docs: fix various typos (#23020)

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/assert-internal/lib/assertions/have-resource-matchers.ts

@@ -422,7 +422,7 @@ export function matcherFrom(matcher: any): PropertyMatcher {
  * would show (in traditional JS fashion) something like '[function Function]', or more
  * accurately nothing at all since functions cannot be JSONified.
  *
- * We override to JSON() in order to produce a readadable version of the matcher.
+ * We override to JSON() in order to produce a readable version of the matcher.
  */
 export function annotateMatcher<A extends object>(how: A, matcher: PropertyMatcher): PropertyMatcher {
   (matcher as any).toJSON = () => how;

packages/@aws-cdk/assertions/README.md

@@ -594,7 +594,7 @@ Here are the available APIs for `Annotations`:
 The corresponding `findXxx()` API is complementary to the `hasXxx()` API, except instead
 of asserting its presence, it returns the set of matching messages.
 
-In addition, this suite of APIs is compatable with `Matchers` for more fine-grained control.
+In addition, this suite of APIs is compatible with `Matchers` for more fine-grained control.
 For example, the following assertion works as well:
 
 ```ts

packages/@aws-cdk/aws-apigateway/README.md

@@ -313,7 +313,7 @@ A usage plan specifies who can access one or more deployed API stages and method
 accessed. The plan uses API keys to identify API clients and meters access to the associated API stages for each key.
 Usage plans also allow configuring throttling limits and quota limits that are enforced on individual client API keys.
 
-The following example shows how to create and asscociate a usage plan and an API key:
+The following example shows how to create and associate a usage plan and an API key:
 
 ```ts
 declare const integration: apigateway.LambdaIntegration;

packages/@aws-cdk/aws-appmesh/lib/virtual-node-listener.ts

@@ -61,7 +61,7 @@ interface CommonHttpVirtualNodeListenerOptions extends VirtualNodeListenerCommon
 }
 
 /**
- * Represent the HTTP Node Listener prorperty
+ * Represent the HTTP Node Listener property
  */
 export interface HttpVirtualNodeListenerOptions extends CommonHttpVirtualNodeListenerOptions {
 
@@ -74,7 +74,7 @@ export interface HttpVirtualNodeListenerOptions extends CommonHttpVirtualNodeLis
 }
 
 /**
- * Represent the HTTP2 Node Listener prorperty
+ * Represent the HTTP2 Node Listener property
  */
 export interface Http2VirtualNodeListenerOptions extends CommonHttpVirtualNodeListenerOptions {
   /**
@@ -86,7 +86,7 @@ export interface Http2VirtualNodeListenerOptions extends CommonHttpVirtualNodeLi
 }
 
 /**
- * Represent the GRPC Node Listener prorperty
+ * Represent the GRPC Node Listener property
  */
 export interface GrpcVirtualNodeListenerOptions extends VirtualNodeListenerCommonOptions {
   /**
@@ -105,7 +105,7 @@ export interface GrpcVirtualNodeListenerOptions extends VirtualNodeListenerCommo
 }
 
 /**
- * Represent the TCP Node Listener prorperty
+ * Represent the TCP Node Listener property
  */
 export interface TcpVirtualNodeListenerOptions extends VirtualNodeListenerCommonOptions {
   /**

packages/@aws-cdk/aws-codebuild/README.md

@@ -104,7 +104,7 @@ const bbSource = codebuild.Source.bitBucket({
 
 ### For all Git sources
 
-For all Git sources, you can fetch submodules while cloing git repo.
+For all Git sources, you can fetch submodules while cloning git repo.
 
 ```ts
 const gitHubSource = codebuild.Source.gitHub({

packages/@aws-cdk/aws-codepipeline-actions/README.md

@@ -633,7 +633,7 @@ The actions available for updating StackSets are:
 
 * **CloudFormationDeployStackSetAction** - Create or update a CloudFormation StackSet directly from the pipeline, optionally
   immediately create and update Stack Instances as well.
-* **CloudFormationDeployStackInstancesAction** - Update outdated Stack Instaces using the current version of the StackSet.
+* **CloudFormationDeployStackInstancesAction** - Update outdated Stack Instances using the current version of the StackSet.
 
 Here's an example of using both of these actions:
 

packages/@aws-cdk/aws-cognito/README.md

@@ -72,7 +72,7 @@ new cognito.UserPool(this, 'myuserpool', {
 ```
 
 By default, usernames and email addresses in user pools are case sensitive, which means `user@example.com` and `User@example.com`
-are considered different. In most situations it is prefered to have usernames and email addresses be case insensitive so that
+are considered different. In most situations it is preferred to have usernames and email addresses be case insensitive so that
 capitalization differences are ignored. As shown above, you can make a user pool case insensitive by setting `signInCaseSensitive`
 to `false`. The case sensitivity cannot be changed once a user pool is created.
 

packages/@aws-cdk/aws-ec2/README.md

@@ -675,7 +675,7 @@ const sg = ec2.SecurityGroup.fromSecurityGroupId(this, 'SecurityGroupImport', 's
 });
 ```
 
-Alternatively, use lookup methods to import security groups if you do not know the ID or the configuration details. Method `SecurityGroup.fromLookupByName` looks up a security group if the secruity group ID is unknown.
+Alternatively, use lookup methods to import security groups if you do not know the ID or the configuration details. Method `SecurityGroup.fromLookupByName` looks up a security group if the security group ID is unknown.
 
 ```ts fixture=with-vpc
 const sg = ec2.SecurityGroup.fromLookupByName(this, 'SecurityGroupLookup', 'security-group-name', vpc);
@@ -1579,7 +1579,7 @@ For more information see
 #### Using add*Command on MultipartUserData
 
 To use the `add*Command` methods, that are inherited from the `UserData` interface, on `MultipartUserData` you must add a part
-to the `MultipartUserData` and designate it as the reciever for these methods. This is accomplished by using the `addUserDataPart()`
+to the `MultipartUserData` and designate it as the receiver for these methods. This is accomplished by using the `addUserDataPart()`
 method on `MultipartUserData` with the `makeDefault` argument set to `true`:
 
 ```ts

packages/@aws-cdk/aws-ecr/README.md

@@ -16,7 +16,7 @@ This package contains constructs for working with Amazon Elastic Container Regis
 ## Repositories
 
 Define a repository by creating a new instance of `Repository`. A repository
-holds multiple verions of a single container image.
+holds multiple versions of a single container image.
 
 ```ts
 const repository = new ecr.Repository(this, 'Repository');

packages/@aws-cdk/aws-elasticsearch/README.md

@@ -62,7 +62,7 @@ logging the domain logs and slow search logs.
 
 Some cluster configurations (e.g VPC access) require the existence of the [`AWSServiceRoleForAmazonElasticsearchService`](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/slr-es.html) Service-Linked Role.
 
-When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message simlar to:
+When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message similar to:
 
 ```console
 Before you can proceed, you must enable a service-linked role to give Amazon ES...
@@ -199,7 +199,7 @@ means anyone can access the domain using the configured master username and
 password.
 
 To enable unsigned basic auth access the domain is configured with an access
-policy that allows anyonmous requests, HTTPS required, node to node encryption,
+policy that allows anonymous requests, HTTPS required, node to node encryption,
 encryption at rest and fine grained access control.
 
 If the above settings are not set they will be configured as part of enabling

packages/@aws-cdk/aws-gamelift/README.md

@@ -289,7 +289,7 @@ fleet.addLocation('ap-southeast-1', 5, 2, 10);
 Some GameLift features require you to extend limited access to your AWS
 resources. This is done by creating an AWS IAM role. The GameLift Fleet class
 automatically created an IAM role with all the minimum necessary permissions
-for GameLift to access your ressources. If you wish, you may
+for GameLift to access your resources. If you wish, you may
 specify your own IAM role.
 
 ```ts
@@ -328,7 +328,7 @@ processes.
 
 You can then use CloudWatch alarms to alert you, for example, when matches has
 been rejected (potential matches that were rejected by at least one player
-since the last report) exceed a certain thresold which could means that you may
+since the last report) exceed a certain threshold which could means that you may
 have an issue in your matchmaking rules.
 
 CDK provides methods for accessing GameLift Fleet metrics with default configuration,
@@ -436,7 +436,7 @@ in the *Amazon GameLift FleetIQ Developer Guide*.
 
 The GameLift FleetIQ class automatically creates an IAM role with all the minimum necessary
 permissions for GameLift to access your Amazon EC2 Auto Scaling groups. If you wish, you may
-specify your own IAM role. It must have the correct permissions, or FleetIQ creation or ressource usage may fail.
+specify your own IAM role. It must have the correct permissions, or FleetIQ creation or resource usage may fail.
 
 ```ts
 declare const launchTemplate: ec2.ILaunchTemplate;
@@ -502,7 +502,7 @@ limited Spot availability.
 
 You can then use CloudWatch alarms to alert you, for example, when the portion
 of game servers that are currently supporting game executions exceed a certain
-thresold which could means that your autoscaling policy need to be adjust to
+threshold which could means that your autoscaling policy need to be adjust to
 add more instances to match with player demand.
 
 CDK provides a generic `metric` method that can be used

packages/@aws-cdk/aws-iam/README.md

@@ -45,7 +45,7 @@ declare const table: dynamodb.Table;
 table.grant(fn, 'dynamodb:PutItem');
 ```
 
-The `grant*` methods accept an `IGrantable` object. This interface is implemented by IAM principlal resources (groups, users and roles) and resources that assume a role such as a Lambda function, EC2 instance or a Codebuild project.
+The `grant*` methods accept an `IGrantable` object. This interface is implemented by IAM principal resources (groups, users and roles) and resources that assume a role such as a Lambda function, EC2 instance or a Codebuild project.
 
 You can find which `grant*` methods exist for a resource in the [AWS CDK API Reference](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-construct-library.html).
 
@@ -407,7 +407,7 @@ const newPolicy = new iam.Policy(this, 'MyNewPolicy', {
 
 [Permissions
 Boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-can be used as a mechanism to prevent privilege esclation by creating new
+can be used as a mechanism to prevent privilege escalation by creating new
 `Role`s. Permissions Boundaries are a Managed Policy, attached to Roles or
 Users, that represent the *maximum* set of permissions they can have. The
 effective set of permissions of a Role (or User) will be the intersection of

packages/@aws-cdk/aws-iotevents-actions/README.md

@@ -25,7 +25,7 @@ AWS IoT Events can trigger actions when it detects a specified event or transiti
 Currently supported are:
 
 - Use timer
-- Set variable to detector instanse
+- Set variable to detector instance
 - Invoke a Lambda function
 
 ## Use timer
@@ -96,9 +96,9 @@ online.transitionTo(offline, { when: iotevents.Expression.timeout('MyTimer') });
 offline.transitionTo(online, { when: iotevents.Expression.currentInput(input) });
 ```
 
-## Set variable to detector instanse
+## Set variable to detector instance
 
-The code snippet below creates an Action that set variable to detector instanse
+The code snippet below creates an Action that set variable to detector instance
 when it is triggered.
 
 ```ts

packages/@aws-cdk/aws-kinesisfirehose/README.md

@@ -28,7 +28,7 @@ endpoint or third-party services such as Datadog, Dynatrace, LogicMonitor, Mongo
 Relic, and Sumo Logic.
 
 Kinesis Data Firehose delivery streams are distinguished from Kinesis data streams in
-their models of consumtpion. Whereas consumers read from a data stream by actively pulling
+their models of consumption. Whereas consumers read from a data stream by actively pulling
 data from the stream, a delivery stream pushes data to its destination on a regular
 cadence. This means that data streams are intended to have consumers that do on-demand
 processing, like AWS Lambda or Amazon EC2. On the other hand, delivery streams are

packages/@aws-cdk/aws-lambda-go/README.md

@@ -210,7 +210,7 @@ By default this parameter is set to `AssetHashType.OUTPUT` which means that the
 
 If you specify `AssetHashType.SOURCE`, the CDK will calculate the asset hash by looking at the folder
 that contains your `go.mod` file. If you are deploying a single Lambda function, or you want to redeploy
-all of your functions if anything changes, then `AssetHashType.SOURCE` will probaby work.
+all of your functions if anything changes, then `AssetHashType.SOURCE` will probably work.
 
 
 For example, if my app looked like this:
@@ -232,7 +232,7 @@ will determine that the protect root is `lambda-app` (it contains the `go.mod` f
 Since I only have a single Lambda function, and any update to files within the `lambda-app` directory
 should trigger a new deploy, I could specify `AssetHashType.SOURCE`.
 
-On the other hand, if I had a project that deployed mmultiple Lambda functions, for example:
+On the other hand, if I had a project that deployed multiple Lambda functions, for example:
 
 ```bash
 lamda-app

packages/@aws-cdk/aws-logs/README.md

@@ -73,7 +73,7 @@ logGroup.grantWrite(new iam.ServicePrincipal('es.amazonaws.com'));
 
 Be aware that any ARNs or tokenized values passed to the resource policy will be converted into AWS Account IDs.
 This is because CloudWatch Logs Resource Policies do not accept ARNs as principals, but they do accept
-Account ID strings. Non-ARN principals, like Service principals or Any princpals, are accepted by CloudWatch.
+Account ID strings. Non-ARN principals, like Service principals or Any principals, are accepted by CloudWatch.
 
 ## Encrypting Log Groups
 
@@ -146,7 +146,7 @@ declare const logGroup: logs.LogGroup;
 logGroup.extractMetric('$.jsonField', 'Namespace', 'MetricName');
 ```
 
-Will extract the value of `jsonField` wherever it occurs in JSON-structed
+Will extract the value of `jsonField` wherever it occurs in JSON-structured
 log records in the LogGroup, and emit them to CloudWatch Metrics under
 the name `Namespace/MetricName`.
 

packages/@aws-cdk/aws-opensearchservice/README.md

@@ -75,7 +75,7 @@ logging the domain logs and slow search logs.
 
 Some cluster configurations (e.g VPC access) require the existence of the [`AWSServiceRoleForAmazonElasticsearchService`](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/slr.html) Service-Linked Role.
 
-When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message simlar to:
+When performing such operations via the AWS Console, this SLR is created automatically when needed. However, this is not the behavior when using CloudFormation. If an SLR is needed, but doesn't exist, you will encounter a failure message similar to:
 
 ```console
 Before you can proceed, you must enable a service-linked role to give Amazon OpenSearch Service...
@@ -228,7 +228,7 @@ means anyone can access the domain using the configured master username and
 password.
 
 To enable unsigned basic auth access the domain is configured with an access
-policy that allows anyonmous requests, HTTPS required, node to node encryption,
+policy that allows anonymous requests, HTTPS required, node to node encryption,
 encryption at rest and fine grained access control.
 
 If the above settings are not set they will be configured as part of enabling

packages/@aws-cdk/aws-secretsmanager/README.md

@@ -218,7 +218,7 @@ credentials generation and rotation is integrated.
 ## Importing Secrets
 
 Existing secrets can be imported by ARN, name, and other attributes (including the KMS key used to encrypt the secret).
-Secrets imported by name should use the short-form of the name (without the SecretsManager-provided suffx);
+Secrets imported by name should use the short-form of the name (without the SecretsManager-provided suffix);
 the secret name must exist in the same account and region as the stack.
 Importing by name makes it easier to reference secrets created in different regions, each with their own suffix and ARN.
 

packages/@aws-cdk/aws-servicecatalogappregistry/README.md

@@ -22,7 +22,7 @@
 <!--END STABILITY BANNER-->
 
 [AWS Service Catalog App Registry](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/appregistry.html)
-enables organizations to create and manage repositores of applications and associated resources.
+enables organizations to create and manage repositories of applications and associated resources.
 
 ## Table Of Contents
 
@@ -140,7 +140,7 @@ const cdkPipeline = new ApplicationPipelineStack(app, 'CDKApplicationPipelineSta
 ## Attribute Group
 
 An AppRegistry attribute group acts as a container for user-defined attributes for an application.
-Metadata is attached in a machine-readble format to integrate with automated workflows and tools.
+Metadata is attached in a machine-readable format to integrate with automated workflows and tools.
 
 ```ts
 const attributeGroup = new appreg.AttributeGroup(this, 'MyFirstAttributeGroup', {

packages/@aws-cdk/cfnspec/lib/canned-metrics/README.md

@@ -56,7 +56,7 @@ HTTP code (ELB or backend), the metric name itself comes from an ENUM.
   public metricHttpCodeTarget(code: HttpCodeTarget, props?: cloudwatch.MetricOptions) {
 ```
 
-NetworkLoadBalancer: get rid of underscores and recapitalize abbrevations
+NetworkLoadBalancer: get rid of underscores and recapitalize abbreviations
 
 ```js
 metricTcpClientResetCount => 'TCP_Client_Reset_Count'

packages/@aws-cdk/cloud-assembly-schema/CONTRIBUTING.md

@@ -20,7 +20,7 @@ There are two main things to understand about the files in this module:
 
 - [`lib/schema`](./schema/)
 
-  This directory contains the generated json [schema](./schema/cloud-assembly.schema.json) from the aformentioned 
+  This directory contains the generated json [schema](./schema/cloud-assembly.schema.json) from the aforementioned 
   typescript code. It also contains a [version](./schema/cloud-assembly.version.json) file that holds the current version
   of the schema. These files are **not** intended for manual editing. Keep reading to understand how they change and when.
 
@@ -31,7 +31,7 @@ an updated json schema to [`cloud-assembly.schema.json`](./schema/cloud-assembly
 In addition, this command also performs a `major` version bump on the [version](./schema/cloud-assembly.version.json) file.
 
 Note that it is not generated as part of the build, this is to ensure developers will be intentional when making 
-changes to the schema. If changes to the code are perfomed, without generating a new schema, the tests will fail:
+changes to the schema. If changes to the code are performed, without generating a new schema, the tests will fail:
 
 ```console
 $ yarn test
@@ -58,7 +58,7 @@ This means that breaking changes will be rejected. These include:
 - Adding a required property. (same as changing from *optional* to *required*)
 - Changing the type of the property.
 
-In addition, the interfaces defined here are programatically exposed to users, via the `manifest` 
+In addition, the interfaces defined here are programmatically exposed to users, via the `manifest` 
 property of the [`CloudAssembly`](../cx-api/lib/cloud-assembly.ts) class. This means that the following are 
 also considered breaking changes: