
CDKToolkit CloudFormation Stack Has Bootstrap Version 21 or Higher

Overview

The AWS Cloud Development Kit (CDK) requires a "bootstrap stack" in each AWS account and region where you deploy CDK applications. This stack creates supporting resources like S3 buckets for assets and IAM roles for deployments.

This check verifies that your CDKToolkit bootstrap stack is at version 21 or higher. Older bootstrap versions use legacy templates that lack modern security hardening.

Risk

Running an outdated bootstrap stack creates several security vulnerabilities:

  • Weaker asset protection: S3 buckets and ECR repositories may have permissive configurations that make them easier to misuse
  • Overly broad IAM roles: Deployment roles may trust more principals than necessary
  • Artifact tampering: Attackers could modify deployment artifacts stored in bootstrap resources
  • Privilege escalation: Compromised bootstrap roles could allow attackers to gain elevated access

Upgrading to version 21+ applies security improvements that have been added over time, including tighter IAM policies and better resource configurations.

Remediation Steps

Prerequisites

You need:

  • AWS account access with permissions to update CloudFormation stacks
  • The AWS CDK CLI installed (if using the command-line method)

Installing the AWS CDK CLI

The CDK CLI requires Node.js. Install it globally with npm:

npm install -g aws-cdk

Verify the installation:

cdk --version

You should see version 2.x or higher (CDK v2 uses bootstrap version 21+ by default).

AWS Console Method

  1. Sign in to the AWS Console and navigate to CloudFormation
  2. Find the stack named CDKToolkit in your stack list
  3. Click on the CDKToolkit stack, then go to the Outputs tab
  4. Look for the BootstrapVersion output value
  5. If the version is below 21, you need to re-bootstrap using the CLI method below

Note: There is no way to upgrade the bootstrap stack directly from the console. You must use the CDK CLI.

AWS CLI: Check current bootstrap version

You can check your current bootstrap version with this command:

aws cloudformation describe-stacks \
    --stack-name CDKToolkit \
    --region us-east-1 \
    --query "Stacks[0].Outputs[?OutputKey=='BootstrapVersion'].OutputValue" \
    --output text

If this returns a number less than 21, proceed with re-bootstrapping.

CDK Bootstrap Command

Run the following command to upgrade your bootstrap stack to the latest version:

cdk bootstrap aws://<ACCOUNT_ID>/us-east-1

Replace <ACCOUNT_ID> with your 12-digit AWS account ID.

Bootstrapping multiple regions

To bootstrap multiple regions at once:

cdk bootstrap aws://<ACCOUNT_ID>/us-east-1 aws://<ACCOUNT_ID>/us-west-2 aws://<ACCOUNT_ID>/eu-west-1

Or use a loop to bootstrap all regions where you deploy:

ACCOUNT_ID="123456789012"
REGIONS="us-east-1 us-west-2 eu-west-1"

for REGION in $REGIONS; do
    echo "Bootstrapping $REGION..."
    cdk bootstrap aws://$ACCOUNT_ID/$REGION
done

Advanced: Customizing the bootstrap template

For enterprise environments, you may want to customize the bootstrap stack:

Limit trusted accounts (for cross-account deployments):

cdk bootstrap aws://<ACCOUNT_ID>/us-east-1 \
    --trust <TRUSTED_ACCOUNT_ID> \
    --cloudformation-execution-policies "arn:aws:iam::aws:policy/AdministratorAccess"

Enable termination protection:

cdk bootstrap aws://<ACCOUNT_ID>/us-east-1 \
    --termination-protection

Use a custom qualifier (for multiple bootstrap stacks in one account):

cdk bootstrap aws://<ACCOUNT_ID>/us-east-1 \
    --qualifier myapp \
    --toolkit-stack-name CDKToolkit-myapp

Apply least-privilege execution policy (recommended for production):

cdk bootstrap aws://<ACCOUNT_ID>/us-east-1 \
    --cloudformation-execution-policies "arn:aws:iam::<ACCOUNT_ID>:policy/CDKDeploymentPolicy"

This requires you to first create a custom IAM policy that grants only the permissions your CDK apps need.

CloudFormation: Manual bootstrap template

If you cannot use the CDK CLI, you can deploy the bootstrap template directly via CloudFormation.

  1. Download the latest bootstrap template:

curl -o bootstrap-template.yaml \
    https://raw.githubusercontent.com/aws/aws-cdk/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

  2. Deploy using the AWS CLI:

aws cloudformation deploy \
    --template-file bootstrap-template.yaml \
    --stack-name CDKToolkit \
    --capabilities CAPABILITY_NAMED_IAM \
    --region us-east-1 \
    --parameter-overrides \
        TrustedAccounts="" \
        CloudFormationExecutionPolicies="arn:aws:iam::aws:policy/AdministratorAccess"

Note: The CDK CLI method is preferred as it handles template updates automatically.

Terraform: Managing CDK bootstrap

While CDK bootstrap is typically managed via the CDK CLI, you can use Terraform to ensure the bootstrap stack exists and meets version requirements:

# Check bootstrap version using a data source
data "aws_cloudformation_stack" "cdk_toolkit" {
  name = "CDKToolkit"
}

# Output the current bootstrap version
output "bootstrap_version" {
  value = lookup(data.aws_cloudformation_stack.cdk_toolkit.outputs, "BootstrapVersion", "not found")
}

# Note: To actually upgrade the bootstrap stack, use the CDK CLI.
# Terraform can be used to monitor/alert on version drift.

For automated bootstrap management across accounts, consider using a CI/CD pipeline that runs cdk bootstrap as part of account provisioning.

Verification

After bootstrapping, verify the upgrade was successful:

  1. Go to CloudFormation in the AWS Console
  2. Click on the CDKToolkit stack
  3. Select the Outputs tab
  4. Confirm that BootstrapVersion shows 21 or higher

CLI verification

aws cloudformation describe-stacks \
    --stack-name CDKToolkit \
    --region us-east-1 \
    --query "Stacks[0].Outputs[?OutputKey=='BootstrapVersion'].OutputValue" \
    --output text

Expected output: 21 or higher.

To check all regions at once:

for REGION in us-east-1 us-west-2 eu-west-1; do
    VERSION=$(aws cloudformation describe-stacks \
        --stack-name CDKToolkit \
        --region $REGION \
        --query "Stacks[0].Outputs[?OutputKey=='BootstrapVersion'].OutputValue" \
        --output text 2>/dev/null)
    echo "$REGION: ${VERSION:-not bootstrapped}"
done
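The loop above only prints what it finds. As an added example (not part of the original page or of the CDK project), the script below generalizes it into a drift check usable in CI: it compares each region's BootstrapVersion output against the minimum of 21, distinguishes a missing stack or output from a malformed value, and exits non-zero if any region fails. The stack name, region list and threshold are assumptions you would adjust.

```shell
#!/bin/sh
# Added example: evaluate the CDKToolkit BootstrapVersion per region against a minimum.
MIN_BOOTSTRAP_VERSION=21      # threshold this check enforces
STACK_NAME="CDKToolkit"       # default toolkit stack name; change if you used --toolkit-stack-name

# classify_bootstrap_version VALUE
# VALUE is the raw text returned by describe-stacks (may be empty or "None").
# Prints one status word; returns 0 ok, 1 outdated, 2 missing, 3 unexpected.
classify_bootstrap_version() {
  v="$1"
  case "$v" in
    ""|None)  echo "missing";    return 2 ;;   # stack absent or no BootstrapVersion output
    *[!0-9]*) echo "unexpected"; return 3 ;;   # not a plain integer, refuse to guess
  esac
  if [ "$v" -ge "$MIN_BOOTSTRAP_VERSION" ]; then
    echo "ok"; return 0
  fi
  echo "outdated"; return 1
}

# fetch_bootstrap_version REGION -> raw output value (empty if the call fails)
fetch_bootstrap_version() {
  aws cloudformation describe-stacks \
    --stack-name "$STACK_NAME" \
    --region "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='BootstrapVersion'].OutputValue" \
    --output text 2>/dev/null
}

# check_regions REGION... -> one line per region; returns 1 if any region is not ok
check_regions() {
  failed=0
  for region in "$@"; do
    version=$(fetch_bootstrap_version "$region")
    status=$(classify_bootstrap_version "$version") || failed=1
    printf '%s: %s (BootstrapVersion=%s)\n' "$region" "$status" "${version:-n/a}"
  done
  return "$failed"
}

# Runs only when regions are given on the command line, e.g.:
#   sh check-bootstrap.sh us-east-1 us-west-2 eu-west-1
if [ "$#" -gt 0 ]; then
  check_regions "$@"
fi
```

A non-zero exit from check_regions is what a pipeline step or scheduled job keys on; the per-region lines give the operator the region and value to act on.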

Additional Resources

Notes

  • No downtime: Re-bootstrapping updates resources in place and does not affect running applications
  • Backward compatible: Newer bootstrap versions support older CDK applications
  • Multi-account environments: Each account and region combination needs its own bootstrap stack
  • Version drift: Consider adding automated checks (via Prowler or AWS Config) to detect when bootstrap stacks fall behind the recommended version
  • Termination protection: Enable termination protection on bootstrap stacks in production to prevent accidental deletion