AWS Construct Library

The AWS Construct Library is a set of modules which expose a rich API for defining AWS resources in CDK apps. The AWS Construct Library is organized to modules based on the AWS service the resource belongs to. For example, the @aws-cdk/aws-ec2 module includes the @aws-cdk/aws-ec2.VpcNetwork construct which makes it easy to define an Amazon VPC in your CDK app.

The AWS Construct Library includes many common patterns and capabilities which are designed to allow developers to focus on their application-specific architectures and reduces the boilerplate and glue logic needed when working with AWS.

Least-Privilege IAM policies

IAM policies are automatically defined based on intent. For example, when subscribing an AWS SNS Topic to a AWS Lambda Function, the function’s IAM permission policy will automatically be modified to allow the specific topic to invoke the function.

Furthermore, most AWS Constructs expose grant* methods which allow intent-based permission definitions. For example, the AWS S3 Bucket construct has a grantRead(principal) method which accepts an AWS IAM Principal such as a User or a Role, and will modify their policy to allow the principal to read objects from the bucket.

Event-driven APIs

Many of the AWS constructs include on* methods which can be used to react to events emitted by the construct. For example, the AWS CodeCommit Repository construct has an onCommit method.

AWS Constructs that can be used as targets for various event providers implement interfaces such as IEventRuleTarget (for AWS CloudWatch Event Rule target), IAlarmAction (for AWS CloudWatch Alarm actions), etc.

For more information see the @aws-cdk/aws-cloudwatch and @aws-cdk/aws-events documentation.

Security Groups

EC2 network entities such as the Elastic Load Balancer <@aws-cdk/aws-ec2.ElasticLoadBalancer and AutoScalingGroup instances can connect to each other based on definitions of security groups.

The AWS CDK provides a rich API for defining security group connections. For more information, see Allowing Connections in the @aws-cdk/aws-ec2 documentation.


Many AWS resources emit AWS CloudWatch metrics as part of their normal operation. Metrics can be used to setup Alarms or included in Dashboards.

Metric objects for AWS Constructs can be obtained via metricXxx() methods. For example, the metricDuration() method reports the execution time of an AWS Lambda function.

For more information see the @aws-cdk/aws-cloudwatch documentation.


If you need to reference a resource which is defined outside of your CDK app (e.g. a bucket, a VPC, etc), you can use the Xxxx.import(...) static methods which are available on AWS Constructs. For example, the Bucket.import() method can be used to obtain a BucketRef object which can be used in most places where a bucket is required. This patterns allows treating resources defined outside your app as if they were part of your app.

AWS CloudFormation Layer

Every module in the AWS Construct Library includes a cloudformation namespace which contains low-level constructs which represent the low-level AWS CloudFormation semantics of this service. See AWS CloudFormation Library for details.