Skip to main content
Infrastructure as Code
11 min read
Updated May 26, 2026

PulumivsAWS CDK

A detailed comparison of Pulumi and AWS CDK for Infrastructure as Code using general-purpose programming languages. Covers cloud support, language options, constructs, testing, and real-world use cases to help you choose the right developer-friendly IaC tool.

Pulumi
AWS CDK
IaC
TypeScript
Infrastructure
DevOps

Pulumi

A modern IaC platform that lets you define infrastructure using general-purpose programming languages. Supports 100+ cloud providers through its own engine and manages state via Pulumi Cloud or self-hosted backends.

Visit website

AWS CDK

AWS Cloud Development Kit is an open-source framework that lets you define AWS infrastructure using familiar programming languages. It synthesizes to CloudFormation templates, giving you the developer experience of code with the deployment engine of CloudFormation.

Visit website

Both Pulumi and AWS CDK share the same fundamental idea: let developers define infrastructure using real programming languages instead of YAML, JSON, or domain-specific languages. They both support TypeScript, Python, Go, Java, and C#. They both let you use loops, conditionals, classes, and functions to build reusable infrastructure abstractions. But under the hood, they work very differently.

AWS CDK (Cloud Development Kit), launched in 2019, is Amazon's answer to the verbosity of CloudFormation. You write infrastructure in a supported language, and CDK synthesizes it into CloudFormation templates that get deployed through the CloudFormation service. This means you get the developer experience of TypeScript or Python with the deployment reliability of CloudFormation - automatic rollback, drift detection, and managed state. CDK has a rich construct library with L1 (raw CloudFormation), L2 (opinionated defaults), and L3 (patterns) abstraction levels.

Pulumi, launched in 2018, takes a different approach. Instead of synthesizing to an intermediate format, Pulumi talks directly to cloud provider APIs through its own engine. This means Pulumi is not limited to AWS - it supports GCP, Azure, Kubernetes, and 100+ other providers. Pulumi manages its own state (via Pulumi Cloud, S3, or other backends) and has its own component model for building reusable abstractions.

The choice between these two tools often comes down to whether you are building exclusively on AWS or across multiple clouds. CDK gives you the deepest AWS integration because it is CloudFormation under the hood. Pulumi gives you the broadest cloud coverage with a consistent experience. Both tools are actively developed and have growing communities in 2026.

This comparison examines the practical differences across 11 dimensions and walks through concrete scenarios to help you pick the right tool. We will not pretend one is universally better - the right choice depends entirely on your cloud strategy and team context.

Feature Comparison

Providers & Scope

Cloud Provider Support
Pulumi
100+ native providers; AWS, GCP, Azure, Kubernetes, and SaaS services
AWS CDK
AWS-only natively; CDKTF bridges to Terraform providers but is a separate tool
AWS Service Coverage
Pulumi
Good coverage but new AWS features can lag; uses Terraform bridge for gaps
AWS CDK
Complete day-one coverage via auto-generated L1 constructs from CloudFormation spec

Language & Syntax

Supported Languages
Pulumi
TypeScript, Python, Go, C#, Java, YAML
AWS CDK
TypeScript, Python, Go, C#, Java

Architecture

Deployment Engine
Pulumi
Pulumi engine communicates directly with cloud provider APIs
AWS CDK
Synthesizes to CloudFormation templates deployed via CloudFormation service

State & Backend

State Management
Pulumi
Pulumi Cloud (default), S3, Azure Blob, GCS, or local filesystem
AWS CDK
Managed by CloudFormation - no state files to configure or maintain

Code Organization

Abstraction Model
Pulumi
Component resources as classes; published via npm, pip, or Go modules
AWS CDK
L1/L2/L3 constructs with tiered abstraction; Construct Hub for discovery

Operations

Change Preview
Pulumi
pulumi preview shows detailed resource-level diffs with property changes
AWS CDK
cdk diff shows construct-level changes; CloudFormation change sets for deployment
Rollback Behavior
Pulumi
No automatic rollback; failed deployments leave partial state to resolve
AWS CDK
Automatic CloudFormation rollback on stack creation or update failure

Testing & Quality

Testing
Pulumi
Native unit testing with mocks in Jest, pytest, Go test; property testing
AWS CDK
Assertions library for CDK constructs; snapshot testing; fine-grained assertions

Security

Secrets Management
Pulumi
Built-in per-value encryption with passphrase, AWS KMS, or Vault
AWS CDK
Relies on AWS Secrets Manager, SSM Parameter Store, or external tools

Ecosystem

CI/CD Integration
Pulumi
GitHub Actions, GitLab CI, Pulumi Deployments; automation API for custom workflows
AWS CDK
CDK Pipelines (self-mutating), CodePipeline, GitHub Actions via cdk-nag and cdk-diff

Pros and Cons

Pulumi

Strengths

  • Multi-cloud support with 100+ native providers plus Terraform provider bridge
  • Direct API communication without intermediate template synthesis
  • Built-in secrets management with per-value encryption in state
  • Apache 2.0 open-source license for the engine
  • Pulumi AI generates infrastructure code from natural language descriptions
  • Strong component model for building and publishing reusable infrastructure packages
  • Supports automation API for embedding Pulumi in custom tooling and workflows

Weaknesses

  • Smaller community and fewer examples compared to CDK for AWS-specific patterns
  • Pulumi Cloud is practically required for team collaboration and state management
  • Provider SDK updates can lag behind cloud provider API releases
  • Debugging errors can be confusing when runtime exceptions mix with provider errors
  • Fewer high-level abstractions compared to CDK's L2/L3 construct library for AWS
AWS CDK

Strengths

  • Rich L2 construct library with smart defaults that reduce boilerplate for common AWS patterns
  • Synthesizes to CloudFormation - gets automatic rollback, drift detection, and managed state
  • Day-one support for new AWS services through L1 constructs auto-generated from CloudFormation spec
  • No state management overhead - CloudFormation handles it on the AWS side
  • Large and active community with extensive examples for AWS-specific patterns
  • CDK Pipelines provides a self-mutating CI/CD pipeline construct out of the box

Weaknesses

  • AWS-only - CDKTF exists for Terraform but is a separate project with different ergonomics
  • CloudFormation limits apply: 500 resources per stack, 1MB template size
  • Synthesis step adds complexity and can produce hard-to-debug CloudFormation errors
  • L1 constructs (raw CloudFormation) are verbose and lack the ergonomics of L2s
  • Breaking changes between CDK major versions have caused upgrade pain
  • cdk diff output is less detailed than Pulumi preview for complex changes

Decision Matrix

Pick this if...

You are building exclusively on AWS

AWS CDK

You need multi-cloud infrastructure management

Pulumi

You want the richest library of pre-built AWS abstractions

AWS CDK

You need built-in secrets encryption in state

Pulumi

You want zero state management overhead

AWS CDK

You want to embed infrastructure provisioning in custom applications

Pulumi

You need automatic rollback on failed deployments

AWS CDK

You care about open-source licensing and avoiding vendor lock-in

Pulumi

Use Cases

TypeScript team building a serverless application on AWS with API Gateway, Lambda, and DynamoDB

AWS CDK

CDK's L2 constructs for API Gateway, Lambda, and DynamoDB have smart defaults and built-in integrations. For example, granting a Lambda function read access to a DynamoDB table is a single method call. The CDK Pipelines construct also provides a self-mutating CI/CD pipeline that deploys your application alongside your infrastructure.

Platform team managing infrastructure across AWS, GCP, and Kubernetes clusters

Pulumi

Pulumi is the only option here. CDK is AWS-only, so managing GCP resources or Kubernetes manifests requires a separate tool. Pulumi lets you define AWS VPCs, GKE clusters, and Kubernetes deployments in the same program with proper dependency ordering across providers.

Team that wants infrastructure code with no state management burden

AWS CDK

CDK synthesizes to CloudFormation, which means AWS manages all state tracking. You never configure a backend, worry about state locking, or deal with state file corruption. Pulumi requires either Pulumi Cloud or a self-managed backend, which adds operational overhead.

Organization with strict security requirements needing encrypted secrets in infrastructure state

Pulumi

Pulumi encrypts secret values directly in state using your choice of encryption provider (passphrase, AWS KMS, Azure Key Vault, GCP KMS, or HashiCorp Vault). CDK relies on CloudFormation, which does not encrypt parameter values in stack state. You need to use AWS Secrets Manager or SSM Parameter Store separately.

AWS-focused team that wants the richest library of pre-built infrastructure patterns

AWS CDK

CDK's Construct Hub has thousands of community-contributed constructs, and the official L2 library covers almost every AWS service with opinionated defaults. Pulumi has fewer pre-built AWS-specific abstractions, so you often end up writing more boilerplate for common patterns.

Team building a self-service developer platform that provisions infrastructure across multiple cloud accounts

Pulumi

Pulumi's Automation API lets you embed infrastructure provisioning into custom applications, CLIs, or web portals. You can programmatically create stacks, set configurations, and run deployments from your own code. CDK does not have an equivalent API for embedding in custom tooling.

Verdict

Pulumi4.1 / 5
AWS CDK4.0 / 5

AWS CDK is the stronger choice for AWS-only teams who want rich abstractions, managed state, and automatic rollback. Pulumi wins when you need multi-cloud support, secrets encryption, or the ability to embed IaC in custom tooling. Both tools deliver on the promise of using real programming languages for infrastructure, but they serve different architectural strategies.

Our Recommendation

Choose Pulumi if you manage infrastructure across multiple clouds or need embedded automation. Choose AWS CDK if you are all-in on AWS and want the deepest construct library with zero state management overhead.

Frequently Asked Questions

Yes. Since CDK deploys through CloudFormation, your resources exist as regular AWS resources. You can use pulumi import to adopt them into Pulumi state. The tricky part is removing them from CloudFormation management without deleting them - you need to set DeletionPolicy: Retain in your CDK constructs before destroying the CloudFormation stack. Pulumi also has tooling to help convert CDK code to Pulumi programs.
CDKTF (CDK for Terraform) uses the CDK construct programming model but synthesizes to Terraform JSON instead of CloudFormation. This gives you multi-cloud support through Terraform providers while using CDK-style constructs. However, CDKTF is less mature than both CDK and Pulumi, has a smaller community, and the synthesis-to-Terraform step can introduce its own debugging challenges. If you want a programming-language IaC tool with multi-cloud support, Pulumi is the more mature choice.
Both have excellent TypeScript support with full type checking and autocompletion. CDK has a slight edge for AWS because its L2 constructs provide richer TypeScript interfaces with builder-pattern methods and typed property objects. Pulumi's TypeScript experience is very good across all providers but the type definitions can sometimes be less ergonomic for complex AWS resources.
Yes. Since CDK synthesizes to CloudFormation, all CloudFormation limits apply. The 500-resource limit per stack is the most common pain point for large CDK applications. You can work around it by splitting your application into multiple stacks, but this adds cross-stack reference complexity. Pulumi does not have these limits since it communicates directly with cloud APIs.
The Pulumi engine is Apache 2.0 open source and free. You can self-manage state using S3 or other backends at no cost. Pulumi Cloud has a free individual tier that includes state management, secrets encryption, and deployment history. Team and enterprise tiers with RBAC, audit logs, and policy enforcement are paid. For personal projects and small teams, you can use Pulumi without paying anything.
Yes. CDK manages resources through CloudFormation stacks and Pulumi manages resources through its own state. As long as each resource is owned by exactly one tool, they do not conflict. Some teams use CDK for application infrastructure (where its L2 constructs shine) and Pulumi for cross-cloud or non-AWS resources.

Related Comparisons

Container Registries
HarborvsDocker Hub
Read comparison
FinOps & Cost Management
InfracostvsKubecost
Read comparison
Artifact Management
JFrog ArtifactoryvsGitHub Packages
Read comparison
Programming Languages
GovsRust
Read comparison
Deployment Strategies
Blue-Green DeploymentsvsCanary Deployments
Read comparison
JavaScript Runtimes
BunvsNode.js
Read comparison
GitOps & CI/CD
FluxvsJenkins
Read comparison
Continuous Delivery
SpinnakervsArgo CD
Read comparison
Testing & Automation
SeleniumvsPlaywright
Read comparison
Code Quality
SonarQubevsCodeClimate
Read comparison
Serverless
AWS LambdavsGoogle Cloud Functions
Read comparison
Serverless
Serverless FrameworkvsAWS SAM
Read comparison
NoSQL Databases
DynamoDBvsMongoDB
Read comparison
Cloud Storage
AWS S3vsGoogle Cloud Storage
Read comparison
Databases
PostgreSQLvsMySQL
Read comparison
Caching
RedisvsMemcached
Read comparison
Kubernetes Networking
CiliumvsCalico
Read comparison
Service Discovery
Consulvsetcd
Read comparison
Service Mesh
IstiovsLinkerd
Read comparison
Reverse Proxy & Load Balancing
NginxvsTraefik
Read comparison
CI/CD
Argo CDvsJenkins X
Read comparison
Deployment Platforms
VercelvsNetlify
Read comparison
Cloud Platforms
DigitalOceanvsAWS Lightsail
Read comparison
Monitoring & Observability
New RelicvsDatadog
Read comparison
Container Platforms
RanchervsOpenShift
Read comparison
CI/CD
CircleCIvsGitHub Actions
Read comparison
Security & Secrets
HashiCorp VaultvsAWS Secrets Manager
Read comparison
Monitoring & Observability
GrafanavsKibana
Read comparison
Security Scanning
SnykvsTrivy
Read comparison
Container Orchestration
Amazon ECSvsAmazon EKS
Read comparison
Infrastructure as Code
TerraformvsCloudFormation
Read comparison
Log Management
ELK StackvsLoki + Grafana
Read comparison
Source Control & DevOps Platforms
GitHubvsGitLab
Read comparison
Configuration Management
AnsiblevsChef
Read comparison
Container Orchestration
Docker SwarmvsKubernetes
Read comparison
Kubernetes Configuration
HelmvsKustomize
Read comparison
Monitoring & Observability
PrometheusvsDatadog
Read comparison
CI/CD
GitLab CIvsGitHub Actions
Read comparison
Containers
PodmanvsDocker
Read comparison
GitOps & CD
Argo CDvsFlux
Read comparison
CI/CD
JenkinsvsGitHub Actions
Read comparison
Infrastructure as Code
TerraformvsPulumi
Read comparison

Found an issue?