Amazon’s CDK creates a helper CloudFormation stack (by default named CDKToolkit) with a few resources to assist with deployment. The most familiar to regular users are the S3 asset bucket and the ECR repository.
A source of mild frustration for my colleagues and me is that this default stack doesn’t set lifecycle policies on either, which then trips Amazon’s security controls (S3.10 and ECR.3, respectively).
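To make concrete what those two controls are flagging, and what a customized bootstrap template has to add to satisfy them, here is a small added example (my own code, not from the post or from the CDK project). It models the template as a Python dict rather than the YAML that cdk bootstrap prints, and the two resources and their logical IDs (StagingBucket, ContainerAssetsRepository) are assumed stand-ins for the real ones; the template content is constructed for illustration only.

```python
import copy
import json

# Constructed stand-in for the bootstrap template. The real one is YAML and
# carries many more resources; only the two that the controls complain about
# are modelled here, and the logical IDs are assumed.
SAMPLE_TEMPLATE = {
    "Resources": {
        "StagingBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                # Versioning is on, which is exactly why S3.10 expects a lifecycle rule.
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
        "ContainerAssetsRepository": {
            "Type": "AWS::ECR::Repository",
            "Properties": {"ImageTagMutability": "IMMUTABLE"},
        },
    }
}


def resources_missing_lifecycle(template):
    """Return the logical IDs of S3 buckets and ECR repositories that carry no
    lifecycle configuration, i.e. what S3.10 / ECR.3 would report."""
    missing = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            if not props.get("LifecycleConfiguration", {}).get("Rules"):
                missing.append(logical_id)
        elif res.get("Type") == "AWS::ECR::Repository":
            if not props.get("LifecyclePolicy", {}).get("LifecyclePolicyText"):
                missing.append(logical_id)
    return missing


def add_lifecycle_rules(template, noncurrent_days=30, untagged_image_days=30):
    """Return a deep copy of the template with a lifecycle rule added to every
    bucket and repository that lacks one. Resources that already have rules
    are left exactly as they were."""
    out = copy.deepcopy(template)
    for logical_id in resources_missing_lifecycle(out):
        res = out["Resources"][logical_id]
        props = res.setdefault("Properties", {})
        if res["Type"] == "AWS::S3::Bucket":
            # Only noncurrent versions and abandoned multipart uploads expire;
            # current asset objects stay, so deployments that still reference
            # them are unaffected.
            props["LifecycleConfiguration"] = {
                "Rules": [
                    {
                        "Id": "ExpireNoncurrentAssetVersions",
                        "Status": "Enabled",
                        "NoncurrentVersionExpiration": {"NoncurrentDays": noncurrent_days},
                        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
                    }
                ]
            }
        else:
            # ECR lifecycle policies are a JSON document embedded as a string.
            policy = {
                "rules": [
                    {
                        "rulePriority": 1,
                        "description": "Expire untagged images",
                        "selection": {
                            "tagStatus": "untagged",
                            "countType": "sinceImagePushed",
                            "countUnit": "days",
                            "countNumber": untagged_image_days,
                        },
                        "action": {"type": "expire"},
                    }
                ]
            }
            props["LifecyclePolicy"] = {"LifecyclePolicyText": json.dumps(policy)}
    return out


if __name__ == "__main__":
    print("Flagged before:", resources_missing_lifecycle(SAMPLE_TEMPLATE))
    fixed = add_lifecycle_rules(SAMPLE_TEMPLATE)
    print("Flagged after:", resources_missing_lifecycle(fixed))
    print(json.dumps(fixed, indent=2))
```

The rules deliberately touch only noncurrent object versions, incomplete multipart uploads and untagged images: the current assets in the staging bucket and the tagged images in the repository are what deployed stacks reference, and expiring those would break later deployments or rollbacks. To apply this to the real template you would load the YAML from cdk bootstrap into a dict (with PyYAML, for instance), run it through add_lifecycle_rules, and write it back out before re-bootstrapping.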
Fortunately, there is a relatively straightforward solution: customizing the CloudFormation template that manages the CDKToolkit stack. I hadn’t realized before now that you can do this, but it’s well documented. First, use cdk bootstrap to output the contents of the template. You’ll want to ensure that you’re using the same version of CDK that you’ll use to deploy the stack: