AWS Construct Library
The AWS Construct Library is a set of modules which expose a rich API for defining AWS resources in CDK apps. The AWS Construct Library is organized into modules based on the AWS service the resource belongs to. For example, the @aws-cdk/aws-ec2 module includes the @aws-cdk/aws-ec2.VpcNetwork construct, which makes it easy to define an Amazon VPC in your CDK app.
The AWS Construct Library includes many common patterns and capabilities which are designed to allow developers to focus on their application-specific architectures and reduce the boilerplate and glue logic needed when working with AWS.
Least-Privilege IAM policies
IAM policies are automatically defined based on intent. For example, when subscribing an AWS SNS Topic to an AWS Lambda Function, the function's IAM permission policy will automatically be modified to allow the specific topic to invoke the function.
Furthermore, most AWS Constructs expose grant* methods which allow intent-based permission definitions. For example, the AWS S3 Bucket construct has a grant* method which accepts an AWS IAM principal such as a User or a Role and will modify its policy to allow the principal to read objects from the bucket.
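To make "least privilege based on intent" concrete at the template level, here is an added example in Python (not CDK's own code): it walks a hand-constructed CloudFormation fragment shaped like what CDK synthesizes for a bucket read grant and for a topic-to-function subscription, and flags any statement that is broader than those grants, which is the check a reviewer wants to run over a synthesized template before deploying. Every name, ARN and logical id in it is constructed, as is the over-broad hand-written policy it flags.

```python
# Added example, not CDK's own code: check a synthesized CloudFormation template
# for IAM grants broader than the intent-based ones CDK emits. TEMPLATE is
# constructed by hand in the shape CDK synthesizes for bucket.grantRead(role)
# and for subscribing an SNS topic to a Lambda function; every name, ARN and
# logical id is made up, and one deliberately over-broad hand-written policy
# is included so the checker has something to flag.
TEMPLATE = {"Resources": {
    "ReaderRoleDefaultPolicy": {  # grantRead: read-only actions on one bucket
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"]}]}}},
    "TopicInvokeFunction": {  # subscription: invoke permission scoped to one topic
        "Type": "AWS::Lambda::Permission",
        "Properties": {"Action": "lambda:InvokeFunction",
                       "Principal": "sns.amazonaws.com",
                       "FunctionName": "example-function",
                       "SourceArn": "arn:aws:sns:us-east-1:123456789012:example-topic"}},
    "HandWrittenAdminPolicy": {  # not intent-based: wildcard action and resource
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}},
}}

def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]

def find_overbroad_statements(template):
    """Return (logical_id, statement) for each Allow using a wildcard action or resource."""
    findings = []
    for logical_id, res in template["Resources"].items():
        if res["Type"] not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        for stmt in res["Properties"]["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
                findings.append((logical_id, stmt))
    return findings

def find_unscoped_lambda_permissions(template):
    """Return logical ids of Lambda permissions with no SourceArn: without it, any
    resource of that service principal, not just the intended topic, may invoke."""
    return [lid for lid, res in template["Resources"].items()
            if res["Type"] == "AWS::Lambda::Permission"
            and not res["Properties"].get("SourceArn")]
```

Run it against the output of `cdk synth` (the JSON template) to confirm that only the intent-based statements are present and that every Lambda permission names its source.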
AWS Constructs that can be used as targets for various event providers implement the corresponding target interfaces (one for AWS CloudWatch Event Rule targets, one for AWS CloudWatch Alarm actions, etc.). For more information see the @aws-cdk/aws-cloudwatch documentation.
EC2 network entities such as the Elastic Load Balancer (@aws-cdk/aws-ec2.ElasticLoadBalancer) and AutoScalingGroup instances can connect to each other based on definitions of security groups. The AWS CDK provides a rich API for defining security group connections. For more information, see Allowing Connections in the @aws-cdk/aws-ec2 documentation.
If you need to reference a resource which is defined outside of your CDK app (e.g. a bucket, a VPC, etc.), you can use the Xxxx.import(...) static methods which are available on AWS Constructs. For example, the Bucket.import() method can be used to obtain a BucketRef object which can be used in most places where a bucket is required. This pattern allows treating resources defined outside your app as if they were part of your app.