What is AWS CDK — and why does it matter
AWS CDK (Cloud Development Kit) is an open-source framework that lets you define cloud infrastructure using real programming languages — TypeScript, Python, Java, Go, or C#. Instead of writing YAML or JSON templates, you write actual code with loops, conditionals, abstractions, and unit tests.
This matters because infrastructure is software. The constraints that make YAML brittle for large applications — no reuse, no type checking, no testing — make it equally brittle for large infrastructure codebases. CDK solves this by making infrastructure a first-class citizen of your engineering workflow.
```typescript
import * as cdk from 'aws-cdk-lib';
import { Vpc, SubnetType } from 'aws-cdk-lib/aws-ec2';
import { DatabaseInstance, DatabaseInstanceEngine, PostgresEngineVersion } from 'aws-cdk-lib/aws-rds';

export class ApiStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string) {
    super(scope, id);

    // VPC with private subnets; CDK handles route tables, NAT gateways, IGW
    const vpc = new Vpc(this, 'AppVpc', {
      maxAzs: 2,
      subnetConfiguration: [
        { subnetType: SubnetType.PUBLIC, name: 'Public' },
        { subnetType: SubnetType.PRIVATE_WITH_EGRESS, name: 'Private' },
      ],
    });

    // RDS in a private subnet; the master credential is generated in Secrets Manager
    const db = new DatabaseInstance(this, 'AppDb', {
      engine: DatabaseInstanceEngine.postgres({ version: PostgresEngineVersion.VER_16 }),
      vpc,
      vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_EGRESS },
      multiAz: true,
      deletionProtection: true,
    });
    // Rotation is opt-in: this attaches the Secrets Manager rotation schedule for the master user
    db.addRotationSingleUser();
  }
}
```
In ~25 lines of TypeScript, CDK provisions a complete VPC with public and private subnets, NAT gateways, an Internet Gateway, route tables, a Multi-AZ RDS instance with automatic credential rotation, and all the security group wiring between them. The equivalent CloudFormation YAML runs to several hundred lines and is nearly impossible to review meaningfully.
CDK vs Terraform vs CloudFormation
This is the most common question CDK consultants answer, and the honest answer is that all three are valid — but they're not equivalent.
Terraform is excellent for multi-cloud environments. If you're running significant workloads on GCP or Azure alongside AWS, Terraform's provider ecosystem is unmatched. But for AWS-primary teams, CDK's L2 constructs — which encode AWS security best practices into reusable abstractions — significantly reduce the chance of misconfigured IAM, open security groups, or unencrypted storage. The productivity advantage is real.
When to hire a CDK consultant
CDK is accessible enough that senior engineers can get started quickly. The problems show up 6–18 months later: drift between environments, circular dependencies between stacks, IAM roles that are far too permissive, no account-level guardrails, and AWS bills that nobody can explain.
Hire a CDK consultant when:
- You're migrating to AWS for the first time and want to build the right foundation rather than refactor in 18 months
- Your AWS bill is unexplained — resources left running, no tagging strategy, no budget alerts, no rightsizing
- Security or compliance review is pending and your infrastructure needs to meet SOC 2, HIPAA, or FedRAMP requirements
- You're scaling from one AWS account to many — multi-account architecture with Control Tower and AWS Organizations requires specific CDK patterns
- Your deployments are slow or fragile — CDK pipeline setup, stack splitting, and environment promotion are non-trivial to get right
- Your team is all-in on CDK but has no senior CDK experience — architectural decisions made early are very hard to undo
What a CDK consulting engagement looks like
A CDK consulting engagement is typically structured in two to three phases. The shape varies by situation — a greenfield project looks very different from a remediation of an existing CDK codebase — but the phases are consistent.
What Orion's Ark Solutions delivers
Orion Digital Platforms is an AWS Select Consulting Partner. Our Ark Solutions practice handles CDK engagements of all sizes — from greenfield architecture for Series A companies to multi-account remediation for enterprise engineering teams.
Well-Architected Review
A 47-point assessment against the AWS Well-Architected Framework. Written findings, severity ratings, and a prioritized remediation roadmap. Fixed-fee engagement.
CDK Foundation Build
Complete CDK codebase: VPC, ECS, RDS, IAM, S3, CloudFront, and CI/CD pipeline. Includes constructs library, unit tests, and runbook. Typical engagement: 4–8 weeks.
Multi-Account Architecture
AWS Organizations, Control Tower, Service Control Policies, and CDK pipelines that deploy correctly across dev, staging, and production accounts. HIPAA and SOC 2 ready.
Cost Optimization Audit
Rightsize compute, eliminate waste, implement budget alerts and automated shutdown. Customers typically recover 15–40% of their AWS bill within 30 days.
Migration Planning and Execution
Zero-downtime migration to AWS — from on-prem, Heroku, or another cloud. CDK-driven infrastructure from day one. Full architecture decision record delivered.
Fractional Cloud Leadership
CTO-level cloud architecture guidance on a part-time basis. Ideal for Series A–B companies that need senior AWS expertise without a full-time platform hire.
Common CDK mistakes — and how consultants catch them
1. Putting everything in one stack
A single CDK stack that provisions every resource in your account is fragile and slow to deploy. Stack splitting — separating stateful resources (databases, S3) from stateless (ECS services, Lambda) — dramatically improves deployment velocity and reduces blast radius when something goes wrong.
2. Granting wildcard IAM permissions
CDK's L2 constructs apply least-privilege IAM by default — but many teams override them during development and never revisit. A CDK code review typically surfaces iam:* grants and over-permissioned execution roles that would fail a SOC 2 audit immediately.
```typescript
import { ManagedPolicy } from 'aws-cdk-lib/aws-iam';
// role, bucket, table, queue and lambdaFn are the L2 constructs defined elsewhere in the stack

// Common mistake, seen in the wild constantly
role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(
  'AdministratorAccess' // gives this function access to everything
));

// CDK L2 constructs handle this correctly
bucket.grantRead(lambdaFn);          // s3:GetObject*/List* on this bucket only
table.grantReadWriteData(lambdaFn);  // the DynamoDB item read/write actions on this table only
queue.grantSendMessages(lambdaFn);   // sqs:SendMessage on this queue only
```
3. No environment parity
Development environments that differ substantially from production are a root cause of production incidents. CDK makes environment parity easy — the same construct with different parameters — but teams frequently hand-roll dev environments and skip the parity guarantee.
4. Missing cost allocation tags
AWS bills are notoriously opaque without tags. A CDK aspect — a construct that applies a transformation to every resource in a stack — can enforce tagging across your entire account. Without it, you're flying blind on which team, product, or feature is driving cost growth.
```typescript
import { IConstruct } from 'constructs';
import * as cdk from 'aws-cdk-lib';

interface RequiredTagsProps { team: string; env: string; costCenter: string }

class RequiredTags implements cdk.IAspect {
  constructor(private readonly props: RequiredTagsProps) {}

  visit(node: IConstruct) {
    // Set tags directly on each taggable L1 resource. Tags.of(node) is itself an aspect,
    // and an aspect added from inside another aspect's visit may not be applied.
    if (cdk.TagManager.isTaggable(node)) {
      node.tags.setTag('Team', this.props.team);
      node.tags.setTag('Environment', this.props.env);
      node.tags.setTag('CostCenter', this.props.costCenter);
    }
  }
}

// Applied once to the cdk.App, tags every resource in every stack
cdk.Aspects.of(app).add(new RequiredTags({ team: 'platform', env: 'prod', costCenter: 'eng-01' }));
```
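Mistakes 2 and 4 are both visible in the synthesized template, so a review can check for them mechanically. The lint below is an added example, not code from the page or from Orion; it reads a template in the shape that `cdk synth` writes to `cdk.out` and flags AdministratorAccess or wildcard IAM grants and resources missing the three required tags. The taggable-type list and the sample template are constructed for this example.

```typescript
// Added example: lint a synthesized CloudFormation template (a *.template.json from
// `cdk synth`) for wildcard/AdministratorAccess IAM grants and missing required tags.
type Finding = { logicalId: string; issue: string };
type Props = { [key: string]: any };
interface Template { Resources: { [logicalId: string]: { Type: string; Properties?: Props } } }
const REQUIRED_TAGS = ['Team', 'Environment', 'CostCenter'];
// Taggable resource types the check covers (assumed subset; extend for your stacks).
const TAGGABLE = ['AWS::EC2::VPC', 'AWS::RDS::DBInstance', 'AWS::S3::Bucket', 'AWS::Lambda::Function'];
// CloudFormation accepts a single value or a list for Action, Resource, Statement, Tags, ...
function asList(v: any): any[] { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }
// Inline statements live in PolicyDocument (AWS::IAM::Policy) or Policies[] (AWS::IAM::Role).
function statements(props: Props): Props[] {
  const docs = [props.PolicyDocument].concat(asList(props.Policies).map((p) => p.PolicyDocument));
  let out: Props[] = [];
  for (const d of docs) if (d) out = out.concat(asList(d.Statement));
  return out;
}
function reviewTemplate(tpl: Template): Finding[] {
  const findings: Finding[] = [];
  for (const id in tpl.Resources) {
    const res = tpl.Resources[id];
    const props: Props = res.Properties || {};
    // Managed policy ARNs synthesize as Fn::Join expressions; match on the serialized form.
    for (const arn of asList(props.ManagedPolicyArns)) {
      if (JSON.stringify(arn).indexOf('policy/AdministratorAccess') !== -1)
        findings.push({ logicalId: id, issue: 'AdministratorAccess managed policy attached' });
    }
    for (const st of statements(props)) {
      if (st.Effect !== 'Allow') continue;
      const wild = asList(st.Action).filter((a) => a === '*' || String(a).slice(-2) === ':*');
      if (wild.length === 0) continue;
      const scope = asList(st.Resource).indexOf('*') !== -1 ? ' on all resources' : '';
      findings.push({ logicalId: id, issue: `wildcard action ${wild.join(',')}${scope}` });
    }
    if (TAGGABLE.indexOf(res.Type) !== -1) {
      const present = asList(props.Tags).map((t) => t.Key);
      const missing = REQUIRED_TAGS.filter((k) => present.indexOf(k) === -1);
      if (missing.length > 0) findings.push({ logicalId: id, issue: `missing tags ${missing.join(',')}` });
    }
  }
  return findings;
}
// Constructed sample in the shape of cdk synth output (not from a real stack).
const SAMPLE: Template = { Resources: {
  FnRole: { Type: 'AWS::IAM::Role', Properties: {
    ManagedPolicyArns: [{ 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AdministratorAccess']] }],
    Policies: [{ PolicyName: 'inline', PolicyDocument: { Statement: { Effect: 'Allow', Action: 's3:*', Resource: '*' } } }] } },
  Fn: { Type: 'AWS::Lambda::Function', Properties: { Tags: [{ Key: 'Team', Value: 'platform' }] } },
  Bucket: { Type: 'AWS::S3::Bucket', Properties: { Tags: [{ Key: 'Team', Value: 'platform' },
    { Key: 'Environment', Value: 'prod' }, { Key: 'CostCenter', Value: 'eng-01' }] } } } };
```

Run it as `reviewTemplate(JSON.parse(fs.readFileSync('cdk.out/ApiStack.template.json', 'utf8')))` in a unit test so a wildcard grant or untagged resource fails the pipeline before `cdk deploy`.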
5. CDK pipeline drift
Self-mutating CDK pipelines (CDK Pipelines) are powerful but require careful bootstrap configuration across accounts. Teams that set this up manually often end up with pipelines that break silently on CDK version upgrades or that can't deploy to new environments without manual intervention.
CDK consultants have seen these mistakes dozens of times. A 4-week engagement that prevents a security misconfiguration, eliminates 20% of your AWS bill, and accelerates your deployment pipeline typically pays for itself within 60 days. The opportunity cost of fixing these things reactively — under time pressure, after an incident — is much higher.
Schedule a CDK discovery call
We'll review your current infrastructure, identify the highest-value improvements, and scope an engagement. 30 minutes, no sales pitch.
Book a discovery call