From 8fdf015fdc310d6d62cec31b6d89e1ff1decb8b6 Mon Sep 17 00:00:00 2001 
From: Xia Zhao <78883180+xazhao@users.noreply.github.com> Date: Wed, 14 Aug 2024 10:46:07 -0700 Subject: [PATCH 01/10] revert: feat(ecs): add validation checks to memory cpu combinations of FARGATE compatible task definitions (#31110) Revert https://github.com/aws/aws-cdk/pull/30166 ### Issue # (if applicable) Closes #. ### Reason for this change ### Description of changes ### Description of how you validated changes ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...efaultTestDeployAssertD76B1D35.assets.json | 19 -- ...aultTestDeployAssertD76B1D35.template.json | 36 ---- .../aws-ecs-fargate-task-def.assets.json | 19 -- .../aws-ecs-fargate-task-def.template.json | 87 -------- .../cdk.out | 1 - .../integ.json | 12 -- .../manifest.json | 122 ----------- .../tree.json | 202 ----------------- .../aws-ecs/test/integ.fargate-task-def.ts | 25 --- ...efaultTestDeployAssertF13B2133.assets.json | 19 -- ...aultTestDeployAssertF13B2133.template.json | 36 ---- .../aws-ecs-task-def.assets.json | 19 -- .../aws-ecs-task-def.template.json | 88 -------- .../test/integ.task-def.js.snapshot/cdk.out | 1 - .../integ.task-def.js.snapshot/integ.json | 12 -- .../integ.task-def.js.snapshot/manifest.json | 119 ---------- .../test/integ.task-def.js.snapshot/tree.json | 203 ------------------ .../test/aws-ecs/test/integ.task-def.ts | 26 --- ...servicecatalog-deploy-action-beta1.test.ts | 2 +- .../load-balanced-fargate-service-v2.test.ts | 3 +- .../load-balanced-fargate-service.test.ts | 4 +- .../fargate/scheduled-fargate-task.test.ts | 2 +- packages/aws-cdk-lib/aws-ecs/README.md | 2 +- .../aws-ecs/lib/base/task-definition.ts | 72 ++----- .../fargate/fargate-task-definition.test.ts | 34 +-- 
.../aws-ecs/test/task-definition.test.ts | 42 +--- .../api/cloudformation-deployments.test.ts | 2 +- 27 files changed, 32 insertions(+), 1177 deletions(-) delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.ts delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.assets.json delete mode 100644 
packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json deleted file mode 100644 index a2587e6d528bd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.assets.json deleted file mode 100644 index 47920c3666a13..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.assets.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "9cc4d79897c01e0d9dc06bb0648af4d1d360aea0fd4d556081bed713d96d2436": { - "source": { - "path": "aws-ecs-fargate-task-def.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "9cc4d79897c01e0d9dc06bb0648af4d1d360aea0fd4d556081bed713d96d2436.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.template.json deleted file mode 100644 index 17d20d29f57ef..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/aws-ecs-fargate-task-def.template.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "Resources": { - "TaskDefTaskRole1EDB4A67": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TaskDef54694570": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "ContainerDefinitions": [ - { - "Essential": true, - "Image": "amazon/amazon-ecs-sample", - "Name": "SampleContainer", - "PortMappings": [ - { - "ContainerPort": 80, - "HostPort": 80, - "Protocol": "tcp" - } - ] - } - ], - "Cpu": "256", - "Family": "awsecsfargatetaskdefTaskDef69F258AC", - "Memory": "512", - "NetworkMode": "awsvpc", - "RequiresCompatibilities": [ - "FARGATE" - ], - "TaskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/cdk.out +++ /dev/null 
@@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/integ.json deleted file mode 100644 index 1a97105790686..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/integ.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "FargateTaskDefinition/DefaultTest": { - "stacks": [ - "aws-ecs-fargate-task-def" - ], - "assertionStack": "FargateTaskDefinition/DefaultTest/DeployAssert", - "assertionStackName": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/manifest.json deleted file mode 100644 index 11f65944a28fc..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/manifest.json +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "aws-ecs-fargate-task-def.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "aws-ecs-fargate-task-def.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "aws-ecs-fargate-task-def": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "aws-ecs-fargate-task-def.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9cc4d79897c01e0d9dc06bb0648af4d1d360aea0fd4d556081bed713d96d2436.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "aws-ecs-fargate-task-def.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "aws-ecs-fargate-task-def.assets" - ], - "metadata": { - "/aws-ecs-fargate-task-def/TaskDef/TaskRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TaskDefTaskRole1EDB4A67" - } - ], - "/aws-ecs-fargate-task-def/TaskDef/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TaskDef54694570", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" - ] - } - ], - "/aws-ecs-fargate-task-def/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - 
"/aws-ecs-fargate-task-def/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "aws-ecs-fargate-task-def" - }, - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "FargateTaskDefinitionDefaultTestDeployAssertD76B1D35.assets" - ], - "metadata": { - "/FargateTaskDefinition/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - 
"/FargateTaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "FargateTaskDefinition/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/tree.json deleted file mode 100644 index 063f35b7938f7..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.js.snapshot/tree.json +++ /dev/null 
@@ -1,202 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-ecs-fargate-task-def": { - "id": "aws-ecs-fargate-task-def", - "path": "aws-ecs-fargate-task-def", - "children": { - "TaskDef": { - "id": "TaskDef", - "path": "aws-ecs-fargate-task-def/TaskDef", - "children": { - "TaskRole": { - "id": "TaskRole", - "path": "aws-ecs-fargate-task-def/TaskDef/TaskRole", - "children": { - "ImportTaskRole": { - "id": "ImportTaskRole", - "path": "aws-ecs-fargate-task-def/TaskDef/TaskRole/ImportTaskRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-fargate-task-def/TaskDef/TaskRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-fargate-task-def/TaskDef/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::ECS::TaskDefinition", - "aws:cdk:cloudformation:props": { - "containerDefinitions": [ - { - "essential": true, - "image": "amazon/amazon-ecs-sample", - "name": "SampleContainer", - "portMappings": [ - { - "containerPort": 80, - "hostPort": 80, - "protocol": "tcp" - } - ] - } - ], - "cpu": "256", - "family": "awsecsfargatetaskdefTaskDef69F258AC", - "memory": "512", - "networkMode": "awsvpc", - "requiresCompatibilities": [ - "FARGATE" - ], - "taskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnTaskDefinition", - "version": 
"0.0.0" - } - }, - "SampleContainer": { - "id": "SampleContainer", - "path": "aws-ecs-fargate-task-def/TaskDef/SampleContainer", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.ContainerDefinition", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.FargateTaskDefinition", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-ecs-fargate-task-def/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-ecs-fargate-task-def/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "FargateTaskDefinition": { - "id": "FargateTaskDefinition", - "path": "FargateTaskDefinition", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "FargateTaskDefinition/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "FargateTaskDefinition/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "FargateTaskDefinition/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "FargateTaskDefinition/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "FargateTaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { 
- "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.ts
deleted file mode 100644
index 46be63397f340..0000000000000
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.fargate-task-def.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-import * as cdk from 'aws-cdk-lib';
-import * as ecs from 'aws-cdk-lib/aws-ecs';
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
-
-const app = new cdk.App();
-const stack = new cdk.Stack(app, 'aws-ecs-fargate-task-def');
-
-const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef', {
- cpu: 256,
- memoryLimitMiB: 512,
-});
-
-taskDefinition.addContainer('SampleContainer', {
- image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
- essential: true,
- portMappings: [
- { containerPort: 80, hostPort: 80, protocol: ecs.Protocol.TCP },
- ],
-});
-
-new IntegTest(app, 'FargateTaskDefinition', {
- testCases: [stack],
-});
-
-app.synth();
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json
deleted file mode 100644
index c36858976d347..0000000000000
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json
+++ /dev/null
@@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "TaskDefinitionDefaultTestDeployAssertF13B2133.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/TaskDefinitionDefaultTestDeployAssertF13B2133.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.assets.json deleted file mode 100644 index 0c6a62c1ef756..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "69e8cabd26b07a22fe937a35822c9447fa44ce785d99d44da971c9f953f701da": { - "source": { - "path": "aws-ecs-task-def.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "69e8cabd26b07a22fe937a35822c9447fa44ce785d99d44da971c9f953f701da.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.template.json deleted file mode 100644 index 9b0e24807ea39..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/aws-ecs-task-def.template.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "Resources": { - "TaskDefTaskRole1EDB4A67": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TaskDef54694570": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "ContainerDefinitions": [ - { - "Essential": true, - "Image": "amazon/amazon-ecs-sample", - "Name": "SampleContainer", - "PortMappings": [ - { - "ContainerPort": 80, - "HostPort": 80, - "Protocol": "tcp" - } - ] - } - ], - "Cpu": "256", - "Family": "awsecstaskdefTaskDefDBCEF036", - "Memory": "512", - "NetworkMode": "awsvpc", - "RequiresCompatibilities": [ - "EC2", - "FARGATE" - ], - "TaskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/integ.json deleted file mode 100644 index d996244d1508f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/integ.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "TaskDefinition/DefaultTest": { - "stacks": [ - "aws-ecs-task-def" - ], - "assertionStack": "TaskDefinition/DefaultTest/DeployAssert", - "assertionStackName": "TaskDefinitionDefaultTestDeployAssertF13B2133" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/manifest.json deleted file mode 100644 index ead60c3c0ea88..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/manifest.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "aws-ecs-task-def.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "aws-ecs-task-def.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "aws-ecs-task-def": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "aws-ecs-task-def.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/69e8cabd26b07a22fe937a35822c9447fa44ce785d99d44da971c9f953f701da.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "aws-ecs-task-def.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "aws-ecs-task-def.assets" - ], - "metadata": { - "/aws-ecs-task-def/TaskDef/TaskRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TaskDefTaskRole1EDB4A67" - } - ], - "/aws-ecs-task-def/TaskDef/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TaskDef54694570" - } - ], - "/aws-ecs-task-def/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/aws-ecs-task-def/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - 
"displayName": "aws-ecs-task-def" - }, - "TaskDefinitionDefaultTestDeployAssertF13B2133.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "TaskDefinitionDefaultTestDeployAssertF13B2133.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "TaskDefinitionDefaultTestDeployAssertF13B2133": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "TaskDefinitionDefaultTestDeployAssertF13B2133.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "TaskDefinitionDefaultTestDeployAssertF13B2133.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "TaskDefinitionDefaultTestDeployAssertF13B2133.assets" - ], - "metadata": { - "/TaskDefinition/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/TaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": 
"TaskDefinition/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/tree.json deleted file mode 100644 index e2a89e9602c30..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.js.snapshot/tree.json +++ /dev/null 
@@ -1,203 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-ecs-task-def": { - "id": "aws-ecs-task-def", - "path": "aws-ecs-task-def", - "children": { - "TaskDef": { - "id": "TaskDef", - "path": "aws-ecs-task-def/TaskDef", - "children": { - "TaskRole": { - "id": "TaskRole", - "path": "aws-ecs-task-def/TaskDef/TaskRole", - "children": { - "ImportTaskRole": { - "id": "ImportTaskRole", - "path": "aws-ecs-task-def/TaskDef/TaskRole/ImportTaskRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-task-def/TaskDef/TaskRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "ecs-tasks.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-ecs-task-def/TaskDef/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::ECS::TaskDefinition", - "aws:cdk:cloudformation:props": { - "containerDefinitions": [ - { - "essential": true, - "image": "amazon/amazon-ecs-sample", - "name": "SampleContainer", - "portMappings": [ - { - "containerPort": 80, - "hostPort": 80, - "protocol": "tcp" - } - ] - } - ], - "cpu": "256", - "family": "awsecstaskdefTaskDefDBCEF036", - "memory": "512", - "networkMode": "awsvpc", - "requiresCompatibilities": [ - "EC2", - "FARGATE" - ], - "taskRoleArn": { - "Fn::GetAtt": [ - "TaskDefTaskRole1EDB4A67", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.CfnTaskDefinition", - "version": "0.0.0" - } - }, - "SampleContainer": { - "id": "SampleContainer", 
- "path": "aws-ecs-task-def/TaskDef/SampleContainer", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.ContainerDefinition", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_ecs.TaskDefinition", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-ecs-task-def/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-ecs-task-def/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "TaskDefinition": { - "id": "TaskDefinition", - "path": "TaskDefinition", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "TaskDefinition/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "TaskDefinition/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "TaskDefinition/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "TaskDefinition/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "TaskDefinition/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - 
"fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.ts deleted file mode 100644 index e9f4780343816..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.task-def.ts +++ /dev/null @@ -1,26 +0,0 @@ -import * as cdk from 'aws-cdk-lib'; -import * as ecs from 'aws-cdk-lib/aws-ecs'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -const app = new cdk.App(); -const stack = new cdk.Stack(app, 'aws-ecs-task-def'); - -const taskDefinition = new ecs.TaskDefinition(stack, 'TaskDef', { - compatibility: ecs.Compatibility.EC2_AND_FARGATE, - cpu: '256', - memoryMiB: '512', -}); - -taskDefinition.addContainer('SampleContainer', { - image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), - essential: true, - portMappings: [ - { containerPort: 80, hostPort: 80, protocol: ecs.Protocol.TCP }, - ], -}); - -new IntegTest(app, 'TaskDefinition', { - testCases: [stack], -}); - -app.synth(); \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts index 30388c7801783..cee8f139e117f 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts +++ b/packages/aws-cdk-lib/aws-codepipeline-actions/test/servicecatalog/servicecatalog-deploy-action-beta1.test.ts 
@@ -7,7 +7,7 @@ import * as cpactions from '../../lib'; /* eslint-disable quote-props */ describe('ServiceCatalog Deploy Action', () => { - test('addAction successfully leads to creation of codepipeline service catalog action with properly formatted TemplateFilePath', () => { + test('addAction succesfully leads to creation of codepipeline service catalog action with properly formatted TemplateFilePath', () => { // GIVEN const stack = new TestFixture(); // WHEN diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts index 5700a62b58b15..3068e9a8e4e29 100644 --- a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts +++ b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service-v2.test.ts @@ -642,8 +642,7 @@ describe('Application Load Balancer', () => { // WHEN new ApplicationMultipleTargetGroupsFargateService(stack, 'myService', { cluster: new ecs.Cluster(stack, 'EcsCluster', { vpc }), - cpu: 256, - memoryLimitMiB: 512, + memoryLimitMiB: 256, taskImageOptions: { image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), }, diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts index bf60714822fcd..18b6b929f76f6 100644 --- a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts +++ b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts 
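Review bot: The test title on the added line of the `@@ -7,7 +7,7 @@` hunk reads `addAction succesfully leads to creation of ...`, so this revert also backs out a spelling fix that is unrelated to the ECS CPU/memory validation it is meant to undo. The same misspelling returns in `readCurrentTemplateWithNestedStacks() succesfully ignores stacks without metadata` in cloudformation-deployments.test.ts later in the patch. Keeping `successfully` in both titles would limit the revert to the behaviour change. The `describe` block continues outside the hunk.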
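Review bot: The fixture in the `@@ -642,8 +642,7 @@` hunk goes back to `memoryLimitMiB: 256` with no explicit `cpu`, a size that does not appear in the CPU/memory table this patch removes from task-definition.ts (its smallest entry is cpu 256 with 512 MiB). The same holds for `cpu: 1024` with `memoryLimitMiB: 1024` in load-balanced-fargate-service.test.ts, `cpu: 2` in scheduled-fargate-task.test.ts, `cpu: 128` in fargate-task-definition.test.ts, and the `cpu: '512'` / `memoryMiB: '512'` pair in task-definition.test.ts and in the aws-ecs README example, which readers are likely to copy. Synth no longer rejects these values, so I would keep the deployable ones in the README and tests. Where an odd value is deliberate, a comment such as `// arbitrary size, not deployable on Fargate; only checks pass-through` would say so.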
@@ -554,7 +554,7 @@ describe('ApplicationLoadBalancedFargateService', () => { // WHEN const taskDef = new ecs.FargateTaskDefinition(stack1, 'TaskDef', { cpu: 1024, - memoryLimitMiB: 2048, + memoryLimitMiB: 1024, }); const container = taskDef.addContainer('Container', { image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), @@ -1816,7 +1816,7 @@ describe('NetworkLoadBalancedFargateService', () => { }); const taskDef = new ecs.FargateTaskDefinition(stack2, 'TaskDef', { cpu: 1024, - memoryLimitMiB: 2048, + memoryLimitMiB: 1024, }); const container = taskDef.addContainer('myContainer', { image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'), diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts index 28d881b8f7d92..7300f3c16e908 100644 --- a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts +++ b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/scheduled-fargate-task.test.ts @@ -91,7 +91,7 @@ test('Can create a scheduled Fargate Task - with optional props', () => { scheduledFargateTaskImageOptions: { image: ecs.ContainerImage.fromRegistry('henk'), memoryLimitMiB: 512, - cpu: 256, + cpu: 2, ephemeralStorageGiB: 100, environment: { TRIGGER: 'CloudWatch Events' }, }, diff --git a/packages/aws-cdk-lib/aws-ecs/README.md b/packages/aws-cdk-lib/aws-ecs/README.md index 6198c3f8f05c6..f0669e3adcc66 100644 --- a/packages/aws-cdk-lib/aws-ecs/README.md +++ b/packages/aws-cdk-lib/aws-ecs/README.md @@ -505,7 +505,7 @@ To grant a principal permission to run your `TaskDefinition`, you can use the `T ```ts declare const role: iam.IGrantable; const taskDef = new ecs.TaskDefinition(this, 'TaskDef', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); 
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts index c3896e1113811..7ab075ae777ce 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts @@ -432,9 +432,23 @@ export class TaskDefinition extends TaskDefinitionBase { } this.networkMode = props.networkMode ?? (this.isFargateCompatible ? NetworkMode.AWS_VPC : NetworkMode.BRIDGE); + if (this.isFargateCompatible && this.networkMode !== NetworkMode.AWS_VPC) { + throw new Error(`Fargate tasks can only have AwsVpc network mode, got: ${this.networkMode}`); + } if (props.proxyConfiguration && this.networkMode !== NetworkMode.AWS_VPC) { throw new Error(`ProxyConfiguration can only be used with AwsVpc network mode, got: ${this.networkMode}`); } + if (props.placementConstraints && props.placementConstraints.length > 0 && this.isFargateCompatible) { + throw new Error('Cannot set placement constraints on tasks that run on Fargate'); + } + + if (this.isFargateCompatible && (!props.cpu || !props.memoryMiB)) { + throw new Error(`Fargate-compatible tasks require both CPU (${props.cpu}) and memory (${props.memoryMiB}) specifications`); + } + + if (props.inferenceAccelerators && props.inferenceAccelerators.length > 0 && this.isFargateCompatible) { + throw new Error('Cannot use inference accelerators on tasks that run on Fargate'); + } if (this.isExternalCompatible && ![NetworkMode.BRIDGE, NetworkMode.HOST, NetworkMode.NONE].includes(this.networkMode)) { throw new Error(`External tasks can only have Bridge, Host or None network mode, got: ${this.networkMode}`); 
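Review bot: After this hunk the only Fargate sizing check left in the constructor is `!props.cpu || !props.memoryMiB`, so an unsupported CPU/memory pair is no longer caught at synth, and nothing on the new side records that this is intentional. A short comment above that check would document the decision, for example `// cpu/memory combinations are not validated here; unsupported Fargate sizes surface as an ECS error at deploy time`. As a point of style, the four restored checks each repeat `this.isFargateCompatible` and are interleaved with the `proxyConfiguration` check, which makes it easy to miss one when the Fargate rules change. The constructor starts and ends outside the hunk.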
@@ -444,30 +458,6 @@ export class TaskDefinition extends TaskDefinitionBase { throw new Error('Cannot specify runtimePlatform in non-Fargate compatible tasks'); } - //FARGATE compatible tasks pre-checks - if (this.isFargateCompatible) { - if (this.networkMode !== NetworkMode.AWS_VPC) { - throw new Error(`Fargate tasks can only have AwsVpc network mode, got: ${this.networkMode}`); - } - - if (props.placementConstraints && props.placementConstraints.length > 0) { - throw new Error('Cannot set placement constraints on tasks that run on Fargate'); - } - - if (!props.cpu || !props.memoryMiB) { - throw new Error(`Fargate-compatible tasks require both CPU (${props.cpu}) and memory (${props.memoryMiB}) specifications`); - } - - if (props.inferenceAccelerators && props.inferenceAccelerators.length > 0) { - throw new Error('Cannot use inference accelerators on tasks that run on Fargate'); - } - - // Check the combination as per doc https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html - this.node.addValidation({ - validate: () => this.validateFargateTaskDefinitionMemoryCpu(props.cpu!, props.memoryMiB!), - }); - } - this._executionRole = props.executionRole; this.taskRole = props.taskRole || new iam.Role(this, 'TaskRole', { 
@@ -909,40 +899,6 @@ export class TaskDefinition extends TaskDefinitionBase { throw new Error(`If operatingSystemFamily is ${runtimePlatform.operatingSystemFamily!._operatingSystemFamily}, then cpu must be in 1024 (1 vCPU), 2048 (2 vCPU), or 4096 (4 vCPU). Provided value was: ${cpu}`); } }; - - private validateFargateTaskDefinitionMemoryCpu(cpu: string, memory: string): string[] { - const ret = new Array(); - const resolvedCpu = this.stack.resolve(cpu) as string; - const resolvedMemoryMiB = this.stack.resolve(memory) as string; - const validCpuMemoryCombinations = [ - { cpu: '256', memory: ['512', '1024', '2048'] }, - { cpu: '512', memory: this.range(1024, 4096, 1024) }, - { cpu: '1024', memory: this.range(2048, 8192, 1024) }, - { cpu: '2048', memory: this.range(4096, 16384, 1024) }, - { cpu: '4096', memory: this.range(8192, 30720, 1024) }, - { cpu: '8192', memory: this.range(16384, 61440, 4096) }, - { cpu: '16384', memory: this.range(32768, 122880, 8192) }, - ]; - - const isValidCombination = validCpuMemoryCombinations.some((combo) => { - return combo.cpu === resolvedCpu && combo.memory.includes(resolvedMemoryMiB); - }); - - if (!isValidCombination) { - ret.push('Invalid CPU and memory combinations for FARGATE compatible task definition - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html'); - } - - return ret; - } - - private range(start: number, end: number, step: number): string[] { - const result = []; - for (let i = start; i <= end; i += step) { - result.push(String(i)); - } - return result; - } - } /** diff --git a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts index 9d7c03c4a877f..be93c76e2b65e 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts 
@@ -26,13 +26,13 @@ describe('fargate task definition', () => { const stack = new cdk.Stack(); new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: cdk.Lazy.number({ produce: () => 512 }), + cpu: cdk.Lazy.number({ produce: () => 128 }), memoryLimitMiB: cdk.Lazy.number({ produce: () => 1024 }), }); // THEN Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '512', + Cpu: '128', Memory: '1024', }); @@ -42,7 +42,7 @@ describe('fargate task definition', () => { // GIVEN const stack = new cdk.Stack(); const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: 256, + cpu: 128, executionRole: new iam.Role(stack, 'ExecutionRole', { path: '/', assumedBy: new iam.CompositePrincipal( @@ -72,7 +72,7 @@ describe('fargate task definition', () => { // THEN Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '256', + Cpu: '128', ExecutionRoleArn: { 'Fn::GetAtt': [ 'ExecutionRole605A040B', @@ -216,32 +216,6 @@ describe('fargate task definition', () => { }); }).toThrow(/'pidMode' can only be set to 'task' for Linux Fargate containers, got: 'host'./); }); - - test('throws error when invalid CPU and memory combination is provided', () => { - const stack = new cdk.Stack(); - - new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: 256, - memoryLimitMiB: 125, - }); - - expect(() => { - Template.fromStack(stack); - }).toThrow(/Invalid CPU and memory combinations for FARGATE compatible task definition/); - }); - - test('successful when valid CPU and memory combination is provided', () => { - const stack = new cdk.Stack(); - new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { - cpu: 256, - memoryLimitMiB: 512, - }); - - Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '256', - Memory: '512', - }); - }); }); describe('When configuredAtLaunch in the Volume', ()=> { test('do not throw when configuredAtLaunch is false', () => { 
diff --git a/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts index 2347ded71b363..f098b3e89afcb 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/task-definition.test.ts @@ -14,7 +14,7 @@ describe('task definition', () => { // WHEN new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); @@ -51,7 +51,7 @@ describe('task definition', () => { assumedBy: new iam.AccountRootPrincipal(), }); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); @@ -96,7 +96,7 @@ describe('task definition', () => { assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'), }); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, executionRole: executionRole, @@ -154,7 +154,7 @@ describe('task definition', () => { }, ); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); @@ -387,7 +387,7 @@ describe('task definition', () => { }, ); const taskDef = new ecs.TaskDefinition(stack, 'TD', { - cpu: '256', + cpu: '512', memoryMiB: '512', compatibility: ecs.Compatibility.EC2_AND_FARGATE, }); 
@@ -457,34 +457,6 @@ describe('task definition', () => { Template.fromStack(stack); }).toThrow("ECS Container Container must have at least one of 'memoryLimitMiB' or 'memoryReservationMiB' specified"); }); - - test('throws error when invalid CPU and memory combination is provided with Fargate compatibilities', () => { - const stack = new cdk.Stack(); - - new ecs.TaskDefinition(stack, 'TaskDef', { - compatibility: ecs.Compatibility.EC2_AND_FARGATE, - cpu: '122', - memoryMiB: '513', - }); - - expect(() => { - Template.fromStack(stack); - }).toThrow(/Invalid CPU and memory combinations for FARGATE compatible task definition/); - }); - - test('successful when valid CPU and memory combination is provided with Fargate compatibilities', () => { - const stack = new cdk.Stack(); - new ecs.TaskDefinition(stack, 'TaskDef', { - compatibility: ecs.Compatibility.EC2_AND_FARGATE, - cpu: '256', - memoryMiB: '512', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { - Cpu: '256', - Memory: '512', - }); - }); }); describe('When importing from an existing Task definition', () => { @@ -588,7 +560,7 @@ describe('task definition', () => { const stack = new cdk.Stack(); const taskDefinition = new ecs.TaskDefinition(stack, 'TaskDef', { cpu: '512', - memoryMiB: '1024', + memoryMiB: '512', compatibility: ecs.Compatibility.FARGATE, }); @@ -638,7 +610,7 @@ describe('task definition', () => { const stack = new cdk.Stack(); const taskDefinition = new ecs.TaskDefinition(stack, 'TaskDef', { cpu: '512', - memoryMiB: '1024', + memoryMiB: '512', compatibility: ecs.Compatibility.FARGATE, }); diff --git a/packages/aws-cdk/test/api/cloudformation-deployments.test.ts b/packages/aws-cdk/test/api/cloudformation-deployments.test.ts index 7d6288ba10249..cbaf7c3d8746c 100644 --- a/packages/aws-cdk/test/api/cloudformation-deployments.test.ts +++ b/packages/aws-cdk/test/api/cloudformation-deployments.test.ts 
@@ -756,7 +756,7 @@ test('readCurrentTemplateWithNestedStacks() caches calls to listStackResources() expect(numberOfTimesListStackResourcesWasCalled).toEqual(1); }); -test('readCurrentTemplateWithNestedStacks() successfully ignores stacks without metadata', async () => { +test('readCurrentTemplateWithNestedStacks() succesfully ignores stacks without metadata', async () => { // GIVEN const cfnStack = new FakeCloudformationStack({ stackName: 'MetadataRoot', From 92b7cb0e2268e9b170d4aa025bfc4a33e0411503 Mon Sep 17 00:00:00 2001 From: Xia Zhao Date: Wed, 14 Aug 2024 11:17:08 -0700 Subject: [PATCH 02/10] chore(release): 2.151.1 --- CHANGELOG.v2.alpha.md | 2 ++ CHANGELOG.v2.md | 7 +++++++ version.v2.json | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 94457cf9680b6..2b94b810d0131 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.151.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.0-alpha.0...v2.151.1-alpha.0) (2024-08-14) + ## [2.151.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.150.0-alpha.0...v2.151.0-alpha.0) (2024-08-01) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 267f5ddf5f99a..01e2f4e4d8e71 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md 
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.151.1](https://github.com/aws/aws-cdk/compare/v2.151.0...v2.151.1) (2024-08-14) + + +### Reverts + +* feat(ecs): add validation checks to memory cpu combinations of FARGATE compatible task definitions ([#31110](https://github.com/aws/aws-cdk/issues/31110)) ([8fdf015](https://github.com/aws/aws-cdk/commit/8fdf015fdc310d6d62cec31b6d89e1ff1decb8b6)) + ## [2.151.0](https://github.com/aws/aws-cdk/compare/v2.150.0...v2.151.0) (2024-08-01) diff --git a/version.v2.json b/version.v2.json index 6c3bf4ed415f0..443e45a11be1d 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.151.0", - "alphaVersion": "2.151.0-alpha.0" + "version": "2.151.1", + "alphaVersion": "2.151.1-alpha.0" } \ No newline at end of file From 537d3b2f1bf9c56da9dd09c97cbb7f1bb408300e Mon Sep 17 00:00:00 2001 From: Kazuho Cryer-Shinozuka Date: Thu, 15 Aug 2024 05:24:29 +0900 Subject: [PATCH 03/10] chore(ec2): add `mac2-m1ultra` instance type (#30817) ### Issue # (if applicable) None ### Reason for this change EC2 instance supports `mac2-m1ultra` instance type but `InstanceType` class does not support it. ### Description of changes Add `MAC2_M1ULTRA` instance type ### Description of how you validated changes None ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts | 12 ++++++++++++ .../aws-cdk-lib/aws-ec2/test/instance-type.test.ts | 8 ++++++++ 2 files changed, 20 insertions(+) create mode 100644 packages/aws-cdk-lib/aws-ec2/test/instance-type.test.ts 
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts b/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts index 4a09f956145f7..f5fa84835d910 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts @@ -1170,6 +1170,16 @@ export enum InstanceClass { */ MAC2_M2PRO = 'mac2-m2pro', + /** + * Macintosh instances built on 2022 Mac Studio hardware powered by Apple silicon M1 Ultra processors + */ + MACINTOSH2_M1_ULTRA = 'macintosh2-m1-ultra', + + /** + * Macintosh instances built on 2022 Mac Studio hardware powered by Apple silicon M1 Ultra processors + */ + MAC2_M1ULTRA = 'mac2-m1ultra', + /** * Multi-stream video transcoding instances for resolutions up to 4K UHD, 1st generation */ @@ -1632,6 +1642,8 @@ export class InstanceType { [InstanceClass.MAC2_M2]: 'mac2-m2', [InstanceClass.MACINTOSH2_M2_PRO]: 'mac2-m2pro', [InstanceClass.MAC2_M2PRO]: 'mac2-m2pro', + [InstanceClass.MACINTOSH2_M1_ULTRA]: 'mac2-m1ultra', + [InstanceClass.MAC2_M1ULTRA]: 'mac2-m1ultra', [InstanceClass.VIDEO_TRANSCODING1]: 'vt1', [InstanceClass.VT1]: 'vt1', [InstanceClass.HIGH_PERFORMANCE_COMPUTING6_AMD]: 'hpc6a', diff --git a/packages/aws-cdk-lib/aws-ec2/test/instance-type.test.ts b/packages/aws-cdk-lib/aws-ec2/test/instance-type.test.ts new file mode 100644 index 0000000000000..97dee37418cc2 --- /dev/null +++ b/packages/aws-cdk-lib/aws-ec2/test/instance-type.test.ts @@ -0,0 +1,8 @@ +import { InstanceClass, InstanceSize, InstanceType } from '../lib'; + +describe('InstanceType', () => { + test('mac2 m1 ultra', () => { + const instanceType = InstanceType.of(InstanceClass.MAC2_M1ULTRA, InstanceSize.METAL); + expect(instanceType.toString()).toEqual('mac2-m1ultra.metal'); + }); +}); \ No newline at end of file From 768145c356f0d7bd248f9c814f4ae6b9e8f41fb0 Mon Sep 17 00:00:00 2001 
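Review bot: The new test in instance-type.test.ts exercises only `InstanceClass.MAC2_M1ULTRA`, leaving the long-form alias `MACINTOSH2_M1_ULTRA` untested. Its enum value `'macintosh2-m1-ultra'` is not an instance family string, so it depends entirely on the map entry added in the `@@ -1632,6 +1642,8 @@` hunk. A second assertion would pin that mapping: `expect(InstanceType.of(InstanceClass.MACINTOSH2_M1_ULTRA, InstanceSize.METAL).toString()).toEqual('mac2-m1ultra.metal');`. The enum and the map both continue outside their hunks.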
From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com> Date: Thu, 15 Aug 2024 00:05:14 +0300 Subject: [PATCH 04/10] chore: update Contributors File (#30995) Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action --- CONTRIBUTORS.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 5d85f5628d34b..a85d24901e71d 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -12,11 +12,11 @@ Shout out to our top contributors! - [shivlaks](https://github.com/shivlaks) - [otaviomacedo](https://github.com/otaviomacedo) - [mrgrain](https://github.com/mrgrain) -- [madeline-k](https://github.com/madeline-k) - [pahud](https://github.com/pahud) +- [madeline-k](https://github.com/madeline-k) - [comcalvi](https://github.com/comcalvi) -- [NetaNir](https://github.com/NetaNir) - [TheRealAmazonKendra](https://github.com/TheRealAmazonKendra) +- [NetaNir](https://github.com/NetaNir) - [robertd](https://github.com/robertd) - [MrArnoldPalmer](https://github.com/MrArnoldPalmer) - [go-to-k](https://github.com/go-to-k) @@ -24,9 +24,9 @@ Shout out to our top contributors! - [peterwoodworth](https://github.com/peterwoodworth) - [colifran](https://github.com/colifran) - [msambol](https://github.com/msambol) -- [nija-at](https://github.com/nija-at) - [watany-dev](https://github.com/watany-dev) +- [nija-at](https://github.com/nija-at) - [hoegertn](https://github.com/hoegertn) -_Last updated: Mon, 01 Jul 24 00:11:02 +0000_ \ No newline at end of file +_Last updated: Thu, 01 Aug 24 00:10:57 +0000_ \ No newline at end of file From 8d767786fe88d0ed60104ea6f48176e8981dd0fa Mon Sep 17 00:00:00 2001 
From: mazyu36 Date: Thu, 15 Aug 2024 07:25:41 +0900 Subject: [PATCH 05/10] feat(amplify): support custom certificate (#30791) ### Issue # (if applicable) Closes #30594. ### Reason for this change To use custom domain for Amplify by setting custom certificate. ### Description of changes Add `customCertificate` property. ### Description of how you validated changes Add unit test and integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-amplify-alpha/README.md | 11 + .../@aws-cdk/aws-amplify-alpha/lib/domain.ts | 12 + .../rosetta/default.ts-fixture | 1 + .../aws-amplify-alpha/test/domain.test.ts | 73 +++ ...efaultTestDeployAssert5F8CD1EB.assets.json | 19 + ...aultTestDeployAssert5F8CD1EB.template.json | 36 ++ .../cdk-amplify-app-custom-domain.assets.json | 19 + ...dk-amplify-app-custom-domain.template.json | 210 +++++++++ .../cdk.out | 1 + .../integ.json | 14 + .../manifest.json | 158 +++++++ .../tree.json | 433 ++++++++++++++++++ .../test/integ.app-custom-domain.ts | 75 +++ 13 files changed, 1062 insertions(+) create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.assets.json create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.template.json create mode 100644 
packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/integ.json create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/tree.json create mode 100644 packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.ts diff --git a/packages/@aws-cdk/aws-amplify-alpha/README.md b/packages/@aws-cdk/aws-amplify-alpha/README.md index 0aa1e72e37726..d543b4090faff 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/README.md +++ b/packages/@aws-cdk/aws-amplify-alpha/README.md @@ -138,6 +138,17 @@ domain.mapSubDomain(main, 'www'); domain.mapSubDomain(dev); // sub domain prefix defaults to branch name ``` +To specify a custom certificate for your custom domain use the `customCertificate` property: + +```ts +declare const customCertificate: acm.Certificate; +declare const amplifyApp: amplify.App; + +const domain = amplifyApp.addDomain('example.com', { + customCertificate, // set your custom certificate +}); +``` + ## Restricting access Password protect the app with basic auth by specifying the `basicAuth` prop. diff --git a/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts b/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts index 6075d2b2a1a52..c90d2ed78a46b 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts +++ b/packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts @@ -1,3 +1,4 @@ +import * as acm from 'aws-cdk-lib/aws-certificatemanager'; import * as iam from 'aws-cdk-lib/aws-iam'; import { Lazy, Resource, IResolvable } from 'aws-cdk-lib/core'; import { Construct } from 'constructs'; 
@@ -36,6 +37,13 @@ export interface DomainOptions { * @default - all repository branches ['*', 'pr*'] */ readonly autoSubdomainCreationPatterns?: string[]; + + /** + * The type of SSL/TLS certificate to use for your custom domain + * + * @default - Amplify uses the default certificate that it provisions and manages for you + */ + readonly customCertificate?: acm.ICertificate; } /** @@ -130,6 +138,10 @@ export class Domain extends Resource { enableAutoSubDomain: !!props.enableAutoSubdomain, autoSubDomainCreationPatterns: props.autoSubdomainCreationPatterns || ['*', 'pr*'], autoSubDomainIamRole: props.autoSubDomainIamRole?.roleArn, + certificateSettings: props.customCertificate ? { + certificateType: 'CUSTOM', + customCertificateArn: props.customCertificate.certificateArn, + } : undefined, }); this.arn = domain.attrArn; diff --git a/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture index dd27e406b3985..85e3aab9ce9f6 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture +++ b/packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture @@ -2,6 +2,7 @@ import { SecretValue, Stack } from 'aws-cdk-lib'; import { Construct } from 'constructs'; import * as amplify from '@aws-cdk/aws-amplify-alpha'; +import * as acm from 'aws-cdk-lib/aws-certificatemanager'; class Fixture extends Stack { constructor(scope: Construct, id: string) { diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts b/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts index 4ed31051277e6..cbf8d9d9a42d2 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts +++ b/packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts @@ -1,4 +1,5 @@ import { Template } from 'aws-cdk-lib/assertions'; +import * as acm from 'aws-cdk-lib/aws-certificatemanager'; import * as iam from 'aws-cdk-lib/aws-iam'; import { App, SecretValue, Stack } from 'aws-cdk-lib'; import * as amplify from '../lib'; 
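Review bot: The doc comment added for `customCertificate` in the `@@ -36,6 +37,13 @@` hunk says "The type of SSL/TLS certificate", but the property takes the certificate itself; the type is fixed to `'CUSTOM'` in the `@@ -130,6 +138,10 @@` hunk. I would reword it to `The custom ACM certificate to use for this domain` and state the constraints the caller has to meet, because the construct passes `certificateArn` through without checking them. As far as I know Amplify Hosting accepts only ACM certificates in us-east-1 (worth confirming against the Amplify docs), and the certificate has to cover the domain and every mapped subdomain. Both the `DomainOptions` interface and the `Domain` constructor continue outside these hunks.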
@@ -64,6 +65,78 @@ test('create a domain', () => { }); }); +test('create a domain with custom certificate', () => { + // GIVEN + const stack = new Stack(); + const app = new amplify.App(stack, 'App', { + sourceCodeProvider: new amplify.GitHubSourceCodeProvider({ + owner: 'aws', + repository: 'aws-cdk', + oauthToken: SecretValue.unsafePlainText('secret'), + }), + }); + const prodBranch = app.addBranch('main'); + const devBranch = app.addBranch('dev'); + + const customCertificate = new acm.Certificate(stack, 'Cert', { + domainName: '*.example.com', + }); + + // WHEN + const domain = app.addDomain('example.com', { + subDomains: [ + { + branch: prodBranch, + prefix: 'prod', + }, + ], + customCertificate, + }); + domain.mapSubDomain(devBranch); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Amplify::Domain', { + AppId: { + 'Fn::GetAtt': [ + 'AppF1B96344', + 'AppId', + ], + }, + DomainName: 'example.com', + CertificateSettings: { + CertificateType: 'CUSTOM', + CustomCertificateArn: { + Ref: 'Cert5C9FAEC1', + }, + }, + SubDomainSettings: [ + { + BranchName: { + 'Fn::GetAtt': [ + 'AppmainF505BAED', + 'BranchName', + ], + }, + Prefix: 'prod', + }, + { + BranchName: { + 'Fn::GetAtt': [ + 'AppdevB328DAFC', + 'BranchName', + ], + }, + Prefix: { + 'Fn::GetAtt': [ + 'AppdevB328DAFC', + 'BranchName', + ], + }, + }, + ], + }); +}); + test('map a branch to the domain root', () => { // GIVEN const stack = new Stack(); diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json new file mode 100644 index 0000000000000..f02a474074771 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json 
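Review bot: The new test covers only the case where `customCertificate` is set, so nothing pins the default branch (`: undefined`) of the new `certificateSettings` expression. `hasResourceProperties` matches partially, so the existing 'create a domain' test would still pass if `CertificateSettings` were emitted by mistake. I would add `CertificateSettings: Match.absent(),` to that test's expected properties, with `Match` imported from `aws-cdk-lib/assertions`, so a regression that forces a certificate type on every domain is caught. The trailing context lines of this hunk belong to the next test, whose body continues outside the hunk.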
@@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.assets.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.assets.json new file mode 100644 index 0000000000000..f1c3c1e152115 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "5314d52dac3409b06902f1cf40df3d58dceb16146ad8cf66843edee0096d1d87": { + "source": { + "path": "cdk-amplify-app-custom-domain.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "5314d52dac3409b06902f1cf40df3d58dceb16146ad8cf66843edee0096d1d87.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.template.json new file mode 100644 index 0000000000000..5909af114f54a --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk-amplify-app-custom-domain.template.json 
@@ -0,0 +1,210 @@ +{ + "Resources": { + "Repo02AC86CF": { + "Type": "AWS::CodeCommit::Repository", + "Properties": { + "RepositoryName": "integ-amplify-app" + } + }, + "AppRole1AF9B530": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "amplify.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "AppRoleDefaultPolicy9CADBAA1": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "codecommit:GitPull", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "AppRoleDefaultPolicy9CADBAA1", + "Roles": [ + { + "Ref": "AppRole1AF9B530" + } + ] + } + }, + "AppF1B96344": { + "Type": "AWS::Amplify::App", + "Properties": { + "BasicAuthConfig": { + "EnableBasicAuth": false + }, + "IAMServiceRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "Name": "App", + "Platform": "WEB", + "Repository": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "CloneUrlHttp" + ] + } + } + }, + "AppmainF505BAED": { + "Type": "AWS::Amplify::Branch", + "Properties": { + "AppId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "BranchName": "main", + "EnableAutoBuild": true, + "EnablePullRequestPreview": true + } + }, + "AppdevB328DAFC": { + "Type": "AWS::Amplify::Branch", + "Properties": { + "AppId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "BranchName": "dev", + "EnableAutoBuild": true, + "EnablePullRequestPreview": true + } + }, + "Appexamplecom6AF1A3AD": { + "Type": "AWS::Amplify::Domain", + "Properties": { + "AppId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "AutoSubDomainCreationPatterns": [ + "*", + "pr*" + ], + "AutoSubDomainIAMRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "CertificateSettings": { + "CertificateType": "CUSTOM", + 
"CustomCertificateArn": { + "Ref": "Certificate4E7ABB08" + } + }, + "DomainName": "*.example.com", + "EnableAutoSubDomain": false, + "SubDomainSettings": [ + { + "BranchName": { + "Fn::GetAtt": [ + "AppmainF505BAED", + "BranchName" + ] + }, + "Prefix": "prod" + }, + { + "BranchName": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + }, + "Prefix": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + } + } + ] + } + }, + "Certificate4E7ABB08": { + "Type": "AWS::CertificateManager::Certificate", + "Properties": { + "DomainName": "*.*.example.com", + "DomainValidationOptions": [ + { + "DomainName": "*.*.example.com", + "HostedZoneId": "Z23ABC4XYZL05B" + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "cdk-amplify-app-custom-domain/Certificate" + } + ], + "ValidationMethod": "DNS" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk.out b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/integ.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/integ.json new file mode 100644 index 0000000000000..b8c953f413ca9 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/integ.json @@ -0,0 +1,14 @@ +{ + "enableLookups": true, + "version": "36.0.0", + "testCases": { + "amplify-app-custom-domain-integ/DefaultTest": { + "stacks": [ + "cdk-amplify-app-custom-domain" + ], + "stackUpdateWorkflow": false, + "assertionStack": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert", + "assertionStackName": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/manifest.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/manifest.json new file mode 100644 index 0000000000000..1586bbb9fed72 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/manifest.json 
@@ -0,0 +1,158 @@ +{ + "version": "36.0.0", + "artifacts": { + "cdk-amplify-app-custom-domain.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "cdk-amplify-app-custom-domain.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "cdk-amplify-app-custom-domain": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "cdk-amplify-app-custom-domain.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5314d52dac3409b06902f1cf40df3d58dceb16146ad8cf66843edee0096d1d87.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "cdk-amplify-app-custom-domain.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "cdk-amplify-app-custom-domain.assets" + ], + "metadata": { + "/cdk-amplify-app-custom-domain/Repo/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Repo02AC86CF" + } + ], + "/cdk-amplify-app-custom-domain/App/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppRole1AF9B530" + } + ], + "/cdk-amplify-app-custom-domain/App/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppRoleDefaultPolicy9CADBAA1" + } + ], + 
"/cdk-amplify-app-custom-domain/App/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppF1B96344" + } + ], + "/cdk-amplify-app-custom-domain/App/main/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppmainF505BAED" + } + ], + "/cdk-amplify-app-custom-domain/App/dev/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AppdevB328DAFC" + } + ], + "/cdk-amplify-app-custom-domain/App/*.example.com/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Appexamplecom6AF1A3AD" + } + ], + "/cdk-amplify-app-custom-domain/Certificate/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Certificate4E7ABB08", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" + ] + } + ], + "/cdk-amplify-app-custom-domain/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/cdk-amplify-app-custom-domain/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "cdk-amplify-app-custom-domain" + }, + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + 
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "amplifyappcustomdomainintegDefaultTestDeployAssert5F8CD1EB.assets" + ], + "metadata": { + "/amplify-app-custom-domain-integ/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/amplify-app-custom-domain-integ/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/tree.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/tree.json new file mode 100644 index 0000000000000..d91f03344d460 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.js.snapshot/tree.json 
@@ -0,0 +1,433 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "cdk-amplify-app-custom-domain": { + "id": "cdk-amplify-app-custom-domain", + "path": "cdk-amplify-app-custom-domain", + "children": { + "Repo": { + "id": "Repo", + "path": "cdk-amplify-app-custom-domain/Repo", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/Repo/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CodeCommit::Repository", + "aws:cdk:cloudformation:props": { + "repositoryName": "integ-amplify-app" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_codecommit.CfnRepository", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_codecommit.Repository", + "version": "0.0.0" + } + }, + "App": { + "id": "App", + "path": "cdk-amplify-app-custom-domain/App", + "children": { + "Role": { + "id": "Role", + "path": "cdk-amplify-app-custom-domain/App/Role", + "children": { + "ImportRole": { + "id": "ImportRole", + "path": "cdk-amplify-app-custom-domain/App/Role/ImportRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "amplify.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "cdk-amplify-app-custom-domain/App/Role/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/Role/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + 
"aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "codecommit:GitPull", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "AppRoleDefaultPolicy9CADBAA1", + "roles": [ + { + "Ref": "AppRole1AF9B530" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::App", + "aws:cdk:cloudformation:props": { + "basicAuthConfig": { + "enableBasicAuth": false + }, + "iamServiceRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "name": "App", + "platform": "WEB", + "repository": { + "Fn::GetAtt": [ + "Repo02AC86CF", + "CloneUrlHttp" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnApp", + "version": "0.0.0" + } + }, + "main": { + "id": "main", + "path": "cdk-amplify-app-custom-domain/App/main", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/main/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::Branch", + "aws:cdk:cloudformation:props": { + "appId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "branchName": "main", + "enableAutoBuild": true, + "enablePullRequestPreview": true + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnBranch", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "dev": { + "id": "dev", + "path": "cdk-amplify-app-custom-domain/App/dev", + "children": { + "Resource": { + "id": "Resource", + "path": 
"cdk-amplify-app-custom-domain/App/dev/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::Branch", + "aws:cdk:cloudformation:props": { + "appId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "branchName": "dev", + "enableAutoBuild": true, + "enablePullRequestPreview": true + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnBranch", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "*.example.com": { + "id": "*.example.com", + "path": "cdk-amplify-app-custom-domain/App/*.example.com", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/App/*.example.com/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Amplify::Domain", + "aws:cdk:cloudformation:props": { + "appId": { + "Fn::GetAtt": [ + "AppF1B96344", + "AppId" + ] + }, + "autoSubDomainCreationPatterns": [ + "*", + "pr*" + ], + "autoSubDomainIamRole": { + "Fn::GetAtt": [ + "AppRole1AF9B530", + "Arn" + ] + }, + "certificateSettings": { + "certificateType": "CUSTOM", + "customCertificateArn": { + "Ref": "Certificate4E7ABB08" + } + }, + "domainName": "*.example.com", + "enableAutoSubDomain": false, + "subDomainSettings": [ + { + "branchName": { + "Fn::GetAtt": [ + "AppmainF505BAED", + "BranchName" + ] + }, + "prefix": "prod" + }, + { + "branchName": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + }, + "prefix": { + "Fn::GetAtt": [ + "AppdevB328DAFC", + "BranchName" + ] + } + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_amplify.CfnDomain", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "HostedZone": { + "id": "HostedZone", + "path": "cdk-amplify-app-custom-domain/HostedZone", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + 
} + }, + "Certificate": { + "id": "Certificate", + "path": "cdk-amplify-app-custom-domain/Certificate", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-amplify-app-custom-domain/Certificate/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CertificateManager::Certificate", + "aws:cdk:cloudformation:props": { + "domainName": "*.*.example.com", + "domainValidationOptions": [ + { + "domainName": "*.*.example.com", + "hostedZoneId": "Z23ABC4XYZL05B" + } + ], + "tags": [ + { + "key": "Name", + "value": "cdk-amplify-app-custom-domain/Certificate" + } + ], + "validationMethod": "DNS" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.CfnCertificate", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_certificatemanager.Certificate", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cdk-amplify-app-custom-domain/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cdk-amplify-app-custom-domain/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "amplify-app-custom-domain-integ": { + "id": "amplify-app-custom-domain-integ", + "path": "amplify-app-custom-domain-integ", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "amplify-app-custom-domain-integ/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "amplify-app-custom-domain-integ/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": 
"amplify-app-custom-domain-integ/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "amplify-app-custom-domain-integ/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.ts b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.ts new file mode 100644 index 0000000000000..2d38147cb0475 --- /dev/null +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-custom-domain.ts 
@@ -0,0 +1,75 @@
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+import * as codecommit from 'aws-cdk-lib/aws-codecommit';
+import * as route53 from 'aws-cdk-lib/aws-route53';
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as amplify from '../lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+interface TestStackProps extends StackProps {
+ hostedZoneId: string;
+ hostedZoneName: string;
+ domainName: string;
+}
+
+class TestStack extends Stack {
+ constructor(scope: Construct, id: string, props: TestStackProps) {
+ super(scope, id, props);
+
+ const repository = new codecommit.Repository(this, 'Repo', {
+ repositoryName: 'integ-amplify-app',
+ });
+
+ const app = new amplify.App(this, 'App', {
+ sourceCodeProvider: new amplify.CodeCommitSourceCodeProvider({ repository }),
+ });
+
+ const prodBranch = app.addBranch('main');
+ const devBranch = app.addBranch('dev');
+
+ const hostedZone = route53.PublicHostedZone.fromHostedZoneAttributes(this, 'HostedZone', {
+ hostedZoneId: props.hostedZoneId,
+ zoneName: props.hostedZoneName,
+ });
+
+ const customCertificate = new acm.Certificate(this, 'Certificate', {
+ domainName: `*.${props.domainName}`,
+ validation: acm.CertificateValidation.fromDns(hostedZone),
+ });
+
+ const domain = app.addDomain(props.domainName, {
+ subDomains: [
+ {
+ branch: prodBranch,
+ prefix: 'prod',
+ },
+ ],
+ customCertificate,
+ });
+ domain.mapSubDomain(devBranch);
+ }
+}
+
+/**
+ * In order to test this you need to have a valid public hosted zone that you can use
+ * to request certificates for.
+*/
+const hostedZoneId = process.env.CDK_INTEG_HOSTED_ZONE_ID ?? process.env.HOSTED_ZONE_ID;
+if (!hostedZoneId) throw new Error('For this test you must provide your own HostedZoneId as an env var "HOSTED_ZONE_ID". See framework-integ/README.md for details.');
+const hostedZoneName = process.env.CDK_INTEG_HOSTED_ZONE_NAME ?? process.env.HOSTED_ZONE_NAME;
+if (!hostedZoneName) throw new Error('For this test you must provide your own HostedZoneName as an env var "HOSTED_ZONE_NAME". See framework-integ/README.md for details.');
+const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME;
+if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME". See framework-integ/README.md for details.');
+
+const app = new App();
+const stack = new TestStack(app, 'cdk-amplify-app-custom-domain', {
+ hostedZoneId,
+ hostedZoneName,
+ domainName,
+});
+
+new IntegTest(app, 'amplify-app-custom-domain-integ', {
+ testCases: [stack],
+ enableLookups: true,
+ stackUpdateWorkflow: false,
+});
From 6aa72a215859ab96e9fd8b4ccee0d40bda753200 Mon Sep 17 00:00:00 2001
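Review bot: `domainName` is read from `CDK_INTEG_DOMAIN_NAME`/`DOMAIN_NAME` and used both as the Amplify domain and, prefixed with `*.`, as the certificate name, but nothing checks that it is a bare domain. The committed snapshot for this test records the Amplify `DomainName` as `*.example.com` and the certificate as `*.*.example.com`, which is what the prefixing produces when the variable already holds a wildcard. The test therefore does not describe a certificate/domain pairing a user could deploy. I would reject such a value up front, `if (domainName.startsWith('*.')) throw new Error('DOMAIN_NAME must be a bare domain, not a wildcard');`, or strip the prefix before building both names. The three error messages also name only the unprefixed variables, although the `CDK_INTEG_*` ones are read first.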
From: Xia Zhao Date: Wed, 14 Aug 2024 16:48:08 -0700 Subject: [PATCH 06/10] feat(lambda): support filter criteria encryption --- ...efaultTestDeployAssert448231D5.assets.json | 2 +- .../cdk.out | 2 +- .../integ.json | 2 +- ...ource-filter-criteria-dynamodb.assets.json | 6 +- ...rce-filter-criteria-dynamodb.template.json | 160 +++++++ .../manifest.json | 36 +- .../tree.json | 258 ++++++++++- .../integ.dynamodb-with-filter-criteria.ts | 27 ++ ...efaultTestDeployAssertAF78BD0F.assets.json | 2 +- .../cdk.out | 2 +- .../integ.json | 2 +- ...vent-source-kafka-self-managed.assets.json | 6 +- ...nt-source-kafka-self-managed.template.json | 179 ++++++++ .../manifest.json | 36 +- .../tree.json | 275 +++++++++++- .../test/integ.kafka-selfmanaged.ts | 27 ++ ...efaultTestDeployAssert70A9A808.assets.json | 2 +- .../cdk.out | 2 +- .../integ.json | 2 +- ...ent-source-filter-criteria-sqs.assets.json | 6 +- ...t-source-filter-criteria-sqs.template.json | 156 +++++++ .../manifest.json | 45 +- .../tree.json | 254 ++++++++++- .../test/integ.sqs-with-filter-criteria.ts | 21 + .../aws-lambda-event-sources/README.md | 33 ++ .../aws-lambda-event-sources/lib/kafka.ts | 13 + .../aws-lambda-event-sources/lib/sqs.ts | 12 + .../aws-lambda-event-sources/lib/stream.ts | 13 + .../test/dynamo.test.ts | 123 ++++++ .../test/kafka.test.ts | 153 +++++++ .../aws-lambda-event-sources/test/sqs.test.ts | 87 ++++ packages/aws-cdk-lib/aws-lambda/README.md | 47 ++ .../aws-lambda/lib/event-source-mapping.ts | 30 ++ .../test/event-source-mapping.test.ts | 69 +++ .../aws-lambda-eventsourcemapping.json | 409 ++++++++++++++++++ 35 files changed, 2467 insertions(+), 32 deletions(-) create mode 100644 tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-eventsourcemapping.json 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json index a9f8c01bbffc7..042d7b3416bbf 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json index 9e170621e743b..f4a60fafc3e3e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "DynamoDBFilterCriteria/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json index f67fb7e688555..60c69bab59474 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.assets.json @@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { - "12820430413ecb3acc272c29391ccb7d4852423d6630831ad3a1816e5ba6a66b": { + "635e0224ecca17d5512ed1bef8cfa79b63a3d53803e96c4382c47fe9408eb0c7": { "source": { "path": "lambda-event-source-filter-criteria-dynamodb.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "12820430413ecb3acc272c29391ccb7d4852423d6630831ad3a1816e5ba6a66b.json", + "objectKey": "635e0224ecca17d5512ed1bef8cfa79b63a3d53803e96c4382c47fe9408eb0c7.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json index 51ecc3d8a5a7f..08858d9a49aef 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-dynamodb.template.json 
@@ -134,6 +134,166 @@ }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" + }, + "fctestkeyname524AF060": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "KMS key for test fc encryption", + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PendingWindowInDays": 7 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "F5ServiceRole2E897519": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "F5ServiceRoleDefaultPolicyF3745DE6": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "dynamodb:ListStreams", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "dynamodb:DescribeStream", + "dynamodb:GetRecords", + "dynamodb:GetShardIterator" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "F5ServiceRoleDefaultPolicyF3745DE6", + "Roles": [ + { + "Ref": "F5ServiceRole2E897519" + } + ] + } + }, + "F5B560B5F9": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 
2));\n return { event };\n}" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "F5ServiceRole2E897519", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "F5ServiceRoleDefaultPolicyF3745DE6", + "F5ServiceRole2E897519" + ] + }, + "F5DynamoDBEventSourcelambdaeventsourcefiltercriteriadynamodbT9CFE7D0688700B50": { + "Type": "AWS::Lambda::EventSourceMapping", + "Properties": { + "BatchSize": 5, + "EventSourceArn": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + }, + "FilterCriteria": { + "Filters": [ + { + "Pattern": "{\"eventName\":[\"INSERT\"],\"dynamodb\":{\"Keys\":{\"id\":{\"S\":[{\"exists\":true}]}}}}" + } + ] + }, + "FunctionName": { + "Ref": "F5B560B5F9" + }, + "KmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "StartingPosition": "LATEST" + } } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json index 4bb3cd7d7c817..0b300d7ca1f56 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "lambda-event-source-filter-criteria-dynamodb.assets": { "type": "cdk:asset-manifest", 
@@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "lambda-event-source-filter-criteria-dynamodb.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/12820430413ecb3acc272c29391ccb7d4852423d6630831ad3a1816e5ba6a66b.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/635e0224ecca17d5512ed1bef8cfa79b63a3d53803e96c4382c47fe9408eb0c7.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -63,6 +64,36 @@ "data": "TD925BC7E" } ], + "/lambda-event-source-filter-criteria-dynamodb/fc-test-key-name/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeyname524AF060" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5ServiceRole2E897519" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5ServiceRoleDefaultPolicyF3745DE6" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5B560B5F9" + } + ], + "/lambda-event-source-filter-criteria-dynamodb/F5/DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F5DynamoDBEventSourcelambdaeventsourcefiltercriteriadynamodbT9CFE7D0688700B50" + } + ], "/lambda-event-source-filter-criteria-dynamodb/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -91,6 +122,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "DynamoDBFilterCriteriaDefaultTestDeployAssert448231D5.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json index 4674ff49a526f..757ace67fce4e 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.js.snapshot/tree.json @@ -183,7 +183,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.EventSourceMapping", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } 
@@ -243,6 +243,258 @@ "version": "0.0.0" } }, + "fc-test-key-name": { + "id": "fc-test-key-name", + "path": "lambda-event-source-filter-criteria-dynamodb/fc-test-key-name", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/fc-test-key-name/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "description": "KMS key for test fc encryption", + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "pendingWindowInDays": 7 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "F5": { + "id": "F5", + "path": "lambda-event-source-filter-criteria-dynamodb/F5", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": 
"2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "dynamodb:ListStreams", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "dynamodb:DescribeStream", + "dynamodb:GetRecords", + "dynamodb:GetShardIterator" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "F5ServiceRoleDefaultPolicyF3745DE6", + "roles": [ + { + "Ref": "F5ServiceRole2E897519" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "F5ServiceRole2E897519", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": 
"aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + "DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06": { + "id": "DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-dynamodb/F5/DynamoDBEventSource:lambdaeventsourcefiltercriteriadynamodbT9CFE7D06/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::EventSourceMapping", + "aws:cdk:cloudformation:props": { + "batchSize": 5, + "eventSourceArn": { + "Fn::GetAtt": [ + "TD925BC7E", + "StreamArn" + ] + }, + "filterCriteria": { + "filters": [ + { + "pattern": "{\"eventName\":[\"INSERT\"],\"dynamodb\":{\"Keys\":{\"id\":{\"S\":[{\"exists\":true}]}}}}" + } + ] + }, + "functionName": { + "Ref": "F5B560B5F9" + }, + "kmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "startingPosition": "LATEST" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnEventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "lambda-event-source-filter-criteria-dynamodb/BootstrapVersion", @@ -278,7 +530,7 @@ "path": "DynamoDBFilterCriteria/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -324,7 +576,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts index 544290074e7f6..fcc180a696a81 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.dynamodb-with-filter-criteria.ts @@ -4,6 +4,7 @@ import * as cdk from 'aws-cdk-lib'; import * as integ from '@aws-cdk/integ-tests-alpha'; import { TestFunction } from './test-function'; import { DynamoEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; const app = new cdk.App(); @@ -36,6 +37,32 @@ fn.addEventSource(new DynamoEventSource(table, { ], })); +const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', +}); + +const fn2 = new TestFunction(stack, 'F5'); + +fn2.addEventSource(new DynamoEventSource(table, { + batchSize: 5, + startingPosition: lambda.StartingPosition.LATEST, + filters: [ + lambda.FilterCriteria.filter({ + eventName: lambda.FilterRule.isEqual('INSERT'), + dynamodb: { + Keys: { + id: { + S: lambda.FilterRule.exists(), + }, + }, + }, + }), + ], + filterEncryption: myKey, +})); + new integ.IntegTest(app, 'DynamoDBFilterCriteria', { testCases: [stack], }); 
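Review bot: Passing `filterEncryption: myKey` in the second hunk leaves the test key with a policy statement that lets the `lambda.amazonaws.com` service principal call `kms:Decrypt` with no `Condition`, as the regenerated template snapshot for this test shows. The statement is not written in this file, so it presumably comes from the event-source construct and is what every user of the option will get. It is worth confirming whether it can be narrowed with a condition key such as `aws:SourceAccount`, provided Lambda supplies that context on this call, so that the grant is tied to mappings in the owning account. Until that is settled, a comment above the option would record it, for example `// adds an unconditioned kms:Decrypt grant for lambda.amazonaws.com to myKey's policy (see snapshot)`. The same policy is synthesized for the `F2` mapping added in `integ.kafka-selfmanaged.ts`.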
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json index 2f132e5215478..a01ffb4d5f4c8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json index be64da9864e1b..eb53722c5afaf 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "LambdaEventSourceKafkaSelfManagedTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json index d67485e3551c0..cb4ec6e990114 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.assets.json @@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { - "138a217a9e2d3bad4739ea506408a27aca8886a97c0fbacffcba80f39d2d26b0": { + "4bf07b5cad381e52a796b0a42748934cce430e155ffe31f0366eef200d40356f": { "source": { "path": "lambda-event-source-kafka-self-managed.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "138a217a9e2d3bad4739ea506408a27aca8886a97c0fbacffcba80f39d2d26b0.json", + "objectKey": "4bf07b5cad381e52a796b0a42748934cce430e155ffe31f0366eef200d40356f.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json index 88cf96bcf5d69..dd921a80f1344 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/lambda-event-source-kafka-self-managed.template.json 
@@ -143,6 +143,185 @@ }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" + }, + "fctestkeyname524AF060": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "KMS key for test fc encryption", + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PendingWindowInDays": 7 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "F2ServiceRole7F7C6006": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "F2ServiceRoleDefaultPolicy999D30A8": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": [ + { + "Ref": "S509448A1" + }, + { + "Ref": "SC0855C491" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "F2ServiceRoleDefaultPolicy999D30A8", + "Roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "F23BAC7B9C": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "Handler": "index.handler", + "Role": { + 
"Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "F2ServiceRoleDefaultPolicy999D30A8", + "F2ServiceRole7F7C6006" + ] + }, + "F2KafkaEventSource838c4d5ff3c99c1a617120adfca83e5bmytesttopic20A678189": { + "Type": "AWS::Lambda::EventSourceMapping", + "Properties": { + "BatchSize": 100, + "FilterCriteria": { + "Filters": [ + { + "Pattern": "{\"numericEquals\":[{\"numeric\":[\"=\",2]}]}" + } + ] + }, + "FunctionName": { + "Ref": "F23BAC7B9C" + }, + "KmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "SelfManagedEventSource": { + "Endpoints": { + "KafkaBootstrapServers": [ + "my-self-hosted-kafka-broker-1:9092", + "my-self-hosted-kafka-broker-2:9092", + "my-self-hosted-kafka-broker-3:9092" + ] + } + }, + "SelfManagedKafkaEventSourceConfig": { + "ConsumerGroupId": "myTestConsumerGroup2" + }, + "SourceAccessConfigurations": [ + { + "Type": "CLIENT_CERTIFICATE_TLS_AUTH", + "URI": { + "Ref": "SC0855C491" + } + }, + { + "Type": "SERVER_ROOT_CA_CERTIFICATE", + "URI": { + "Ref": "S509448A1" + } + } + ], + "StartingPosition": "TRIM_HORIZON", + "Topics": [ + "my-test-topic2" + ] + } } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json index 87b62f798b18b..06655a65cd8cb 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "lambda-event-source-kafka-self-managed.assets": { "type": "cdk:asset-manifest", 
@@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "lambda-event-source-kafka-self-managed.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/138a217a9e2d3bad4739ea506408a27aca8886a97c0fbacffcba80f39d2d26b0.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4bf07b5cad381e52a796b0a42748934cce430e155ffe31f0366eef200d40356f.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -69,6 +70,36 @@ "data": "SC0855C491" } ], + "/lambda-event-source-kafka-self-managed/fc-test-key-name/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeyname524AF060" + } + ], + "/lambda-event-source-kafka-self-managed/F2/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRole7F7C6006" + } + ], + "/lambda-event-source-kafka-self-managed/F2/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRoleDefaultPolicy999D30A8" + } + ], + "/lambda-event-source-kafka-self-managed/F2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F23BAC7B9C" + } + ], + "/lambda-event-source-kafka-self-managed/F2/KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2KafkaEventSource838c4d5ff3c99c1a617120adfca83e5bmytesttopic20A678189" + } + ], "/lambda-event-source-kafka-self-managed/BootstrapVersion": [ { "type": "aws:cdk:logicalId", 
@@ -97,6 +128,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json index 9bdb89aea6878..54543d8610b3a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.js.snapshot/tree.json 
@@ -260,6 +260,277 @@ "version": "0.0.0" } }, + "fc-test-key-name": { + "id": "fc-test-key-name", + "path": "lambda-event-source-kafka-self-managed/fc-test-key-name", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/fc-test-key-name/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "description": "KMS key for test fc encryption", + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "pendingWindowInDays": 7 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "F2": { + "id": "F2", + "path": "lambda-event-source-kafka-self-managed/F2", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ 
+ { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue" + ], + "Effect": "Allow", + "Resource": [ + { + "Ref": "S509448A1" + }, + { + "Ref": "SC0855C491" + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "F2ServiceRoleDefaultPolicy999D30A8", + "roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + "KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2": { + "id": 
"KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2", + "path": "lambda-event-source-kafka-self-managed/F2/KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-kafka-self-managed/F2/KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::EventSourceMapping", + "aws:cdk:cloudformation:props": { + "batchSize": 100, + "filterCriteria": { + "filters": [ + { + "pattern": "{\"numericEquals\":[{\"numeric\":[\"=\",2]}]}" + } + ] + }, + "functionName": { + "Ref": "F23BAC7B9C" + }, + "kmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + }, + "selfManagedEventSource": { + "endpoints": { + "kafkaBootstrapServers": [ + "my-self-hosted-kafka-broker-1:9092", + "my-self-hosted-kafka-broker-2:9092", + "my-self-hosted-kafka-broker-3:9092" + ] + } + }, + "selfManagedKafkaEventSourceConfig": { + "consumerGroupId": "myTestConsumerGroup2" + }, + "sourceAccessConfigurations": [ + { + "type": "CLIENT_CERTIFICATE_TLS_AUTH", + "uri": { + "Ref": "SC0855C491" + } + }, + { + "type": "SERVER_ROOT_CA_CERTIFICATE", + "uri": { + "Ref": "S509448A1" + } + } + ], + "startingPosition": "TRIM_HORIZON", + "topics": [ + "my-test-topic2" + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnEventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.EventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "lambda-event-source-kafka-self-managed/BootstrapVersion", @@ -295,7 +566,7 @@ "path": "LambdaEventSourceKafkaSelfManagedTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { 
@@ -341,7 +612,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts index 2ddbece1eee21..3af619c6f8bc2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts @@ -4,6 +4,7 @@ import * as cdk from 'aws-cdk-lib'; import * as integ from '@aws-cdk/integ-tests-alpha'; import { TestFunction } from './test-function'; import { AuthenticationMethod, SelfManagedKafkaEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; class KafkaSelfManagedEventSourceTest extends cdk.Stack { constructor(scope: cdk.App, id: string) { @@ -60,6 +61,32 @@ zp2mwJn2NYB7AZ7+imp0azDZb+8YG2aUCiyqb6PnnA== ], }), ); + + const myKey = new Key(this, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + const fn2 = new TestFunction(this, 'F2'); + rootCASecret.grantRead(fn2); + clientCertificatesSecret.grantRead(fn2); + + fn2.addEventSource(new SelfManagedKafkaEventSource({ + bootstrapServers, + topic: 'my-test-topic2', + consumerGroupId: 'myTestConsumerGroup2', + secret: clientCertificatesSecret, + authenticationMethod: AuthenticationMethod.CLIENT_CERTIFICATE_TLS_AUTH, + rootCACertificate: rootCASecret, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + numericEquals: lambda.FilterRule.isEqual(2), + }), + ], + filterEncryption: myKey, + })); } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json index 29409e5062689..316f67625c262 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/SQSFilterCriteriaDefaultTestDeployAssert70A9A808.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out index 2313ab5436501..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json index cc01f8e83d5e0..4d9d3a1966196 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "testCases": { "SQSFilterCriteria/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json index 0a297a763dd0f..0491d75417637 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.assets.json @@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "36.0.0", "files": { - "68d6842ea4469781d0a31e238982e6e384917b532b01a55bda819955e7d3beda": { + "b13ae7c9fc3e3d5e6921b00ac79b3ec76c7b8006a622b9b14fc849181dbce1e7": { "source": { "path": "lambda-event-source-filter-criteria-sqs.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "68d6842ea4469781d0a31e238982e6e384917b532b01a55bda819955e7d3beda.json", + "objectKey": "b13ae7c9fc3e3d5e6921b00ac79b3ec76c7b8006a622b9b14fc849181dbce1e7.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json index f34c9cf70ac42..bbe7eda0090d2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/lambda-event-source-filter-criteria-sqs.template.json 
@@ -109,6 +109,162 @@ "Type": "AWS::SQS::Queue", "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" + }, + "fctestkeyname524AF060": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "KMS key for test fc encryption", + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PendingWindowInDays": 7 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "F2ServiceRole7F7C6006": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "F2ServiceRoleDefaultPolicy999D30A8": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "F2ServiceRoleDefaultPolicy999D30A8", + "Roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "F23BAC7B9C": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event 
};\n}" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "F2ServiceRoleDefaultPolicy999D30A8", + "F2ServiceRole7F7C6006" + ] + }, + "F2SqsEventSourcelambdaeventsourcefiltercriteriasqsQA0FC5C9369D735ED": { + "Type": "AWS::Lambda::EventSourceMapping", + "Properties": { + "BatchSize": 5, + "EventSourceArn": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + }, + "FilterCriteria": { + "Filters": [ + { + "Pattern": "{\"body\":{\"id\":[{\"exists\":true}]}}" + } + ] + }, + "FunctionName": { + "Ref": "F23BAC7B9C" + }, + "KmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + } + } } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json index 80e8bb91a4194..ab4927fa81244 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "36.0.0", "artifacts": { "lambda-event-source-filter-criteria-sqs.assets": { "type": "cdk:asset-manifest", 
@@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "lambda-event-source-filter-criteria-sqs.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/68d6842ea4469781d0a31e238982e6e384917b532b01a55bda819955e7d3beda.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b13ae7c9fc3e3d5e6921b00ac79b3ec76c7b8006a622b9b14fc849181dbce1e7.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -63,6 +64,36 @@ "data": "Q63C6E3AB" } ], + "/lambda-event-source-filter-criteria-sqs/fc-test-key-name/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeyname524AF060" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRole7F7C6006" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2ServiceRoleDefaultPolicy999D30A8" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F23BAC7B9C" + } + ], + "/lambda-event-source-filter-criteria-sqs/F2/SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "F2SqsEventSourcelambdaeventsourcefiltercriteriasqsQA0FC5C9369D735ED" + } + ], "/lambda-event-source-filter-criteria-sqs/BootstrapVersion": [ { "type": "aws:cdk:logicalId", 
@@ -74,6 +105,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "fctestkeynameAliasEF6099A0": [ + { + "type": "aws:cdk:logicalId", + "data": "fctestkeynameAliasEF6099A0", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "lambda-event-source-filter-criteria-sqs" @@ -91,6 +131,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "SQSFilterCriteriaDefaultTestDeployAssert70A9A808.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json index b0b978a2f835c..df8b30717c630 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.js.snapshot/tree.json @@ -179,7 +179,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.EventSourceMapping", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } 
@@ -211,6 +211,254 @@ "version": "0.0.0" } }, + "fc-test-key-name": { + "id": "fc-test-key-name", + "path": "lambda-event-source-filter-criteria-sqs/fc-test-key-name", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/fc-test-key-name/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "description": "KMS key for test fc encryption", + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": "kms:Decrypt", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "pendingWindowInDays": 7 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "F2": { + "id": "F2", + "path": "lambda-event-source-filter-criteria-sqs/F2", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + 
"managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "F2ServiceRoleDefaultPolicy999D30A8", + "roles": [ + { + "Ref": "F2ServiceRole7F7C6006" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "F2ServiceRole7F7C6006", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + 
"SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93": { + "id": "SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93", + "path": "lambda-event-source-filter-criteria-sqs/F2/SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93", + "children": { + "Resource": { + "id": "Resource", + "path": "lambda-event-source-filter-criteria-sqs/F2/SqsEventSource:lambdaeventsourcefiltercriteriasqsQA0FC5C93/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::EventSourceMapping", + "aws:cdk:cloudformation:props": { + "batchSize": 5, + "eventSourceArn": { + "Fn::GetAtt": [ + "Q63C6E3AB", + "Arn" + ] + }, + "filterCriteria": { + "filters": [ + { + "pattern": "{\"body\":{\"id\":[{\"exists\":true}]}}" + } + ] + }, + "functionName": { + "Ref": "F23BAC7B9C" + }, + "kmsKeyArn": { + "Fn::GetAtt": [ + "fctestkeyname524AF060", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnEventSourceMapping", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "lambda-event-source-filter-criteria-sqs/BootstrapVersion", @@ -246,7 +494,7 @@ "path": "SQSFilterCriteria/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -292,7 +540,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts index 3890428a70ff8..98d536b52e49f 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda-event-sources/test/integ.sqs-with-filter-criteria.ts @@ -4,6 +4,7 @@ import * as cdk from 'aws-cdk-lib'; import * as integ from '@aws-cdk/integ-tests-alpha'; import { TestFunction } from './test-function'; import { SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; const app = new cdk.App(); @@ -23,6 +24,26 @@ fn.addEventSource(new SqsEventSource(queue, { ], })); +const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', +}); + +const fn2 = new TestFunction(stack, 'F2'); + +fn2.addEventSource(new SqsEventSource(queue, { + batchSize: 5, + filters: [ + lambda.FilterCriteria.filter({ + body: { + id: lambda.FilterRule.exists(), + }, + }), + ], + filterEncryption: myKey, +})); + new integ.IntegTest(app, 'SQSFilterCriteria', { testCases: [stack], }); diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/README.md b/packages/aws-cdk-lib/aws-lambda-event-sources/README.md index c7fe6791f4df6..8c88ae99bc8b8 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/README.md +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/README.md 
@@ -313,6 +313,39 @@ myFunction.addEventSource(new ManagedKafkaEventSource({ })); ``` +By default, Lambda will encrypt Filter Criteria using AWS managed keys. But if you want to use a self managed KMS key to encrypt the filters, You can specify the self managed key using the `filterEncryption` property. + +```ts +import { ManagedKafkaEventSource } from 'aws-cdk-lib/aws-lambda-event-sources'; +import { Key } from 'aws-cdk-lib/aws-kms'; + +// Your MSK cluster arn +const clusterArn = 'arn:aws:kafka:us-east-1:0123456789019:cluster/SalesCluster/abcd1234-abcd-cafe-abab-9876543210ab-4'; + +// The Kafka topic you want to subscribe to +const topic = 'some-cool-topic'; + +// Your self managed KMS key +const myKey = Key.fromKeyArn( + this, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', +); + +declare const myFunction: lambda.Function; +myFunction.addEventSource(new ManagedKafkaEventSource({ + clusterArn, + topic, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + stringEquals: lambda.FilterRule.isEqual('test'), + }), + ], + filterEncryption: myKey, +})); +``` + You can also specify an S3 bucket as an "on failure" destination: ```ts diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts index d9d03988a19a3..3c75a45a51447 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/kafka.ts @@ -2,6 +2,7 @@ import { Construct } from 'constructs'; import { StreamEventSource, BaseStreamEventSourceProps } from './stream'; import { ISecurityGroup, IVpc, SubnetSelection } from '../../aws-ec2'; import * as iam from '../../aws-iam'; +import { IKey } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import * as secretsmanager from '../../aws-secretsmanager'; import { Stack, Names } from '../../core'; 
@@ -38,6 +39,16 @@ export interface KafkaEventSourceProps extends BaseStreamEventSourceProps { */ readonly filters?: Array<{[key: string]: any}>; + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + /** * Add an on Failure Destination for this Kafka event. SNS/SQS/S3 are supported * @@ -146,6 +157,7 @@ export class ManagedKafkaEventSource extends StreamEventSource { this.enrichMappingOptions({ eventSourceArn: this.innerProps.clusterArn, filters: this.innerProps.filters, + filterEncryption: this.innerProps.filterEncryption, startingPosition: this.innerProps.startingPosition, sourceAccessConfigurations: this.sourceAccessConfigurations(), kafkaTopic: this.innerProps.topic, @@ -236,6 +248,7 @@ export class SelfManagedKafkaEventSource extends StreamEventSource { this.mappingId(target), this.enrichMappingOptions({ filters: this.innerProps.filters, + filterEncryption: this.innerProps.filterEncryption, kafkaBootstrapServers: this.innerProps.bootstrapServers, kafkaTopic: this.innerProps.topic, kafkaConsumerGroupId: this.innerProps.consumerGroupId, diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts index 6b175bc18cd25..bcf6f4adf573d 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/sqs.ts @@ -1,3 +1,4 @@ +import { IKey } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import * as sqs from '../../aws-sqs'; import { Duration, Names, Token, Annotations } from '../../core'; 
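Review bot: The `filterEncryption` doc comment added to `KafkaEventSourceProps` ends with `@default - none` directly after saying Lambda encrypts filter criteria with an AWS managed key by default, so the default reads as "no encryption"; `@default - filter criteria are encrypted with an AWS managed key` would describe the actual behaviour. The first `@see` tag also sits in the middle of the description, so a doc generator may attach the following sentence to the link. The comment should state the key-policy requirement too: the snapshots in this patch show a `kms:Decrypt` statement for `lambda.amazonaws.com` being added to a key created in the stack, and a key imported with `Key.fromKeyArn` presumably cannot be updated that way, so users of imported keys need to be told to grant it themselves. The same comment is repeated in `SqsEventSourceProps` (sqs.ts) and `StreamEventSourceProps` (stream.ts), and the stream.ts hunk also leaves a stray blank line before the closing brace.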
@@ -47,6 +48,16 @@ export interface SqsEventSourceProps { */ readonly filters?: Array<{[key: string]: any}>; + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + /** * The maximum concurrency setting limits the number of concurrent instances of the function that an Amazon SQS event source can invoke. * @@ -94,6 +105,7 @@ export class SqsEventSource implements lambda.IEventSource { enabled: this.props.enabled, eventSourceArn: this.queue.queueArn, filters: this.props.filters, + filterEncryption: this.props.filterEncryption, }); this._eventSourceMappingId = eventSourceMapping.eventSourceMappingId; this._eventSourceMappingArn = eventSourceMapping.eventSourceMappingArn; diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts index 46b20d01e1787..414de7472f0e5 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/lib/stream.ts @@ -1,4 +1,5 @@ import { S3OnFailureDestination } from './s3-onfailuire-destination'; +import { IKey } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { Duration } from '../../core'; 
@@ -125,6 +126,17 @@ export interface StreamEventSourceProps extends BaseStreamEventSourceProps { * @default - None */ readonly filters?: Array<{[key: string]: any}>; + + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + } /** @@ -155,6 +167,7 @@ export abstract class StreamEventSource implements lambda.IEventSource { tumblingWindow: this.props.tumblingWindow, enabled: this.props.enabled, filters: this.props.filters, + filterEncryption: this.props.filterEncryption, }; } } diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts index f93e002170452..eb331b0de8972 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/test/dynamo.test.ts @@ -1,6 +1,7 @@ import { TestFunction } from './test-function'; import { Template } from '../../assertions'; import * as dynamodb from '../../aws-dynamodb'; +import { Key } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { Bucket } from '../../aws-s3'; import * as sqs from '../../aws-sqs'; 
@@ -288,6 +289,128 @@ describe('DynamoEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const table = new dynamodb.Table(stack, 'T', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + stream: dynamodb.StreamViewType.NEW_IMAGE, + }); + + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.DynamoEventSource(table, { + startingPosition: lambda.StartingPosition.LATEST, + filters: [ + lambda.FilterCriteria.filter({ + eventName: lambda.FilterRule.isEqual('INSERT'), + dynamodb: { + Keys: { + id: { + S: lambda.FilterRule.exists(), + }, + }, + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + 'EventSourceArn': { + 'Fn::GetAtt': [ + 'TD925BC7E', + 'StreamArn', + ], + }, + 'FunctionName': { + 'Ref': 'Fn9270CBC0', + }, + 'FilterCriteria': { + 'Filters': [ + { + 'Pattern': '{"eventName":["INSERT"],"dynamodb":{"Keys":{"id":{"S":[{"exists":true}]}}}}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + 'StartingPosition': 'LATEST', + }); + }); + + test('adding filter criteria encryption with stack key', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const table = new dynamodb.Table(stack, 'T', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + stream: dynamodb.StreamViewType.NEW_IMAGE, + }); + + const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + // WHEN + fn.addEventSource(new sources.DynamoEventSource(table, { + startingPosition: lambda.StartingPosition.LATEST, + filters: [ + 
lambda.FilterCriteria.filter({ + eventName: lambda.FilterRule.isEqual('INSERT'), + dynamodb: { + Keys: { + id: { + S: lambda.FilterRule.exists(), + }, + }, + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: [ + { + Action: 'kms:*', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root']], + }, + }, + Resource: '*', + }, + { + Action: 'kms:Decrypt', + Effect: 'Allow', + Principal: { + Service: 'lambda.amazonaws.com', + }, + Resource: '*', + }, + ], + }, + }); + }); + test('specific maxBatchingWindow', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts index cee9ca715e0f2..d5b1df2c9a657 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/test/kafka.test.ts @@ -1,6 +1,7 @@ import { TestFunction } from './test-function'; import { Template, Match } from '../../assertions'; import { SecurityGroup, SubnetType, Vpc } from '../../aws-ec2'; +import { Key } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { Bucket } from '../../aws-s3'; import { Secret } from '../../aws-secretsmanager'; 
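Review bot: In dynamo.test.ts, the 'adding filter criteria encryption with stack key' test checks only the `AWS::KMS::Key` policy and never asserts that the event source mapping references the key, so a regression that drops `KmsKeyArn` for stack-created keys would still pass; add `Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { KmsKeyArn: { 'Fn::GetAtt': ['<key logical id>', 'Arn'] } });`. The expected policy statement grants `kms:Decrypt` to the `lambda.amazonaws.com` service principal on `Resource: '*'` with no `Condition`; the code that adds it is outside this hunk, but if it can be scoped (for example with `aws:SourceAccount`), the test should pin that condition so the grant cannot silently widen. The imported-key test uses the ARN `arn:aws:kms:us-east-1:123456789012:key/`, which has an empty key id, and the construct id `SourceBucketEncryptionKey` looks copied from an S3 example. The kafka.test.ts hunk `@@ -173,6 +174,110 @@` has the same gaps.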
@@ -173,6 +174,110 @@ describe('KafkaEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const clusterArn = 'some-arn'; + const kafkaTopic = 'some-topic'; + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.ManagedKafkaEventSource( + { + clusterArn, + topic: kafkaTopic, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + orFilter: lambda.FilterRule.or('one', 'two'), + stringEquals: lambda.FilterRule.isEqual('test'), + }), + lambda.FilterCriteria.filter({ + numericEquals: lambda.FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + FilterCriteria: { + Filters: [ + { + Pattern: '{"orFilter":["one","two"],"stringEquals":["test"]}', + }, + { + Pattern: '{"numericEquals":[{"numeric":["=",1]}]}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + }); + + test('adding filter criteria encryption with stack key', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const clusterArn = 'some-arn'; + const kafkaTopic = 'some-topic'; + + const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + // WHEN + fn.addEventSource(new sources.ManagedKafkaEventSource( + { + clusterArn, + topic: kafkaTopic, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + orFilter: lambda.FilterRule.or('one', 'two'), + stringEquals: lambda.FilterRule.isEqual('test'), + }), + lambda.FilterCriteria.filter({ + numericEquals: 
lambda.FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: [ + { + Action: 'kms:*', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root']], + }, + }, + Resource: '*', + }, + { + Action: 'kms:Decrypt', + Effect: 'Allow', + Principal: { + Service: 'lambda.amazonaws.com', + }, + Resource: '*', + }, + ], + }, + }); + }); + test('with s3 onfailure destination', () => { // GIVEN const stack = new cdk.Stack(); 
@@ -315,6 +420,54 @@ describe('KafkaEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const kafkaTopic = 'some-topic'; + const secret = new Secret(stack, 'Secret', { secretName: 'AmazonMSK_KafkaSecret' }); + const bootstrapServers = ['kafka-broker:9092']; + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.SelfManagedKafkaEventSource( + { + bootstrapServers: bootstrapServers, + topic: kafkaTopic, + secret: secret, + startingPosition: lambda.StartingPosition.TRIM_HORIZON, + filters: [ + lambda.FilterCriteria.filter({ + orFilter: lambda.FilterRule.or('one', 'two'), + stringEquals: lambda.FilterRule.isEqual('test'), + }), + lambda.FilterCriteria.filter({ + numericEquals: lambda.FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + FilterCriteria: { + Filters: [ + { + Pattern: '{"orFilter":["one","two"],"stringEquals":["test"]}', + }, + { + Pattern: '{"numericEquals":[{"numeric":["=",1]}]}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + }); + test('without vpc, secret must be set', () => { const stack = new cdk.Stack(); const fn = new TestFunction(stack, 'Fn'); diff --git a/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts b/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts index 48e09e24bbf8b..3865e02f63039 100644 --- a/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts +++ b/packages/aws-cdk-lib/aws-lambda-event-sources/test/sqs.test.ts 
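Review bot: The fixture ARN `'arn:aws:kms:us-east-1:123456789012:key/'` has an empty key id, so this test pins that a malformed key ARN flows unchanged into `KmsKeyArn`; the DynamoDB, managed Kafka, SQS and event-source-mapping tests use the same fixture. Use a well-formed constructed value, e.g. `'arn:aws:kms:us-east-1:123456789012:key/<sample-key-uuid>'`, so the expectation matches what a user would pass. `SelfManagedKafkaEventSource` also gets no stack-key test, unlike the other three sources, so the `grantDecrypt` path is not covered for it.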
@@ -1,6 +1,7 @@
 import { TestFunction } from './test-function';
 import { Template } from '../../assertions';
 import * as iam from '../../aws-iam';
+import { Key } from '../../aws-kms';
 import * as lambda from '../../aws-lambda';
 import * as sqs from '../../aws-sqs';
 import * as cdk from '../../core';
@@ -439,6 +440,92 @@ describe('SQSEventSource', () => { }); }); + test('adding filter criteria encryption', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const q = new sqs.Queue(stack, 'Q'); + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + fn.addEventSource(new sources.SqsEventSource(q, { + filters: [ + lambda.FilterCriteria.filter({ + body: { + id: lambda.FilterRule.exists(), + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + 'FilterCriteria': { + 'Filters': [ + { + 'Pattern': '{"body":{"id":[{"exists":true}]}}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + }); + + test('adding filter criteria encryption with stack key', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new TestFunction(stack, 'Fn'); + const q = new sqs.Queue(stack, 'Q'); + const myKey = new Key(stack, 'fc-test-key-name', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + pendingWindow: cdk.Duration.days(7), + description: 'KMS key for test fc encryption', + }); + + // WHEN + fn.addEventSource(new sources.SqsEventSource(q, { + filters: [ + lambda.FilterCriteria.filter({ + body: { + id: lambda.FilterRule.exists(), + }, + }), + ], + filterEncryption: myKey, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: [ + { + Action: 'kms:*', + Effect: 'Allow', + Principal: { + AWS: { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root']], + }, + }, + Resource: '*', + }, + { + Action: 'kms:Decrypt', + Effect: 'Allow', + Principal: { + Service: 'lambda.amazonaws.com', + }, + Resource: '*', + }, + ], + }, + }); + }); + test('fails if maxConcurrency < 2', () => { // GIVEN const stack = new cdk.Stack(); 
diff --git a/packages/aws-cdk-lib/aws-lambda/README.md b/packages/aws-cdk-lib/aws-lambda/README.md
index 58dc34ef74d53..160f9296c6242 100644
--- a/packages/aws-cdk-lib/aws-lambda/README.md
+++ b/packages/aws-cdk-lib/aws-lambda/README.md
@@ -780,6 +780,53 @@ fn.addEventSource(new eventsources.DynamoEventSource(table, { })); ``` +By default, Lambda will encrypt Filter Criteria using AWS managed keys. But if you want to use a self managed KMS key to encrypt the filters, You can specify the self managed key using the `filterEncryption` property. + +```ts +import * as eventsources from 'aws-cdk-lib/aws-lambda-event-sources'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; +import { Key } from 'aws-cdk-lib/aws-kms'; + +declare const fn: lambda.Function; +const table = new dynamodb.Table(this, 'Table', { + partitionKey: { + name: 'id', + type: dynamodb.AttributeType.STRING, + }, + stream: dynamodb.StreamViewType.NEW_IMAGE, +}); +// Your self managed KMS key +const myKey = Key.fromKeyArn( + this, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', +); + +fn.addEventSource(new eventsources.DynamoEventSource(table, { + startingPosition: lambda.StartingPosition.LATEST, + filters: [lambda.FilterCriteria.filter({ eventName: lambda.FilterRule.isEqual('INSERT') })], + filterEncryption: myKey, +})); +``` + +> Lambda requires allow `kms:Decrypt` on Lambda principal `lambda.amazonaws.com` to use the key for Filter Criteria Encryption. If you create the KMS key in the stack, CDK will automatically add this permission to the Key when you creates eventSourceMapping. However, if you import the key using function like `Key.fromKeyArn` then you need to add the following permission to the KMS key before using it to encrypt Filter Criteria + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": "kms:Decrypt", + "Resource": "*" + } + ] +} +``` + See the documentation for the __@aws-cdk/aws-lambda-event-sources__ module for more details. ## Imported Lambdas 
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts b/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts index 1f49011ca1bd5..a441ce148788a 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/event-source-mapping.ts @@ -2,6 +2,8 @@ import { Construct } from 'constructs'; import { IEventSourceDlq } from './dlq'; import { IFunction } from './function-base'; import { CfnEventSourceMapping } from './lambda.generated'; +import * as iam from '../../aws-iam'; +import { IKey } from '../../aws-kms'; import * as cdk from '../../core'; /** @@ -251,6 +253,16 @@ export interface EventSourceMappingOptions { */ readonly filters?: Array<{[key: string]: any}>; + /** + * Add Customer managed KMS key to encrypt Filter Criteria. + * @see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html + * By default, Lambda will encrypt Filter Criteria using AWS managed keys + * @see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk + * + * @default - none + */ + readonly filterEncryption?: IKey; + /** * Check if support S3 onfailure destination(ODF). Currently only MSK and self managed kafka event support S3 ODF * 
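Review bot: The `filterEncryption` docstring ends with `@default - none`, which contradicts its own text saying Lambda encrypts filter criteria with an AWS managed key by default. I would write `@default - filter criteria are encrypted with an AWS managed key`. The docstring should also state that `filters` must be set and that an imported key needs a key-policy statement allowing `kms:Decrypt` for `lambda.amazonaws.com`, since both are enforced or assumed by the constructor change later in this file.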
@@ -388,6 +400,23 @@ export class EventSourceMapping extends cdk.Resource implements IEventSourceMapp this.validateKafkaConsumerGroupIdOrThrow(props.kafkaConsumerGroupId); } + if (props.filterEncryption !== undefined && props.filters == undefined) { + throw new Error('filter criteria must be provided to enable setting filter criteria encryption'); + } + + /** + * Grants the Lambda function permission to decrypt data using the specified KMS key. + * This step is necessary for setting up encrypted filter criteria. + * + * If the KMS key was created within this CloudFormation stack (via `new Key`), a Key policy + * will be attached to the key to allow the Lambda function to access it. However, if the + * Key is imported from an existing ARN (`Key.fromKeyArn`), no action will be taken. + */ + if (props.filterEncryption !== undefined) { + const lambdaPrincipal = new iam.ServicePrincipal('lambda.amazonaws.com'); + props.filterEncryption.grantDecrypt(lambdaPrincipal); + } + let destinationConfig; if (props.onFailure) { @@ -423,6 +452,7 @@ export class EventSourceMapping extends cdk.Resource implements IEventSourceMapp sourceAccessConfigurations: props.sourceAccessConfigurations?.map((o) => {return { type: o.type.type, uri: o.uri };}), selfManagedEventSource, filterCriteria: props.filters ? { filters: props.filters }: undefined, + kmsKeyArn: props.filterEncryption?.keyArn, selfManagedKafkaEventSourceConfig: props.kafkaBootstrapServers ? consumerGroupConfig : undefined, amazonManagedKafkaEventSourceConfig: props.eventSourceArn ? consumerGroupConfig : undefined, }); diff --git a/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts b/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts index 8182a15406db7..6eafc9267471d 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/event-source-mapping.test.ts 
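Review bot: `props.filterEncryption.grantDecrypt(lambdaPrincipal)` adds a key-policy statement allowing `kms:Decrypt` to the whole `lambda.amazonaws.com` service principal with no condition; the tests in this commit show it rendered with `Resource: '*'` and no `Condition`. A service-principal grant without a source constraint is the usual confused-deputy shape, so consider scoping it, e.g. `new iam.ServicePrincipal('lambda.amazonaws.com', { conditions: { StringEquals: { 'aws:SourceAccount': cdk.Stack.of(this).account } } })`, after confirming Lambda supplies that context when it decrypts filter criteria. The block comment should say the grant goes to the Lambda service principal rather than "the Lambda function". For an imported key the grant is silently skipped, so a warning annotation there would help operators notice the manual key-policy step. The constructor body starts and ends outside the hunk.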
@@ -1,4 +1,5 @@
 import { Match, Template } from '../../assertions';
+import { Key } from '../../aws-kms';
 import * as cdk from '../../core';
 import * as lambda from '../lib';
 import { Code, EventSourceMapping, Function, Runtime, Alias, StartingPosition, FilterRule, FilterCriteria } from '../lib';
@@ -323,6 +324,74 @@ describe('event source mapping', () => { }); }); + test('adding filter criteria encryption', () => { + const topicNameParam = new cdk.CfnParameter(stack, 'TopicNameParam', { + type: 'String', + }); + + let eventSourceArn = 'some-arn'; + + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + // WHEN + new EventSourceMapping(stack, 'test', { + target: fn, + eventSourceArn: eventSourceArn, + kafkaTopic: topicNameParam.valueAsString, + filters: [ + FilterCriteria.filter({ + orFilter: FilterRule.or('one', 'two'), + stringEquals: FilterRule.isEqual('test'), + }), + FilterCriteria.filter({ + numericEquals: FilterRule.isEqual(1), + }), + ], + filterEncryption: myKey, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::EventSourceMapping', { + FilterCriteria: { + Filters: [ + { + Pattern: '{"orFilter":["one","two"],"stringEquals":["test"]}', + }, + { + Pattern: '{"numericEquals":[{"numeric":["=",1]}]}', + }, + ], + }, + KmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/', + }); + + }); + + test('adding filter criteria encryption without filter criteria', () => { + const topicNameParam = new cdk.CfnParameter(stack, 'TopicNameParam', { + type: 'String', + }); + + let eventSourceArn = 'some-arn'; + + const myKey = Key.fromKeyArn( + stack, + 'SourceBucketEncryptionKey', + 'arn:aws:kms:us-east-1:123456789012:key/', + ); + + expect(() => new EventSourceMapping(stack, 'test', { + target: fn, + eventSourceArn: eventSourceArn, + kafkaTopic: topicNameParam.valueAsString, + filterEncryption: myKey, + })).toThrow(/filter criteria must be provided to enable setting filter criteria encryption/); + }); + test('kafkaBootstrapServers appears in stack', () => { const topicNameParam = new cdk.CfnParameter(stack, 'TopicNameParam', { type: 'String', 
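Review bot: The negative test covers only `filters` being omitted. `filters: []` passes the new `props.filters == undefined` guard and is still emitted as `filterCriteria` together with `kmsKeyArn`, while the schema added in this commit declares `Filters` with `minItems: 1`. Add a case for the empty array and decide whether the guard should reject it, e.g. `if (props.filterEncryption !== undefined && !props.filters?.length)`. `let eventSourceArn` is never reassigned in either new test and can be `const`.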
diff --git a/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-eventsourcemapping.json b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-eventsourcemapping.json new file mode 100644 index 0000000000000..965ef4c491c1a --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-eventsourcemapping.json 
@@ -0,0 +1,409 @@ +{ + "typeName" : "AWS::Lambda::EventSourceMapping", + "description" : "Resource Type definition for AWS::Lambda::EventSourceMapping", + "nonPublicProperties": ["/properties/KmsKeyArn"], + "additionalProperties" : false, + "properties" : { + "Id": { + "description": "Event Source Mapping Identifier UUID.", + "type": "string", + "pattern": "[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}", + "minLength": 36, + "maxLength": 36 + }, + "BatchSize": { + "description": "The maximum number of items to retrieve in a single batch.", + "type": "integer", + "minimum": 1, + "maximum": 10000 + }, + "BisectBatchOnFunctionError": { + "description": "(Streams) If the function returns an error, split the batch in two and retry.", + "type": "boolean" + }, + "DestinationConfig": { + "description": "(Kinesis, DynamoDB, Amazon MSK, and self-managed Kafka event sources only) A configuration object that specifies the destination of an event after Lambda processes it.", + "$ref": "#/definitions/DestinationConfig" + }, + "Enabled": { + "description": "Disables the event source mapping to pause polling and invocation.", + "type": "boolean" + }, + "EventSourceArn": { + "description": "The Amazon Resource Name (ARN) of the event source.", + "type": "string", + "pattern": "arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\\-])+:([a-z]{2}(-gov)?(-iso([a-z])?)?-[a-z]+-\\d{1})?:(\\d{12})?:(.*)", + "minLength": 12, + "maxLength": 1024 + }, + "FilterCriteria": { + "description": "The filter criteria to control event filtering.", + "$ref": "#/definitions/FilterCriteria" + }, + "KmsKeyArn": { + "description": "The Amazon Resource Name (ARN) of the KMS key.", + "type": "string", + "pattern": "(arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()", + "minLength": 12, + "maxLength": 2048 + }, + "FunctionName": { + "description": "The name of the Lambda function.", + "type": "string", + "pattern": 
"(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}(-gov)?(-iso([a-z])?)?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?", + "minLength": 1, + "maxLength": 140 + }, + "MaximumBatchingWindowInSeconds": { + "description": "(Streams) The maximum amount of time to gather records before invoking the function, in seconds.", + "type": "integer", + "minimum": 0, + "maximum": 300 + }, + "MaximumRecordAgeInSeconds": { + "description": "(Streams) The maximum age of a record that Lambda sends to a function for processing.", + "type": "integer", + "minimum": -1, + "maximum": 604800 + }, + "MaximumRetryAttempts": { + "description": "(Streams) The maximum number of times to retry when the function returns an error.", + "type": "integer", + "minimum": -1, + "maximum": 10000 + }, + "ParallelizationFactor": { + "description": "(Streams) The number of batches to process from each shard concurrently.", + "type": "integer", + "minimum": 1, + "maximum": 10 + }, + "StartingPosition": { + "description": "The position in a stream from which to start reading. 
Required for Amazon Kinesis and Amazon DynamoDB Streams sources.", + "type": "string", + "pattern": "(LATEST|TRIM_HORIZON|AT_TIMESTAMP)+", + "minLength": 6, + "maxLength": 12 + }, + "StartingPositionTimestamp": { + "description": "With StartingPosition set to AT_TIMESTAMP, the time from which to start reading, in Unix time seconds.", + "type": "number" + }, + "Topics": { + "description": "(Kafka) A list of Kafka topics.", + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "pattern": "^[^.]([a-zA-Z0-9\\-_.]+)", + "minLength": 1, + "maxLength": 249 + }, + "minItems": 1, + "maxItems": 1 + }, + "Queues": { + "description": "(ActiveMQ) A list of ActiveMQ queues.", + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "pattern": "[\\s\\S]*", + "minLength": 1, + "maxLength": 1000 + }, + "minItems": 1, + "maxItems": 1 + }, + "SourceAccessConfigurations": { + "description": "A list of SourceAccessConfiguration.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/SourceAccessConfiguration" + }, + "minItems": 1, + "maxItems": 22 + }, + "TumblingWindowInSeconds": { + "description": "(Streams) Tumbling window (non-overlapping time window) duration to perform aggregations.", + "type": "integer", + "minimum": 0, + "maximum": 900 + }, + "FunctionResponseTypes": { + "description": "(Streams) A list of response types supported by the function.", + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "enum": [ + "ReportBatchItemFailures" + ] + }, + "minLength": 0, + "maxLength": 1 + }, + "SelfManagedEventSource": { + "description": "Self-managed event source endpoints.", + "$ref": "#/definitions/SelfManagedEventSource" + }, + "AmazonManagedKafkaEventSourceConfig": { + "description": "Specific configuration settings for an MSK event source.", + "$ref": "#/definitions/AmazonManagedKafkaEventSourceConfig" + }, + "SelfManagedKafkaEventSourceConfig": { + "description": "Specific 
configuration settings for a Self-Managed Apache Kafka event source.", + "$ref": "#/definitions/SelfManagedKafkaEventSourceConfig" + }, + "ScalingConfig": { + "description": "The scaling configuration for the event source.", + "$ref": "#/definitions/ScalingConfig" + }, + "DocumentDBEventSourceConfig": { + "description": "Document db event source config.", + "$ref": "#/definitions/DocumentDBEventSourceConfig" + } + }, + "definitions" : { + "DestinationConfig" : { + "type" : "object", + "additionalProperties" : false, + "description": "A configuration object that specifies the destination of an event after Lambda processes it.", + "properties" : { + "OnFailure": { + "description": "A destination for records of invocations that failed processing.", + "$ref": "#/definitions/OnFailure" + } + } + }, + "FilterCriteria": { + "type": "object", + "description": "The filter criteria to control event filtering.", + "additionalProperties" : false, + "properties": { + "Filters": { + "description": "List of filters of this FilterCriteria", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/Filter" + }, + "minItems": 1, + "maxItems": 20 + } + } + }, + "Filter": { + "type": "object", + "description": "The filter object that defines parameters for ESM filtering.", + "additionalProperties" : false, + "properties": { + "Pattern": { + "type": "string", + "description": "The filter pattern that defines which events should be passed for invocations.", + "pattern": ".*", + "minLength": 0, + "maxLength": 4096 + } + } + }, + "OnFailure": { + "type" : "object", + "description" : "A destination for records of invocations that failed processing.", + "additionalProperties" : false, + "properties" : { + "Destination": { + "description": "The Amazon Resource Name (ARN) of the destination resource.", + "type": "string", + "pattern": "arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\\-])+:([a-z]{2}(-gov)?(-iso([a-z])?)?-[a-z]+-\\d{1})?:(\\d{12})?:(.*)", + "minLength": 12, + 
"maxLength": 1024 + } + } + }, + "SourceAccessConfiguration" : { + "type" : "object", + "additionalProperties" : false, + "description": "The configuration used by AWS Lambda to access event source", + "properties" : { + "Type" : { + "description": "The type of source access configuration.", + "enum": [ + "BASIC_AUTH", + "VPC_SUBNET", + "VPC_SECURITY_GROUP", + "SASL_SCRAM_512_AUTH", + "SASL_SCRAM_256_AUTH", + "VIRTUAL_HOST", + "CLIENT_CERTIFICATE_TLS_AUTH", + "SERVER_ROOT_CA_CERTIFICATE" + ], + "type": "string" + }, + "URI" : { + "description": "The URI for the source access configuration resource.", + "type": "string", + "pattern": "[a-zA-Z0-9-\\/*:_+=.@-]*", + "minLength": 1, + "maxLength": 200 + } + } + }, + "SelfManagedEventSource" : { + "type": "object", + "additionalProperties": false, + "description": "The configuration used by AWS Lambda to access a self-managed event source.", + "properties": { + "Endpoints": { + "description": "The endpoints for a self-managed event source.", + "$ref": "#/definitions/Endpoints" + } + } + }, + "Endpoints" : { + "type": "object", + "additionalProperties": false, + "description": "The endpoints used by AWS Lambda to access a self-managed event source.", + "properties": { + "KafkaBootstrapServers": { + "type": "array", + "description": "A list of Kafka server endpoints.", + "uniqueItems": true, + "items": { + "type": "string", + "description": "The URL of a Kafka server.", + "pattern": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]):[0-9]{1,5}", + "minLength": 1, + "maxLength": 300 + }, + "minItems": 1, + "maxItems": 10 + } + } + }, + "ConsumerGroupId": { + "description": "The identifier for the Kafka Consumer Group to join.", + "type": "string", + "pattern": "[a-zA-Z0-9-\\/*:_+=.@-]*", + "minLength": 1, + "maxLength": 200 + }, + "AmazonManagedKafkaEventSourceConfig": { + "description": "Specific configuration settings for an MSK event source.", + "type": 
"object", + "additionalProperties": false, + "properties": { + "ConsumerGroupId": { + "description": "The identifier for the Kafka Consumer Group to join.", + "$ref": "#/definitions/ConsumerGroupId" + } + } + }, + "SelfManagedKafkaEventSourceConfig": { + "description": "Specific configuration settings for a Self-Managed Apache Kafka event source.", + "type": "object", + "additionalProperties": false, + "properties": { + "ConsumerGroupId": { + "description": "The identifier for the Kafka Consumer Group to join.", + "$ref": "#/definitions/ConsumerGroupId" + } + } + }, + "MaximumConcurrency": { + "description": "The maximum number of concurrent functions that an event source can invoke.", + "type": "integer", + "minimum": 2, + "maximum": 1000 + }, + "ScalingConfig": { + "description": "The scaling configuration for the event source.", + "type": "object", + "additionalProperties": false, + "properties": { + "MaximumConcurrency": { + "description": "The maximum number of concurrent functions that the event source can invoke.", + "$ref": "#/definitions/MaximumConcurrency" + } + } + }, + "DocumentDBEventSourceConfig": { + "description": "Document db event source config.", + "type": "object", + "additionalProperties": false, + "properties": { + "DatabaseName": { + "description": "The database name to connect to.", + "type": "string", + "minLength": 1, + "maxLength": 63 + }, + "CollectionName": { + "description": "The collection name to connect to.", + "type": "string", + "minLength": 1, + "maxLength": 57 + }, + "FullDocument": { + "description": "Include full document in change stream response. The default option will only send the changes made to documents to Lambda. 
If you want the complete document sent to Lambda, set this to UpdateLookup.", + "type": "string", + "enum": [ + "UpdateLookup", + "Default" + ] + } + } + } + }, + "required" : [ "FunctionName" ], + "createOnlyProperties" : [ + "/properties/EventSourceArn", + "/properties/StartingPosition", + "/properties/StartingPositionTimestamp", + "/properties/SelfManagedEventSource", + "/properties/AmazonManagedKafkaEventSourceConfig", + "/properties/SelfManagedKafkaEventSourceConfig" + ], + "readOnlyProperties" : [ "/properties/Id" ], + "primaryIdentifier" : [ "/properties/Id" ], + "propertyTransform" : { + "/properties/StartingPositionTimestamp": "StartingPositionTimestamp * 1000" + }, + "handlers": { + "create": { + "permissions": [ + "lambda:CreateEventSourceMapping", + "lambda:GetEventSourceMapping" + ] + }, + "delete": { + "permissions": [ + "lambda:DeleteEventSourceMapping", + "lambda:GetEventSourceMapping" + ] + }, + "list": { + "permissions": [ + "lambda:ListEventSourceMappings" + ] + }, + "read": { + "permissions": [ + "lambda:GetEventSourceMapping" + ] + }, + "update": { + "permissions": [ + "lambda:UpdateEventSourceMapping", + "lambda:GetEventSourceMapping" + ] + } + }, + "tagging": { + "taggable": false, + "tagOnCreate": false, + "tagUpdatable": false, + "cloudFormationSystemTags": false + } +} \ No newline at end of file From a1fbe5072b7b211c3314fea9534ab287a5c9d938 Mon Sep 17 00:00:00 2001 From: Xia Zhao Date: Wed, 14 Aug 2024 16:51:07 -0700 Subject: [PATCH 07/10] chore(release): 2.152.0 --- CHANGELOG.v2.alpha.md | 2 ++ CHANGELOG.v2.md | 7 +++++++ version.v2.json | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 2b94b810d0131..47daad06b72ef 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md 
@@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.152.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.1-alpha.0...v2.152.0-alpha.0) (2024-08-14) + ## [2.151.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.0-alpha.0...v2.151.1-alpha.0) (2024-08-14) ## [2.151.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.150.0-alpha.0...v2.151.0-alpha.0) (2024-08-01) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 01e2f4e4d8e71..072c1c8adad4b 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.152.0](https://github.com/aws/aws-cdk/compare/v2.151.1...v2.152.0) (2024-08-14) + + +### Features + +* **lambda:** support filter criteria encryption ([6aa72a2](https://github.com/aws/aws-cdk/commit/6aa72a215859ab96e9fd8b4ccee0d40bda753200)) + ## [2.151.1](https://github.com/aws/aws-cdk/compare/v2.151.0...v2.151.1) (2024-08-14) diff --git a/version.v2.json b/version.v2.json index 443e45a11be1d..21304aecb929a 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.151.1", - "alphaVersion": "2.151.1-alpha.0" + "version": "2.152.0", + "alphaVersion": "2.152.0-alpha.0" } \ No newline at end of file From ad1b7977768430da0ce262103e8a91f0e632ffe2 Mon Sep 17 00:00:00 2001 
From: Tietew Date: Thu, 15 Aug 2024 09:27:08 +0900 Subject: [PATCH 08/10] fix(cognito-identitypool-alpha): validation error if provided id is a token (#30882) ### Issue # (if applicable) Closes #29780. Closes #28184. ### Description of changes Skips validations if provided id is an unresolved token. ### Description of how you validated changes Added unit tests not to throw errors even if the resolved value is incorrect. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/identitypool.ts | 13 ++++++++++--- .../test/identitypool.test.ts | 19 +++++++++++++++++-- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts index 9e65131f5cae8..1277bd682013f 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts @@ -16,6 +16,7 @@ import { Stack, ArnFormat, Lazy, + Token, } from 'aws-cdk-lib/core'; import { Construct, 
@@ -329,9 +330,15 @@ export class IdentityPool extends Resource implements IIdentityPool { if (!res) { throw new Error('Invalid Identity Pool ARN'); } - const idParts = res.split(':'); - if (!(idParts.length === 2)) throw new Error('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); - if (idParts[0] !== pool.region) throw new Error('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + if (!Token.isUnresolved(res)) { + const idParts = res.split(':'); + if (!(idParts.length === 2)) { + throw new Error('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); + } + if (!Token.isUnresolved(pool.region) && idParts[0] !== pool.region) { + throw new Error('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + } + } class ImportedIdentityPool extends Resource implements IIdentityPool { public readonly identityPoolId = res; public readonly identityPoolArn = identityPoolArn; diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts index 3bacbeeb104ea..417c848c4407f 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts @@ -19,6 +19,7 @@ import { } from 'aws-cdk-lib/aws-iam'; import { Fn, + Lazy, Stack, } from 'aws-cdk-lib'; import { 
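Review bot: The new `Token.isUnresolved(res)` guard skips both the format check and the region check without a comment saying why. For an id that only embeds a token (presumably the `IdPool3` case in the test file), even the two-part format check is skipped. I would add above it `// Token values are only known at deploy time: validate literal ids only; a malformed token value surfaces at deployment.` The enclosing method starts before this hunk and continues after it.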
@@ -203,14 +204,28 @@ describe('identity pool', () => { account: '1234567891011', }, }); - expect(() => IdentityPool.fromIdentityPoolId(stack, 'idPoolIdError', 'idPool')).toThrowError('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); - expect(() => IdentityPool.fromIdentityPoolArn(stack, 'idPoolArnError', 'arn:aws:cognito-identity:my-region:1234567891011:identitypool\/your-region:idPool/')).toThrowError('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'idPoolIdError', 'idPool')).toThrow('Invalid Identity Pool Id: Identity Pool Ids must follow the format :'); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'idPoolIdRegionError', 'your-region:idPool')).toThrow('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'idPoolArnError', 'arn:aws:cognito-identity:my-region:1234567891011:identitypool\/your-region:idPool/')).toThrow('Invalid Identity Pool Id: Region in Identity Pool Id must match stack region'); const idPool = IdentityPool.fromIdentityPoolId(stack, 'staticIdPool', 'my-region:idPool'); expect(idPool.identityPoolId).toEqual('my-region:idPool'); expect(idPool.identityPoolArn).toMatch(/cognito-identity:my-region:1234567891011:identitypool\/my-region:idPool/); }); + test('fromIdentityPoolId accept token', () => { + const stack = new Stack(); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'IdPool1', Lazy.string({ produce: () => 'lazy-id' }))).not.toThrow(); + expect(() => IdentityPool.fromIdentityPoolId(stack, 'IdPool2', 'id-region:pool-id')).not.toThrow(); + }); + + test('fromIdentityPoolArn accepts token', () => { + const stack = new Stack(); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'IdPool1', Lazy.string({ produce: () => 'lazy-arn' }))).not.toThrow(); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'IdPool2', 
`arn:aws:cognito-identity:${stack.region}:${stack.account}:identitypool/id-region:pool-id`)).not.toThrow(); + expect(() => IdentityPool.fromIdentityPoolArn(stack, 'IdPool3', `arn:aws:cognito-identity:arn-region:${stack.account}:identitypool/${Lazy.string({ produce: () => 'lazy-region' })}:pool-id`)).not.toThrow(); + }); + test('user pools are properly configured', () => { const stack = new Stack(); const poolProvider = UserPoolIdentityProvider.fromProviderName(stack, 'poolProvider', 'poolProvider'); From 931ebba02ca43b173cb7770e9cb703f05646683b Mon Sep 17 00:00:00 2001 
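Review bot: The two added tests assert only `.not.toThrow()`, so they would still pass if the import accepted the token but returned a wrong or empty `identityPoolId`/`identityPoolArn`; the returned construct is never inspected. Capturing the result and asserting on those two properties, the way the `staticIdPool` case earlier in this hunk does, would pin that the token is carried through rather than merely tolerated. The first title, `'fromIdentityPoolId accept token'`, should read `accepts` to match the second test. The enclosing `describe('identity pool', …)` block starts outside the hunk.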
From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com> Date: Thu, 15 Aug 2024 18:06:36 +0300 Subject: [PATCH 09/10] feat: update L1 CloudFormation resource definitions (#31120) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-acmpca │ └ resources │ └[~] resource AWS::ACMPCA::CertificateAuthority │ └ types │ └[~] type CrlConfiguration │ └ properties │ └[-] MaxPartitionSizeMB: integer ├[~] service aws-bedrock │ └ resources │ └[~] resource AWS::Bedrock::DataSource │ ├ properties │ │ ├[-] DataSourceConfiguration: DataSourceConfiguration (required) │ │ └ VectorIngestionConfiguration: - VectorIngestionConfiguration (immutable) │ │ + VectorIngestionConfiguration │ └ types │ ├[+] type BedrockFoundationModelConfiguration │ │ ├ documentation: Settings for a foundation model used to parse documents for a data source. │ │ │ name: BedrockFoundationModelConfiguration │ │ └ properties │ │ ├ModelArn: string (required) │ │ └ParsingPrompt: ParsingPrompt │ ├[~] type ChunkingConfiguration │ │ └ properties │ │ ├[+] HierarchicalChunkingConfiguration: HierarchicalChunkingConfiguration │ │ └[+] SemanticChunkingConfiguration: SemanticChunkingConfiguration │ ├[+] type CustomTransformationConfiguration │ │ ├ documentation: Settings for customizing steps in the data source content ingestion pipeline. │ │ │ name: CustomTransformationConfiguration │ │ └ properties │ │ ├IntermediateStorage: IntermediateStorage (required) │ │ └Transformations: Array (required) │ ├[-] type DataSourceConfiguration │ │ ├ documentation: The connection configuration for the data source. 
│ │ │ name: DataSourceConfiguration │ │ └ properties │ │ ├Type: string (required) │ │ └S3Configuration: S3DataSourceConfiguration (required) │ ├[+] type HierarchicalChunkingConfiguration │ │ ├ documentation: Configurations for when you choose hierarchical chunking. If you set the chunkingStrategy as NONE, exclude this field. │ │ │ name: HierarchicalChunkingConfiguration │ │ └ properties │ │ ├LevelConfigurations: Array (required) │ │ └OverlapTokens: integer (required) │ ├[+] type HierarchicalChunkingLevelConfiguration │ │ ├ documentation: Token settings for a layer in a hierarchical chunking configuration. │ │ │ name: HierarchicalChunkingLevelConfiguration │ │ └ properties │ │ └MaxTokens: integer (required) │ ├[+] type IntermediateStorage │ │ ├ documentation: A location for storing content from data sources temporarily as it is processed by custom components in the ingestion pipeline. │ │ │ name: IntermediateStorage │ │ └ properties │ │ └S3Location: S3Location (required) │ ├[+] type ParsingConfiguration │ │ ├ documentation: Settings for parsing document contents │ │ │ name: ParsingConfiguration │ │ └ properties │ │ ├ParsingStrategy: string (required) │ │ └BedrockFoundationModelConfiguration: BedrockFoundationModelConfiguration │ ├[+] type ParsingPrompt │ │ ├ documentation: Instructions for interpreting the contents of a document. │ │ │ name: ParsingPrompt │ │ └ properties │ │ └ParsingPromptText: string (required) │ ├[-] type S3DataSourceConfiguration │ │ ├ documentation: The configuration information to connect to Amazon S3 as your data source. │ │ │ name: S3DataSourceConfiguration │ │ └ properties │ │ ├BucketArn: string (required) │ │ ├InclusionPrefixes: Array │ │ └BucketOwnerAccountId: string │ ├[+] type S3Location │ │ ├ documentation: An Amazon S3 location. │ │ │ name: S3Location │ │ └ properties │ │ └URI: string (required) │ ├[+] type SemanticChunkingConfiguration │ │ ├ documentation: Configurations for when you choose semantic chunking. 
If you set the chunkingStrategy as NONE, exclude this field. │ │ │ name: SemanticChunkingConfiguration │ │ └ properties │ │ ├BreakpointPercentileThreshold: integer (required) │ │ ├BufferSize: integer (required) │ │ └MaxTokens: integer (required) │ ├[+] type Transformation │ │ ├ documentation: A Lambda function that processes documents. │ │ │ name: Transformation │ │ └ properties │ │ ├StepToApply: string (required) │ │ └TransformationFunction: TransformationFunction (required) │ ├[+] type TransformationFunction │ │ ├ documentation: A Lambda function that processes documents. │ │ │ name: TransformationFunction │ │ └ properties │ │ └TransformationLambdaConfiguration: TransformationLambdaConfiguration (required) │ ├[+] type TransformationLambdaConfiguration │ │ ├ documentation: A Lambda function that processes documents. │ │ │ name: TransformationLambdaConfiguration │ │ └ properties │ │ └LambdaArn: string (required) │ └[~] type VectorIngestionConfiguration │ └ properties │ ├ ChunkingConfiguration: - ChunkingConfiguration │ │ + ChunkingConfiguration (immutable) │ ├[+] CustomTransformationConfiguration: CustomTransformationConfiguration │ └[+] ParsingConfiguration: ParsingConfiguration (immutable) ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::IdentityPool │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"IdentityPoolTags","variant":"standard"} │ │ └ properties │ │ └[+] IdentityPoolTags: Array │ ├[~] resource AWS::Cognito::LogDeliveryConfiguration │ │ └ types │ │ ├[~] type FirehoseConfiguration │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features. 
│ │ │ └ properties │ │ │ └ StreamArn: (documentation changed) │ │ ├[~] type LogConfiguration │ │ │ └ properties │ │ │ ├ FirehoseConfiguration: (documentation changed) │ │ │ └ S3Configuration: (documentation changed) │ │ └[~] type S3Configuration │ │ ├ - documentation: undefined │ │ │ + documentation: Configuration for the Amazon S3 bucket destination of user activity log export with advanced security features. │ │ └ properties │ │ └ BucketArn: (documentation changed) │ └[~] resource AWS::Cognito::UserPool │ └ types │ ├[+] type AdvancedSecurityAdditionalFlows │ │ ├ name: AdvancedSecurityAdditionalFlows │ │ └ properties │ │ └CustomAuthMode: string │ ├[~] type PasswordPolicy │ │ └ properties │ │ └ PasswordHistorySize: (documentation changed) │ └[~] type UserPoolAddOns │ └ properties │ ├[+] AdvancedSecurityAdditionalFlows: AdvancedSecurityAdditionalFlows │ └ AdvancedSecurityMode: (documentation changed) ├[~] service aws-datasync │ └ resources │ ├[~] resource AWS::DataSync::LocationHDFS │ │ └ properties │ │ └ AgentArns: (documentation changed) │ ├[~] resource AWS::DataSync::LocationNFS │ │ ├ properties │ │ │ └ OnPremConfig: (documentation changed) │ │ └ types │ │ └[~] type OnPremConfig │ │ ├ - documentation: The AWS DataSync agents that are connecting to a Network File System (NFS) location. │ │ │ + documentation: The AWS DataSync agents that can connect to your Network File System (NFS) file server. 
│ │ └ properties │ │ └ AgentArns: (documentation changed) │ └[~] resource AWS::DataSync::LocationObjectStorage │ └ properties │ └ AgentArns: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::SubnetCidrBlock │ │ └ attributes │ │ ├[+] IpSource: string │ │ └[+] Ipv6AddressAttribute: string │ ├[~] resource AWS::EC2::TransitGatewayMulticastGroupMember │ │ └ attributes │ │ └ SourceType: (documentation changed) │ ├[~] resource AWS::EC2::TransitGatewayMulticastGroupSource │ │ └ attributes │ │ └ MemberType: (documentation changed) │ └[~] resource AWS::EC2::VPNConnection │ └ properties │ └ EnableAcceleration: (documentation changed) ├[~] service aws-glue │ └ resources │ └[~] resource AWS::Glue::Connection │ └ types │ └[~] type ConnectionInput │ └ properties │ └ ConnectionType: (documentation changed) ├[~] service aws-guardduty │ └ resources │ └[~] resource AWS::GuardDuty::MalwareProtectionPlan │ └ types │ └[~] type CFNTagging │ └ properties │ └ Status: (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::EventSourceMapping │ └ properties │ └[+] KmsKeyArn: string ├[~] service aws-route53 │ └ resources │ └[~] resource AWS::Route53::HostedZone │ └ - tagInformation: undefined │ + tagInformation: {"tagPropertyName":"HostedZoneTags","variant":"standard"} ├[~] service aws-securityhub │ └ resources │ └[~] resource AWS::SecurityHub::ConfigurationPolicy │ └ types │ ├[~] type SecurityControlsConfiguration │ │ ├ - documentation: An object that defines which security controls are enabled in an AWS Security Hub configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account. │ │ │ + documentation: An object that defines which security controls are enabled in an AWS Security Hub configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account. 
│ │ │ This property is required only if `ServiceEnabled` is set to `true` in your configuration policy. │ │ └ properties │ │ ├ DisabledSecurityControlIdentifiers: (documentation changed) │ │ └ EnabledSecurityControlIdentifiers: (documentation changed) │ └[~] type SecurityHubPolicy │ └ properties │ ├ EnabledStandardIdentifiers: (documentation changed) │ └ SecurityControlsConfiguration: (documentation changed) ├[~] service aws-securitylake │ └ resources │ └[~] resource AWS::SecurityLake::Subscriber │ ├ properties │ │ └[+] Sources: Array (required) │ └ types │ ├[+] type AwsLogSource │ │ ├ documentation: Adds a natively supported AWS service as an Amazon Security Lake source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it. │ │ │ name: AwsLogSource │ │ └ properties │ │ ├SourceName: string │ │ └SourceVersion: string │ ├[+] type CustomLogSource │ │ ├ documentation: Third-party custom log source that meets the requirements to be added to Amazon Security Lake . For more details, see [Custom log source](https://docs.aws.amazon.com//security-lake/latest/userguide/custom-sources.html#iam-roles-custom-sources) in the *Amazon Security Lake User Guide* . │ │ │ name: CustomLogSource │ │ └ properties │ │ ├SourceName: string │ │ └SourceVersion: string │ └[+] type Source │ ├ documentation: Sources are logs and events generated from a single system that match a specific event class in the Open Cybersecurity Schema Framework (OCSF) schema. Amazon Security Lake can collect logs and events from a variety of sources, including natively supported AWS services and third-party custom sources. 
│ │ name: Source │ └ properties │ ├AwsLogSource: AwsLogSource │ └CustomLogSource: CustomLogSource └[~] service aws-systemsmanagersap └ resources └[~] resource AWS::SystemsManagerSAP::Application └ properties └[+] DatabaseArn: string (immutable) ``` --- package.json | 2 +- .../@aws-cdk/cloudformation-diff/package.json | 4 ++-- packages/@aws-cdk/integ-runner/package.json | 2 +- packages/aws-cdk-lib/package.json | 2 +- tools/@aws-cdk/spec2cdk/package.json | 4 ++-- yarn.lock | 17 ++++++++++++----- 6 files changed, 19 insertions(+), 12 deletions(-) diff --git a/package.json b/package.json index 6e7b4575961f2..b9ab630da3ba0 100644 --- a/package.json +++ b/package.json @@ -177,4 +177,4 @@ "dependencies": { "string-width": "^4.2.3" } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/cloudformation-diff/package.json b/packages/@aws-cdk/cloudformation-diff/package.json index 2ec6a62fd0000..fbd982a36bc25 100644 --- a/packages/@aws-cdk/cloudformation-diff/package.json +++ b/packages/@aws-cdk/cloudformation-diff/package.json @@ -23,8 +23,8 @@ }, "license": "Apache-2.0", "dependencies": { - "@aws-cdk/aws-service-spec": "^0.1.16", - "@aws-cdk/service-spec-types": "^0.0.84", + "@aws-cdk/aws-service-spec": "^0.1.17", + "@aws-cdk/service-spec-types": "^0.0.85", "chalk": "^4", "diff": "^5.2.0", "fast-deep-equal": "^3.1.3", diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json index d73be4ecb3111..b8e62b4add0ac 100644 --- a/packages/@aws-cdk/integ-runner/package.json +++ b/packages/@aws-cdk/integ-runner/package.json @@ -74,7 +74,7 @@ "@aws-cdk/cloud-assembly-schema": "^36.0.5", "@aws-cdk/cloudformation-diff": "0.0.0", "@aws-cdk/cx-api": "0.0.0", - "@aws-cdk/aws-service-spec": "^0.1.16", + "@aws-cdk/aws-service-spec": "^0.1.17", "cdk-assets": "0.0.0", "@aws-cdk/cdk-cli-wrapper": "0.0.0", "aws-cdk": "0.0.0", 
diff --git a/packages/aws-cdk-lib/package.json b/packages/aws-cdk-lib/package.json index b364698e5381f..d9240053a5c44 100644 --- a/packages/aws-cdk-lib/package.json +++ b/packages/aws-cdk-lib/package.json @@ -136,7 +136,7 @@ "mime-types": "^2.1.35" }, "devDependencies": { - "@aws-cdk/aws-service-spec": "^0.1.16", + "@aws-cdk/aws-service-spec": "^0.1.17", "@aws-cdk/cdk-build-tools": "0.0.0", "@aws-cdk/custom-resource-handlers": "0.0.0", "@aws-cdk/pkglint": "0.0.0", diff --git a/tools/@aws-cdk/spec2cdk/package.json b/tools/@aws-cdk/spec2cdk/package.json index ee14350a750e6..e27ceb30eeb88 100644 --- a/tools/@aws-cdk/spec2cdk/package.json +++ b/tools/@aws-cdk/spec2cdk/package.json @@ -32,9 +32,9 @@ }, "license": "Apache-2.0", "dependencies": { - "@aws-cdk/aws-service-spec": "^0.1.16", + "@aws-cdk/aws-service-spec": "^0.1.17", "@aws-cdk/service-spec-importers": "^0.0.44", - "@aws-cdk/service-spec-types": "^0.0.84", + "@aws-cdk/service-spec-types": "^0.0.85", "@cdklabs/tskb": "^0.0.3", "@cdklabs/typewriter": "^0.0.3", "camelcase": "^6", diff --git a/yarn.lock b/yarn.lock index 8f0c3f4ac727f..cff2ff5435696 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -51,12 +51,12 @@ resolved "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.0.3.tgz#9b5d213b5ce5ad4461f6a4720195ff8de72e6523" integrity sha512-twhuEG+JPOYCYPx/xy5uH2+VUsIEhPTzDY0F1KuB+ocjWWB/KEDiOVL19nHvbPCB6fhWnkykXEMJ4HHcKvjtvg== -"@aws-cdk/aws-service-spec@^0.1.16": - version "0.1.16" - resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.1.16.tgz#2cb1f7b1783c4dc362492296ebf61c7fd5cc88c7" - integrity sha512-9NX+04puH6zkTQY2shOzSWa8Ge1sdz0M4sqZw/UI9mgHbflfhxgSkjTwz6Fe/B3FH3ZA1RXl/wW6ThEqeAb3fw== +"@aws-cdk/aws-service-spec@^0.1.17": + version "0.1.17" + resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.1.17.tgz#8d3cf28223e8d43caf37cb28b96e1185c190bfbe" + integrity sha512-QCrkR16/gbWoQJiDdP8JhnMWcRCHkhslnRXMg8q3GfEFZ9p0SD3dqrXBCjT4imQQJUn1jrfWWufo5yz4KpbP7w== dependencies: - "@aws-cdk/service-spec-types" "^0.0.84" + "@aws-cdk/service-spec-types" "^0.0.85" "@cdklabs/tskb" "^0.0.3" "@aws-cdk/cloud-assembly-schema@^36.0.5": @@ -105,6 +105,13 @@ dependencies: "@cdklabs/tskb" "^0.0.3" +"@aws-cdk/service-spec-types@^0.0.85": + version "0.0.85" + resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.85.tgz#6d1d8d6720c50d44f0519a50b519dbcb33962203" + integrity sha512-cqTOKSy4ASJISezk4c3dv4AxGt1C8UfUdux9r58jmuNwNROjPfVTuAnSweACbmG18A1/rVvfyTUt5E72otYqgQ== + dependencies: + "@cdklabs/tskb" "^0.0.3" + "@aws-crypto/crc32@3.0.0": version "3.0.0" resolved "https://registry.npmjs.org/@aws-crypto/crc32/-/crc32-3.0.0.tgz#07300eca214409c33e3ff769cd5697b57fdd38fa" From 277d5b9088cb28d83adc7d8591dbf63b474196e9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 15:41:57 +0000 Subject: [PATCH 10/10] chore(deps): bump axios from 1.7.2 to 1.7.4 (#31126) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [axios](https://github.com/axios/axios) from 1.7.2 to 1.7.4.
Release notes

Sourced from axios's releases.

Release v1.7.4

Release notes:

Bug Fixes

Contributors to this release

Release v1.7.3

Release notes:

Bug Fixes

  • adapter: fix progress event emitting; (#6518) (e3c76fc)
  • fetch: fix withCredentials request config (#6505) (85d4d0e)
  • xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

Contributors to this release

Changelog

Sourced from axios's changelog.

1.7.4 (2024-08-13)

Bug Fixes

Contributors to this release

1.7.3 (2024-08-01)

Bug Fixes

  • adapter: fix progress event emitting; (#6518) (e3c76fc)
  • fetch: fix withCredentials request config (#6505) (85d4d0e)
  • xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

Contributors to this release

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=1.7.2&new-version=1.7.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).
--- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index cff2ff5435696..572fbcdc1ccab 100644 --- a/yarn.lock +++ b/yarn.lock @@ -7278,9 +7278,9 @@ axios@^0.27.2: form-data "^4.0.0" axios@^1.6.0, axios@^1.7.2: - version "1.7.2" - resolved "https://registry.npmjs.org/axios/-/axios-1.7.2.tgz#b625db8a7051fbea61c35a3cbb3a1daa7b9c7621" - integrity sha512-2A8QhOMrbomlDuiLeK9XibIBzuHeRcqqNOHp0Cyp5EoJ1IFDh+XZH3A6BkXtv0K4gFGCI0Y4BM7B1wOEi0Rmgw== + version "1.7.4" + resolved "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz#4c8ded1b43683c8dd362973c393f3ede24052aa2" + integrity sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw== dependencies: follow-redirects "^1.15.6" form-data "^4.0.0"