…rty to the BedrockInvokeModel (#30426)

### Issue # (if applicable)

Closes #30425 

### Reason for this change
In the current [BedrockInvokeModel](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions_tasks.BedrockInvokeModel.html), guardrail configuration and trace for the invocation are not supported.



### Description of changes
Add `gurdrailConfiguration` and `trace` property to the `BedrockInvokeModel`



### Description of how you validated changes
Add unit tests and integ tests.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.148.0/CHANGELOG.md)

…s-cdk/aws-lambda-python-alpha/test/lambda-handler (#30767)

Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4.
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"><code>bd81538</code></a> 2024.07.04 (<a href="https://redirect.github.com/certifi/python-certifi/issues/295">#295</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/06a2cbf21f345563dde6c28b60e29d57e9b210b3"><code>06a2cbf</code></a> Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/294">#294</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/13bba02b72bac97c432c277158bc04b4d2a6bc23"><code>13bba02</code></a> Bump actions/checkout from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/293">#293</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/e8abcd0e62b334c164b95d49fcabdc9ecbca0554"><code>e8abcd0</code></a> Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/292">#292</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/124f4adf171e15cd9a91a8b6e0325ecc97be8fe1"><code>124f4ad</code></a> 2024.06.02 (<a href="https://redirect.github.com/certifi/python-certifi/issues/291">#291</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/c2196ce5d6ee675b27755a19948480a7823e2c6a"><code>c2196ce</code></a> --- (<a href="https://redirect.github.com/certifi/python-certifi/issues/290">#290</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/fefdeec7588ff1c05214b85a552afcad5fdb51b2"><code>fefdeec</code></a> Bump actions/checkout from 4.1.4 to 4.1.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/289">#289</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/3c5fb1560b826a7f83f1f9750173ff766492c9cf"><code>3c5fb15</code></a> Bump actions/download-artifact from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/286">#286</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/4a9569a3eb58db8548536fc16c5c5c7af946a5b1"><code>4a9569a</code></a> Bump actions/checkout from 4.1.2 to 4.1.4 (<a href="https://redirect.github.com/certifi/python-certifi/issues/287">#287</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/1fc808626a895a916b1e4c2b63abae6c5eafdbe3"><code>1fc8086</code></a> Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/288">#288</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/certifi/python-certifi/compare/2023.07.22...2024.07.04">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=certifi&package-manager=pip&previous-version=2023.7.22&new-version=2024.7.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>

…-cdk/aws-lambda-python-alpha/test/lambda-handler-dockercopy (#30768)

Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.2.2 to 2024.7.4.
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"><code>bd81538</code></a> 2024.07.04 (<a href="https://redirect.github.com/certifi/python-certifi/issues/295">#295</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/06a2cbf21f345563dde6c28b60e29d57e9b210b3"><code>06a2cbf</code></a> Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/294">#294</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/13bba02b72bac97c432c277158bc04b4d2a6bc23"><code>13bba02</code></a> Bump actions/checkout from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/293">#293</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/e8abcd0e62b334c164b95d49fcabdc9ecbca0554"><code>e8abcd0</code></a> Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/292">#292</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/124f4adf171e15cd9a91a8b6e0325ecc97be8fe1"><code>124f4ad</code></a> 2024.06.02 (<a href="https://redirect.github.com/certifi/python-certifi/issues/291">#291</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/c2196ce5d6ee675b27755a19948480a7823e2c6a"><code>c2196ce</code></a> --- (<a href="https://redirect.github.com/certifi/python-certifi/issues/290">#290</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/fefdeec7588ff1c05214b85a552afcad5fdb51b2"><code>fefdeec</code></a> Bump actions/checkout from 4.1.4 to 4.1.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/289">#289</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/3c5fb1560b826a7f83f1f9750173ff766492c9cf"><code>3c5fb15</code></a> Bump actions/download-artifact from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/286">#286</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/4a9569a3eb58db8548536fc16c5c5c7af946a5b1"><code>4a9569a</code></a> Bump actions/checkout from 4.1.2 to 4.1.4 (<a href="https://redirect.github.com/certifi/python-certifi/issues/287">#287</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/1fc808626a895a916b1e4c2b63abae6c5eafdbe3"><code>1fc8086</code></a> Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/288">#288</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/certifi/python-certifi/compare/2024.02.02...2024.07.04">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=certifi&package-manager=pip&previous-version=2024.2.2&new-version=2024.7.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-applicationautoscaling
│ └ resources
│    ├[~] resource AWS::ApplicationAutoScaling::ScalableTarget
│    │ └ properties
│    │    ├ ResourceId: (documentation changed)
│    │    └ ScalableDimension: (documentation changed)
│    └[~] resource AWS::ApplicationAutoScaling::ScalingPolicy
│      └ properties
│         ├ ResourceId: (documentation changed)
│         └ ScalableDimension: (documentation changed)
├[~] service aws-codebuild
│ └ resources
│    └[~] resource AWS::CodeBuild::Project
│      └ types
│         ├[~] type ProjectTriggers
│         │ └ properties
│         │    └ ScopeConfiguration: (documentation changed)
│         └[~] type ScopeConfiguration
│           ├  - documentation: undefined
│           │  + documentation: Contains configuration information about the scope for a webhook.
│           └ properties
│              └ Name: (documentation changed)
├[~] service aws-deadline
│ └ resources
│    └[~] resource AWS::Deadline::MeteredProduct
│      └ properties
│         ├ Family: (documentation changed)
│         ├ Port: (documentation changed)
│         └ Vendor: (documentation changed)
├[~] service aws-dms
│ └ resources
│    └[~] resource AWS::DMS::Endpoint
│      └ types
│         └[~] type OracleSettings
│           └ properties
│              ├ ArchivedLogsOnly: (documentation changed)
│              ├ UseBFile: (documentation changed)
│              ├ UseDirectPathFullLoad: (documentation changed)
│              └ UseLogminerReader: (documentation changed)
├[~] service aws-emr
│ └ resources
│    ├[~] resource AWS::EMR::Cluster
│    │ └ types
│    │    ├[~] type OnDemandProvisioningSpecification
│    │    │ └ properties
│    │    │    └ AllocationStrategy: (documentation changed)
│    │    └[~] type SpotProvisioningSpecification
│    │      └ properties
│    │         └ AllocationStrategy: (documentation changed)
│    └[~] resource AWS::EMR::InstanceFleetConfig
│      └ types
│         ├[~] type OnDemandProvisioningSpecification
│         │ └ properties
│         │    └ AllocationStrategy: (documentation changed)
│         └[~] type SpotProvisioningSpecification
│           └ properties
│              └ AllocationStrategy: (documentation changed)
├[~] service aws-kinesisanalyticsv2
│ └ resources
│    └[~] resource AWS::KinesisAnalyticsV2::Application
│      └ types
│         ├[~] type ApplicationConfiguration
│         │ └ properties
│         │    └ ApplicationSystemRollbackConfiguration: (documentation changed)
│         ├[~] type ApplicationSystemRollbackConfiguration
│         │ ├  - documentation: Describes whether system initiated rollbacks are enabled for a Flink-based Kinesis Data Analytics application.
│         │ │  + documentation: Describes the system rollback configuration for a Managed Service for Apache Flink application.
│         │ └ properties
│         │    └ RollbackEnabled: (documentation changed)
│         ├[~] type CheckpointConfiguration
│         │ ├  - documentation: Describes an application's checkpointing configuration. Checkpointing is the process of persisting application state for fault tolerance. For more information, see [Checkpoints for Fault Tolerance](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/concepts/programming-model.html#checkpoints-for-fault-tolerance) in the [Apache Flink Documentation](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/) .
│         │ │  + documentation: Describes an application's checkpointing configuration. Checkpointing is the process of persisting application state for fault tolerance. For more information, see [Checkpoints for Fault Tolerance](https://docs.aws.amazon.com/https://nightlies.apache.org/flink/flink-docs-master/docs/dev/datastream/fault-tolerance/checkpointing/) in the [Apache Flink Documentation](https://docs.aws.amazon.com/https://nightlies.apache.org/flink/flink-docs-master) .
│         │ └ properties
│         │    └ MinPauseBetweenCheckpoints: (documentation changed)
│         ├[~] type FlinkRunConfiguration
│         │ └ properties
│         │    └ AllowNonRestoredState: (documentation changed)
│         └[~] type ParallelismConfiguration
│           └  - documentation: Describes parameters for how a Flink-based Kinesis Data Analytics application executes multiple tasks simultaneously. For more information about parallelism, see [Parallel Execution](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/dev/parallel.html) in the [Apache Flink Documentation](https://docs.aws.amazon.com/https://ci.apache.org/projects/flink/flink-docs-release-1.8/) .
│              + documentation: Describes parameters for how a Flink-based Kinesis Data Analytics application executes multiple tasks simultaneously. For more information about parallelism, see [Parallel Execution](https://docs.aws.amazon.com/https://nightlies.apache.org/flink/flink-docs-master/docs/dev/datastream/execution/parallel/) in the [Apache Flink Documentation](https://docs.aws.amazon.com/https://nightlies.apache.org/flink/flink-docs-master) .
├[~] service aws-rds
│ └ resources
│    └[~] resource AWS::RDS::DBInstance
│      └ types
│         ├[~] type CertificateDetails
│         │ └  - documentation: Returns the details of the DB instance’s server certificate.
│         │    For more information, see [Using SSL/TLS to encrypt a connection to a DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) in the *Amazon RDS User Guide* and [Using SSL/TLS to encrypt a connection to a DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html) in the *Amazon Aurora User Guide* .
│         │    + documentation: The details of the DB instance’s server certificate.
│         │    For more information, see [Using SSL/TLS to encrypt a connection to a DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) in the *Amazon RDS User Guide* and [Using SSL/TLS to encrypt a connection to a DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html) in the *Amazon Aurora User Guide* .
│         └[~] type ProcessorFeature
│           └ properties
│              └ Value: (documentation changed)
├[~] service aws-rolesanywhere
│ └ resources
│    └[~] resource AWS::RolesAnywhere::CRL
│      ├ properties
│      │  ├ CrlData: (documentation changed)
│      │  ├ Enabled: (documentation changed)
│      │  ├ Name: (documentation changed)
│      │  └ Tags: (documentation changed)
│      └ attributes
│         └ CrlId: (documentation changed)
├[~] service aws-route53profiles
│ └ resources
│    └[~] resource AWS::Route53Profiles::ProfileAssociation
│      └ properties
│         └ ResourceId: (documentation changed)
├[~] service aws-ses
│ └ resources
│    ├[~] resource AWS::SES::ConfigurationSet
│    │ ├ properties
│    │ │  ├ DeliveryOptions: (documentation changed)
│    │ │  ├ ReputationOptions: (documentation changed)
│    │ │  └ TrackingOptions: (documentation changed)
│    │ └ types
│    │    ├[~] type DashboardOptions
│    │    │ └  - documentation: Settings for your VDM configuration as applicable to the Dashboard.
│    │    │    + documentation: An object containing additional settings for your VDM configuration as applicable to the Dashboard.
│    │    ├[~] type DeliveryOptions
│    │    │ └  - documentation: Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS).
│    │    │    + documentation: Specifies the name of the dedicated IP pool to associate with the configuration set and whether messages that use the configuration set are required to use Transport Layer Security (TLS).
│    │    ├[~] type GuardianOptions
│    │    │ └  - documentation: Settings for your VDM configuration as applicable to the Guardian.
│    │    │    + documentation: An object containing additional settings for your VDM configuration as applicable to the Guardian.
│    │    ├[~] type ReputationOptions
│    │    │ ├  - documentation: Contains information about the reputation settings for a configuration set.
│    │    │ │  + documentation: Enable or disable collection of reputation metrics for emails that you send using this configuration set in the current AWS Region.
│    │    │ └ properties
│    │    │    └ ReputationMetricsEnabled: (documentation changed)
│    │    ├[~] type TrackingOptions
│    │    │ └  - documentation: A domain that is used to redirect email recipients to an Amazon SES-operated domain. This domain captures open and click events generated by Amazon SES emails.
│    │    │    For more information, see [Configuring Custom Domains to Handle Open and Click Tracking](https://docs.aws.amazon.com/ses/latest/dg/configure-custom-open-click-domains.html) in the *Amazon SES Developer Guide* .
│    │    │    + documentation: An object that defines the tracking options for a configuration set. When you use the Amazon SES API v2 to send an email, it contains an invisible image that's used to track when recipients open your email. If your email contains links, those links are changed slightly in order to track when recipients click them.
│    │    │    You can optionally configure a custom subdomain that is used to redirect email recipients to an Amazon SES-operated domain. This domain captures open and click events generated by Amazon SES emails.
│    │    │    For more information, see [Configuring Custom Domains to Handle Open and Click Tracking](https://docs.aws.amazon.com/ses/latest/dg/configure-custom-open-click-domains.html) in the *Amazon SES Developer Guide* .
│    │    └[~] type VdmOptions
│    │      └ properties
│    │         ├ DashboardOptions: (documentation changed)
│    │         └ GuardianOptions: (documentation changed)
│    ├[~] resource AWS::SES::ConfigurationSetEventDestination
│    │ ├  - documentation: Specifies a configuration set event destination. An event destination is an AWS service that Amazon SES publishes email sending events to. When you specify an event destination, you provide one, and only one, destination. You can send event data to Amazon CloudWatch, Amazon Kinesis Data Firehose, or Amazon Simple Notification Service (Amazon SNS).
│    │ │  + documentation: Specifies a configuration set event destination. *Events* include message sends, deliveries, opens, clicks, bounces, and complaints. *Event destinations* are places that you can send information about these events to. For example, you can send event data to Amazon SNS to receive notifications when you receive bounces or complaints, or you can use Amazon Kinesis Data Firehose to stream data to Amazon S3 for long-term storage.
│    │ │  A single configuration set can include more than one event destination.
│    │ ├ properties
│    │ │  └ EventDestination: (documentation changed)
│    │ └ types
│    │    ├[~] type CloudWatchDestination
│    │    │ ├  - documentation: Contains information associated with an Amazon CloudWatch event destination to which email sending events are published.
│    │    │ │  Event destinations, such as Amazon CloudWatch, are associated with configuration sets, which enable you to publish email sending events. For information about using configuration sets, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html) .
│    │    │ │  + documentation: An object that defines an Amazon CloudWatch destination for email events. You can use Amazon CloudWatch to monitor and gain insights on your email sending metrics.
│    │    │ └ properties
│    │    │    └ DimensionConfigurations: (documentation changed)
│    │    ├[~] type DimensionConfiguration
│    │    │ ├  - documentation: Contains the dimension configuration to use when you publish email sending events to Amazon CloudWatch.
│    │    │ │  For information about publishing email sending events to Amazon CloudWatch, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html) .
│    │    │ │  + documentation: An object that defines the dimension configuration to use when you send email events to Amazon CloudWatch.
│    │    │ └ properties
│    │    │    ├ DefaultDimensionValue: (documentation changed)
│    │    │    ├ DimensionName: (documentation changed)
│    │    │    └ DimensionValueSource: (documentation changed)
│    │    ├[~] type EventBridgeDestination
│    │    │ ├  - documentation: An object that contains Event bus ARN associated with the event bridge destination.
│    │    │ │  + documentation: An object that defines an Amazon EventBridge destination for email events. You can use Amazon EventBridge to send notifications when certain email events occur.
│    │    │ └ properties
│    │    │    └ EventBusArn: (documentation changed)
│    │    ├[~] type EventDestination
│    │    │ ├  - documentation: Contains information about an event destination.
│    │    │ │  > When you create or update an event destination, you must provide one, and only one, destination. The destination can be Amazon CloudWatch, Amazon Kinesis Firehose or Amazon Simple Notification Service (Amazon SNS). 
│    │    │ │  Event destinations are associated with configuration sets, which enable you to publish email sending events to Amazon CloudWatch, Amazon Kinesis Firehose, or Amazon Simple Notification Service (Amazon SNS). For information about using configuration sets, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html) .
│    │    │ │  + documentation: In the Amazon SES API v2, *events* include message sends, deliveries, opens, clicks, bounces, complaints and delivery delays. *Event destinations* are places that you can send information about these events to. For example, you can send event data to Amazon SNS to receive notifications when you receive bounces or complaints, or you can use Amazon Kinesis Data Firehose to stream data to Amazon S3 for long-term storage.
│    │    │ └ properties
│    │    │    ├ CloudWatchDestination: (documentation changed)
│    │    │    ├ Enabled: (documentation changed)
│    │    │    ├ EventBridgeDestination: (documentation changed)
│    │    │    └ MatchingEventTypes: (documentation changed)
│    │    └[~] type KinesisFirehoseDestination
│    │      ├  - documentation: Contains the delivery stream ARN and the IAM role ARN associated with an Amazon Kinesis Firehose event destination.
│    │      │  Event destinations, such as Amazon Kinesis Firehose, are associated with configuration sets, which enable you to publish email sending events. For information about using configuration sets, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html) .
│    │      │  + documentation: An object that defines an Amazon Kinesis Data Firehose destination for email events. You can use Amazon Kinesis Data Firehose to stream data to other services, such as Amazon S3 and Amazon Redshift.
│    │      └ properties
│    │         └ IAMRoleARN: (documentation changed)
│    ├[~] resource AWS::SES::EmailIdentity
│    │ ├  - documentation: Specifies an identity for using within SES. An identity is an email address or domain that you use when you send email. Before you can use an identity to send email, you first have to verify it. By verifying an identity, you demonstrate that you're the owner of the identity, and that you've given Amazon SES API v2 permission to send email from the identity.
│    │ │  When you verify an email address, SES sends an email to the address. Your email address is verified as soon as you follow the link in the verification email. When you verify a domain without specifying the DkimSigningAttributes properties, OR only the NextSigningKeyLength property of DkimSigningAttributes, this resource provides a set of CNAME token names and values (DkimDNSTokenName1, DkimDNSTokenValue1, DkimDNSTokenName2, DkimDNSTokenValue2, DkimDNSTokenName3, DkimDNSTokenValue3) as outputs. You can then add these to the DNS configuration for your domain. Your domain is verified when Amazon SES detects these records in the DNS configuration for your domain. This verification method is known as Easy DKIM.
│    │ │  Alternatively, you can perform the verification process by providing your own public-private key pair. This verification method is known as Bring Your Own DKIM (BYODKIM). To use BYODKIM, your resource must include DkimSigningAttributes properties DomainSigningSelector and DomainSigningPrivateKey. When you specify this object, you provide a selector (DomainSigningSelector) (a component of the DNS record name that identifies the public key to use for DKIM authentication) and a private key (DomainSigningPrivateKey).
│    │ │  Additionally, you can associate an existing configuration set with the email identity that you're verifying.
│    │ │  + documentation: Specifies an identity for using within SES. An identity is an email address or domain that you use when you send email. Before you can use an identity to send email, you first have to verify it. By verifying an identity, you demonstrate that you're the owner of the identity, and that you've given Amazon SES API v2 permission to send email from the identity.
│    │ │  When you verify an email address, SES sends an email to the address. Your email address is verified as soon as you follow the link in the verification email. When you verify a domain without specifying the `DkimSigningAttributes` properties, OR only the `NextSigningKeyLength` property of `DkimSigningAttributes` , this resource provides a set of CNAME token names and values ( *DkimDNSTokenName1* , *DkimDNSTokenValue1* , *DkimDNSTokenName2* , *DkimDNSTokenValue2* , *DkimDNSTokenName3* , *DkimDNSTokenValue3* ) as outputs. You can then add these to the DNS configuration for your domain. Your domain is verified when Amazon SES detects these records in the DNS configuration for your domain. This verification method is known as Easy DKIM.
│    │ │  Alternatively, you can perform the verification process by providing your own public-private key pair. This verification method is known as Bring Your Own DKIM (BYODKIM). To use BYODKIM, your resource must include `DkimSigningAttributes` properties `DomainSigningSelector` and `DomainSigningPrivateKey` . When you specify this object, you provide a selector ( `DomainSigningSelector` ) (a component of the DNS record name that identifies the public key to use for DKIM authentication) and a private key ( `DomainSigningPrivateKey` ).
│    │ │  Additionally, you can associate an existing configuration set with the email identity that you're verifying.
│    │ └ properties
│    │    └ DkimSigningAttributes: (documentation changed)
│    ├[~] resource AWS::SES::ReceiptRule
│    │ └ types
│    │    ├[~] type Action
│    │    │ └ properties
│    │    │    └ WorkmailAction: (documentation changed)
│    │    ├[~] type AddHeaderAction
│    │    │ ├  - documentation: When included in a receipt rule, this action adds a header to the received email.
│    │    │ │  For information about adding a header using a receipt rule, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-action-add-header.html) .
│    │    │ │  + documentation: When included in a receipt rule, this action adds a header to the received email.
│    │    │ │  For information about adding a header using a receipt rule, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-receipt-rules-console-walkthrough.html) .
│    │    │ └ properties
│    │    │    └ HeaderName: (documentation changed)
│    │    └[~] type S3Action
│    │      └  - documentation: When included in a receipt rule, this action saves the received message to an Amazon Simple Storage Service (Amazon S3) bucket and, optionally, publishes a notification to Amazon Simple Notification Service (Amazon SNS).
│    │         To enable Amazon SES to write emails to your Amazon S3 bucket, use an AWS KMS key to encrypt your emails, or publish to an Amazon SNS topic of another account, Amazon SES must have permission to access those resources. For information about granting permissions, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html) .
│    │         > When you save your emails to an Amazon S3 bucket, the maximum email size (including headers) is 40 MB. Emails larger than that bounces. 
│    │         For information about specifying Amazon S3 actions in receipt rules, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-action-s3.html) .
│    │         + documentation: When included in a receipt rule, this action saves the received message to an Amazon Simple Storage Service (Amazon S3) bucket and, optionally, publishes a notification to Amazon Simple Notification Service (Amazon SNS).
│    │         To enable Amazon SES to write emails to your Amazon S3 bucket, use an AWS KMS key to encrypt your emails, or publish to an Amazon SNS topic of another account, Amazon SES must have permission to access those resources. For information about granting permissions, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html) .
│    │         > When you save your emails to an Amazon S3 bucket, the maximum email size (including headers) is 30 MB. Emails larger than that bounces. 
│    │         For information about specifying Amazon S3 actions in receipt rules, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-action-s3.html) .
│    ├[~] resource AWS::SES::ReceiptRuleSet
│    │ └ properties
│    │    └ RuleSetName: (documentation changed)
│    ├[~] resource AWS::SES::Template
│    │ └ types
│    │    └[~] type Template
│    │      ├  - documentation: The content of the email, composed of a subject line and either an HTML part or a text-only part.
│    │      │  + documentation: An object that defines the email template to use for an email message, and the values to use for any message variables in that template. An *email template* is a type of message template that contains content that you want to define, save, and reuse in email messages that you send.
│    │      └ properties
│    │         └ TemplateName: (documentation changed)
│    └[~] resource AWS::SES::VdmAttributes
│      └ types
│         ├[~] type DashboardAttributes
│         │ └  - documentation: Settings for your VDM configuration as applicable to the Dashboard.
│         │    + documentation: An object containing additional settings for your VDM configuration as applicable to the Dashboard.
│         └[~] type GuardianAttributes
│           └  - documentation: Settings for your VDM configuration as applicable to the Guardian.
│              + documentation: An object containing additional settings for your VDM configuration as applicable to the Guardian.
├[~] service aws-verifiedpermissions
│ └ resources
│    ├[~] resource AWS::VerifiedPermissions::IdentitySource
│    │ ├ properties
│    │ │  └ Configuration: (documentation changed)
│    │ └ types
│    │    └[~] type CognitoGroupConfiguration
│    │      └  - documentation: The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
│    │         This data type is part of a [CognitoUserPoolConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CognitoUserPoolConfiguration.html) structure and is a request parameter in [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│    │         + documentation: The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
│    ├[~] resource AWS::VerifiedPermissions::Policy
│    │ └  - documentation: Creates or updates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
│    │    You can directly update only static policies. To update a template-linked policy, you must update it's linked policy template instead.
│    │    - To create a static policy, in the `Definition` include a `Static` element that includes the Cedar policy text in the `Statement` element.
│    │    - To create a policy that is dynamically linked to a policy template, in the `Definition` include a `Templatelinked` element that specifies the policy template ID and the principal and resource to associate with this policy. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
│    │    > - If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored.
│    │    > - When you edit a static policy, You can change only certain elements of a static policy:
│    │    > 
│    │    > - The action referenced by the policy.
│    │    > - A condition clause, such as when and unless.
│    │    > 
│    │    > You can't change these elements of a static policy:
│    │    > 
│    │    > - Changing a policy from a static policy to a template-linked policy.
│    │    > - Changing the effect of a static policy from permit or forbid.
│    │    > - The principal referenced by a static policy.
│    │    > - The resource referenced by a static policy.
│    │    > - To update a template-linked policy, you must update the template instead.
│    │    + documentation: Creates or updates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
│    │    You can directly update only static policies. To update a template-linked policy, you must update its linked policy template instead.
│    │    - To create a static policy, in the `Definition` include a `Static` element that includes the Cedar policy text in the `Statement` element.
│    │    - To create a policy that is dynamically linked to a policy template, in the `Definition` include a `Templatelinked` element that specifies the policy template ID and the principal and resource to associate with this policy. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
│    │    > - If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored.
│    │    > - When you edit a static policy, You can change only certain elements of a static policy:
│    │    > 
│    │    > - The action referenced by the policy.
│    │    > - A condition clause, such as when and unless.
│    │    > 
│    │    > You can't change these elements of a static policy:
│    │    > 
│    │    > - Changing a policy from a static policy to a template-linked policy.
│    │    > - Changing the effect of a static policy from permit or forbid.
│    │    > - The principal referenced by a static policy.
│    │    > - The resource referenced by a static policy.
│    │    > - To update a template-linked policy, you must update the template instead.
│    └[~] resource AWS::VerifiedPermissions::PolicyStore
│      └ types
│         └[~] type SchemaDefinition
│           └ properties
│              └ CedarJson: (documentation changed)
├[~] service aws-wafv2
│ └ resources
│    ├[~] resource AWS::WAFv2::RuleGroup
│    │ └ types
│    │    └[~] type JsonBody
│    │      ├  - documentation: Inspect the body of the web request as JSON. The body immediately follows the request headers.
│    │      │  This is used to indicate the web request component to inspect, in the `FieldToMatch` specification.
│    │      │  Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule's inspection criteria. AWS WAF inspects only the parts of the JSON that result from the matches that you indicate.
│    │      │  Example JSON: `"JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL" }`
│    │      │  + documentation: Inspect the body of the web request as JSON. The body immediately follows the request headers.
│    │      │  This is used to indicate the web request component to inspect, in the `FieldToMatch` specification.
│    │      │  Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule's inspection criteria. AWS WAF inspects only the parts of the JSON that result from the matches that you indicate.
│    │      │  Example JSON: `"JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL" }`
│    │      │  For additional information about this request component option, see [JSON body](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body) in the *AWS WAF Developer Guide* .
│    │      └ properties
│    │         └ InvalidFallbackBehavior: (documentation changed)
│    └[~] resource AWS::WAFv2::WebACL
│      └ types
│         └[~] type JsonBody
│           ├  - documentation: Inspect the body of the web request as JSON. The body immediately follows the request headers.
│           │  This is used to indicate the web request component to inspect, in the `FieldToMatch` specification.
│           │  Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule's inspection criteria. AWS WAF inspects only the parts of the JSON that result from the matches that you indicate.
│           │  Example JSON: `"JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL" }`
│           │  + documentation: Inspect the body of the web request as JSON. The body immediately follows the request headers.
│           │  This is used to indicate the web request component to inspect, in the `FieldToMatch` specification.
│           │  Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule's inspection criteria. AWS WAF inspects only the parts of the JSON that result from the matches that you indicate.
│           │  Example JSON: `"JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL" }`
│           │  For additional information about this request component option, see [JSON body](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body) in the *AWS WAF Developer Guide* .
│           └ properties
│              └ InvalidFallbackBehavior: (documentation changed)
└[~] service aws-workspaces
  └ resources
     ├[~] resource AWS::WorkSpaces::Workspace
     │ ├ properties
     │ │  ├ UserName: (documentation changed)
     │ │  └ VolumeEncryptionKey: (documentation changed)
     │ └ types
     │    └[~] type WorkspaceProperties
     │      └ properties
     │         └ RunningMode: (documentation changed)
     └[~] resource AWS::WorkSpaces::WorkspacesPool
       ├  - documentation: Resource Type definition for AWS::WorkSpaces::WorkspacesPool
       │  + documentation: Describes a pool of WorkSpaces.
       ├ properties
       │  ├ ApplicationSettings: (documentation changed)
       │  ├ BundleId: (documentation changed)
       │  ├ Capacity: (documentation changed)
       │  ├ Description: (documentation changed)
       │  ├ DirectoryId: (documentation changed)
       │  ├ PoolName: (documentation changed)
       │  ├ Tags: (documentation changed)
       │  └ TimeoutSettings: (documentation changed)
       ├ attributes
       │  ├ CreatedAt: (documentation changed)
       │  ├ PoolArn: (documentation changed)
       │  └ PoolId: (documentation changed)
       └ types
          ├[~] type ApplicationSettings
          │ ├  - documentation: undefined
          │ │  + documentation: The persistent application settings for users in the pool.
          │ └ properties
          │    ├ SettingsGroup: (documentation changed)
          │    └ Status: (documentation changed)
          ├[~] type Capacity
          │ ├  - documentation: undefined
          │ │  + documentation: Describes the user capacity for the pool.
          │ └ properties
          │    └ DesiredUserSessions: (documentation changed)
          └[~] type TimeoutSettings
            ├  - documentation: undefined
            │  + documentation: Describes the timeout settings for the pool.
            └ properties
               ├ DisconnectTimeoutInSeconds: (documentation changed)
               ├ IdleDisconnectTimeoutInSeconds: (documentation changed)
               └ MaxUserDurationInSeconds: (documentation changed)
```

…s-cdk/aws-lambda-python-alpha/test/lambda-handler-poetry (#30787)

Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4.
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"><code>bd81538</code></a> 2024.07.04 (<a href="https://redirect.github.com/certifi/python-certifi/issues/295">#295</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/06a2cbf21f345563dde6c28b60e29d57e9b210b3"><code>06a2cbf</code></a> Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/294">#294</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/13bba02b72bac97c432c277158bc04b4d2a6bc23"><code>13bba02</code></a> Bump actions/checkout from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/293">#293</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/e8abcd0e62b334c164b95d49fcabdc9ecbca0554"><code>e8abcd0</code></a> Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/292">#292</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/124f4adf171e15cd9a91a8b6e0325ecc97be8fe1"><code>124f4ad</code></a> 2024.06.02 (<a href="https://redirect.github.com/certifi/python-certifi/issues/291">#291</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/c2196ce5d6ee675b27755a19948480a7823e2c6a"><code>c2196ce</code></a> --- (<a href="https://redirect.github.com/certifi/python-certifi/issues/290">#290</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/fefdeec7588ff1c05214b85a552afcad5fdb51b2"><code>fefdeec</code></a> Bump actions/checkout from 4.1.4 to 4.1.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/289">#289</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/3c5fb1560b826a7f83f1f9750173ff766492c9cf"><code>3c5fb15</code></a> Bump actions/download-artifact from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/286">#286</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/4a9569a3eb58db8548536fc16c5c5c7af946a5b1"><code>4a9569a</code></a> Bump actions/checkout from 4.1.2 to 4.1.4 (<a href="https://redirect.github.com/certifi/python-certifi/issues/287">#287</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/1fc808626a895a916b1e4c2b63abae6c5eafdbe3"><code>1fc8086</code></a> Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/288">#288</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/certifi/python-certifi/compare/2023.07.22...2024.07.04">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=certifi&package-manager=pip&previous-version=2023.7.22&new-version=2024.7.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>

…30429)

### Issue # (if applicable)

Closes #30430

### Reason for this change

`ServerDeploymentConfig` does not support for configuring the [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config).

### Description of changes

- define `ZonalConfig` interface
- define `MinimumHealthyHostsPerZone` class
- add `zonalConfig` property to the `BaseDeploymentConfigProps`

### Description of how you validated changes

Add both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…tartQueryExecution (#30447)

### Issue # (if applicable)

Closes #30446.

### Reason for this change
To use  "reuse result" feature in Amazon Athena on Step Functions.



### Description of changes
Add `resultReuseConfiguration` to the `AthenaStartQueryExecution`



### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Just fix a broken link.

### Description of changes



### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#30785)

### Reason for this change
Information about targets supported by `aws-events-targets` is also listed in `aws-events`, but this information is outdated and can be confusing to users.
Aggregating the list of supported targets in `aws-events-targets` will prevent contributors from forgetting to update it.

### Description of changes
Add a message to the README of `aws-events` encouraging people to look at `aws-events-targets` for information on targets.

### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Closes #6831

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…s-cdk/aws-lambda-python-alpha/test/lambda-handler-custom-build (#30802)

Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4.
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"><code>bd81538</code></a> 2024.07.04 (<a href="https://redirect.github.com/certifi/python-certifi/issues/295">#295</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/06a2cbf21f345563dde6c28b60e29d57e9b210b3"><code>06a2cbf</code></a> Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/294">#294</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/13bba02b72bac97c432c277158bc04b4d2a6bc23"><code>13bba02</code></a> Bump actions/checkout from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/293">#293</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/e8abcd0e62b334c164b95d49fcabdc9ecbca0554"><code>e8abcd0</code></a> Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (<a href="https://redirect.github.com/certifi/python-certifi/issues/292">#292</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/124f4adf171e15cd9a91a8b6e0325ecc97be8fe1"><code>124f4ad</code></a> 2024.06.02 (<a href="https://redirect.github.com/certifi/python-certifi/issues/291">#291</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/c2196ce5d6ee675b27755a19948480a7823e2c6a"><code>c2196ce</code></a> --- (<a href="https://redirect.github.com/certifi/python-certifi/issues/290">#290</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/fefdeec7588ff1c05214b85a552afcad5fdb51b2"><code>fefdeec</code></a> Bump actions/checkout from 4.1.4 to 4.1.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/289">#289</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/3c5fb1560b826a7f83f1f9750173ff766492c9cf"><code>3c5fb15</code></a> Bump actions/download-artifact from 4.1.6 to 4.1.7 (<a href="https://redirect.github.com/certifi/python-certifi/issues/286">#286</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/4a9569a3eb58db8548536fc16c5c5c7af946a5b1"><code>4a9569a</code></a> Bump actions/checkout from 4.1.2 to 4.1.4 (<a href="https://redirect.github.com/certifi/python-certifi/issues/287">#287</a>)</li>
<li><a href="https://github.com/certifi/python-certifi/commit/1fc808626a895a916b1e4c2b63abae6c5eafdbe3"><code>1fc8086</code></a> Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (<a href="https://redirect.github.com/certifi/python-certifi/issues/288">#288</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/certifi/python-certifi/compare/2023.07.22...2024.07.04">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=certifi&package-manager=pip&previous-version=2023.7.22&new-version=2024.7.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>

…n rule (#30780)

### Issue # (if applicable)

### Reason for this change
The `createdBy` property existed in the L1 construct but was not present in the L2 construct

### Description of changes
- Add the `createdBy` property for `NotificationRule`, which was missing in the L2 construct.

### Description of how you validated changes
I Added a unit test for codestarnotifications and integration tests for pipeline and codestarnotifications

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

None

### Reason for this change

AWS EC2 now supports R8G instance type. But CDK L2 construct does not support this.  

### Description of changes

Update `InstanceClass`

### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ror during synth (#30634)

### Reason for this change

Creating multiple `Schedule`s causes Resolution Error during synth.
This PR does not fix the root cause (discussing at #28713), but apply a workaround to prevent the error.

### Description of changes

Use `ServicePrincipal` with conditions directly, instead of `PrincipalWithConditions`.

### Description of how you validated changes

Added a feature flag `{"@aws-cdk/aws-iam:minimizePolicies":true}` to unit tests.
Resolution errors occur before fix. No errors occur after fix.

## Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… defining authorization type in method or root api (#30822)

### Issue # (if applicable)

Closes #30444

### Reason for this change

The original PR caused a breaking change, we can't rollback because it
was released in v2.142.0 and it fixes customers issues (partially).
Simply doing a revert will be breaking for those customers again.

### Description of changes

Identified the root cause and we should use `AuthorizationType` instead
of `AuthorizationTypeOption`. `AuthorizationType` defaults to find the
authorization type from the authorizer, falling back to use the auth
type defined in the `Method` construct's options property and falling
back to `None`.

`AuthorizationTypeOptions` on the other hand tries to find the auth type
from `Method` construct's options property which can be None because
it's optional.

### Description of how you validated changes

New unit tests covering the changes and new integration tests covering
it.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.148.1/CHANGELOG.md)

Adds a condition to restrict s3 permissions on the file publish role.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*