diff --git a/packages/@aws-cdk/aws-apigateway/lib/api-key.ts b/packages/@aws-cdk/aws-apigateway/lib/api-key.ts
index c6dd3e8c44dbd..1852ab0a42ad1 100644
--- a/packages/@aws-cdk/aws-apigateway/lib/api-key.ts
+++ b/packages/@aws-cdk/aws-apigateway/lib/api-key.ts
@@ -165,7 +165,7 @@ export class ApiKey extends ApiKeyBase {
     const resource = new CfnApiKey(this, 'Resource', {
       customerId: props.customerId,
       description: props.description,
-      enabled: props.enabled || true,
+      enabled: props.enabled ?? true,
       generateDistinctId: props.generateDistinctId,
       name: this.physicalName,
       stageKeys: this.renderStageKeys(props.resources),
diff --git a/packages/@aws-cdk/aws-apigateway/test/api-key.test.ts b/packages/@aws-cdk/aws-apigateway/test/api-key.test.ts
index a929519d39c5a..3008568ce2de4 100644
--- a/packages/@aws-cdk/aws-apigateway/test/api-key.test.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/api-key.test.ts
@@ -17,10 +17,33 @@ describe('api key', () => {
     // should have an api key with no props defined.
   });
 
+
+  test('enabled flag is respected', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new apigateway.ApiKey(stack, 'my-api-key', {
+      enabled: false,
+      value: 'arandomstringwithmorethantwentycharacters',
+    });
+
+    // THEN
+    expect(stack).toHaveResource('AWS::ApiGateway::ApiKey', {
+      Enabled: false,
+      Value: 'arandomstringwithmorethantwentycharacters',
+    });
+  });
+
+
   test('specify props for apiKey', () => {
     // GIVEN
     const stack = new cdk.Stack();
-    const api = new apigateway.RestApi(stack, 'test-api', { cloudWatchRole: false, deploy: true, deployOptions: { stageName: 'test' } });
+    const api = new apigateway.RestApi(stack, 'test-api', {
+      cloudWatchRole: false,
+      deploy: true,
+      deployOptions: { stageName: 'test' },
+    });
     api.root.addMethod('GET'); // api must have atleast one method.
 
     // WHEN
@@ -61,7 +84,11 @@ describe('api key', () => {
   test('use an imported api key', () => {
     // GIVEN
     const stack = new cdk.Stack();
-    const api = new apigateway.RestApi(stack, 'test-api', { cloudWatchRole: false, deploy: true, deployOptions: { stageName: 'test' } });
+    const api = new apigateway.RestApi(stack, 'test-api', {
+      cloudWatchRole: false,
+      deploy: true,
+      deployOptions: { stageName: 'test' },
+    });
     api.root.addMethod('GET'); // api must have atleast one method.
 
     // WHEN
@@ -83,7 +110,11 @@ describe('api key', () => {
     // GIVEN
     const stack = new cdk.Stack();
     const user = new iam.User(stack, 'User');
-    const api = new apigateway.RestApi(stack, 'test-api', { cloudWatchRole: false, deploy: true, deployOptions: { stageName: 'test' } });
+    const api = new apigateway.RestApi(stack, 'test-api', {
+      cloudWatchRole: false,
+      deploy: true,
+      deployOptions: { stageName: 'test' },
+    });
     api.root.addMethod('GET'); // api must have atleast one method.
 
     // WHEN
@@ -130,7 +161,11 @@ describe('api key', () => {
     // GIVEN
     const stack = new cdk.Stack();
     const user = new iam.User(stack, 'User');
-    const api = new apigateway.RestApi(stack, 'test-api', { cloudWatchRole: false, deploy: true, deployOptions: { stageName: 'test' } });
+    const api = new apigateway.RestApi(stack, 'test-api', {
+      cloudWatchRole: false,
+      deploy: true,
+      deployOptions: { stageName: 'test' },
+    });
     api.root.addMethod('GET'); // api must have atleast one method.
 
     // WHEN
@@ -182,7 +217,11 @@ describe('api key', () => {
     // GIVEN
     const stack = new cdk.Stack();
     const user = new iam.User(stack, 'User');
-    const api = new apigateway.RestApi(stack, 'test-api', { cloudWatchRole: false, deploy: true, deployOptions: { stageName: 'test' } });
+    const api = new apigateway.RestApi(stack, 'test-api', {
+      cloudWatchRole: false,
+      deploy: true,
+      deployOptions: { stageName: 'test' },
+    });
     api.root.addMethod('GET'); // api must have atleast one method.
 
     // WHEN
@@ -253,7 +292,11 @@ describe('api key', () => {
     test('only api key is created when rate limiting properties are not provided', () => {
       // GIVEN
       const stack = new cdk.Stack();
-      const api = new apigateway.RestApi(stack, 'test-api', { cloudWatchRole: false, deploy: true, deployOptions: { stageName: 'test' } });
+      const api = new apigateway.RestApi(stack, 'test-api', {
+        cloudWatchRole: false,
+        deploy: true,
+        deployOptions: { stageName: 'test' },
+      });
       api.root.addMethod('GET'); // api must have atleast one method.
 
       // WHEN
@@ -281,7 +324,11 @@ describe('api key', () => {
     test('api key and usage plan are created and linked when rate limiting properties are provided', () => {
       // GIVEN
       const stack = new cdk.Stack();
-      const api = new apigateway.RestApi(stack, 'test-api', { cloudWatchRole: false, deploy: true, deployOptions: { stageName: 'test' } });
+      const api = new apigateway.RestApi(stack, 'test-api', {
+        cloudWatchRole: false,
+        deploy: true,
+        deployOptions: { stageName: 'test' },
+      });
       api.root.addMethod('GET'); // api must have atleast one method.
 
       // WHEN
diff --git a/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts b/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts
index fa1068025c657..d8d5c91f41507 100644
--- a/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts
+++ b/packages/@aws-cdk/aws-rds/lib/cluster-engine.ts
@@ -334,6 +334,8 @@ export class AuroraMysqlEngineVersion {
   public static readonly VER_2_09_1 = AuroraMysqlEngineVersion.builtIn_5_7('2.09.1');
   /** Version "5.7.mysql_aurora.2.09.2". */
   public static readonly VER_2_09_2 = AuroraMysqlEngineVersion.builtIn_5_7('2.09.2');
+  /** Version "5.7.mysql_aurora.2.09.3". */
+  public static readonly VER_2_09_3 = AuroraMysqlEngineVersion.builtIn_5_7('2.09.3');
   /** Version "5.7.mysql_aurora.2.10.0". */
   public static readonly VER_2_10_0 = AuroraMysqlEngineVersion.builtIn_5_7('2.10.0');
   /** Version "5.7.mysql_aurora.2.10.1". */
diff --git a/packages/@aws-cdk/aws-s3-deployment/README.md b/packages/@aws-cdk/aws-s3-deployment/README.md
index f9bff70495c1d..1b86bb4fa92e4 100644
--- a/packages/@aws-cdk/aws-s3-deployment/README.md
+++ b/packages/@aws-cdk/aws-s3-deployment/README.md
@@ -9,8 +9,6 @@
 
 <!--END STABILITY BANNER-->
 
-> __Status: Experimental__
-
 This library allows populating an S3 bucket with the contents of .zip files
 from other S3 buckets or from local disk.
 
@@ -278,12 +276,14 @@ new s3deploy.BucketDeployment(this, 'DeployMeWithEfsStorage', {
   which can be deployed into the bucket by this timeout.
 - When the `BucketDeployment` is removed from the stack, the contents are retained
   in the destination bucket ([#952](https://github.com/aws/aws-cdk/issues/952)).
-- Bucket deployment _only happens_ during stack create/update. This means that
-  if you wish to update the contents of the destination, you will need to
-  change the source s3 key (or bucket), so that the resource will be updated.
-  This is inline with best practices. If you use local disk assets, this will
-  happen automatically whenever you modify the asset, since the S3 key is based
-  on a hash of the asset contents.
+- If you are using `s3deploy.Source.bucket()` to take the file source from
+  another bucket: the deployed files will only be updated if the key (file name)
+  of the file in the source  bucket changes. Mutating the file in place will not
+  be good enough: the custom resource will simply not run if the properties don't
+  change.
+  - If you use assets (`s3deploy.Source.asset()`) you don't need to worry
+    about this: the asset system will make sure that if the files have changed, 
+    the file name is unique and the deployment will run.
 
 ## Development
 
diff --git a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
index 1be4360363dcc..fa5bc72955461 100644
--- a/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
+++ b/packages/@aws-cdk/cfnspec/spec-source/cfn-docs/cfn-docs.json
@@ -512,7 +512,7 @@
       "properties": {
         "AccessToken": "Personal Access token for 3rd party source control system for an Amplify app, used to create webhook and read-only deploy key. Token is not stored.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 255.",
         "AutoBranchCreationConfig": "Sets the configuration for your automatic branch creation.",
-        "BasicAuthConfig": "The credentials for basic authorization for an Amplify app.",
+        "BasicAuthConfig": "The credentials for basic authorization for an Amplify app. You must base64-encode the authorization credentials and provide them in the format `user:password` .",
         "BuildSpec": "The build specification (build spec) for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 25000.\n\n*Pattern:* (?s).+",
         "CustomHeaders": "The custom HTTP headers for an Amplify app.\n\n*Length Constraints:* Minimum length of 0. Maximum length of 25000.\n\n*Pattern:* (?s).*",
         "CustomRules": "The custom rewrite and redirect rules for an Amplify app.",
@@ -577,7 +577,7 @@
       "description": "The AWS::Amplify::Branch resource creates a new branch within an app.",
       "properties": {
         "AppId": "The unique ID for an Amplify app.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 20.\n\n*Pattern:* d[a-z0-9]+",
-        "BasicAuthConfig": "The basic authorization credentials for a branch of an Amplify app.",
+        "BasicAuthConfig": "The basic authorization credentials for a branch of an Amplify app. You must base64-encode the authorization credentials and provide them in the format `user:password` .",
         "BranchName": "The name for the branch.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 255.\n\n*Pattern:* (?s).+",
         "BuildSpec": "The build specification (build spec) for the branch.\n\n*Length Constraints:* Minimum length of 1. Maximum length of 25000.\n\n*Pattern:* (?s).+",
         "Description": "The description for the branch that is part of an Amplify app.\n\n*Length Constraints:* Maximum length of 1000.\n\n*Pattern:* (?s).*",
@@ -13198,7 +13198,7 @@
       "description": "Specifies a VPC attachment.",
       "properties": {
         "AddSubnetIds": "The IDs of one or more subnets to add. You can specify at most one subnet per Availability Zone.",
-        "Options": "The VPC attachment options.\n\n- DnsSupport (enable | disable)\n- Ipv6Support (enable| disable)\n- ApplianceModeSupport (enable | disable)",
+        "Options": "The VPC attachment options in JSON or YAML.\n\n- DnsSupport (enable | disable)\n- Ipv6Support (enable| disable)\n- ApplianceModeSupport (enable | disable)",
         "RemoveSubnetIds": "The IDs of one or more subnets to remove.",
         "SubnetIds": "The IDs of the subnets.",
         "Tags": "The tags for the VPC attachment.",
@@ -15246,7 +15246,7 @@
         "SnapshotWindow": "The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your node group (shard).\n\nExample: `05:00-09:00`\n\nIf you do not specify this parameter, ElastiCache automatically chooses an appropriate time range.",
         "SnapshottingClusterId": "The cluster ID that is used as the daily snapshot source for the replication group. This parameter cannot be set for Redis (cluster mode enabled) replication groups.",
         "Tags": "A list of tags to be added to this resource. Tags are comma-separated key,value pairs (e.g. Key= `myKey` , Value= `myKeyValue` . You can include multiple tags as shown following: Key= `myKey` , Value= `myKeyValue` Key= `mySecondKey` , Value= `mySecondKeyValue` . Tags on replication groups will be replicated to all nodes.",
-        "TransitEncryptionEnabled": "A flag that enables in-transit encryption when set to `true` .\n\nYou cannot modify the value of `TransitEncryptionEnabled` after the cluster is created. To enable in-transit encryption on a cluster you must set `TransitEncryptionEnabled` to `true` when you create a cluster.\n\nThis parameter is valid only if the `Engine` parameter is `redis` , the `EngineVersion` parameter is `3.2.6` or `4.x` or `5.x` , and the cluster is being created in an Amazon VPC.\n\nIf you enable in-transit encryption, you must also specify a value for `CacheSubnetGroup` .\n\n*Required:* Only available when creating a replication group in an Amazon VPC using redis version `3.2.6` or `4.x` onward.\n\nDefault: `false`\n\n> For HIPAA compliance, you must specify `TransitEncryptionEnabled` as `true` , an `AuthToken` , and a `CacheSubnetGroup` .",
+        "TransitEncryptionEnabled": "A flag that enables in-transit encryption when set to `true` .\n\nYou cannot modify the value of `TransitEncryptionEnabled` after the cluster is created. To enable in-transit encryption on a cluster you must set `TransitEncryptionEnabled` to `true` when you create a cluster.\n\nThis parameter is valid only if the `Engine` parameter is `redis` , the `EngineVersion` parameter is `3.2.6` or `4.x` onward, and the cluster is being created in an Amazon VPC.\n\nIf you enable in-transit encryption, you must also specify a value for `CacheSubnetGroup` .\n\n*Required:* Only available when creating a replication group in an Amazon VPC using redis version `3.2.6` or `4.x` onward.\n\nDefault: `false`\n\n> For HIPAA compliance, you must specify `TransitEncryptionEnabled` as `true` , an `AuthToken` , and a `CacheSubnetGroup` .",
         "UserGroupIds": "The list of user groups to associate with the replication group."
       }
     },