chore(release): 2.244.0 (#37289)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.244.0/CHANGELOG.md)

Author: mergify[bot]

.gitattributes

@@ -7,6 +7,7 @@
 *.zip binary
 *.png binary
 *.jpg binary
+*.tar binary
 *.tgz binary
 *.tar.gz binary
 # Hide snapshots from GitHub UI, except for the actual templates

.github/workflows/pr-linter.yml

@@ -36,7 +36,7 @@ jobs:
     steps:
       - name: "Download workflow_run artifact"
         if: github.event_name == 'workflow_run'
-        uses: dawidd6/action-download-artifact@v16
+        uses: dawidd6/action-download-artifact@v19
         continue-on-error: true
         with:
           run_id: ${{ github.event.workflow_run.id }}

.github/workflows/security-report.yml

@@ -74,7 +74,7 @@ jobs:
             );
             
             if (botComment) {
-              const disclaimer = '⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined. \n**Please try `merge from main` to avoid findings unrelated to the PR.**\n\n---\n\n';
+              const disclaimer = '⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined. \n**This security report is NOT a review blocker.** Please try `merge from main` to avoid findings unrelated to the PR.\n\n---\n\n';
               await github.rest.issues.updateComment({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
@@ -126,7 +126,7 @@ jobs:
             );
             
             if (botComment) {
-              const disclaimer = '⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined. \n**Please try `merge from main` to avoid findings unrelated to the PR.**\n\n---\n\n';
+              const disclaimer = '⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined. \n**This security report is NOT a review blocker.** Please try `merge from main` to avoid findings unrelated to the PR.\n\n---\n\n';
               await github.rest.issues.updateComment({
                 owner: context.repo.owner,
                 repo: context.repo.repo,

CHANGELOG.v2.alpha.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.244.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.243.0-alpha.0...v2.244.0-alpha.0) (2026-03-19)
+
+
+### Bug Fixes
+
+* **kinesisanalytics-flink-alpha:** mark deprecated flink runtimes as deprecated ([#37155](https://github.com/aws/aws-cdk/issues/37155)) ([0a89447](https://github.com/aws/aws-cdk/commit/0a894472650bb1a2c41050ae2b00581fb937c924))
+
 ## [2.243.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.242.0-alpha.0...v2.243.0-alpha.0) (2026-03-11)
 
 ## [2.242.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.241.0-alpha.0...v2.242.0-alpha.0) (2026-03-10)

CHANGELOG.v2.md

@@ -2,6 +2,25 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.244.0](https://github.com/aws/aws-cdk/compare/v2.243.0...v2.244.0) (2026-03-19)
+
+
+### Features
+
+* **codebuild:** add support for macOS 26 runners ([#37240](https://github.com/aws/aws-cdk/issues/37240)) ([1b7b292](https://github.com/aws/aws-cdk/commit/1b7b2929fccd786c0bd38ea735b90aef9e470106)), closes [#37241](https://github.com/aws/aws-cdk/issues/37241) [#35836](https://github.com/aws/aws-cdk/issues/35836)
+* update L1 CloudFormation resource definitions ([#37260](https://github.com/aws/aws-cdk/issues/37260)) ([40a5142](https://github.com/aws/aws-cdk/commit/40a5142771b1ea450a2f7c684e102548a626ddba))
+* **rds:** add standalone resource creation for ParameterGroup ([#37165](https://github.com/aws/aws-cdk/issues/37165)) ([5441a51](https://github.com/aws/aws-cdk/commit/5441a515b6aab9e091c7a09f96663c723b122bcf)), closes [#9741](https://github.com/aws/aws-cdk/issues/9741)
+* **ecs:** add forceNewDeployment feature for ecs service ([#35726](https://github.com/aws/aws-cdk/issues/35726)) ([d16dc7e](https://github.com/aws/aws-cdk/commit/d16dc7e433c4986f3473b2992ba36bee9fb64f1e)), closes [#27762](https://github.com/aws/aws-cdk/issues/27762)
+* **mixins:** helpers to convert between Aspects and Mixins ([#37235](https://github.com/aws/aws-cdk/issues/37235)) ([4537f69](https://github.com/aws/aws-cdk/commit/4537f694f7b8da5fa038b994031998c85bfbe3c8))
+* **spec2cdk:** add `actions()` method to Grants classes ([#36987](https://github.com/aws/aws-cdk/issues/36987)) ([bbeaf5d](https://github.com/aws/aws-cdk/commit/bbeaf5df5aef3f926586b4fe94fbcb6f903da8ce))
+
+
+### Bug Fixes
+
+* **aws-cdk-lib:** error annotations now have error codes ([#37270](https://github.com/aws/aws-cdk/issues/37270)) ([0b9629e](https://github.com/aws/aws-cdk/commit/0b9629e421a2edc41d749af13ba058eba14342fa))
+* **eks:** clear OCI repo/version after local pull for Helm v4 compatibility ([#37142](https://github.com/aws/aws-cdk/issues/37142)) ([e6a8804](https://github.com/aws/aws-cdk/commit/e6a88047b5776a69156ef5116930e5788ee550b7)), closes [/github.com/helm/helm/blob/v3.19.0/pkg/action/install.go#L753-L769](https://github.com/aws//github.com/helm/helm/blob/v3.19.0/pkg/action/install.go/issues/L753-L769) [/github.com/helm/helm/blob/main/pkg/action/install.go#L893-L909](https://github.com/aws//github.com/helm/helm/blob/main/pkg/action/install.go/issues/L893-L909)
+* all errors now have error codes ([#36934](https://github.com/aws/aws-cdk/issues/36934)) ([408c12f](https://github.com/aws/aws-cdk/commit/408c12f0b00fede5c3a8b1d43024e961087adcfa))
+
 ## [2.243.0](https://github.com/aws/aws-cdk/compare/v2.242.0...v2.243.0) (2026-03-11)
 
 

design/mixins-facades-traits.md

@@ -23,7 +23,7 @@ graph TD
         M["<b>Mixins</b><br/>Inward-looking features<br/><i>BucketVersioning, AutoDeleteObjects</i>"]
         CFN(["<b>CFN Resource<br/>Construct</b>"])
         T["<b>Traits</b><br/>Outward advertisement of contracts<br/><i>Encryptable, HasResourcePolicy</i>"]
-        F["<b>Facades</b><br/>Simplified interfaces for integrations<br/><i>Grants, Metrics, Reflections</i>"]
+        F["<b>Facades</b><br/>Simplified interfaces for external consumers<br/><i>Grants, Metrics, Reflections</i>"]
 
         M --- CFN
         CFN --- T
@@ -63,14 +63,24 @@ the right Trait, and build custom L2s by composing these building blocks.
 
 ### Mixins
 
-Mixins are **inward-looking features** that modify a resource's own
-configuration. They are composable abstractions applied to constructs via the
-`.with()` method from the `constructs` library.
+Mixins are **inward-looking features** that extend a resource's own behavior.
+They are composable abstractions applied to constructs via the `.with()` method
+from the `constructs` library.
 
-Mixins operate on a single primary resource. While a mixin can create auxiliary
-resources (like custom resource handlers) or accept other constructs as props,
-it is not designed for integrations between two equally important resources
-(e.g. connecting an SNS Topic to an SQS Queue). For those, use a Facade.
+A Mixin is a feature *of* the target resource. The defining question is: "is
+this feature about the target resource?" If yes, it is a Mixin — regardless of
+whether it sets properties on the L1, creates auxiliary resources, or both.
+
+Mixins operate on a single primary resource. A Mixin may set properties on the
+L1 resource directly (e.g. enabling versioning), create auxiliary resources that
+serve the primary resource (e.g. a custom resource handler for auto-deletion, or
+a delivery source for vended logs), or accept other constructs as props (e.g. a
+destination log group or S3 bucket). What matters is that the feature is *about*
+the target resource — the auxiliary resources and props exist to support it.
+
+Mixins are not designed for integrations between two equally important resources
+where neither is subordinate to the other (e.g. granting a role access to a
+bucket). For those, use a Facade.
 
 Mixins target L1 (`Cfn*`) resources. When applied to an L2 construct via
 `.with()`, the mixin framework automatically delegates to the L1 default child.
@@ -90,14 +100,19 @@ Mixins target L1 (`Cfn*`) resources. When applied to an L2 construct via
 
 **When to use:**
 
-- A feature modifies the resource's own configuration.
+- The feature is *about* the target resource — it extends the resource's own
+  behavior or lifecycle.
+- The feature sets properties on the L1 resource (e.g. enabling versioning).
+- The feature creates auxiliary resources that serve the primary resource (e.g.
+  custom resource handlers, delivery sources, policy resources).
 - The feature should work with both L1 and L2 constructs.
-- The feature involves creating auxiliary resources (custom resources, policies).
 - Users should be able to compose features independently of L2 props.
 
 **When not to use:**
 
-- The feature integrates the resource with something external (use a Facade).
+- The feature serves an external consumer, not the target resource (use a
+  Facade). For example, granting a role access to a bucket is about the
+  role's needs, not the bucket's behavior.
 - The feature advertises a capability to other constructs (use a Trait).
 - You need to change the optionality of properties or change defaults (Mixins
   cannot do this).
@@ -108,8 +123,15 @@ For detailed implementation guidelines, see
 ### Facades
 
 Facades are **resource-specific simplified interfaces that provide
-integrations** for a resource with other things. They are standalone classes
-with a static factory method that accepts a resource reference interface.
+integrations** for a resource with external consumers. They are standalone
+classes with a static factory method that accepts a resource reference interface.
+
+The defining characteristic of a Facade is directionality: a Facade serves an
+*external consumer*, not the target resource. For example, `BucketGrants`
+exists to serve the grantee (a role that needs access), not the bucket. The
+bucket doesn't care about the grant — the grant exists because the consumer
+needs it. Compare this to a Mixin like `BucketAutoDeleteObjects`, which is a
+feature *of* the bucket regardless of any external consumer.
 
 Facades are always specific to a particular resource type — that is why it is
 `BucketGrants` and not just `Grants`. While Facades for different resources look
@@ -130,16 +152,15 @@ provide their own Facades for any resource without modifying `aws-cdk-lib`.
 - Accept the resource reference interface (`IBucketRef`), enabling use with
   both L1 and L2 constructs.
 - Exposed as properties on the construct interface (e.g. `readonly grants`).
-- Do not modify the resource's own configuration.
 
 **Examples:** `BucketGrants`, `TopicGrants`, `BucketMetrics`, `BucketReflection`
 
 **When to use:**
 
-- The feature provides an integration between a specific resource and something
-  external (IAM permissions, CloudWatch metrics, event patterns).
+- The feature serves an external consumer, not the target resource (e.g. IAM
+  permissions serve the grantee, CloudWatch metrics serve the operator).
 - The feature should work with both L1 and L2 constructs.
-- The feature does not modify the resource itself.
+- The feature is not *about* the target resource's own behavior.
 
 ### Traits
 

docs/DESIGN_GUIDELINES.md

@@ -213,11 +213,19 @@ distinct role and can be used independently of an L2.
 
 ### Mixins
 
-Mixins are **inward-looking features** that modify a resource's own
-configuration. They are composable abstractions applied to constructs via the
-`.with()` method. Mixins usually operate on a single primary resource and can be
-applied to L1s, L2s, or custom constructs alike. They are not designed for
-integrations between two equally important resources — use a
+Mixins are **inward-looking features** that extend a resource's own behavior.
+They are composable abstractions applied to constructs via the `.with()` method.
+
+A Mixin is a feature *of* the target resource. The defining question is: "is
+this feature about the target resource?" If yes, it is a Mixin — regardless of
+whether it sets properties on the L1, creates auxiliary resources (e.g. custom
+resource handlers, delivery sources), or both. Mixins may accept other
+constructs as props (e.g. a destination log group), but the feature remains
+about the target resource.
+
+Mixins usually operate on a single primary resource and can be applied to L1s,
+L2s, or custom constructs alike. They are not designed for features that serve
+an external consumer rather than the target resource — use a
 [Facade](#facades) for that.
 
 Examples: `BucketVersioning`, `BucketAutoDeleteObjects`, `BucketBlockPublicAccess`.
@@ -235,10 +243,12 @@ new s3.Bucket(this, 'Bucket', { removalPolicy: RemovalPolicy.DESTROY })
 
 When to use a Mixin:
 
-- A feature can be expressed as a modification to an L1 resource.
+- The feature is *about* the target resource — it extends the resource's own
+  behavior or lifecycle.
+- The feature sets properties on the L1 resource (e.g. enabling versioning).
+- The feature creates auxiliary resources that serve the primary resource (e.g.
+  custom resource handlers, delivery sources, policy resources).
 - The same feature should be applicable to both L1 and L2 constructs.
-- A feature involves creating auxiliary resources (e.g., custom resources,
-  policies) that support the primary resource.
 - You want to allow users to compose features independently of the L2
   construct's props.
 
@@ -253,10 +263,16 @@ For detailed implementation guidelines, see the
 ### Facades
 
 Facades are **resource-specific simplified interfaces that provide
-integrations** for a resource with other things. They are standalone classes
-with a static factory method (e.g., `fromBucket()` or `of()`) that accepts a
-resource reference interface. Facades are exposed as properties on the construct
-interface.
+integrations** for a resource with external consumers. They are standalone
+classes with a static factory method (e.g., `fromBucket()` or `of()`) that
+accepts a resource reference interface. Facades are exposed as properties on the
+construct interface.
+
+The defining characteristic of a Facade is directionality: a Facade serves an
+*external consumer*, not the target resource. For example, `BucketGrants`
+exists to serve the grantee (a role that needs access), not the bucket. Compare
+this to a Mixin like `BucketAutoDeleteObjects`, which is a feature *of* the
+bucket regardless of any external consumer.
 
 Facades are always specific to a particular resource type — that is why it is
 `BucketGrants` and not just `Grants`. While Facades for different resources look
@@ -284,10 +300,10 @@ grants.read(role);
 
 When to use a Facade:
 
-- The feature provides an integration between a specific resource and something
-  external (e.g., IAM permissions, CloudWatch metrics, event patterns).
+- The feature serves an external consumer, not the target resource (e.g., IAM
+  permissions serve the grantee, CloudWatch metrics serve the operator).
 - The feature should work with both L1 and L2 constructs.
-- The feature does not modify the resource's own configuration.
+- The feature is not *about* the target resource's own behavior.
 
 The [Grants](#grants) section below describes the most common Facade in detail.
 
@@ -318,8 +334,8 @@ interact with directly.
 
 | Question                                         | Mixin                           | Facade           | Trait            |
 | ------------------------------------------------ | ------------------------------- | ---------------- | ---------------- |
-| Does it modify the resource itself?              | yes                             | no               |                  |
-| Does it integrate with external things?          | no                              | yes              | yes              |
+| Is the feature *about* the target resource?      | yes                             | no               |                  |
+| Does it serve an external consumer?              | no                              | yes              | yes              |
 | Does it advertise a service-agnostic capability? | cross-service Mixins            | no               | yes              |
 | Is it specific to one resource type?             | yes                             | yes              | no               |
 | Should it work with L1 constructs?               | yes                             | yes              | yes              |
@@ -1541,6 +1557,7 @@ so on). The `grants.json` file has the following general structure:
 {
   "resources": {
     "Topic": {
+      "isEncrypted": true,
       "hasResourcePolicy": true,
       "grants": {
         "publish": {
@@ -1561,6 +1578,11 @@ so on). The `grants.json` file has the following general structure:
 where:
 
 * `Topic` - the class to generate grants for. This will lead to a class named TopicGrants.
+* `isEncrypted` - indicates whether the resource is encrypted with a KMS key. When true, the `actions()` method will
+have an `options` parameter of type `EncryptedPermissionOptions` that allows users to specify additional KMS permissions
+to be granted on the key. If left undefined, but at least one grant method includes `keyActions`, the CDK will assume 
+that the resource is encrypted and the same behavior will apply. Note that if `isEncrypted` is explicitly set to false, 
+it is an error to specify `keyActions` in any of the grants.
 * `hasResourcePolicy` - indicates whether the resource supports a resource policy. When true, all auto-generated methods in the Grants class will attempt to add statements to the resource policy when applicable. When false, the methods will only modify the principal's policy.
 * `publish` - the name of a grant.
 * `actions` - the actions to encompass in the grant.

docs/MIXINS_DESIGN_GUIDELINES.md

@@ -13,14 +13,20 @@ For an overview of how Mixins relate to Facades and Traits, see the
 
 Mixins are appropriate when:
 
-- A feature can be expressed as a modification to an L1 resource (e.g.,
-  enabling versioning on a bucket).
+- The feature is *about* the target resource — it extends the resource's own
+  behavior or lifecycle.
+- The feature sets properties on the L1 resource (e.g., enabling versioning on
+  a bucket).
+- The feature creates auxiliary resources that serve the primary resource (e.g.,
+  custom resource handlers, delivery sources, policy resources).
 - The same feature should be applicable to both L1 and L2 constructs.
-- A feature involves creating auxiliary resources (e.g., custom resources,
-  policies) that support the primary resource.
 - You want to allow users to compose features independently of the L2
   construct's props.
 
+Mixins are _not_ appropriate when the feature serves an external consumer rather
+than the target resource (use a Facade). For example, granting a role access to
+a bucket is about the role's needs, not the bucket's behavior.
+
 Mixins are _not_ a replacement for construct properties. They cannot change the
 optionality of properties or change defaults.