          └ KmsKeyArn: (documentation changed)
│    ├[~]  resource AWS::Logs::LogAnomalyDetector
│    │  └ properties
│    │     └ KmsKeyId: (documentation changed)
│    ├[~]  resource AWS::Logs::LogGroup
│    │  └ properties
│    │     └ KmsKeyId: (documentation changed)
│    └[~]  resource AWS::Logs::Transformer
│       └ types
│          └[~] type ParseToOCSF
│            └      - documentation: This processor converts logs into [Open Cybersecurity Schema Framework (OCSF)](https://docs.aws.amazon.com/https://ocsf.io) events.
│                   For more information about this processor including examples, see [parseToOSCF](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseToOCSF) in the *CloudWatch Logs User Guide* .
│                   + documentation: This processor converts logs into [Open Cybersecurity Schema Framework (OCSF)](https://docs.aws.amazon.com/https://ocsf.io) events.
│                   For more information about this processor including examples, see [parseToOCSF](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseToOCSF) in the *CloudWatch Logs User Guide* .
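Review bot: the only change here is the link text "parseToOSCF" to "parseToOCSF", which is a genuine typo fix and should be taken. The OCSF link target in both versions, "https://docs.aws.amazon.com/https://ocsf.io", is still malformed (the docs host has been prepended to an external URL) and will not resolve; worth reporting upstream even though it is unchanged in this diff.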
├[~] service aws-macie
│ └ resources
│    └[~]  resource AWS::Macie::AllowList
│       └ attributes
│          └ Status: (documentation changed)
├[~] service aws-mediapackagev2
│ └ resources
│    └[~]  resource AWS::MediaPackageV2::OriginEndpointPolicy
│       └ types
│          └[~] type CdnAuthConfiguration
│            └ properties
│               └ SecretsRoleArn: (documentation changed)
├[~] service aws-oam
│ └ resources
│    └[~]  resource AWS::Oam::Link
│       └ types
│          └[~] type LinkFilter
│            └ properties
│               └ Filter: (documentation changed)
├[~] service aws-opensearchservice
│ └ resources
│    └[~]  resource AWS::OpenSearchService::Domain
│       └ properties
│          └ EncryptionAtRestOptions: (documentation changed)
├[~] service aws-opsworks
│ └ resources
│    └[~]  resource AWS::OpsWorks::Stack
│       └ properties
│          └ EcsClusterArn: (documentation changed)
├[~] service aws-pipes
│ └ resources
│    └[~]  resource AWS::Pipes::Pipe
│       └ properties
│          └ KmsKeyIdentifier: (documentation changed)
├[~] service aws-qbusiness
│ └ resources
│    ├[~]  resource AWS::QBusiness::Application
│    │  ├ properties
│    │  │  └ EncryptionConfiguration: (documentation changed)
│    │  └ types
│    │     └[~] type EncryptionConfiguration
│    │       ├      - documentation: Provides the identifier of the AWS KMS key used to encrypt data indexed by Amazon Q Business. Amazon Q Business doesn't support asymmetric keys.
│    │       │      + documentation: Provides the identifier of the AWS  key used to encrypt data indexed by Amazon Q Business. Amazon Q Business doesn't support asymmetric keys.
│    │       └ properties
│    │          └ KmsKeyId: (documentation changed)
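Review bot: "the identifier of the AWS  key" drops "KMS" from the old "AWS KMS key"; the sentence no longer says which service's key is meant, and the following "doesn't support asymmetric keys" only makes sense with KMS named. Same dropped-entity issue as above.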
│    └[~]  resource AWS::QBusiness::WebExperience
│       └ types
│          └[~] type OpenIDConnectProviderConfiguration
│            └ properties
│               └ SecretsRole: (documentation changed)
├[~] service aws-qldb
│ └ resources
│    └[~]  resource AWS::QLDB::Ledger
│       └ properties
│          └ KmsKey: (documentation changed)
├[~] service aws-refactorspaces
│ └ resources
│    ├[~]  resource AWS::RefactorSpaces::Application
│    │  └ attributes
│    │     ├ ApiGatewayId: (documentation changed)
│    │     ├ ProxyUrl: (documentation changed)
│    │     ├ StageName: (documentation changed)
│    │     └ VpcLinkId: (documentation changed)
│    └[~]  resource AWS::RefactorSpaces::Route
│       ├      - documentation: Creates an AWS Migration Hub Refactor Spaces route. The account owner of the service resource is always the environment owner, regardless of which account creates the route. Routes target a service in the application. If an application does not have any routes, then the first route must be created as a `DEFAULT` `RouteType` .
│       │      When created, the default route defaults to an active state so state is not a required input. However, like all other state values the state of the default route can be updated after creation, but only when all other routes are also inactive. Conversely, no route can be active without the default route also being active.
│       │      > In the `AWS::RefactorSpaces::Route` resource, you can only update the `ActivationState` property, which resides under the `UriPathRoute` and `DefaultRoute` properties. All other properties associated with the `AWS::RefactorSpaces::Route` cannot be updated, even though the property description might indicate otherwise. Updating all other properties will result in the replacement of Route. 
│       │      When you create a route, Refactor Spaces configures the Amazon API Gateway to send traffic to the target service as follows:
│       │      - *URL Endpoints*
│       │      If the service has a URL endpoint, and the endpoint resolves to a private IP address, Refactor Spaces routes traffic using the API Gateway VPC link. If a service endpoint resolves to a public IP address, Refactor Spaces routes traffic over the public internet. Services can have HTTP or HTTPS URL endpoints. For HTTPS URLs, publicly-signed certificates are supported. Private Certificate Authorities (CAs) are permitted only if the CA's domain is also publicly resolvable.
│       │      Refactor Spaces automatically resolves the public Domain Name System (DNS) names that are set in `CreateService:UrlEndpoint` when you create a service. The DNS names resolve when the DNS time-to-live (TTL) expires, or every 60 seconds for TTLs less than 60 seconds. This periodic DNS resolution ensures that the route configuration remains up-to-date.
│       │      *One-time health check*
│       │      A one-time health check is performed on the service when either the route is updated from inactive to active, or when it is created with an active state. If the health check fails, the route transitions the route state to `FAILED` , an error code of `SERVICE_ENDPOINT_HEALTH_CHECK_FAILURE` is provided, and no traffic is sent to the service.
│       │      For private URLs, a target group is created on the Network Load Balancer and the load balancer target group runs default target health checks. By default, the health check is run against the service endpoint URL. Optionally, the health check can be performed against a different protocol, port, and/or path using the [CreateService:UrlEndpoint](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateService.html#migrationhubrefactorspaces-CreateService-request-UrlEndpoint) parameter. All other health check settings for the load balancer use the default values described in the [Health checks for your target groups](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html) in the *Elastic Load Balancing guide* . The health check is considered successful if at least one target within the target group transitions to a healthy state.
│       │      - *AWS Lambda function endpoints*
│       │      If the service has an AWS Lambda function endpoint, then Refactor Spaces configures the Lambda function's resource policy to allow the application's API Gateway to invoke the function.
│       │      The Lambda function state is checked. If the function is not active, the function configuration is updated so that Lambda resources are provisioned. If the Lambda state is `Failed` , then the route creation fails. For more information, see the [GetFunctionConfiguration's State response parameter](https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunctionConfiguration.html#SSS-GetFunctionConfiguration-response-State) in the *AWS Lambda Developer Guide* .
│       │      A check is performed to determine that a Lambda function with the specified ARN exists. If it does not exist, the health check fails. For public URLs, a connection is opened to the public endpoint. If the URL is not reachable, the health check fails.
│       │      *Environments without a network bridge*
│       │      When you create environments without a network bridge ( [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) is `NONE)` and you use your own networking infrastructure, you need to configure [VPC to VPC connectivity](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html) between your network and the application proxy VPC. Route creation from the application proxy to service endpoints will fail if your network is not configured to connect to the application proxy VPC. For more information, see [Create a route](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/getting-started-create-role.html) in the *Refactor Spaces User Guide* .
│       │      + documentation: Creates an AWS Migration Hub Refactor Spaces route. The account owner of the service resource is always the environment owner, regardless of which account creates the route. Routes target a service in the application. If an application does not have any routes, then the first route must be created as a `DEFAULT` `RouteType` .
│       │      When created, the default route defaults to an active state so state is not a required input. However, like all other state values the state of the default route can be updated after creation, but only when all other routes are also inactive. Conversely, no route can be active without the default route also being active.
│       │      > In the `AWS::RefactorSpaces::Route` resource, you can only update the `ActivationState` property, which resides under the `UriPathRoute` and `DefaultRoute` properties. All other properties associated with the `AWS::RefactorSpaces::Route` cannot be updated, even though the property description might indicate otherwise. Updating all other properties will result in the replacement of Route. 
│       │      When you create a route, Refactor Spaces configures the ABPlong to send traffic to the target service as follows:
│       │      - *URL Endpoints*
│       │      If the service has a URL endpoint, and the endpoint resolves to a private IP address, Refactor Spaces routes traffic using the ABP VPC link. If a service endpoint resolves to a public IP address, Refactor Spaces routes traffic over the public internet. Services can have HTTP or HTTPS URL endpoints. For HTTPS URLs, publicly-signed certificates are supported. Private Certificate Authorities (CAs) are permitted only if the CA's domain is also publicly resolvable.
│       │      Refactor Spaces automatically resolves the public Domain Name System (DNS) names that are set in `CreateService:UrlEndpoint` when you create a service. The DNS names resolve when the DNS time-to-live (TTL) expires, or every 60 seconds for TTLs less than 60 seconds. This periodic DNS resolution ensures that the route configuration remains up-to-date.
│       │      *One-time health check*
│       │      A one-time health check is performed on the service when either the route is updated from inactive to active, or when it is created with an active state. If the health check fails, the route transitions the route state to `FAILED` , an error code of `SERVICE_ENDPOINT_HEALTH_CHECK_FAILURE` is provided, and no traffic is sent to the service.
│       │      For private URLs, a target group is created on the Network Load Balancer and the load balancer target group runs default target health checks. By default, the health check is run against the service endpoint URL. Optionally, the health check can be performed against a different protocol, port, and/or path using the [CreateService:UrlEndpoint](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateService.html#migrationhubrefactorspaces-CreateService-request-UrlEndpoint) parameter. All other health check settings for the load balancer use the default values described in the [Health checks for your target groups](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html) in the *ELB guide* . The health check is considered successful if at least one target within the target group transitions to a healthy state.
│       │      - *AWS Lambda function endpoints*
│       │      If the service has an AWS Lambda function endpoint, then Refactor Spaces configures the Lambda function's resource policy to allow the application's ABP to invoke the function.
│       │      The Lambda function state is checked. If the function is not active, the function configuration is updated so that Lambda resources are provisioned. If the Lambda state is `Failed` , then the route creation fails. For more information, see the [GetFunctionConfiguration's State response parameter](https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunctionConfiguration.html#SSS-GetFunctionConfiguration-response-State) in the *AWS Lambda Developer Guide* .
│       │      A check is performed to determine that a Lambda function with the specified ARN exists. If it does not exist, the health check fails. For public URLs, a connection is opened to the public endpoint. If the URL is not reachable, the health check fails.
│       │      *Environments without a network bridge*
│       │      When you create environments without a network bridge ( [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) is `NONE)` and you use your own networking infrastructure, you need to configure [VPC to VPC connectivity](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html) between your network and the application proxy VPC. Route creation from the application proxy to service endpoints will fail if your network is not configured to connect to the application proxy VPC. For more information, see [Create a route](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/getting-started-create-role.html) in the *Refactor Spaces User Guide* .
│       └ attributes
│          └ PathResourceToId: (documentation changed)
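Review bot: the new Route description contains unexpanded documentation macros instead of service names: "configures the ABPlong to send traffic" (old: "the Amazon API Gateway"), "using the ABP VPC link" (old: "the API Gateway VPC link"), "allow the application's ABP to invoke the function" (old: "the application's API Gateway"), and "in the *ELB guide*" (old: "*Elastic Load Balancing guide*"). "ABPlong" and "ABP" are placeholder tokens, not product names, and would reach CDK users verbatim in the generated docs. The rest of the text, including the one-time health check and network-bridge sections, is unchanged. Recommend keeping the old text for this resource until the upstream source expands these entities.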
├[~] service aws-route53
│ └ resources
│    ├[~]  resource AWS::Route53::KeySigningKey
│    │  └ properties
│    │     └ KeyManagementServiceArn: (documentation changed)
│    ├[~]  resource AWS::Route53::RecordSet
│    │  └ types
│    │     └[~] type AliasTarget
│    │       └ properties
│    │          ├ DNSName: (documentation changed)
│    │          └ HostedZoneId: (documentation changed)
│    └[~]  resource AWS::Route53::RecordSetGroup
│       └ types
│          └[~] type AliasTarget
│            └ properties
│               ├ DNSName: (documentation changed)
│               └ HostedZoneId: (documentation changed)
├[~] service aws-s3
│ └ resources
│    ├[~]  resource AWS::S3::Bucket
│    │  └ types
│    │     ├[~] type EncryptionConfiguration
│    │     │ └      - documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects.
│    │     │        > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
│    │     │        + documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects.
│    │     │        > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS  resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
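Review bot: in the replication EncryptionConfiguration note, "then AWS  resolves the key within the requester's account" has lost its subject ("AWS KMS" in the old text). This note is the security-relevant part of the description, since it explains why a key alias can bind replicated objects to a key in the requester's account rather than the bucket owner's; it should keep naming the service that performs the alias resolution.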
│    │     ├[~] type MetadataTableEncryptionConfiguration
│    │     │ └ properties
│    │     │    ├ KmsKeyArn: (documentation changed)
│    │     │    └ SseAlgorithm: (documentation changed)
│    │     ├[~] type ServerSideEncryptionByDefault
│    │     │ └ properties
│    │     │    └ KMSMasterKeyID: (documentation changed)
│    │     └[~] type ServerSideEncryptionRule
│    │       └      - documentation: Specifies the default server-side encryption configuration.
│    │              > - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
│    │              > - *Directory buckets* - When you specify an [AWS KMS customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
│    │              + documentation: Specifies the default server-side encryption configuration.
│    │              > - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS  resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
│    │              > - *Directory buckets* - When you specify an [AWS  customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.
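Review bot: same defect in ServerSideEncryptionRule: "AWS  resolves the key" in the general purpose bucket bullet and the link text "AWS  customer managed key" in the directory bucket bullet both dropped "KMS". The directory-bucket guidance (key ID or key ARN only, alias not supported) is otherwise intact.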
│    └[~]  resource AWS::S3::StorageLens
│       └ types
│          └[~] type SSEKMS
│            └ properties
│               └ KeyId: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    ├[~]  resource AWS::SageMaker::DataQualityJobDefinition
│    │  └ types
│    │     └[~] type MonitoringOutputConfig
│    │       └ properties
│    │          └ KmsKeyId: (documentation changed)
│    ├[~]  resource AWS::SageMaker::ModelBiasJobDefinition
│    │  └ types
│    │     └[~] type MonitoringOutputConfig
│    │       └ properties
│    │          └ KmsKeyId: (documentation changed)
│    ├[~]  resource AWS::SageMaker::ModelExplainabilityJobDefinition
│    │  └ types
│    │     └[~] type MonitoringOutputConfig
│    │       └ properties
│    │          └ KmsKeyId: (documentation changed)
│    ├[~]  resource AWS::SageMaker::ModelQualityJobDefinition
│    │  └ types
│    │     └[~] type MonitoringOutputConfig
│    │       └ properties
│    │          └ KmsKeyId: (documentation changed)
│    └[~]  resource AWS::SageMaker::MonitoringSchedule
│       └ types
│          └[~] type MonitoringOutputConfig
│            └ properties
│               └ KmsKeyId: (documentation changed)
├[~] service aws-secretsmanager
│ └ resources
│    └[~]  resource AWS::SecretsManager::Secret
│       └ properties
│          └ KmsKeyId: (documentation changed)
├[~] service aws-sns
│ └ resources
│    ├[~]  resource AWS::SNS::Subscription
│    │  ├      - documentation: The `AWS::SNS::Subscription` resource subscribes an endpoint to an Amazon SNS topic. For a subscription to be created, the owner of the endpoint must` confirm the subscription.
│    │  │      + documentation: The `AWS::SNS::Subscription` resource subscribes an endpoint to an Amazon  topic. For a subscription to be created, the owner of the endpoint must` confirm the subscription.
│    │  └ properties
│    │     ├ DeliveryPolicy: (documentation changed)
│    │     ├ Endpoint: (documentation changed)
│    │     ├ FilterPolicy: (documentation changed)
│    │     ├ Protocol: (documentation changed)
│    │     ├ RawMessageDelivery: (documentation changed)
│    │     ├ ReplayPolicy: (documentation changed)
│    │     └ SubscriptionRoleArn: (documentation changed)
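Review bot: "subscribes an endpoint to an Amazon  topic" drops "SNS". Both versions also carry a stray backtick in "the owner of the endpoint must` confirm the subscription"; that is pre-existing, but this import is a good point to report it upstream together with the missing service name.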
│    ├[~]  resource AWS::SNS::Topic
│    │  ├      - documentation: The `AWS::SNS::Topic` resource creates a topic to which notifications can be published.
│    │  │      > One account can create a maximum of 100,000 standard topics and 1,000 FIFO topics. For more information, see [Amazon SNS endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sns.html) in the *AWS General Reference* .
│    │  │      + documentation: The `AWS::SNS::Topic` resource creates a topic to which notifications can be published.
│    │  │      > One account can create a maximum of 100,000 standard topics and 1,000 FIFO topics. For more information, see [Amazon  endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sns.html) in the *AWS General Reference* .
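Review bot: the quota note now reads "[Amazon  endpoints and quotas]" with "SNS" missing from the link text; the quota figures (100,000 standard topics, 1,000 FIFO topics) and the link target are unchanged.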
│    │  ├ properties
│    │  │  ├ ArchivePolicy: (documentation changed)
│    │  │  ├ ContentBasedDeduplication: (documentation changed)
│    │  │  ├ DisplayName: (documentation changed)
│    │  │  ├ KmsMasterKeyId: (documentation changed)
│    │  │  ├ Subscription: (documentation changed)
│    │  │  └ TracingConfig: (documentation changed)
│    │  ├ attributes
│    │  │  ├ TopicArn: (documentation changed)
│    │  │  └ TopicName: (documentation changed)
│    │  └ types
│    │     └[~] type Subscription
│    │       ├      - documentation: `Subscription` is an embedded property that describes the subscription endpoints of an Amazon SNS topic.
│    │       │      > For full control over subscription behavior (for example, delivery policy, filtering, raw message delivery, and cross-region subscriptions), use the [AWS::SNS::Subscription](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-subscription.html) resource.
│    │       │      + documentation: `Subscription` is an embedded property that describes the subscription endpoints of an Amazon  topic.
│    │       │      > For full control over subscription behavior (for example, delivery policy, filtering, raw message delivery, and cross-region subscriptions), use the [AWS::SNS::Subscription](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-subscription.html) resource.
│    │       └ properties
│    │          ├ Endpoint: (documentation changed)
│    │          └ Protocol: (documentation changed)
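Review bot: "subscription endpoints of an Amazon  topic" drops "SNS" as in the resource description above; the pointer to AWS::SNS::Subscription for full control over delivery policy, filtering and raw message delivery is unchanged.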
│    ├[~]  resource AWS::SNS::TopicInlinePolicy
│    │  ├      - documentation: The `AWS::SNS::TopicInlinePolicy` resource associates one Amazon SNS topic with one policy.
│    │  │      + documentation: The `AWS::SNS::TopicInlinePolicy` resource associates one Amazon  topic with one policy.
│    │  └ properties
│    │     └ PolicyDocument: (documentation changed)
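Review bot: "associates one Amazon  topic with one policy" drops "SNS"; same pattern.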
│    └[~]  resource AWS::SNS::TopicPolicy
│       └      - documentation: The `AWS::SNS::TopicPolicy` resource associates Amazon SNS topics with a policy. For an example snippet, see [Declaring an Amazon SNS policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sns-policy) in the *CloudFormation User Guide* .
│              + documentation: The `AWS::SNS::TopicPolicy` resource associates Amazon  topics with a policy. For an example snippet, see [Declaring an Amazon  policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sns-policy) in the *CloudFormation User Guide* .
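Review bot: both "associates Amazon  topics with a policy" and the link text "Declaring an Amazon  policy" drop "SNS"; the link target is unchanged.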
├[~] service aws-sqs
│ └ resources
│    └[~]  resource AWS::SQS::Queue
│       └ properties
│          └ KmsDataKeyReusePeriodSeconds: (documentation changed)
├[~] service aws-ssmguiconnect
│ └ resources
│    └[~]  resource AWS::SSMGuiConnect::Preferences
│       └ types
│          └[~] type ConnectionRecordingPreferences
│            └ properties
│               └ KMSKeyArn: (documentation changed)
├[~] service aws-ssmincidents
│ └ resources
│    ├[~]  resource AWS::SSMIncidents::ReplicationSet
│    │  └      - documentation: The `AWS::SSMIncidents::ReplicationSet` resource specifies a set of AWS Regions that Incident Manager data is replicated to and the AWS Key Management Service ( AWS KMS key used to encrypt the data.
│    │         + documentation: The `AWS::SSMIncidents::ReplicationSet` resource specifies a set of AWS Regions that Incident Manager data is replicated to and the AWS Key Management Service ( AWS  key used to encrypt the data.
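Review bot: the new text reads "the AWS Key Management Service ( AWS  key used to encrypt the data", with "KMS" dropped. The opening parenthesis has no closing one in either version, so the old sentence was already malformed ("( AWS KMS key"); the expected wording is "AWS Key Management Service (AWS KMS) key". Both problems are worth fixing upstream rather than importing as is.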
│    └[~]  resource AWS::SSMIncidents::ResponsePlan
│       └ types
│          ├[~] type ChatChannel
│          │ └ properties
│          │    └ ChatbotSns: (documentation changed)
│          ├[~] type IncidentTemplate
│          │ └ properties
│          │    └ NotificationTargets: (documentation changed)
│          └[~] type NotificationTargetItem
│            ├      - documentation: The Amazon SNS topic that's used by  to notify the incidents chat channel.
│            │      + documentation: The Amazon  topic that's used by  to notify the incidents chat channel.
│            └ properties
│               └ SnsTopicArn: (documentation changed)
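Review bot: "The Amazon  topic that's used by  to notify" now has two blanks: "SNS" was dropped in this update, and the name of the notifying service was already missing before it (the old text also read "used by  to notify"). Both are entity-expansion gaps in the source.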
├[~] service aws-sso
│ └ resources
│    └[~]  resource AWS::SSO::Application
│       └      - documentation: Creates an OAuth 2.0 customer managed application in IAM Identity Center for the given application provider.
│              > This API does not support creating SAML 2.0 customer managed applications or AWS managed applications. To learn how to create an AWS managed application, see the application user guide. You can create a SAML 2.0 customer managed application in the AWS Management Console only. See [Setting up customer managed SAML 2.0 applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-setup.html) . For more information on these application types, see [AWS managed applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps.html) .
│              + documentation: Creates an OAuth 2.0 customer managed application in IAM Identity Center for the given application provider.
│              > This API does not support creating SAML 2.0 customer managed applications or AWS managed applications. To learn how to create an AWS managed application, see the application user guide. You can create a SAML 2.0 customer managed application in the the console only. See [Setting up customer managed SAML 2.0 applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-setup.html) . For more information on these application types, see [AWS managed applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps.html) .
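Review bot: "You can create a SAML 2.0 customer managed application in the the console only" has a doubled "the", produced by replacing "the AWS Management Console" with an empty token followed by "the console". Suggest keeping the old sentence.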
├[~] service aws-stepfunctions
│ └ resources
│    ├[~]  resource AWS::StepFunctions::Activity
│    │  └ types
│    │     └[~] type EncryptionConfiguration
│    │       ├      - documentation: Settings to configure server-side encryption for an activity. By default, Step Functions provides transparent server-side encryption. With this configuration, you can specify a customer managed AWS KMS key for encryption.
│    │       │      + documentation: Settings to configure server-side encryption for an activity. By default, Step Functions provides transparent server-side encryption. With this configuration, you can specify a customer managed AWS  key for encryption.
│    │       └ properties
│    │          └ KmsKeyId: (documentation changed)
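Review bot: "a customer managed AWS  key for encryption" drops "KMS"; same pattern as the other encryption descriptions.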
│    └[~]  resource AWS::StepFunctions::StateMachine
│       └ types
│          └[~] type EncryptionConfiguration
│            ├      - documentation: Settings to configure server-side encryption for a state machine. By default, Step Functions provides transparent server-side encryption. With this configuration, you can specify a customer managed AWS KMS key for encryption.
│            │      + documentation: Settings to configure server-side encryption for a state machine. By default, Step Functions provides transparent server-side encryption. With this configuration, you can specify a customer managed AWS  key for encryption.
│            └ properties
│               └ KmsKeyId: (documentation changed)
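Review bot: the same "AWS  key" regression appears in the AWS::StepFunctions::StateMachine EncryptionConfiguration description, so both Step Functions types now describe server-side encryption without naming KMS. If the Activity text is reported upstream, include this one in the same report.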
├[~] service aws-synthetics
│ └ resources
│    └[~]  resource AWS::Synthetics::Canary
│       └ types
│          └[~] type S3Encryption
│            └ properties
│               ├ EncryptionMode: (documentation changed)
│               └ KmsKeyArn: (documentation changed)
├[~] service aws-timestream
│ └ resources
│    ├[~]  resource AWS::Timestream::Database
│    │  ├      - documentation: Creates a new Timestream database. If the AWS KMS key is not specified, the database will be encrypted with a Timestream managed AWS KMS key located in your account. Refer to [AWS managed AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) for more info. [Service quotas apply](https://docs.aws.amazon.com/timestream/latest/developerguide/ts-limits.html) . See [code sample](https://docs.aws.amazon.com/timestream/latest/developerguide/code-samples.create-db.html) for details.
│    │  │      + documentation: Creates a new Timestream database. If the AWS  key is not specified, the database will be encrypted with a Timestream managed AWS  key located in your account. Refer to [AWS managed AWS  keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) for more info. [Service quotas apply](https://docs.aws.amazon.com/timestream/latest/developerguide/ts-limits.html) . See [code sample](https://docs.aws.amazon.com/timestream/latest/developerguide/code-samples.create-db.html) for details.
│    │  └ properties
│    │     └ KmsKeyId: (documentation changed)
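Review bot: the new AWS::Timestream::Database description has "KMS" removed in three places ("AWS  key", "Timestream managed AWS  key", "[AWS managed AWS  keys]"), while the link target still points at the KMS developer guide's aws-managed-cmk section. The link text and its target are now inconsistent, which is a further sign that the upstream source lost a service-name token rather than being rewritten on purpose.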
│    └[~]  resource AWS::Timestream::Table
│       └ types
│          └[~] type S3Configuration
│            └ properties
│               └ KmsKeyId: (documentation changed)
├[~] service aws-wafv2
│ └ resources
│    ├[~]  resource AWS::WAFv2::IPSet
│    │  └ properties
│    │     └ Scope: (documentation changed)
│    ├[~]  resource AWS::WAFv2::RegexPatternSet
│    │  └ properties
│    │     └ Scope: (documentation changed)
│    ├[~]  resource AWS::WAFv2::RuleGroup
│    │  └ properties
│    │     └ Scope: (documentation changed)
│    ├[~]  resource AWS::WAFv2::WebACL
│    │  ├      - documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
│    │  │      Use an `WebACL` to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.
│    │  │      The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.
│    │  │      You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer , an AWS AppSync GraphQL API , an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
│    │  │      For more information, see [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF developer guide* .
│    │  │      *Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation*
│    │  │      If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with `ShieldMitigationRuleGroup` . This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF . You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.
│    │  │      When you manage the web ACL through CloudFormation interfaces, you won't see the Shield Advanced rule. CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.
│    │  │      Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.
│    │  │      For more information, see [Shield Advanced automatic application layer DDoS mitigation](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response.html) in the *AWS Shield Advanced developer guide* .
│    │  │      + documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
│    │  │      Use an `WebACL` to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.
│    │  │      The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.
│    │  │      You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an  REST API, an Application Load Balancer , an AWS AppSync GraphQL API , an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
│    │  │      For more information, see [Web access control lists (web ACLs)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the *AWS WAF developer guide* .
│    │  │      *Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation*
│    │  │      If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with `ShieldMitigationRuleGroup` . This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF . You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.
│    │  │      When you manage the web ACL through CloudFormation interfaces, you won't see the Shield Advanced rule. CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.
│    │  │      Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.
│    │  │      For more information, see [Shield Advanced automatic application layer DDoS mitigation](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response.html) in the *AWS Shield Advanced developer guide* .
│    │  └ properties
│    │     └ Scope: (documentation changed)
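Review bot: in the AWS::WAFv2::WebACL description, the "+ documentation" list of protectable resources reads "an  REST API" (double space) where the "- documentation" text read "an Amazon API Gateway REST API"; every other sentence of the description is unchanged. The dropped service name leaves the list of associable resource types incomplete, so this should be confirmed against the upstream WAF documentation before the generated docs ship it.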
│    └[~]  resource AWS::WAFv2::WebACLAssociation
│       └      - documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
│              Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
│              For Amazon CloudFront , don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the `WebACL` to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see [AWS::CloudFront::Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) .
│              *Required permissions for customer-managed IAM policies*
│              This call requires permissions that are specific to the protected resource type. For details, see [Permissions for AssociateWebACL](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_action-AssociateWebACL) in the *AWS WAF Developer Guide* .
│              *Temporary inconsistencies during updates*
│              When you create or change a web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
│              The following are examples of the temporary inconsistencies that you might notice during change propagation:
│              - After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.
│              - After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.
│              - After you change a rule action setting, you might see the old action in some places and the new action in others.
│              - After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
│              + documentation: > This is the latest version of *AWS WAF* , named AWS WAF V2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the [AWS WAF developer guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . 
│              Use a web ACL association to define an association between a web ACL and a regional application resource, to protect the resource. A regional application can be an Application Load Balancer (ALB), an  REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.
│              For Amazon CloudFront , don't use this resource. Instead, use your CloudFront distribution configuration. To associate a web ACL with a distribution, provide the Amazon Resource Name (ARN) of the `WebACL` to your CloudFront distribution configuration. To disassociate a web ACL, provide an empty ARN. For information, see [AWS::CloudFront::Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) .
│              *Required permissions for customer-managed IAM policies*
│              This call requires permissions that are specific to the protected resource type. For details, see [Permissions for AssociateWebACL](https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_service-with-iam.html#security_iam_action-AssociateWebACL) in the *AWS WAF Developer Guide* .
│              *Temporary inconsistencies during updates*
│              When you create or change a web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
│              The following are examples of the temporary inconsistencies that you might notice during change propagation:
│              - After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.
│              - After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.
│              - After you change a rule action setting, you might see the old action in some places and the new action in others.
│              - After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
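Review bot: the AWS::WAFv2::WebACLAssociation description has the identical regression, "an  REST API" in place of "an Amazon API Gateway REST API", in the sentence listing regional application resources. Since the two WAF descriptions and the KMS descriptions above all lose a service-name token in the same sync, it is likely one upstream change; a single upstream report covering all of them would be more useful than fixing them individually in this auto-generated branch.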
└[~] service aws-workspaces
  └ resources
     └[~]  resource AWS::WorkSpaces::Workspace
        └ properties
           ├ DirectoryId: (documentation changed)
           └ UserName: (documentation changed)

@aws-cdk-automation aws-cdk-automation added this pull request to the merge queue Nov 20, 2025
Merged via the queue into main with commit f3bab81 Nov 20, 2025
13 checks passed
@aws-cdk-automation aws-cdk-automation deleted the update-source/documentation branch November 20, 2025 03:54