AWS
Build, deploy, and manage AWS infrastructure with Pulumi. This page links to every Pulumi capability for AWS: Infrastructure as Code, Environments, Secrets, and Configuration (ESC), Insights account scanning, and policy packs.
To start from scratch, follow the AWS get-started guide.
Infrastructure as Code
Pulumi IaC lets you define cloud infrastructure using TypeScript, Python, Go, C#, Java, or YAML — with deterministic deployments, a state backend, and a rich ecosystem of packages.
Pulumi provides several packages for working with AWS. Most projects combine more than one. For a deeper comparison, see Choosing a Pulumi AWS provider.
- AWS provider — the default AWS provider. Uses the AWS SDK to manage all AWS services.
- AWS Cloud Control provider — full coverage of resources available in the AWS Cloud Control API.
- AWSx — higher-level components that encapsulate AWS best practices.
- AWS API Gateway — simplified construction of AWS API Gateway REST APIs.
- Amazon EKS — create and manage Amazon Elastic Kubernetes Service clusters with sensible defaults.
- Docker — build and push Docker images to Amazon ECR or other registries.
- Kubernetes — deploy application workloads to Amazon EKS or any Kubernetes cluster.
Architecture templates
Pulumi templates are ready-to-deploy starting points for common architectures. Run pulumi new <template> to bootstrap a new project.
Start new AWS projects from a pre-built template:
- Container service on AWS — containerized service on Amazon ECS Fargate.
- Serverless application on AWS — AWS Lambda behind API Gateway with supporting resources.
- Static website on AWS — S3-hosted static site with CloudFront CDN.
- Virtual machine on AWS — EC2 instance with configurable networking.
- Kubernetes cluster on AWS — Amazon EKS cluster ready for workloads.
Guides
Hands-on Infrastructure as Code guides for building on AWS with Pulumi.
- Pulumi CDK Adapter for AWS — use AWS CDK constructs inside a Pulumi program.
- AWS Identity & Access Management (IAM) — model IAM roles, policies, and users in code.
- AWS Virtual Private Cloud (VPC) — define VPCs, subnets, and routing.
- AWS Lambda & serverless events — author Lambda functions and event sources in code.
- Amazon ECS — run containers on Elastic Container Service.
- Amazon EKS — run workloads on Elastic Kubernetes Service.
- Amazon ECR — build and publish images to Elastic Container Registry.
- Elastic Load Balancing — configure application and network load balancers.
- AWS API Gateway — configure HTTP and REST APIs on API Gateway.
- AWS CodePipeline & CodeDeploy — drive Pulumi stack updates from AWS developer tools.
Secrets & configuration (ESC)
Pulumi ESC (Environments, Secrets, and Configuration) is a centralized service for managing secrets, configuration, and short-lived credentials. It composes values from many sources — including AWS — into environments that Pulumi programs, CLIs, and CI/CD workflows can consume.
ESC integrates directly with AWS for short-lived credentials and secret retrieval:
- AWS OIDC login — generate short-lived AWS credentials for Pulumi programs and workflows.
- AWS Secrets Manager — pull secrets from Secrets Manager into ESC environments.
- AWS Systems Manager Parameter Store — pull configuration and secrets from Parameter Store into ESC environments.
- AWS IAM credential rotation — rotate IAM access keys on a schedule.
- AWS Lambda rotator — rotate arbitrary secrets via an AWS Lambda function.
Insights
Pulumi Insights continuously scans your clouds to build a searchable inventory of every resource — whether created by Pulumi or not — so you can find, audit, and govern cloud infrastructure across accounts, regions, and providers.
For AWS, Insights connects AWS accounts (including AWS Partitions) to inventory existing resources, search across accounts, and export data. See Add an AWS account for a step-by-step setup guide and Insights discovery overview for background.
Policy packs
Pulumi Policies lets you enforce rules on infrastructure at preview and update time, rejecting stacks that violate security, cost, or compliance standards. Pre-built policy packs are maintained by Pulumi and cover common regulatory and best-practice frameworks.
For AWS:
- Pulumi best practices for AWS — Pulumi-authored policies for common AWS misconfigurations.
- CIS AWS Foundations Benchmark
- NIST 800-53 for AWS
- PCI DSS for AWS
- HITRUST CSF for AWS
- CIS Kubernetes Benchmark on AWS — for EKS clusters.
- AWS Organizations Tag Policies — enforce Organizations tagging standards on Pulumi-managed resources.
- AWS Organizations Tag Policies in Insights — integration with Pulumi Insights.
Migration
Migrate existing AWS infrastructure from another IaC tool to Pulumi. The guides below walk through converting or coexisting with each source format.
- From CloudFormation — convert CloudFormation templates to Pulumi.
- From AWS CDK — move from AWS CDK to Pulumi, or use CDK constructs inside Pulumi programs.
- From Terraform — convert Terraform HCL and state to Pulumi.