CDKToolkit CloudFormation stack has Bootstrap version 21 or higher
cloudformation_stack_cdktoolkit_bootstrap_version
This check compares the BootstrapVersion output of the CloudFormation CDKToolkit stack with a recommended minimum (default 21). A lower value indicates that the environment still uses legacy bootstrap resources and IAM roles from older templates.
Risk
Outdated bootstrap stacks can lack recent hardening: asset buckets or ECR repositories may be easier to misuse, and deployment roles may have broader trust policies.
Adversaries could tamper with deployment artifacts or assume privileged roles, compromising integrity and confidentiality and enabling privilege escalation.
prowler aws --checks cloudformation_stack_cdktoolkit_bootstrap_version
Recommendation
Standardize on the modern bootstrap at or above the recommended version (e.g., >= 21) in every account and Region.
Apply least privilege to bootstrap roles, limit trusted accounts, enable termination protection, and periodically review for version drift to strengthen defense in depth.
Remediation
cdk bootstrap aws://<ACCOUNT_ID>/<REGION>
- Sign in to the AWS Console and open CloudShell
- Run: cdk bootstrap aws://<ACCOUNT_ID>/<REGION>
- In the console, go to CloudFormation > Stacks > CDKToolkit > Outputs
- Confirm Output "BootstrapVersion" is 21 or higher
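The comparison this check performs, as an added example (not Prowler's own check code): it parses the BootstrapVersion output from a CloudFormation describe_stacks response and classifies it against the minimum, treating a missing or malformed output as a legacy bootstrap. The evaluate_region function is the live variant and assumes boto3, AWS credentials, and CloudFormation's "does not exist" error text for an absent stack; the sample stacks and account id are constructed.

```python
from dataclasses import dataclass

MINIMUM_BOOTSTRAP_VERSION = 21  # recommended minimum used by the check
STACK_NAME = "CDKToolkit"

@dataclass
class Finding:
    status: str            # "PASS" or "FAIL"
    version: "int | None"  # parsed BootstrapVersion; None if missing or malformed
    detail: str

def bootstrap_version_from_outputs(outputs):
    """Parse the BootstrapVersion output of a stack; None when absent or not an int."""
    for output in outputs or []:
        if output.get("OutputKey") == "BootstrapVersion":
            try:
                return int(output.get("OutputValue", ""))
            except ValueError:
                return None
    return None

def evaluate_stack(stack, minimum=MINIMUM_BOOTSTRAP_VERSION):
    """Classify one describe_stacks 'Stacks[]' entry against the minimum version."""
    version = bootstrap_version_from_outputs(stack.get("Outputs"))
    if version is None:  # legacy (v1) templates expose no BootstrapVersion output
        return Finding("FAIL", None, "BootstrapVersion output missing or malformed")
    if version < minimum:
        return Finding("FAIL", version, f"BootstrapVersion {version} is below {minimum}")
    return Finding("PASS", version, f"BootstrapVersion {version} meets {minimum}")

def evaluate_region(region, minimum=MINIMUM_BOOTSTRAP_VERSION):
    """Live variant (needs boto3 and credentials); None if the region has no CDKToolkit."""
    import boto3  # imported lazily so the offline functions above need no AWS libraries
    from botocore.exceptions import ClientError
    cfn = boto3.client("cloudformation", region_name=region)
    try:
        stacks = cfn.describe_stacks(StackName=STACK_NAME)["Stacks"]
    except ClientError as exc:
        if "does not exist" in str(exc):  # assumed ValidationError text for an absent stack
            return None
        raise
    return evaluate_stack(stacks[0], minimum)

# Constructed sample shaped like describe_stacks output (account id is a placeholder).
SAMPLE_STACKS = {
    "modern": {"StackName": STACK_NAME, "Outputs": [
        {"OutputKey": "BootstrapVersion", "OutputValue": "21"}]},
    "old": {"StackName": STACK_NAME, "Outputs": [{"OutputKey": "BootstrapVersion", "OutputValue": "12"}]},
    "legacy": {"StackName": STACK_NAME, "Outputs": []},
}
```

Run evaluate_stack over each entry of SAMPLE_STACKS to see the PASS/FAIL verdicts; evaluate_region("us-east-1") performs the same classification against a real account.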
Resource Type
AwsCloudFormationStack
References
- https://towardsthecloud.com/blog/aws-cdk-bootstrap
- https://support.icompaas.com/support/solutions/articles/62000233694-ensure-that-cdktoolkit-stacks-have-a-bootstrap-version-of-21-or-higher-to-mitigate-security-risks
- https://docs.aws.amazon.com/cdk/v2/guide/ref-cli-cmd-bootstrap.html
- https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-customizing.html