feat(sources): update documentation

[aws-cdk-automation]

⚠️ This Pull Request updates daily and will overwrite all manual changes pushed to the branch

Updates the documentation source from upstream. See details in workflow run.

---

Automatically created by projen via the "update-source-documentation" workflow

[github-actions]

To work on this Pull Request, please create a new branch and PR. This prevents your work from being deleted by the automation.

Run the following commands inside the repo:

gh co 739
git switch -c fix-pr-739 && git push -u origin HEAD
gh pr create -t "fix: PR #739" --body "Fixes https://github.com/cdklabs/awscdk-service-spec/pull/739"

[github-actions]

@aws-cdk/aws-service-spec: Model database diff detected

├[~] service aws-accessanalyzer
│ └ resources
│    └[~] resource AWS::AccessAnalyzer::Analyzer
│      ├ properties
│      │  ├ ArchiveRules: (documentation changed)
│      │  └ Type: (documentation changed)
│      └ types
│         ├[~] type ArchiveRule
│         │ ├  - documentation: The criteria for an archive rule.
│         │ │  + documentation: Contains information about an archive rule.
│         │ └ properties
│         │    └ RuleName: (documentation changed)
│         └[~] type Filter
│           └  - documentation: The criteria that defines the rule.
│              To learn about filter keys that you can use to create an archive rule, see [filter keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html) in the *User Guide* .
│              + documentation: The criteria that defines the archive rule.
│              To learn about filter keys that you can use to create an archive rule, see [filter keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html) in the *User Guide* .
├[~] service aws-internetmonitor
│ └ resources
│    └[~] resource AWS::InternetMonitor::Monitor
│      └ types
│         ├[~] type InternetMeasurementsLogDelivery
│         │ └ properties
│         │    └ S3Config: (documentation changed)
│         └[~] type S3Config
│           ├  - documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs.
│           │  + documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to S3 logs, and `DISABLED` otherwise.
│           │  The measurements are also published to Amazon CloudWatch Logs.
│           └ properties
│              ├ BucketName: (documentation changed)
│              ├ BucketPrefix: (documentation changed)
│              └ LogDeliveryStatus: (documentation changed)
├[~] service aws-rolesanywhere
│ └ resources
│    ├[~] resource AWS::RolesAnywhere::Profile
│    │ ├  - documentation: Creates a *profile* , a list of the roles that Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.
│    │ │  *Required permissions:* `rolesanywhere:CreateProfile` .
│    │ │  + documentation: Creates a Profile.
│    │ └ properties
│    │    ├ DurationSeconds: (documentation changed)
│    │    ├ Enabled: (documentation changed)
│    │    ├ ManagedPolicyArns: (documentation changed)
│    │    ├ Name: (documentation changed)
│    │    ├ RequireInstanceProperties: (documentation changed)
│    │    ├ RoleArns: (documentation changed)
│    │    ├ SessionPolicy: (documentation changed)
│    │    └ Tags: (documentation changed)
│    └[~] resource AWS::RolesAnywhere::TrustAnchor
│      ├  - documentation: Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an AWS Private Certificate Authority ( AWS Private CA ) or by uploading a CA certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary AWS credentials.
│      │  *Required permissions:* `rolesanywhere:CreateTrustAnchor` .
│      │  + documentation: Creates a TrustAnchor.
│      └ types
│         ├[~] type Source
│         │ ├  - documentation: The trust anchor type and its related certificate data.
│         │ │  + documentation: Object representing the TrustAnchor type and its related certificate data.
│         │ └ properties
│         │    ├ SourceData: (documentation changed)
│         │    └ SourceType: (documentation changed)
│         └[~] type SourceData
│           └  - documentation: The data field of the trust anchor depending on its type.
│              + documentation: A union object representing the data field of the TrustAnchor depending on its type
└[~] service aws-s3express
  └ resources
     ├[~] resource AWS::S3Express::BucketPolicy
     │ ├  - documentation: Resource Type definition for AWS::S3Express::BucketPolicy.
     │ │  + documentation: Applies an Amazon S3 bucket policy to an Amazon S3 directory bucket.
     │ │  - **Permissions** - If you are using an identity other than the root user of the AWS account that owns the bucket, the calling identity must both have the required permissions on the specified bucket and belong to the bucket owner's account in order to use this operation. For more information about directory bucket policies and permissions, see [AWS Identity and Access Management (IAM) for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html) in the *Amazon S3 User Guide* .
     │ │  > To ensure that bucket owners don't inadvertently lock themselves out of their own buckets, the root principal in a bucket owner's AWS account can perform the `GetBucketPolicy` , `PutBucketPolicy` , and `DeleteBucketPolicy` API actions, even if their bucket policy explicitly denies the root principal's access. Bucket owner root principals can only be blocked from performing these API actions by VPC endpoint policies and AWS Organizations policies. 
     │ │  The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
     │ │  - Create
     │ │  - s3express:GetBucketPolicy
     │ │  - s3express:PutBucketPolicy
     │ │  - Read
     │ │  - s3express:GetBucketPolicy
     │ │  - Update
     │ │  - s3express:GetBucketPolicy
     │ │  - s3express:PutBucketPolicy
     │ │  - Delete
     │ │  - s3express:GetBucketPolicy
     │ │  - s3express:DeleteBucketPolicy
     │ │  - List
     │ │  - s3express:GetBucketPolicy
     │ │  - s3express:ListAllMyDirectoryBuckets
     │ │  For more information about example bucket policies, see [Example bucket policies for S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html) in the *Amazon S3 User Guide* .
     │ │  The following operations are related to `AWS::S3Express::BucketPolicy` :
     │ │  - [PutBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html)
     │ │  - [GetBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicy.html)
     │ │  - [DeleteBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html)
     │ │  - [ListDirectoryBuckets](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListDirectoryBuckets.html)
     │ └ properties
     │    └ PolicyDocument: (documentation changed)
     └[~] resource AWS::S3Express::DirectoryBucket
       ├  - documentation: Resource Type definition for AWS::S3Express::DirectoryBucket.
       │  + documentation: The `AWS::S3Express::DirectoryBucket` resource creates an Amazon S3 directory bucket in the same AWS Region where you create the AWS CloudFormation stack.
       │  To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to *retain* the bucket or to *delete* the bucket. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
       │  > You can only delete empty buckets. Deletion fails for buckets that have contents. 
       │  - **Permissions** - The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
       │  - Create
       │  - s3express:CreateBucket
       │  - s3express:ListAllMyDirectoryBuckets
       │  - Read
       │  - s3express:ListAllMyDirectoryBuckets
       │  - Delete
       │  - s3express:DeleteBucket
       │  - s3express:ListAllMyDirectoryBuckets
       │  - List
       │  - s3express:ListAllMyDirectoryBuckets
       │  The following operations are related to `AWS::S3Express::DirectoryBucket` :
       │  - [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
       │  - [ListDirectoryBuckets](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListDirectoryBuckets.html)
       │  - [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html)
       ├ properties
       │  ├ BucketName: (documentation changed)
       │  ├ DataRedundancy: (documentation changed)
       │  └ LocationName: (documentation changed)
       └ attributes
          └ Arn: (documentation changed)