diff --git a/packages/@aws-cdk/aws-codebuild/allowed-breaking-changes-0.36.2.txt b/packages/@aws-cdk/aws-codebuild/allowed-breaking-changes-0.36.2.txt
new file mode 100644
index 0000000000000..de05065cb7777
--- /dev/null
+++ b/packages/@aws-cdk/aws-codebuild/allowed-breaking-changes-0.36.2.txt
@@ -0,0 +1,2 @@
+change-return-type:@aws-cdk/aws-codebuild.PipelineProject.addSecondaryArtifact
+change-return-type:@aws-cdk/aws-codebuild.Project.addSecondaryArtifact
diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
index 02b0ed08152d8..2d44917c69eac 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/project.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -734,7 +734,7 @@ export class Project extends ProjectBase {
    * @param secondaryArtifact the artifact to add as a secondary artifact
    * @see https://docs.aws.amazon.com/codebuild/latest/userguide/sample-multi-in-out.html
    */
-  public addSecondaryArtifact(secondaryArtifact: IArtifacts): any {
+  public addSecondaryArtifact(secondaryArtifact: IArtifacts): void {
     if (!secondaryArtifact.identifier) {
       throw new Error("The identifier attribute is mandatory for secondary artifacts");
     }
diff --git a/packages/@aws-cdk/aws-ec2/allowed-breaking-changes-0.36.2.txt b/packages/@aws-cdk/aws-ec2/allowed-breaking-changes-0.36.2.txt
new file mode 100644
index 0000000000000..d29f0f3516a18
--- /dev/null
+++ b/packages/@aws-cdk/aws-ec2/allowed-breaking-changes-0.36.2.txt
@@ -0,0 +1 @@
+removed:@aws-cdk/aws-ec2.Port.toRuleJSON
diff --git a/packages/@aws-cdk/aws-ec2/lib/port.ts b/packages/@aws-cdk/aws-ec2/lib/port.ts
index f8117687db146..948bfbdd854d4 100644
--- a/packages/@aws-cdk/aws-ec2/lib/port.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/port.ts
@@ -183,7 +183,7 @@ export class Port {
   /**
    * Produce the ingress/egress rule JSON for the given connection
    */
-  public toRuleJSON(): any {
+  public toRuleJson(): any {
     return {
       ipProtocol: this.props.protocol,
       fromPort: this.props.fromPort,
@@ -198,4 +198,4 @@ export class Port {
 
 function renderPort(port: number) {
   return Token.isUnresolved(port) ? `{IndirectPort}` : port.toString();
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-ec2/lib/security-group.ts b/packages/@aws-cdk/aws-ec2/lib/security-group.ts
index b75e0af1db057..d05fecf0a097d 100644
--- a/packages/@aws-cdk/aws-ec2/lib/security-group.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/security-group.ts
@@ -76,7 +76,7 @@ abstract class SecurityGroupBase extends Resource implements ISecurityGroup {
       new CfnSecurityGroupIngress(scope, id, {
         groupId: this.securityGroupId,
         ...peer.toIngressRuleConfig(),
-        ...connection.toRuleJSON(),
+        ...connection.toRuleJson(),
         description
       });
     }
@@ -94,7 +94,7 @@ abstract class SecurityGroupBase extends Resource implements ISecurityGroup {
       new CfnSecurityGroupEgress(scope, id, {
         groupId: this.securityGroupId,
         ...peer.toEgressRuleConfig(),
-        ...connection.toRuleJSON(),
+        ...connection.toRuleJson(),
         description
       });
     }
@@ -298,7 +298,7 @@ export class SecurityGroup extends SecurityGroupBase {
 
     this.addDirectIngressRule({
       ...peer.toIngressRuleConfig(),
-      ...connection.toRuleJSON(),
+      ...connection.toRuleJson(),
       description
     });
   }
@@ -327,7 +327,7 @@ export class SecurityGroup extends SecurityGroupBase {
 
     const rule = {
       ...peer.toEgressRuleConfig(),
-      ...connection.toRuleJSON(),
+      ...connection.toRuleJson(),
       description
     };
 
diff --git a/packages/@aws-cdk/core/lib/stack.ts b/packages/@aws-cdk/core/lib/stack.ts
index 61897f992672e..1ed304ab23af8 100644
--- a/packages/@aws-cdk/core/lib/stack.ts
+++ b/packages/@aws-cdk/core/lib/stack.ts
@@ -390,7 +390,7 @@ export class Stack extends Construct implements ITaggable {
    * reports them as missing, and let the CLI resolve them by calling EC2
    * `DescribeAvailabilityZones` on the target environment.
    */
-  public get availabilityZones() {
+  public get availabilityZones(): string[] {
     // if account/region are tokens, we can't obtain AZs through the context
     // provider, so we fallback to use Fn::GetAZs. the current lowest common
     // denominator is 2 AZs across all AWS regions.
diff --git a/scripts/check-api-compatibility.sh b/scripts/check-api-compatibility.sh
index cf4520d852ade..fb8d57affd5bc 100755
--- a/scripts/check-api-compatibility.sh
+++ b/scripts/check-api-compatibility.sh
@@ -53,6 +53,7 @@ for i in ${!package_dirs[*]}; do
     if [[ ! -d $tmpdir/node_modules/${package_names[$i]} ]]; then continue; fi
     echo -n "${package_names[$i]}... "
     if npx jsii-diff \
+        --keys \
         --ignore-file ${package_dirs[$i]}/allowed-breaking-changes-${current_version}.txt \
         $tmpdir/node_modules/${package_names[$i]} \
         ${package_dirs[$i]} \