
FsCDK Namespace

Type/Module Description

AccessPointBuilder

AccessPointConfig

AccessPointSpec

AlarmWidgetBuilder

AlarmWidgetConfig

ALBBuilder

ALBBuilders

ALBConfig

High-level Application Load Balancer builder following AWS security best practices.

**Default Security Settings:**
- Internet-facing = false (internal by default for security)
- HTTP/2 = enabled
- Deletion protection = false (can be enabled for production)
- Drop invalid headers = true (security best practice)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Internal ALBs by default prevent accidental public exposure
- HTTP/2 improves performance
- Dropping invalid headers prevents header injection attacks

**Escape Hatch:** Access the underlying CDK ApplicationLoadBalancer via the `LoadBalancer` property for advanced scenarios not covered by this builder.

ALBListenerBuilder

ALBListenerConfig

High-level ALB Listener builder following AWS best practices.

**Default Settings:**
- Protocol = HTTP
- Port = 80
- Default action = fixed response (503)

**Rationale:**
- Fixed response by default prevents unhandled requests
- Explicit target group configuration required

ALBListenerResource

ALBSpec

ALBTargetGroupBuilder

ALBTargetGroupConfig

High-level ALB Target Group builder following AWS best practices.

**Default Settings:**
- Protocol = HTTP
- Port = 80
- Target type = IP (for Fargate)
- Deregistration delay = 30 seconds
- Health check enabled with sensible defaults

**Rationale:**
- IP target type required for Fargate tasks
- Shorter deregistration delay improves deployment speed
- Health checks ensure traffic only goes to healthy targets

ALBTargetGroupResource

ApiGatewayBuilders

AppBuilder

AppBuilders

AppConfig

AppRunnerBuilders

AppRunnerHelpers

Helper functions for App Runner operations

AppRunnerServiceBuilder

AppRunnerServiceConfig

High-level AWS App Runner service builder following AWS best practices.

**Default Settings:**
- Auto-scaling = 1-10 instances
- Memory = 2 GB
- vCPU = 1
- Port = 8080
- Health check = /health

**Rationale:** App Runner provides fully managed container hosting similar to Azure App Service. These defaults follow AWS Well-Architected Framework:
- Sensible scaling limits for cost control
- Standard health check endpoint
- Container-first approach

**Use Cases:**
- Containerized web applications
- REST APIs
- Background workers
- Microservices

**Escape Hatch:** Access the underlying CDK CfnService via the `Service` property for advanced scenarios not covered by this builder.

AppRunnerServiceSpec

AppSyncApiBuilder

AppSyncApiConfig

High-level AWS AppSync (GraphQL API) builder following AWS best practices.

**Default Settings:**
- AuthorizationMode = API_KEY (for development)
- XrayEnabled = true (distributed tracing)
- LogLevel = ALL (comprehensive logging)

**Rationale:** These defaults follow Yan Cui's GraphQL API recommendations:
- AppSync provides managed GraphQL with subscriptions
- Built-in caching and offline support
- Better than API Gateway for complex mobile/web apps
- X-Ray tracing for debugging

**Use Cases:**
- Mobile applications (iOS, Android)
- Real-time web applications
- Offline-first applications
- Complex data fetching requirements
- GraphQL subscriptions

**Escape Hatch:** Access the underlying CDK GraphqlApi via the `GraphqlApi` property for advanced scenarios not covered by this builder.

AppSyncApiSpec

AppSyncBuilders

AppSyncDataSourceBuilder

AppSyncDataSourceConfig

AppSync Data Source Configuration

AppSyncDataSourceSpec

AppSyncHelpers

Helper functions for AppSync operations

AutoVerifiedAttrsBuilder

AutoVerifiedAttrsConfig

BastionHostBuilder

BastionHostBuilders

BastionHostConfig

High-level Bastion Host builder following AWS security best practices.

**Default Security Settings:**
- Instance type = t3.nano (minimal compute for SSH access)
- Machine image = Amazon Linux 2023
- Requires IMDSv2 = true (enhanced security)
- Subnet type = PUBLIC (for external SSH access)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- t3.nano is cost-effective for bastion workloads
- Amazon Linux 2023 has latest security patches
- IMDSv2 prevents SSRF attacks against instance metadata
- Public subnet placement allows external access

**Security Note:** Bastion hosts should use strict security groups and key-based authentication. Consider AWS Systems Manager Session Manager as a more secure alternative.

**Escape Hatch:** Access the underlying CDK BastionHostLinux via the `BastionHost` property for advanced scenarios not covered by this builder.

BastionHostSpec

BucketBuilder

BucketConfig

High-level S3 Bucket builder following AWS security best practices.

**Default Security Settings:**
- BlockPublicAccess = BLOCK_ALL (prevents public access)
- ServerSideEncryption = SSE-KMS with AWS managed key (aws/s3)
- Versioning = disabled (opt-in via versioned operation)
- EnforceSSL = true (requires HTTPS for all requests)

**Rationale:** These defaults follow AWS Well-Architected Framework security pillar:
- Encryption at rest protects data from unauthorized access
- Blocking public access prevents accidental data exposure
- SSL/TLS enforcement protects data in transit
- KMS provides audit trails and key rotation capabilities

**Escape Hatch:** Access the underlying CDK Bucket via the `Bucket` property on the returned resource for advanced scenarios not covered by this builder.

BucketMetricsBuilder

BucketMetricsConfig

BucketPolicyBuilder

BucketPolicyBuilders

BucketPolicyConfig

High-level S3 Bucket Policy builder following AWS security best practices.

**Default Security Settings:**
- No default statements (explicit policy definition required)
- Applies to specific bucket only

**Rationale:** These defaults follow AWS Well-Architected Framework security pillar:
- Principle of least privilege requires explicit permissions
- No default deny-all to allow incremental policy building
- Bucket-specific policies prevent accidental broad access

**Best Practices:**
- Deny HTTP requests (enforce HTTPS)
- Restrict access by IP address when possible
- Use condition keys to limit access
- Apply MFA delete for critical buckets

**Escape Hatch:** Access the underlying CDK BucketPolicy via the `Policy` property for advanced scenarios not covered by this builder.

BucketPolicySpec

BucketPolicyStatements

BucketSpec

CertificateBuilder

CertificateConfig

High-level Certificate Manager builder following AWS security best practices.

**Default Security Settings:**
- Validation method = DNS (more secure than email validation)
- Key algorithm = RSA_2048 (industry standard)
- Transparency logging = enabled (default AWS behavior)

**Rationale:** These defaults follow AWS Well-Architected Framework security pillar:
- DNS validation is automated and doesn't rely on email
- RSA_2048 provides strong encryption with broad compatibility
- Certificate transparency helps detect mis-issuance

**Use Cases:**
- HTTPS for CloudFront distributions
- HTTPS for Application Load Balancers
- Custom domain names for API Gateway

**Escape Hatch:** Access the underlying CDK Certificate via the `Certificate` property for advanced scenarios not covered by this builder.

CertificateManagerBuilders

CertificateSpec

CloudFrontBehaviors

Factory helpers to build common IBehaviorOptions for S3 and HTTP origins. These helpers are useful if you prefer to construct behaviors and pass them via defaultBehavior/additionalBehavior.

CloudFrontBuilders

CloudHSMBuilders

CloudTrailBuilder

CloudTrailBuilders

CloudTrailConfig

High-level CloudTrail builder following AWS security best practices.

**Default Security Settings:**
- IsMultiRegionTrail = true (captures events from all regions)
- IncludeGlobalServiceEvents = true (includes IAM, STS, CloudFront events)
- EnableFileValidation = true (enables log file integrity validation)
- ManagementEvents = ReadWriteType.ALL (logs all management events)
- SendToCloudWatchLogs = true (enables CloudWatch Logs integration)

**Rationale:** CloudTrail provides audit logs of all AWS API calls, which is critical for:
- Security incident investigation and forensics
- Compliance requirements (HIPAA, PCI-DSS, SOC2, GDPR)
- Detecting unauthorized access or privilege escalation
- Meeting AWS Well-Architected Framework security pillar requirements

Per "Security as Code" (O'Reilly): "Log all API calls with CloudTrail. This is non-negotiable for security monitoring."

**Note on Costs:** The first trail recording management events is free. Additional trails or data events incur charges. CloudWatch Logs integration has additional costs but provides real-time monitoring capabilities.

CloudTrailSpec

Represents a CloudTrail trail specification after configuration.

CloudWatchAlarmBuilder

CloudWatchAlarmConfig

High-level CloudWatch Alarm builder for monitoring AWS resources. Supports common metrics and custom metric creation.

CloudWatchAlarmSpec

CloudWatchBuilders

CloudWatchCanaryBuilder

CloudWatchCanaryConfig

High-level CloudWatch Synthetics Canary builder following AWS best practices.

**Default Settings:**
- Runtime = Synthetics Python 3.10
- Schedule = Every 5 minutes
- Timeout = 60 seconds
- Memory = 960 MB
- Active tracing = enabled (X-Ray)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Python runtime provides flexibility and ease of use
- 5-minute checks balance cost and availability monitoring
- Active tracing helps debug canary failures
- Memory sized for typical HTTP/HTTPS checks

**Use Cases:**
- Website uptime monitoring
- API endpoint health checks
- User workflow validation
- Multi-step transactions

**Escape Hatch:** Access the underlying CDK Canary via the `Canary` property for advanced scenarios not covered by this builder.

CloudWatchCanaryResource

CloudWatchLogGroupBuilder

CloudWatchLogGroupConfig

High-level CloudWatch Log Group builder following AWS best practices.

**Default Security Settings:**
- Retention = 7 days (cost-effective default, change for compliance)
- Removal policy = DESTROY (logs cleaned up on stack deletion)
- Encryption = AWS managed key (optional customer managed key)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- 7-day retention balances observability and cost
- DESTROY removal policy prevents orphaned log groups
- Encryption at rest protects sensitive log data

**Escape Hatch:** Access the underlying CDK LogGroup via the `LogGroup` property for advanced scenarios not covered by this builder.

CloudWatchLogGroupSpec

CloudWatchLogsBuilders

CloudWatchLogsFilterBuilders

CloudWatchLogsHelpers

Helper functions for CloudWatch Logs

CloudWatchMetricFilterBuilder

CloudWatchMetricFilterConfig

Configuration for CloudWatch Metric Filter. Extracts metrics from log events based on pattern matching.

**Use Cases:**
- Extract custom business metrics from application logs
- Monitor error patterns and frequencies
- Track specific application events
- Create alarms on log-based metrics

**Best Practices:**
- Use structured logging (JSON) for easier pattern matching
- Test filter patterns with CloudWatch Logs Insights
- Set appropriate metric units
- Use metric namespaces to organize custom metrics

CloudWatchMetricFilterSpec

CloudWatchSubscriptionFilterBuilder

CloudWatchSubscriptionFilterConfig

Configuration for CloudWatch Subscription Filter. Streams log events to destinations in real-time.

**Common Destinations:**
- Lambda functions (for log processing)
- Kinesis streams (for log aggregation)
- Kinesis Firehose (for S3 archival)
- OpenSearch (for log analytics)

**Production Use Cases:**
- Stream logs to centralized logging (ELK, Splunk)
- Real-time log processing and alerting
- Security event monitoring (SIEM integration)
- Compliance log archival

**Best Practices:**
- Use filter patterns to reduce unnecessary data transfer
- Consider costs for high-volume log streaming
- Set appropriate IAM permissions for destinations
- Monitor subscription filter delivery failures

CloudWatchSubscriptionFilterSpec

CloudWatchSyntheticsBuilders

CloudWatchSyntheticsHelpers

Helper functions for CloudWatch Synthetics

CognitoBuilders

ContainerDefinitionConfig

ContainerDefinitionHelper

CorsRuleBuilder

CorsRuleConfig

CustomResourceBuilder

CustomResourceBuilders

CustomResourceConfig

High-level Custom Resource builder for one-time deployment tasks.

**Default Settings:**
- Timeout = 5 minutes
- Remove on update = true (cleanup on changes)

**Rationale:** Custom Resources provide deployment-time execution similar to Azure Deployment Scripts. These defaults follow AWS Well-Architected Framework:
- Reasonable timeout for typical init tasks
- Automatic cleanup prevents resource leaks

**Use Cases:**
- Database migrations and seeding
- DNS record creation
- Third-party API calls
- Certificate validation
- Resource initialization

**Escape Hatch:** Access the underlying CDK AwsCustomResource via the `CustomResource` property for advanced scenarios not covered by this builder.

CustomResourceHelpers

Helper functions for Custom Resource operations

CustomResourceSpec

DashboardBuilder

DashboardBuilders

DashboardConfig

High-level CloudWatch Dashboard builder following AWS monitoring best practices.

**Default Settings:**
- Dashboard name = construct name
- Period for metrics = 5 minutes (good balance of granularity and cost)
- Widgets arranged in rows and columns

**Rationale:** These defaults follow AWS Well-Architected Framework operational excellence pillar:
- Clear dashboard names improve discoverability
- 5-minute periods provide good visibility without excessive cost
- Structured layout improves readability

**Best Practices:**
- Organize related metrics together
- Use alarms to highlight critical issues
- Include both system and business metrics
- Set appropriate Y-axis ranges for clarity

**Escape Hatch:** Access the underlying CDK Dashboard via the `Dashboard` property for advanced scenarios not covered by this builder.

DashboardSpec

DatabaseInstanceBuilder

DatabaseInstanceConfig

DatabaseInstanceSpec

DatabaseProxyBuilder

DatabaseProxyConfig

High-level RDS Proxy builder following AWS best practices.

**Default Settings:**
- Debug logging = false (opt-in for troubleshooting)
- IAM authentication = true (recommended for security)
- Require TLS = true (enforce encrypted connections)
- Idle timeout = 30 minutes

**Rationale:** RDS Proxy provides connection pooling and improves failover times. IAM authentication removes the need for password management.

DatabaseProxyProxyTargetConfig

DatabaseProxySpec

DeadLetterBuilder

DeadLetterConfig

DistributionBuilder

DistributionConfig

DistributionSpec

DnsValidatedCertificateBuilder

DnsValidatedCertificateConfig

DnsValidatedCertificateSpec

DockerImageFunctionBuilder

DockerImageFunctionBuilders

DockerImageFunctionConfig

DockerImageFunctionSpec

DocumentDBBuilders

DocumentDBClusterBuilder

DocumentDBClusterConfig

High-level Amazon DocumentDB (MongoDB-compatible) cluster builder following AWS best practices.

**Default Settings:**
- Engine = docdb
- Instance class = db.t3.medium
- Instances = 1 (single instance for dev)
- Port = 27017 (MongoDB default)
- Backup retention = 7 days
- Preferred backup window = 03:00-04:00 UTC
- Encryption at rest = enabled
- Deletion protection = disabled (for dev)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- MongoDB compatibility for easy migration from Cosmos DB
- T3.medium suitable for development and testing
- Encryption enabled by default for security
- Single instance reduces costs for non-production

**Use Cases:**
- Document database applications
- Content management systems
- User profiles and catalogs
- Mobile and web applications
- Migration from MongoDB or Cosmos DB

**Escape Hatch:** Access the underlying CDK DatabaseCluster via the `Cluster` property for advanced scenarios not covered by this builder.

DocumentDBClusterSpec

DocumentDBHelpers

Helper functions for DocumentDB operations

DynamoDBBuilders

EC2Builders

EC2InstanceBuilder

EC2InstanceConfig

High-level EC2 Instance builder following AWS security best practices.

**Default Security Settings:**
- Instance type = t3.micro (cost-effective for dev/test)
- Detailed monitoring = disabled (opt-in via monitoring operation)
- IMDSv2 required = true (enhanced security for instance metadata)
- EBS encryption = enabled by default

**Rationale:** These defaults follow AWS Well-Architected Framework:
- t3.micro provides good balance of compute/cost for many workloads
- IMDSv2 prevents SSRF attacks against instance metadata
- EBS encryption protects data at rest
- Minimal IAM permissions follow least-privilege principle

**Escape Hatch:** Access the underlying CDK Instance via the `Instance` property on the returned resource for advanced scenarios not covered by this builder.

EC2InstanceSpec

ECRBuilders

ECRHelpers

Helper functions for creating ECR lifecycle rules

ECRRepositoryBuilder

ECRRepositoryConfig

High-level ECR Repository builder following AWS best practices.

**Default Security Settings:**
- Image scan on push = enabled (security best practice)
- Image tag mutability = MUTABLE (allows tag reuse for development)
- Lifecycle policy = delete untagged images after 7 days
- Encryption = AES256 (AWS managed encryption)
- Removal policy = RETAIN (prevents accidental deletion)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Image scanning detects vulnerabilities automatically
- Lifecycle policies reduce storage costs
- Encryption at rest protects container images
- RETAIN policy prevents accidental data loss

**Escape Hatch:** Access the underlying CDK Repository via the `Repository` property for advanced scenarios not covered by this builder.

ECRRepositoryResource

ECSBuilders

ECSClusterBuilder

ECSClusterConfig

High-level ECS Cluster builder following AWS best practices.

**Default Settings:**
- Container Insights = ENABLED (monitoring and observability)
- Execute command logging = enabled (for debugging)

**Rationale:** Container Insights provides metrics and logs for troubleshooting. Use ContainerInsights.ENHANCED for more detailed monitoring.

ECSClusterSpec

ECSFargateServiceBuilder

ECSFargateServiceConfig

High-level Fargate Service builder for ECS.

**Default Settings:**
- CPU = 256 (.25 vCPU)
- Memory = 512 MB
- Desired count = 1
- Platform version = LATEST
- Public IP = false (secure by default)

**Rationale:** Fargate provides serverless container orchestration. Private networking by default enhances security.

ECSFargateServiceSpec

EfsFileSystemBuilder

EfsFileSystemConfig

EfsFileSystemSpec

EKSBuilders

EKSClusterBuilder

EKSClusterConfig

High-level EKS Cluster builder following AWS best practices.

**Default Security Settings:**
- Kubernetes version = latest stable
- Endpoint access = PUBLIC_AND_PRIVATE
- Cluster logging = enabled for all log types
- Encryption = enabled with AWS managed key

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Latest K8s version for security patches
- Public and private access for flexibility
- Comprehensive logging for troubleshooting
- Encryption at rest for data protection

**Escape Hatch:** Access the underlying CDK Cluster via the `Cluster` property for advanced scenarios not covered by this builder.

EKSClusterSpec

ElastiCacheBuilders

ElastiCacheHelpers

Helper functions for ElastiCache operations

ElastiCacheRedisConfig

High-level ElastiCache Redis cluster builder following AWS best practices.

**Default Settings:**
- Engine = Redis 7.0
- Node type = cache.t3.micro (free tier eligible)
- Number of nodes = 1 (single node for dev)
- Port = 6379 (Redis default)
- Automatic failover = disabled (single node)
- Encryption at rest = enabled
- Encryption in transit = enabled

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Redis 7.0 provides latest features and security
- T3.micro suitable for development and testing
- Encryption enabled by default for security
- Single node reduces costs for non-production

**Use Cases:**
- Session storage
- Application caching
- Real-time analytics
- Leaderboards and counters

**Escape Hatch:** Access the underlying CDK CfnCacheCluster via the `CacheCluster` property for advanced scenarios not covered by this builder.

ElasticBeanstalkApplicationBuilder

ElasticBeanstalkApplicationConfig

High-level Elastic Beanstalk Application builder. **Rationale:** Elastic Beanstalk simplifies application deployment by managing infrastructure, auto-scaling, load balancing, and monitoring. **Note:** Elastic Beanstalk requires additional configuration via environments and configuration options for production use.

ElasticBeanstalkApplicationResource

ElasticBeanstalkBuilders

ElasticBeanstalkEnvironmentBuilder

ElasticBeanstalkEnvironmentConfig

High-level Elastic Beanstalk Environment builder.

**Default Settings:**
- Tier = WebServer
- Solution stack = Latest (must be specified by user for actual deployment)

**Rationale:** Environments represent deployments of your application. Configuration is highly dependent on the platform and application type.

ElasticBeanstalkEnvironmentSpec

ElasticCacheRedisBuilder

ElasticCacheRedisSpec

ElasticIPBuilder

ElasticIPBuilders

ElasticIPConfig

High-level Elastic IP builder following AWS best practices.

**Default Settings:**
- Domain = VPC (required for VPC instances)
- No instance association by default (explicit attachment)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- VPC is the standard domain for modern AWS architectures
- Explicit association prevents accidental attachments
- Static IPs are expensive, use only when necessary

**Use Cases:**
- NAT Gateways (automatic EIP allocation)
- Static IPs for public-facing services
- Whitelisting with third-party services

**Escape Hatch:** Access the underlying CDK CfnEIP via the `ElasticIP` property for advanced scenarios not covered by this builder.

ElasticIPHelpers

Helper functions for Elastic IP operations

ElasticIPResource

EmailSubscriptionBuilder

EmailSubscriptionConfig

EnvironmentBuilder

EnvironmentBuilders

EnvironmentConfig

EventBridgeBuilders

EventBridgeRuleBuilder

EventBridgeRuleConfig

High-level EventBridge Rule builder following AWS best practices.

**Default Security Settings:**
- Enabled = true (rules are active by default)
- Event bus = default event bus
- Dead letter queue = not configured (opt-in for production)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Active rules by default to prevent misconfiguration
- Default event bus for simplicity
- DLQ opt-in allows users to handle failures explicitly

**Escape Hatch:** Access the underlying CDK Rule via the `Rule` property on the returned resource for advanced scenarios not covered by this builder.

EventBridgeRuleSpec

EventBusBuilder

EventBusConfig

EventBusSpec

EventInvokeConfigBuilders

EventInvokeConfigOptionsBuilder

EventInvokeConfigOptionsConfig

EventSourceMappingBuilders

EventSourceMappingOptionsBuilder

EventSourceMappingOptionsConfig

FargateTaskDefinitionBuilder

FargateTaskDefinitionConfig

High-level Fargate Task Definition builder following AWS best practices.

**Default Settings:**
- CPU = 256 (.25 vCPU)
- Memory = 512 MB
- Network mode = awsvpc (required for Fargate)

**Rationale:** Task definitions define the containers that run in your ECS service. Fargate task definitions require awsvpc network mode.

FargateTaskDefinitionSpec

FilterPatterns

Helper module for common filter patterns

FunctionBuilder

FunctionBuilders

FunctionConfig

FunctionPermissionsBuilders

FunctionSpec

FunctionUrlBuilders

FunctionUrlCorsOptionsBuilder

FunctionUrlCorsOptionsConfig

FunctionUrlOptionsBuilder

FunctionUrlOptionsConfig

FunctionVersionBuilders

GatewayVpcEndpointBuilder

GatewayVpcEndpointConfig

GatewayVpcEndpointSpec

GlobalSecondaryIndexBuilder

GlobalSecondaryIndexConfig

GrantAccessType

GrantBuilder

GrantConfig

Grants

GrantsBuilders

GrantSpec

GraphWidgetBuilder

GraphWidgetConfig

HttpApiBuilder

HttpApiBuilders

HttpApiConfig

High-level API Gateway V2 HTTP API builder following AWS best practices.

**Default Security Settings:**
- CORS = disabled (opt-in for specific origins)
- Auto-deploy = true

**Rationale:** These defaults follow AWS Well-Architected Framework:
- CORS disabled by default prevents unauthorized cross-origin access
- HTTP API provides low-latency, cost-effective API Gateway
- Auto-deploy simplifies deployment workflow

**Escape Hatch:** Access the underlying CDK HttpApi via the `Api` property for advanced scenarios not covered by this builder.

HttpApiHelpers

Helper functions for creating HTTP API CORS configurations

HttpApiResource

IAMBuilders

ImportSourceBuilder

ImportSourceConfig

InterfaceVpcEndpointBuilder

InterfaceVpcEndpointConfig

InterfaceVpcEndpointSpec

KinesisBuilders

KinesisStreamBuilder

KinesisStreamConfig

High-level Kinesis Stream builder following AWS best practices.

**Default Security Settings:**
- Encryption = enabled with AWS managed key
- Retention period = 24 hours
- Shard count = 1 (for low throughput)
- Stream mode = PROVISIONED

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Encryption at rest for data protection
- 24-hour retention balances cost and recovery needs
- Single shard for cost optimization (scale as needed)
- Provisioned mode for predictable costs

**Escape Hatch:** Access the underlying CDK Stream via the `Stream` property for advanced scenarios not covered by this builder.

KinesisStreamSpec

KMSBuilders

KMSHelpers

Helper functions for common KMS key patterns

KMSKeyBuilder

KMSKeyConfig

High-level KMS Key builder following AWS security best practices.

**Default Security Settings:**
- Key rotation = enabled (automatic yearly rotation)
- Removal policy = RETAIN (prevents accidental key deletion)
- Key spec = SYMMETRIC_DEFAULT (AES-256-GCM)
- Key usage = ENCRYPT_DECRYPT

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Automatic rotation reduces risk of key compromise
- Retained keys prevent data loss (encrypted data becomes unreadable without key)
- Symmetric encryption is most common use case
- CloudTrail provides audit trails for all key usage

**Use Cases:**
- Encrypt data at rest (S3, EBS, RDS, DynamoDB)
- Encrypt secrets (Secrets Manager, Parameter Store)
- Sign and verify (asymmetric keys)
- Generate HMACs

**Escape Hatch:** Access the underlying CDK Key via the `Key` property on the returned resource for advanced scenarios not covered by this builder.

KMSKeySpec

LambdaFileSystemBuilder

LambdaFileSystemBuilders

LambdaFileSystemConfig

LambdaPowertools

Lambda Powertools integration for production-grade observability.

**Features:**
- Structured logging with correlation IDs
- Custom metrics without CloudWatch overhead
- Distributed tracing integration
- Best practice environment variables

**Rationale:** Yan Cui strongly recommends Lambda Powertools for production Lambda functions:
- Reduces boilerplate for logging, metrics, tracing
- Standardizes observability across functions
- Automatic correlation ID propagation
- Zero cold-start impact

**Use Cases:**
- Production Lambda functions
- Microservices architecture
- Event-driven applications
- Distributed tracing requirements

**Supported Runtimes:**
- Python 3.8+
- Node.js 14.x+
- Java 8+, 11, 17
- .NET 6+

LambdaPowertoolsBuilders

LambdaPowertoolsHelpers

Helper functions for Lambda Powertools integration

LambdaSubscriptionBuilder

LambdaSubscriptionConfig

LifecycleRuleBuilder

LifecycleRuleConfig

LifecycleRuleHelpers

Helper functions for creating S3 lifecycle rules

LocalSecondaryIndexBuilder

LocalSecondaryIndexConfig

LogQueryWidgetBuilder

LogQueryWidgetConfig

ManagedPolicyBuilder

ManagedPolicyBuilders

ManagedPolicyConfig

ManagedPolicySpec

ManagedPolicyStatements

MfaSecondFactorBuilder

MfaSecondFactorConfig

NetworkLoadBalancerBuilder

NetworkLoadBalancerBuilders

NetworkLoadBalancerConfig

High-level Network Load Balancer builder following AWS best practices.

**Default Security Settings:**
- Internet-facing = false (internal by default for security)
- Cross-zone load balancing = enabled (for high availability)
- Deletion protection = false (opt-in for production)
- IP address type = IPv4

**Rationale:** These defaults follow AWS Well-Architected Framework:
- Internal by default prevents accidental public exposure
- Cross-zone balancing improves availability and fault tolerance
- IPv4 provides broadest compatibility

**Escape Hatch:** Access the underlying CDK NetworkLoadBalancer via the `LoadBalancer` property for advanced scenarios not covered by this builder.

NetworkLoadBalancerSpec

NoncurrentVersionTransitionBuilder

NoncurrentVersionTransitionConfig

Observability

Observability helpers for CloudTrail, CloudWatch, GuardDuty, and AWS Config.

**Rationale:**
- CloudTrail provides audit logs for compliance and security investigations
- CloudWatch alarms enable proactive incident response
- GuardDuty detects threats and anomalous behavior
- AWS Config tracks resource configuration changes

These tools are essential for:
- Security monitoring and threat detection
- Compliance auditing (SOC2, HIPAA, PCI-DSS)
- Operational visibility and troubleshooting
- Cost optimization through usage tracking

OIDCProviderBuilder

OIDCProviderBuilders

OIDCProviderConfig

High-level OIDC Provider builder for federated identity in IAM.

**Use Cases:**
- GitHub Actions authentication
- GitLab CI/CD authentication
- Other OIDC-based identity providers

**Security Best Practices:**
- Limit client IDs to known applications
- Use thumbprints to verify the identity provider's certificate
- Apply least-privilege IAM policies to federated roles

**Escape Hatch:** Access the underlying CDK OpenIdConnectProvider via the `Provider` property for advanced scenarios not covered by this builder.

OIDCProviders

OIDCProviderSpec

Operation

OriginAccessIdentityBuilder

OriginAccessIdentityConfig

High-level CloudFront Origin Access Identity (OAI) builder.

**Use Case:** OAI allows CloudFront to access private S3 buckets without making them public. This is a security best practice for serving static content.

**Note:** AWS recommends using Origin Access Control (OAC) instead of OAI for new applications. OAI is maintained for backward compatibility.

**Escape Hatch:** Access the underlying CDK OriginAccessIdentity via the `Identity` property.

OriginAccessIdentitySpec

PasswordPolicyBuilder

PasswordPolicyConfig

PermissionBuilder

PermissionConfig

PolicyBuilder

PolicyBuilders

PolicyConfig

PolicyDocumentBuilder

PolicyDocumentBuilders

PolicyDocumentConfig

PolicySpec

PolicyStatementBuilder

PolicyStatementBuilders

PolicyStatementConfig

QueueBuilder

QueueConfig

QueueSpec

RdsBuilders

RestApiBuilder

RestApiConfig

High-level API Gateway REST API builder following AWS best practices.

**Default Security Settings:**
- Endpoint type = REGIONAL (recommended for most use cases)
- Deploy = true (automatically creates deployment)
- CloudWatch role = automatically configured

**Rationale:** REST APIs provide full control over API Gateway features including:
- Request/response transformation
- API keys and usage plans
- Request validators
- VPC Link integration
- Custom authorizers

**Escape Hatch:** Access the underlying CDK RestApi via the `RestApi` property on RestApiSpec for advanced scenarios not covered by this builder.

RestApiSpec

RoleBuilder

RoleConfig

RoleSpec

Route53ARecordBuilder

Route53ARecordConfig

High-level Route 53 A Record builder. **Rationale:** A records map domain names to IP addresses or AWS resources. Supports alias records for AWS resources like ALB, CloudFront, etc.

Route53ARecordSpec

Route53Builders

Route53HealthCheckBuilder

Route53HealthCheckConfig

High-level Route 53 Health Check builder following AWS best practices.

**Default Settings:**
- Type = HTTPS (more secure than HTTP)
- Port = 443
- Request interval = 30 seconds (standard)
- Failure thresholds = 3 (balanced sensitivity)

**Rationale:** Health checks monitor endpoint availability for failover routing. HTTPS health checks verify both connectivity and SSL/TLS validity.

**Use Cases:**
- Failover routing policies
- Weighted routing with health-based failover
- CloudWatch alarms for endpoint health

Route53HealthCheckResource

Route53Helpers

Helper functions for creating Route 53 record targets

Route53HostedZoneBuilder

Route53HostedZoneConfig

High-level Route 53 Hosted Zone builder following AWS best practices.

**Default Settings:**
- Query logging = disabled (opt-in via logging operation)
- DNSSEC = disabled (opt-in, requires KMS key)

**Rationale:** Hosted zones manage DNS records for your domain. DNSSEC and logging are opt-in features with additional costs.

**Escape Hatch:** Access the underlying CDK HostedZone via the `HostedZone` property for advanced scenarios not covered by this builder.

Route53HostedZoneSpec

Route53PrivateHostedZoneBuilder

Route53PrivateHostedZoneConfig

High-level Route 53 Private Hosted Zone builder.

**Use Case:** Private hosted zones are used for DNS resolution within VPCs only. They are not accessible from the public internet.

**Rationale:** Private zones are ideal for internal service discovery and microservices architectures within AWS.

Route53PrivateHostedZoneResource

Route53RecordSetBuilder

Route53RecordSetBuilders

Route53RecordSetConfig

High-level Route 53 RecordSet builder with traffic routing policies.

**Supported Routing Policies:**
- Simple (default)
- Weighted (distribute traffic based on weights)
- Failover (primary/secondary failover)
- Geolocation (route based on user location)
- Latency (route to lowest latency endpoint)
- Multivalue (return multiple healthy IPs)

**Default Settings:**
- TTL = 300 seconds (5 minutes)
- Type = A record

**Rationale:** RecordSet provides advanced routing capabilities beyond simple A records. Essential for high-availability, multi-region architectures.

**Use Cases:**
- Active-passive failover
- Traffic distribution across regions
- Blue-green deployments
- Load distribution

Route53RecordSetHelpers

Helper functions for Route53 RecordSet routing policies

Route53RecordSetResource

RouteBuilder

RouteConfig

RouteSpec

RouteTableBuilder

RouteTableBuilders

RouteTableConfig

High-level EC2 Route Table builder following AWS networking best practices.

**Default Settings:**
- No default routes (explicit route configuration required)

**Rationale:** Explicit route configuration follows the principle of least privilege and prevents accidental traffic routing.

**Escape Hatch:** Access the underlying CDK CfnRouteTable via the `RouteTable` property for advanced scenarios not covered by this builder.

RouteTableSpec

S3BucketMetricsBuilders

S3Builders

S3LifecycleRuleBuilders

S3OriginType

S3TransitionBuilders

SecretsManagerBuilder

SecretsManagerBuilders

SecretsManagerConfig

High-level Secrets Manager Secret builder following AWS security best practices.

**Default Security Settings:**
- Encryption = KMS with AWS managed key (aws/secretsmanager)
- Automatic rotation = disabled (opt-in via rotation operation)
- Removal policy = RETAIN (prevents accidental deletion)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- KMS encryption provides enhanced security and audit trails
- Secrets retained on stack deletion prevents data loss
- Rotation is opt-in as it requires Lambda function setup

**Escape Hatch:** Access the underlying CDK Secret via the `Secret` property on the returned resource for advanced scenarios not covered by this builder.

SecretsManagerHelpers

Helper functions for creating secret string generators

SecretsManagerSpec

SecurityGroupBuilder

SecurityGroupConfig

SecurityGroupSpec

SecurityToggles

Toggle configurations for optional AWS security services. These services have associated costs and should be enabled based on security requirements.

SignInAliasesBuilder

SignInAliasesConfig

SingleValueWidgetBuilder

SingleValueWidgetConfig

SmsSubscriptionBuilder

SmsSubscriptionConfig

SNSBuilders

SQSBuilders

SqsSubscriptionBuilder

SqsSubscriptionConfig

SSMBuilders

SSMDocumentBuilder

SSMDocumentConfig

High-level Systems Manager Document builder.

**Default Settings:**
- Document type = Command
- Document format = JSON

**Rationale:** SSM Documents define actions that Systems Manager performs on managed instances. Command documents are most common for remote execution.

**Use Cases:**
- Remote command execution
- Automated patching
- Configuration enforcement
- Inventory collection

SSMDocumentSpec

SSMHelpers

Helper functions for SSM operations

SSMParameterBuilder

SSMParameterConfig

High-level Systems Manager Parameter Store builder following AWS best practices.

**Default Settings:**
- Type = String (most common)
- Tier = Standard (free, up to 10,000 parameters)

**Rationale:** Parameter Store provides centralized configuration management. String type covers most use cases (connection strings, URLs, etc.). Standard tier is free and sufficient for most applications.

**Use Cases:**
- Application configuration
- Database connection strings
- API endpoints and keys
- Feature flags

**Escape Hatch:** Access the underlying CDK StringParameter via the `Parameter` property for advanced scenarios not covered by this builder.

SSMParameterSpec

StackBuilder

StackBuilders

StackConfig

StackOperations

StageBuilder

StageBuilders

StageConfig

StandardAttrConfig

StandardAttributeBuilder

StandardAttributesBuilder

StandardAttributesConfig

StepFunctionBuilder

StepFunctionBuilders

StepFunctionConfig

High-level AWS Step Functions (State Machine) builder following AWS best practices.

**Default Settings:**
- StateMachineType = STANDARD (for long-running workflows)
- Logging = ALL events logged to CloudWatch (requires logDestination for Stack deployment)
- TracingEnabled = true (X-Ray integration)
- Timeout = 1 hour (configurable)

**Rationale:** These defaults follow Yan Cui's production serverless best practices:
- Standard type for reliable, exactly-once execution
- Full logging for debugging and audit trails (requires logDestination when deploying)
- X-Ray tracing for distributed system visibility
- Reasonable timeout prevents runaway workflows

**Use Cases:**
- Order processing workflows
- ETL data pipelines
- Human approval workflows
- Saga orchestration patterns
- Microservice orchestration

**Escape Hatch:** Access the underlying CDK StateMachine via the `StateMachine` property for advanced scenarios not covered by this builder.

StepFunctionHelpers

Helper functions for Step Functions operations

StepFunctionSpec

SubnetSelectionBuilder

SubnetSelectionBuilders

SubnetSelectionConfig

TableBuilder

TableConfig

TableGrantAccessType

TableSpec

TagBuilder

Tag builder for fluent tag creation using immutable state

TagBuilderState

Tag builder for fluent tag creation

Tags

Global tagging helpers for consistent resource tagging across stacks.

**Rationale:**
- Tags enable cost allocation and resource organization
- Consistent tagging simplifies governance and compliance
- Tags help with automation and resource discovery
- Standard tags improve operational visibility

**Best Practices:**
- Apply tags at stack level for inheritance
- Use consistent tag names across organization
- Include: project, environment, owner, cost-center
- Avoid PII or sensitive data in tags

TextWidgetBuilder

TextWidgetConfig

TokenAuthorizerBuilder

TokenAuthorizerConfig

TokenAuthorizerSpec

TopicBuilder

TopicConfig

TopicSpec

TransitionBuilder

TransitionConfig

UrlSubscriptionBuilder

UrlSubscriptionConfig

UserBuilder

UserBuilders

UserConfig

UserPoolBuilder

UserPoolClientBuilder

UserPoolClientConfig

UserPoolClientSpec

UserPoolConfig

UserPoolResourceServerBuilder

UserPoolResourceServerConfig

UserPoolResourceServerSpec

UserPoolSpec

UserPoolTriggersBuilder

UserPoolTriggersConfig

UserSpec

VersionOptionsBuilder

VersionOptionsConfig

VpcBuilder

VpcBuilders

VpcConfig

VPCGatewayAttachmentBuilder

VPCGatewayAttachmentBuilders

VPCGatewayAttachmentConfig

High-level VPC Gateway Attachment builder for connecting internet and VPN gateways to VPCs.

**Use Cases:**
- Attach an Internet Gateway to enable internet access
- Attach a Virtual Private Gateway for VPN connections

**Rationale:** Explicit gateway attachments provide fine-grained control over network connectivity and follow the principle of explicit configuration.

**Escape Hatch:** Access the underlying CDK VPCGatewayAttachment via the `Attachment` property for advanced scenarios not covered by this builder.

VPCGatewayAttachmentSpec

VpcLinkBuilder

VpcLinkConfig

VpcLinkSpec

VpcSpec

XRayBuilders

XRayGroupBuilder

XRayGroupConfig

High-level AWS X-Ray enhanced tracing builder following AWS best practices.

**Default Settings:**
- InsightsEnabled = true (automatic anomaly detection)
- NotificationsEnabled = false (opt-in for notifications)

**Rationale:** These defaults follow Yan Cui's production debugging recommendations:
- X-Ray Groups for filtering traces by business logic
- Sampling Rules for cost-effective tracing at scale
- Insights for automatic anomaly detection

**Use Cases:**
- Production debugging and troubleshooting
- Performance optimization
- Distributed tracing across services
- Error rate analysis
- Latency profiling

**Escape Hatch:** Access the underlying CDK CfnGroup/CfnSamplingRule via properties for advanced scenarios not covered by this builder.

XRayGroupSpec

XRayHelpers

Helper functions for X-Ray operations

XRaySamplingRuleBuilder

XRaySamplingRuleConfig

X-Ray Sampling Rule Configuration

XRaySamplingRuleSpec