Reusable, secure service product catalog solution deploying AWS resources for frontend developers.
Managing Identity and Access Management (IAM) in modern organizations often involves manual, time-consuming processes that lead to delays, security risks, and compliance challenges. Traditionally, IT or Cloud Administrators manually create and assign IAM roles and permissions for development teams, which can result in inconsistent policies and operational bottlenecks.
This project introduces a reusable, easily deployable IAM provisioning solution tailored for Admin self-service using AWS Service Catalog and AWS Cloud Development Kit (CDK). It enables department-level administrators or platform engineers to securely provision pre-approved IAM roles for frontend web development team environment — without having to manually define or modify permissions. The solution can be extended to AWS Service Catalog portfolio for other roles (such as backend, and DevOps teams).
By standardizing IAM roles into catalog products, this solution empowers organizations to accelerate access provisioning, maintain policy consistency, and enforce security best practices. It provides clear separation of responsibilities: central security teams define the guardrails, while delegated admins can deploy trusted configurations to support team needs efficiently and securely.
| Actor Type | Responsibility |
|---|---|
| Central Security Team / IT Admins | Define IAM roles, resource permissions, and quotas. Establish organizational guardrails and compliance policies. May be part of the cybersecurity, IT admin, or cloud governance function. |
| Cloud/Platform Admins / Architects | Use AWS Service Catalog to provision pre-approved IAM roles for team members. May belong to DevOps, infrastructure, or architecture teams implementing the defined policies. |
| Development Teams | Consume the permissions via assumed roles. No direct role creation or provisioning. |
This solution delivers the following key components:
To help you get started quickly, this solution includes downloadable templates and CDK source code:
These artifacts are designed for reuse and easy deployment across organizations, making IAM provisioning faster, consistent, and secure.
The file frontend-scp-policies.ts stack defines a set of Service Control Policies (SCPs) that act as guardrails for all AWS accounts under the FrontendDevTeamOU. These SCPs ensure that developers can only access services and configurations that align with cost efficiency, compliance, and security best practices.
The SCPs enforced include:
These SCPs apply organization-wide and override IAM permissions — they are enforced even for root accounts.
// lib/frontend-scp-policies.ts
import * as cdk from 'aws-cdk-lib';
import * as organizations from 'aws-cdk-lib/aws-organizations';
import { Construct } from 'constructs';
/**
* Note: This SCP stack must be deployed from the AWS Organizations 'management/root account'.
* Requires the AWS Organization Root ID or Parent OU ID passed as a CDK context value.
* Note:
* - Use the following command to retrieve root ID: aws organizations list-roots --query 'Roots[0].Id' --output text
* - Deploy using: cdk deploy --context orgRootId=r-abc123
* - This enables SCPs and IAM roles to scope to this OU.
*/
export class FrontendScpPoliciesStack extends cdk.Stack {
public readonly frontendOuId: string;
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const parentId = this.node.tryGetContext('orgRootId');
if (!parentId) {
throw new Error("Missing required context: orgRootId. Pass it via --context or cdk.json");
}
// Define the OU to group frontend development accounts under the specified parent OU
const frontendOU = new organizations.CfnOrganizationalUnit(this, 'FrontendDevTeamOU', {
name: 'FrontendDevTeamOU',
parentId,
});
this.frontendOuId = frontendOU.attrId;
// ========== EC2 INSTANCE TYPE RESTRICTION ==========
// Prevents launching any EC2 instance outside of cost-efficient, dev-approved types
new organizations.CfnPolicy(this, 'DenyUnapprovedEc2TypesSCP', {
name: 'DenyUnapprovedEc2Types',
description: 'Deny launching non-approved EC2 instance types.',
type: 'SERVICE_CONTROL_POLICY',
content: {
Version: "2012-10-17",
Statement: [
{
Effect: "Deny",
Action: "ec2:RunInstances",
Resource: "*",
Condition: {
StringNotEqualsIfExists: {
"ec2:InstanceType": ["t3.micro", "t3.small", "t3.medium"]
}
}
}
]
},
targetIds: [this.frontendOuId],
});
// ========== IAM ADMIN RESTRICTION ==========
// Prevents IAM escalation by denying critical create/update permissions
new organizations.CfnPolicy(this, 'DenyIAMAdminSCP', {
name: 'DenyIAMAdminAccess',
description: 'Deny IAM admin-level actions.',
type: 'SERVICE_CONTROL_POLICY',
content: {
Version: "2012-10-17",
Statement: [
{
Effect: "Deny",
Action: [
"iam:CreateUser",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",
"iam:UpdateAssumeRolePolicy"
],
Resource: "*"
}
]
},
targetIds: [this.frontendOuId],
});
// ========== S3 PUBLIC ACCESS RESTRICTION ==========
// Deny attempts to make buckets/objects public using ACLs
new organizations.CfnPolicy(this, 'DenyS3PublicAccessSCP', {
name: 'DenyS3PublicAccess',
description: 'Prevent setting S3 public-read or public-read-write ACLs.',
type: 'SERVICE_CONTROL_POLICY',
content: {
Version: "2012-10-17",
Statement: [
{
Effect: "Deny",
Action: ["s3:PutBucketAcl", "s3:PutObjectAcl"],
Resource: "*",
Condition: {
StringEqualsIfExists: {
"s3:x-amz-acl": ["public-read", "public-read-write"]
}
}
}
]
},
targetIds: [this.frontendOuId],
});
// ========== EBS VOLUME RESTRICTION ==========
// Limit unencrypted and large (>100GiB) volumes from being created
new organizations.CfnPolicy(this, 'DenyLargeUnencryptedEbsSCP', {
name: 'DenyLargeUnencryptedEbs',
description: 'Deny creating EBS volumes larger than 100GiB or without encryption.',
type: 'SERVICE_CONTROL_POLICY',
content: {
Version: "2012-10-17",
Statement: [
{
Effect: "Deny",
Action: "ec2:CreateVolume",
Resource: "*",
Condition: {
NumericGreaterThanIfExists: { "ec2:VolumeSize": 100 },
BoolIfExists: { "ec2:Encrypted": "false" }
}
}
]
},
targetIds: [this.frontendOuId],
});
// ========== ALB CREATION GUARDRAIL ==========
// Require traceability tags on all ALBs and target groups
new organizations.CfnPolicy(this, 'RestrictALBCreationSCP', {
name: 'RestrictALBCreation',
description: 'Require ALBs to have tags for ownership and environment.',
type: 'SERVICE_CONTROL_POLICY',
content: {
Version: "2012-10-17",
Statement: [
{
Effect: "Deny",
Action: [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
Resource: "*",
Condition: {
Null: {
"aws:RequestTag/Owner": "true",
"aws:RequestTag/Environment": "true"
}
}
}
]
},
targetIds: [this.frontendOuId],
});
// ========== CLOUDFRONT GUARDRAIL ==========
// Prevent creating distributions without logging enabled (audit readiness)
new organizations.CfnPolicy(this, 'DenyCloudFrontWithoutLoggingSCP', {
name: 'DenyCloudFrontWithoutLogging',
description: 'Deny CloudFront distribution creation if logging is not enabled.',
type: 'SERVICE_CONTROL_POLICY',
content: {
Version: "2012-10-17",
Statement: [
{
Effect: "Deny",
Action: ["cloudfront:CreateDistribution", "cloudfront:UpdateDistribution"],
Resource: "*",
Condition: {
BoolIfExists: {
"cloudfront:LoggingEnabled": "false"
}
}
}
]
},
targetIds: [this.frontendOuId],
});
// Note: Non-frontend backend services like databases, queues, or compute options
// outside the approved architecture are denied
new organizations.CfnPolicy(this, 'DenyUnapprovedServicesSCP', {
name: 'DenyUnapprovedServices',
description: 'Denies access to backend or irrelevant services for frontend web developers.',
type: 'SERVICE_CONTROL_POLICY',
content: {
Version: "2012-10-17",
Statement: [
{
Sid: 'DenyDatabaseServices',
Effect: 'Deny',
Action: [
"rds:*",
"dynamodb:*",
"neptune:*"
],
Resource: "*"
},
{
Sid: 'DenyMessagingServices',
Effect: 'Deny',
Action: [
"sns:*",
"sqs:*",
"mq:*"
],
Resource: "*"
},
{
Sid: 'DenyComputeNotInScope',
Effect: 'Deny',
Action: [
"lambda:*",
"eks:*",
"ecs:*"
],
Resource: "*"
},
{
Sid: 'DenyDeveloperTooling',
Effect: 'Deny',
Action: [
"cloud9:*",
"codebuild:*",
"codedeploy:*",
"codepipeline:*"
],
Resource: "*"
}
]
},
targetIds: [this.frontendOuId],
});
}
}The file frontend-iam-roles.ts defines the IAM roles necessary for enabling secure, compliant access to AWS resources by both the frontend development team and the Service Catalog engine.
These roles are designed with least-privilege principles, while remaining flexible enough to support CI/CD pipelines, EC2 instances, and developer interactions.
All roles operate within the boundaries defined by attached SCPs and tagging strategies.
| Role | Description |
|---|---|
| FrontendSCCatalogLaunchRole | Used internally by Service Catalog to launch resources |
| FrontendDevSCUserRole | Enables frontend devs to access approved Service Catalog products |
| FrontendS3AccessRole | Allows CI/CD pipelines or dev tools to read/write to the frontend S3 bucket |
| FrontendEc2S3AccessRole | Attached to EC2 instances to enable secure read-only access to S3 |
// lib/frontend-iam-roles.ts
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';
/**
*
* This stack defines IAM roles scoped for the frontend team to interact with Service Catalog
* and access S3 buckets from EC2 and CI/CD pipelines.
*
*/
export class FrontendIamRolesStack extends cdk.Stack {
public readonly launchRole: iam.Role;
public readonly devEndUserRole: iam.Role;
public readonly s3AccessRole: iam.Role;
public readonly ec2InstanceRole: iam.Role;
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// ========== SERVICE CATALOG LAUNCH ROLE ==========
this.launchRole = new iam.Role(this, 'FrontendSCCatalogLaunchRole', {
assumedBy: new iam.ServicePrincipal('servicecatalog.amazonaws.com'),
roleName: 'FrontendSCCatalogLaunchRole',
description: 'Used by Service Catalog to provision frontend infrastructure',
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess') // adjust later
]
});
// ========== DEV TEAM END USER ROLE ==========
this.devEndUserRole = new iam.Role(this, 'FrontendDevSCUserRole', {
assumedBy: new iam.AccountRootPrincipal(),
roleName: 'FrontendDevSCUserRole',
description: 'Allows frontend developers to browse and launch Service Catalog products',
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName('AWSServiceCatalogEndUserFullAccess')
]
});
// ========== S3 ACCESS ROLE FOR CI/CD OR DEV TOOLS ==========
this.s3AccessRole = new iam.Role(this, 'FrontendS3AccessRole', {
assumedBy: new iam.AccountRootPrincipal(), // Update for federated/OIDC CI/CD if needed
roleName: 'FrontendS3AccessRole',
description: 'Allows CI/CD or devs to upload static frontend assets to S3',
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonS3FullAccess')
]
});
// ========== EC2 INSTANCE ROLE FOR S3 ACCESS ==========
this.ec2InstanceRole = new iam.Role(this, 'FrontendEc2S3AccessRole', {
assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
roleName: 'FrontendEc2S3AccessRole',
description: 'Allows EC2 instances to access S3 content',
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonS3ReadOnlyAccess')
]
});
// Optionally attach instance profile if used in ASG/LaunchTemplate
new iam.CfnInstanceProfile(this, 'FrontendEc2InstanceProfile', {
roles: [this.ec2InstanceRole.roleName],
instanceProfileName: 'FrontendEc2InstanceProfile'
});
}
}To follow best practices, the CDK templates are defined first to provision the actual infrastructure resources for the frontend environment. These templates generate ARNs and tagging metadata that are then used by IAM roles for permission scoping.
Below is a breakdown of the key CDK stacks:
File frontend-s3-stack.ts provisions a secure and compliant S3 bucket to host static frontend assets such as HTML, CSS, JS, and images. It includes lifecycle rules for cost optimization (auto-archive and delete), server-side encryption, HTTPS enforcement, and fine-grained IAM bucket policies. The bucket integrates with CloudFront for global content delivery and is intended to be updated via CI/CD pipelines or frontend developer roles.
// lib/frontend-s3-stack.ts
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as logs from 'aws-cdk-lib/aws-logs';
export class FrontendS3Stack extends cdk.Stack {
public readonly bucket: s3.Bucket;
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// ========================
// S3 ACCESS LOG BUCKET
// ========================
// This bucket stores access logs from the main S3 bucket
const accessLogsBucket = new s3.Bucket(this, 'AccessLogsBucket', {
removalPolicy: cdk.RemovalPolicy.DESTROY,
lifecycleRules: [
{
expiration: cdk.Duration.days(90),
},
],
});
// ========================
// CLOUDWATCH LOG GROUP (OPTIONAL)
// ========================
// CloudWatch cannot directly receive S3 access logs. Access logs go to S3 buckets.
// If you use AWS Athena or Lambda to process logs, you may forward them to CloudWatch.
// Here we define a log group that can be used for related logging (e.g. asset sync Lambda, custom processors).
new logs.LogGroup(this, 'FrontendS3OperationsLogGroup', {
retention: logs.RetentionDays.ONE_WEEK,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
// ========================
// S3 BUCKET FOR STATIC SITE CONTENT
// ========================
this.bucket = new s3.Bucket(this, 'FrontendAssetsBucket', {
bucketName: 'frontend-team-assets',
versioned: true,
publicReadAccess: false,
removalPolicy: cdk.RemovalPolicy.DESTROY,
autoDeleteObjects: true,
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
encryption: s3.BucketEncryption.S3_MANAGED,
enforceSSL: true,
lifecycleRules: [
{
transitions: [
{
storageClass: s3.StorageClass.GLACIER,
transitionAfter: cdk.Duration.days(90)
}
],
expiration: cdk.Duration.days(365),
id: 'ArchiveOldAssets'
}
]
});
// Add bucket policy for secure CloudFront access using OAC
this.bucket.addToResourcePolicy(new iam.PolicyStatement({
sid: 'AllowCloudFrontServiceAccess',
effect: iam.Effect.ALLOW,
principals: [new iam.ServicePrincipal('cloudfront.amazonaws.com')],
actions: ['s3:GetObject'],
resources: [`${this.bucket.bucketArn}/*`],
conditions: {
StringEquals: {
'AWS:SourceArn': 'arn:aws:cloudfront::${cdk.Aws.ACCOUNT_ID}:distribution/*'
}
}
}));
// Optional: Add bucket policy for IAM role-based access
this.bucket.addToResourcePolicy(new iam.PolicyStatement({
sid: 'FrontendTeamReadWriteAccess',
effect: iam.Effect.ALLOW,
principals: [new iam.ArnPrincipal('arn:aws:iam::123456789012:role/FrontendS3AccessRole')],
actions: [
's3:GetObject',
's3:PutObject',
's3:ListBucket'
],
resources: [
this.bucket.bucketArn,
`${this.bucket.bucketArn}/*`
]
}));
}
}cdk deploy --context bucketName=my-frontend-static-site#!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { FrontendS3Stack } from '../lib/frontend-s3-stack';
const app = new cdk.App();
// Read the bucketName from cdk deploy --context or fallback to default
const bucketName = app.node.tryGetContext('bucketName') || 'frontend-default-bucket';
new FrontendS3Stack(app, 'FrontendS3Stack', {
bucketName: bucketName,
env: {
account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION
}
});
File vpc-network-stack.ts defines the networking foundation for the frontend environment. It provisions a VPC with a custom CIDR range, isolated public and private subnets across availability zones, and a Network ACL (NACL), explicitly allow inbound HTTP (port 80) and HTTPS (port 443) traffic.
This VPC is referenced by all other stacks (ALB, EC2, ASG, etc.) to ensure consistent network boundaries.
// lib/vpc-network-stack.ts
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as logs from 'aws-cdk-lib/aws-logs';
import { Construct } from 'constructs';
export class VpcNetworkStack extends cdk.Stack {
public readonly vpc: ec2.Vpc;
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// ========================
// CLOUDWATCH LOG GROUP FOR VPC FLOW LOGS
// ========================
const vpcLogGroup = new logs.LogGroup(this, 'VpcFlowLogGroup', {
retention: logs.RetentionDays.ONE_WEEK,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
// Create a new VPC with 2 availability zones and defined subnet configurations
this.vpc = new ec2.Vpc(this, 'FrontendVPC', {
cidr: '10.0.0.0/16',
maxAzs: 2,
// Define subnet configuration: one public and one private per AZ
subnetConfiguration: [
{
name: 'PublicSubnet',
subnetType: ec2.SubnetType.PUBLIC,
cidrMask: 24,
},
{
name: 'PrivateSubnet',
subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
cidrMask: 24,
},
],
natGateways: 1, // Allow internet access from private subnets via NAT
flowLogs: {
CloudWatch: {
destination: ec2.FlowLogDestination.toCloudWatchLogs(vpcLogGroup),
trafficType: ec2.FlowLogTrafficType.ALL,
},
});
// Create a custom Network ACL and associate it with public subnets
const nacl = new ec2.NetworkAcl(this, 'FrontendNACL', {
vpc: this.vpc,
subnetSelection: { subnetType: ec2.SubnetType.PUBLIC }
});
nacl.addEntry('AllowHTTP', {
ruleNumber: 100,
cidr: ec2.AclCidr.anyIpv4(), // Allow HTTP traffic from anywhere
ruleAction: ec2.Action.ALLOW,
traffic: ec2.AclTraffic.tcpPort(80),
});
nacl.addEntry('AllowHTTPS', {
ruleNumber: 110,
cidr: ec2.AclCidr.anyIpv4(), // Allow HTTPS traffic from anywhere
ruleAction: ec2.Action.ALLOW,
traffic: ec2.AclTraffic.tcpPort(443),
});
}
}To use the VPC and its subnets from vpc-network-stack.ts, the vpc object is passed to dependent stacks such as ALB, EC2, and ASG in bin/app.ts. This ensures all resources share the same network boundaries and configurations.
Code Example: Passing VPC to an ALB Stack
// bin/app.ts
import { VpcNetworkStack } from '../lib/vpc-network-stack';
import { FrontendAlbStack } from '../lib/frontend-alb-stack';
const vpcStack = new VpcNetworkStack(app, 'VpcNetworkStack');
new FrontendAlbStack(app, 'FrontendAlbStack', vpcStack.vpc);Note: CDK automatically creates and attaches an IGW (Internet Gateway) when the VPC define public subnets.
The stack defined in frontend-acm-route53-stack.ts provisions an ACM (AWS Certificate Manager) certificate and a DNS alias record in Route 53. These resources enable HTTPS for the frontend application hosted via CloudFront or an Application Load Balancer (ALB), automating certificate validation and domain linking.
www.example.com).This configuration provides a secure HTTPS entry point, improves SEO and browser compatibility, and automates certificate renewals.
// lib/frontend-acm-route53-stack.ts
import * as cdk from 'aws-cdk-lib';
import * as acm from 'aws-cdk-lib/aws-certificatemanager';
import * as route53 from 'aws-cdk-lib/aws-route53';
import * as targets from 'aws-cdk-lib/aws-route53-targets';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import { Construct } from 'constructs';
interface FrontendAcmRoute53Props extends cdk.StackProps {
domainName: string;
subdomain: string;
distribution: cloudfront.IDistribution;
}
export class FrontendAcmRoute53Stack extends cdk.Stack {
public readonly certificate: acm.Certificate;
constructor(scope: Construct, id: string, props: FrontendAcmRoute53Props) {
super(scope, id, props);
const hostedZone = route53.HostedZone.fromLookup(this, 'HostedZone', {
domainName: props.domainName,
});
this.certificate = new acm.Certificate(this, 'FrontendCert', {
domainName: `${props.subdomain}.${props.domainName}`,
validation: acm.CertificateValidation.fromDns(hostedZone),
});
new route53.ARecord(this, 'AliasRecord', {
zone: hostedZone,
recordName: props.subdomain,
target: route53.RecordTarget.fromAlias(
new targets.CloudFrontTarget(props.distribution)
)
});
}
}The stack in frontend-cloudfront-stack.ts provisions an Amazon CloudFront distribution for securely serving static content from S3 and dynamic content via ALB or EC2. It uses an existing ACM certificate from the Route53 stack to enforce HTTPS with a custom domain.
// lib/frontend-cloudfront-stack.ts
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import { FrontendSecurityStack } from '../lib/frontend-security-stack';
import { Construct } from 'constructs';
interface FrontendCloudFrontProps extends cdk.StackProps {
siteBucket: s3.IBucket;
loadBalancer: elbv2.IApplicationLoadBalancer;
acmCertificateArn: string;
domainName: string;
subdomain: string;
}
export class FrontendCloudFrontStack extends cdk.Stack {
public readonly distribution: cloudfront.Distribution;
constructor(scope: Construct, id: string, props: FrontendCloudFrontProps) {
super(scope, id, props);
// ========================
// CLOUDFRONT LOG BUCKET
// ========================
// This S3 bucket receives access logs from CloudFront
// *** CloudFront does not natively support CloudWatch Logs ***
const cloudfrontLogBucket = new s3.Bucket(this, 'CloudFrontAccessLogBucket', {
removalPolicy: cdk.RemovalPolicy.DESTROY,
lifecycleRules: [
{
expiration: cdk.Duration.days(90),
},
],
});
// Define Origin Access Control (OAC) for secure S3 access
const oac = new OriginAccessControl(this, 'FrontendS3OAC', {
originAccessControlConfig: {
name: 'FrontendStaticAssetsOAC',
originAccessControlOriginType: 's3',
signingBehavior: 'always',
signingProtocol: 'sigv4',
}
});
// Create CloudFront distribution with S3 as default origin and ALB as additional route
this.distribution = new cloudfront.Distribution(this, 'FrontendDistribution', {
defaultBehavior: {
// Serve static content from S3
origin: new origins.S3Origin(props.siteBucket, {
originAccessControl: oac,
)},
viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
cachePolicy: cloudfront.CachePolicy.CACHING_OPTIMIZED,
},
additionalBehaviors: {
'api/*': {
// Serve dynamic content via ALB for '/api/*' path
origin: new origins.LoadBalancerV2Origin(props.loadBalancer, {
protocolPolicy: cloudfront.OriginProtocolPolicy.HTTP_ONLY,
}),
cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
},
},
domainNames: [`${props.subdomain}.${props.domainName}`],
certificate: cloudfront.ViewerCertificate.fromAcmCertificate({
certificateArn: props.acmCertificateArn,
env: { region: 'us-east-1' },
node: this.node
}),
comment: 'CloudFront distribution for frontend site with TLS and dual origin routing',
enableLogging: true
logBucket: cloudfrontLogBucket,
logFilePrefix: 'cloudfront-access-logs/',
comment: 'CloudFront Distribution for Frontend Static and API Routing',
});
}
}The stack defined in frontend-compute-stack.ts provisions the compute layer of the frontend architecture to host dynamic content such as APIs, SSR pages, or React server components. It uses CfnParameter to expose configurable values like minimum and maximum capacity, which can be customized at deployment time through CloudFormation or Service Catalog interfaces.
This enables flexibility while allowing infrastructure teams to enforce constraints using IAM roles, Service Control Policies (SCPs), and Service Catalog launch constraints to prevent unauthorized modifications. The architecture ensures scalability, availability, and secure networking with:
Key points: Hosts SSR logic (e.g., Next.js), places EC2s in private subnets, and enables secure internet access through NAT.
// lib/frontend-compute-stack.ts
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import * as autoscaling from 'aws-cdk-lib/aws-autoscaling';
import * as logs from 'aws-cdk-lib/aws-logs';
import { CloudFrontIpProvider } from './cloudfront-ip-provider';
import { Construct } from 'constructs';
export class FrontendComputeStack extends cdk.Stack {
constructor(scope: Construct, id: string, vpc: ec2.Vpc, props?: cdk.StackProps) {
super(scope, id, props);
// ========================
// SECURITY GROUP for ALB
// ========================
const albSG = new ec2.SecurityGroup(this, 'AlbSG', {
vpc,
description: 'Allow HTTP/HTTPS to ALB',
allowAllOutbound: true,
});
// Fetch CloudFront IPs dynamically using custom resource
const cloudfrontIpProvider = new CloudFrontIpProvider(this, 'CloudFrontIpProvider');
// Add each IP as an ingress rule for ALB to only allow CloudFront traffic
for (const cidr of cloudfrontIpProvider.cloudfrontIpList) {
albSG.addIngressRule(ec2.Peer.ipv4(cidr), ec2.Port.tcp(80), `Allow HTTP from ${cidr}`);
albSG.addIngressRule(ec2.Peer.ipv4(cidr), ec2.Port.tcp(443), `Allow HTTPS from ${cidr}`);
}
// ========================
// CLOUDWATCH LOG GROUP FOR ALB
// ========================
const albLogGroup = new logs.LogGroup(this, 'AlbAccessLogs', {
retention: logs.RetentionDays.ONE_WEEK,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
// ========================
// APPLICATION LOAD BALANCER
// ========================
const alb = new elbv2.ApplicationLoadBalancer(this, 'FrontendALB', {
vpc,
internetFacing: true,
securityGroup: albSG,
vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
});
// Add HTTP listener (Note: you can enable HTTPS by attaching certificate)
const listener = alb.addListener('Listener', {
port: 80,
open: true,
});
// ========================
// SECURITY GROUP for EC2
// ========================
const ec2SG = new ec2.SecurityGroup(this, 'Ec2SG', {
vpc,
description: 'Allow traffic from ALB to EC2',
allowAllOutbound: true,
});
ec2SG.addIngressRule(albSG, ec2.Port.tcp(80));
// ========================
// CDK PARAMETERS for ASG
// ========================
const minCapacity = new cdk.CfnParameter(this, 'MinCapacity', {
type: 'Number',
default: 1,
description: 'Minimum EC2 instances in ASG',
});
const maxCapacity = new cdk.CfnParameter(this, 'MaxCapacity', {
type: 'Number',
default: 3,
description: 'Maximum EC2 instances in ASG',
});
// ========================
// AUTO SCALING GROUP
// ========================
const asg = new autoscaling.AutoScalingGroup(this, 'FrontendASG', {
vpc,
instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
machineImage: ec2.MachineImage.latestAmazonLinux(),
minCapacity: minCapacity.valueAsNumber,
maxCapacity: maxCapacity.valueAsNumber,
desiredCapacity: 1,
securityGroup: ec2SG,
vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
});
// ========================
// CLOUDWATCH METRICS (Built-in)
// ========================
// Auto Scaling Group and EC2 instances automatically publish basic CloudWatch metrics
// such as CPUUtilization, NetworkIn, NetworkOut, etc. To collect detailed metrics or logs,
// install CloudWatch Agent via userData or SSM later if needed.
// ========================
// ATTACH ASG TO ALB
// ========================
listener.addTargets('AppTargets', {
port: 80,
targets: [asg],
healthCheck: {
path: '/',
interval: cdk.Duration.seconds(30),
},
});
}
}The NAT Gateway is implicitly configured through the VPC definition in vpc-network-stack.ts using the following configuration:
PRIVATE_WITH_EGRESS, indicating they require outbound internet access via a NAT Gateway.natGateways: 1 is specified in the VPC properties, prompting AWS CDK to automatically create a NAT Gateway and configure routing from private subnets through the NAT to the Internet Gateway.frontend-compute-stack.ts.This allows EC2 instances in private subnets to securely access external resources (e.g., for pulling NPM packages or calling APIs) without exposing them to the internet.
The Application Load Balancer (ALB) is deployed in public subnets to securely receive inbound web traffic from the internet. It forwards HTTP requests to private EC2 instances behind the scenes, providing a secure and scalable entry point for dynamic content hosted in the ASG.
This stack enhances the security posture of the frontend web infrastructure by integrating AWS Web Application Firewall (WAF) and AWS Shield protections directly with the CloudFront distribution.
This layer is critical for ensuring availability and defense-in-depth for public-facing web apps.
// lib/frontend-security-stack.ts
import * as cdk from 'aws-cdk-lib';
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as logs from 'aws-cdk-lib/aws-logs';
import { Construct } from 'constructs';
interface FrontendSecurityStackProps extends cdk.StackProps {
cloudfrontDistribution: cloudfront.IDistribution;
}
export class FrontendSecurityStack extends cdk.Stack {
constructor(scope: Construct, id: string, props: FrontendSecurityStackProps) {
super(scope, id, props);
// Create a CloudWatch log group for WAF logs
const wafLogGroup = new logs.LogGroup(this, 'WafLogGroup', {
retention: logs.RetentionDays.ONE_WEEK,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
// Create a basic WAF WebACL with AWS managed rule group and logging
const webAcl = new wafv2.CfnWebACL(this, 'FrontendWebACL', {
defaultAction: { allow: {} },
scope: 'CLOUDFRONT',
visibilityConfig: {
cloudWatchMetricsEnabled: true,
metricName: 'FrontendWebACL',
sampledRequestsEnabled: true,
},
rules: [
{
name: 'AWS-AWSManagedRulesCommonRuleSet',
priority: 1,
overrideAction: { none: {} },
statement: {
managedRuleGroupStatement: {
vendorName: 'AWS',
name: 'AWSManagedRulesCommonRuleSet',
},
},
visibilityConfig: {
sampledRequestsEnabled: true,
cloudWatchMetricsEnabled: true,
metricName: 'AWSCommonRules',
},
},
],
});
// Enable logging for the WebACL to the created log group
new wafv2.CfnLoggingConfiguration(this, 'WafLogging', {
resourceArn: webAcl.attrArn,
logDestinationConfigs: [wafLogGroup.logGroupArn],
});
// Associate WAF WebACL with the CloudFront distribution
new wafv2.CfnWebACLAssociation(this, 'WebACLAssociation', {
resourceArn: props.cloudfrontDistribution.distributionArn,
webAclArn: webAcl.attrArn,
});
// Reminder to enable Shield Advanced manually for full protection
new cdk.CfnOutput(this, 'ShieldReminder', {
value: 'Ensure AWS Shield Advanced is enabled for full DDoS protection on CloudFront.',
description: 'Shield Advanced requires Business or Enterprise Support and manual activation.',
});
}
}Check GitHub Repositoryfor Athena integration to analyze CloudFront and Site S3 logs and generate reports.
The file frontend-dev-product.ts defines a Service Catalog product using AWS CDK, representing a complete frontend infrastructure stack tailored for development environments. The product is encapsulated in a CloudFormationProduct and includes components such as VPC networking, SCP for OU level restricted permissions, S3 for static hosting, CloudFront, EC2-based compute, ACM certificates, and Route 53 DNS.
Additionally, a utility function is provided to associate the product with a Service Catalog portfolio, enabling platform teams to publish it for self-service use by development teams. This approach supports centralized governance while empowering teams with on-demand infrastructure provisioning.
// lib/products/frontend-dev-product.ts
import * as cdk from 'aws-cdk-lib';
import * as servicecatalog from 'aws-cdk-lib/aws-servicecatalog';
import { Construct } from 'constructs';
import { FrontendS3Stack } from '../frontend-s3-stack';
import { FrontendComputeStack } from '../frontend-compute-stack';
import { FrontendAcmRoute53Stack } from '../frontend-acm-route53-stack';
import { FrontendCloudFrontStack } from '../frontend-cloudfront-stack';
import { FrontendSecurityStack } from '../frontend-security-stack';
import { AthenaQueryStack } from '../Athena-query-stack';
/**
* =========================
* Service Catalog Product: Frontend Dev Infrastructure
* =========================
*
* This Service Catalog product provisions:
* - S3 bucket for static site hosting
* - CloudFront distribution
* - EC2 ASG with ALB
* - ACM certificate + Route 53 records
* - Logging Support for deployed resources
*
* Note: These stacks assumes no foundational VPC and security setup present in the account.
*/
export class FrontendDevProduct extends servicecatalog.CloudFormationProduct {
constructor(scope: Construct, id: string) {
super(scope, id, {
productName: 'Frontend Dev Infrastructure',
owner: 'Platform Admin',
distributor: 'Self-Service Portal',
description: 'Provision S3 + CloudFront + Compute + ACM + DNS for frontend this',
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromProductStack(
new FrontendProductStack(scope, 'FrontendProductStack')
)
});
}
}
/**
* This stack bundles all required infra for the frontend web product.
*/
class FrontendProductStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const env = {
account: process.env.CDK_DEFAULT_ACCOUNT, //CDK will get this from ~/.aws/credentials
region: process.env.CDK_DEFAULT_REGION //CDK will get this from ~/.aws/credentials};
};
// 1. Static S3 bucket for frontend assets
// Retrieve bucket name from context or fallback
const bucketName = this.node.tryGetContext('bucketName') || 'frontend-default-bucket';
const s3Stack = new FrontendS3Stack(this, 'FrontendS3Stack', {
bucketName: bucketName,
env,
});
// 2. ACM + Route53 stack (Certificate and DNS)
// Retrieve bucket name from context or fallback
const domainName = this.node.tryGetContext('domainName');
if (!domainName) {
throw new Error("Missing required context: domainName. Pass it via --context or cdk.json");
}
const acmRoute53Stack = new FrontendAcmRoute53Stack(this, 'FrontendAcmRoute53Stack', {
domainName: domainName,
subdomain: 'www',
distribution: undefined as any, // placeholder to be set after CloudFront stack
env
});
// 3. CloudFront stack (uses S3 + ACM)
const cloudfrontStack = new FrontendCloudFrontStack(this, 'FrontendCloudFrontStack', {
siteBucket: s3Stack.bucket,
acmCertificateArn: acmRoute53Stack.certificate.certificateArn,
domainName: domainName,
subdomain: 'www',
loadBalancer: undefined as any, // placeholder to be set after compute stack
env
});
// 4. Compute stack (ALB, ASG, EC2, dynamic content, SG based on CloudFront IPs)
const computeStack = new FrontendComputeStack(this, 'FrontendComputeStack', vpcStack.vpc, {
env
});
// Update CloudFrontStack with load balancer (after compute stack is created)
cloudfrontStack.distribution.node.addDependency(computeStack);
cloudfrontStack.distribution.node.tryRemoveChild('Resource');
// 5. Reconnect distribution into Route53 stack for alias
acmRoute53Stack.distribution = cloudfrontStack.distribution;
// 6. Security stack: adds WAF protection to CloudFront with logging
new FrontendSecurityStack(this, 'FrontendSecurityStack', {
cloudfrontDistribution: cloudfrontStack.distribution,
env
});
// 7. Athena stack to query logs from both CloudFront and S3
new AthenaQueryStack(this, 'AthenaQueryStack', {
env,
logsBucket: cloudfrontStack.logBucket, // assumes shared bucket for simplicity
cloudfrontPrefix: 'cloudfront-access-logs/',
s3AccessPrefix: 'frontend-access-logs/',
});
}
}
/**
* This function should be invoked in your Service Catalog stack (e.g., FrontendServiceCatalogStack)
* to wire this product to the SC portfolio with IAM role access.
*/
export function addFrontendDevProductToPortfolio(scope: Construct, portfolio: servicecatalog.Portfolio) {
const product = new FrontendDevProduct(scope, 'FrontendDevProduct');
portfolio.addProduct(product);
} The file frontend-servicecatalog.ts defines the Service Catalog portfolio for the frontend team using AWS CDK. It creates a portfolio that serves as a container for pre-approved infrastructure products, such as the frontend development stack.
The stack also imports and associates IAM roles to control who can launch the products (launch role) and who can access them (end user role). By linking the FrontendDevProduct to this portfolio, the platform team enables self-service provisioning for frontend developers while maintaining security, consistency, and governance.
// lib/frontend-servicecatalog.ts
import * as cdk from 'aws-cdk-lib';
import * as servicecatalog from 'aws-cdk-lib/aws-servicecatalog';
import { Construct } from 'constructs';
import { addFrontendDevProductToPortfolio } from './products/frontend-dev-product';
/**
* ==============================
* Service Catalog Portfolio for Frontend Team
* ==============================
*
* This stack wires IAM roles with a Service Catalog Portfolio.
* It enables frontend devs to self-service launch pre-approved infrastructure stacks.
*/
export class FrontendServiceCatalogStack extends cdk.Stack {
constructor(scope: Construct, id: string, props: cdk.StackProps & {
launchRoleArn: string;
endUserRoleArn: string;
}) {
super(scope, id, props);
// Create a Service Catalog Portfolio
const portfolio = new servicecatalog.Portfolio(this, 'FrontendPortfolio', {
displayName: 'Frontend Dev Infrastructure Portfolio',
providerName: 'Platform Admin',
description: 'Contains curated frontend infra stacks (S3, CloudFront, EC2, etc.)'
});
// Import IAM roles by ARN
const launchRole = servicecatalog.Role.fromRoleArn(this, 'LaunchRoleImport', props.launchRoleArn);
const endUserRole = servicecatalog.Role.fromRoleArn(this, 'EndUserRoleImport', props.endUserRoleArn);
// Associate roles with portfolio
portfolio.setLaunchRole(launchRole);
portfolio.giveAccessToRole(endUserRole);
// Add Frontend Dev Product to the portfolio
addFrontendDevProductToPortfolio(this, portfolio);
}
}
The file frontend-service-quotas-stack section introduces governance controls to help manage resource usage and cost within the frontend development environment. The FrontendServiceQuotasStack defines strict service limits for critical AWS services such as EC2 and S3, ensuring that resource sprawl is prevented by capping instance counts and bucket creation.
In parallel, the FrontendBudgetsStack sets up a cost budget with automated email notifications when spending exceeds defined thresholds. These controls provide a safety net for platform teams to enforce cost discipline and prevent unexpected overuse of AWS resources, especially in development and sandbox accounts.
#// lib/frontend-service-quotas-stack.ts
!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { FrontendServiceCatalogStack } from '../lib/frontend-servicecatalog';
import { VpcNetworkStack } from '../lib/vpc-network-stack';
import { FrontendScpPoliciesStack } from '../lib/frontend-scp-policies';
import { FrontendIamRolesStack } from '../lib/frontend-iam-roles';
const app = new cdk.App();
const env = {
account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION
};
/** Foundational Steps provisioning vps, Devteam OU, Devteam Account, SCP, IAM roles */
// **Caution**: This Stack assume no foundation infrsature is deployed and no VPC/networkin is already present in the account.
// we are creating VPC with CIDR = 10.0.0.0/16, in any case, if you have existing VPC, please update the CIDR accordingly.
// 1. Create the VPC and networking resources
const vpcStack = new VpcNetworkStack(app, 'VpcNetworkStack', { env });
// 2. Creates OU and SCP to restrict access to the VPC
new FrontendScpPoliciesStack(app, 'FrontendScpPoliciesStack');
// 3. IAM roles for frontend team to interact with Service Catalog and S3
// new FrontendIamRolesStack (this, 'FrontendIamRolesStack'); //called in app.ts for arns
// Deploy IAM Roles first
const iamStack = new FrontendIamRolesStack(app, 'FrontendIamRolesStack', { env });
// Pass role ARNs to Service Catalog stack
new FrontendServiceCatalogStack(app, 'FrontendServiceCatalogStack', {
env,
launchRoleArn: iamStack.launchRole.roleArn,
endUserRoleArn: iamStack.devEndUserRole.roleArn
});
The file bin/app.ts section represents the main entry point of the CDK application and coordinates the deployment of all foundational infrastructure components required for a secure, governed, and self-service development environment.
It sequentially provisions a new VPC, sets up Service Control Policies (SCPs), and creates IAM roles used by both Service Catalog and developers. These IAM roles are then passed to the Service Catalog portfolio stack, which registers and configures a curated frontend infrastructure product.
This centralized orchestration ensures all the stacks are instantiated in the correct order with consistent environment setup for frontend teams.
// bin/app.ts
#!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { FrontendServiceCatalogStack } from '../lib/frontend-servicecatalog';
import { VpcNetworkStack } from '../lib/vpc-network-stack';
import { FrontendScpPoliciesStack } from '../lib/frontend-scp-policies';
import { FrontendIamRolesStack } from '../lib/frontend-iam-roles';
import { FrontendServiceQuotasStack } from '../lib/frontend-service-qouta';
import { FrontendBudgetsStack } from '../lib/frontend-service-qouta';
const app = new cdk.App();
const env = {
account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION
};
/** Foundational Steps provisioning VPC, Devteam OU, Devteam Account, SCP, IAM roles */
// **Caution**: This stack assumes no foundation infrastructure is deployed and
// no VPC/networking is already present in the account. We are creating VPC with CIDR = 10.0.0.0/16.
// If you have an existing VPC, please update the CIDR accordingly.
// 1. Create the VPC and networking resources
const vpcStack = new VpcNetworkStack(app, 'VpcNetworkStack', { env });
// 2. Creates OU and SCP to restrict access to the VPC
new FrontendScpPoliciesStack(app, 'FrontendScpPoliciesStack');
// 3. IAM roles for frontend team to interact with Service Catalog and S3
const iamStack = new FrontendIamRolesStack(app, 'FrontendIamRolesStack', { env });
// 4. Enforce Service Quotas to prevent overuse of EC2, S3, etc.
new FrontendServiceQuotasStack(app, 'FrontendServiceQuotasStack', { env });
// 5. Set up budget monitoring with user-defined email
const budgetEmail = app.node.tryGetContext('budgetEmail');
if (!budgetEmail) {
throw new Error('Missing --context budgetEmail=yourname@example.com');
}
new FrontendBudgetsStack(app, 'FrontendBudgetsStack', {
env,
budgetEmail: budgetEmail
});
// 6. Pass role ARNs to Service Catalog stack
new FrontendServiceCatalogStack(app, 'FrontendServiceCatalogStack', {
env,
launchRoleArn: iamStack.launchRole.roleArn,
endUserRoleArn: iamStack.devEndUserRole.roleArn
});To publish your complete frontend infrastructure product to AWS Service Catalog, you can use thecdk deploy --all command. This will synthesize and deploy all defined CDK stacks, including networking, SCPs, IAM roles, and the Service Catalog portfolio and product.
Make sure to pass any required context values — such as domain name, bucket name, or budget email — using the--context flag to ensure all stacks receive their necessary runtime configuration.
cdk deploy --all
--context domainName=example.com
--context bucketName=frontend-dev-bucket
--context budgetEmail=team@example.com
This command will register the product into AWS Service Catalog, associate it with the appropriate portfolio and IAM roles, and make it available for self-service launch by approved developers via the AWS Console.
This end-to-end solution demonstrates how to enable self-service infrastructure provisioning for frontend developers using AWS Service Catalog with built-in governance and cost controls.
We've learned how to:
This project enables cloud platform teams to safely scale infrastructure across development teams with security, compliance, and operational excellence.