2026-05-06 18:55:16 -05:00

CDK Feature Flags

CDK Feature Flags are a mechanism that allows the CDK to evolve and change the behavior of certain classes and methods, without causing disruption to existing deployed infrastructure.

Feature flags are context values and can be configured using any of the context management methods, at any level of the construct tree. Commonly, they are specified in the cdk.json file. cdk init will create new CDK projects with a cdk.json file containing all recommended feature flags enabled.

Current list of feature flags

Flags come in three types:

  • Default change: The default behavior of an API has been changed in order to improve its ergonomics. The old behavior can still be achieved, but requires source changes.
  • Fix/deprecation: The old behavior was incorrect or not recommended for new users. The only way to keep it is to not set this flag.
  • Config: Configurable behavior that we recommend you turn on.

| Flag | Summary | Since | Type |
| --- | --- | --- | --- |
| @aws-cdk/core:newStyleStackSynthesis | Switch to new stack synthesis method which enables CI/CD | 2.0.0 | fix |
| @aws-cdk/core:stackRelativeExports | Name exports based on the construct paths relative to the stack, rather than the global construct path | 2.0.0 | fix |
| @aws-cdk/aws-rds:lowercaseDbIdentifier | Force lowercasing of RDS Cluster names in CDK | 2.0.0 | fix |
| @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId | Allow adding/removing multiple UsagePlanKeys independently | 2.0.0 | fix |
| @aws-cdk/aws-lambda:recognizeVersionProps | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the fn.currentVersion. | 2.0.0 | fix |
| @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 | Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default. | 2.0.0 | fix |
| @aws-cdk/core:target-partitions | What regions to include in lookup tables of environment agnostic stacks | 2.4.0 | config |
| @aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver | ECS extensions will automatically add an awslogs driver if no logging is specified | 2.8.0 | new default |
| @aws-cdk/aws-ec2:uniqueImdsv2TemplateName | Enable this feature flag to have Launch Templates generated by the InstanceRequireImdsv2Aspect use unique names. | 2.8.0 | fix |
| @aws-cdk/aws-iam:minimizePolicies | Minimize IAM policies by combining Statements | 2.18.0 | config |
| @aws-cdk/core:checkSecretUsage | Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations | 2.21.0 | config |
| @aws-cdk/aws-lambda:recognizeLayerVersion | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the fn.currentVersion. | 2.27.0 | fix |
| @aws-cdk/core:validateSnapshotRemovalPolicy | Error on snapshot removal policies on resources that do not support it. | 2.28.0 | new default |
| @aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName | Generate key aliases that include the stack name | 2.29.0 | fix |
| @aws-cdk/aws-s3:createDefaultLoggingPolicy | Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist. | 2.31.0 | fix |
| @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption | Restrict KMS key policy for encrypted Queues a bit more | 2.32.0 | fix |
| @aws-cdk/aws-ecs:arnFormatIncludesClusterName | ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID. | 2.35.0 | fix |
| @aws-cdk/aws-apigateway:disableCloudWatchRole | Make default CloudWatch Role behavior safe for multiple API Gateways in one environment | 2.38.0 | fix |
| @aws-cdk/core:enablePartitionLiterals | Make ARNs concrete if AWS partition is known | 2.38.0 | fix |
| @aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker | Avoid setting the "ECS" deployment controller when adding a circuit breaker | 2.51.0 | fix |
| @aws-cdk/aws-events:eventsTargetQueueSameAccount | Event Rules may only push to encrypted SQS queues in the same account | 2.51.0 | fix |
| @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName | Enable this feature to create default policy names for imported roles that depend on the stack the role is in. | 2.60.0 | fix |
| @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy | Use S3 Bucket Policy instead of ACLs for Server Access Logging | 2.60.0 | fix |
| @aws-cdk/customresources:installLatestAwsSdkDefault | Whether to install the latest SDK by default in AwsCustomResource | 2.60.0 | new default |
| @aws-cdk/aws-route53-patters:useCertificate | Use the official Certificate resource instead of DnsValidatedCertificate | 2.61.0 | new default |
| @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup | Remove CloudWatch alarms from deployment group | 2.65.0 | fix |
| @aws-cdk/aws-rds:databaseProxyUniqueResourceName | Use unique resource name for Database Proxy | 2.65.0 | fix |
| @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId | Include authorizer configuration in the calculation of the API deployment logical ID. | 2.66.0 | fix |
| @aws-cdk/aws-ec2:launchTemplateDefaultUserData | Define user data for a launch template by default when a machine image is provided. | 2.67.0 | fix |
| @aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments | SecretTargetAttachments uses the ResourcePolicy of the attached Secret. | 2.67.0 | fix |
| @aws-cdk/aws-redshift:columnId | Whether to use an ID to track Redshift column changes | 2.68.0 | fix |
| @aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2 | Enable AmazonEMRServicePolicy_v2 managed policies | 2.72.0 | fix |
| @aws-cdk/aws-apigateway:requestValidatorUniqueId | Generate a unique id for each RequestValidator added to a method | 2.78.0 | fix |
| @aws-cdk/aws-ec2:restrictDefaultSecurityGroup | Restrict access to the VPC default security group | 2.78.0 | new default |
| @aws-cdk/aws-kms:aliasNameRef | KMS Alias name and keyArn will have implicit reference to KMS Key | 2.83.0 | fix |
| @aws-cdk/core:includePrefixInUniqueNameGeneration | Include the stack prefix in the stack name generation process | 2.84.0 | fix |
| @aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig | Generate a launch template when creating an AutoScalingGroup | 2.88.0 | fix |
| @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby | Enables support for Multi-AZ with Standby deployment for opensearch domains | 2.88.0 | new default |
| @aws-cdk/aws-efs:denyAnonymousAccess | EFS denies anonymous client access | 2.93.0 | new default |
| @aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId | When enabled, mount targets will have a stable logicalId that is linked to the associated subnet. | 2.93.0 | fix |
| @aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion | Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default | 2.93.0 | new default |
| @aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier | When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id. | 2.97.0 | fix |
| @aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters | When enabled, the scope of the InstanceParameterGroup for AuroraClusterInstance changes with each set of parameters. | 2.97.0 | fix |
| @aws-cdk/aws-rds:preventRenderingDeprecatedCredentials | When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials. | 2.98.0 | fix |
| @aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource | When enabled, the CodeCommit source action is using the default branch name 'main'. | 2.103.1 | fix |
| @aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | fix |
| @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse | Enables Pipeline to set the default value for crossAccountKeys to false. | 2.127.0 | new default |
| @aws-cdk/aws-codepipeline:defaultPipelineTypeToV2 | Enables Pipeline to set the default pipeline type to V2. | 2.133.0 | new default |
| @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | 2.134.0 | fix |
| @aws-cdk/aws-eks:nodegroupNameAttribute | When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix. | 2.139.0 | fix |
| @aws-cdk/aws-ec2:ebsDefaultGp3Volume | When enabled, the default volume type of the EBS volume will be GP3 | 2.140.0 | new default |
| @aws-cdk/pipelines:reduceAssetRoleTrustScope | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | new default |
| @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm | When enabled, remove default deployment alarm settings | 2.143.0 | new default |
| @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault | When enabled, the custom resource used for AwsCustomResource will configure the logApiResponseData property as true by default | 2.145.0 | fix |
| @aws-cdk/aws-s3:keepNotificationInImportedBucket | When enabled, adding notifications to a bucket in the current stack will not remove notifications from the imported stack. | 2.155.0 | fix |
| @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask | When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model. | 2.156.0 | fix |
| @aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions | When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration | 2.159.0 | fix |
| @aws-cdk/aws-ec2:ec2SumTImeoutEnabled | When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together. | 2.160.0 | fix |
| @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission | When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn. | 2.161.0 | fix |
| @aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages | When enabled, both @aws-sdk and @smithy packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications. | 2.161.0 | fix |
| @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId | When enabled, the value of property instanceResourceId in construct DatabaseInstanceReadReplica will be set to the correct value, DbiResourceId, instead of DbInstanceArn | 2.161.0 | fix |
| @aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics | When enabled, CFN templates added with cfn-include will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values. | 2.161.0 | fix |
| @aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy | When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN. | 2.163.0 | fix |
| @aws-cdk/aws-dynamodb:resourcePolicyPerReplica | When enabled, allows you to specify a resource policy per replica instead of copying the source table policy to all replicas | 2.164.0 | fix |
| @aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault | When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2. | 2.172.0 | new default |
| @aws-cdk/core:aspectStabilization | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | 2.172.0 | config |
| @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | fix |
| @aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | 2.176.0 | fix |
| @aws-cdk/aws-iam:oidcRejectUnauthorizedConnections | When enabled, the default behaviour of OIDC provider will reject unauthorized connections | 2.177.0 | fix |
| @aws-cdk/core:enableAdditionalMetadataCollection | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | 2.178.0 | config |
| @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy | [Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement | 2.180.0 | fix |
| @aws-cdk/aws-s3:setUniqueReplicationRoleName | When enabled, CDK will automatically generate a unique role name that is used for s3 object replication. | 2.182.0 | fix |
| @aws-cdk/pipelines:reduceStageRoleTrustScope | Remove the root account principal from Stage addActions trust policy | 2.184.0 | new default |
| @aws-cdk/aws-events:requireEventBusPolicySid | When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals. | 2.186.0 | fix |
| @aws-cdk/aws-dynamodb:retainTableReplica | When enabled, table replicas will default to the removal policy of the source table unless specified otherwise. | 2.187.0 | fix |
| @aws-cdk/cognito:logUserPoolClientSecretValue | When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs. | 2.187.0 | new default |
| @aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2 | When enabled, the resultWriterV2 property of DistributedMap will be used instead of resultWriter | 2.188.0 | new default |
| @aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope | When enabled, scopes down the trust policy for the cross-account action role | 2.189.0 | new default |
| @aws-cdk/core:aspectPrioritiesMutating | When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING. | 2.189.1 | new default |
| @aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions | Add an S3 trust policy to a KMS key resource policy for SNS subscriptions. | 2.195.0 | fix |
| @aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration | When enabled, use resource IDs for VPC V2 migration | 2.196.0 | new default |
| @aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway | When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC. | 2.196.0 | fix |
| @aws-cdk/aws-s3:publicAccessBlockedByDefault | When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined. | 2.196.0 | fix |
| @aws-cdk/aws-lambda:useCdkManagedLogGroup | When enabled, CDK creates and manages the log group for the lambda function | 2.200.0 | new default |
| @aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal | Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition | 2.202.0 | fix |
| @aws-cdk/core:explicitStackTags | When enabled, stack tags need to be assigned explicitly on a Stack. | 2.205.0 | new default |
| @aws-cdk/aws-signer:signingProfileNamePassedToCfn | Pass signingProfileName to CfnSigningProfile | 2.212.0 | fix |
| @aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener | Disable implicit openListener when custom security groups are provided | 2.214.0 | new default |
| @aws-cdk/aws-ecs-patterns:uniqueTargetGroupId | When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement | 2.221.0 | fix |
| @aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint | When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks. | 2.221.0 | fix |
| @aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault | When enabled, Network Load Balancer will be created with a security group by default. | 2.222.0 | new default |
| @aws-cdk/aws-route53-patterns:useDistribution | Use the Distribution resource instead of CloudFrontWebDistribution | 2.233.0 | new default |
| @aws-cdk/aws-eks:useNativeOidcProvider | When enabled, EKS V2 clusters will use the native OIDC provider resource AWS::IAM::OIDCProvider instead of creating the OIDCProvider with a custom resource (iam.OpenIDConnectProvider). | 2.237.0 | fix |
| @aws-cdk/core:automaticL1Traits | Automatically use the default L1 traits for L1 constructs | 2.239.0 | new default |
| @aws-cdk/aws-cloudfront:defaultFunctionRuntimeV2_0 | Use cloudfront-js-2.0 as the default runtime for CloudFront Functions | 2.245.0 | new default |
| @aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy | When enabled, HTTPS/TLS listeners use post-quantum TLS policy by default | 2.245.0 | new default |
| @aws-cdk/aws-batch:defaultToAL2023 | Use AL2023 as the default imageType for EC2 Batch compute environments instead of the deprecated AL2 | 2.249.0 | new default |

The following JSON shows the current recommended set of flags, as cdk init would generate it for new projects.

{
  "context": {
    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true,
    "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ],
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
    "@aws-cdk/core:enablePartitionLiterals": true,
    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
    "@aws-cdk/aws-route53-patters:useCertificate": true,
    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
    "@aws-cdk/aws-redshift:columnId": true,
    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
    "@aws-cdk/aws-kms:aliasNameRef": true,
    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true,
    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
    "@aws-cdk/aws-eks:useNativeOidcProvider": true,
    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
    "@aws-cdk/core:explicitStackTags": true,
    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
    "@aws-cdk/core:enableAdditionalMetadataCollection": true,
    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
    "@aws-cdk/aws-events:requireEventBusPolicySid": true,
    "@aws-cdk/core:aspectPrioritiesMutating": true,
    "@aws-cdk/aws-dynamodb:retainTableReplica": true,
    "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true,
    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
    "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true,
    "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
    "@aws-cdk/aws-lambda:useCdkManagedLogGroup": true,
    "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": true,
    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": true,
    "@aws-cdk/aws-route53-patterns:useDistribution": true,
    "@aws-cdk/aws-cloudfront:defaultFunctionRuntimeV2_0": true,
    "@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy": true,
    "@aws-cdk/aws-batch:defaultToAL2023": true
  }
}

Flags removed in v2

These default change flags have been removed in v2. These used to be configurable in v1, but in v2 their behavior has become the default. Remove these from your cdk.json file. If the old behavior is important for your infrastructure, see the flag's description on how to achieve it.

| Flag | Summary | Type | Since |
| --- | --- | --- | --- |
| @aws-cdk/core:enableStackNameDuplicates | Allow multiple stacks with the same name | new default | 1.16.0 |
| aws-cdk:enableDiffNoFail | Make cdk diff not fail when there are differences | new default | 1.19.0 |
| @aws-cdk/aws-ecr-assets:dockerIgnoreSupport | DockerImageAsset properly supports .dockerignore files by default | new default | 1.73.0 |
| @aws-cdk/aws-secretsmanager:parseOwnedSecretName | Fix the referencing of SecretsManager names from ARNs | new default | 1.77.0 |
| @aws-cdk/aws-kms:defaultKeyPolicies | Tighten default KMS key policies | new default | 1.78.0 |
| @aws-cdk/aws-s3:grantWriteWithoutAcl | Remove PutObjectAcl from Bucket.grantWrite | new default | 1.85.0 |
| @aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount | Do not specify a default DesiredCount for ECS services | new default | 1.92.0 |
| @aws-cdk/aws-efs:defaultEncryptionAtRest | Enable this feature flag to have elastic file systems encrypted at rest by default. | new default | 1.98.0 |

Flags with a different default in v2

These fix/deprecation flags are still configurable in v2, but their default has changed compared to v1. If you are migrating a v1 CDK project to v2, explicitly set each of these flags that does not currently appear in your cdk.json to false, to avoid unexpected infrastructure changes.

| Flag | Summary | Type | Since | v1 default | v2 default |
| --- | --- | --- | --- | --- | --- |
| @aws-cdk/core:newStyleStackSynthesis | Switch to new stack synthesis method which enables CI/CD | fix | 1.39.0 | false | true |
| @aws-cdk/core:stackRelativeExports | Name exports based on the construct paths relative to the stack, rather than the global construct path | fix | 1.58.0 | false | true |
| @aws-cdk/aws-rds:lowercaseDbIdentifier | Force lowercasing of RDS Cluster names in CDK | fix | 1.97.0 | false | true |
| @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId | Allow adding/removing multiple UsagePlanKeys independently | fix | 1.98.0 | false | true |
| @aws-cdk/aws-lambda:recognizeVersionProps | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the fn.currentVersion. | fix | 1.106.0 | false | true |
| @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 | Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default. | fix | 1.117.0 | false | true |
| @aws-cdk/pipelines:reduceAssetRoleTrustScope | Remove the root account principal from PipelineAssetsFileRole trust policy | new default | | false | true |
| @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask | When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model. | fix | | false | true |
| @aws-cdk/core:aspectStabilization | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | config | | false | true |
| @aws-cdk/pipelines:reduceStageRoleTrustScope | Remove the root account principal from Stage addActions trust policy | new default | | false | true |
| @aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope | When enabled, scopes down the trust policy for the cross-account action role | new default | | false | true |
| @aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint | When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks. | fix | | false | true |
| @aws-cdk/core:automaticL1Traits | Automatically use the default L1 traits for L1 constructs | new default | | false | true |

Here is an example of a cdk.json file that restores v1 behavior for these flags:

{
  "context": {
    "@aws-cdk/core:newStyleStackSynthesis": false,
    "@aws-cdk/core:stackRelativeExports": false,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": false,
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": false,
    "@aws-cdk/aws-lambda:recognizeVersionProps": false,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false
  }
}
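The two checks described above, auditing a project's cdk.json against the recommended set printed earlier and pinning the default-changed flags to false when migrating from v1 to v2, as an added TypeScript example. This is not code from the CDK project: it embeds a subset of the recommended values and the six default-changed flags from the tables on this page together with a constructed sample context, and the function and variable names (auditContext, pinV1Behavior, RECOMMENDED, V1_V2_DEFAULT_CHANGED) are this example's own.

```typescript
// Added example, not part of the CDK project. Audits a cdk.json "context" map against
// the recommended feature-flag values and generates v1-compatibility entries.

type FlagValue = boolean | string[];
type Context = { [flag: string]: FlagValue };

// Recommended values, copied from the cdk.json listing above (a subset chosen for its
// security relevance; extend it with the remaining flags as needed).
const RECOMMENDED: Context = {
  "@aws-cdk/core:checkSecretUsage": true,
  "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
  "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
  "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
  "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
  "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
  "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
  "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
  "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
};

// The six flags from the "different default in v2" table that carry a v1 "Since" version.
const V1_V2_DEFAULT_CHANGED: string[] = [
  "@aws-cdk/core:newStyleStackSynthesis",
  "@aws-cdk/core:stackRelativeExports",
  "@aws-cdk/aws-rds:lowercaseDbIdentifier",
  "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId",
  "@aws-cdk/aws-lambda:recognizeVersionProps",
  "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021",
];

interface Finding {
  flag: string;
  kind: "missing" | "mismatch"; // missing: unset, so the old behavior is still in effect
  expected: FlagValue;
  actual?: FlagValue;
}

function sameValue(a: FlagValue, b: FlagValue): boolean {
  if (typeof a === "boolean" || typeof b === "boolean") return a === b;
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
  return true;
}

// Compare a project's context with the recommended values. A flag that is absent is
// reported separately from one that is present with a non-recommended value, because an
// absent "fix" flag silently keeps the legacy behavior.
function auditContext(context: Context, recommended: Context = RECOMMENDED): Finding[] {
  const findings: Finding[] = [];
  for (const flag of Object.keys(recommended)) {
    const expected = recommended[flag];
    if (!(flag in context)) {
      findings.push({ flag, kind: "missing", expected });
    } else if (!sameValue(context[flag], expected)) {
      findings.push({ flag, kind: "mismatch", expected, actual: context[flag] });
    }
  }
  return findings;
}

// v1 -> v2 migration: every default-changed flag that the project has not set is pinned
// to false, so deployed resources keep their v1 behavior until each flag is reviewed.
// Flags already present are left alone, whatever their value.
function pinV1Behavior(context: Context, flags: string[] = V1_V2_DEFAULT_CHANGED): Context {
  const pinned: Context = { ...context };
  for (const flag of flags) {
    if (!(flag in pinned)) pinned[flag] = false;
  }
  return pinned;
}

function formatFinding(f: Finding): string {
  return f.kind === "missing"
    ? `${f.flag}: not set (legacy behavior); recommended ${JSON.stringify(f.expected)}`
    : `${f.flag}: set to ${JSON.stringify(f.actual)}; recommended ${JSON.stringify(f.expected)}`;
}

// Constructed sample context, standing in for the "context" object of a project's cdk.json.
const SAMPLE_CONTEXT: Context = {
  "@aws-cdk/core:checkSecretUsage": true,
  "@aws-cdk/aws-s3:publicAccessBlockedByDefault": false,
  "@aws-cdk/core:target-partitions": ["aws"],
  "@aws-cdk/core:newStyleStackSynthesis": true,
};

for (const f of auditContext(SAMPLE_CONTEXT)) console.log(formatFinding(f));
console.log(JSON.stringify({ context: pinV1Behavior({}) }, null, 2));
```

Run against an empty context, pinV1Behavior produces exactly the six false entries shown in the cdk.json above; run against the sample, it leaves the already-present newStyleStackSynthesis: true untouched, which is the behavior the migration note asks for.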

Feature flag details

Here are more details about each of the flags:

@aws-cdk/core:enableStackNameDuplicates

Allow multiple stacks with the same name

Flag type: New default behavior

If this is set, multiple stacks can use the same stack name (e.g. deployed to different environments). This means that the name of the synthesized template file will be based on the construct path and not on the defined stackName of the stack.

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.16.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: Pass stack identifiers to the CLI instead of stack names.

aws-cdk:enableDiffNoFail

Make cdk diff not fail when there are differences

Flag type: New default behavior

Determines what status code cdk diff should return when the specified stack differs from the deployed stack or the local CloudFormation template:

  • aws-cdk:enableDiffNoFail=true => status code == 0
  • aws-cdk:enableDiffNoFail=false => status code == 1

You can override this behavior with the --fail flag:

  • --fail => status code == 1
  • --no-fail => status code == 0

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.19.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: Specify --fail to the CLI.

@aws-cdk/aws-ecr-assets:dockerIgnoreSupport

DockerImageAsset properly supports .dockerignore files by default

Flag type: New default behavior

If this flag is not set, the default behavior for DockerImageAsset is to use glob semantics for .dockerignore files. If this flag is set, the default behavior is standard Docker ignore semantics.

This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it.

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.73.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: Update your .dockerignore file to match standard Docker ignore rules, if necessary.

@aws-cdk/aws-secretsmanager:parseOwnedSecretName

Fix the referencing of SecretsManager names from ARNs

Flag type: New default behavior

Secret.secretName for an "owned" secret will attempt to parse the secretName from the ARN, rather than the default full resource name, which includes the SecretsManager suffix.

If this flag is not set, Secret.secretName will include the SecretsManager suffix, which cannot be directly used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g., Fn:Join, Fn:Select, Fn:Split).

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.77.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: Use parseArn(secret.secretName).resourceName to emulate the incorrect old parsing.

@aws-cdk/aws-kms:defaultKeyPolicies

Tighten default KMS key policies

Flag type: New default behavior

KMS Keys start with a default key policy that grants the account access to administer the key, mirroring the behavior of the KMS SDK/CLI/Console experience. Users may override the default key policy by specifying their own.

If this flag is not set, the default key policy depends on the setting of the trustAccountIdentities flag. If false (the default, for backwards-compatibility reasons), the default key policy somewhat resembles the default admin key policy, but with the addition of 'GenerateDataKey' permissions. If true, the policy matches what happens when this feature flag is set.

Additionally, if this flag is not set and the user supplies a custom key policy, this will be appended to the key's default policy (rather than replacing it).

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.78.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: Pass trustAccountIdentities: false to Key construct to restore the old behavior.

@aws-cdk/aws-s3:grantWriteWithoutAcl

Remove PutObjectAcl from Bucket.grantWrite

Flag type: New default behavior

Change the old 's3:PutObject*' permission to 's3:PutObject' on Bucket, as the former includes 's3:PutObjectAcl', which could be used to grant read/write object access to IAM principals in other accounts. Use a feature flag to make sure existing customers who might be relying on the overly-broad permissions are not broken.

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.85.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: Call bucket.grantPutAcl() in addition to bucket.grantWrite() to grant ACL permissions.
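The risk the paragraph above describes, a wildcard such as s3:PutObject* silently covering s3:PutObjectAcl, is easy to check for in synthesized output. Below is an added TypeScript example, not CDK code, that walks the policy resources of a CloudFormation template and reports every Allow statement whose action pattern expands to an object-ACL action. The template is constructed inline; its two action lists are modelled on what the legacy and the current grantWrite produce, not copied from CDK, and the function names (iamPatternToRegExp, actionMatches, findAclGrants) are this example's own.

```typescript
// Added example, not part of the CDK project. Finds IAM statements in a synthesized
// template whose action patterns cover s3:PutObjectAcl, the permission that the
// grantWriteWithoutAcl flag removed from Bucket.grantWrite.

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyResource {
  Type: string;
  Properties: { PolicyDocument: { Version?: string; Statement: Statement[] } };
}

interface Template {
  Resources: { [logicalId: string]: PolicyResource };
}

interface AclGrant {
  logicalId: string;
  pattern: string;  // the action pattern as written in the template
  grants: string[]; // which of the watched ACL actions that pattern covers
}

// Object ACL actions that can hand object access to principals in other accounts.
const WATCHED_ACTIONS: string[] = ["s3:PutObjectAcl", "s3:PutObjectVersionAcl"];

// Resource types whose PolicyDocument this linter inspects.
const POLICY_TYPES: string[] = ["AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::S3::BucketPolicy"];

// Translate an IAM action pattern into a regular expression: "*" matches any run of
// characters, "?" matches one character, and IAM compares action names case-insensitively.
function iamPatternToRegExp(pattern: string): RegExp {
  let src = "^";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern.charAt(i);
    if (ch === "*") src += ".*";
    else if (ch === "?") src += ".";
    else src += /[.+^${}()|[\]\\]/.test(ch) ? "\\" + ch : ch;
  }
  return new RegExp(src + "$", "i");
}

function actionMatches(pattern: string, action: string): boolean {
  return iamPatternToRegExp(pattern).test(action);
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Walk every Allow statement of every policy resource and report the patterns that
// expand to a watched ACL action. Deny statements never widen access and are skipped.
function findAclGrants(template: Template): AclGrant[] {
  const found: AclGrant[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (POLICY_TYPES.indexOf(res.Type) < 0) continue;
    for (const stmt of res.Properties.PolicyDocument.Statement) {
      if (stmt.Effect !== "Allow") continue;
      for (const pattern of asList(stmt.Action)) {
        const grants = WATCHED_ACTIONS.filter((a) => actionMatches(pattern, a));
        if (grants.length > 0) found.push({ logicalId, pattern, grants });
      }
    }
  }
  return found;
}

// Constructed template with two role policies: one written with the legacy wildcard
// and one with the narrower action list that the flag's behavior produces.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    WriterRoleDefaultPolicyLegacy: {
      Type: "AWS::IAM::Policy",
      Properties: { PolicyDocument: { Version: "2012-10-17", Statement: [
        { Effect: "Allow", Action: ["s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"], Resource: "*" },
      ] } },
    },
    WriterRoleDefaultPolicyCurrent: {
      Type: "AWS::IAM::Policy",
      Properties: { PolicyDocument: { Version: "2012-10-17", Statement: [
        { Effect: "Allow", Action: ["s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold",
          "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*"], Resource: "*" },
        { Effect: "Deny", Action: "s3:PutObjectAcl", Resource: "*" },
      ] } },
    },
  },
};

for (const g of findAclGrants(SAMPLE_TEMPLATE)) {
  console.log(`${g.logicalId}: "${g.pattern}" also allows ${g.grants.join(", ")}`);
}
```

Only the legacy policy is reported, with s3:PutObject* expanding to both s3:PutObjectAcl and s3:PutObjectVersionAcl; the explicit s3:PutObject in the current policy does not match, which is exactly the narrowing the flag performs. Pointing the same walk at a cdk synth output directory gives a cheap regression check after the flag is turned on.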

@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount

Do not specify a default DesiredCount for ECS services

Flag type: New default behavior

ApplicationLoadBalancedServiceBase, ApplicationMultipleTargetGroupServiceBase, NetworkLoadBalancedServiceBase, NetworkMultipleTargetGroupServiceBase, and QueueProcessingServiceBase currently determine a default value for the desired count of a CfnService if a desiredCount is not provided. The result of this is that on every deployment, the service count is reset to the fixed value, even if it was autoscaled.

If this flag is not set, the default behaviour for CfnService.desiredCount is to set a desiredCount of 1, if one is not provided. If true, a default will not be defined for CfnService.desiredCount and as such desiredCount will be undefined, if one is not provided.

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.92.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: You can pass desiredCount: 1 explicitly, but you should never need this.

@aws-cdk/aws-efs:defaultEncryptionAtRest

Enable this feature flag to have elastic file systems encrypted at rest by default.

Flag type: New default behavior

Encryption can also be configured explicitly using the encrypted property.

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.98.0 | false | true |
| (not configurable in v2) | true | |

Compatibility with old behavior: Pass the encrypted: false property to the FileSystem construct to disable encryption.

@aws-cdk/core:newStyleStackSynthesis

Switch to new stack synthesis method which enables CI/CD

Flag type: Backwards incompatible bugfix

If this flag is specified, all Stacks will use the DefaultStackSynthesizer by default. If it is not set, they will use the LegacyStackSynthesizer.

| Since | Unset behaves like | Recommended value |
| --- | --- | --- |
| 1.39.0 | false | true |
| 2.0.0 | true | true |

@aws-cdk/core:stackRelativeExports

Name exports based on the construct paths relative to the stack, rather than the global construct path

Flag type: Backwards incompatible bugfix

Combined with the stack name this relative construct path is good enough to ensure uniqueness, and makes the export names robust against refactoring the location of the stack in the construct tree (specifically, moving the Stack into a Stage).

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.58.0 | false | true |
| 2.0.0 | true | true |

@aws-cdk/aws-rds:lowercaseDbIdentifier

Force lowercasing of RDS Cluster names in CDK

Flag type: Backwards incompatible bugfix

Cluster names must be lowercase, and the service lowercases the name when the cluster is created. Previously CDK was unaware of this and used the user-provided name when referencing the cluster, which failed whenever that name happened to be mixed-case.

With this flag, CDK lowercases the name itself so that references to the cluster resolve correctly.

Must be behind a permanent flag because changing a name from mixed case to lowercase between deployments would lead CloudFormation to think the name was changed and would trigger a cluster replacement (losing data!).

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.97.0 | false | true |
| 2.0.0 | true | true |

@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId

Allow adding/removing multiple UsagePlanKeys independently

Flag type: Backwards incompatible bugfix

The UsagePlanKey resource connects an ApiKey with a UsagePlan. API Gateway does not allow more than one UsagePlanKey for any given UsagePlan and ApiKey combination. For this reason, CloudFormation cannot replace this resource without either the UsagePlan or ApiKey changing.

The feature addition to support multiple UsagePlanKey resources - 142bd0e2 - recognized this and attempted to keep existing UsagePlanKey logical ids unchanged. However, this intentionally caused the logical id of the UsagePlanKey to be sensitive to order. That is, when the 'first' UsagePlanKey resource is removed, the logical id of the 'second' assumes what was originally the 'first', which again is disallowed.

In effect, there is no way to get out of this mess in a backwards compatible way, while supporting existing stacks. This flag changes the logical id layout of UsagePlanKey to not be sensitive to order.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.98.0 | false | true |
| 2.0.0 | true | true |

@aws-cdk/aws-lambda:recognizeVersionProps

Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the fn.currentVersion.

Flag type: Backwards incompatible bugfix

The previous calculation incorrectly considered properties of the AWS::Lambda::Function resource that did not constitute creating a new Version.

See 'currentVersion' section in the aws-lambda module's README for more details.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.106.0 | false | true |
| 2.0.0 | true | true |

@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021

Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.

Flag type: Backwards incompatible bugfix

The security policy can also be configured explicitly using the minimumProtocolVersion property.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.117.0 | false | true |
| 2.0.0 | true | true |

@aws-cdk/core:target-partitions

What regions to include in lookup tables of environment agnostic stacks

Flag type: Configuration option

Has no effect on stacks that have a defined region, but will limit the amount of unnecessary regions included in stacks without a known region.

The type of this value should be a list of strings.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.137.0 | false | ["aws","aws-cn"] |
| 2.4.0 | false | ["aws","aws-cn"] |
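As an added example, not taken from the page or from a CDK project, here is a cdk.json context fragment showing how flags from this list are set: target-partitions takes a list of strings, the other flags take booleans, and installLatestAwsSdkDefault is set to its recommended value of false. The app command is a placeholder for the project's own entry point.

```json
{
  "app": "npx ts-node --prefer-ts-exts bin/app.ts",
  "context": {
    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
    "@aws-cdk/core:newStyleStackSynthesis": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
    "@aws-cdk/customresources:installLatestAwsSdkDefault": false
  }
}
```

Because these are ordinary context values, the same keys can also be set per stack or per construct with node.setContext, or from the command line with cdk --context; the cdk.json file is simply the place where they are usually kept under version control.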

@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver

ECS extensions will automatically add an awslogs driver if no logging is specified

Flag type: New default behavior

Enable this feature flag to configure default logging behavior for the ECS Service Extensions. This will enable the awslogs log driver for the application container of the service to send the container logs to CloudWatch Logs.

This is a feature flag as the new behavior provides a better default experience for the users.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.140.0 | false | true |
| 2.8.0 | false | true |

Compatibility with old behavior: Specify a log driver explicitly.

@aws-cdk/aws-ec2:uniqueImdsv2TemplateName

Enable this feature flag to have Launch Templates generated by the InstanceRequireImdsv2Aspect use unique names.

Flag type: Backwards incompatible bugfix

Previously, the generated Launch Template names were only unique within a stack because they were based only on the Instance construct ID. If another stack that has an Instance with the same construct ID is deployed in the same account and region, the deployments would always fail as the generated Launch Template names were the same.

The new implementation addresses this issue by generating the Launch Template name with the Names.uniqueId method.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.140.0 | false | true |
| 2.8.0 | false | true |

@aws-cdk/aws-iam:minimizePolicies

Minimize IAM policies by combining Statements

Flag type: Configuration option

Minimize IAM policies by combining Principals, Actions and Resources of two Statements in the policies, as long as it doesn't change the meaning of the policy.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.150.0 | false | true |
| 2.18.0 | false | true |
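The merging rule above is easier to reason about in code. The following is an added example, not aws-cdk-lib's implementation: a simplified statement minimizer that only combines two statements when the result has exactly the same meaning, that is, same Effect, no Condition on either side, the same Principal, and either identical Resources (so the Actions can be unioned) or identical Actions (so the Resources can be unioned). Statement shapes such as NotAction or NotResource are deliberately not modelled.

```typescript
// Added example; not aws-cdk-lib's own code. A simplified model of the
// statement merging that @aws-cdk/aws-iam:minimizePolicies performs.

interface IamStatement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
  Principal?: { [key: string]: string | string[] };
  Condition?: { [operator: string]: { [key: string]: unknown } };
}

// Sort and de-duplicate so that equality checks are order-insensitive.
function normalizeList(values: string[]): string[] {
  const unique = values.filter((v, i) => values.indexOf(v) === i);
  return unique.slice().sort();
}

function canonical(s: IamStatement): IamStatement {
  return { ...s, Action: normalizeList(s.Action), Resource: normalizeList(s.Resource) };
}

function sameJson(a: unknown, b: unknown): boolean {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Returns the merged statement, or undefined when merging could change meaning.
function tryMerge(a: IamStatement, b: IamStatement): IamStatement | undefined {
  if (a.Effect !== b.Effect) return undefined;
  // A Condition scopes only its own statement; unioning across it would widen access.
  if (a.Condition !== undefined || b.Condition !== undefined) return undefined;
  if (!sameJson(a.Principal, b.Principal)) return undefined;
  if (sameJson(a.Resource, b.Resource)) {
    return { ...a, Action: normalizeList(a.Action.concat(b.Action)) };
  }
  if (sameJson(a.Action, b.Action)) {
    return { ...a, Resource: normalizeList(a.Resource.concat(b.Resource)) };
  }
  return undefined;
}

// Greedy single pass: each statement is folded into the first earlier
// statement it can safely merge with, otherwise kept as-is.
function minimizeStatements(statements: IamStatement[]): IamStatement[] {
  const result: IamStatement[] = [];
  for (const statement of statements.map(canonical)) {
    let merged = false;
    for (let i = 0; i < result.length; i++) {
      const candidate = tryMerge(result[i], statement);
      if (candidate !== undefined) {
        result[i] = candidate;
        merged = true;
        break;
      }
    }
    if (!merged) result.push(statement);
  }
  return result;
}
```

The point to carry over to real policies is the refusal to merge across a Condition: a conditional statement and an unconditional one with the same Resource look mergeable, but unioning their Actions would silently lift the condition from one of them.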

@aws-cdk/core:checkSecretUsage

Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations

Flag type: Configuration option

With this flag enabled, SecretValue instances can only be passed to constructs that accept SecretValues; otherwise, unsafeUnwrap() must be called to use it as a regular string.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.153.0 | false | true |
| 2.21.0 | false | true |
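The mechanism behind this flag is a value type that fails loudly when it is coerced to a plain string. The following added example is not aws-cdk-lib's SecretValue but a small wrapper built on the same idea, together with one sink that understands the wrapper and one that does not, so the difference between "accepted as a secret" and "accidentally stringified" is visible.

```typescript
// Added example; not aws-cdk-lib's SecretValue. Demonstrates the guard pattern
// that @aws-cdk/core:checkSecretUsage relies on: implicit string conversion
// throws, so a secret only reaches a place that explicitly unwraps it.

class GuardedSecret {
  constructor(private readonly value: string) {}

  // The only sanctioned way to obtain the raw string; the name makes the risk visible.
  unsafeUnwrap(): string {
    return this.value;
  }

  // Template literals, string concatenation and String() all end up here.
  toString(): string {
    throw new Error('GuardedSecret used as a plain string; call unsafeUnwrap() if this is intended');
  }

  // JSON.stringify would otherwise serialise the private field.
  toJSON(): string {
    return this.toString();
  }
}

// A sink that knows about the wrapper: it unwraps, but only at the last moment.
function renderSecretAwareEnv(vars: { [name: string]: string | GuardedSecret }): string[] {
  return Object.keys(vars).map(name => {
    const v = vars[name];
    return `${name}=${v instanceof GuardedSecret ? v.unsafeUnwrap() : v}`;
  });
}

// A sink that is unaware of the wrapper: the coercion is caught rather than
// leaking the secret into the rendered output.
function renderNaiveEnv(vars: { [name: string]: unknown }): { rendered: string[]; blocked: string[] } {
  const rendered: string[] = [];
  const blocked: string[] = [];
  for (const name of Object.keys(vars)) {
    try {
      rendered.push(`${name}=${String(vars[name])}`);
    } catch {
      blocked.push(name);
    }
  }
  return { rendered, blocked };
}
```

In CDK the "secret-aware sink" is any construct property typed as SecretValue; everything else is the naive sink, which is why the flag turns an accidental plaintext into a synthesis-time error instead of a leaked template value.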

@aws-cdk/aws-lambda:recognizeLayerVersion

Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the fn.currentVersion.

Flag type: Backwards incompatible bugfix

This flag correctly incorporates Lambda Layer properties into the Lambda Function Version.

See 'currentVersion' section in the aws-lambda module's README for more details.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| 1.159.0 | false | true |
| 2.27.0 | false | true |

@aws-cdk/core:validateSnapshotRemovalPolicy

Error on snapshot removal policies on resources that do not support it.

Flag type: New default behavior

Makes sure we do not allow snapshot removal policy on resources that do not support it. If supplied on an unsupported resource, CloudFormation ignores the policy altogether. This flag will reduce confusion and unexpected loss of data when erroneously supplying the snapshot removal policy.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.28.0 | false | true |

Compatibility with old behavior: The old behavior was incorrect. Update your source to not specify SNAPSHOT policies on resources that do not support it.

@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName

Generate key aliases that include the stack name

Flag type: Backwards incompatible bugfix

Enable this feature flag to have CodePipeline generate a unique cross account key alias name using the stack name.

Previously, when creating multiple pipelines with similar naming conventions and when crossAccountKeys is true, the KMS key alias name created for these pipelines may be the same due to how the uniqueId is generated.

This new implementation creates a stack safe resource name for the alias using the stack name instead of the stack ID.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.29.0 | false | true |

@aws-cdk/aws-s3:createDefaultLoggingPolicy

Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist.

Flag type: Backwards incompatible bugfix

For example, in order to send VPC flow logs to an S3 bucket, a specific bucket policy needs to be attached to the bucket. If you create the bucket without a policy and then add the bucket as the flow log destination, the service automatically creates the bucket policy with the necessary permissions. If you then try to add your own bucket policy, CloudFormation will throw an error indicating that a bucket policy already exists.

In cases where we know what the required policy is, we can create the policy up front so that we remain in control of it.

@see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.31.0 | false | true |

@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption

Restrict KMS key policy for encrypted Queues a bit more

Flag type: Backwards incompatible bugfix

Enable this feature flag to restrict the decryption of an SQS queue that is subscribed to an SNS topic to only the topic it is subscribed to, rather than the whole SNS service in the account.

Previously decryption was only restricted to the SNS service principal. To make the SQS subscription more secure, it is good practice to restrict decryption further and allow only the connected SNS topic to decrypt the subscribed queue.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.32.0 | false | true |
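What "restricted to the topic" means in policy terms is a condition on the KMS key policy statement. The following added example is not the aws-sns-subscriptions module's own code: it renders the key policy statement that lets SNS use the queue's key, first scoped to the whole SNS service principal (the behaviour without the flag) and then scoped to one topic via an aws:SourceArn condition, and includes a deliberately minimal evaluator to show that another topic in the same account no longer matches. The topic ARNs are constructed sample values.

```typescript
// Added example; not the aws-sns-subscriptions module's own code. Shows the
// service-wide KMS grant versus the topic-scoped grant that
// @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption produces.

interface KeyPolicyStatement {
  Sid: string;
  Effect: 'Allow';
  Principal: { Service: string };
  Action: string[];
  Resource: '*';
  Condition?: { ArnEquals: { 'aws:SourceArn': string } };
}

// Pass the subscribed topic's ARN to get the restricted form; omit it for the
// service-wide grant that the flag replaces.
function snsKeyPolicyStatement(subscribedTopicArn?: string): KeyPolicyStatement {
  const statement: KeyPolicyStatement = {
    Sid: 'AllowSnsToUseQueueKey',
    Effect: 'Allow',
    Principal: { Service: 'sns.amazonaws.com' },
    Action: ['kms:Decrypt', 'kms:GenerateDataKey'],
    Resource: '*',
  };
  if (subscribedTopicArn !== undefined) {
    // Only calls SNS makes on behalf of this one topic satisfy the condition.
    statement.Condition = { ArnEquals: { 'aws:SourceArn': subscribedTopicArn } };
  }
  return statement;
}

interface KmsRequest {
  service: string;   // calling service principal
  action: string;    // e.g. kms:Decrypt
  sourceArn: string; // resource on whose behalf the service acts
}

// Toy evaluator covering only the principal, action and single condition
// used above; it is not a model of full IAM evaluation.
function statementAllows(statement: KeyPolicyStatement, request: KmsRequest): boolean {
  if (statement.Principal.Service !== request.service) return false;
  if (statement.Action.indexOf(request.action) === -1) return false;
  if (statement.Condition === undefined) return true;
  return statement.Condition.ArnEquals['aws:SourceArn'] === request.sourceArn;
}

const SUBSCRIBED_TOPIC = 'arn:aws:sns:us-east-1:111122223333:orders';   // constructed
const OTHER_TOPIC = 'arn:aws:sns:us-east-1:111122223333:marketing';     // constructed

// A different topic in the same account: allowed by the loose statement,
// rejected once the condition is present.
function compareScopes(): { loose: boolean; restricted: boolean } {
  const request: KmsRequest = { service: 'sns.amazonaws.com', action: 'kms:Decrypt', sourceArn: OTHER_TOPIC };
  return {
    loose: statementAllows(snsKeyPolicyStatement(), request),
    restricted: statementAllows(snsKeyPolicyStatement(SUBSCRIBED_TOPIC), request),
  };
}
```

The same shape, a service principal plus an aws:SourceArn or aws:SourceAccount condition, is the standard answer to the confused-deputy problem for any AWS service acting on a customer's behalf; the flag simply applies it to the queue key.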

@aws-cdk/aws-ecs:arnFormatIncludesClusterName

ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID.

Flag type: Backwards incompatible bugfix

If this flag is not set, the old ARN format (without cluster name) for ECS is used. If this flag is set, the new ARN format (with cluster name) for ECS is used.

This is a feature flag as the old format is still valid for existing ECS clusters.

See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.35.0 | false | true |
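To make the two formats concrete, here is an added example (not aws-cdk-lib code) that renders an ECS ARN in the old and new layout and parses either back, so the cluster-name component is visible. Region, account, cluster and service names are constructed samples.

```typescript
// Added example; not aws-cdk-lib code. Renders and parses ECS ARNs in the two
// formats that @aws-cdk/aws-ecs:arnFormatIncludesClusterName switches between.

interface EcsArn {
  partition: string;
  region: string;
  account: string;
  resourceType: string;  // 'service', 'task', 'container-instance' or 'cluster'
  clusterName?: string;  // present only in the new, cluster-qualified format
  name: string;
}

function renderEcsArn(parts: EcsArn, includeClusterName: boolean): string {
  // The cluster ARN itself never carries a cluster prefix.
  const qualify = includeClusterName && parts.resourceType !== 'cluster' && parts.clusterName !== undefined;
  const resource = qualify ? `${parts.clusterName}/${parts.name}` : parts.name;
  return `arn:${parts.partition}:ecs:${parts.region}:${parts.account}:${parts.resourceType}/${resource}`;
}

function parseEcsArn(arn: string): EcsArn {
  // arn:partition:service:region:account:resource, where only the resource part may contain '/'
  const fields = arn.split(':');
  if (fields.length !== 6 || fields[0] !== 'arn' || fields[2] !== 'ecs') {
    throw new Error(`not an ECS ARN: ${arn}`);
  }
  const resourceFields = fields[5].split('/');
  if (resourceFields.length < 2 || resourceFields.length > 3) {
    throw new Error(`unexpected ECS resource id: ${fields[5]}`);
  }
  const parsed: EcsArn = {
    partition: fields[1],
    region: fields[3],
    account: fields[4],
    resourceType: resourceFields[0],
    name: resourceFields[resourceFields.length - 1],
  };
  if (resourceFields.length === 3) {
    parsed.clusterName = resourceFields[1];
  }
  return parsed;
}
```

The practical consequence for access control: an IAM Resource pattern written for one layout, such as one ending in service/orders-api, does not match the other layout's service/prod-cluster/orders-api, so policies that name ECS resources explicitly need to be checked when the format (and therefore this flag) changes.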

@aws-cdk/aws-apigateway:disableCloudWatchRole

Make default CloudWatch Role behavior safe for multiple API Gateways in one environment

Flag type: Backwards incompatible bugfix

Enable this feature flag to change the default behavior for aws-apigateway.RestApi and aws-apigateway.SpecRestApi to not create a CloudWatch role and Account. There is only a single ApiGateway account per AWS environment which means that each time you create a RestApi in your account the ApiGateway account is overwritten. If at some point the newest RestApi is deleted, the ApiGateway Account and CloudWatch role will also be deleted, breaking any existing ApiGateways that were depending on them.

When this flag is enabled you should either create the ApiGateway account and CloudWatch role separately or only enable the cloudWatchRole on a single RestApi.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.38.0 | false | true |

@aws-cdk/core:enablePartitionLiterals

Make ARNs concrete if AWS partition is known

Flag type: Backwards incompatible bugfix

Enable this feature flag to get partition names as string literals in Stacks with known regions defined in their environment, such as "aws" or "aws-cn". Previously the CloudFormation intrinsic function "Ref: AWS::Partition" was used. For example:

Principal:
  AWS:
    Fn::Join:
      - ""
      - - "arn:"
        - Ref: AWS::Partition
        - :iam::123456789876:root

becomes:

Principal:
  AWS: "arn:aws:iam::123456789876:root"

The intrinsic function will still be used in Stacks where no region is defined or the region's partition is unknown.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.38.0 | false | true |
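The decision described above, literal partition when the region is known and the intrinsic otherwise, is shown here as an added example; it is not aws-cdk-lib's implementation. The region-to-partition table is a constructed subset for illustration (the real set of regions is much larger), and the account id is the same sample value used in the YAML above.

```typescript
// Added example; not aws-cdk-lib's own code. Renders an IAM root-principal ARN
// either as a string literal or as the Ref: AWS::Partition intrinsic, the
// choice that @aws-cdk/core:enablePartitionLiterals controls.

// Constructed subset of the region -> partition mapping used for this example.
const PARTITION_BY_REGION: { [region: string]: string } = {
  'us-east-1': 'aws', 'us-west-2': 'aws', 'eu-west-1': 'aws',
  'cn-north-1': 'aws-cn', 'cn-northwest-1': 'aws-cn',
  'us-gov-west-1': 'aws-us-gov', 'us-gov-east-1': 'aws-us-gov',
};

// Returns undefined for an environment-agnostic stack (no region) or for a
// region the table does not know, which is exactly when the literal is unsafe.
function partitionForRegion(region: string | undefined): string | undefined {
  if (region === undefined) return undefined;
  return Object.prototype.hasOwnProperty.call(PARTITION_BY_REGION, region)
    ? PARTITION_BY_REGION[region]
    : undefined;
}

// A CloudFormation value is either a plain string or an intrinsic object.
type CfnValue = string | { 'Fn::Join': [string, Array<string | { Ref: string }>] };

function renderRootPrincipalArn(account: string, region: string | undefined, partitionLiterals: boolean): CfnValue {
  const partition = partitionLiterals ? partitionForRegion(region) : undefined;
  if (partition !== undefined) {
    return `arn:${partition}:iam::${account}:root`;
  }
  // Fall back to the intrinsic so the template stays valid in any partition.
  return { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, `:iam::${account}:root`]] };
}
```

The literal form matters beyond readability: a concrete ARN can be compared and diffed by policy linters and reviewers, whereas the Fn::Join form is opaque until deployment. The fallback is kept so that a stack synthesised without a region never hard-codes the commercial partition by accident.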

@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker

Avoid setting the "ECS" deployment controller when adding a circuit breaker

Flag type: Backwards incompatible bugfix

Enable this feature flag to avoid setting the "ECS" deployment controller when adding a circuit breaker to an ECS Service, as doing so triggers a full replacement, which fails to deploy when a fixed service name is set. This does not change any behaviour, because the default deployment controller when none is defined is ECS.

This is a feature flag as the new behavior provides a better default experience for the users.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.51.0 | false | true |

@aws-cdk/aws-events:eventsTargetQueueSameAccount

Event Rules may only push to encrypted SQS queues in the same account

Flag type: Backwards incompatible bugfix

This flag applies to SQS Queues that are used as the target of event Rules. When enabled, only principals from the same account as the Rule can send messages. If a queue is unencrypted, this restriction will always apply, regardless of the value of this flag.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.51.0 | false | true |

@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName

Enable this feature to create default policy names for imported roles that depend on the stack the role is in.

Flag type: Backwards incompatible bugfix

Without this, importing the same role in multiple places could cause the permissions granted to one imported instance of the role to overwrite those granted at another place where it was imported, because all imported instances of a role used the same default policy name.

This new implementation creates default policy names based on the construct's node path in its stack.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.60.0 | false | true |

@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy

Use S3 Bucket Policy instead of ACLs for Server Access Logging

Flag type: Backwards incompatible bugfix

Enable this feature flag to use S3 Bucket Policy for granting permission for Server Access Logging rather than using the canned LogDeliveryWrite ACL. ACLs do not work when Object Ownership is enabled on the bucket.

This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3.

@see https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.60.0 | false | true |

@aws-cdk/customresources:installLatestAwsSdkDefault

Whether to install the latest SDK by default in AwsCustomResource

Flag type: New default behavior

This was originally introduced and enabled by default to not be limited by the SDK version that's installed on AWS Lambda. However, it creates issues for Lambdas bound to VPCs that do not have internet access, or in environments where 'npmjs.com' is not available.

The recommended setting is to disable the default installation behavior, and pass the flag on a resource-by-resource basis to enable it if necessary.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.60.0 | false | false |

Compatibility with old behavior: Set installLatestAwsSdk: true on all resources that need it.

@aws-cdk/aws-route53-patters:useCertificate

Use the official Certificate resource instead of DnsValidatedCertificate

Flag type: New default behavior

Enable this feature flag to use the official CloudFormation supported Certificate resource instead of the deprecated DnsValidatedCertificate construct. If this flag is enabled and you are creating the stack in a region other than us-east-1 then you must also set crossRegionReferences=true on the stack.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.61.0 | false | true |

Compatibility with old behavior: Define a DnsValidatedCertificate explicitly and pass it in the certificate property.

@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup

Remove CloudWatch alarms from deployment group

Flag type: Backwards incompatible bugfix

Enable this flag to be able to remove all CloudWatch alarms from a deployment group by removing the alarms from the construct. If this flag is not set, removing all alarms from the construct will still leave the alarms configured for the deployment group.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.65.0 | false | true |

@aws-cdk/aws-rds:databaseProxyUniqueResourceName

Use unique resource name for Database Proxy

Flag type: Backwards incompatible bugfix

If this flag is not set, the default behavior for DatabaseProxy is to use the construct id as the dbProxyName when none is specified in the props. In this case, users can't deploy DatabaseProxies that have the same id in the same region.

If this flag is set, the default behavior is to use unique resource names for each DatabaseProxy.

This is a feature flag as the old behavior was technically incorrect, but users may have come to depend on it.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.65.0 | false | true |

@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId

Include authorizer configuration in the calculation of the API deployment logical ID.

Flag type: Backwards incompatible bugfix

The logical ID of the AWS::ApiGateway::Deployment resource is calculated by hashing the API configuration, including methods, and resources, etc. Enable this feature flag to also include the configuration of any authorizer attached to the API in the calculation, so any changes made to an authorizer will create a new deployment.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.66.0 | false | true |

@aws-cdk/aws-ec2:launchTemplateDefaultUserData

Define user data for a launch template by default when a machine image is provided.

Flag type: Backwards incompatible bugfix

The ec2.LaunchTemplate construct did not define user data when a machine image was provided, despite what the documentation stated. If this flag is set, user data is automatically defined according to the OS of the machine image.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.67.0 | false | true |

@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments

SecretTargetAttachments uses the ResourcePolicy of the attached Secret.

Flag type: Backwards incompatible bugfix

Enable this feature flag to make SecretTargetAttachments use the ResourcePolicy of the attached Secret. SecretTargetAttachments are created to connect a Secret to a target resource. In CDK code, they behave like a regular Secret and can be used as a stand-in in most situations. Previously, adding to the ResourcePolicy of a SecretTargetAttachment attempted to create a separate ResourcePolicy for the same Secret. However, Secrets can only have a single ResourcePolicy, causing the CloudFormation deployment to fail.

When enabling this feature flag for an existing Stack, ResourcePolicies created via a SecretTargetAttachment will need replacement. This won't be possible without intervention due to the limitation outlined above. First remove all permissions granted to the Secret and deploy without the ResourcePolicies. Then you can re-add the permissions and deploy again.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.67.0 | false | true |

@aws-cdk/aws-redshift:columnId

Whether to use an ID to track Redshift column changes

Flag type: Backwards incompatible bugfix

Redshift columns are identified by their name. If a column is renamed, the old column will be dropped and a new column will be created. This can cause data loss.

This flag enables the use of an id attribute for Redshift columns. If this flag is enabled, the internal CDK architecture will track changes of Redshift columns through their id, rather than their name. This will prevent data loss when columns are renamed.

NOTE - Enabling this flag comes at a risk. When enabling it, update the ids of all columns, but do not change the names of the columns. If the names of the columns are changed during the initial deployment, the columns will be dropped and recreated, causing data loss. After the initial deployment of the ids, the names of the columns can be changed without data loss.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.68.0 | false | true |

@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2

Enable AmazonEMRServicePolicy_v2 managed policies

Flag type: Backwards incompatible bugfix

If this flag is not set, the default behavior for EmrCreateCluster is to use AmazonElasticMapReduceRole managed policies.

If this flag is set, the default behavior is to use the new AmazonEMRServicePolicy_v2 managed policies.

This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.72.0 | false | true |

@aws-cdk/aws-apigateway:requestValidatorUniqueId

Generate a unique id for each RequestValidator added to a method

Flag type: Backwards incompatible bugfix

This flag allows multiple RequestValidators to be added to a RestApi when providing the RequestValidatorOptions in the addMethod() method.

If the flag is not set then only a single RequestValidator can be added in this way. Any additional RequestValidators have to be created directly with new RequestValidator.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.78.0 | false | true |

@aws-cdk/aws-ec2:restrictDefaultSecurityGroup

Restrict access to the VPC default security group

Flag type: New default behavior

Enable this feature flag to remove the default ingress/egress rules from the VPC default security group.

When a VPC is created, a default security group is created as well and this cannot be deleted. The default security group is created with ingress/egress rules that allow all traffic. AWS Security best practices recommend removing these ingress/egress rules in order to restrict access to the default security group.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.78.0 | false | true |

Compatibility with old behavior: To allow all ingress/egress traffic to the VPC default security group you can set restrictDefaultSecurityGroup: false.

@aws-cdk/aws-kms:aliasNameRef

KMS Alias name and keyArn will have implicit reference to KMS Key

Flag type: Backwards incompatible bugfix

This flag allows an implicit dependency to be created between KMS Alias and KMS Key when referencing key.aliasName or key.keyArn.

If the flag is not set then a raw string is passed as the Alias name and no implicit dependencies will be set.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.83.0 | false | true |

@aws-cdk/core:includePrefixInUniqueNameGeneration

Include the stack prefix in the stack name generation process

Flag type: Backwards incompatible bugfix

This flag prevents the prefix of a stack from making the stack's name longer than the 128 character limit.

If the flag is set, the prefix is included in the stack name generation process. If the flag is not set, then the prefix of the stack is prepended to the generated stack name.

NOTE - Enabling this flag comes at a risk. If you have already deployed stacks, changing the status of this feature flag can lead to a change in the stacks' names. Changing a stack name means recreating the whole stack, which is not viable in some production setups.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.84.0 | false | true |

@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig

Generate a launch template when creating an AutoScalingGroup

Flag type: Backwards incompatible bugfix

Enable this flag to allow AutoScalingGroups to generate a launch template when being created. Launch configurations have been deprecated and cannot be created in AWS Accounts created after December 31, 2023. Existing 'AutoScalingGroup' properties used for creating a launch configuration will now create an equivalent 'launchTemplate'. Alternatively, users can provide an explicit 'launchTemplate' or 'mixedInstancesPolicy'. When this flag is enabled a 'launchTemplate' will attempt to set user data according to the OS of the machine image if explicit user data is not provided.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.88.0 | false | true |

Compatibility with old behavior: If backwards compatibility needs to be maintained due to an existing autoscaling group using a launch config, set this flag to false.

@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby

Enables support for Multi-AZ with Standby deployment for opensearch domains

Flag type: New default behavior

If this is set, an opensearch domain will automatically be created with multi-az with standby enabled.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.88.0 | false | true |

Compatibility with old behavior: Pass capacity.multiAzWithStandbyEnabled: false to Domain construct to restore the old behavior.

@aws-cdk/aws-efs:denyAnonymousAccess

EFS denies anonymous clients access

Flag type: New default behavior

This flag adds the file system policy that denies anonymous clients access to efs.FileSystem.

If this flag is not set, efs.FileSystem will allow all anonymous clients that can reach it over the network.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.93.0 | false | true |

Compatibility with old behavior: You can pass allowAnonymousAccess: true to allow anonymous clients access.

@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId

When enabled, mount targets will have a stable logicalId that is linked to the associated subnet.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, each mount target will have a stable logicalId that is linked to the associated subnet. If the flag is set to false then the logicalIds of the mount targets can change if the number of subnets changes.

Set this flag to false for existing mount targets.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.93.0 | false | true |

@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion

Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default

Flag type: New default behavior

If this is set, and a runtime prop is not passed, Lambda NodeJs functions will use the latest version of the runtime provided by the Lambda service. Do not use this if your lambda function is reliant on dependencies shipped as part of the runtime environment.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.93.0 | false | true |

Compatibility with old behavior: Pass runtime: lambda.Runtime.NODEJS_16_X to Function construct to restore the previous behavior.

@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier

When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, we use the IGraphqlApi ARN rather than ID when creating or updating CfnSourceApiAssociation in the GraphqlApi construct. Using the ARN allows the association to support an association with a source api or merged api in another account. Note that for existing source api associations created with this flag disabled, enabling the flag will lead to a resource replacement.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.97.0 | false | true |

@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters

When enabled, the scope of the InstanceParameterGroup for each AuroraClusterInstance changes.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, the scope of the InstanceParameterGroup for each AuroraClusterInstance changes from the AuroraCluster to the AuroraClusterInstance.

If the flag is set to false then only one AuroraClusterInstance can be created for each InstanceParameterGroup in the AuroraCluster.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.97.0 | false | true |

@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials

When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials.

Flag type: Backwards incompatible bugfix

The credentials property on the DatabaseClusterFromSnapshotProps interface was deprecated with the new snapshotCredentials property being recommended. Before deprecating credentials, a secret would be generated while rendering credentials if the credentials property was undefined or if a secret wasn't provided via the credentials property. This behavior is replicated with the new snapshotCredentials property, but the original credentials secret can still be created resulting in an extra database secret.

Set this flag to prevent rendering deprecated credentials and creating an extra database secret when only using snapshotCredentials to create an RDS database cluster from a snapshot.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.98.0 | false | true |

@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource

When enabled, the CodeCommit source action uses the default branch name 'main'.

Flag type: Backwards incompatible bugfix

When setting up a CodeCommit source action for the source stage of a pipeline, please note that the default branch is 'master'. However, with the activation of this feature flag, the default branch is updated to 'main'.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.103.1 | false | true |

@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction

When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, the logical ID of the LambdaPermission for a LambdaAction will include an alarm ID. Therefore multiple alarms for the same Lambda can be created with LambdaAction.

If the flag is set to false then only one alarm can be created for the Lambda with LambdaAction.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.124.0 | false | true |

@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse

Enables Pipeline to set the default value for crossAccountKeys to false.

Flag type: New default behavior

When this feature flag is enabled, and the crossAccountKeys property is not provided in a Pipeline construct, the construct automatically defaults the value of this property to false.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.127.0 | false | true |

Compatibility with old behavior: Pass crossAccountKeys: true to Pipeline construct to restore the previous behavior.

@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2

Enables Pipeline to set the default pipeline type to V2.

Flag type: New default behavior

When this feature flag is enabled, and the pipelineType property is not provided in a Pipeline construct, the construct automatically defaults the value of this property to PipelineType.V2.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.133.0 | false | true |

Compatibility with old behavior: Pass pipelineType: PipelineType.V1 to Pipeline construct to restore the previous behavior.

@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope

When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.134.0 | false | true |

@aws-cdk/aws-eks:nodegroupNameAttribute

When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, the nodegroupName attribute will be exactly the name of the nodegroup without any prefix.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.139.0 | false | true |

@aws-cdk/aws-ec2:ebsDefaultGp3Volume

When enabled, the default volume type of the EBS volume will be GP3

Flag type: New default behavior

When this feature flag is enabled, the default volume type of the EBS volume will be EbsDeviceVolumeType.GENERAL_PURPOSE_SSD_GP3.

| Since | Unset behaves like | Recommended value |
| ----- | ----- | ----- |
| (not in v1) | | |
| 2.140.0 | false | true |

Compatibility with old behavior: Pass volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD to Volume construct to restore the previous behavior.

@aws-cdk/pipelines:reduceAssetRoleTrustScope

Remove the root account principal from PipelineAssetsFileRole trust policy

Flag type: New default behavior

When this feature flag is enabled, the root account principal will not be added to the trust policy of the asset role. When this feature flag is disabled, the root account principal is kept in the trust policy.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.141.0 | true | true |

Compatibility with old behavior: Disable the feature flag to add the root account principal back

@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm

When enabled, remove default deployment alarm settings

Flag type: New default behavior

When this feature flag is enabled, the default deployment alarm settings are removed when creating an AWS ECS service.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.143.0 | false | true |

Compatibility with old behavior: Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior.

@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault

When enabled, the custom resource used for AwsCustomResource will configure the logApiResponseData property as true by default

Flag type: Backwards incompatible bugfix

This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN:

CustomResource attribute error: Vendor response doesn't contain attribute in object. See https://github.com/aws/aws-cdk/issues/29949 for more details.

Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData' property from the event object.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.145.0 | false | false |

@aws-cdk/aws-s3:keepNotificationInImportedBucket

When enabled, adding notifications to a bucket in the current stack will not remove notifications added to the same bucket from a stack that imports it.

Flag type: Backwards incompatible bugfix

Currently, adding notifications to a bucket in the stack that created it overrides notifications that were added to the same bucket where it is imported.

When this feature flag is enabled, adding notifications to a bucket in the current stack will only update notification defined in this stack. Other notifications that are not managed by this stack will be kept.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.155.0 | false | false |
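The merge this flag describes, as an added example that is not the CDK notifications handler: S3 keeps a single NotificationConfiguration per bucket, so a handler that rewrites it has to carry along every entry it does not own. The stack name prefix used to decide ownership, the entry shape and all Ids and ARNs below are constructed for illustration.

```typescript
// Added example, not CDK code. Models the merge of S3 notification configurations:
// old behaviour replaces the bucket's whole configuration with the stack's desired
// entries; with keepNotificationInImportedBucket only this stack's own entries are
// replaced and everything else on the bucket is retained.

interface NotificationEntry {
  Id: string;          // assumption: managed entries carry an Id prefixed with the owning stack's name
  Events: string[];
  Filter?: object;
  TargetArn: string;   // stands in for TopicArn / QueueArn / LambdaFunctionArn
}
interface NotificationConfig {
  TopicConfigurations: NotificationEntry[];
  QueueConfigurations: NotificationEntry[];
  LambdaFunctionConfigurations: NotificationEntry[];
}
const KINDS: (keyof NotificationConfig)[] = ['TopicConfigurations', 'QueueConfigurations', 'LambdaFunctionConfigurations'];

function isManagedBy(stackId: string, entry: NotificationEntry): boolean {
  return entry.Id.indexOf(stackId + '-') === 0;
}

function mergeNotifications(current: NotificationConfig, desired: NotificationConfig,
                            stackId: string, keepUnmanaged: boolean): NotificationConfig {
  const result = {} as NotificationConfig;
  for (const kind of KINDS) {
    // Old behaviour (keepUnmanaged = false): nothing survives from the bucket; `desired` wins outright.
    // Flag on: drop only the entries this stack manages (they are re-created from `desired`), keep all others.
    const retained = keepUnmanaged ? current[kind].filter(e => !isManagedBy(stackId, e)) : [];
    result[kind] = retained.concat(desired[kind]);
  }
  return result;
}

// Constructed bucket state: one entry owned by the importing stack, one stale entry of the owning stack.
const CURRENT: NotificationConfig = {
  TopicConfigurations: [{ Id: 'ImporterStack-AuditTopic-1a2b', Events: ['s3:ObjectRemoved:*'],
                          TargetArn: 'arn:aws:sns:us-east-1:111111111111:audit' }],
  QueueConfigurations: [{ Id: 'OwnerStack-OldQueue-3c4d', Events: ['s3:ObjectCreated:*'],
                          TargetArn: 'arn:aws:sqs:us-east-1:111111111111:old' }],
  LambdaFunctionConfigurations: [],
};
// What the owning stack wants after its update: the old queue entry replaced by a new one.
const DESIRED: NotificationConfig = {
  TopicConfigurations: [],
  QueueConfigurations: [{ Id: 'OwnerStack-NewQueue-5e6f', Events: ['s3:ObjectCreated:Put'],
                          TargetArn: 'arn:aws:sqs:us-east-1:111111111111:new' }],
  LambdaFunctionConfigurations: [],
};
```

With the flag off, the importer's audit topic subscription silently disappears on the owner's next deploy; with it on, only `OwnerStack-OldQueue-3c4d` is replaced.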

@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask

When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.

Flag type: Backwards incompatible bugfix

Currently, 'inputPath' and 'outputPath' from the TaskStateBase props are used under BedrockInvokeModelProps to define the S3 URI under the 'input' and 'output' fields of the state machine task definition.

When this feature flag is enabled, specify the newly introduced props 's3InputUri' and 's3OutputUri' to populate the S3 URI under the input and output fields of the state machine task definition for Bedrock invoke model.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.156.0 | true | true |

Compatibility with old behavior: Disable the feature flag to use the input and output path fields for the S3 URI.

@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions

When enabled, we will only grant the necessary permissions when users specify a CloudWatch log group through logConfiguration.

Flag type: Backwards incompatible bugfix

Currently, we automatically add a number of CloudWatch permissions to the task role when no CloudWatch log group is specified in logConfiguration, and they are granted with 'Resources': ['*'] on the task role.

When this feature flag is enabled, we will only grant the necessary permissions when users specify a CloudWatch log group.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.159.0 | false | true |

Compatibility with old behavior: Disable the feature flag to continue granting log group permissions when no log group is specified.

@aws-cdk/aws-ec2:ec2SumTImeoutEnabled

When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together.

Flag type: Backwards incompatible bugfix

Currently, if both initOptions.timeout and resourceSignalTimeout are specified in the options for creating an EC2 Instance, only the value of 'resourceSignalTimeout' is used.

When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will be summed together.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.160.0 | false | true |

@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission

When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.

Flag type: Backwards incompatible bugfix

Currently, when using a Lambda authorizer with an AppSync GraphQL API, the AWS CDK automatically generates the necessary AWS::Lambda::Permission to allow the AppSync API to invoke the Lambda authorizer. This permission is overly permissive because it lacks a SourceArn, meaning it allows invocations from any source.

When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.161.0 | false | true |
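Three of the flags above (reduceCrossAccountRegionPolicyScope, reduceEc2FargateCloudWatchPermissions and appSyncGraphQLAPIScopeLambdaPermission) remove the same two over-broad shapes from synthesized templates: IAM Allow statements on Resource '*' and Lambda permissions without a SourceArn. As an added example that is not CDK code, the check below runs over a synthesized CloudFormation template (the JSON `cdk synth` writes) and reports both shapes, so you can confirm in CI that a flag actually took effect. The template fragment and its logical IDs are constructed.

```typescript
// Added example, not aws-cdk-lib code: lint a synthesized template for the
// over-broad grant shapes the feature flags above remove.

interface IamStatement {
  Effect: string;
  Action: string | string[];
  Resource?: any;        // string, string[] or an intrinsic such as { 'Fn::GetAtt': [...] }
  Condition?: object;
}
interface CfnResource {
  Type: string;
  Properties: { [key: string]: any };
}
interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}
interface Finding {
  logicalId: string;
  issue: string;
}

function asArray<T>(value: T | T[] | undefined): T[] {
  if (value === undefined) { return []; }
  return Array.isArray(value) ? value : [value];
}

// Allow statements on Resource "*" with no Condition: the shape KMS key grants produced
// before reduceCrossAccountRegionPolicyScope and ECS task roles produced before
// reduceEc2FargateCloudWatchPermissions.
function wildcardAllowStatements(doc: { Statement?: IamStatement | IamStatement[] } | undefined): IamStatement[] {
  return asArray(doc ? doc.Statement : undefined).filter(stmt =>
    stmt.Effect === 'Allow' &&
    stmt.Condition === undefined &&
    asArray(stmt.Resource).some(r => r === '*'));
}

function findOverBroadGrants(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    // Grants synthesize into AWS::IAM::Policy resources or inline policies on AWS::IAM::Role.
    const docs: any[] = [];
    if (res.Type === 'AWS::IAM::Policy') { docs.push(res.Properties.PolicyDocument); }
    if (res.Type === 'AWS::IAM::Role') {
      for (const p of asArray<any>(res.Properties.Policies)) { docs.push(p.PolicyDocument); }
    }
    for (const doc of docs) {
      for (const stmt of wildcardAllowStatements(doc)) {
        findings.push({ logicalId, issue: `Allow on Resource "*" for ${asArray(stmt.Action).join(', ')}` });
      }
    }
    // A Lambda permission without SourceArn lets any resource of that service principal invoke
    // the function: the shape appSyncGraphQLAPIScopeLambdaPermission fixes.
    if (res.Type === 'AWS::Lambda::Permission' && res.Properties.SourceArn === undefined) {
      findings.push({ logicalId, issue: `invoke permission for ${res.Properties.Principal} has no SourceArn` });
    }
  }
  return findings;
}

// Constructed template fragment: one over-broad pair (flags off) next to one scoped pair (flags on).
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    TaskRoleDefaultPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: { Version: '2012-10-17', Statement: [
          { Effect: 'Allow', Action: ['kms:Decrypt', 'kms:GenerateDataKey*'], Resource: '*' },
        ] },
        Roles: [{ Ref: 'TaskRole' }],
      },
    },
    ScopedRoleDefaultPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: { Version: '2012-10-17', Statement: [
          { Effect: 'Allow', Action: ['kms:Decrypt', 'kms:GenerateDataKey*'], Resource: { 'Fn::GetAtt': ['DataKey', 'Arn'] } },
        ] },
        Roles: [{ Ref: 'ScopedRole' }],
      },
    },
    AuthorizerInvokePermission: {
      Type: 'AWS::Lambda::Permission',
      Properties: { Action: 'lambda:InvokeFunction', FunctionName: { Ref: 'Authorizer' }, Principal: 'appsync.amazonaws.com' },
    },
    ScopedAuthorizerInvokePermission: {
      Type: 'AWS::Lambda::Permission',
      Properties: { Action: 'lambda:InvokeFunction', FunctionName: { Ref: 'Authorizer' }, Principal: 'appsync.amazonaws.com',
                    SourceArn: { 'Fn::GetAtt': ['Api', 'Arn'] } },
    },
  },
};
```

Feed it the `cdk.out/<stack>.template.json` of a stack and expect zero findings once the three flags are on; a remaining finding points at a grant the flags do not cover and that deserves a look.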

@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages

When enabled, both @aws-sdk and @smithy packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications.

Flag type: Backwards incompatible bugfix

Currently, when bundling Lambda functions with a non-latest runtime that supports AWS SDK for JavaScript (v3), only the '@aws-sdk/*' packages are excluded by default. However, this can cause version mismatches between the '@aws-sdk/*' and '@smithy/*' packages, as they are tightly coupled dependencies in AWS SDK v3.

When this feature flag is enabled, both '@aws-sdk/*' and '@smithy/*' packages will be excluded during the bundling process. This ensures that no mismatches occur between these tightly coupled dependencies when using the AWS SDK v3 in Lambda functions.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.161.0 | false | true |

@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId

When enabled, the value of the property instanceResourceId in the construct DatabaseInstanceReadReplica will be set to the correct value, DbiResourceId, instead of the current DbInstanceArn.

Flag type: Backwards incompatible bugfix

Currently, the property 'instanceResourceId' of the 'DatabaseInstanceReadReplica' construct is set to 'DbInstanceArn', which is the wrong value when it is used to create the IAM policy in the grantConnect method.

When this feature flag is enabled, that property is set to the 'DbiResourceId' attribute as expected, which fixes the grantConnect method.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.161.0 | false | true |

Compatibility with old behavior: Disable the feature flag to use DbInstanceArn as value for property instanceResourceId

@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics

When enabled, CFN templates added with cfn-include will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values.

Flag type: Backwards incompatible bugfix

Without enabling this feature flag, cfn-include will silently drop resource update or create policies that contain CFN Intrinsics if they include non-primitive values.

Enabling this feature flag will make cfn-include throw on these templates, unless you specify the logical ID of the resource in the 'unhydratedResources' property.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.161.0 | false | true |

@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy

When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN.

Flag type: Backwards incompatible bugfix

Currently, in the IAM Run ECS policy generated by SFN EcsRunTask(), CDK constructs the task definition ARN itself and replaces the revision number at the end with a wildcard, which it shouldn't.

When this feature flag is enabled, if the task definition is created in the stack, the 'Resource' section will 'Ref' the taskDefinition.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.163.0 | false | true |

@aws-cdk/aws-dynamodb:resourcePolicyPerReplica

When enabled, allows you to specify a resource policy per replica instead of copying the source table policy to all replicas.

Flag type: Backwards incompatible bugfix

If this flag is not set, the default behavior for TableV2 is to use a different resourcePolicy for each replica.

If this flag is set to false, the behavior is that each replica shares the same resourcePolicy as the source table. This will prevent you from creating a new table which has an additional replica and a resource policy.

This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.164.0 | false | true |

@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault

When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2.

Flag type: New default behavior

Currently, the machineImage property of the BastionHost construct defaults to the latest Amazon Linux 2 AMI. Amazon Linux 2 hits end-of-life in June 2025, so using Amazon Linux 2023 by default is a more future-proof and secure option.

When this feature flag is enabled, if you do not pass the machineImage property to the BastionHost construct, the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.172.0 | false | true |

Compatibility with old behavior: Disable the feature flag or explicitly pass an Amazon Linux 2 machine image to the BastionHost construct.

@aws-cdk/core:aspectStabilization

When enabled, a stabilization loop will be run when invoking Aspects during synthesis.

Flag type: Configuration option

Previously, Aspects were invoked in a single pass of the construct tree. This meant that Aspects which created other Aspects were not run, and Aspects that created new nodes in the tree sometimes did not inherit their parent Aspects.

When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.172.0 | true | true |

@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource

When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, a new method will be used to get the DNS Name of the user pool domain target. The old method creates a custom resource internally, but the new method doesn't need a custom resource.

If the flag is set to false then a custom resource will be created when using UserPoolDomainTarget.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.174.0 | false | true |

@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault

When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere

Flag type: Backwards incompatible bugfix

For internet facing ALBs with 'dualstack-without-public-ipv4' IP address type, the default security group rules will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress.

A feature flag is used to make sure existing customers who might be relying on the overly restrictive rules are not broken.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.176.0 | false | true |

Compatibility with old behavior: Disable the feature flag to only allow IPv4 ingress in the default security group rules.

@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections

When enabled, the default behaviour of OIDC provider will reject unauthorized connections

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, the OIDC Provider's custom resource handler rejects unauthorized connections by default when downloading CA certificates.

When this feature flag is disabled, the behaviour is unchanged: thumbprints may be downloaded over insecure connections.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.177.0 | false | true |

Compatibility with old behavior: Disable the feature flag to allow insecure OIDC connections.

@aws-cdk/core:enableAdditionalMetadataCollection

When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues.

Flag type: Configuration option

When this feature flag is enabled, CDK expands the scope of usage data collection to include the following:

  • L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects.
  • L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references, will be redacted.
  • L2 construct method usage - Collect method names, parameter keys and parameter values of BOOL and ENUM type.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.178.0 | false | true |

@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy

[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement

Flag type: Backwards incompatible bugfix

[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. The purpose of this is to prevent Lambda from creating a dependency on the Default Policy Statement. This solves an issue where a circular dependency could occur if adding a Lambda function to something like a Cognito Trigger, then adding the User Pool to the Lambda execution role permissions. However, in the current implementation, we have removed the dependency of the Lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the Role. This creates a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016), particularly in cases where the Lambda resource creation doesn't need to depend on the policy resource creation. We recommend unsetting the feature flag if it is already set, which restores the original behavior.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.180.0 | false | false |

@aws-cdk/aws-s3:setUniqueReplicationRoleName

When enabled, CDK will automatically generate a unique role name that is used for S3 object replication.

Flag type: Backwards incompatible bugfix

When performing cross-account S3 replication, we need to explicitly specify a role name for the replication execution role. When this feature flag is enabled, a unique role name is specified only when performing cross-account replication. When disabled, 'CDKReplicationRole' is always specified.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.182.0 | false | true |

@aws-cdk/pipelines:reduceStageRoleTrustScope

Remove the root account principal from Stage addActions trust policy

Flag type: New default behavior

When this feature flag is enabled, the root account principal will not be added to the trust policy of the stage role. When this feature flag is disabled, the root account principal is kept in the trust policy.

For cross-account cases, when this feature flag is enabled the trust policy will be scoped to the role only. If you are providing a custom role, you will need to ensure 'roleName' is specified or set to PhysicalName.GENERATE_IF_NEEDED.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.184.0 | true | true |

Compatibility with old behavior: Disable the feature flag to add the root account principal back

@aws-cdk/aws-events:requireEventBusPolicySid

When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals.

Flag type: Backwards incompatible bugfix

Currently, when granting permissions to service principals using grantPutEventsTo(), the operation silently fails because service principals require resource policies with Statement IDs.

When this flag is enabled:

  • Resource policies will be created with Statement IDs for service principals
  • The operation will succeed as expected

When this flag is disabled:

  • A warning will be emitted
  • The grant operation will be dropped
  • No permissions will be added

This fixes the issue where permissions were silently not being added for service principals.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.186.0 | false | true |

@aws-cdk/aws-dynamodb:retainTableReplica

When enabled, the table replica defaults to the removal policy of the source table unless specified otherwise.

Flag type: Backwards incompatible bugfix

Currently, the table replica is always deleted when the stack is deleted, regardless of the source table's deletion policy. When enabled, the table replica defaults to the removal policy of the source table unless specified otherwise.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.187.0 | false | true |

@aws-cdk/cognito:logUserPoolClientSecretValue

When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs.

Flag type: New default behavior

When this feature flag is enabled, the SDK API call response to describe user pool client values will be logged in the custom resource lambda function logs.

When this feature flag is disabled, the SDK API call response to describe user pool client values will not be logged in the custom resource lambda function logs.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.187.0 | false | false |

Compatibility with old behavior: Enable the feature flag to keep the old behavior and log the client secret values
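The behaviour the recommended (disabled) setting gives, as an added example that is not the Cognito custom resource handler: the SDK response is redacted before it reaches the log, so the client secret never lands in CloudWatch Logs while the caller still gets the unmodified response. The response object below is constructed; its field names follow the DescribeUserPoolClient output shape, and the set of sensitive keys is an assumption for this example.

```typescript
// Added example, not CDK code: redact secret-bearing fields from an SDK response
// before logging it. Returns a fresh object so the original stays usable.

const SENSITIVE_KEYS = ['ClientSecret']; // assumption: extend for other secret-bearing response fields

function redactForLogging(value: unknown, sensitiveKeys: string[] = SENSITIVE_KEYS): unknown {
  if (Array.isArray(value)) {
    return value.map(v => redactForLogging(v, sensitiveKeys));
  }
  if (value !== null && typeof value === 'object') {
    const obj = value as { [key: string]: unknown };
    const out: { [key: string]: unknown } = {};
    for (const key of Object.keys(obj)) {
      // Replace the whole value of a sensitive key; recurse into everything else so nested
      // structures (e.g. lists of clients) are covered too.
      out[key] = sensitiveKeys.indexOf(key) >= 0 ? '***REDACTED***' : redactForLogging(obj[key], sensitiveKeys);
    }
    return out;
  }
  return value; // primitives pass through unchanged
}

// Constructed DescribeUserPoolClient-style response.
const SAMPLE_RESPONSE = {
  UserPoolClient: {
    UserPoolId: 'us-east-1_EXAMPLE',
    ClientId: '1example23456789',
    ClientSecret: 'EXAMPLE-SECRET-DO-NOT-LOG',
    ClientName: 'web-client',
    ExplicitAuthFlows: ['ALLOW_USER_SRP_AUTH'],
  },
};

// What a handler should hand to console.log instead of the raw response.
function loggableResponse(): { [key: string]: any } {
  return redactForLogging(SAMPLE_RESPONSE) as { [key: string]: any };
}

console.log(JSON.stringify(loggableResponse()));
```

The same shape of check belongs in any custom resource that logs API responses (see logApiResponseDataPropertyTrueDefault above): log the redacted copy, return the real one.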

@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2

When enabled, the resultWriterV2 property of DistributedMap will be used instead of resultWriter.

Flag type: New default behavior

When this feature flag is enabled, the resultWriterV2 property is used instead of resultWriter in DistributedMap class. resultWriterV2 uses ResultWriterV2 class in StepFunctions ASL and can have either Bucket/Prefix or WriterConfig or both.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.188.0 | false | true |

Compatibility with old behavior: Disable the feature flag and set resultWriter in DistributedMap

@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope

When enabled, scopes down the trust policy for the cross-account action role

Flag type: New default behavior

When this feature flag is enabled, the trust policy of the cross-account action role will be scoped to the pipeline role. If you are providing a custom role, you will need to ensure 'roleName' is specified or set to PhysicalName.GENERATE_IF_NEEDED. When this feature flag is disabled, it will keep the root account principal in the trust policy.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.189.0 | true | true |

Compatibility with old behavior: Disable the feature flag to add the root account principal back

@aws-cdk/core:aspectPrioritiesMutating

When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING.

Flag type: New default behavior

Custom Aspects you add have a priority of DEFAULT (500) if you don't assign a more specific priority, which is higher than MUTATING (200). This is relevant if a custom Aspect you add and an Aspect added by CDK try to configure the same value.

If this flag is set to false (old behavior), Aspects added by CDK are also added with a priority of DEFAULT; because their priorities are equal, the Aspect that is closest to the target construct executes last (either yours or the Aspect added by the CDK).

If this flag is set to true (recommended behavior), Aspects added by CDK are added with a priority of MUTATING, and custom Aspects you add with DEFAULT priority will always execute last and "win" the write. If you need Aspects added by CDK to run after yours, your Aspect needs to have a priority of MUTATING or lower.

This setting only applies to Aspects that were already being added for you before version 2.172.0. Aspects introduced since that version will always be added with a priority of MUTATING, independent of this feature flag.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.189.1 | false | true |

Compatibility with old behavior: To add mutating Aspects controlling construct values that can be overridden by Aspects added by CDK, give them MUTATING priority:

  ```
  Aspects.of(stack).add(new MyCustomAspect(), {
    priority: AspectPriority.MUTATING,
  });
  ```
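The ordering rules above (lower priority executes first; among equal priorities the Aspect applied closest to the target executes last; the last writer wins), as an added example that is not the CDK Aspects implementation: a small scheduler that reproduces the three outcomes the text describes, flag off, flag on, and flag on with your Aspect given MUTATING priority. Aspect names and the written values are constructed.

```typescript
// Added example, not aws-cdk-lib code: models Aspect execution order under the
// aspectPrioritiesMutating flag and reports whose write survives.

const PRIORITY_MUTATING = 200; // AspectPriority.MUTATING
const PRIORITY_DEFAULT = 500;  // AspectPriority.DEFAULT

interface AspectApplication {
  name: string;
  priority: number;
  distance: number; // 0 = added on the target construct itself, 1 = its parent, 2 = the stack, ...
  writes: string;   // the value this Aspect sets on the shared property
}

function executionOrder(aspects: AspectApplication[]): AspectApplication[] {
  return aspects.slice().sort((a, b) => {
    if (a.priority !== b.priority) { return a.priority - b.priority; } // lower priority runs first
    return b.distance - a.distance;                                     // farther runs first, closest runs last
  });
}

function winningWrite(aspects: AspectApplication[]): string {
  const order = executionOrder(aspects);
  return order[order.length - 1].writes; // last writer wins
}

// Priority the construct library gives to Aspects it adds on your behalf, per the flag.
function libraryAspectPriority(aspectPrioritiesMutating: boolean): number {
  return aspectPrioritiesMutating ? PRIORITY_MUTATING : PRIORITY_DEFAULT;
}

// Scenario from the text: CDK adds an Aspect directly on a construct; you add MyCustomAspect
// on the stack, two levels above it, and both write the same property.
function scenario(flagEnabled: boolean, customPriority: number = PRIORITY_DEFAULT): string {
  return winningWrite([
    { name: 'cdk-added', priority: libraryAspectPriority(flagEnabled), distance: 0, writes: 'cdk-value' },
    { name: 'MyCustomAspect', priority: customPriority, distance: 2, writes: 'my-value' },
  ]);
}
```

With the flag off both Aspects have DEFAULT priority and the CDK-added one, being closest, writes last; with it on, CDK's MUTATING Aspect runs first and yours wins; giving yours MUTATING as in the compatibility snippet above restores the old outcome.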

@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions

Add an S3 trust policy to a KMS key resource policy for SNS subscriptions.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, an S3 trust policy will be added to the KMS key resource policy for encrypted SNS subscriptions.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.195.0 | false | true |

@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration

When enabled, use resource IDs for VPC V2 migration

Flag type: New default behavior

When this feature flag is enabled, the VPC V2 migration will use resource IDs instead of getAtt references for migrating resources from VPC V1 to VPC V2. This helps ensure a smoother migration path between the two versions.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.196.0 | false | false |

Compatibility with old behavior: Disable the feature flag to use getAtt references for VPC V2 migration

@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway

When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, the EgressOnlyGateway resource will not be created when you create a VPC with only public subnets.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.196.0 | false | true |

@aws-cdk/aws-s3:publicAccessBlockedByDefault

When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined.

Flag type: Backwards incompatible bugfix

When BlockPublicAccess is not set at all, S3's default behavior (as shown in the AWS console) is to set all four options to true. The previous CDK behavior was that if only some of the BlockPublicAccessOptions were set (not all four), the undefined ones defaulted to false. This is counterintuitive compared with the console, where the options start in the true state and a user unchecks boxes as needed. With this feature enabled, a user can, for example, set one of the four BlockPublicAccessOptions to false and on deployment the other three remain true.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.196.0 | false | true |
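The defaulting rule above, as an added example that is not aws-cdk-lib code: a resolver that fills in the options you did not specify under each setting of the flag, renders the PublicAccessBlockConfiguration shape that ends up in the template, and lists which protections an input leaves switched off (a handy policy-as-code check on synthesized templates). Property names follow the page; the helper names are this example's own.

```typescript
// Added example, not CDK code: resolve a partial BlockPublicAccess configuration
// the way the flag describes and report the protections it leaves off.

interface BlockPublicAccessOptions {
  blockPublicAcls?: boolean;
  blockPublicPolicy?: boolean;
  ignorePublicAcls?: boolean;
  restrictPublicBuckets?: boolean;
}
type ResolvedBlockPublicAccess = Required<BlockPublicAccessOptions>;

function resolveBlockPublicAccess(opts: BlockPublicAccessOptions,
                                  publicAccessBlockedByDefault: boolean): ResolvedBlockPublicAccess {
  // Old behaviour filled unspecified options with false; with the flag on they are filled
  // with true, matching what the console starts from.
  const fill = publicAccessBlockedByDefault;
  return {
    blockPublicAcls: opts.blockPublicAcls ?? fill,
    blockPublicPolicy: opts.blockPublicPolicy ?? fill,
    ignorePublicAcls: opts.ignorePublicAcls ?? fill,
    restrictPublicBuckets: opts.restrictPublicBuckets ?? fill,
  };
}

// The PublicAccessBlockConfiguration property as it appears on AWS::S3::Bucket in the template.
function toCfnProperty(r: ResolvedBlockPublicAccess): { [key: string]: boolean } {
  return {
    BlockPublicAcls: r.blockPublicAcls,
    BlockPublicPolicy: r.blockPublicPolicy,
    IgnorePublicAcls: r.ignorePublicAcls,
    RestrictPublicBuckets: r.restrictPublicBuckets,
  };
}

// Names of the protections that are switched off; an empty list means fully blocked.
function disabledProtections(r: ResolvedBlockPublicAccess): string[] {
  const cfn = toCfnProperty(r);
  return Object.keys(cfn).filter(k => !cfn[k]);
}

// Constructed input: a bucket that needs a public bucket policy (e.g. a static site) and sets nothing else.
const SITE_BUCKET_OPTIONS: BlockPublicAccessOptions = { blockPublicPolicy: false };
```

With the flag off, `SITE_BUCKET_OPTIONS` silently disables all four protections; with it on, only BlockPublicPolicy is off and the other three stay true.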

@aws-cdk/aws-lambda:useCdkManagedLogGroup

When enabled, CDK creates and manages a log group for the Lambda function.

Flag type: New default behavior

When this feature flag is enabled, CDK will create a log group for the Lambda function with default properties if the CDK app doesn't pass 'logRetention' or 'logGroup' explicitly; such a log group supports the CDK features Tag propagation, Property Injectors and Aspects. Log groups created via 'logRetention' do not support Tag propagation, Property Injectors or Aspects. Log groups created in CDK and passed via 'logGroup' do support Tag propagation, Property Injectors and Aspects.

When this feature flag is disabled, a log group is created by the Lambda service on first invocation of the function (existing behavior). Log groups created in this way do not support Tag propagation, Property Injectors or Aspects.

DO NOT ENABLE: If you have an existing app defining a Lambda function, have not supplied a logGroup or logRetention prop, and your Lambda function has executed at least once, the log group has already been created with the same name, so your deployment will start failing. Refer to aws-lambda/README.md for more details on customizing log group creation.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.200.0 | false | true |

Compatibility with old behavior: Disable the feature flag to let the Lambda service create the log group, or specify logGroup or logRetention explicitly.

@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal

Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition

Flag type: Backwards incompatible bugfix

This flag enables the grant methods (grant, grantDecrypt, grantEncrypt, etc.) on Aliases imported by name to grant permissions based on the 'kms:ResourceAliases' condition rather than no-op grants. When disabled, grant calls on imported aliases will be dropped (no-op) to maintain compatibility.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.202.0 | false | true |

Compatibility with old behavior: Remove calls to the grant* methods on the aliases referenced by name

@aws-cdk/core:explicitStackTags

When enabled, stack tags need to be assigned explicitly on a Stack.

Flag type: New default behavior

Without this feature flag enabled, if tags are added to a Stack using Tags.of(scope).add(...), they will be added to both the stack and all resources in the stack template.

That leads to the tags being applied twice: once in the template, and once again automatically by CloudFormation, which will apply all stack tags to all resources in the stack. This leads to loss of control, as the excludeResourceTypes option of the Tags API will not have any effect.

With this flag enabled, tags added to a stack using Tags.of(...) are ignored, and Stack tags must be configured explicitly on the Stack object.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.205.0 | false | true |

Compatibility with old behavior: Configure stack-level tags using new Stack(..., { tags: { ... } }).

@aws-cdk/aws-signer:signingProfileNamePassedToCfn

Pass signingProfileName to CfnSigningProfile

Flag type: Backwards incompatible bugfix

When enabled, the signingProfileName property is passed to the L1 CfnSigningProfile construct, which ensures that the AWS Signer profile is created with the specified name.

When disabled, the signingProfileName is not passed to CloudFormation, maintaining backward compatibility with existing deployments where CloudFormation auto-generated profile names.

This feature flag is needed because enabling it can cause existing signing profiles to be replaced during deployment if a signingProfileName was specified but not previously used in the CloudFormation template.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.212.0 | false | true |

@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener

Disable implicit openListener when custom security groups are provided

Flag type: New default behavior

ApplicationLoadBalancedServiceBase currently defaults openListener to true, which creates security group rules allowing ingress from 0.0.0.0/0. This can be a security risk when users provide custom security groups on their load balancer, expecting those to be the only ingress rules.

If this flag is not set, openListener will always default to true for backward compatibility. If the flag is set to true, openListener will default to false when custom security groups are detected on the load balancer, and to true otherwise. Users can still explicitly set openListener: true to override this behavior.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.214.0 | false | true |

Compatibility with old behavior: You can pass openListener: true explicitly to maintain the old behavior.

@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId

When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, ECS patterns will generate unique target group IDs that include both the load balancer type (public/private) and load balancer name. This prevents CloudFormation conflicts when switching between public and private load balancers or when changing load balancer names.

Without this flag, target groups use generic IDs like 'ECS' which can cause conflicts when the underlying load balancer is replaced due to changes in internetFacing or loadBalancerName properties.

This is a breaking change as it will cause target group replacement when the flag is enabled.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.221.0 | false | true |

@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint

When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, the JSONPath apiEndpoint value will be resolved dynamically at runtime, while slightly increasing the size of the state machine definition. When disabled, the JSONPath apiEndpoint property will only support a static string value.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.221.0 | true | true |

@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault

When enabled, Network Load Balancer will be created with a security group by default.

Flag type: New default behavior

When this feature flag is enabled, Network Load Balancer will be created with a security group by default.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.222.0 | false | true |

Compatibility with old behavior: Disable the feature flag to create Network Load Balancer without a security group by default.

@aws-cdk/aws-route53-patterns:useDistribution

Use the Distribution resource instead of CloudFrontWebDistribution

Flag type: New default behavior

Enable this feature flag to use the new Distribution resource instead of the deprecated CloudFrontWebDistribution construct.

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.233.0 | false | true |

Compatibility with old behavior: Define a CloudFrontWebDistribution explicitly

@aws-cdk/aws-eks:useNativeOidcProvider

When enabled, EKS V2 clusters will use the native OIDC provider resource AWS::IAM::OIDCProvider instead of creating the OIDCProvider with a custom resource (iam.OpenIDConnectProvider).

Flag type: Backwards incompatible bugfix

When this feature flag is enabled, EKS clusters will use the native AWS::IAM::OIDCProvider CloudFormation resource instead of the custom resource provider for creating OIDC providers.

WARNING: Enabling this flag on a cluster with an existing OIDC provider created by the custom resource (iam.OpenIDConnectProvider) will cause the OIDC provider to be replaced with the native resource, which may lead to disruption.

To migrate in place without disruption, follow the guide at: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-eks/README.md#migrating-from-the-deprecated-eksopenidconnectprovider-to-eksoidcprovidernative

| Since | Unset behaves like | Recommended value |
| ----- | ------------------ | ----------------- |
| (not in v1) | | |
| 2.237.0 | false | true |

Compatibility with old behavior: Disable the feature flag to use the custom resource provider.

@aws-cdk/core:automaticL1Traits

Automatically use the default L1 traits for L1 constructs

Flag type: New default behavior

When enabled, the construct library will apply default L1 traits for types that have no traits defined yet. Traits regulate behaviors such as how to create resource policies, or how to find an encryption key for a given L1 construct.

Since        Unset behaves like   Recommended value
(not in v1)
2.239.0      true                 true

Compatibility with old behavior: Register traits explicitly for each resource type

@aws-cdk/aws-cloudfront:defaultFunctionRuntimeV2_0

Use cloudfront-js-2.0 as the default runtime for CloudFront Functions

Flag type: New default behavior

When enabled, CloudFront Functions will use cloudfront-js-2.0 runtime by default instead of cloudfront-js-1.0. The runtime can still be configured explicitly using the runtime property.

If keyValueStore is specified, the runtime will always be cloudfront-js-2.0 regardless of this flag.

Since        Unset behaves like   Recommended value
(not in v1)
2.245.0      false                true

Compatibility with old behavior: Set runtime: FunctionRuntime.JS_1_0 explicitly to use the v1.0 runtime.

@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy

When enabled, HTTPS/TLS listeners use post-quantum TLS policy by default

Flag type: New default behavior

When this feature flag is enabled, HTTPS and TLS listeners that do not have an explicit sslPolicy will use the post-quantum cryptography policy ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 by default.

This policy uses the non-restricted variant (without -Res-) to maintain AES-CBC cipher support for TLS 1.2 clients, ensuring nearly 100% backward compatibility with the previous CDK default. Post-quantum policies provide protection against "Harvest Now, Decrypt Later" attacks using hybrid ML-KEM key exchange.

When disabled (default), no explicit SSL policy is set, preserving the existing CDK behavior where RECOMMENDED_TLS (ELBSecurityPolicy-TLS13-1-2-2021-06) is used.

Since        Unset behaves like   Recommended value
(not in v1)
2.245.0      false                true

Compatibility with old behavior: Disable this feature flag to preserve existing behavior where no explicit SSL policy is set.

@aws-cdk/aws-batch:defaultToAL2023

Use AL2023 as the default imageType for EC2 Batch compute environments instead of the deprecated AL2

Flag type: New default behavior

When enabled, EC2 Batch compute environments (both ECS and EKS) that do not specify an imageType will default to ECS_AL2023 or EKS_AL2023 instead of the deprecated ECS_AL2 or EKS_AL2 (Amazon Linux 2, reaching EOL June 2026 for ECS; already EOL for EKS).

For EKS compute environments with a launch template, userdataType will automatically be set to EKS_NODEADM when an AL2023 image type is used, as required by the AWS Batch API.

When disabled, the default imageType remains ECS_AL2 / EKS_AL2 for backward compatibility.

Since        Unset behaves like   Recommended value
(not in v1)
2.249.0      false                true

Compatibility with old behavior: Explicitly set imageType to ECS_AL2 or EKS_AL2 in your compute environment images configuration.

Warning: Enabling this flag on existing stacks may cause compute environment replacement, which terminates running jobs. To migrate safely, first pin existing environments to their current imageType explicitly, then enable the flag.
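A check worth running before flipping the flags in this section: an added Python example (not part of aws-cdk) that reads a project's cdk.json and reports which of the named flags documented above are absent, explicitly disabled, or not written as JSON booleans, using the "Unset behaves like" column to decide whether an absent flag is a finding. The cdk.json content below is constructed for the demonstration, and treating a non-boolean value as a finding is this example's assumption, not documented CDK behavior.

```python
import json

# Recommended value for each flag documented above, copied from this page.
RECOMMENDED = {
    "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": True,
    "@aws-cdk/aws-route53-patterns:useDistribution": True,
    "@aws-cdk/aws-eks:useNativeOidcProvider": True,
    "@aws-cdk/core:automaticL1Traits": True,
    "@aws-cdk/aws-cloudfront:defaultFunctionRuntimeV2_0": True,
    "@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy": True,
    "@aws-cdk/aws-batch:defaultToAL2023": True,
}

# Flags whose "Unset behaves like" column already equals the recommended
# value; leaving these out of cdk.json is not a finding.
UNSET_IS_RECOMMENDED = {"@aws-cdk/core:automaticL1Traits"}


def audit_feature_flags(cdk_json_text: str) -> dict:
    """Return {flag: status} for every flag not at its recommended value:
    'unset' (absent, and unset behaves like the old value),
    'disabled' (explicitly set to the non-recommended value) or
    'non-boolean' (assumption: flag anything that is not a JSON boolean)."""
    context = json.loads(cdk_json_text).get("context", {})
    findings = {}
    for flag, recommended in RECOMMENDED.items():
        if flag not in context:
            if flag not in UNSET_IS_RECOMMENDED:
                findings[flag] = "unset"
        elif not isinstance(context[flag], bool):
            findings[flag] = "non-boolean"
        elif context[flag] != recommended:
            findings[flag] = "disabled"
    return findings


# Constructed cdk.json for the demo: one flag explicitly off, one written as
# a string rather than a boolean, one correct, the rest absent.
SAMPLE_CDK_JSON = json.dumps({
    "app": "npx ts-node bin/app.ts",
    "context": {
        "@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy": False,
        "@aws-cdk/aws-batch:defaultToAL2023": "true",
        "@aws-cdk/aws-eks:useNativeOidcProvider": True,
    },
})

if __name__ == "__main__":
    for flag, status in sorted(audit_feature_flags(SAMPLE_CDK_JSON).items()):
        print(f"{status:12} {flag}")
```

Pass a real project's cdk.json contents to audit_feature_flags; for any flag it reports, read the replacement warnings above (EKS OIDC provider, Batch compute environments) before enabling it on a deployed stack.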