aws
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.glue-task.js.snapshot/aws-stepfunctions-integ.template.json‎
Lines changed: 233 additions & 233 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.glue-task.js.snapshot/aws-stepfunctions-integ.template.json‎
Lines changed: 233 additions & 233 deletions
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.start-job-run.js.snapshot/aws-stepfunctions-integ.template.json‎
Lines changed: 233 additions & 233 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.start-job-run.js.snapshot/aws-stepfunctions-integ.template.json‎
Lines changed: 233 additions & 233 deletions
diff --git a/‎packages/@aws-cdk/aws-pipes-enrichments-alpha/test/__snapshots__/stepfunctions.test.ts.snap‎
Lines changed: 1 addition & 9 deletions b/‎packages/@aws-cdk/aws-pipes-enrichments-alpha/test/__snapshots__/stepfunctions.test.ts.snap‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap‎
Lines changed: 3 additions & 27 deletions b/‎packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap‎
Lines changed: 3 additions & 27 deletions
diff --git a/‎packages/@aws-cdk/cx-api/FEATURE_FLAGS.md‎
Lines changed: 2 additions & 20 deletions b/‎packages/@aws-cdk/cx-api/FEATURE_FLAGS.md‎
Lines changed: 2 additions & 20 deletions
diff --git a/‎packages/aws-cdk-lib/aws-codedeploy/test/ecs/deployment-group.test.ts‎
Lines changed: 1 addition & 9 deletions b/‎packages/aws-cdk-lib/aws-codedeploy/test/ecs/deployment-group.test.ts‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎packages/aws-cdk-lib/aws-codedeploy/test/lambda/deployment-group.test.ts‎
Lines changed: 1 addition & 9 deletions b/‎packages/aws-cdk-lib/aws-codedeploy/test/lambda/deployment-group.test.ts‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts‎
Lines changed: 10 additions & 3 deletions b/‎packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/principals.ts‎
Lines changed: 16 additions & 31 deletions b/‎packages/aws-cdk-lib/aws-iam/lib/principals.ts‎
Lines changed: 16 additions & 31 deletions
diff --git a/‎packages/aws-cdk-lib/aws-iam/test/policy-document.test.ts‎
Lines changed: 1 addition & 16 deletions b/‎packages/aws-cdk-lib/aws-iam/test/policy-document.test.ts‎
Lines changed: 1 addition & 16 deletions
@@ -10,15 +10,7 @@ exports[`stepfunctions should grant pipe role invoke access 1`] = `
             "Action": "sts:AssumeRole",
             "Effect": "Allow",
             "Principal": {
-              "Service": {
-                "Fn::FindInMap": [
-                  "ServiceprincipalMap",
-                  {
-                    "Ref": "AWS::Region",
-                  },
-                  "states",
-                ],
-              },
+              "Service": "states.amazonaws.com",
             },
           },
         ],
 
@@ -27,15 +27,7 @@ exports[`step-function should grant pipe role push access (StartAsyncExecution)
             "Action": "sts:AssumeRole",
             "Effect": "Allow",
             "Principal": {
-              "Service": {
-                "Fn::FindInMap": [
-                  "ServiceprincipalMap",
-                  {
-                    "Ref": "AWS::Region",
-                  },
-                  "states",
-                ],
-              },
+              "Service": "states.amazonaws.com",
             },
           },
         ],
@@ -74,15 +66,7 @@ exports[`step-function should grant pipe role push access (StartAsyncExecution)
             "Action": "sts:AssumeRole",
             "Effect": "Allow",
             "Principal": {
-              "Service": {
-                "Fn::FindInMap": [
-                  "ServiceprincipalMap",
-                  {
-                    "Ref": "AWS::Region",
-                  },
-                  "states",
-                ],
-              },
+              "Service": "states.amazonaws.com",
             },
           },
         ],
@@ -121,15 +105,7 @@ exports[`step-function should grant pipe role push access (StartSyncExecution) w
             "Action": "sts:AssumeRole",
             "Effect": "Allow",
             "Principal": {
-              "Service": {
-                "Fn::FindInMap": [
-                  "ServiceprincipalMap",
-                  {
-                    "Ref": "AWS::Region",
-                  },
-                  "states",
-                ],
-              },
+              "Service": "states.amazonaws.com",
             },
           },
         ],
 
@@ -38,7 +38,6 @@ Flags come in three types:
 | [@aws-cdk/core:enablePartitionLiterals](#aws-cdkcoreenablepartitionliterals) | Make ARNs concrete if AWS partition is known | 2.38.0 | (fix) |
 | [@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker](#aws-cdkaws-ecsdisableexplicitdeploymentcontrollerforcircuitbreaker) | Avoid setting the "ECS" deployment controller when adding a circuit breaker | 2.51.0 | (fix) |
 | [@aws-cdk/aws-events:eventsTargetQueueSameAccount](#aws-cdkaws-eventseventstargetqueuesameaccount) | Event Rules may only push to encrypted SQS queues in the same account | 2.51.0 | (fix) |
-| [@aws-cdk/aws-iam:standardizedServicePrincipals](#aws-cdkaws-iamstandardizedserviceprincipals) | Use standardized (global) service principals everywhere | 2.51.0 | (fix) |
 | [@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName](#aws-cdkaws-iamimportedrolestacksafedefaultpolicyname) | Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in. | 2.60.0 | (fix) |
 | [@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy](#aws-cdkaws-s3serveraccesslogsusebucketpolicy) | Use S3 Bucket Policy instead of ACLs for Server Access Logging | 2.60.0 | (fix) |
 | [@aws-cdk/customresources:installLatestAwsSdkDefault](#aws-cdkcustomresourcesinstalllatestawssdkdefault) | Whether to install the latest SDK by default in AwsCustomResource | 2.60.0 | (default) |
@@ -72,7 +71,7 @@ Flags come in three types:
 | [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) |
 | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
 | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) |
-| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | V2NEXT | (fix) |
+| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | 2.148.0 | (fix) |
 
 <!-- END table -->
 
@@ -101,7 +100,6 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
     "@aws-cdk/core:enablePartitionLiterals": true,
     "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
-    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
     "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
     "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
     "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
@@ -748,22 +746,6 @@ always apply, regardless of the value of this flag.
 | 2.51.0 | `false` | `true` |
 
 
-### @aws-cdk/aws-iam:standardizedServicePrincipals
-
-*Use standardized (global) service principals everywhere* (fix)
-
-We used to maintain a database of exceptions to Service Principal names in various regions. This database
-is no longer necessary: all service principals names have been standardized to their global form (`SERVICE.amazonaws.com`).
-
-This flag disables use of that exceptions database and always uses the global service principal.
-
-
-| Since | Default | Recommended |
-| ----- | ----- | ----- |
-| (not in v1) |  |  |
-| 2.51.0 | `false` | `true` |
-
-
 ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName
 
 *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix)
@@ -1370,7 +1352,7 @@ for more details.
 | Since | Default | Recommended |
 | ----- | ----- | ----- |
 | (not in v1) |  |  |
-| V2NEXT | `false` | `true` |
+| 2.148.0 | `false` | `true` |
 
 
 <!-- END details -->
@@ -140,15 +140,7 @@ describe('CodeDeploy ECS DeploymentGroup', () => {
           Action: 'sts:AssumeRole',
           Effect: 'Allow',
           Principal: {
-            Service: {
-              'Fn::FindInMap': [
-                'ServiceprincipalMap',
-                {
-                  Ref: 'AWS::Region',
-                },
-                'codedeploy',
-              ],
-            },
+            Service: 'codedeploy.amazonaws.com',
           },
         }],
         Version: '2012-10-17',
 
@@ -94,15 +94,7 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
           Action: 'sts:AssumeRole',
           Effect: 'Allow',
           Principal: {
-            Service: {
-              'Fn::FindInMap': [
-                'ServiceprincipalMap',
-                {
-                  Ref: 'AWS::Region',
-                },
-                'codedeploy',
-              ],
-            },
+            Service: 'codedeploy.amazonaws.com',
           },
         }],
         Version: '2012-10-17',
 
@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { CfnVPCEndpointService, CfnVPCEndpointServicePermissions } from './ec2.generated';
 import { ArnPrincipal } from '../../aws-iam';
 import { Aws, Fn, IResource, Resource, Stack, Token } from '../../core';
-import { Default, RegionInfo } from '../../region-info';
+import { RegionInfo } from '../../region-info';
 
 /**
  * A load balancer that can host a VPC Endpoint Service
@@ -46,6 +46,13 @@ export interface IVpcEndpointService extends IResource {
  */
 export class VpcEndpointService extends Resource implements IVpcEndpointService {
 
+  /**
+   * The default value for a VPC Endpoint Service name prefix, useful if you do
+   * not have a synthesize-time region literal available (all you have is
+   * `{ "Ref": "AWS::Region" }`)
+   */
+  public static readonly DEFAULT_PREFIX = 'com.amazonaws.vpce';
+
   /**
    * One or more network load balancers to host the service.
    * @attribute
@@ -119,8 +126,8 @@ export class VpcEndpointService extends Resource implements IVpcEndpointService
 
     const { region } = Stack.of(this);
     const serviceNamePrefix = !Token.isUnresolved(region) ?
-      (RegionInfo.get(region).vpcEndpointServiceNamePrefix ?? Default.VPC_ENDPOINT_SERVICE_NAME_PREFIX) :
-      Default.VPC_ENDPOINT_SERVICE_NAME_PREFIX;
+      (RegionInfo.get(region).vpcEndpointServiceNamePrefix ?? VpcEndpointService.DEFAULT_PREFIX) :
+      VpcEndpointService.DEFAULT_PREFIX;
 
     this.vpcEndpointServiceName = Fn.join('.', [serviceNamePrefix, Aws.REGION, this.vpcEndpointServiceId]);
     if (this.allowedPrincipals.length > 0) {
 
@@ -6,8 +6,7 @@ import { defaultAddPrincipalToAssumeRole } from './private/assume-role-policy';
 import { LITERAL_STRING_KEY, mergePrincipal } from './private/util';
 import { ISamlProvider } from './saml-provider';
 import * as cdk from '../../core';
-import * as cxapi from '../../cx-api';
-import { Default, FactName, RegionInfo } from '../../region-info';
+import { RegionInfo } from '../../region-info';
 
 /**
  * Any object that has an associated principal that a permission can be granted to
@@ -541,11 +540,13 @@ export class ServicePrincipal extends PrincipalBase {
    * These days all service principal names are standardized, and they are all
    * of the form `<servicename>.amazonaws.com`.
    *
-   * If the feature flag `@aws-cdk/aws-iam:standardizedServicePrincipals` is set, this
-   * method will always return its input. If this feature flag is not set, this
-   * method will perform the legacy behavior, which appends the region-specific
-   * domain suffix for some select services (for example, it would append `.cn`
-   * to some service principal names).
+   * To avoid breaking changes, handling is provided for services added with the formats below,
+   * however, no additional handling will be added for new regions or partitions.
+   *   - s3
+   *   - s3.amazonaws.com
+   *   - s3.amazonaws.com.cn
+   *   - s3.c2s.ic.gov
+   *   - s3.sc2s.sgov.gov
    *
    * @example
    * const principalName = iam.ServicePrincipal.servicePrincipalName('ec2.amazonaws.com');
@@ -942,44 +943,28 @@ class ServicePrincipalToken implements cdk.IResolvable {
   }
 
   public resolve(ctx: cdk.IResolveContext) {
-    return cdk.FeatureFlags.of(ctx.scope).isEnabled(cxapi.IAM_STANDARDIZED_SERVICE_PRINCIPALS)
-      ? this.newStandardizedBehavior(ctx)
-      : this.legacyBehavior(ctx);
-
-    // The correct behavior is to always use the global service principal
+    return this.newStandardizedBehavior(ctx);
   }
 
   /**
    * Return the global (original) service principal, and a second one if region is given and points to an opt-in region
    */
   private newStandardizedBehavior(ctx: cdk.IResolveContext) {
     const stack = cdk.Stack.of(ctx.scope);
+
+    // If the user had previously set the feature flag to `false` we would allow them to provide only the service name instead of the
+    // entire service principal. We can't break them so now everyone gets to do it!
+    const match = this.service.match(/^([^.]+)(?:(?:\.amazonaws\.com(?:\.cn)?)|(?:\.c2s\.ic\.gov)|(?:\.sc2s\.sgov\.gov))?$/);
+    const service = match ? `${match[1]}.amazonaws.com` : this.service;
     if (
       this.opts.region &&
       !cdk.Token.isUnresolved(this.opts.region) &&
       stack.region !== this.opts.region &&
       RegionInfo.get(this.opts.region).isOptInRegion
     ) {
-      return this.service.replace(/\.amazonaws\.com$/, `.${this.opts.region}.amazonaws.com`);
-    }
-    return this.service;
-  }
-
-  /**
-   * Do a single lookup
-   */
-  private legacyBehavior(ctx: cdk.IResolveContext) {
-    if (this.opts.region) {
-      // Special case, handle it separately to not break legacy behavior.
-      return RegionInfo.get(this.opts.region).servicePrincipal(this.service) ??
-        Default.servicePrincipal(this.service, this.opts.region, cdk.Aws.URL_SUFFIX);
+      return service.replace(/\.amazonaws\.com$/, `.${this.opts.region}.amazonaws.com`);
     }
-
-    const stack = cdk.Stack.of(ctx.scope);
-    return stack.regionalFact(
-      FactName.servicePrincipal(this.service),
-      Default.servicePrincipal(this.service, stack.region, cdk.Aws.URL_SUFFIX),
-    );
+    return service;
   }
 
   public toString() {
 
@@ -1,4 +1,3 @@
-import { testDeprecated } from '@aws-cdk/cdk-build-tools';
 import { Template } from '../../assertions';
 import { Lazy, Stack, Token } from '../../core';
 import {
@@ -464,21 +463,7 @@ describe('IAM policy document', () => {
       expect(stack.resolve(s.toStatementJson())).toEqual({
         Effect: 'Allow',
         Action: 'test:Action',
-        Principal: { Service: 'codedeploy.cn-north-1.amazonaws.com.cn' },
-      });
-    });
-
-    // Deprecated: 'region' parameter to ServicePrincipal shouldn't be used.
-    testDeprecated('regional service principals resolve appropriately (with user-set region)', () => {
-      const stack = new Stack(undefined, undefined, { env: { region: 'cn-northeast-1' } });
-      const s = new PolicyStatement();
-      s.addActions('test:Action');
-      s.addServicePrincipal('codedeploy.amazonaws.com', { region: 'cn-north-1' });
-
-      expect(stack.resolve(s.toStatementJson())).toEqual({
-        Effect: 'Allow',
-        Action: 'test:Action',
-        Principal: { Service: 'codedeploy.cn-north-1.amazonaws.com.cn' },
+        Principal: { Service: 'codedeploy.amazonaws.com' },
       });
     });