TL;DR
CDK Mixins are now stable in aws-cdk-lib — compose reusable infrastructure behaviors across any construct without extra packages. EKS v2 graduated to stable with production-ready APIs. And the CLI shipped --revert-drift to fix drifted resources in a single command.
These features are available in aws-cdk-lib v2.233.0 through v2.248.0 and aws-cdk CLI v2.1099.0 through v2.1117.0. Full changelogs on GitHub Releases.
Major Features
CDK Mixins — From Preview to Stable
If you've been waiting to adopt Mixins, the wait is over. The core Mixins API (Mixins.of(), Mixin, ConstructSelector) landed in aws-cdk-lib in February, and the @aws-cdk/cfn-property-mixins package graduated to stable in March. That means the fluent .with() method now works on any construct — L1, L2, or custom — directly from aws-cdk-lib, no extra packages needed.
Several service mixins ship directly in aws-cdk-lib:
```typescript
// Apply mixins fluently with .with() — works on L1, L2, and custom constructs
new s3.CfnBucket(scope, 'MyL1Bucket')
  .with(new s3.mixins.BucketBlockPublicAccess())
  .with(new s3.mixins.BucketAutoDeleteObjects());

// Auto-delete ECR images on repository removal
new ecr.CfnRepository(this, 'Repo')
  .with(new ecr.mixins.RepositoryAutoDeleteImages());

// Apply cluster settings to L1 constructs
new ecs.CfnCluster(this, 'Cluster')
  .with(new ecs.mixins.ClusterSettings([{ name: 'containerInsights', value: 'enhanced' }]));

// .with() works on L2 constructs too
new s3.Bucket(stack, 'MyL2Bucket')
  .with(new s3.mixins.BucketBlockPublicAccess());
```
Already using Aspects? The new Shims class lets you convert between Aspects and Mixins, so you can adopt incrementally without rewriting existing code.
Also new in the Mixins Preview package: EventBridge pattern generation for all events, custom merge strategies via IMergeStrategy, cross-account Vended Log delivery destinations, and the ability to pass resource objects directly into CFN Property mixin properties.
EKS v2 Graduates to Stable 🚀
The @aws-cdk/aws-eks-v2-alpha module is now aws-cdk-lib/aws-eks-v2 — stable APIs, no more alpha imports, production-ready. If you've been holding off on EKS v2 because of the alpha label, it's time to upgrade.
Alongside graduation, February brought Kubernetes 1.35 support, hybrid nodes for on-premises and edge infrastructure, EC2/HYBRID_LINUX/HYPERPOD_LINUX access entry types, removal policies for all EKS constructs, and bootstrapSelfManagedAddons support.
```typescript
import { KubectlV35Layer } from '@aws-cdk/lambda-layer-kubectl-v35';

const cluster = new eks.Cluster(this, 'Cluster', {
  version: eks.KubernetesVersion.V1_35,
  kubectlLayer: new KubectlV35Layer(this, 'KubectlLayer'),
  remoteNodeNetworks: [
    {
      cidrs: ['10.0.0.0/16'],
    },
  ],
  remotePodNetworks: [
    {
      cidrs: ['192.168.0.0/16'],
    },
  ],
});
```
CLI Improvements
--revert-drift Option
Drifted resources used to mean manual remediation. Now a single flag on cdk deploy creates a drift-aware change set that brings your actual resource state back in line with your template:
```shell
$ cdk deploy --revert-drift MyStack
```
Concurrent Asset Builds & publish-assets
Two features that speed up CI/CD pipelines. Build assets in parallel with --asset-build-concurrency, and separate asset publishing from deployment with the new publish-assets command:
```shell
$ cdk deploy --asset-build-concurrency 4
$ cdk publish-assets MyStack --unstable=publish-assets
```
cdk diff --method & cdk destroy --concurrency
cdk diff now supports --method=change-set to always use a change set (and fail if it can't), replacing the deprecated --change-set flag. And cdk destroy gained --concurrency for parallel stack destruction.
Contributed by: Mike Voets (destroy --concurrency)
Additional CLI Updates
- Guard Hook failure details — the CLI now fetches and displays detailed failure annotations automatically (jkelley-godaddy)
- Fn::ForEach diff support — ForEach loops are no longer invisible in cdk diff
- Metadata in separate files — avoids the 512MB NodeJS string limit for extremely large apps
- Changeset-based diff for nested stacks — accurate diffs including --security-only
- cdk import fix — --role-arn no longer conflicts with --record-resource-mapping (Abhishek Chauhan)
- Docker buildSecrets fix — secrets are now correctly passed to docker build (cartmanez)
New L2 Constructs
MediaPackage V2 (Alpha)
A full-featured L2 for AWS Elemental MediaPackage V2 — channel groups, channels, origin endpoints, manifests (HLS, DASH, LL-HLS, MSS), encryption/DRM, type-safe manifest filtering, grants, and CloudWatch metrics. Everything you need to set up a streaming pipeline in CDK:
```typescript
import { ChannelGroup, Channel, OriginEndpoint, InputConfiguration, Segment, Manifest } from '@aws-cdk/aws-mediapackagev2-alpha';

const group = new ChannelGroup(stack, 'MyChannelGroup', {
  channelGroupName: 'my-channel-group',
});

const channel = group.addChannel('MyChannel', {
  channelName: 'my-channel',
  input: InputConfiguration.cmaf(),
});

const endpoint = channel.addOriginEndpoint('MyEndpoint', {
  originEndpointName: 'my-endpoint',
  segment: Segment.cmaf(),
  manifests: [Manifest.hls({ manifestName: 'index' })],
});

// Grant MediaLive permission to ingest content
channel.grants.ingest(mediaLiveRole);
```
See the full README for manifest filtering, encryption, and DRM examples.
Service Enhancements
DynamoDB Cross-Account Global Tables
Replicate tables across AWS accounts for multi-tenant architectures and disaster recovery. Permissions are automatically configured when both tables are in the same CDK app:
```typescript
const sourceTable = new dynamodb.TableV2(sourceStack, 'SourceTable', {
  tableName: 'MyMultiAccountTable',
  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
  globalTableSettingsReplicationMode: dynamodb.GlobalTableSettingsReplicationMode.ALL,
});

// Replica in Account B — resource policies and KMS permissions handled for you
const replica = new dynamodb.TableV2MultiAccountReplica(replicaStack, 'ReplicaTable', {
  tableName: 'MyMultiAccountTable',
  replicaSourceTable: sourceTable,
  globalTableSettingsReplicationMode: dynamodb.GlobalTableSettingsReplicationMode.ALL,
});
```
ALB JWT Authentication
Verify JWTs directly at the load balancer for service-to-service auth — no custom Lambda authorizers needed:
```typescript
const listener = lb.addListener('Listener', {
  protocol: elbv2.ApplicationProtocol.HTTPS,
  port: 443,
  certificates: [certificate],
  defaultAction: elbv2.ListenerAction.authenticateJwt({
    issuer: 'https://issuer.example.com',
    jwksEndpoint: 'https://issuer.example.com/.well-known/jwks.json',
    next: elbv2.ListenerAction.forward([myTargetGroup]),
  }),
});
```
Contributed by: Kazuho Cryer-Shinozuka
OpenSearch S3 Vectors Engine
Sub-second vector search at lower cost by offloading vector data to S3:
```typescript
const domain = new Domain(this, 'Domain', {
  version: EngineVersion.OPENSEARCH_2_19,
  s3VectorsEngineEnabled: true,
  capacity: { dataNodeInstanceType: 'or1.medium.search' },
  encryptionAtRest: { enabled: true },
});
```
Contributed by: Kazuho Cryer-Shinozuka
Kinesis Firehose Dynamic Partitioning
Partition streaming data on the fly using JQ expressions — no Lambda required:
```typescript
const s3Destination = new firehose.S3Bucket(bucket, {
  dynamicPartitioning: { enabled: true },
  processors: [
    firehose.MetadataExtractionProcessor.jq16({
      customer_id: '.customer_id',
      year: '.event_timestamp|strftime("%Y")',
    }),
  ],
  dataOutputPrefix: '!{partitionKeyFromQuery:year}/!{partitionKeyFromQuery:customer_id}/',
});
```
Contributed by: Tietew
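Because the partition keys are read straight out of each record, the values end up in the S3 object path. The following added example (constructed; not Firehose's or the construct's own code) is a local model of that flow: it mirrors the two JQ expressions from the snippet above in plain TypeScript, expands the `!{partitionKeyFromQuery:...}` placeholders of the `dataOutputPrefix`, and rejects values that would alter the path, such as a `customer_id` containing `/` or `..`. The record fields, `OUTPUT_PREFIX` and the sample values are all constructed for the example.

```typescript
// Added example (constructed model, not Firehose's implementation) of dynamic
// partitioning: extract partition keys from a record, check them, build the prefix.

type EventRecord = { [field: string]: string | number };

// Mirrors the two expressions in the snippet above:
//   customer_id: '.customer_id'                -> field copied as-is
//   year: '.event_timestamp|strftime("%Y")'    -> epoch seconds to UTC year
function extractPartitionKeys(rec: EventRecord): { [key: string]: string } {
  const ts = Number(rec.event_timestamp);
  if (isNaN(ts)) throw new Error('event_timestamp must be epoch seconds');
  return {
    customer_id: String(rec.customer_id),
    year: String(new Date(ts * 1000).getUTCFullYear()),
  };
}

// A value like "../other-tenant" or "a/b" would change where the object lands,
// so refuse anything that is empty or carries a path separator or dot segment.
function assertSafePartitionValue(key: string, value: string): void {
  const unsafe = value === '' || value === '.' || value === '..'
    || value.indexOf('/') !== -1 || value.indexOf('\\') !== -1;
  if (unsafe) {
    throw new Error(`partition key '${key}' has an unsafe value: ${JSON.stringify(value)}`);
  }
}

// Expand !{partitionKeyFromQuery:NAME} placeholders in a dataOutputPrefix template
function expandOutputPrefix(template: string, keys: { [key: string]: string }): string {
  return template.replace(/!\{partitionKeyFromQuery:([A-Za-z0-9_]+)\}/g, (_m, name: string) => {
    const value = keys[name];
    if (value === undefined) throw new Error(`template references unknown partition key '${name}'`);
    assertSafePartitionValue(name, value);
    return value;
  });
}

// Same template as the construct snippet above
const OUTPUT_PREFIX = '!{partitionKeyFromQuery:year}/!{partitionKeyFromQuery:customer_id}/';

function prefixFor(rec: EventRecord): string {
  return expandOutputPrefix(OUTPUT_PREFIX, extractPartitionKeys(rec));
}

// Constructed sample records; 1709251200 is 2024-03-01T00:00:00Z
const GOOD_RECORD: EventRecord = { customer_id: 'cust-42', event_timestamp: 1709251200 };
const BAD_RECORD: EventRecord = { customer_id: '../other-tenant', event_timestamp: 1709251200 };

// Returns true when the unsafe record is rejected before a prefix is produced
function rejectsUnsafeRecord(): boolean {
  try {
    prefixFor(BAD_RECORD);
    return false;
  } catch {
    return true;
  }
}

console.log(prefixFor(GOOD_RECORD), rejectsUnsafeRecord());
```

The check belongs wherever you control the record content before it reaches the stream, or in a processor, since the delivery prefix is only as trustworthy as the fields it is derived from.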
Glue Typed Partition Projection (Alpha)
Type-safe partition projection for Glue tables — no more raw strings for integer, date, enum, and injected types:
```typescript
new glue.S3Table(this, 'MyTable', {
  database: myDatabase,
  columns: [{ name: 'data', type: glue.Schema.STRING }],
  partitionKeys: [{ name: 'year', type: glue.Schema.INTEGER }],
  dataFormat: glue.DataFormat.JSON,
  partitionProjection: {
    year: glue.PartitionProjectionConfiguration.integer({
      min: 2020, max: 2023, interval: 1, digits: 4,
    }),
  },
});
```
Contributed by: Kazuho Cryer-Shinozuka
Bedrock AgentCore: fromCodeAsset
Deploy agent runtimes from local code with automatic S3 packaging — no pre-built container required:
```typescript
const artifact = agentcore.AgentRuntimeArtifact.fromCodeAsset({
  path: path.join(__dirname, 'path/to/agent/code'),
  runtime: agentcore.AgentCoreRuntime.PYTHON_3_12,
  entrypoint: ['opentelemetry-instrument', 'main.py'],
});

new agentcore.Runtime(this, 'MyAgentRuntime', {
  runtimeName: 'myAgent',
  agentRuntimeArtifact: artifact,
});
```
Contributed by: Kenta Goto (fromCodeAsset)
More Service Updates
- API Gateway: TLS 1.3 enhanced security policies with post-quantum cryptography support
- EC2: VPC flow logs to Amazon Data Firehose (Tietew)
- ECS: forceNewDeployment() to trigger redeployment without definition changes
- AutoScaling: Deletion protection and instance lifecycle policy with retention triggers (Masatomo Nomura)
- RDS: Standalone ParameterGroup.forInstance()/ParameterGroup.forCluster() factory methods
- S3: Blocked encryption types to control allowed upload encryption (Yash Thakur), ABAC support (Kazuho Cryer-Shinozuka)
- ECR Assets: Docker buildContexts for multi-context builds
- CloudFront: JS runtime 2.0 as default for new projects (Kazuho Cryer-Shinozuka)
- S3 Tables (Alpha): Tagging, metrics, partition specs, sort orders (Michael Garbus, Olena R)
- API Gateway V2: Role support for Lambda authorizers (Elias Brange)
- Synthetics: Canary NodeJS 3.1 runtime (Bilal Quadri)
Community Highlights
Top External Contributors
Kazuho Cryer-Shinozuka — 8 contributions across ALB JWT auth, OpenSearch S3 Vectors, S3 ABAC, Glue typed partition projection, CloudFront JS 2.0 default, and more. A driving force behind CDK's service coverage.
Kenta Goto — Three high-impact features: publish-assets CLI command, concurrent asset builds, and Bedrock AgentCore fromCodeAsset. Consistently shipping features that improve developer velocity.
aki-kii — Built --revert-drift for the CLI and added AppSync enhanced metrics. Contributions spanning both CLI and construct library.
Tietew — Kinesis Firehose dynamic partitioning and EC2 flow log Firehose destinations — two highly requested features.
Masatomo Nomura — AutoScaling deletion protection and instance lifecycle policy across both months.
Olena R — S3 Tables metrics, partition specs, sort orders, and table properties.
Additional Contributors
Andre Kurait, Dave Dennis, Mike Voets, Elias Brange, David Konigsberg, Michael Garbus, Yuki Matsuda, Yash Thakur, Bilal Quadri, Bryan Koch, syukawa-gh, jkelley-godaddy, Juho Majasaari, Abhishek Chauhan, cartmanez
Community Content & Resources
From the Community:
AWS CDK Tips: How to Centrally Apply Configurations to Multiple Resources — Kenta Goto walks through patterns for applying configurations at scale — timely with Mixins going stable.
CDK Mixin for Deletion Protection — Hands-on walkthrough of building a custom Mixin, by johanneskonings.
Why is cdk.out (Cloud Assembly) Necessary in AWS CDK? — Kenta Goto explains the Cloud Assembly and why it matters for your workflow.
CDK - Using Central Register Pattern for Resource Sharing — A practical pattern for sharing resources across stacks, by tyckofranklin.
CDK Infrastructure for Amazon Bedrock AgentCore (And Every Gotcha You'll Hit) — Real-world guide to deploying Bedrock AgentCore with CDK, by rajmurugan.
Zero Orphaned Resources: Force Deleting Any CloudFormation Stack — Kenta Goto on cleaning up stuck stacks without leaving orphaned resources.
What Really Happens When You Deploy with AWS CDK? — A look under the hood at the CDK deployment process, by mianzubair.
Building a Serverless LLM Pipeline with Bedrock and SageMaker using CDK — End-to-end CDK pipeline for LLM fine-tuning, by katevu.
Resources:
- AWS IaC MCP Server — AI-powered CDK development via Model Context Protocol.
- CDK Construct Hub — Discover community-built constructs.
- AWS CDK API Reference
How Can You Be Involved
Report Issues
Open an issue on GitHub.
Contribute Code
Check our contributing guide and look for good first issue or help wanted labels.
Join the Conversation
- Slack: CDK.dev community
- GitHub: Discussions
- Stack Overflow: aws-cdk tag
Star the Repo
Give us a star on GitHub! ⭐
Feedback? Share in GitHub Discussions.