diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
index 2fcb2a8d30629..24de4674aa16e 100644
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
@@ -85,6 +85,63 @@ describe('schedule target', () => {
     });
   });
 
+  test('creates IAM role and IAM policy for lambda version', () => {
+    const lambdaVersion = new lambda.Version(stack, 'MyLambdaVersion', {
+      lambda: func,
+    });
+    const lambdaTarget = new LambdaInvoke(lambdaVersion, {});
+
+    new Schedule(stack, 'MyScheduleDummy', {
+      schedule: expr,
+      target: lambdaTarget,
+    });
+
+    Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0);
+
+    Template.fromStack(stack).hasResource('AWS::Scheduler::Schedule', {
+      Properties: {
+        Target: {
+          Arn: {
+            Ref: 'MyLambdaVersion2EF97E33',
+          },
+          RoleArn: { 'Fn::GetAtt': ['SchedulerRoleForTarget1441a743A31888', 'Arn'] },
+          RetryPolicy: {},
+        },
+      },
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 'lambda:InvokeFunction',
+            Effect: 'Allow',
+            Resource: {
+              Ref: 'MyLambdaVersion2EF97E33',
+            },
+          },
+        ],
+      },
+      Roles: [{ Ref: 'SchedulerRoleForTarget1441a743A31888' }],
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+      AssumeRolePolicyDocument: {
+        Version: '2012-10-17',
+        Statement: [
+          {
+            Effect: 'Allow',
+            Condition: { StringEquals: { 'aws:SourceAccount': '123456789012' } },
+            Principal: {
+              Service: 'scheduler.amazonaws.com',
+            },
+            Action: 'sts:AssumeRole',
+          },
+        ],
+      },
+    });
+  });
+
   test('creates IAM policy for provided IAM role', () => {
     const targetExecutionRole = new Role(stack, 'ProvidedTargetRole', {
       assumedBy: new AccountRootPrincipal(),
@@ -229,6 +286,68 @@ describe('schedule target', () => {
     });
   });
 
+  test('creates IAM role and IAM policy for lambda alias', () => {
+    const lambdaVersion = new lambda.Version(stack, 'MyLambdaVersion', {
+      lambda: func,
+    });
+    const lambdaAlias = new lambda.Alias(stack, 'MyLambdaAlias', {
+      version: lambdaVersion,
+      aliasName: 'SomeAliasName',
+    });
+
+    const lambdaTarget = new LambdaInvoke(lambdaAlias, {});
+
+    new Schedule(stack, 'MyScheduleDummy', {
+      schedule: expr,
+      target: lambdaTarget,
+    });
+
+    Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0);
+
+    Template.fromStack(stack).hasResource('AWS::Scheduler::Schedule', {
+      Properties: {
+        Target: {
+          Arn: {
+            Ref: 'MyLambdaAliasD26C43B4',
+          },
+          RoleArn: { 'Fn::GetAtt': ['SchedulerRoleForTarget1441a743A31888', 'Arn'] },
+          RetryPolicy: {},
+        },
+      },
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 'lambda:InvokeFunction',
+            Effect: 'Allow',
+            Resource: {
+              Ref: 'MyLambdaAliasD26C43B4',
+            },
+          },
+        ],
+      },
+      Roles: [{ Ref: 'SchedulerRoleForTarget1441a743A31888' }],
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+      AssumeRolePolicyDocument: {
+        Version: '2012-10-17',
+        Statement: [
+          {
+            Effect: 'Allow',
+            Condition: { StringEquals: { 'aws:SourceAccount': '123456789012' } },
+            Principal: {
+              Service: 'scheduler.amazonaws.com',
+            },
+            Action: 'sts:AssumeRole',
+          },
+        ],
+      },
+    });
+  });
+
   test('creates IAM policy for imported role for lambda function in the same account', () => {
     const importedRole = Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/someRole');
 
diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json
index fef13773ed7aa..5ab742258adbd 100644
--- a/packages/@aws-cdk/integ-runner/package.json
+++ b/packages/@aws-cdk/integ-runner/package.json
@@ -74,9 +74,8 @@
     "@aws-cdk/cloud-assembly-schema": "^38.0.0",
     "@aws-cdk/cloudformation-diff": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
-    "cdk-assets": "^2.154.0",
+    "cdk-assets": "^2.155.17",
     "@aws-cdk/aws-service-spec": "^0.1.29",
-
     "@aws-cdk/cdk-cli-wrapper": "0.0.0",
     "aws-cdk": "0.0.0",
     "chalk": "^4",
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index 0e959c0a2a5ee..34f5825b5ff4e 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -80,6 +80,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-cdkaws-rdssetcorrectvaluefordatabaseinstancereadreplicainstanceresourceid) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | 2.161.0 | (fix) |
 | [@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics](#aws-cdkcorecfnincluderejectcomplexresourceupdatecreatepolicyintrinsics) | When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values. | 2.161.0 | (fix) |
 | [@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy](#aws-cdkaws-stepfunctions-tasksfixrunecstaskpolicy) | When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN. | 2.163.0 | (fix) |
+| [@aws-cdk/aws-dynamodb:resourcePolicyPerReplica](#aws-cdkaws-dynamodbresourcepolicyperreplica) | When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -143,6 +144,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
     "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
     "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
     "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
     "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
     "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
@@ -1509,4 +1511,22 @@ When this feature flag is enabled, if the task definition is created in the stac
 | 2.163.0 | `false` | `true` |
 
 
+### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica
+
+*When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix)
+
+If this flag is not set, the default behavior for `TableV2` is to use a different `resourcePolicy` for each replica. 
+
+If this flag is set to false, the behavior is that each replica shares the same `resourcePolicy` as the source table.
+This will prevent you from creating a new table which has an additional replica and a resource policy.
+
+This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+
 <!-- END details -->
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
index 6a78965620c01..fab6d1d3ce4b0 100644
--- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
@@ -174,7 +174,18 @@ export class SDK implements ISDK {
   }
 
   public s3(): AWS.S3 {
-    return this.wrapServiceErrorHandling(new AWS.S3(this.config));
+    return this.wrapServiceErrorHandling(new AWS.S3({
+      // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+      // However by default the S3 client is using an MD5 checksum for content integrity checking.
+      // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+      // in practice it is just easier to use an allowed checksum mechanism.
+      // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+      // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+      // of the AWS SDKv3 and is a safe choice for all users.
+      s3DisableBodySigning: false,
+      computeChecksums: false,
+      ...this.config,
+    }));
   }
 
   public route53(): AWS.Route53 {
diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
index 506da385ff312..202ac715eb2bb 100644
--- a/packages/aws-cdk/package.json
+++ b/packages/aws-cdk/package.json
@@ -104,7 +104,7 @@
     "archiver": "^5.3.2",
     "aws-sdk": "^2.1691.0",
     "camelcase": "^6.3.0",
-    "cdk-assets": "^2.155.0",
+    "cdk-assets": "^2.155.17",
     "cdk-from-cfn": "^0.162.0",
     "chalk": "^4",
     "chokidar": "^3.6.0",
diff --git a/yarn.lock b/yarn.lock
index a14ce1ed93150..f5c2805c1038d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -67,17 +67,10 @@
     jsonschema "^1.4.1"
     semver "^7.6.3"
 
-"@aws-cdk/cx-api@^2.158.0":
-  version "2.159.0"
-  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094"
-  integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w==
-  dependencies:
-    semver "^7.6.3"
-
-"@aws-cdk/cx-api@^2.160.0":
-  version "2.160.0"
-  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59"
-  integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw==
+"@aws-cdk/cx-api@^2.163.1":
+  version "2.163.1"
+  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e"
+  integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w==
   dependencies:
     semver "^7.6.3"
 
@@ -6794,26 +6787,13 @@ case@1.6.3, case@^1.6.3:
   resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
   integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==
 
-cdk-assets@^2.154.0:
-  version "2.154.0"
-  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead"
-  integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw==
-  dependencies:
-    "@aws-cdk/cloud-assembly-schema" "^38.0.0"
-    "@aws-cdk/cx-api" "^2.158.0"
-    archiver "^5.3.2"
-    aws-sdk "^2.1691.0"
-    glob "^7.2.3"
-    mime "^2.6.0"
-    yargs "^16.2.0"
-
-cdk-assets@^2.155.0:
-  version "2.155.0"
-  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf"
-  integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA==
+cdk-assets@^2.155.17:
+  version "2.155.17"
+  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5"
+  integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA==
   dependencies:
     "@aws-cdk/cloud-assembly-schema" "^38.0.1"
-    "@aws-cdk/cx-api" "^2.160.0"
+    "@aws-cdk/cx-api" "^2.163.1"
     archiver "^5.3.2"
     aws-sdk "^2.1691.0"
     glob "^7.2.3"