AWS Security ChangesHomeSearch

AWS cdk documentation change

Service: cdk · 2026-01-28 · Documentation low

File: cdk/v2/guide/constructs.md

Summary

Added detailed documentation section explaining two methods for referencing resources between constructs (string vs object references) with multi-language code examples

Security assessment

The changes document general CDK usage patterns for resource referencing without mentioning security vulnerabilities, security patches, or security-specific features. While proper resource referencing is important for security, this is a standard infrastructure-as-code documentation update about API usage patterns.

Diff

diff --git a/cdk/v2/guide/constructs.md b/cdk/v2/guide/constructs.md
index 112b20226..01fa28a33 100644
--- a//cdk/v2/guide/constructs.md
+++ b//cdk/v2/guide/constructs.md
@@ -595,0 +596,387 @@ Some of our language-specific API references currently have errors in the paths
+#### Referencing resources from other constructs
+
+When configuring construct properties that reference other AWS resources, you have two equivalent options:
+
+  * **String references** : Pass explicit string values such as ARNs, names, or other resource identifiers
+
+  * **Object references** : Pass construct objects directly. This avoids having to determine which identifier type a property expects—the CDK handles that for you.
+
+
+
+
+##### Using string references
+
+You can always pass explicit string values such as ARNs, names, or other resource identifiers. This approach works for all properties and is required for nested properties within complex objects.
+
+The following example creates a Lambda function using an L1 construct (`CfnFunction`) with a role defined using an L2 construct (`Role`). The role’s ARN is passed to the `role` property:
+
+TypeScript
+    
+    
+    
+    const role = new iam.Role(this, 'MyRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName(
+          'service-role/AWSLambdaBasicExecutionRole'
+        ),
+      ],
+    });
+    
+    const myFunction = new lambda.CfnFunction(this, 'HelloWorldFunction', {
+      runtime: 'nodejs24.x',
+      role: role.roleArn, // Pass the ARN string explicitly
+      handler: 'index.handler',
+      code: {
+        zipFile: `
+        exports.handler = async function(event) {
+          return {
+            statusCode: 200,
+            body: JSON.stringify('Hello World!'),
+          };
+        };
+      `}
+    });
+
+JavaScript
+    
+    
+    
+    const role = new iam.Role(this, 'MyRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName(
+          'service-role/AWSLambdaBasicExecutionRole'
+        )
+      ]
+    });
+    
+    const myFunction = new lambda.CfnFunction(this, "HelloWorldFunction", {
+      runtime: 'nodejs24.x',
+      role: role.roleArn, // Pass the ARN string explicitly
+      handler: 'index.handler',
+      code: {
+        zipFile: `
+        exports.handler = async function(event) {
+          return {
+            statusCode: 200,
+            body: JSON.stringify('Hello World!'),
+          };
+        };
+      `}
+    });
+
+Python
+    
+    
+    
+    role = iam.Role(self, "MyRole",
+        assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
+        managed_policies=[
+            iam.ManagedPolicy.from_aws_managed_policy_name(
+                "service-role/AWSLambdaBasicExecutionRole"
+            )
+        ]
+    )
+    
+    my_function = _lambda.CfnFunction(self, "HelloWorldFunction",
+        runtime="nodejs24.x",
+        role=role.role_arn,  # Pass the ARN string explicitly
+        handler="index.handler",
+        code=_lambda.CfnFunction.CodeProperty(
+            zip_file=
+            """
+            exports.handler = async function(event) {
+              return {
+                statusCode: 200,
+                body: JSON.stringify('Hello World!'),
+              };
+            };
+            """
+        )
+    )
+
+Java
+    
+    
+    
+    Role role = Role.Builder.create(this, "MyRole")
+        .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
+        .managedPolicies(Arrays.asList(
+            ManagedPolicy.fromAwsManagedPolicyName(
+                "service-role/AWSLambdaBasicExecutionRole"
+            )
+        ))
+        .build();
+    
+    CfnFunction myFunction = CfnFunction.Builder.create(this, "HelloWorldFunction")
+        .runtime("nodejs24.x")
+        .role(role.getRoleArn())  // Pass the ARN string explicitly
+        .handler("index.handler")
+        .code(CfnFunction.CodeProperty.builder()
+            .zipFile(
+                "exports.handler = async function(event) {" +
+                "  return {" +
+                "    statusCode: 200," +
+                "    body: JSON.stringify('Hello World!')," +
+                "  };" +
+                "};")
+            .build())
+        .build();
+
+C#
+    
+    
+    
+    var role = new Role(this, "MyRole", new RoleProps
+    {
+        AssumedBy = new ServicePrincipal("lambda.amazonaws.com"),
+        ManagedPolicies = new[]
+        {
+            ManagedPolicy.FromAwsManagedPolicyName(
+                "service-role/AWSLambdaBasicExecutionRole"
+            )
+        }
+    });
+    
+    var myFunction = new CfnFunction(this, "HelloWorldFunction", new CfnFunctionProps
+    {
+        Runtime = "nodejs24.x",
+        Role = role.RoleArn,  // Pass the ARN string explicitly
+        Handler = "index.handler",
+        Code = new CfnFunction.CodeProperty
+        {
+            ZipFile = @"
+            exports.handler = async function(event) {
+              return {
+                statusCode: 200,
+                body: JSON.stringify('Hello World!'),
+              };
+            };
+            "
+        }
+    });
+
+Go
+    
+    
+    
+    role := awsiam.NewRole(stack, jsii.String("MyRole"), &awsiam.RoleProps{
+    	AssumedBy: awsiam.NewServicePrincipal(jsii.String("lambda.amazonaws.com"), nil),
+    	ManagedPolicies: &[]awsiam.IManagedPolicy{
+    		awsiam.ManagedPolicy_FromAwsManagedPolicyName(jsii.String("service-role/AWSLambdaBasicExecutionRole")),
+    	},
+    })
+    
+    myFunction := awslambda.NewCfnFunction(stack, jsii.String("HelloWorldFunction"), &awslambda.CfnFunctionProps{
+    	Runtime: jsii.String("nodejs24.x"),
+    	Role:    role.RoleArn(), // Pass the ARN string explicitly
+    	Handler: jsii.String("index.handler"),
+    	Code: &awslambda.CfnFunction_CodeProperty{
+    		ZipFile: jsii.String(`
+    		exports.handler = async function(event) {
+    		  return {
+    		    statusCode: 200,
+    		    body: JSON.stringify('Hello World!'),
+    		  };
+    		};
+    		`),
+    	},
+    })
+
+##### Using object references
+
+For selected properties, you can pass construct objects directly instead of extracting their attributes manually. Support for object references varies by property and may expand over time as new properties are added.
+