aws-cdk-automation commented Nov 10, 2025

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-rtbfabric
│ └ resources
│    ├[~]  resource AWS::RTBFabric::Link
│    │  ├      - documentation: Resource Type definition for AWS::RTBFabric::Link Resource Type
│    │  │      + documentation: Creates a new link between gateways.
│    │  │      Establishes a connection that allows gateways to communicate and exchange bid requests and responses.
│    │  ├ properties
│    │  │  ├ GatewayId: (documentation changed)
│    │  │  ├ HttpResponderAllowed: (documentation changed)
│    │  │  ├ LinkAttributes: (documentation changed)
│    │  │  ├ LinkLogSettings: (documentation changed)
│    │  │  ├ PeerGatewayId: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  ├ attributes
│    │  │  └ LinkId: (documentation changed)
│    │  └ types
│    │     ├[~] type Action
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes a bid action.
│    │     │ └ properties
│    │     │    ├ HeaderTag: (documentation changed)
│    │     │    └ NoBid: (documentation changed)
│    │     ├[~] type ApplicationLogs
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the configuration of a link application log.
│    │     │ └ properties
│    │     │    └ LinkApplicationLogSampling: (documentation changed)
│    │     ├[~] type Filter
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the configuration of a filter.
│    │     │ └ properties
│    │     │    └ Criteria: (documentation changed)
│    │     ├[~] type FilterCriterion
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the criteria for a filter.
│    │     │ └ properties
│    │     │    ├ Path: (documentation changed)
│    │     │    └ Values: (documentation changed)
│    │     ├[~] type HeaderTagAction
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the header tag for a bid action.
│    │     │ └ properties
│    │     │    ├ Name: (documentation changed)
│    │     │    └ Value: (documentation changed)
│    │     ├[~] type LinkApplicationLogSampling
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes a link application log sample.
│    │     │ └ properties
│    │     │    ├ ErrorLog: (documentation changed)
│    │     │    └ FilterLog: (documentation changed)
│    │     ├[~] type LinkAttributes
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the attributes of a link.
│    │     │ └ properties
│    │     │    ├ CustomerProvidedId: (documentation changed)
│    │     │    └ ResponderErrorMasking: (documentation changed)
│    │     ├[~] type LinkLogSettings
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the settings for a link log.
│    │     │ └ properties
│    │     │    └ ApplicationLogs: (documentation changed)
│    │     ├[~] type ModuleConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the configuration of a module.
│    │     │ └ properties
│    │     │    ├ DependsOn: (documentation changed)
│    │     │    ├ ModuleParameters: (documentation changed)
│    │     │    ├ Name: (documentation changed)
│    │     │    └ Version: (documentation changed)
│    │     ├[~] type ModuleParameters
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the parameters of a module.
│    │     │ └ properties
│    │     │    ├ NoBid: (documentation changed)
│    │     │    └ OpenRtbAttribute: (documentation changed)
│    │     ├[~] type NoBidAction
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes a no bid action.
│    │     │ └ properties
│    │     │    └ NoBidReasonCode: (documentation changed)
│    │     ├[~] type NoBidModuleParameters
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the parameters of a no bid module.
│    │     │ └ properties
│    │     │    ├ PassThroughPercentage: (documentation changed)
│    │     │    ├ Reason: (documentation changed)
│    │     │    └ ReasonCode: (documentation changed)
│    │     ├[~] type OpenRtbAttributeModuleParameters
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Describes the parameters of an open RTB attribute module.
│    │     │ └ properties
│    │     │    ├ Action: (documentation changed)
│    │     │    ├ FilterConfiguration: (documentation changed)
│    │     │    ├ FilterType: (documentation changed)
│    │     │    └ HoldbackPercentage: (documentation changed)
│    │     └[~] type ResponderErrorMaskingForHttpCode
│    │       ├      - documentation: undefined
│    │       │      + documentation: Describes the masking for HTTP error codes.
│    │       └ properties
│    │          ├ Action: (documentation changed)
│    │          ├ HttpCode: (documentation changed)
│    │          ├ LoggingTypes: (documentation changed)
│    │          └ ResponseLoggingPercentage: (documentation changed)
│    ├[~]  resource AWS::RTBFabric::RequesterGateway
│    │  ├      - documentation: Resource Type definition for AWS::RTBFabric::RequesterGateway Resource Type.
│    │  │      + documentation: Creates a requester gateway.
│    │  └ properties
│    │     ├ Description: (documentation changed)
│    │     ├ SecurityGroupIds: (documentation changed)
│    │     ├ SubnetIds: (documentation changed)
│    │     ├ Tags: (documentation changed)
│    │     └ VpcId: (documentation changed)
│    └[~]  resource AWS::RTBFabric::ResponderGateway
│       ├      - documentation: Resource Type definition for AWS::RTBFabric::ResponderGateway Resource Type
│       │      + documentation: Creates a responder gateway.
│       │      > A domain name or managed endpoint is required.
│       ├ properties
│       │  ├ Description: (documentation changed)
│       │  ├ DomainName: (documentation changed)
│       │  ├ ManagedEndpointConfiguration: (documentation changed)
│       │  ├ Port: (documentation changed)
│       │  ├ Protocol: (documentation changed)
│       │  ├ SecurityGroupIds: (documentation changed)
│       │  ├ SubnetIds: (documentation changed)
│       │  ├ Tags: (documentation changed)
│       │  ├ TrustStoreConfiguration: (documentation changed)
│       │  └ VpcId: (documentation changed)
│       └ types
│          ├[~] type AutoScalingGroupsConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Describes the configuration of an auto scaling group.
│          │ └ properties
│          │    ├ AutoScalingGroupNameList: (documentation changed)
│          │    └ RoleArn: (documentation changed)
│          ├[~] type EksEndpointsConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Describes the configuration of an Amazon Elastic Kubernetes Service endpoint.
│          │ └ properties
│          │    ├ ClusterApiServerCaCertificateChain: (documentation changed)
│          │    ├ ClusterApiServerEndpointUri: (documentation changed)
│          │    ├ ClusterName: (documentation changed)
│          │    ├ EndpointsResourceName: (documentation changed)
│          │    ├ EndpointsResourceNamespace: (documentation changed)
│          │    └ RoleArn: (documentation changed)
│          ├[~] type ManagedEndpointConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Describes the configuration of a managed endpoint.
│          │ └ properties
│          │    ├ AutoScalingGroupsConfiguration: (documentation changed)
│          │    └ EksEndpointsConfiguration: (documentation changed)
│          └[~] type TrustStoreConfiguration
│            ├      - documentation: undefined
│            │      + documentation: Describes the configuration of a trust store.
│            └ properties
│               └ CertificateAuthorityCertificates: (documentation changed)
├[~] service aws-s3tables
│ └ resources
│    ├[~]  resource AWS::S3Tables::Table
│    │  ├      - tagInformation: undefined
│    │  │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │  └ properties
│    │     └[+] Tags: Array<tag>
│    └[~]  resource AWS::S3Tables::TableBucket
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       └ properties
│          └[+] Tags: Array<tag>
├[~] service aws-s3vectors
│ └ resources
│    ├[~]  resource AWS::S3Vectors::Index
│    │  ├      - documentation: Resource Type definition for AWS::S3Vectors::Index
│    │  │      + documentation: The `AWS::S3Vectors::Index` resource defines a vector index within an Amazon S3 vector bucket. For more information, see [Creating a vector index in a vector bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-create-index.html) in the *Amazon Simple Storage Service User Guide* .
│    │  │      You must specify either `VectorBucketName` or `VectorBucketArn` to identify the bucket that contains the index.
│    │  │      To control how AWS CloudFormation handles the vector index when the stack is deleted, you can set a deletion policy for your index. You can choose to *retain* the index or to *delete* the index. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│    │  │      - **Permissions** - The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
│    │  │      - Create
│    │  │      - s3vectors:CreateIndex
│    │  │      - s3vectors:GetIndex
│    │  │      - Read
│    │  │      - s3vectors:GetIndex
│    │  │      - Delete
│    │  │      - s3vectors:DeleteIndex
│    │  │      - s3vectors:GetIndex
│    │  │      - List
│    │  │      - s3vectors:ListIndexes
│    │  ├ properties
│    │  │  ├ DataType: (documentation changed)
│    │  │  ├ Dimension: (documentation changed)
│    │  │  ├ DistanceMetric: (documentation changed)
│    │  │  ├ IndexName: (documentation changed)
│    │  │  └ VectorBucketArn: (documentation changed)
│    │  ├ attributes
│    │  │  ├ CreationTime: (documentation changed)
│    │  │  └ IndexArn: (documentation changed)
│    │  └ types
│    │     └[~] type MetadataConfiguration
│    │       ├      - documentation: The metadata configuration for the vector index.
│    │       │      + documentation: The metadata configuration for the vector index. This configuration allows you to specify which metadata keys should be treated as non-filterable.
│    │       └ properties
│    │          └ NonFilterableMetadataKeys: (documentation changed)
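Review bot: in the new `AWS::S3Vectors::Index` documentation the list under **Permissions** is flat, so the operation names (Create, Read, Delete, List) sit at the same bullet level as the IAM actions such as `s3vectors:CreateIndex`, and a reader can only tell which actions belong to which operation from their order. Suggest nesting the actions under their operation when the upstream text is converted, so that anyone scoping a CloudFormation execution role from this text does not misread the grouping.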
│    ├[~]  resource AWS::S3Vectors::VectorBucket
│    │  ├      - documentation: Resource Type definition for AWS::S3Vectors::VectorBucket
│    │  │      + documentation: Defines an Amazon S3 vector bucket in the same AWS Region where you create the AWS CloudFormation stack.
│    │  │      Vector buckets are specialized storage containers designed for storing and managing vector data used in machine learning and AI applications. They provide optimized storage and retrieval capabilities for high-dimensional vector data.
│    │  │      To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to *retain* the bucket or to *delete* the bucket. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│    │  │      > You can only delete empty vector buckets. Deletion fails for buckets that have contents. 
│    │  │      - **Permissions** - The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
│    │  │      - Create
│    │  │      - s3vectors:CreateVectorBucket
│    │  │      - s3vectors:GetVectorBucket
│    │  │      - kms:GenerateDataKey (if using KMS encryption)
│    │  │      - Read
│    │  │      - s3vectors:GetVectorBucket
│    │  │      - kms:GenerateDataKey (if using KMS encryption)
│    │  │      - Delete
│    │  │      - s3vectors:DeleteVectorBucket
│    │  │      - s3vectors:GetVectorBucket
│    │  │      - kms:GenerateDataKey (if using KMS encryption)
│    │  │      - List
│    │  │      - s3vectors:ListVectorBuckets
│    │  │      - kms:GenerateDataKey (if using KMS encryption)
│    │  │      - arnTemplate: undefined
│    │  │      + arnTemplate: arn:${Partition}:s3vectors:${Region}:${Account}:bucket/${BucketName}
│    │  ├ properties
│    │  │  └ VectorBucketName: (documentation changed)
│    │  ├ attributes
│    │  │  ├ CreationTime: (documentation changed)
│    │  │  └ VectorBucketArn: (documentation changed)
│    │  └ types
│    │     └[~] type EncryptionConfiguration
│    │       ├      - documentation: The encryption configuration for the vector bucket.
│    │       │      + documentation: Specifies the encryption configuration for the vector bucket. By default, all new vectors in Amazon S3 vector buckets use server-side encryption with Amazon S3 managed keys (SSE-S3), specifically AES256.
│    │       └ properties
│    │          ├ KmsKeyArn: (documentation changed)
│    │          └ SseType: (documentation changed)
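Review bot: the added arnTemplate on `AWS::S3Vectors::VectorBucket` uses the placeholder `${BucketName}`, while the name property listed for this resource is `VectorBucketName`. If anything resolves ARN template placeholders against property names, confirm it handles this one; otherwise a short note that the placeholder is not a property name would help anyone building IAM resource ARNs from the template.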
│    └[~]  resource AWS::S3Vectors::VectorBucketPolicy
│       ├      - documentation: Resource Type definition for AWS::S3Vectors::VectorBucketPolicy
│       │      + documentation: The `AWS::S3Vectors::VectorBucketPolicy` resource defines an Amazon S3 vector bucket policy to control access to an Amazon S3 vector bucket.
│       │      Vector bucket policies are written in JSON and allow you to grant or deny permissions across all (or a subset of) objects within a vector bucket.
│       │      You must specify either `VectorBucketName` or `VectorBucketArn` to identify the target bucket.
│       │      To control how AWS CloudFormation handles the vector bucket policy when the stack is deleted, you can set a deletion policy for your policy. You can choose to *retain* the policy or to *delete* the policy. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│       │      - **Permissions** - The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
│       │      - Create
│       │      - s3vectors:GetVectorBucketPolicy
│       │      - s3vectors:PutVectorBucketPolicy
│       │      - Read
│       │      - s3vectors:GetVectorBucketPolicy
│       │      - Update
│       │      - s3vectors:GetVectorBucketPolicy
│       │      - s3vectors:PutVectorBucketPolicy
│       │      - Delete
│       │      - s3vectors:GetVectorBucketPolicy
│       │      - s3vectors:DeleteVectorBucketPolicy
│       │      - List
│       │      - s3vectors:GetVectorBucketPolicy
│       │      - s3vectors:ListVectorBuckets
│       └ properties
│          ├ Policy: (documentation changed)
│          ├ VectorBucketArn: (documentation changed)
│          └ VectorBucketName: (documentation changed)
├[~] service aws-securityhub
│ └ resources
│    ├[~]  resource AWS::SecurityHub::AutomationRule
│    │  ├      - documentation: The `AWS::SecurityHub::AutomationRule` resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .
│    │  │      + documentation: The `AWS::SecurityHub::AutomationRule` resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *Security Hub User Guide* .
│    │  └ types
│    │     ├[~] type AutomationRulesAction
│    │     │ └      - documentation: One or more actions that AWS Security Hub takes when a finding matches the defined criteria of a rule.
│    │     │        + documentation: One or more actions that Security Hub takes when a finding matches the defined criteria of a rule.
│    │     ├[~] type AutomationRulesFindingFilters
│    │     │ └ properties
│    │     │    ├ Confidence: (documentation changed)
│    │     │    ├ CreatedAt: (documentation changed)
│    │     │    ├ Criticality: (documentation changed)
│    │     │    ├ FirstObservedAt: (documentation changed)
│    │     │    ├ LastObservedAt: (documentation changed)
│    │     │    ├ NoteUpdatedAt: (documentation changed)
│    │     │    ├ Type: (documentation changed)
│    │     │    └ UpdatedAt: (documentation changed)
│    │     ├[~] type DateFilter
│    │     │ └ properties
│    │     │    ├ End: (documentation changed)
│    │     │    └ Start: (documentation changed)
│    │     ├[~] type MapFilter
│    │     │ ├      - documentation: A map filter for filtering AWS Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│    │     │ │      + documentation: A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│    │     │ └ properties
│    │     │    └ Comparison: (documentation changed)
│    │     └[~] type StringFilter
│    │       ├      - documentation: A string filter for filtering AWS Security Hub findings.
│    │       │      + documentation: A string filter for filtering Security Hub findings.
│    │       └ properties
│    │          └ Comparison: (documentation changed)
│    ├[~]  resource AWS::SecurityHub::AutomationRuleV2
│    │  └ types
│    │     ├[~] type DateFilter
│    │     │ └ properties
│    │     │    ├ End: (documentation changed)
│    │     │    └ Start: (documentation changed)
│    │     ├[~] type MapFilter
│    │     │ ├      - documentation: A map filter for filtering AWS Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│    │     │ │      + documentation: A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│    │     │ └ properties
│    │     │    └ Comparison: (documentation changed)
│    │     └[~] type StringFilter
│    │       ├      - documentation: A string filter for filtering AWS Security Hub findings.
│    │       │      + documentation: A string filter for filtering Security Hub findings.
│    │       └ properties
│    │          └ Comparison: (documentation changed)
│    ├[~]  resource AWS::SecurityHub::ConfigurationPolicy
│    │  ├      - documentation: The `AWS::SecurityHub::ConfigurationPolicy` resource creates a central configuration policy with the defined settings. Only the AWS Security Hub delegated administrator can create this resource in the home Region. For more information, see [Central configuration in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in the *AWS Security Hub User Guide* .
│    │  │      + documentation: The `AWS::SecurityHub::ConfigurationPolicy` resource creates a central configuration policy with the defined settings. Only the Security Hub delegated administrator can create this resource in the home Region. For more information, see [Central configuration in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in the *Security Hub User Guide* .
│    │  ├ properties
│    │  │  ├ ConfigurationPolicy: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  └ types
│    │     ├[~] type ParameterConfiguration
│    │     │ └ properties
│    │     │    └ ValueType: (documentation changed)
│    │     ├[~] type Policy
│    │     │ └      - documentation: An object that defines how AWS Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
│    │     │        + documentation: An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
│    │     ├[~] type SecurityControlsConfiguration
│    │     │ └      - documentation: An object that defines which security controls are enabled in an AWS Security Hub configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
│    │     │        This property is required only if `ServiceEnabled` is set to `true` in your configuration policy.
│    │     │        + documentation: An object that defines which security controls are enabled in an Security Hub configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
│    │     │        This property is required only if `ServiceEnabled` is set to `true` in your configuration policy.
│    │     └[~] type SecurityHubPolicy
│    │       └      - documentation: An object that defines how AWS Security Hub is configured. The configuration policy includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
│    │              + documentation: An object that defines how Security Hub is configured. The configuration policy includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
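Review bot: the new documentation for type `SecurityControlsConfiguration` reads "enabled in an Security Hub configuration policy"; dropping "AWS" from the product name left the article wrong. It should read "a Security Hub configuration policy", and since this text is generated the fix belongs upstream in the service spec rather than in this PR.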
│    ├[~]  resource AWS::SecurityHub::DelegatedAdmin
│    │  └      - documentation: The `AWS::SecurityHub::DelegatedAdmin` resource designates the delegated AWS Security Hub administrator account for an organization. You must enable the integration between Security Hub and AWS Organizations before you can designate a delegated Security Hub administrator. Only the management account for an organization can designate the delegated Security Hub administrator account. For more information, see [Designating the delegated Security Hub administrator](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-instructions) in the *AWS Security Hub User Guide* .
│    │         To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account.
│    │         To designate multiple delegated administrators in different organizations and AWS Regions , we recommend using [AWS CloudFormation mappings](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html) .
│    │         Tags aren't supported for this resource.
│    │         + documentation: The `AWS::SecurityHub::DelegatedAdmin` resource designates the delegated Security Hub administrator account for an organization. You must enable the integration between Security Hub and AWS Organizations before you can designate a delegated Security Hub administrator. Only the management account for an organization can designate the delegated Security Hub administrator account. For more information, see [Designating the delegated Security Hub administrator](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-instructions) in the *Security Hub User Guide* .
│    │         To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account.
│    │         To designate multiple delegated administrators in different organizations and AWS Regions , we recommend using [AWS CloudFormation mappings](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html) .
│    │         Tags aren't supported for this resource.
│    ├[~]  resource AWS::SecurityHub::FindingAggregator
│    │  └      - documentation: The `AWS::SecurityHub::FindingAggregator` resource enables cross-Region aggregation. When cross-Region aggregation is enabled, you can aggregate findings, finding updates, insights, control compliance statuses, and security scores from one or more linked Regions to a single aggregation Region. You can then view and manage all of this data from the aggregation Region. For more details about cross-Region aggregation, see [Cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) in the *AWS Security Hub User Guide*
│    │         This resource must be created in the Region that you want to designate as your aggregation Region.
│    │         Cross-Region aggregation is also a prerequisite for using [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in Security Hub .
│    │         + documentation: The `AWS::SecurityHub::FindingAggregator` resource enables cross-Region aggregation. When cross-Region aggregation is enabled, you can aggregate findings, finding updates, insights, control compliance statuses, and security scores from one or more linked Regions to a single aggregation Region. You can then view and manage all of this data from the aggregation Region. For more details about cross-Region aggregation, see [Cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) in the *Security Hub User Guide*
│    │         This resource must be created in the Region that you want to designate as your aggregation Region.
│    │         Cross-Region aggregation is also a prerequisite for using [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in Security Hub .
│    ├[~]  resource AWS::SecurityHub::Hub
│    │  └      - documentation: The `AWS::SecurityHub::Hub` resource specifies the enablement of the AWS Security Hub service in your AWS account . The service is enabled in the current AWS Region or the specified Region. You create a separate `Hub` resource in each Region in which you want to enable Security Hub .
│    │         When you use this resource to enable Security Hub , default security standards are enabled. To disable default standards, set the `EnableDefaultStandards` property to `false` . You can use the [`AWS::SecurityHub::Standard`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html) resource to enable additional standards.
│    │         When you use this resource to enable Security Hub , new controls are automatically enabled for your enabled standards. To disable automatic enablement of new controls, set the `AutoEnableControls` property to `false` .
│    │         You must create an `AWS::SecurityHub::Hub` resource for an account before you can create other types of Security Hub resources for the account through AWS CloudFormation . Use a [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) , such as `"DependsOn": "Hub"` , to ensure that you've created an `AWS::SecurityHub::Hub` resource before creating other Security Hub resources for an account.
│    │         + documentation: The `AWS::SecurityHub::Hub` resource specifies the enablement of the Security Hub service in your AWS account . The service is enabled in the current AWS Region or the specified Region. You create a separate `Hub` resource in each Region in which you want to enable Security Hub .
│    │         When you use this resource to enable Security Hub , default security standards are enabled. To disable default standards, set the `EnableDefaultStandards` property to `false` . You can use the [`AWS::SecurityHub::Standard`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html) resource to enable additional standards.
│    │         When you use this resource to enable Security Hub , new controls are automatically enabled for your enabled standards. To disable automatic enablement of new controls, set the `AutoEnableControls` property to `false` .
│    │         You must create an `AWS::SecurityHub::Hub` resource for an account before you can create other types of Security Hub resources for the account through AWS CloudFormation . Use a [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) , such as `"DependsOn": "Hub"` , to ensure that you've created an `AWS::SecurityHub::Hub` resource before creating other Security Hub resources for an account.
│    ├[~]  resource AWS::SecurityHub::Insight
│    │  ├      - documentation: The `AWS::SecurityHub::Insight` resource creates a custom insight in AWS Security Hub . An insight is a collection of findings that relate to a security issue that requires attention or remediation. For more information, see [Insights in AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html) in the *AWS Security Hub User Guide* .
│    │  │      Tags aren't supported for this resource.
│    │  │      + documentation: The `AWS::SecurityHub::Insight` resource creates a custom insight in Security Hub . An insight is a collection of findings that relate to a security issue that requires attention or remediation. For more information, see [Insights in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html) in the *Security Hub User Guide* .
│    │  │      Tags aren't supported for this resource.
│    │  └ types
│    │     ├[~] type AwsSecurityFindingFilters
│    │     │ ├      - documentation: A collection of filters that are applied to all active findings aggregated by AWS Security Hub .
│    │     │ │      You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
│    │     │ │      + documentation: A collection of filters that are applied to all active findings aggregated by Security Hub .
│    │     │ │      You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
│    │     │ └ properties
│    │     │    ├ CreatedAt: (documentation changed)
│    │     │    ├ FirstObservedAt: (documentation changed)
│    │     │    ├ LastObservedAt: (documentation changed)
│    │     │    ├ ProcessLaunchedAt: (documentation changed)
│    │     │    ├ ProcessTerminatedAt: (documentation changed)
│    │     │    ├ ResourceContainerLaunchedAt: (documentation changed)
│    │     │    ├ ThreatIntelIndicatorLastObservedAt: (documentation changed)
│    │     │    └ UpdatedAt: (documentation changed)
│    │     ├[~] type DateFilter
│    │     │ └ properties
│    │     │    ├ End: (documentation changed)
│    │     │    └ Start: (documentation changed)
│    │     ├[~] type MapFilter
│    │     │ ├      - documentation: A map filter for filtering AWS Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│    │     │ │      + documentation: A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│    │     │ └ properties
│    │     │    └ Comparison: (documentation changed)
│    │     └[~] type StringFilter
│    │       ├      - documentation: A string filter for filtering AWS Security Hub findings.
│    │       │      + documentation: A string filter for filtering Security Hub findings.
│    │       └ properties
│    │          └ Comparison: (documentation changed)
│    ├[~]  resource AWS::SecurityHub::OrganizationConfiguration
│    │  └      - documentation: The `AWS::SecurityHub::OrganizationConfiguration` resource specifies the way that your AWS organization is configured in AWS Security Hub . Specifically, you can use this resource to specify the configuration type for your organization and whether to automatically Security Hub and security standards in new member accounts. For more information, see [Managing administrator and member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html) in the *AWS Security Hub User Guide* .
│    │         + documentation: The `AWS::SecurityHub::OrganizationConfiguration` resource specifies the way that your AWS organization is configured in Security Hub . Specifically, you can use this resource to specify the configuration type for your organization and whether to automatically Security Hub and security standards in new member accounts. For more information, see [Managing administrator and member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html) in the *Security Hub User Guide* .
│    ├[~]  resource AWS::SecurityHub::PolicyAssociation
│    │  ├      - documentation: The `AWS::SecurityHub::PolicyAssociation` resource specifies associations for a configuration policy or a self-managed configuration. You can associate a AWS Security Hub configuration policy or self-managed configuration with the organization root, organizational units (OUs), or AWS accounts . After a successful association, the configuration policy takes effect in the specified targets. For more information, see [Creating and associating Security Hub configuration policies](https://docs.aws.amazon.com/securityhub/latest/userguide/create-associate-policy.html) in the *AWS Security Hub User Guide* .
│    │  │      + documentation: The `AWS::SecurityHub::PolicyAssociation` resource specifies associations for a configuration policy or a self-managed configuration. You can associate a Security Hub configuration policy or self-managed configuration with the organization root, organizational units (OUs), or AWS accounts . After a successful association, the configuration policy takes effect in the specified targets. For more information, see [Creating and associating Security Hub configuration policies](https://docs.aws.amazon.com/securityhub/latest/userguide/create-associate-policy.html) in the *Security Hub User Guide* .
│    │  └ attributes
│    │     └ AssociationType: (documentation changed)
│    ├[~]  resource AWS::SecurityHub::ProductSubscription
│    │  └      - documentation: The `AWS::SecurityHub::ProductSubscription` resource creates a subscription to a third-party product that generates findings that you want to receive in AWS Security Hub . For a list of integrations to third-party products, see [Available third-party partner product integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) in the *AWS Security Hub User Guide* .
│    │         To change a product subscription, remove the current product subscription resource, and then create a new one.
│    │         Tags aren't supported for this resource.
│    │         + documentation: The `AWS::SecurityHub::ProductSubscription` resource creates a subscription to a third-party product that generates findings that you want to receive in Security Hub . For a list of integrations to third-party products, see [Available third-party partner product integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) in the *Security Hub User Guide* .
│    │         To change a product subscription, remove the current product subscription resource, and then create a new one.
│    │         Tags aren't supported for this resource.
│    ├[~]  resource AWS::SecurityHub::SecurityControl
│    │  ├      - documentation: The `AWS::SecurityHub::SecurityControl` resource specifies custom parameter values for an AWS Security Hub control. For a list of controls that support custom parameters, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) . You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see [Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html) in the *AWS Security Hub User Guide* .
│    │  │      Tags aren't supported for this resource.
│    │  │      + documentation: The `AWS::SecurityHub::SecurityControl` resource specifies custom parameter values for an Security Hub control. For a list of controls that support custom parameters, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) . You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see [Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html) in the *Security Hub User Guide* .
│    │  │      Tags aren't supported for this resource.
│    │  └ types
│    │     └[~] type ParameterConfiguration
│    │       └ properties
│    │          └ ValueType: (documentation changed)
│    └[~]  resource AWS::SecurityHub::Standard
│       ├      - documentation: The `AWS::SecurityHub::Standard` resource specifies the enablement of a security standard. The standard is identified by the `StandardsArn` property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation.
│       │      You must create a separate `AWS::SecurityHub::Standard` resource for each standard that you want to enable.
│       │      For more information about Security Hub standards, see [Security Hub standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *AWS Security Hub User Guide* .
│       │      + documentation: The `AWS::SecurityHub::Standard` resource specifies the enablement of a security standard. The standard is identified by the `StandardsArn` property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation.
│       │      You must create a separate `AWS::SecurityHub::Standard` resource for each standard that you want to enable.
│       │      For more information about Security Hub standards, see [Security Hub standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *Security Hub User Guide* .
│       └ types
│          └[~] type StandardsControl
│            └      - documentation: Provides details about an individual security control. For a list of Security Hub controls, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) in the *AWS Security Hub User Guide* .
│                   + documentation: Provides details about an individual security control. For a list of Security Hub controls, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) in the *Security Hub User Guide* .
├[~] service aws-servicecatalog
│ └ resources
│    ├[~]  resource AWS::ServiceCatalog::CloudFormationProduct
│    │  ├ attributes
│    │  │  └ Id: (documentation changed)
│    │  └ types
│    │     ├[+]  type Info
│    │     │  ├      documentation: Specify the template source with one of the following options, but not both. Keys accepted: [ LoadTemplateFromURL, ImportFromPhysicalId ] The URL of the AWS CloudFormation template in Amazon S3 in JSON format. Specify the URL in JSON format as follows:
│    │     │  │      "LoadTemplateFromURL": "https://s3.amazonaws.com/cf-templates-ozkq9d3hgiq2-us-east-1/..."
│    │     │  │      ImportFromPhysicalId: The physical id of the resource that contains the template. Currently only supports AWS CloudFormation stack arn. Specify the physical id in JSON format as follows: ImportFromPhysicalId: "arn:aws:cloudformation:[us-east-1]:[accountId]:stack/[StackName]/[resourceId]
│    │     │  │      name: Info
│    │     │  └ properties
│    │     │     ├ LoadTemplateFromURL: string
│    │     │     └ ImportFromPhysicalId: string
│    │     └[~] type ProvisioningArtifactProperties
│    │       └ properties
│    │          └ Info: - json (required)
│    │                  + Info ⇐ json (required)
│    └[~]  resource AWS::ServiceCatalog::PortfolioPrincipalAssociation
│       └ attributes
│          └[-] Id: string
├[~] service aws-ses
│ └ resources
│    └[+]  resource AWS::SES::MultiRegionEndpoint
│       ├      name: MultiRegionEndpoint
│       │      cloudFormationType: AWS::SES::MultiRegionEndpoint
│       │      documentation: Creates a multi-region endpoint (global-endpoint).
│       │      The primary region is going to be the AWS-Region where the operation is executed. The secondary region has to be provided in request's parameters. From the data flow standpoint there is no difference between primary and secondary regions - sending traffic will be split equally between the two. The primary region is the region where the resource has been created and where it can be managed.
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       ├ properties
│       │  ├ EndpointName: string (required, immutable)
│       │  ├ Tags: Array<tag>
│       │  └ Details: Details (required, immutable)
│       └ types
│          ├ type Details
│          │ ├      documentation: An object that contains configuration details of multi-region endpoint (global-endpoint).
│          │ │      name: Details
│          │ └ properties
│          │    └ RouteDetails: Array<RouteDetailsItems> (required)
│          └ type RouteDetailsItems
│            ├      name: RouteDetailsItems
│            └ properties
│               └ Region: string (required)
├[~] service aws-vpclattice
│ └ resources
│    └[~]  resource AWS::VpcLattice::ServiceNetworkVpcAssociation
│       ├ properties
│       │  ├[+] DnsOptions: DnsOptions (immutable)
│       │  └[+] PrivateDnsEnabled: boolean (immutable)
│       └ types
│          └[+]  type DnsOptions
│             ├      name: DnsOptions
│             └ properties
│                ├ PrivateDnsPreference: string (immutable)
│                └ PrivateDnsSpecifiedDomains: Array<string> (immutable)
├[~] service aws-wafv2
│ └ resources
│    └[~]  resource AWS::WAFv2::WebACL
│       ├ properties
│       │  └[+] ApplicationConfig: ApplicationConfig
│       └ types
│          ├[+]  type ApplicationAttribute
│          │  ├      documentation: Application details defined during the web ACL creation process. Application attributes help AWS WAF give recommendations for protection packs.
│          │  │      name: ApplicationAttribute
│          │  └ properties
│          │     ├ Name: string (required)
│          │     └ Values: Array<string> (required)
│          └[+]  type ApplicationConfig
│             ├      documentation: A list of `ApplicationAttribute` s that contains information about the application.
│             │      name: ApplicationConfig
│             └ properties
│                └ Attributes: Array<ApplicationAttribute> (required)
└[~] service aws-workspacesthinclient
  └ resources
     └[~]  resource AWS::WorkSpacesThinClient::Environment
        └ properties
           ├ DesktopArn: (documentation changed)
           └ DesktopEndpoint: (documentation changed)

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-opensearchserverless: AWS::OpenSearchServerless::Collection: StandbyReplicas property is now immutable.
aws-servicecatalog: AWS::ServiceCatalog::PortfolioPrincipalAssociation: Id attribute removed.

@aws-cdk-automation added the contribution/core (This is a PR that came from AWS.), dependencies (This issue is a problem in a dependency or a pull request that updates a dependency file.), pr-linter/exempt-readme (The PR linter will not require README changes), pr-linter/exempt-test (The PR linter will not require test changes) and pr-linter/exempt-integ-test (The PR linter will not require integ test changes) labels Nov 10, 2025
@aws-cdk-automation requested review from a team November 10, 2025 10:28
@github-actions bot added the p2 label Nov 10, 2025
@ozelalisen self-assigned this Nov 12, 2025

mergify bot commented Nov 12, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).


mergify bot commented Nov 12, 2025

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

merge conflict between base and head.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
@aws-cdk-automation requested a review from a team November 13, 2025 09:54
@ozelalisen added and removed the pr/do-not-merge (This PR should not be merged at this time.) label Nov 13, 2025
@ozelalisen self-assigned this Nov 13, 2025

mergify bot commented Nov 13, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).


mergify bot commented Nov 13, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify bot merged commit 47a9a20 into main Nov 13, 2025
18 of 19 checks passed
@mergify bot deleted the automation/spec-update branch November 13, 2025 11:12
@github-actions

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2025