diff --git a/tests/ci/cdk/README.md b/tests/ci/cdk/README.md index aeae3cab11..c03b920a9d 100644 --- a/tests/ci/cdk/README.md +++ b/tests/ci/cdk/README.md @@ -16,6 +16,11 @@ AWS-LC CI uses AWS CDK to define and deploy AWS resources (e.g. AWS CodeBuild, E * step 3: change **Source provider** to **GitHub**. * step 4: click **Connect using OAuth** and **Connect to GitHub**. * step 5: follow the OAuth app to grant access. +* Setup Python environment: + * From `aws-lc/tests/ci` run: +```shell +python -m pip install -r requirements.txt +``` ### Minimal permissions: @@ -60,6 +65,18 @@ To setup or update the CI in your account you will need the following IAM permis ### Commands +These commands are run from `aws-lc/tests/ci/cdk`. \ +If not done previously, bootstrap cdk before running the commands below: +```shell +cdk bootstrap aws://${AWS_ACCOUNT_ID}/us-west-2 +``` + +You may also need to request an increase to certain account quotas: +```shell +open https://${CDK_DEPLOY_REGION}.console.aws.amazon.com/servicequotas/home/services/ec2/quotas +``` +* **EC2-VPC Elastic IPs** = 20 + Note: `GITHUB_REPO_OWNER` specifies the GitHub repo targeted by this CI setup. * https://github.com/${GITHUB_REPO_OWNER}/aws-lc.git diff --git a/tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py b/tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py index 81be51dfd2..709d2c4a7f 100644 --- a/tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py +++ b/tests/ci/cdk/cdk/aws_lc_ec2_test_framework_ci_stack.py @@ -85,7 +85,7 @@ def __init__(self, iam.ManagedPolicy.from_aws_managed_policy_name("CloudWatchAgentServerPolicy") ]) iam.CfnInstanceProfile(scope=self, id="{}-ec2-profile".format(id), - roles=["{}-ec2-role".format(id)], + roles=[ec2_role.role_name], instance_profile_name="{}-ec2-profile".format(id)) # create vpc for ec2s diff --git a/tests/ci/cdk/cdk/windows_docker_image_build_stack.py b/tests/ci/cdk/cdk/windows_docker_image_build_stack.py index 3416a125eb..edabec930c 100644 
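Review bot: `instance_profile_name="{}-ec2-profile".format(id)` two lines below the change is still a fixed physical name, so CloudFormation cannot replace this instance profile in place (the replacement must be created under the same name before the old one is deleted) and two deployments with the same stack id in one account/region would collide on it; unless something outside this stack depends on the literal name, drop the argument and let CDK generate it, or record why it must stay fixed. The switch to `ec2_role.role_name` deserves a one-line comment, because it does two things at once: `# Token reference, not a literal: keeps the name in sync with the role construct and makes CloudFormation create the role before the profile.` Whether `ec2_role` was created with an explicit `role_name` is not visible here, so I cannot tell if the old literal ever matched. The enclosing __init__ starts and ends outside the hunk.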
--- a/tests/ci/cdk/cdk/windows_docker_image_build_stack.py
+++ b/tests/ci/cdk/cdk/windows_docker_image_build_stack.py
@@ -47,7 +47,8 @@ def __init__(self,
 ])
 
 # Define Windows EC2 instance, where the SSM document will be executed.
- machine_image = ec2.MachineImage.latest_windows(ec2.WindowsVersion.WINDOWS_SERVER_2019_ENGLISH_FULL_CONTAINERSLATEST)
+ machine_image = ec2.MachineImage.latest_windows(
+ ec2.WindowsVersion.WINDOWS_SERVER_2019_ENGLISH_FULL_BASE)
 vpc = ec2.Vpc(scope=self, id="{}-vpc".format(id))
 block_device_volume = ec2.BlockDeviceVolume.ebs(volume_size=200, delete_on_termination=True)
 block_device = ec2.BlockDevice(device_name="/dev/sda1", volume=block_device_volume)
diff --git a/tests/ci/cdk/run-cdk.sh b/tests/ci/cdk/run-cdk.sh
index 696930d966..eb069f2bcd 100755
--- a/tests/ci/cdk/run-cdk.sh
+++ b/tests/ci/cdk/run-cdk.sh
@@ -44,7 +44,7 @@ function destroy_ci() {
 echo "destroy_ci should not be executed on team account."
 exit 1
 fi
- cdk destroy aws-lc-* --force
+ cdk destroy 'aws-lc-*' --force
 # CDK stack destroy does not delete s3 bucket automatically.
 delete_s3_buckets
 # CDK stack destroy does not delete ecr automatically.
@@ -57,7 +57,7 @@ function destroy_docker_img_build_stack() {
 exit 1
 fi
 # Destroy all temporary resources created for all docker image build.
- cdk destroy aws-lc-docker-image-build-* --force
+ cdk destroy 'aws-lc-docker-image-build-*' --force
 # CDK stack destroy does not delete s3 bucket automatically.
 delete_s3_buckets
 }
@@ -83,7 +83,7 @@ function create_win_docker_img_build_stack() {
 }
 
 function create_github_ci_stack() {
- cdk deploy aws-lc-ci-* --require-approval never
+ cdk deploy 'aws-lc-ci-*' --require-approval never
 }
 
 function run_linux_img_build() {
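Review bot: The new `latest_windows(...WINDOWS_SERVER_2019_ENGLISH_FULL_BASE)` call resolves the AMI through the public SSM "latest" parameter at deploy time, so each `cdk deploy` can pick up a different image without any code change, and the commit does not record why the Containers AMI was dropped; a comment on the new lines such as `# Base AMI (no Docker preinstalled); the SSM document is expected to install what the build needs. The AMI is resolved at deploy time, not pinned.` would capture both, if that is indeed the reason — confirm against the SSM document. Separately, the 200 GB build volume two lines below is created without `encrypted=True`, so everything the image build writes to it sits unencrypted at rest unless the account enforces default EBS encryption; `ec2.BlockDeviceVolume.ebs(volume_size=200, delete_on_termination=True, encrypted=True)` closes that. The enclosing __init__ starts and ends outside the hunk.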
@@ -178,7 +178,7 @@ function build_linux_docker_images() {
 trap destroy_docker_img_build_stack EXIT
 
 # Create/update aws-ecr repo.
- cdk deploy aws-lc-ecr-linux-* --require-approval never
+ cdk deploy 'aws-lc-ecr-linux-*' --require-approval never
 
 # Create docker image build stack.
 create_linux_docker_img_build_stack
@@ -196,7 +196,7 @@ function build_win_docker_images() {
 trap destroy_docker_img_build_stack EXIT
 
 # Create/update aws-ecr repo.
- cdk deploy aws-lc-ecr-windows-* --require-approval never
+ cdk deploy 'aws-lc-ecr-windows-*' --require-approval never
 
 # Create aws windows build stack
 create_win_docker_img_build_stack
@@ -222,19 +222,19 @@ function create_android_resources() {
 # TODO: Move resource creation to aws cdk when cdk has support for device form resource constructs.
 # Issue: https://github.com/aws/aws-cdk/issues/17893
 DEVICEFARM_PROJECT=`aws devicefarm create-project --name aws-lc-android-ci | \
- python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["project"]["arn"])'`
+ python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["project"]["arn"])'`
 DEVICEFARM_DEVICE_POOL=`aws devicefarm create-device-pool --project-arn ${DEVICEFARM_PROJECT} \
 --name "aws-lc-device-pool" \
 --description "AWS-LC Device Pool" \
 --rules file://../android/devicepool_rules.json --max-devices 2 | \
- python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["devicePool"]["arn"])'`
+ python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["devicePool"]["arn"])'`
 DEVICEFARM_DEVICE_POOL_FIPS=`aws devicefarm create-device-pool --project-arn ${DEVICEFARM_PROJECT} \
 --name "aws-lc-device-pool-fips" \
 --description "AWS-LC FIPS Device Pool" \
 --rules file://../android/devicepool_rules_fips.json --max-devices 2 | \
- python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["devicePool"]["arn"])'`
+ python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["devicePool"]["arn"])'`
 cat <