Profile Applicability:

  • Level 1

Description:

AWS Cloud Development Kit (CDK) is a framework used to define cloud infrastructure using programming languages. CDK requires a bootstrap stack that creates resources necessary for deploying CDK applications (such as S3 buckets, ECR repositories, and IAM roles). The CDKToolkit stack must have an appropriate Bootstrap version to ensure that all necessary security features and configurations are implemented. This SOP ensures that your CDKToolkit stacks are running version 21 or higher to mitigate potential security risks and improve compatibility with the latest AWS CDK features.

Rationale:

  • Security: A higher version of the Bootstrap stack contains updated security configurations, such as proper encryption and IAM roles, which help mitigate potential risks from outdated versions.

  • Compatibility: Newer versions of the Bootstrap stack ensure compatibility with newer CDK features and AWS resources.

  • Best Practices: Running the latest Bootstrap version ensures that you’re adhering to best practices and security guidelines provided by AWS for CDK applications.

Impact:

Pros:

  • Improved Security: By updating to version 21 or higher, you incorporate the latest security enhancements, ensuring that the CDK toolkit stack is protected against potential vulnerabilities.

  • Better Performance and Features: Version 21 or higher includes updated features and bug fixes, improving the stability and usability of CDK applications.

  • Compliance: Aligns with the best practices recommended by AWS to ensure that your CDK applications follow security standards.

Cons:

  • Potential Compatibility Issues: Upgrading the Bootstrap stack might introduce compatibility issues with older CDK applications that rely on previous configurations.

  • Requires Redeployment: Updating the CDKToolkit stack requires redeployment, which might involve some downtime or configuration adjustments.

Default Value:

The CDKToolkit stack is created automatically when you use the AWS CDK for the first time. However, it may be created with a lower version depending on when the stack was first bootstrapped. You need to manually upgrade it to version 21 or higher.

Pre-requisite:

  • AWS IAM Permissions:

    • cloudformation:DescribeStacks

    • cloudformation:UpdateStack

    • cloudformation:CreateStack

  • AWS CLI installed and configured.

  • Ensure you have permissions to manage CloudFormation stacks and CDK resources.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudFormation under Services.

  3. In the CloudFormation Dashboard, search for the CDKToolkit stack.

  4. Review the Stack Name and Stack Details to identify the Bootstrap version.

  5. If the version is below 21, you need to update the stack by following the next steps.

Using AWS CLI:

  1. To check the Bootstrap version for your CDKToolkit stack, run the following command:

    aws cloudformation describe-stacks --stack-name CDKToolkit --query 'Stacks[*].{StackName:StackName,StackStatus:StackStatus,CreationTime:CreationTime}'

  2. The CreationTime and other stack metadata will indicate when the CDKToolkit stack was created and can give a clue about the version.

  3. To check if the CDKToolkit stack version is 21 or higher, run the following command to list the resources associated with the stack:

    aws cloudformation describe-stack-resources --stack-name CDKToolkit --query 'StackResources[*].{LogicalResourceId:LogicalResourceId,ResourceType:ResourceType,PhysicalResourceId:PhysicalResourceId}'

  4. Review the output for any signs that the Bootstrap stack version is outdated. If the stack version is below 21, follow the steps in the Implementation section to upgrade it.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon CloudFormation.

  2. In the CloudFormation Dashboard, select the CDKToolkit stack.

  3. If the version is lower than 21, delete the old stack:

    • Click on the Delete Stack option.

  4. Recreate the stack using the CDK Bootstrap command to deploy the latest version:

    • Open your terminal or AWS CloudShell.

Run the following AWS CDK CLI command to bootstrap with the latest version:

cdk bootstrap aws://<account-id>/<region> --profile <your-aws-profile>

Using AWS CLI:

  1. If the Bootstrap version is outdated (below version 21), update the stack by running the CDK bootstrap command:

    cdk bootstrap aws://<account-id>/<region> --profile <your-aws-profile>

  2. After running this command, verify the stack has been successfully updated to the latest version:

    aws cloudformation describe-stacks --stack-name CDKToolkit --query 'Stacks[*].{StackName:StackName,StackStatus:StackStatus}'

Backout Plan:

Using AWS Console:

  1. If upgrading the bootstrap version causes issues, sign in to the AWS Management Console.

  2. Navigate to CloudFormation, select the CDKToolkit stack, and delete it.

  3. After deletion, you can choose to re-deploy the stack with the previous version or a different version, based on your requirements.

Using AWS CLI:

  1. To revert to a previous version of the bootstrap stack (if necessary), delete the CDKToolkit stack:

    aws cloudformation delete-stack --stack-name CDKToolkit

  2. Re-bootstrap the environment with the desired version:

    cdk bootstrap --profile <AWS_PROFILE>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.