Package-level declarations
Types
Specifies the transfer acceleration status of the bucket.
This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see Controlling object ownership in the Amazon S3 User Guide. A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see Canned ACL in the Amazon S3 User Guide. S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the AWS::S3::OwnershipControls property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see AWS::S3::BucketPolicy. For examples of common policy configurations, including S3 Server Access Logs buckets and more, see Bucket policy examples in the Amazon S3 User Guide.
Status of the Addon
Property value
Property value
Architectures enum
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Determines whether to use the Amazon ECS task role defined in a task definition when mounting the Amazon EFS file system. If it is turned on, transit encryption must be turned on in the `EFSVolumeConfiguration`. If this parameter is omitted, the default value of `DISABLED` is used. For more information, see Using Amazon EFS access points in the Amazon Elastic Container Service Developer Guide.
Property value
Whether the task's elastic network interface receives a public IP address. The default value is `DISABLED`.
Set the backup policy status for the file system.
+ ENABLED - Turns automatic backups on for the file system.
+ DISABLED - Turns automatic backups off for the file system.
Property value
Property value
Property value
Specifies the AWS account that you are acting from. By default, SELF is specified. For self-managed permissions, specify SELF; for service-managed permissions, if you are signed in to the organization's management account, specify SELF. If you are signed in to a delegated administrator account, specify DELEGATED_ADMIN.
Capabilities enum
Property value
Property value
Property value
Property status
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
CorsRuleAllowedMethods enum
Property value
Property value
Property value
Default handling for logs that don't match any of the specified filtering conditions.
The default Object Lock retention mode you want to apply to new objects placed in the specified bucket. If Object Lock is turned on, you must specify `Mode` and specify either `Days` or `Years`.
Indicates whether to replicate delete markers. Disabled by default.
The deployment controller type to use. There are three deployment controller types available:
+ ECS: The rolling update (ECS) deployment type involves replacing the current running version of the container with the latest version. The number of containers Amazon ECS adds or removes from the service during a rolling update is controlled by adjusting the minimum and maximum number of healthy tasks allowed during a service deployment, as specified in the DeploymentConfiguration.
+ CODE_DEPLOY: The blue/green (CODE_DEPLOY) deployment type uses the blue/green deployment model powered by , which allows you to verify a new deployment of a service before sending production traffic to it.
+ EXTERNAL: The external (EXTERNAL) deployment type enables you to use any third-party deployment controller for full control over the deployment process for an Amazon ECS service.
Property value
The filter type you want to apply on organizational units and accounts.
Specifies the file format used when exporting data to Amazon S3. Allowed values: `CSV` | `ORC` | `Parquet`
Property value
The method used to distribute log data to the destination, which can be either random or grouped by log stream.
Property value
Property value
Determines whether to propagate the tags from the task definition to the Amazon EBS volume. Tags can only propagate to a `SERVICE` specified in `ServiceVolumeConfiguration`. If no value is specified, the tags aren't propagated.
Determines whether to use encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be turned on if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of `DISABLED` is used. For more information, see Encrypting data in transit in the Amazon Elastic File System User Guide.
The encryption type to use. If you use the `KMS` encryption type, the contents of the repository will be encrypted using server-side encryption with KMSlong key stored in KMS. When you use KMS to encrypt your data, you can either use the default AWS managed KMS key for Amazon ECR, or specify your own KMS key, which you already created. For more information, see Protecting data using server-side encryption with an key stored in (SSE-KMS) in the Amazon Simple Storage Service Console Developer Guide. If you use the `AES256` encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES-256 encryption algorithm. For more information, see Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) in the *Ama
Property value
Property value
Specify if you want your trail to log read-only events, write-only events, or all. For example, the EC2 GetConsoleOutput is a read-only API operation and RunInstances is a write-only API operation.
Property value
ExtendedKeyUsageName enum
Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.
Property value
Property fileFormat
The status of the file system's replication overwrite protection.
+ `ENABLED` – The file system cannot be used as the destination file system in a replication configuration. The file system is writeable. Replication overwrite protection is `ENABLED` by default.
+ `DISABLED` – The file system can be used as the destination file system in a replication configuration. The file system is read-only and can only be modified by EFS replication.
+ `REPLICATING` – The file system is being used as the destination file system in a replication configuration. The file system is read-only and is modified only by EFS replication.

If the replication configuration is deleted, the file system's replication overwrite protection is re-enabled and the file system becomes writeable.
Property value
How to handle logs that satisfy the filter's conditions and requirement.
Logic to apply to the filtering conditions. You can specify that, in order to satisfy the filter, a log must match all conditions or must match at least one condition.
Property value
Property value
Property value
Property direction
Property protocol
Property value
Property value
Property value
Property value
Property value
The tag mutability setting for the repository. If this parameter is omitted, the default setting of `MUTABLE` will be used, which allows image tags to be overwritten. If `IMMUTABLE` is specified, all image tags within the repository will be immutable, which prevents them from being overwritten.
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Property value
Specifies the status of the configuration.
Object versions to include in the inventory list. If set to `All`, the list includes all the object versions, which adds the version-related fields `VersionId`, `IsLatest`, and `DeleteMarker` to the list. If set to `Current`, the list does not contain these version-related fields.
InventoryConfigurationOptionalFields enum
Specifies the schedule for generating inventory results.
Property value
Property value
The method by which the account joined the organization.
Property value
Specifies the type of KMS key to create. The default value, `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, `SYMMETRIC_DEFAULT` creates a 128-bit symmetric key that uses SM4 encryption. You can't change the `KeySpec` value after the KMS key is created. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Developer Guide. The `KeySpec` property determines the type of key material in the KMS key and the algorithms that the KMS key supports. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see condition keys in the Developer Guide. If you change the value of the `KeySpec` property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. services that are integrated with use symmetric encryption KMS keys to protect your data. These services do not support encryption with asymmetric KMS keys. For help determining whether a KMS key is asymmetric, see Identifying asymmetric KMS keys in the Developer Guide. KMS supports the following key specs for KMS keys:
+ Symmetric encryption key (default)
  + `SYMMETRIC_DEFAULT` (AES-256-GCM)
+ HMAC keys (symmetric)
  + `HMAC_224`
  + `HMAC_256`
  + `HMAC_384`
  + `HMAC_512`
+ Asymmetric RSA key pairs
  + `RSA_2048`
  + `RSA_3072`
  + `RSA_4096`
+ Asymmetric NIST-recommended elliptic curve key pairs
  + `ECC_NIST_P256` (secp256r1)
  + `ECC_NIST_P384` (secp384r1)
  + `ECC_NIST_P521` (secp521r1)
+ Other asymmetric elliptic curve key pairs
  + `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
+ SM2 key pairs (China Regions only)
  + `SM2`
The type of key pair. Note that ED25519 keys are not supported for Windows instances. If the `PublicKeyMaterial` property is specified, the `KeyType` property is ignored, and the key type is inferred from the `PublicKeyMaterial` value. Default: `rsa`
Determines the cryptographic operations for which you can use the KMS key. The default value is `ENCRYPT_DECRYPT`. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the `KeyUsage` value after the KMS key is created. If you change the value of the `KeyUsage` property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Select only one valid value.
+ For symmetric encryption KMS keys, omit the property or specify `ENCRYPT_DECRYPT`.
+ For asymmetric KMS keys with RSA key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+ For asymmetric KMS keys with ECC key material, specify `SIGN_VERIFY`.
+ For asymmetric KMS keys with SM2 (China Regions only) key material, specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+ For HMAC KMS keys, specify `GENERATE_VERIFY_MAC`.
KeyUsageName enum
The precision for the time and date that the stream was created.
Property value
The launch type on which to run your service. For more information, see Amazon ECS Launch Types in the Amazon Elastic Container Service Developer Guide.
Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.
Set this property to filter the application logs for your function that Lambda sends to CloudWatch. Lambda only sends application logs at the selected level of detail and lower, where `TRACE` is the highest level and `FATAL` is the lowest.
The format in which Lambda sends your function's application and system logs to CloudWatch. Select between plain text and structured JSON.
Property protocol
Set this property to filter the system logs for your function that Lambda sends to CloudWatch. Lambda only sends system logs at the selected level of detail and lower, where `DEBUG` is the highest level and `WARN` is the lowest.
Specifies the log group class for this log group. There are two classes:
+ The `Standard` log class supports all CWL features.
+ The `Infrequent Access` log class supports a subset of CWL features and incurs lower costs.

For details about the features supported by each class, see Log classes.
Property value
Property value
Specifies whether the replication metrics are enabled.
The unit to assign to the metric. If you omit this, the unit is set as `None`.
Property value
Property value
Property value
Indicates whether this Access Point allows access from the public Internet. If VpcConfiguration is specified for this Access Point, then NetworkOrigin is VPC, and the Access Point doesn't allow access from the public Internet. Otherwise, NetworkOrigin is Internet, and the Access Point allows access from the public Internet, subject to the Access Point and bucket access policies.
The class of storage used to store the object.
Property value
Property value
Property value
Property value
The concurrency type for deploying StackSets operations in Regions: either in parallel or one Region at a time.
The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is `AWS_KMS`, which means that KMS creates the key material. To create a KMS key with no key material (for imported key material), set this value to `EXTERNAL`. For more information about importing key material into KMS, see Importing Key Material in the Developer Guide. You can ignore `ENABLED` when Origin is `EXTERNAL`. When a KMS key with Origin `EXTERNAL` is created, the key state is `PENDING_IMPORT` and `ENABLED` is `false`. After you import the key material, `ENABLED` is updated to `true`. The KMS key can then be used for Cryptographic Operations. CFN doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.
Specifies an object ownership rule.
The type of deployment package. Set to `Image` for container image and set `Zip` for .zip file archive.
Specifies the partition date source for the partitioned prefix. PartitionDateSource can be EventTime or DeliveryTime.
Property value
Describes how the IAM roles required for stack set operations are created. By default, SELF-MANAGED is specified.
Property value
The type of constraint. Use `distinctInstance` to ensure that each task in a particular group is running on a different container instance. Use `memberOf` to restrict the selection to a group of valid candidates.
Property value
The type of placement strategy. The `random` placement strategy randomly places tasks on available candidates. The `spread` placement strategy spreads placement across available candidates evenly based on the `field` parameter. The `binpack` strategy places tasks on available candidates that have the least available amount of the resource that's specified with the `field` parameter. For example, if you binpack on memory, a task is placed on the instance with the least amount of remaining memory but still enough to run the task.
Property value
Property value
Property value
The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch. If you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP. `appProtocol` is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment. Tasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see Service Connect in the Amazon Elastic Container Service Developer Guide.
The name of the processor feature. Valid names are `coreCount` and `threadsPerCore`.
Property value
Property value
Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags aren't propagated. Tags can only be propagated to the task during task creation. To add tags to a task after task creation, use the TagResource API action. The default is `NONE`.
Property value
Property value
Property value
Property value
Protocol to use when redirecting requests. The default is the protocol that is used in the original request.
Protocol to use when redirecting requests. The default is the protocol that is used in the original request.
Property value
Specifies whether Amazon S3 replicates modifications on replicas. Allowed values: `Enabled` | `Disabled`
The storage class to use when replicating objects, such as S3 Standard or reduced redundancy. By default, Amazon S3 uses the storage class of the source object to create the object replica. For valid values, see the `StorageClass` element of the PUT Bucket replication action in the Amazon S3 API Reference.
Specifies whether the rule is enabled.
Specifies whether the replication time is enabled.
Property value
Property value
Property value
Property value
The instance type that the image version runs on.
Property value
Property generatedRulesType
If `Enabled`, the rule is currently being applied. If `Disabled`, the rule is not currently being applied.
Specify the runtime update mode.
+ Auto (default) - Automatically update to the most recent and secure runtime version using a Two-phase runtime version rollout. This is the best choice for most customers to ensure they always benefit from runtime updates.
+ FunctionUpdate - Lambda updates the runtime of your function to the most recent and secure runtime version when you update your function. This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.
+ Manual - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see Roll back a runtime version.

Valid Values: `Auto` | `FunctionUpdate` | `Manual`
Property value
Property value
The scheduling strategy to use for the service. For more information, see Services. There are two service scheduler strategies available:
+ `REPLICA` - The replica scheduling strategy places and maintains the desired number of tasks across your cluster. By default, the service scheduler spreads tasks across Availability Zones. You can use task placement strategies and constraints to customize task placement decisions. This scheduler strategy is required if the service uses the `CODE_DEPLOY` or `EXTERNAL` deployment controller types.
+ `DAEMON` - The daemon scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that you specify in your cluster. The service scheduler also evaluates the task placement constraints for running tasks and will stop tasks that don't meet the placement constraints. When you're using this strategy, you don't need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies. Tasks using the Fargate launch type or the `CODE_DEPLOY` or `EXTERNAL` deployment controller types don't support the `DAEMON` scheduling strategy.
Server-side encryption algorithm to use for the default encryption.
Property value
Property value
Property value
Set `ApplyOn` to `PublishedVersions` to create a snapshot of the initialized execution environment when you publish a function version.
Property value
Property value
Specifies whether Amazon S3 replicates objects created with server-side encryption using an AWS KMS key stored in AWS Key Management Service.
Property stackStatus
Property ruleOrder
Property streamExceptionPolicy
Property action
Property action
Property ruleOrder
Property value
Property value
Property value
Property value
Property value
Property value
S3 Intelligent-Tiering access tier. See Storage class for automatically optimizing frequently and infrequently accessed objects for a list of access tiers in the S3 Intelligent-Tiering storage class.
Property value
Property value
The tracing mode.
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
The storage class to which you want the object to transition.
The versioning state of the bucket.
Property value
Property value
The type of endpoint. Default: Gateway
Property value
Property value