aws
diff --git a/‎tests/ci/cdk/README.md
+4-23 b/‎tests/ci/cdk/README.md
+4-23
diff --git a/‎tests/ci/cdk/cdk/aws_lc_analytics_stack.py
+1-1 b/‎tests/ci/cdk/cdk/aws_lc_analytics_stack.py
+1-1
diff --git a/‎tests/ci/cdk/cdk/aws_lc_android_ci_stack.py
+1-1 b/‎tests/ci/cdk/cdk/aws_lc_android_ci_stack.py
+1-1
diff --git a/‎tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py
+1-1 b/‎tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py
+1-1
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
+2-4 b/‎tests/ci/cdk/cdk/aws_lc_github_ci_stack.py
+2-4
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_ci_x509_stack.py
+1-2 b/‎tests/ci/cdk/cdk/aws_lc_github_ci_x509_stack.py
+1-2
diff --git a/‎tests/ci/cdk/cdk/aws_lc_github_fuzz_ci_stack.py
+1-1 b/‎tests/ci/cdk/cdk/aws_lc_github_fuzz_ci_stack.py
+1-1
diff --git a/‎tests/ci/cdk/cdk/components.py
+5-3 b/‎tests/ci/cdk/cdk/components.py
+5-3
diff --git a/‎tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py
+1-1 b/‎tests/ci/cdk/cdk/linux_docker_image_batch_build_stack.py
+1-1
diff --git a/‎tests/ci/cdk/cdk/windows_docker_image_build_stack.py
+1-1 b/‎tests/ci/cdk/cdk/windows_docker_image_build_stack.py
+1-1
@@ -87,14 +87,14 @@ Use these commands to deploy the CI pipeline. Any changes to the CI or Docker im
 
 These commands are run from `aws-lc/tests/ci/cdk`.
 
-If not done previously, bootstrap cdk for the pipeline account before running the next commands.
+[SKIP IF NO CROSS-ACCOUNT DEPLOYMENT] Give the pipeline account administrator access to the deployment account's CloudFormation. Repeat this step depending on how many deployment environment there are. You only need to run this step once when the pipeline is deploying to a new account for the first time.
 ```
-cdk bootstrap aws://${PIPELINE_ACCOUNT_ID}/us-west-2
+cdk bootstrap aws://${DEPLOY_ACCOUNT_ID}/us-west-2 --trust ${PIPELINE_ACCOUNT_ID} --trust-for-lookup ${PIPELINE_ACCOUNT_ID} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
 ```
 
-[SKIP IF NO CROSS-ACCOUNT DEPLOYMENT] Give the pipeline account administrator access to the deployment account's CloudFormation. Repeat this step depending on how many deployment environment there are. You only need to run this step once when the pipeline is deploying to a new account for the first time.
+If not done previously, bootstrap cdk for the pipeline account before running the next commands.
 ```
-cdk bootstrap aws://${DEPLOY_ACCOUNT_ID}/us-west-2 --trust ${PIPELINE_ACCOUNT_ID} --trust-for-lookup ${PIPELINE_ACCOUNT_ID} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
+cdk bootstrap aws://${PIPELINE_ACCOUNT_ID}/us-west-2
 ```
 
 To deploy dev pipeline to the same account as your CI:
@@ -112,25 +112,6 @@ To deploy production pipeline using default parameters:
 ./run-cdk.sh --action deploy-production-pipeline
 ```
 
-<!-- Bootstrap pipeline account
-```
-AWS_ACCOUNT_ID=183295444613
-PIPELINE_ACCOUNT_ID=774305600158
-cdk bootstrap aws://${PIPELINE_ACCOUNT_ID}/us-west-2
-```
-
-Give pipeline account administrator access to deployment account's CloudFormation
-```
-cdk bootstrap aws://${AWS_ACCOUNT_ID}/us-west-2 --trust ${PIPELINE_ACCOUNT_ID} --trust-for-lookup ${PIPELINE_ACCOUNT_ID} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
-```
-
-Deploy pipeline
-```
-GITHUB_REPO_OWNER=nhatnghiho
-GITHUB_SOURCE_VERSION=ci-pipeline
-./run-cdk.sh --github-repo-owner ${GITHUB_REPO_OWNER} --github-source-version ${GITHUB_SOURCE_VERSION} --aws-account ${AWS_ACCOUNT_ID} --action invoke --command "cdk deploy AwsLcCiPipeline --require-approval never"
-``` -->
-
 ### CI Commands
 Use these commands if you wish to deploy individual stacks instead of the entire pipeline.
 
 
@@ -20,7 +20,7 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
-                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+                 env: typing.Union[Environment, typing.Dict[str, typing.Any]],
                  **kwargs) -> None:
         super().__init__(scope, id, env=env, **kwargs)
 
 
@@ -22,7 +22,7 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
-                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+                 env: typing.Union[Environment, typing.Dict[str, typing.Any]],
                  **kwargs) -> None:
         super().__init__(scope, id, env=env, **kwargs)
 
 
@@ -27,7 +27,7 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
-                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+                 env: typing.Union[Environment, typing.Dict[str, typing.Any]],
                  **kwargs) -> None:
         super().__init__(scope, id, env=env, **kwargs)
 
 
@@ -8,7 +8,7 @@
 
 from cdk.components import PruneStaleGitHubBuilds
 from util.iam_policies import code_build_batch_policy_in_json, code_build_publish_metrics_in_json, \
-    code_build_cloudwatch_logs_policy_in_json, s3_read_policy_in_json
+    code_build_cloudwatch_logs_policy_in_json
 from util.metadata import GITHUB_PUSH_CI_BRANCH_TARGETS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, \
     PIPELINE_ACCOUNT, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME
 from util.build_spec_loader import BuildSpecLoader
@@ -21,7 +21,7 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
-                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+                 env: typing.Union[Environment, typing.Dict[str, typing.Any]],
                  **kwargs) -> None:
         super().__init__(scope, id, env=env, **kwargs)
 
@@ -52,7 +52,6 @@ def __init__(self,
         code_build_cloudwatch_logs_policy = iam.PolicyDocument.from_json(
             code_build_cloudwatch_logs_policy_in_json([log_group])
         )
-        s3_assets_policy = iam.PolicyDocument.from_json(s3_read_policy_in_json())
         resource_access_role = iam.Role(scope=self,
                                         id="{}-resource-role".format(id),
                                         assumed_by=iam.CompositePrincipal(
@@ -61,7 +60,6 @@ def __init__(self,
                                         ),
                                         inline_policies={
                                             "code_build_cloudwatch_logs_policy": code_build_cloudwatch_logs_policy,
-                                            "s3_assets_policy": s3_assets_policy
                                         })
 
         # Define a IAM role for this stack.
 
@@ -9,13 +9,12 @@
     GITHUB_REPO_OWNER, PRE_PROD_ACCOUNT, STAGING_GITHUB_REPO_OWNER, STAGING_GITHUB_REPO_NAME,
 )
 
-
 class AwsLcGitHubX509CIStack(Stack):
     def __init__(
         self,
         scope: Construct,
         id: str,
-        env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+        env: typing.Union[Environment, typing.Dict[str, typing.Any]],
         **kwargs,
     ) -> None:
         super().__init__(scope, id, env=env, **kwargs)
 
@@ -22,7 +22,7 @@ def __init__(self,
                  scope: Construct,
                  id: str,
                  spec_file_path: str,
-                 env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+                 env: typing.Union[Environment, typing.Dict[str, typing.Any]],
                  **kwargs) -> None:
         super().__init__(scope, id, env=env, **kwargs)
 
 
@@ -1,7 +1,9 @@
 import pathlib
+import typing
 
-from aws_cdk import aws_codebuild as codebuild, aws_lambda as lambda_, aws_ecr_assets as ecr_assets, aws_secretsmanager as sm, \
-    aws_events as events, aws_events_targets as events_targets, aws_iam as iam, Duration
+from aws_cdk import aws_codebuild as codebuild, aws_lambda as lambda_, aws_ecr_assets as ecr_assets, \
+    aws_secretsmanager as sm, \
+    aws_events as events, aws_events_targets as events_targets, aws_iam as iam, Duration, Environment
 
 from constructs import Construct
 from util.metadata import GITHUB_REPO_OWNER, GITHUB_TOKEN_SECRET_NAME
@@ -14,7 +16,7 @@ def __init__(
             id: str,
             *,
             project: codebuild.IProject,
-            env,
+            env: typing.Union[Environment, typing.Dict[str, typing.Any]],
             ec2_permissions: bool
     ) -> None:
         super().__init__(scope, id)
 
@@ -26,7 +26,7 @@ def __init__(
             self,
             scope: Construct,
             id: str,
-            env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+            env: typing.Union[Environment, typing.Dict[str, typing.Any]],
             **kwargs) -> None:
         super().__init__(scope, id, env=env, **kwargs)
 
 
@@ -34,7 +34,7 @@ def __init__(
             self,
             scope: Construct,
             id: str,
-            env: typing.Optional[typing.Union[Environment, typing.Dict[str, typing.Any]]],
+            env: typing.Union[Environment, typing.Dict[str, typing.Any]],
             **kwargs) -> None:
         super().__init__(
             scope,