diff --git a/package-lock.json b/package-lock.json
index 83f5b087b2..7473d08efa 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,7 +9,7 @@
       "version": "0.0.0",
       "dependencies": {
         "@oclif/core": "2.11.5",
-        "aws-cdk-lib": "2.87.0",
+        "aws-cdk-lib": "2.90.0",
         "aws-sdk": "^2.1427.0",
         "chalk": "^4.1.2",
         "codemaker": "^1.86.0",
@@ -36,7 +36,7 @@
         "@types/lodash.upperfirst": "^4.3.7",
         "@types/node": "20.4.5",
         "@types/yargs": "^17.0.19",
-        "aws-cdk": "2.87.0",
+        "aws-cdk": "2.90.0",
         "cz-conventional-changelog": "^3.3.0",
         "eslint": "^8.46.0",
         "eslint-plugin-custom-rules": "file:tools/eslint",
@@ -51,8 +51,8 @@
         "typescript": "~4.9.5"
       },
       "peerDependencies": {
-        "aws-cdk": "2.87.0",
-        "aws-cdk-lib": "2.87.0",
+        "aws-cdk": "2.90.0",
+        "aws-cdk-lib": "2.90.0",
         "constructs": "10.2.69"
       }
     },
@@ -83,14 +83,14 @@
       "integrity": "sha512-Kf5J8DfJK4wZFWT2Myca0lhwke7LwHcHBo+4TvWOGJrFVVKVuuiLCkzPPRBQQVDj0Vtn2NBokZAz8pfMpAqAKg=="
     },
     "node_modules/@aws-cdk/asset-kubectl-v20": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@aws-cdk/asset-kubectl-v20/-/asset-kubectl-v20-2.1.1.tgz",
-      "integrity": "sha512-U1ntiX8XiMRRRH5J1IdC+1t5CE89015cwyt5U63Cpk0GnMlN5+h9WsWMlKlPXZR4rdq/m806JRlBMRpBUB2Dhw=="
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/@aws-cdk/asset-kubectl-v20/-/asset-kubectl-v20-2.1.2.tgz",
+      "integrity": "sha512-3M2tELJOxQv0apCIiuKQ4pAbncz9GuLwnKFqxifWfe77wuMxyTRPmxssYHs42ePqzap1LT6GDcPygGs+hHstLg=="
     },
     "node_modules/@aws-cdk/asset-node-proxy-agent-v5": {
-      "version": "2.0.165",
-      "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v5/-/asset-node-proxy-agent-v5-2.0.165.tgz",
-      "integrity": "sha512-bsyLQD/vqXQcc9RDmlM1XqiFNO/yewgVFXmkMcQkndJbmE/jgYkzewwYGrBlfL725hGLQipXq19+jwWwdsXQqg=="
+      "version": "2.0.166",
+      "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v5/-/asset-node-proxy-agent-v5-2.0.166.tgz",
+      "integrity": "sha512-j0xnccpUQHXJKPgCwQcGGNu4lRiC1PptYfdxBIH1L4dRK91iBxtSQHESRQX+yB47oGLaF/WfNN/aF3WXwlhikg=="
     },
     "node_modules/@babel/code-frame": {
       "version": "7.21.4",
@@ -3025,9 +3025,9 @@
       }
     },
     "node_modules/aws-cdk": {
-      "version": "2.87.0",
-      "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.87.0.tgz",
-      "integrity": "sha512-dBm74nl3dMUxoAzgjcfKnzJyoVNIV//B1sqDN11cC3LXEflYapcBxPxZHAyGcRXg5dW3m14dMdKVQfmt4N970g==",
+      "version": "2.90.0",
+      "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.90.0.tgz",
+      "integrity": "sha512-6u9pCZeDyIo03tQBdutLD723tuHBsbOQDor72FRxq1uNFWRbVCmZ8ROk2/APAjYJbl4BK2lW9SEgAb8hapaybA==",
       "dev": true,
       "bin": {
         "cdk": "bin/cdk"
@@ -3040,9 +3040,9 @@
       }
     },
     "node_modules/aws-cdk-lib": {
-      "version": "2.87.0",
-      "resolved": "https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.87.0.tgz",
-      "integrity": "sha512-9kirXX7L7OP/yGmCbaYlkt5OAtowGiGw0AYFIQvSwvx/UU3aJO5XuDwAgDsvToDkRpBi0yX0bNwqa0DItu+C6A==",
+      "version": "2.90.0",
+      "resolved": "https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.90.0.tgz",
+      "integrity": "sha512-7v2qgbut9HX1kuqYKiLWT0MQU7JAu2464cMVP+xsj8omnMBnbAkMDpxeRD5XMor1wM4K3ImIZeacp5WID1Mpdg==",
       "bundleDependencies": [
         "@balena/dockerignore",
         "case",
@@ -3056,9 +3056,9 @@
         "yaml"
       ],
       "dependencies": {
-        "@aws-cdk/asset-awscli-v1": "^2.2.177",
-        "@aws-cdk/asset-kubectl-v20": "^2.1.1",
-        "@aws-cdk/asset-node-proxy-agent-v5": "^2.0.148",
+        "@aws-cdk/asset-awscli-v1": "^2.2.200",
+        "@aws-cdk/asset-kubectl-v20": "^2.1.2",
+        "@aws-cdk/asset-node-proxy-agent-v5": "^2.0.166",
         "@balena/dockerignore": "^1.0.2",
         "case": "1.6.3",
         "fs-extra": "^11.1.1",
@@ -3066,7 +3066,7 @@
         "jsonschema": "^1.4.1",
         "minimatch": "^3.1.2",
         "punycode": "^2.3.0",
-        "semver": "^7.5.1",
+        "semver": "^7.5.4",
         "table": "^6.8.1",
         "yaml": "1.10.2"
       },
@@ -3282,7 +3282,7 @@
       }
     },
     "node_modules/aws-cdk-lib/node_modules/semver": {
-      "version": "7.5.2",
+      "version": "7.5.4",
       "inBundle": true,
       "license": "ISC",
       "dependencies": {
diff --git a/package.json b/package.json
index c3dbbba8e4..a21097ed15 100644
--- a/package.json
+++ b/package.json
@@ -38,7 +38,7 @@
     "@types/lodash.upperfirst": "^4.3.7",
     "@types/node": "20.4.5",
     "@types/yargs": "^17.0.19",
-    "aws-cdk": "2.87.0",
+    "aws-cdk": "2.90.0",
     "cz-conventional-changelog": "^3.3.0",
     "eslint": "^8.46.0",
     "eslint-plugin-custom-rules": "file:tools/eslint",
@@ -54,7 +54,7 @@
   },
   "dependencies": {
     "@oclif/core": "2.11.5",
-    "aws-cdk-lib": "2.87.0",
+    "aws-cdk-lib": "2.90.0",
     "aws-sdk": "^2.1427.0",
     "chalk": "^4.1.2",
     "codemaker": "^1.86.0",
@@ -68,8 +68,8 @@
     "yargs": "^17.6.2"
   },
   "peerDependencies": {
-    "aws-cdk": "2.87.0",
-    "aws-cdk-lib": "2.87.0",
+    "aws-cdk": "2.90.0",
+    "aws-cdk-lib": "2.90.0",
     "constructs": "10.2.69"
   },
   "config": {
diff --git a/src/experimental/constructs/__snapshots__/error-budget-alarm.test.ts.snap b/src/experimental/constructs/__snapshots__/error-budget-alarm.test.ts.snap
index c1f4d3a5a9..b826942f4a 100644
--- a/src/experimental/constructs/__snapshots__/error-budget-alarm.test.ts.snap
+++ b/src/experimental/constructs/__snapshots__/error-budget-alarm.test.ts.snap
@@ -2027,6 +2027,9 @@ exports[`The ErrorBudgetAlarmExperimental construct should create the correct re
       "Type": "AWS::EC2::SecurityGroupIngress",
     },
     "teststackTESTtestguec2appAA7F41BE": {
+      "DependsOn": [
+        "InstanceRoleTestguec2appC325BE42",
+      ],
       "Properties": {
         "LaunchTemplateData": {
           "IamInstanceProfile": {
@@ -3399,6 +3402,9 @@ exports[`The ErrorBudgetAlarmExperimental construct should create the correct re
       "Type": "AWS::EC2::SecurityGroupIngress",
     },
     "teststackTESTtestguec2appAA7F41BE": {
+      "DependsOn": [
+        "InstanceRoleTestguec2appC325BE42",
+      ],
       "Properties": {
         "LaunchTemplateData": {
           "IamInstanceProfile": {
diff --git a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
index 36090fe911..1866c44070 100644
--- a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
+++ b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
@@ -830,6 +830,9 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi
       "Type": "AWS::EC2::SecurityGroupIngress",
     },
     "teststackTESTtestguec2appAA7F41BE": {
+      "DependsOn": [
+        "InstanceRoleTestguec2appC325BE42",
+      ],
       "Properties": {
         "LaunchTemplateData": {
           "IamInstanceProfile": {
@@ -1669,6 +1672,9 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a
       "Type": "AWS::EC2::SecurityGroupIngress",
     },
     "teststackTESTtestguec2appAA7F41BE": {
+      "DependsOn": [
+        "InstanceRoleTestguec2appC325BE42",
+      ],
       "Properties": {
         "LaunchTemplateData": {
           "IamInstanceProfile": {
diff --git a/tools/integration-test/package.json b/tools/integration-test/package.json
index 1f71369cce..3bdd77ed56 100644
--- a/tools/integration-test/package.json
+++ b/tools/integration-test/package.json
@@ -19,8 +19,8 @@
     "@guardian/eslint-config-typescript": "5.0.0",
     "@types/jest": "^29.1.2",
     "@types/node": "20.4.5",
-    "aws-cdk": "2.87.0",
-    "aws-cdk-lib": "2.87.0",
+    "aws-cdk": "2.90.0",
+    "aws-cdk-lib": "2.90.0",
     "constructs": "10.2.69",
     "eslint": "^8.8.0",
     "eslint-plugin-custom-rules": "file:../eslint",