Posted on Oct 14

Building a Reusable AWS Governance Library with CDK: Constructs, Blueprints, and Aspects

Introduction

As organizations scale their AWS infrastructure, maintaining consistent security, compliance, and best practices across multiple CDK projects becomes challenging. Each team might implement their own governance rules, leading to inconsistencies, security gaps, and compliance violations.

The solution? Build a reusable governance library that can be shared across all your CDK projects.

In this article, I'll show you how to build a production-ready AWS governance library using three powerful CDK concepts:

Constructs - For organizational structure
Blueprints - For property injection (enforcing defaults)
Aspects - For validation and compliance checking

Why a Governance Library?

Before diving into implementation, let's understand the problem:

Without a Governance Library

// Project A const bucket = new s3.Bucket(this, 'Bucket', { encryption: s3.BucketEncryption.S3_MANAGED, blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // ... repeated security config }); // Project B (different team) const bucket = new s3.Bucket(this, 'Bucket', { // Oops! Forgot encryption, no public access block }); // Project C const bucket = new s3.Bucket(this, 'Bucket', { encryption: s3.BucketEncryption.KMS, // Inconsistent encryption method });

Problems:

❌ Inconsistent security configurations
❌ Copy-paste errors
❌ No centralized compliance enforcement
❌ Difficult to audit
❌ Hard to update org-wide

With a Governance Library

// Just one line - consistent governance across all projects CommonGovernancePatterns.soc2(app, 'myorg', 'my-project', 'production'); // All S3 buckets automatically get: // ✅ Encryption enabled // ✅ Public access blocked // ✅ SSL enforced // ✅ Versioning enabled (production) // ✅ Organizational tags applied

Architecture Overview

Our governance library uses a three-layer architecture:

┌─────────────────────────────────────┐ │ GovernanceFactory (Entry Point) │ │ - applyToApp() │ │ - applyToStack() │ └──────────────┬──────────────────────┘ │ ┌───────┴────────┐ │ │ ▼ ▼ ┌─────────────┐ ┌──────────────┐ │ Blueprints │ │ Aspects │ │ (Inject) │ │ (Validate) │ └─────────────┘ └──────────────┘ │ │ └────────┬───────┘ ▼ ┌──────────────────────┐ │ Your CDK Resources │ │ (S3, IAM, RDS...) │ └──────────────────────┘

Core Concepts Explained

1. Constructs

Constructs are CDK's building blocks. In our governance library, we use Constructs to organize and apply tags.

export class OrganizationalTags extends Construct { constructor(scope: Construct, id: string, private readonly config: GovernanceConfig) { super(scope, id); // Apply tags at scope level - they inherit to all children Tags.of(scope).add('Organization', config.organization); Tags.of(scope).add('Project', config.project); Tags.of(scope).add('Environment', config.environment); Tags.of(scope).add('ManagedBy', 'CDK'); Tags.of(scope).add('CostCenter', `${config.organization}-${config.project}-${config.environment}`); // Apply additional organizational tags if (config.organizationalTags) { Object.entries(config.organizationalTags).forEach(([key, value]) => { Tags.of(scope).add(key, value); }); } } }

Key Points:

Constructs organize code into logical units
Tags applied at App level propagate to all stacks and resources
Single source of truth for organizational metadata

2. Blueprints (Property Injection)

Blueprints use CDK's Property Injection feature to enforce defaults before resources are created. They implement the IPropertyInjector interface.

How Property Injection Works

When you create a resource like new s3.Bucket(this, 'MyBucket', props), CDK:

Takes your props
Passes them through all registered property injectors
Injectors modify the props
Creates the resource with modified props

Example: S3 Security Blueprint

export class SecureS3Blueprint implements IPropertyInjector { public readonly constructUniqueId: string; constructor(private readonly config: GovernanceConfig) { // This ID tells CDK which construct type to inject into this.constructUniqueId = Bucket.PROPERTY_INJECTION_ID; } public inject(originalProps: BucketProps, context: InjectionContext): BucketProps { const enforcedProps: Partial<BucketProps> = {}; // Block public access (override user's setting if needed) if (this.config.security?.blockPublicAccess !== false) { enforcedProps.blockPublicAccess = BlockPublicAccess.BLOCK_ALL; // Warn if we're overriding if (originalProps.blockPublicAccess !== BlockPublicAccess.BLOCK_ALL) { Annotations.of(context.scope).addWarning( `S3 bucket public access setting overridden for security compliance` ); } } // Enforce SSL if (this.config.security?.enforceSSL !== false) { enforcedProps.enforceSSL = true; } // Enforce encryption if (this.config.security?.enforceEncryption !== false) { enforcedProps.encryption = BucketEncryption.S3_MANAGED; } // Enable versioning in production if (this.config.environment === 'production' && this.config.security?.enableVersioning !== false) { enforcedProps.versioned = true; } // Merge original props with enforced props return { ...originalProps, ...enforcedProps, }; } }

Example: IAM Role Blueprint

export class SecureIAMRoleBlueprint implements IPropertyInjector { public readonly constructUniqueId: string; constructor(private readonly config: GovernanceConfig) { this.constructUniqueId = Role.PROPERTY_INJECTION_ID; } public inject(originalProps: RoleProps, context: InjectionContext): RoleProps { const additionalPolicies: any[] = []; // Add CloudWatch logging in production if (this.config.environment === 'production') { additionalPolicies.push( ManagedPolicy.fromAwsManagedPolicyName('CloudWatchAgentServerPolicy') ); } // Enforce session duration limits based on compliance const maxSessionDuration = this.getMaxSessionDuration(); return { ...originalProps, managedPolicies: [ ...(originalProps.managedPolicies || []), ...additionalPolicies ], maxSessionDuration: originalProps.maxSessionDuration || maxSessionDuration, }; } private getMaxSessionDuration(): Duration { switch (this.config.complianceProfile) { case 'SOC2': case 'HIPAA': return Duration.hours(1); // Strict compliance case 'PCI': return Duration.hours(2); default: return this.config.environment === 'production' ? Duration.hours(4) : Duration.hours(12); } } }

Blueprint Benefits:

✅ Enforces defaults before resource creation
✅ Can override user-provided properties
✅ Works transparently - developers don't need to change code
✅ Centralized security enforcement

3. Aspects (Validation)

Aspects validate resources after they're created but before synthesis. They implement the IAspect interface and visit every construct in the tree.

How Aspects Work

Aspects use the Visitor pattern:

CDK calls visit(node) for every construct
You check if the construct is a resource you care about
You validate and add errors/warnings/info annotations
Annotations appear in CDK output during synthesis

Example: Security Compliance Aspect

export class SecurityComplianceAspect implements IAspect { constructor(private readonly config: GovernanceConfig) {} public visit(node: IConstruct): void { // Check different resource types if (node instanceof s3.Bucket) { this.validateS3Security(node); } if (node instanceof iam.Role) { this.validateIAMRoleSecurity(node); } if (node instanceof rds.DatabaseInstance) { this.validateRDSInstanceSecurity(node); } if (node instanceof ec2.SecurityGroup) { this.validateSecurityGroupRules(node); } } private validateS3Security(bucket: s3.Bucket): void { const bucketResource = bucket.node.defaultChild as s3.CfnBucket; // Check encryption if (this.config.security?.enforceEncryption && !bucketResource.bucketEncryption) { Annotations.of(bucket).addError( `S3 bucket "${bucket.node.id}" must have encryption enabled` ); } // Check versioning in production if (this.config.environment === 'production') { const versioningConfig = bucketResource.versioningConfiguration; if (!versioningConfig || versioningConfig.status !== 'Enabled') { Annotations.of(bucket).addError( `S3 bucket "${bucket.node.id}" must have versioning enabled in production` ); } } } private validateIAMRoleSecurity(role: iam.Role): void { const roleResource = role.node.defaultChild as iam.CfnRole; // Check for overly permissive policies const policies = roleResource.policies; if (policies && Array.isArray(policies)) { policies.forEach((policy: any) => { const statements = policy.policyDocument?.Statement; if (Array.isArray(statements)) { statements.forEach((statement: any) => { if (statement.Effect === 'Allow' && statement.Resource === '*' && statement.Action === '*') { Annotations.of(role).addError( `IAM role "${role.roleName}" has overly permissive policy with Action: "*" and Resource: "*"` ); } }); } }); } } private validateSecurityGroupRules(sg: ec2.SecurityGroup): void { const sgResource = sg.node.defaultChild as ec2.CfnSecurityGroup; if (sgResource.securityGroupIngress) { const ingress = Array.isArray(sgResource.securityGroupIngress) ? sgResource.securityGroupIngress : [sgResource.securityGroupIngress]; ingress.forEach((rule: any) => { // Check for SSH/RDP from 0.0.0.0/0 if (rule.cidrIp === '0.0.0.0/0') { if (rule.fromPort === 22 || rule.fromPort === 3389) { Annotations.of(sg).addError( `Security group allows SSH/RDP access from 0.0.0.0/0 - critical security risk!` ); } } }); } } }

Example: Naming Convention Aspect

export class NamingConventionAspect implements IAspect { constructor(private readonly config: GovernanceConfig) {} public visit(node: IConstruct): void { if (!this.config.naming?.enforce) return; const expectedPrefix = this.config.naming.prefix || `${this.config.organization}-${this.config.environment}`; // Validate S3 bucket names if (node instanceof s3.Bucket) { const bucketName = node.bucketName; if (bucketName && !bucketName.startsWith(expectedPrefix)) { Annotations.of(node).addError( `S3 bucket name "${bucketName}" must start with "${expectedPrefix}"` ); } } // Validate IAM role names if (node instanceof iam.Role) { const roleName = node.roleName; if (roleName && !roleName.includes(this.config.organization)) { Annotations.of(node).addWarning( `IAM role name "${roleName}" should include organization "${this.config.organization}"` ); } } } }

Aspect Benefits:

✅ Validates resources after creation
✅ Catches configuration issues before deployment
✅ Provides clear error messages
✅ Non-invasive - doesn't modify resources

Configuration System

Create a flexible configuration interface:

export interface GovernanceConfig { // Core identifiers organization: string; project: string; environment: 'development' | 'staging' | 'production'; // Compliance profiles complianceProfile?: 'SOC2' | 'HIPAA' | 'PCI' | 'GDPR' | 'basic'; // Custom tags requiredTags?: string[]; organizationalTags?: Record<string, string>; // Security settings security?: { enforceEncryption?: boolean; enforceSSL?: boolean; blockPublicAccess?: boolean; enableVersioning?: boolean; }; // Naming conventions naming?: { prefix?: string; pattern?: RegExp; enforce?: boolean; }; // Tagging strategy tagging?: { autoApply?: boolean; enforceRequired?: boolean; }; }

Compliance Profiles

Pre-configure settings for common compliance frameworks:

export const COMPLIANCE_PROFILES: Record<string, Partial<GovernanceConfig>> = { basic: { security: { enforceEncryption: true, enforceSSL: true, blockPublicAccess: true, }, requiredTags: ['Owner', 'Environment'], }, SOC2: { security: { enforceEncryption: true, enforceSSL: true, blockPublicAccess: true, enableVersioning: true, }, requiredTags: ['Owner', 'Team', 'DataClassification', 'Compliance'], tagging: { enforceRequired: true, }, }, HIPAA: { security: { enforceEncryption: true, enforceSSL: true, blockPublicAccess: true, enableVersioning: true, }, requiredTags: ['Owner', 'Team', 'DataClassification', 'PHI', 'Compliance'], tagging: { enforceRequired: true, }, }, }; export function mergeGovernanceConfig(config: GovernanceConfig): GovernanceConfig { const profile = config.complianceProfile ? COMPLIANCE_PROFILES[config.complianceProfile] : {}; return { ...DEFAULT_GOVERNANCE_CONFIG, ...profile, ...config, security: { ...DEFAULT_GOVERNANCE_CONFIG.security, ...profile.security, ...config.security, }, } as GovernanceConfig; }

Governance Factory

Create a factory class to orchestrate everything:

export class GovernanceFactory { /** * Apply governance to an entire CDK App */ static applyToApp(app: App, config: GovernanceConfig): void { const mergedConfig = mergeGovernanceConfig(config); // 1. Apply blueprints (property injection) this.applyBlueprints(app, mergedConfig); // 2. Apply organizational tags new OrganizationalTags(app, 'AppGovernance', mergedConfig); // 3. Apply aspects (validation) this.applyAspects(app, mergedConfig); } /** * Apply governance to a specific stack */ static applyToStack(stack: Stack, config: GovernanceConfig): void { const mergedConfig = mergeGovernanceConfig(config); new OrganizationalTags(stack, 'StackGovernance', mergedConfig); this.applyAspects(stack, mergedConfig); } /** * Apply blueprints via property injection */ private static applyBlueprints(app: App, config: GovernanceConfig): void { const blueprints = [ new SecureS3Blueprint(config), new SecureIAMRoleBlueprint(config), new SecureRDSBlueprint(config), ]; // Register blueprints with the App const existingInjectors = (app as any).propertyInjectors || []; (app as any).propertyInjectors = [...existingInjectors, ...blueprints]; } /** * Apply aspects for validation */ private static applyAspects(scope: Construct, config: GovernanceConfig): void { // Security compliance Aspects.of(scope).add(new SecurityComplianceAspect(config)); // Naming conventions if (config.naming?.enforce) { Aspects.of(scope).add(new NamingConventionAspect(config)); } // Required tags validation if (config.requiredTags && config.requiredTags.length > 0) { Aspects.of(scope).add(new RequiredTagsValidationAspect(config)); } // Compliance tag enforcement if (config.complianceProfile && config.complianceProfile !== 'basic') { Aspects.of(scope).add(new ComplianceTagEnforcementAspect(config)); } } }

Convenience Patterns

Add common usage patterns:

export class CommonGovernancePatterns { /** * Apply basic governance (suitable for most projects) */ static basic( app: App, organization: string, project: string, environment: 'development' | 'staging' | 'production' ): void { GovernanceFactory.applyToApp(app, { organization, project, environment, complianceProfile: 'basic', }); } /** * Apply SOC2 compliance governance */ static soc2( app: App, organization: string, project: string, environment: 'development' | 'staging' | 'production' ): void { GovernanceFactory.applyToApp(app, { organization, project, environment, complianceProfile: 'SOC2', }); } /** * Development-friendly governance (less strict) */ static development(app: App, organization: string, project: string): void { GovernanceFactory.applyToApp(app, { organization, project, environment: 'development', complianceProfile: 'basic', security: { enforceEncryption: false, // More flexible for dev enforceSSL: true, blockPublicAccess: true, enableVersioning: false, }, tagging: { enforceRequired: false, // Warnings instead of errors }, }); } /** * Production-ready governance (strict) */ static production( app: App, organization: string, project: string, complianceProfile: 'SOC2' | 'HIPAA' | 'PCI' | 'GDPR' = 'SOC2' ): void { GovernanceFactory.applyToApp(app, { organization, project, environment: 'production', complianceProfile, security: { enforceEncryption: true, enforceSSL: true, blockPublicAccess: true, enableVersioning: true, }, tagging: { enforceRequired: true, // Strict enforcement }, naming: { enforce: true, }, }); } }

Package Structure

Organize your library for reusability:

aws-governance-lib/ ├── src/ │ ├── config/ │ │ └── governance-config.ts # Configuration interfaces │ ├── constructs/ │ │ └── governance-factory.ts # Main factory class │ ├── blueprints/ │ │ └── security-blueprints.ts # Property injectors │ ├── aspects/ │ │ ├── core-governance.ts # Tags, naming, etc. │ │ ├── security-compliance.ts # Security validation │ │ └── infrastructure-validation.ts # Resource-specific │ ├── utils/ │ │ └── blueprint-helpers.ts # Helper functions │ └── index.ts # Public exports ├── test/ │ └── governance.test.ts ├── package.json ├── tsconfig.json └── README.md

package.json

{ "name": "@myorg/aws-governance-lib", "version": "1.0.0", "description": "Reusable AWS CDK governance library", "main": "lib/index.js", "types": "lib/index.d.ts", "scripts": { "build": "tsc", "test": "jest", "prepublishOnly": "npm run build" }, "peerDependencies": { "aws-cdk-lib": "^2.100.0", "constructs": "^10.0.0" }, "keywords": [ "aws", "cdk", "governance", "compliance", "security" ] }

Using the Library

Installation

npm install @myorg/aws-governance-lib

Basic Usage

import { App } from 'aws-cdk-lib'; import { CommonGovernancePatterns } from '@myorg/aws-governance-lib'; import { MyStack } from './stacks/MyStack'; const app = new App(); // Apply governance with one line CommonGovernancePatterns.basic(app, 'myorg', 'my-project', 'production'); // Create your stacks normally new MyStack(app, 'MyStack', {}); app.synth();

Advanced Usage

import { App } from 'aws-cdk-lib'; import { GovernanceFactory } from '@myorg/aws-governance-lib'; const app = new App(); // Custom configuration GovernanceFactory.applyToApp(app, { organization: 'myorg', project: 'data-platform', environment: 'production', complianceProfile: 'SOC2', organizationalTags: { 'BusinessUnit': 'Engineering', 'Department': 'Platform', 'CostCenter': 'CC-1234' }, security: { enforceEncryption: true, enforceSSL: true, blockPublicAccess: true, enableVersioning: true, }, naming: { prefix: 'myorg-prod', enforce: true, } });

Per-Stack Governance

const app = new App(); // Different governance per stack const devStack = new MyStack(app, 'DevStack', { env: 'dev' }); const prodStack = new MyStack(app, 'ProdStack', { env: 'prod' }); GovernanceFactory.applyToStack(devStack, { organization: 'myorg', project: 'my-project', environment: 'development', complianceProfile: 'basic', }); GovernanceFactory.applyToStack(prodStack, { organization: 'myorg', project: 'my-project', environment: 'production', complianceProfile: 'SOC2', });

Real-World Example

Let's see a complete example with validation output:

// bin/app.ts import { App } from 'aws-cdk-lib'; import { CommonGovernancePatterns } from '@myorg/aws-governance-lib'; import { DataPipelineStack } from './stacks/DataPipelineStack'; const app = new App(); // Apply SOC2 governance CommonGovernancePatterns.soc2(app, 'myorg', 'data-platform', 'production'); // Create stack new DataPipelineStack(app, 'DataPipelineStack', { env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION, }, }); app.synth();

// stacks/DataPipelineStack.ts import { Stack, StackProps } from 'aws-cdk-lib'; import { Construct } from 'constructs'; import * as s3 from 'aws-cdk-lib/aws-s3'; import * as iam from 'aws-cdk-lib/aws-iam'; export class DataPipelineStack extends Stack { constructor(scope: Construct, id: string, props?: StackProps) { super(scope, id, props); // Create S3 bucket - governance applied automatically! const bucket = new s3.Bucket(this, 'DataLake', { // You don't need to specify security settings // The governance library handles it }); // Blueprint will inject: // - blockPublicAccess: BlockPublicAccess.BLOCK_ALL // - encryption: BucketEncryption.S3_MANAGED // - enforceSSL: true // - versioned: true (production) // Aspect will validate: // - All security settings are correct // - Naming convention follows org standards // - Required tags are present // Create IAM role const role = new iam.Role(this, 'DataPipelineRole', { assumedBy: new iam.ServicePrincipal('glue.amazonaws.com'), }); // Blueprint will inject: // - CloudWatch managed policies (production) // - Maximum session duration (1 hour for SOC2) } }

Synthesis Output

When you run cdk synth, you'll see:

[WARNING] S3 bucket "DataLake" missing required tag "DataClassification" - required for SOC2 compliance [INFO] Ensure S3 bucket "DataLake" has SSL enforcement via bucket policy ✅ Successfully applied organizational tags: Organization=myorg, Project=data-platform, Environment=production ✅ Security compliance checks passed for 5 resources

Testing the Library

Create comprehensive tests:

import { App, Stack } from 'aws-cdk-lib'; import { Template, Annotations, Match } from 'aws-cdk-lib/assertions'; import * as s3 from 'aws-cdk-lib/aws-s3'; import { GovernanceFactory } from '../src'; describe('Governance Library', () => { test('applies S3 security defaults', () => { const app = new App(); const stack = new Stack(app, 'TestStack'); GovernanceFactory.applyToStack(stack, { organization: 'test', project: 'test-project', environment: 'production', complianceProfile: 'SOC2', }); new s3.Bucket(stack, 'TestBucket', {}); const template = Template.fromStack(stack); // Verify security settings were injected template.hasResourceProperties('AWS::S3::Bucket', { PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true, }, BucketEncryption: { ServerSideEncryptionConfiguration: Match.anyValue(), }, VersioningConfiguration: { Status: 'Enabled', }, }); }); test('validates naming conventions', () => { const app = new App(); const stack = new Stack(app, 'TestStack'); GovernanceFactory.applyToStack(stack, { organization: 'test', project: 'test-project', environment: 'production', naming: { prefix: 'test-prod', enforce: true, }, }); new s3.Bucket(stack, 'TestBucket', { bucketName: 'wrong-prefix-bucket', }); app.synth(); // Check for naming convention errors const annotations = Annotations.fromStack(stack).findError( '*', Match.stringLikeRegexp('.*must start with "test-prod".*') ); expect(annotations.length).toBeGreaterThan(0); }); test('applies organizational tags', () => { const app = new App(); const stack = new Stack(app, 'TestStack'); GovernanceFactory.applyToStack(stack, { organization: 'test', project: 'test-project', environment: 'development', }); new s3.Bucket(stack, 'TestBucket', {}); const template = Template.fromStack(stack); // Verify tags were applied template.hasResourceProperties('AWS::S3::Bucket', { Tags: Match.arrayWith([ { Key: 'Organization', Value: 'test' }, { Key: 'Project', Value: 'test-project' }, { Key: 'Environment', Value: 'development' }, { Key: 'ManagedBy', Value: 'CDK' }, ]), }); }); });

Best Practices

1. Start Simple, Expand Gradually

// Phase 1: Just tagging GovernanceFactory.applyToApp(app, { organization: 'myorg', project: 'my-project', environment: 'production', }); // Phase 2: Add basic security // (update library, users automatically get new features) // Phase 3: Add compliance profiles // (rollout with migration guide)

2. Make Warnings Non-Breaking

// Use info/warnings for new validations if (config.strictMode) { Annotations.of(node).addError('Must have encryption'); } else { Annotations.of(node).addWarning('Should have encryption'); }

3. Allow Opt-Out Mechanisms

// Let teams opt-out if needed if (this.config.security?.enforceEncryption !== false) { // Apply encryption } // Usage: GovernanceFactory.applyToApp(app, { // ... security: { enforceEncryption: false, // Opt out }, });

4. Document Governance Decisions

/** * Enforces S3 bucket encryption for SOC2 compliance * * Required by: SOC2 CC6.1 - Encryption at Rest * Exceptions: Must be approved by Security team * Contact: security-team@myorg.com */ if (this.config.complianceProfile === 'SOC2') { enforcedProps.encryption = BucketEncryption.S3_MANAGED; }

5. Version Your Library Carefully

Use semantic versioning:

Patch (1.0.1): Bug fixes, non-breaking
Minor (1.1.0): New features, non-breaking
Major (2.0.0): Breaking changes (new enforcements)

Migration Strategy

Step 1: Install Library

npm install @myorg/aws-governance-lib

Step 2: Replace Existing Governance

// BEFORE import { applyStackGovernance } from './factories/stack-factory'; applyStackGovernance(stack, 'production'); // AFTER import { CommonGovernancePatterns } from '@myorg/aws-governance-lib'; CommonGovernancePatterns.production(app, 'myorg', 'my-project', 'SOC2');

Step 3: Keep Project-Specific Aspects

import { GovernanceFactory } from '@myorg/aws-governance-lib'; import { MyCustomAspect } from './aspects/custom-aspects'; // Apply library governance GovernanceFactory.applyToApp(app, config); // Add project-specific aspects Aspects.of(app).add(new MyCustomAspect());

Advanced: Resource-Specific Blueprints

Add blueprints for other AWS services:

// Lambda function blueprint export class SecureLambdaBlueprint implements IPropertyInjector { public readonly constructUniqueId = Function.PROPERTY_INJECTION_ID; public inject(originalProps: FunctionProps, context: InjectionContext): FunctionProps { return { ...originalProps, // Enable X-Ray tracing tracing: Tracing.ACTIVE, // Set environment encryption environmentEncryption: new kms.Key(context.scope, 'LambdaKey'), // Set timeout limits timeout: originalProps.timeout || Duration.seconds(30), }; } } // RDS blueprint export class SecureRDSBlueprint implements IPropertyInjector { public readonly constructUniqueId = DatabaseInstance.PROPERTY_INJECTION_ID; public inject(originalProps: DatabaseInstanceProps, context: InjectionContext): DatabaseInstanceProps { return { ...originalProps, storageEncrypted: true, backupRetention: Duration.days(7), multiAz: this.config.environment === 'production', deletionProtection: this.config.environment === 'production', publiclyAccessible: false, }; } }

Conclusion

Building a reusable governance library transforms how you manage AWS infrastructure:

Benefits Recap

✅ Consistency - All projects follow the same standards
✅ Security - Enforce security by default
✅ Compliance - Built-in SOC2, HIPAA, PCI, GDPR profiles
✅ Maintainability - Update governance in one place
✅ Developer Experience - One-line setup, transparent enforcement
✅ Auditability - Clear validation output
✅ Scalability - Works across unlimited projects

Key Takeaways

Use Blueprints for property injection (enforce defaults)
Use Aspects for validation (catch issues)
Use Constructs for organization (apply tags)
Make it configurable - different needs for dev/prod
Version carefully - breaking changes need migration guides
Document everything - explain why, not just what

Next Steps

Start with tagging and basic security
Add compliance profiles based on your needs
Expand to cover more AWS services
Get feedback from teams
Iterate and improve

With this architecture, you can ensure every CDK project in your organization follows best practices automatically, freeing developers to focus on building features instead of configuring security.

Resources

This architecture is battle-tested across multiple production environments with 100+ stacks and ensures consistent governance at scale.