# Native AWS IaC migration path checklist

Use before migrating between manual AWS, CloudFormation, CDK, Application Composer, or AWS Blocks.

> **July 2026** — All CDK paths target **CDK v2** (`aws-cdk-lib`). CloudFormation **Express mode** and **pre-deployment validation** affect deploy semantics after June 30, 2026.

## Path A: Manual AWS console → CloudFormation

| Step | Action | Risk if skipped |
|------|--------|-----------------|
| 1 | Inventory resources per account/region (Resource Explorer or Config) | Miss orphaned resources |
| 2 | Import existing resources into CFN stack where supported (`ImportResource`) | Duplicate resources on create |
| 3 | Document DeletionPolicy on stateful resources (RDS, S3) | Accidental data loss on stack delete |
| 4 | Run drift detection after import | Hidden manual changes break updates |
| 5 | Enable change sets for production updates | Blind deploys |

**Recommended approach:** Pilot one bounded stack (e.g., VPC + subnets) before account-wide import.

## Path B: Manual AWS → CDK

| Step | Action | Risk if skipped |
|------|--------|-----------------|
| 1 | Bootstrap CDK in each account/region (`cdk bootstrap`) | Deploy fails on asset bucket |
| 2 | Use `cdk import` or `CfnResource` for existing resources | Resource recreation |
| 3 | Commit `cdk synth` output or enforce synth in CI | Reviewers cannot audit CFN |
| 4 | Add cdk-nag before first prod deploy | Over-permissive IAM |
| 5 | Map bootstrap stack ownership (platform vs app team) | Orphaned bootstrap on account offboard |

**Recommended approach:** Start with greenfield stack; migrate brownfield after bootstrap discipline is proven.

## Path C: CloudFormation → CDK

| Step | Action | Risk if skipped |
|------|--------|-----------------|
| 1 | Wrap existing template with `CfnInclude` or port resource-by-resource | Big-bang rewrite |
| 2 | Preserve stack name and logical IDs where possible | Replacement churn |
| 3 | Run `cdk diff` against deployed stack | Unexpected replacements |
| 4 | Migrate parameters to CDK context or SSM | Hardcoded env drift |
| 5 | Retire raw template only after 2 successful prod deploys | Dual maintenance |

**Recommended approach:** Incremental port — one nested stack or microservice at a time.

## Path D: Application Composer → CDK

| Step | Action | Risk if skipped |
|------|--------|-----------------|
| 1 | Export SAM/CFN from Composer | No direct CDK export |
| 2 | Human-review IAM policies (least privilege) | `s3:*` and `lambda:*` in AI output |
| 3 | Map resources to L2 constructs (Lambda, API Gateway, DynamoDB) | Unmaintainable L1 port |
| 4 | Add unit tests and cdk-nag | Spike quality in production |
| 5 | Archive Composer project as RFC artifact only | Source of truth confusion |

**Recommended approach:** Composer is **spike only** — CDK repo is source of truth within one sprint.

## Path E: Application Composer → CloudFormation

| Step | Action | Risk if skipped |
|------|--------|-----------------|
| 1 | Export template to Git | Console-only template |
| 2 | IAM Access Analyzer on test account | Over-permissive roles |
| 3 | Parameterize environment-specific values | Hardcoded account IDs |
| 4 | Add to CI with `aws cloudformation deploy` + change sets | Manual deploy drift |

## Path F: AWS Blocks → CDK (escape hatch)

| Step | Action | Risk if skipped |
|------|--------|-----------------|
| 1 | Identify Block limits (VPC topology, custom resources) | Hit abstraction ceiling |
| 2 | Add resources in `aws-blocks/index.cdk.ts` | Fighting framework |
| 3 | Run full `npm run deploy` (not sandbox) before prod | Missing CloudFront/WAF |
| 4 | Pin Blocks npm version; read release notes | Preview breaking changes |
| 5 | Document which layers are Blocks vs raw CDK | Onboarding confusion |

**Recommended approach:** Plan escape hatch in architecture review before Blocks adoption — not after production incident.

## Path G: CDK → Raw CloudFormation (rare)

| Step | Action | Risk if skipped |
|------|--------|-----------------|
| 1 | `cdk synth` and commit `*.template.json` | Loss of programmatic authoring |
| 2 | Remove CDK bootstrap dependency if no longer deploying via CDK | Stale asset buckets |
| 3 | Document why (compliance, auditor requirement) | Team reverts to CDK silently |

## Rollback triggers (all paths)

Stop the migration and roll back if:

- Stack enters `UPDATE_ROLLBACK_FAILED`
- More than 10% of resources show `REPLACEMENT` in change set without approval
- IAM policy diff adds `*` actions on production path
- Drift detection shows >5% resource drift post-import
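A CI gate for the replacement-budget and wildcard-IAM triggers above, added here as an example and not part of this checklist or any AWS tooling; it assumes constructed sample data in the shape of the stack template's `Resources` map and of `aws cloudformation describe-change-set` JSON, and it treats `service:*` (the `s3:*` case from Path D) like a bare `*`. An empty list from `rollback_reasons` means the gate passes.

```python
REPLACEMENT_BUDGET = 0.10  # rollback trigger above: more than 10% of stack resources replaced
IAM_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role"}
# Constructed sample: the Resources map of the stack template (cdk synth output or deployed template).
SAMPLE_TEMPLATE = {"Resources": {
    "AppDb": {"Type": "AWS::RDS::DBInstance"}, "AppFn": {"Type": "AWS::Lambda::Function"},
    "AppBucket": {"Type": "AWS::S3::Bucket"},
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "app",
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
            {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}]}}]}},
}}
# Constructed sample in the shape of `aws cloudformation describe-change-set` JSON output.
SAMPLE_CHANGE_SET = {"Changes": [
    {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "AppDb", "Replacement": "True"}},
    {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "AppFn", "Replacement": "False"}},
]}
def replacement_ratio(change_set, template):
    """Share of the stack's resources the change set would replace ("Conditional" counts too)."""
    total = len(template.get("Resources", {}))
    replaced = sum(1 for c in change_set.get("Changes", [])
                   if c.get("ResourceChange", {}).get("Replacement") in ("True", "Conditional"))
    return replaced / total if total else 0.0

def _statements(resource):
    # Policy/ManagedPolicy carry PolicyDocument directly; a Role carries inline Policies.
    props = resource.get("Properties", {})
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
    docs += [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
    for doc in docs:
        yield from doc.get("Statement", [])

def wildcard_actions(template):
    """(logical id, action) pairs for Allow statements granting '*' or 'service:*'."""
    hits = []
    iam = ((k, v) for k, v in template.get("Resources", {}).items() if v.get("Type") in IAM_TYPES)
    for logical_id, res in iam:
        for stmt in _statements(res):
            actions = stmt.get("Action", [])
            for action in ([actions] if isinstance(actions, str) else actions):
                if stmt.get("Effect") == "Allow" and (action == "*" or action.endswith(":*")):
                    hits.append((logical_id, action))
    return hits

def rollback_reasons(change_set, template):
    reasons, ratio = [], replacement_ratio(change_set, template)
    if ratio > REPLACEMENT_BUDGET:
        reasons.append(f"{ratio:.0%} of resources replaced (budget {REPLACEMENT_BUDGET:.0%})")
    reasons += [f"{lid} allows wildcard action {act}" for lid, act in wildcard_actions(template)]
    return reasons
```

Feed it the real `cdk synth` template and the `describe-change-set` output for the pending change set and fail the pipeline when the list is non-empty.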

## Related posts

- [AWS CDK vs CloudFormation vs Blocks enterprise guide](/blog/aws-cdk-vs-cloudformation-vs-blocks-enterprise-decision-guide-2026/)
- [CloudFormation best practices](/blog/aws-cloudformation-best-practices-infrastructure-as-code/)
- [AWS Blocks preview guide](/blog/aws-blocks-application-backends-preview/)
