diff --git a/packages/aws-cdk/README.md b/packages/aws-cdk/README.md
index f50fb6509b1f9..265f4a39f1b7c 100644
--- a/packages/aws-cdk/README.md
+++ b/packages/aws-cdk/README.md
@@ -19,6 +19,7 @@ Command                               | Description
 [`cdk synth`](#cdk-synthesize)        | Synthesize a CDK app to CloudFormation template(s)
 [`cdk diff`](#cdk-diff)               | Diff stacks against current state
 [`cdk deploy`](#cdk-deploy)           | Deploy a stack into an AWS account
+[`cdk import`](#cdk-import)           | Import existing AWS resources into a CDK stack
 [`cdk watch`](#cdk-watch)             | Watches a CDK app for deployable and hotswappable changes
 [`cdk destroy`](#cdk-destroy)         | Deletes a stack from an AWS account
 [`cdk bootstrap`](#cdk-bootstrap)     | Deploy a toolkit stack to support deploying large stacks & artifacts
@@ -450,6 +451,53 @@ $ cdk watch --no-logs
 **Note**: This command is considered experimental,
 and might have breaking changes in the future.
 
+### `cdk import`
+
+Sometimes you want to import AWS resources that were created using other means
+into a CDK stack. For some resources (like Roles, Lambda Functions, Event Rules,
+...), it's feasible to create new versions in CDK and then delete the old
+versions. For other resources, this is not possible: stateful resources like S3
+Buckets, DynamoDB tables, etc., cannot be easily deleted without impact on the
+service.
+
+`cdk import`, which uses [CloudFormation resource
+imports](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html),
+makes it possible to bring an existing resource under CDK/CloudFormation's
+management. See the [list of resources that can be imported here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html).
+
+To import an existing resource to a CDK stack, follow the following steps:
+
+1. Run a `cdk diff` to make sure there are no pending changes to the CDK stack you want to
+   import resources into. The only changes allowed in an "import" operation are
+   the addition of new resources which you want to import.
+2. Add constructs for the resources you want to import to your Stack (for example,
+   for an S3 bucket, add something like `new s3.Bucket(this, 'ImportedS3Bucket', {});`).
+   **Do not add any other changes!** You must also make sure to exactly model the state
+   that the resource currently has. For the example of the Bucket, be sure to
+   include KMS keys, life cycle policies, and anything else that's relevant
+   about the bucket. If you do not, subsequent update operations may not do what
+   you expect.
+3. Run the `cdk import` - if there are multiple stacks in the CDK app, pass a specific
+   stack name as an argument.
+4. The CLI will prompt you to pass in the actual names of the resources you are
+   importing. After you supply it, the import starts.
+5. When `cdk import` reports success, the resource is managed by CDK. Any subsequent
+   changes in the construct configuration will be reflected on the resource.
+
+#### Limitations
+
+This feature is currently in preview. Be aware of the following limitations:
+
+- Importing resources in nested stacks is not possible.
+- Uses the deploy role credentials (necessary to read the encrypted staging
+  bucket). Requires a new version (version 12) of the bootstrap stack, for the added
+  IAM permissions to the `deploy-role`.
+- There is no check on whether the properties you specify are correct and complete
+  for the imported resource. Try starting a drift detection operation after importing.
+- Resources that depend on other resources must all be imported together, or one-by-one
+  in the right order. The CLI will not help you import dependent resources in the right
+  order, the CloudFormation deployment will fail with unresolved references.
+
 ### `cdk destroy`
 
 Deletes a stack from it's environment. This will cause the resources in the stack to be destroyed (unless they were
@@ -521,10 +569,10 @@ NOTICES
 16603   Toggling off auto_delete_objects for Bucket empties the bucket
 
         Overview: If a stack is deployed with an S3 bucket with
-                  auto_delete_objects=True, and then re-deployed with 
-                  auto_delete_objects=False, all the objects in the bucket 
+                  auto_delete_objects=True, and then re-deployed with
+                  auto_delete_objects=False, all the objects in the bucket
                   will be deleted.
-                 
+
         Affected versions: <1.126.0.
 
         More information at: https://github.com/aws/aws-cdk/issues/16603
@@ -533,12 +581,12 @@ NOTICES
 17061   Error when building EKS cluster with monocdk import
 
         Overview: When using monocdk/aws-eks to build a stack containing
-                  an EKS cluster, error is thrown about missing 
+                  an EKS cluster, error is thrown about missing
                   lambda-layer-node-proxy-agent/layer/package.json.
-         
+
         Affected versions: >=1.126.0 <=1.130.0.
 
-        More information at: https://github.com/aws/aws-cdk/issues/17061 
+        More information at: https://github.com/aws/aws-cdk/issues/17061
 
 
 If you don’t want to see an notice anymore, use "cdk acknowledge ID". For example, "cdk acknowledge 16603".
@@ -580,7 +628,7 @@ $cdk acknowledge 16603
 ### `cdk notices`
 
 List the notices that are relevant to the current CDK repository, regardless of context flags or notices that
-have been acknowledged: 
+have been acknowledged:
 
 ```console
 $ cdk notices
@@ -589,9 +637,9 @@ NOTICES
 
 16603   Toggling off auto_delete_objects for Bucket empties the bucket
 
-        Overview: if a stack is deployed with an S3 bucket with 
-                  auto_delete_objects=True, and then re-deployed with 
-                  auto_delete_objects=False, all the objects in the bucket 
+        Overview: if a stack is deployed with an S3 bucket with
+                  auto_delete_objects=True, and then re-deployed with
+                  auto_delete_objects=False, all the objects in the bucket
                   will be deleted.
 
         Affected versions: framework: <=2.15.0 >=2.10.0
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index 15d7a22f1edfd..d4f674dfa2cac 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -453,6 +453,8 @@ Resources:
                   - cloudformation:DeleteStack
                   - cloudformation:UpdateTerminationProtection
                   - sts:GetCallerIdentity
+                  # `cdk import`
+                  - cloudformation:GetTemplateSummary
                 Resource: "*"
                 Effect: Allow
               - Sid: CliStagingBucket
@@ -507,7 +509,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '11'
+      Value: '12'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack
diff --git a/packages/aws-cdk/lib/api/cloudformation-deployments.ts b/packages/aws-cdk/lib/api/cloudformation-deployments.ts
index ebf40bbb7442b..5594c71a42630 100644
--- a/packages/aws-cdk/lib/api/cloudformation-deployments.ts
+++ b/packages/aws-cdk/lib/api/cloudformation-deployments.ts
@@ -6,10 +6,10 @@ import { publishAssets } from '../util/asset-publishing';
 import { Mode } from './aws-auth/credentials';
 import { ISDK } from './aws-auth/sdk';
 import { SdkProvider } from './aws-auth/sdk-provider';
-import { deployStack, DeployStackResult, destroyStack } from './deploy-stack';
+import { deployStack, DeployStackResult, destroyStack, makeBodyParameterAndUpload } from './deploy-stack';
 import { loadCurrentTemplateWithNestedStacks, loadCurrentTemplate } from './nested-stack-helpers';
 import { ToolkitInfo } from './toolkit-info';
-import { CloudFormationStack, Template } from './util/cloudformation';
+import { CloudFormationStack, Template, ResourcesToImport, ResourceIdentifierSummaries } from './util/cloudformation';
 import { StackActivityProgress } from './util/cloudformation/stack-activity-monitor';
 import { replaceEnvPlaceholders } from './util/placeholders';
 
@@ -224,6 +224,18 @@ export interface DeployStackOptions {
    * @default - nothing extra is appended to the User-Agent header
    */
   readonly extraUserAgent?: string;
+
+  /**
+   * List of existing resources to be IMPORTED into the stack, instead of being CREATED
+   */
+  readonly resourcesToImport?: ResourcesToImport;
+
+  /**
+   * If present, use this given template instead of the stored one
+   *
+   * @default - Use the stored template
+   */
+  readonly overrideTemplate?: any;
 }
 
 export interface DestroyStackOptions {
@@ -280,23 +292,52 @@ export class CloudFormationDeployments {
   }
 
   public async readCurrentTemplateWithNestedStacks(rootStackArtifact: cxapi.CloudFormationStackArtifact): Promise<Template> {
-    const sdk = await this.prepareSdkWithLookupOrDeployRole(rootStackArtifact);
+    const sdk = (await this.prepareSdkWithLookupOrDeployRole(rootStackArtifact)).stackSdk;
     return (await loadCurrentTemplateWithNestedStacks(rootStackArtifact, sdk)).deployedTemplate;
   }
 
   public async readCurrentTemplate(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<Template> {
     debug(`Reading existing template for stack ${stackArtifact.displayName}.`);
-    const sdk = await this.prepareSdkWithLookupOrDeployRole(stackArtifact);
+    const sdk = (await this.prepareSdkWithLookupOrDeployRole(stackArtifact)).stackSdk;
     return loadCurrentTemplate(stackArtifact, sdk);
   }
 
+  public async resourceIdentifierSummaries(
+    stackArtifact: cxapi.CloudFormationStackArtifact,
+    toolkitStackName?: string,
+  ): Promise<ResourceIdentifierSummaries> {
+    debug(`Retrieving template summary for stack ${stackArtifact.displayName}.`);
+    // Currently, needs to use `deploy-role` since it may need to read templates in the staging
+    // bucket which have been encrypted with a KMS key (and lookup-role may not read encrypted things)
+    const { stackSdk, resolvedEnvironment } = await this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading);
+    const cfn = stackSdk.cloudFormation();
+
+    const toolkitInfo = await ToolkitInfo.lookup(resolvedEnvironment, stackSdk, toolkitStackName);
+
+    // Upload the template, if necessary, before passing it to CFN
+    const cfnParam = await makeBodyParameterAndUpload(
+      stackArtifact,
+      resolvedEnvironment,
+      toolkitInfo,
+      this.sdkProvider,
+      stackSdk);
+
+    const response = await cfn.getTemplateSummary(cfnParam).promise();
+    if (!response.ResourceIdentifierSummaries) {
+      debug('GetTemplateSummary API call did not return "ResourceIdentifierSummaries"');
+    }
+    return response.ResourceIdentifierSummaries ?? [];
+  }
+
   public async deployStack(options: DeployStackOptions): Promise<DeployStackResult> {
     const { stackSdk, resolvedEnvironment, cloudFormationRoleArn } = await this.prepareSdkFor(options.stack, options.roleArn);
 
     const toolkitInfo = await ToolkitInfo.lookup(resolvedEnvironment, stackSdk, options.toolkitStackName);
 
-    // Publish any assets before doing the actual deploy
-    await this.publishStackAssets(options.stack, toolkitInfo);
+    // Publish any assets before doing the actual deploy (do not publish any assets on import operation)
+    if (options.resourcesToImport === undefined) {
+      await this.publishStackAssets(options.stack, toolkitInfo);
+    }
 
     // Do a verification of the bootstrap stack version
     await this.validateBootstrapStackVersion(
@@ -327,6 +368,8 @@ export class CloudFormationDeployments {
       rollback: options.rollback,
       hotswap: options.hotswap,
       extraUserAgent: options.extraUserAgent,
+      resourcesToImport: options.resourcesToImport,
+      overrideTemplate: options.overrideTemplate,
     });
   }
 
@@ -348,16 +391,19 @@ export class CloudFormationDeployments {
     return stack.exists;
   }
 
-  private async prepareSdkWithLookupOrDeployRole(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<ISDK> {
+  private async prepareSdkWithLookupOrDeployRole(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<PreparedSdkForEnvironment> {
     // try to assume the lookup role
     try {
       const result = await prepareSdkWithLookupRoleFor(this.sdkProvider, stackArtifact);
       if (result.didAssumeRole) {
-        return result.sdk;
+        return {
+          resolvedEnvironment: result.resolvedEnvironment,
+          stackSdk: result.sdk,
+        };
       }
     } catch { }
     // fall back to the deploy role
-    return (await this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading)).stackSdk;
+    return this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading);
   }
 
   /**
diff --git a/packages/aws-cdk/lib/api/deploy-stack.ts b/packages/aws-cdk/lib/api/deploy-stack.ts
index 76b9386cc9550..f87fa183b329b 100644
--- a/packages/aws-cdk/lib/api/deploy-stack.ts
+++ b/packages/aws-cdk/lib/api/deploy-stack.ts
@@ -1,5 +1,6 @@
 import * as cxapi from '@aws-cdk/cx-api';
 import * as chalk from 'chalk';
+import * as fs from 'fs-extra';
 import * as uuid from 'uuid';
 import { addMetadataAssetsToManifest } from '../assets';
 import { Tag } from '../cdk-toolkit';
@@ -15,7 +16,7 @@ import { ICON } from './hotswap/common';
 import { ToolkitInfo } from './toolkit-info';
 import {
   changeSetHasNoChanges, CloudFormationStack, TemplateParameters, waitForChangeSet,
-  waitForStackDeploy, waitForStackDelete, ParameterValues, ParameterChanges,
+  waitForStackDeploy, waitForStackDelete, ParameterValues, ParameterChanges, ResourcesToImport,
 } from './util/cloudformation';
 import { StackActivityMonitor, StackActivityProgress } from './util/cloudformation/stack-activity-monitor';
 
@@ -189,6 +190,19 @@ export interface DeployStackOptions {
    * @default - nothing extra is appended to the User-Agent header
    */
   readonly extraUserAgent?: string;
+
+  /**
+   * If set, change set of type IMPORT will be created, and resourcesToImport
+   * passed to it.
+   */
+  readonly resourcesToImport?: ResourcesToImport;
+
+  /**
+   * If present, use this given template instead of the stored one
+   *
+   * @default - Use the stored template
+   */
+  readonly overrideTemplate?: any;
 }
 
 const LARGE_TEMPLATE_SIZE_KB = 50;
@@ -245,7 +259,13 @@ export async function deployStack(options: DeployStackOptions): Promise<DeploySt
     debug(`${deployName}: deploying...`);
   }
 
-  const bodyParameter = await makeBodyParameter(stackArtifact, options.resolvedEnvironment, legacyAssets, options.toolkitInfo, options.sdk);
+  const bodyParameter = await makeBodyParameter(
+    stackArtifact,
+    options.resolvedEnvironment,
+    legacyAssets,
+    options.toolkitInfo,
+    options.sdk,
+    options.overrideTemplate);
   await publishAssets(legacyAssets.toManifest(stackArtifact.assembly.directory), options.sdkProvider, stackEnv);
 
   if (options.hotswap) {
@@ -298,7 +318,8 @@ async function prepareAndExecuteChangeSet(
   const changeSet = await cfn.createChangeSet({
     StackName: deployName,
     ChangeSetName: changeSetName,
-    ChangeSetType: update ? 'UPDATE' : 'CREATE',
+    ChangeSetType: options.resourcesToImport ? 'IMPORT' : update ? 'UPDATE' : 'CREATE',
+    ResourcesToImport: options.resourcesToImport,
     Description: `CDK Changeset for execution ${executionId}`,
     TemplateBody: bodyParameter.TemplateBody,
     TemplateURL: bodyParameter.TemplateURL,
@@ -386,15 +407,17 @@ async function makeBodyParameter(
   resolvedEnvironment: cxapi.Environment,
   assetManifest: AssetManifestBuilder,
   toolkitInfo: ToolkitInfo,
-  sdk: ISDK): Promise<TemplateBodyParameter> {
+  sdk: ISDK,
+  overrideTemplate?: any,
+): Promise<TemplateBodyParameter> {
 
   // If the template has already been uploaded to S3, just use it from there.
-  if (stack.stackTemplateAssetObjectUrl) {
+  if (stack.stackTemplateAssetObjectUrl && !overrideTemplate) {
     return { TemplateURL: restUrlFromManifest(stack.stackTemplateAssetObjectUrl, resolvedEnvironment, sdk) };
   }
 
   // Otherwise, pass via API call (if small) or upload here (if large)
-  const templateJson = toYAML(stack.template);
+  const templateJson = toYAML(overrideTemplate ?? stack.template);
 
   if (templateJson.length <= LARGE_TEMPLATE_SIZE_KB * 1024) {
     return { TemplateBody: templateJson };
@@ -413,8 +436,15 @@ async function makeBodyParameter(
   const templateHash = contentHash(templateJson);
   const key = `cdk/${stack.id}/${templateHash}.yml`;
 
+  let templateFile = stack.templateFile;
+  if (overrideTemplate) {
+    // Add a variant of this template
+    templateFile = `${stack.templateFile}-${templateHash}.yaml`;
+    await fs.writeFile(templateFile, templateJson, { encoding: 'utf-8' });
+  }
+
   assetManifest.addFileAsset(templateHash, {
-    path: stack.templateFile,
+    path: templateFile,
   }, {
     bucketName: toolkitInfo.bucketName,
     objectKey: key,
@@ -425,6 +455,33 @@ async function makeBodyParameter(
   return { TemplateURL: templateURL };
 }
 
+/**
+ * Prepare a body parameter for CFN, performing the upload
+ *
+ * Return it as-is if it is small enough to pass in the API call,
+ * upload to S3 and return the coordinates if it is not.
+ */
+export async function makeBodyParameterAndUpload(
+  stack: cxapi.CloudFormationStackArtifact,
+  resolvedEnvironment: cxapi.Environment,
+  toolkitInfo: ToolkitInfo,
+  sdkProvider: SdkProvider,
+  sdk: ISDK,
+  overrideTemplate?: any): Promise<TemplateBodyParameter> {
+
+  // We don't have access to the actual asset manifest here, so pretend that the
+  // stack doesn't have a pre-published URL.
+  const forceUploadStack = Object.create(stack, {
+    stackTemplateAssetObjectUrl: { value: undefined },
+  });
+
+  const builder = new AssetManifestBuilder();
+  const bodyparam = await makeBodyParameter(forceUploadStack, resolvedEnvironment, builder, toolkitInfo, sdk, overrideTemplate);
+  const manifest = builder.toManifest(stack.assembly.directory);
+  await publishAssets(manifest, sdkProvider, resolvedEnvironment, { quiet: true });
+  return bodyparam;
+}
+
 export interface DestroyStackOptions {
   /**
    * The stack to be destroyed
diff --git a/packages/aws-cdk/lib/api/util/cloudformation.ts b/packages/aws-cdk/lib/api/util/cloudformation.ts
index b3b5660d727c4..6e84e542045a7 100644
--- a/packages/aws-cdk/lib/api/util/cloudformation.ts
+++ b/packages/aws-cdk/lib/api/util/cloudformation.ts
@@ -16,6 +16,10 @@ interface TemplateParameter {
   [key: string]: any;
 }
 
+export type ResourceIdentifierProperties = CloudFormation.ResourceIdentifierProperties;
+export type ResourceIdentifierSummaries = CloudFormation.ResourceIdentifierSummaries;
+export type ResourcesToImport = CloudFormation.ResourcesToImport;
+
 /**
  * Represents an (existing) Stack in CloudFormation
  *
diff --git a/packages/aws-cdk/lib/api/util/cloudformation/stack-status.ts b/packages/aws-cdk/lib/api/util/cloudformation/stack-status.ts
index e26886225eea8..76069868cf99b 100644
--- a/packages/aws-cdk/lib/api/util/cloudformation/stack-status.ts
+++ b/packages/aws-cdk/lib/api/util/cloudformation/stack-status.ts
@@ -34,7 +34,7 @@ export class StackStatus {
   }
 
   get isDeploySuccess(): boolean {
-    return !this.isNotFound && (this.name === 'CREATE_COMPLETE' || this.name === 'UPDATE_COMPLETE');
+    return !this.isNotFound && (this.name === 'CREATE_COMPLETE' || this.name === 'UPDATE_COMPLETE' || this.name === 'IMPORT_COMPLETE');
   }
 
   public toString(): string {
diff --git a/packages/aws-cdk/lib/cdk-toolkit.ts b/packages/aws-cdk/lib/cdk-toolkit.ts
index 3d9901a0610fe..3e7c6f38dafbc 100644
--- a/packages/aws-cdk/lib/cdk-toolkit.ts
+++ b/packages/aws-cdk/lib/cdk-toolkit.ts
@@ -15,6 +15,7 @@ import { findCloudWatchLogGroups } from './api/logs/find-cloudwatch-logs';
 import { CloudWatchLogEventMonitor } from './api/logs/logs-monitor';
 import { StackActivityProgress } from './api/util/cloudformation/stack-activity-monitor';
 import { printSecurityDiff, printStackDiff, RequireApproval } from './diff';
+import { ResourceImporter } from './import';
 import { data, debug, error, highlight, print, success, warning } from './logging';
 import { deserializeStructure, serializeStructure } from './serialize';
 import { Configuration, PROJECT_CONFIG } from './settings';
@@ -360,6 +361,83 @@ export class CdkToolkit {
     });
   }
 
+  public async import(options: ImportOptions) {
+    print(chalk.grey("The 'cdk import' feature is currently in preview."));
+    const stacks = await this.selectStacksForDeploy(options.selector, true, true);
+
+    if (stacks.stackCount > 1) {
+      throw new Error(`Stack selection is ambiguous, please choose a specific stack for import [${stacks.stackArtifacts.map(x => x.id).join(', ')}]`);
+    }
+
+    if (!process.stdout.isTTY && !options.resourceMappingFile) {
+      throw new Error('--resource-mapping-file is required when input is not a terminal');
+    }
+
+    const stack = stacks.stackArtifacts[0];
+
+    highlight(stack.displayName);
+
+    const resourceImporter = new ResourceImporter(stack, this.props.cloudFormation, {
+      toolkitStackName: options.toolkitStackName,
+    });
+    const { additions, hasNonAdditions } = await resourceImporter.discoverImportableResources(options.force);
+    if (additions.length === 0) {
+      warning('%s: no new resources compared to the currently deployed stack, skipping import.', chalk.bold(stack.displayName));
+      return;
+    }
+
+    // Prepare a mapping of physical resources to CDK constructs
+    const actualImport = !options.resourceMappingFile
+      ? await resourceImporter.askForResourceIdentifiers(additions)
+      : await resourceImporter.loadResourceIdentifiers(additions, options.resourceMappingFile);
+
+    if (actualImport.importResources.length === 0) {
+      warning('No resources selected for import.');
+      return;
+    }
+
+    // If "--create-resource-mapping" option was passed, write the resource mapping to the given file and exit
+    if (options.recordResourceMapping) {
+      const outputFile = options.recordResourceMapping;
+      fs.ensureFileSync(outputFile);
+      await fs.writeJson(outputFile, actualImport.resourceMap, {
+        spaces: 2,
+        encoding: 'utf8',
+      });
+      print('%s: mapping file written.', outputFile);
+      return;
+    }
+
+    // Import the resources according to the given mapping
+    print('%s: importing resources into stack...', chalk.bold(stack.displayName));
+    const tags = tagsForStack(stack);
+    await resourceImporter.importResources(actualImport, {
+      stack,
+      deployName: stack.stackName,
+      roleArn: options.roleArn,
+      toolkitStackName: options.toolkitStackName,
+      tags,
+      execute: options.execute,
+      changeSetName: options.changeSetName,
+      usePreviousParameters: true,
+      progress: options.progress,
+      rollback: options.rollback,
+    });
+
+    // Notify user of next steps
+    print(
+      `Import operation complete. We recommend you run a ${chalk.blueBright('drift detection')} operation `
+      + 'to confirm your CDK app resource definitions are up-to-date. Read more here: '
+      + chalk.underline.blueBright('https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/detect-drift-stack.html'));
+    if (actualImport.importResources.length < additions.length) {
+      print('');
+      warning(`Some resources were skipped. Run another ${chalk.blueBright('cdk import')} or a ${chalk.blueBright('cdk deploy')} to bring the stack up-to-date with your CDK app definition.`);
+    } else if (hasNonAdditions) {
+      print('');
+      warning(`Your app has pending updates or deletes excluded from this import operation. Run a ${chalk.blueBright('cdk deploy')} to bring the stack up-to-date with your CDK app definition.`);
+    }
+  }
+
   public async destroy(options: DestroyOptions) {
     let stacks = await this.selectStacksForDestroy(options.selector, options.exclusively);
 
@@ -691,19 +769,12 @@ export interface DiffOptions {
   securityOnly?: boolean;
 }
 
-interface WatchOptions {
+interface CfnDeployOptions {
   /**
    * Criteria for selecting stacks to deploy
    */
   selector: StackSelector;
 
-  /**
-   * Only select the given stack
-   *
-   * @default false
-   */
-  exclusively?: boolean;
-
   /**
    * Name of the toolkit stack to use/deploy
    *
@@ -716,11 +787,6 @@ interface WatchOptions {
    */
   roleArn?: string;
 
-  /**
-   * Reuse the assets with the given asset IDs
-   */
-  reuseAssets?: string[];
-
   /**
    * Optional name to use for the CloudFormation change set.
    * If not provided, a name will be generated automatically.
@@ -728,10 +794,11 @@ interface WatchOptions {
   changeSetName?: string;
 
   /**
-   * Always deploy, even if templates are identical.
-   * @default false
+   * Whether to execute the ChangeSet
+   * Not providing `execute` parameter will result in execution of ChangeSet
+   * @default true
    */
-  force?: boolean;
+  execute?: boolean;
 
   /**
    * Display mode for stack deployment progress.
@@ -747,6 +814,26 @@ interface WatchOptions {
    * @default true
    */
   readonly rollback?: boolean;
+}
+
+interface WatchOptions extends Omit<CfnDeployOptions, 'execute'> {
+  /**
+   * Only select the given stack
+   *
+   * @default false
+   */
+  exclusively?: boolean;
+
+  /**
+   * Reuse the assets with the given asset IDs
+   */
+  reuseAssets?: string[];
+
+  /**
+   * Always deploy, even if templates are identical.
+   * @default false
+   */
+  force?: boolean;
 
   /**
    * Whether to perform a 'hotswap' deployment.
@@ -773,7 +860,7 @@ interface WatchOptions {
   readonly traceLogs?: boolean;
 }
 
-export interface DeployOptions extends WatchOptions {
+export interface DeployOptions extends CfnDeployOptions, WatchOptions {
   /**
    * ARNs of SNS topics that CloudFormation will notify with stack related events
    */
@@ -791,13 +878,6 @@ export interface DeployOptions extends WatchOptions {
    */
   tags?: Tag[];
 
-  /**
-   * Whether to execute the ChangeSet
-   * Not providing `execute` parameter will result in execution of ChangeSet
-   * @default true
-   */
-  execute?: boolean;
-
   /**
    * Additional parameters for CloudFormation at deploy time
    * @default {}
@@ -851,6 +931,30 @@ export interface DeployOptions extends WatchOptions {
   readonly cloudWatchLogMonitor?: CloudWatchLogEventMonitor;
 }
 
+export interface ImportOptions extends CfnDeployOptions {
+  /**
+   * Build a physical resource mapping and write it to the given file, without performing the actual import operation
+   *
+   * @default - No file
+   */
+
+  readonly recordResourceMapping?: string;
+
+  /**
+   * Path to a file with with the physical resource mapping to CDK constructs in JSON format
+   *
+   * @default - No mapping file
+   */
+  readonly resourceMappingFile?: string;
+
+  /**
+   * Allow non-addition changes to the template
+   *
+   * @default false
+   */
+  readonly force?: boolean;
+}
+
 export interface DestroyOptions {
   /**
    * Criteria for selecting stacks to deploy
diff --git a/packages/aws-cdk/lib/cli.ts b/packages/aws-cdk/lib/cli.ts
index 1a20ed9edf279..684b415dd2524 100644
--- a/packages/aws-cdk/lib/cli.ts
+++ b/packages/aws-cdk/lib/cli.ts
@@ -148,6 +148,35 @@ async function parseCommandLineArguments() {
           "Only in effect if specified alongside the '--watch' option",
       }),
     )
+    .command('import [STACK]', 'Import existing resource(s) into the given STACK', (yargs: Argv) => yargs
+      .option('execute', { type: 'boolean', desc: 'Whether to execute ChangeSet (--no-execute will NOT execute the ChangeSet)', default: true })
+      .option('change-set-name', { type: 'string', desc: 'Name of the CloudFormation change set to create' })
+      .option('toolkit-stack-name', { type: 'string', desc: 'The name of the CDK toolkit stack to create', requiresArg: true })
+      .option('rollback', {
+        type: 'boolean',
+        desc: "Rollback stack to stable state on failure. Defaults to 'true', iterate more rapidly with --no-rollback or -R. " +
+          'Note: do **not** disable this flag for deployments with resource replacements, as that will always fail',
+      })
+      .option('force', {
+        alias: 'f',
+        type: 'boolean',
+        desc: 'Do not abort if the template diff includes updates or deletes. This is probably safe but we\'re not sure, let us know how it goes.',
+      })
+      .option('record-resource-mapping', {
+        type: 'string',
+        alias: 'r',
+        requiresArg: true,
+        desc: 'If specified, CDK will generate a mapping of existing physical resources to CDK resources to be imported as. The mapping ' +
+          'will be written in the given file path. No actual import operation will be performed',
+      })
+      .option('resource-mapping', {
+        type: 'string',
+        alias: 'm',
+        requiresArg: true,
+        desc: 'If specified, CDK will use the given file to map physical resources to CDK resources for import, instead of interactively ' +
+          'asking the user. Can be run from scripts',
+      }),
+    )
     .command('watch [STACKS..]', "Shortcut for 'deploy --watch'", (yargs: Argv) => yargs
       // I'm fairly certain none of these options, present for 'deploy', make sense for 'watch':
       // .option('all', { type: 'boolean', default: false, desc: 'Deploy all available stacks' })
@@ -343,8 +372,8 @@ async function initCommandLine() {
       throw new Error('You must either specify a list of Stacks or the `--all` argument');
     }
 
-    args.STACKS = args.STACKS || [];
-    args.ENVIRONMENTS = args.ENVIRONMENTS || [];
+    args.STACKS = args.STACKS ?? (args.STACK ? [args.STACK] : []);
+    args.ENVIRONMENTS = args.ENVIRONMENTS ?? [];
 
     const selector: StackSelector = {
       allTopLevel: args.all,
@@ -446,6 +475,20 @@ async function initCommandLine() {
           traceLogs: args.logs,
         });
 
+      case 'import':
+        return cli.import({
+          selector,
+          toolkitStackName,
+          roleArn: args.roleArn,
+          execute: args.execute,
+          changeSetName: args.changeSetName,
+          progress: configuration.settings.get(['progress']),
+          rollback: configuration.settings.get(['rollback']),
+          recordResourceMapping: args['record-resource-mapping'],
+          resourceMappingFile: args['resource-mapping'],
+          force: args.force,
+        });
+
       case 'watch':
         return cli.watch({
           selector,
diff --git a/packages/aws-cdk/lib/import.ts b/packages/aws-cdk/lib/import.ts
new file mode 100644
index 0000000000000..0a5795313fbc0
--- /dev/null
+++ b/packages/aws-cdk/lib/import.ts
@@ -0,0 +1,367 @@
+import * as cfnDiff from '@aws-cdk/cloudformation-diff';
+import { ResourceDifference } from '@aws-cdk/cloudformation-diff';
+import * as cxapi from '@aws-cdk/cx-api';
+import * as chalk from 'chalk';
+import * as fs from 'fs-extra';
+import * as promptly from 'promptly';
+import { CloudFormationDeployments, DeployStackOptions } from './api/cloudformation-deployments';
+import { ResourceIdentifierProperties, ResourcesToImport } from './api/util/cloudformation';
+import { error, print, success, warning } from './logging';
+
+/**
+ * Parameters that uniquely identify a physical resource of a given type
+ * for the import operation, example:
+ *
+ * ```
+ * {
+ *   "AWS::S3::Bucket": ["BucketName"],
+ *   "AWS::IAM::Role": ["RoleName"],
+ *   "AWS::EC2::VPC": ["VpcId"]
+ * }
+ * ```
+ */
+export type ResourceIdentifiers = { [resourceType: string]: string[] };
+
+/**
+ * Mapping of CDK resources (L1 constructs) to physical resources to be imported
+ * in their place, example:
+ *
+ * ```
+ * {
+ *   "MyStack/MyS3Bucket/Resource": {
+ *     "BucketName": "my-manually-created-s3-bucket"
+ *   },
+ *   "MyStack/MyVpc/Resource": {
+ *     "VpcId": "vpc-123456789"
+ *   }
+ * }
+ * ```
+ */
+export type ResourceMap = { [logicalResource: string]: ResourceIdentifierProperties };
+
+export interface ResourceImporterOptions {
+  /**
+   * Name of toolkit stack if non-default
+   *
+   * @default - Default toolkit stack name
+   */
+  readonly toolkitStackName?: string;
+}
+
+/**
+ * Resource importing utility class
+ *
+ * - Determines the resources added to a template (compared to the deployed version)
+ * - Look up the identification information
+ *   - Load them from a file, or
+ *   - Ask the user, based on information supplied to us by CloudFormation's GetTemplateSummary
+ * - Translate the input to a structure expected by CloudFormation, update the template to add the
+ *   importable resources, then run an IMPORT changeset.
+ */
+export class ResourceImporter {
+  private _currentTemplate: any;
+
+  constructor(
+    private readonly stack: cxapi.CloudFormationStackArtifact,
+    private readonly cfn: CloudFormationDeployments,
+    private readonly options: ResourceImporterOptions = {}) { }
+
+  /**
+   * Ask the user for resources to import
+   */
+  public async askForResourceIdentifiers(available: ImportableResource[]): Promise<ImportMap> {
+    const ret: ImportMap = { importResources: [], resourceMap: {} };
+    const resourceIdentifiers = await this.resourceIdentifiers();
+
+    for (const resource of available) {
+      const identifier = await this.askForResourceIdentifier(resourceIdentifiers, resource);
+      if (!identifier) {
+        continue;
+      }
+
+      ret.importResources.push(resource);
+      ret.resourceMap[resource.logicalId] = identifier;
+    }
+
+    return ret;
+  }
+
+  /**
+   * Load the resources to import from a file
+   */
+  public async loadResourceIdentifiers(available: ImportableResource[], filename: string): Promise<ImportMap> {
+    const contents = await fs.readJson(filename);
+
+    const ret: ImportMap = { importResources: [], resourceMap: {} };
+    for (const resource of available) {
+      const descr = this.describeResource(resource.logicalId);
+      const idProps = contents[resource.logicalId];
+      if (idProps) {
+        print('%s: importing using %s', chalk.blue(descr), chalk.blue(fmtdict(idProps)));
+
+        ret.importResources.push(resource);
+        ret.resourceMap[resource.logicalId] = idProps;
+        delete contents[resource.logicalId];
+      } else {
+        print('%s: skipping', chalk.blue(descr));
+      }
+    }
+
+    const unknown = Object.keys(contents);
+    if (unknown.length > 0) {
+      warning(`Unrecognized resource identifiers in mapping file: ${unknown.join(', ')}`);
+    }
+
+    return ret;
+  }
+
+  /**
+   * Based on the provided resource mapping, prepare CFN structures for import (template,
+   * ResourcesToImport structure) and perform the import operation (CloudFormation deployment)
+   *
+   * @param resourceMap Mapping from CDK construct tree path to physical resource import identifiers
+   * @param options Options to pass to CloudFormation deploy operation
+   */
+  public async importResources(importMap: ImportMap, options: DeployStackOptions) {
+    const resourcesToImport: ResourcesToImport = await this.makeResourcesToImport(importMap);
+    const updatedTemplate = await this.currentTemplateWithAdditions(importMap.importResources);
+
+    try {
+      const result = await this.cfn.deployStack({
+        ...options,
+        overrideTemplate: updatedTemplate,
+        resourcesToImport,
+      });
+
+      const message = result.noOp
+        ? ' ✅  %s (no changes)'
+        : ' ✅  %s';
+
+      success('\n' + message, options.stack.displayName);
+    } catch (e) {
+      error('\n ❌  %s failed: %s', chalk.bold(options.stack.displayName), e);
+      throw e;
+    }
+  }
+
+  /**
+   * Perform a diff between the currently running and the new template, enusre that it is valid
+   * for importing and return a list of resources that are being added in the new version
+   *
+   * @return mapping logicalResourceId -> resourceDifference
+   */
+  public async discoverImportableResources(allowNonAdditions = false): Promise<DiscoverImportableResourcesResult> {
+    const currentTemplate = await this.currentTemplate();
+
+    const diff = cfnDiff.diffTemplate(currentTemplate, this.stack.template);
+
+    // Ignore changes to CDKMetadata
+    const resourceChanges = Object.entries(diff.resources.changes)
+      .filter(([logicalId, _]) => logicalId !== 'CDKMetadata');
+
+    // Split the changes into additions and non-additions. Imports only make sense
+    // for newly-added resources.
+    const nonAdditions = resourceChanges.filter(([_, dif]) => !dif.isAddition);
+    const additions = resourceChanges.filter(([_, dif]) => dif.isAddition);
+
+    if (nonAdditions.length) {
+      const offendingResources = nonAdditions.map(([logId, _]) => this.describeResource(logId));
+
+      if (allowNonAdditions) {
+        warning(`Ignoring updated/deleted resources (--force): ${offendingResources.join(', ')}`);
+      } else {
+        throw new Error('No resource updates or deletes are allowed on import operation. Make sure to resolve pending changes ' +
+                        `to existing resources, before attempting an import. Updated/deleted resources: ${offendingResources.join(', ')} (--force to override)`);
+      }
+    }
+
+    // Resources in the new template, that are not present in the current template, are a potential import candidates
+    return {
+      additions: additions.map(([logicalId, resourceDiff]) => ({
+        logicalId,
+        resourceDiff,
+        resourceDefinition: addDefaultDeletionPolicy(this.stack.template?.Resources?.[logicalId] ?? {}),
+      })),
+      hasNonAdditions: nonAdditions.length > 0,
+    };
+  }
+
+  /**
+   * Get currently deployed template of the given stack (SINGLETON)
+   *
+   * @returns Currently deployed CloudFormation template
+   */
+  private async currentTemplate(): Promise<any> {
+    if (!this._currentTemplate) {
+      this._currentTemplate = await this.cfn.readCurrentTemplate(this.stack);
+    }
+    return this._currentTemplate;
+  }
+
+  /**
+   * Return teh current template, with the given resources added to it
+   */
+  private async currentTemplateWithAdditions(additions: ImportableResource[]): Promise<any> {
+    const template = await this.currentTemplate();
+    if (!template.Resources) {
+      template.Resources = {};
+    }
+
+    for (const add of additions) {
+      template.Resources[add.logicalId] = add.resourceDefinition;
+    }
+
+    return template;
+  }
+
+  /**
+   * Get a list of import identifiers for all resource types used in the given
+   * template that do support the import operation (SINGLETON)
+   *
+   * @returns a mapping from a resource type to a list of property names that together identify the resource for import
+   */
+  private async resourceIdentifiers(): Promise<ResourceIdentifiers> {
+    const ret: ResourceIdentifiers = {};
+    const resourceIdentifierSummaries = await this.cfn.resourceIdentifierSummaries(this.stack, this.options.toolkitStackName);
+    for (const summary of resourceIdentifierSummaries) {
+      if ('ResourceType' in summary && summary.ResourceType && 'ResourceIdentifiers' in summary && summary.ResourceIdentifiers) {
+        ret[summary.ResourceType] = summary.ResourceIdentifiers;
+      }
+    }
+    return ret;
+  }
+
+  private async askForResourceIdentifier(
+    resourceIdentifiers: ResourceIdentifiers,
+    chg: ImportableResource,
+  ): Promise<ResourceIdentifierProperties | undefined> {
+    const resourceName = this.describeResource(chg.logicalId);
+
+    // Skip resources that do not support importing
+    const resourceType = chg.resourceDiff.newResourceType;
+    if (resourceType === undefined || !(resourceType in resourceIdentifiers)) {
+      warning(`${resourceName}: unsupported resource type ${resourceType}, skipping import.`);
+      return undefined;
+    }
+
+    const idProps = resourceIdentifiers[resourceType];
+    const resourceProps = chg.resourceDefinition.Properties ?? {};
+
+    const fixedIdProps = idProps.filter(p => resourceProps[p]);
+    const fixedIdInput: ResourceIdentifierProperties = Object.fromEntries(fixedIdProps.map(p => [p, resourceProps[p]]));
+
+    const missingIdProps = idProps.filter(p => !resourceProps[p]);
+
+    if (missingIdProps.length === 0) {
+      // We can auto-import this, but ask the user to confirm
+      const props = fmtdict(fixedIdInput);
+
+      if (!await promptly.confirm(
+        `${chalk.blue(resourceName)} (${resourceType}): import with ${chalk.yellow(props)} (yes/no) [default: yes]? `,
+        { default: 'yes' },
+      )) {
+        print(chalk.grey(`Skipping import of ${resourceName}`));
+        return undefined;
+      }
+    }
+
+    // Ask the user to provide missing props
+    const userInput: ResourceIdentifierProperties = {};
+    for (const missingIdProp of missingIdProps) {
+      const response = (await promptly.prompt(
+        `${chalk.blue(resourceName)} (${resourceType}): enter ${chalk.blue(missingIdProp)} to import (empty to skip):`,
+        { default: '', trim: true },
+      ));
+      if (!response) {
+        print(chalk.grey(`Skipping import of ${resourceName}`));
+        return undefined;
+      }
+      userInput[missingIdProp] = response;
+    }
+
+    return {
+      ...fixedIdInput,
+      ...userInput,
+    };
+  }
+
+  /**
+   * Convert the internal "resource mapping" structure to CloudFormation accepted "ResourcesToImport" structure
+   */
+  private async makeResourcesToImport(resourceMap: ImportMap): Promise<ResourcesToImport> {
+    return resourceMap.importResources.map(res => ({
+      LogicalResourceId: res.logicalId,
+      ResourceType: res.resourceDiff.newResourceType!,
+      ResourceIdentifier: resourceMap.resourceMap[res.logicalId],
+    }));
+  }
+
+  /**
+   * Convert CloudFormation logical resource ID to CDK construct tree path
+   *
+   * @param logicalId CloudFormation logical ID of the resource (the key in the template's Resources section)
+   * @returns Forward-slash separated path of the resource in CDK construct tree, e.g. MyStack/MyBucket/Resource
+   */
+  private describeResource(logicalId: string): string {
+    return this.stack.template?.Resources?.[logicalId]?.Metadata?.['aws:cdk:path'] ?? logicalId;
+  }
+}
+
+/**
+ * Information about a resource in the template that is importable
+ */
+export interface ImportableResource {
+  /**
+   * The logical ID of the resource
+   */
+  readonly logicalId: string;
+
+  /**
+   * The resource definition in the new template
+   */
+  readonly resourceDefinition: any;
+
+  /**
+   * The diff as reported by `cloudformation-diff`.
+   */
+  readonly resourceDiff: ResourceDifference;
+}
+
+/**
+ * The information necessary to execute an import operation
+ */
+export interface ImportMap {
+  /**
+   * Mapping logical IDs to physical names
+   */
+  readonly resourceMap: ResourceMap;
+
+  /**
+   * The selection of resources we are actually importing
+   *
+   * For each of the resources in this list, there is a corresponding entry in
+   * the `resourceMap` map.
+   */
+  readonly importResources: ImportableResource[];
+}
+
+function fmtdict<A>(xs: Record<string, A>) {
+  return Object.entries(xs).map(([k, v]) => `${k}=${v}`).join(', ');
+}
+
+/**
+ * Add a default 'Delete' policy, which is required to make the import succeed
+ */
+function addDefaultDeletionPolicy(resource: any): any {
+  if (resource.DeletionPolicy) { return resource; }
+
+  return {
+    ...resource,
+    DeletionPolicy: 'Delete',
+  };
+}
+
+export interface DiscoverImportableResourcesResult {
+  readonly additions: ImportableResource[];
+  readonly hasNonAdditions: boolean;
+}
\ No newline at end of file
diff --git a/packages/aws-cdk/lib/util/asset-publishing.ts b/packages/aws-cdk/lib/util/asset-publishing.ts
index a795528e739d4..bfa204530ed08 100644
--- a/packages/aws-cdk/lib/util/asset-publishing.ts
+++ b/packages/aws-cdk/lib/util/asset-publishing.ts
@@ -6,20 +6,36 @@ import { ISDK } from '../api/aws-auth/sdk';
 import { SdkProvider } from '../api/aws-auth/sdk-provider';
 import { debug, error, print } from '../logging';
 
+export interface PublishAssetsOptions {
+  /**
+   * Print progress at 'debug' level
+   */
+  readonly quiet?: boolean;
+}
+
 /**
  * Use cdk-assets to publish all assets in the given manifest.
  */
-export async function publishAssets(manifest: cdk_assets.AssetManifest, sdk: SdkProvider, targetEnv: cxapi.Environment) {
+export async function publishAssets(
+  manifest: cdk_assets.AssetManifest,
+  sdk: SdkProvider,
+  targetEnv: cxapi.Environment,
+  options: PublishAssetsOptions = {},
+) {
   // This shouldn't really happen (it's a programming error), but we don't have
   // the types here to guide us. Do an runtime validation to be super super sure.
-  if (targetEnv.account === undefined || targetEnv.account === cxapi.UNKNOWN_ACCOUNT
-    || targetEnv.region === undefined || targetEnv.account === cxapi.UNKNOWN_REGION) {
-    throw new Error(`Asset publishing requires resolved account and region, got ${JSON.stringify(targetEnv)}`);
+  if (
+    targetEnv.account === undefined ||
+    targetEnv.account === cxapi.UNKNOWN_ACCOUNT ||
+    targetEnv.region === undefined ||
+    targetEnv.account === cxapi.UNKNOWN_REGION
+  ) {
+    throw new Error(`Asset publishing requires resolved account and region, got ${JSON.stringify( targetEnv)}`);
   }
 
   const publisher = new cdk_assets.AssetPublishing(manifest, {
     aws: new PublishingAws(sdk, targetEnv),
-    progressListener: new PublishingProgressListener(),
+    progressListener: new PublishingProgressListener(options.quiet ?? false),
     throwOnError: false,
     publishInParallel: true,
   });
@@ -119,7 +135,11 @@ const EVENT_TO_LOGGER: Record<cdk_assets.EventType, (x: string) => void> = {
 };
 
 class PublishingProgressListener implements cdk_assets.IPublishProgressListener {
+  constructor(private readonly quiet: boolean) {
+  }
+
   public onPublishEvent(type: cdk_assets.EventType, event: cdk_assets.IPublishProgress): void {
-    EVENT_TO_LOGGER[type](`[${event.percentComplete}%] ${type}: ${event.message}`);
+    const handler = this.quiet && type !== 'fail' ? debug : EVENT_TO_LOGGER[type];
+    handler(`[${event.percentComplete}%] ${type}: ${event.message}`);
   }
 }
diff --git a/packages/aws-cdk/test/cdk-toolkit.test.ts b/packages/aws-cdk/test/cdk-toolkit.test.ts
index 52922d51ed50f..fd77172a9dff7 100644
--- a/packages/aws-cdk/test/cdk-toolkit.test.ts
+++ b/packages/aws-cdk/test/cdk-toolkit.test.ts
@@ -681,7 +681,9 @@ describe('synth', () => {
     const toolkit = defaultToolkitSetup();
     await toolkit.synth([], false, false);
 
-    expect(stderrMock.mock.calls[1][0]).toMatch('Test-Stack-A-Display-Name, Test-Stack-B');
+    // Separate tests as colorizing hampers detection
+    expect(stderrMock.mock.calls[1][0]).toMatch('Test-Stack-A-Display-Name');
+    expect(stderrMock.mock.calls[1][0]).toMatch('Test-Stack-B');
   });
 
   test('with no stdout option', async () => {
diff --git a/packages/aws-cdk/test/import.test.ts b/packages/aws-cdk/test/import.test.ts
new file mode 100644
index 0000000000000..816b89abd535d
--- /dev/null
+++ b/packages/aws-cdk/test/import.test.ts
@@ -0,0 +1,207 @@
+jest.mock('promptly', () => {
+  return {
+    ...jest.requireActual('promptly'),
+    confirm: jest.fn(),
+    prompt: jest.fn(),
+  };
+});
+
+import * as promptly from 'promptly';
+import { CloudFormationDeployments } from '../lib/api/cloudformation-deployments';
+import { ResourceImporter, ImportMap } from '../lib/import';
+import { testStack } from './util';
+import { MockSdkProvider } from './util/mock-sdk';
+
+const promptlyConfirm = promptly.confirm as jest.Mock;
+const promptlyPrompt = promptly.prompt as jest.Mock;
+
+let createChangeSetInput: AWS.CloudFormation.CreateChangeSetInput | undefined;
+
+const STACK_WITH_QUEUE = testStack({
+  stackName: 'StackWithQueue',
+  template: {
+    Resources: {
+      MyQueue: {
+        Type: 'AWS::SQS::Queue',
+        Properties: {},
+      },
+    },
+  },
+});
+
+const STACK_WITH_NAMED_QUEUE = testStack({
+  stackName: 'StackWithQueue',
+  template: {
+    Resources: {
+      MyQueue: {
+        Type: 'AWS::SQS::Queue',
+        Properties: {
+          QueueName: 'TheQueueName',
+        },
+      },
+    },
+  },
+});
+
+let sdkProvider: MockSdkProvider;
+let deployments: CloudFormationDeployments;
+beforeEach(() => {
+  jest.resetAllMocks();
+  sdkProvider = new MockSdkProvider({ realSdk: false });
+  deployments = new CloudFormationDeployments({ sdkProvider });
+  createChangeSetInput = undefined;
+});
+
+test('discovers importable resources', async () => {
+  givenCurrentStack(STACK_WITH_QUEUE.stackName, {
+    Resources: {},
+  });
+
+  const importer = new ResourceImporter(STACK_WITH_QUEUE, deployments);
+  const { additions } = await importer.discoverImportableResources();
+  expect(additions).toEqual([
+    expect.objectContaining({
+      logicalId: 'MyQueue',
+    }),
+  ]);
+});
+
+test('by default, its an error if there are non-addition changes in the template', async () => {
+  givenCurrentStack(STACK_WITH_QUEUE.stackName, {
+    Resources: {
+      SomethingThatDisappeared: {
+        Type: 'AWS::S3::Bucket',
+      },
+    },
+  });
+
+  const importer = new ResourceImporter(STACK_WITH_QUEUE, deployments);
+  await expect(importer.discoverImportableResources()).rejects.toThrow(/No resource updates or deletes/);
+
+  // But the error can be silenced
+  await expect(importer.discoverImportableResources(true)).resolves.toBeTruthy();
+});
+
+test('asks human for resource identifiers', async () => {
+  // GIVEN
+  givenCurrentStack(STACK_WITH_QUEUE.stackName, { Resources: {} });
+  const importer = new ResourceImporter(STACK_WITH_QUEUE, deployments);
+  const { additions } = await importer.discoverImportableResources();
+
+  // WHEN
+  promptlyPrompt.mockResolvedValue('TheQueueName');
+  const importable = await importer.askForResourceIdentifiers(additions);
+
+  // THEN
+  expect(importable.resourceMap).toEqual({
+    MyQueue: {
+      QueueName: 'TheQueueName',
+    },
+  });
+  expect(importable.importResources).toEqual([
+    expect.objectContaining({
+      logicalId: 'MyQueue',
+    }),
+  ]);
+});
+
+test('asks human to confirm automic import if identifier is in template', async () => {
+  // GIVEN
+  givenCurrentStack(STACK_WITH_NAMED_QUEUE.stackName, { Resources: {} });
+  const importer = new ResourceImporter(STACK_WITH_NAMED_QUEUE, deployments);
+  const { additions } = await importer.discoverImportableResources();
+
+  // WHEN
+  promptlyConfirm.mockResolvedValue(true);
+  const importable = await importer.askForResourceIdentifiers(additions);
+
+  // THEN
+  expect(importable.resourceMap).toEqual({
+    MyQueue: {
+      QueueName: 'TheQueueName',
+    },
+  });
+  expect(importable.importResources).toEqual([
+    expect.objectContaining({
+      logicalId: 'MyQueue',
+    }),
+  ]);
+});
+
+test('asks human to confirm automic import if identifier is in template', async () => {
+  // GIVEN
+  givenCurrentStack(STACK_WITH_QUEUE.stackName, { Resources: {} });
+  const importer = new ResourceImporter(STACK_WITH_QUEUE, deployments);
+  const { additions } = await importer.discoverImportableResources();
+  const importMap: ImportMap = {
+    importResources: additions,
+    resourceMap: {
+      MyQueue: { QueueName: 'TheQueueName' },
+    },
+  };
+
+  // WHEN
+  await importer.importResources(importMap, {
+    stack: STACK_WITH_QUEUE,
+  });
+
+  expect(createChangeSetInput?.ResourcesToImport).toEqual([
+    {
+      LogicalResourceId: 'MyQueue',
+      ResourceIdentifier: { QueueName: 'TheQueueName' },
+      ResourceType: 'AWS::SQS::Queue',
+    },
+  ]);
+});
+
+function givenCurrentStack(stackName: string, template: any) {
+  sdkProvider.stubCloudFormation({
+    describeStacks() {
+      return {
+        Stacks: [
+          {
+            StackName: stackName,
+            CreationTime: new Date(),
+            StackStatus: 'UPDATE_COMPLETE',
+            StackStatusReason: 'It is magic',
+            Outputs: [],
+          },
+        ],
+      };
+    },
+    getTemplate() {
+      return {
+        TemplateBody: JSON.stringify(template),
+      };
+    },
+    getTemplateSummary() {
+      return {
+        ResourceIdentifierSummaries: [
+          {
+            ResourceType: 'AWS::SQS::Queue',
+            ResourceIdentifiers: ['QueueName'],
+          },
+        ],
+      };
+    },
+    deleteChangeSet() {
+      return {};
+    },
+    createChangeSet(request) {
+      createChangeSetInput = request;
+      return {};
+    },
+    describeChangeSet() {
+      return {
+        Status: 'CREATE_COMPLETE',
+        Changes: [],
+      };
+    },
+    executeChangeSet() {
+      return {};
+    },
+    describeStackEvents() {
+      return {};
+    },
+  });
+}
\ No newline at end of file
diff --git a/packages/aws-cdk/test/integ/cli/app/app.js b/packages/aws-cdk/test/integ/cli/app/app.js
index 834b6369079c9..c98afe071d1fb 100644
--- a/packages/aws-cdk/test/integ/cli/app/app.js
+++ b/packages/aws-cdk/test/integ/cli/app/app.js
@@ -8,6 +8,7 @@ if (process.env.PACKAGE_LAYOUT_VERSION === '1') {
   var ssm = require('@aws-cdk/aws-ssm');
   var iam = require('@aws-cdk/aws-iam');
   var sns = require('@aws-cdk/aws-sns');
+  var sqs = require('@aws-cdk/aws-sqs');
   var lambda = require('@aws-cdk/aws-lambda');
   var docker = require('@aws-cdk/aws-ecr-assets');
 } else {
@@ -18,6 +19,7 @@ if (process.env.PACKAGE_LAYOUT_VERSION === '1') {
     aws_ssm: ssm,
     aws_iam: iam,
     aws_sns: sns,
+    aws_sqs: sqs,
     aws_lambda: lambda,
     aws_ecr_assets: docker
   } = require('aws-cdk-lib');
@@ -61,6 +63,27 @@ class YourStack extends cdk.Stack {
   }
 }
 
+class ImportableStack extends cdk.Stack {
+  constructor(parent, id, props) {
+    super(parent, id, props);
+
+    if (!process.env.OMIT_TOPIC) {
+      const queue = new sqs.Queue(this, 'Queue', {
+        removalPolicy: process.env.ORPHAN_TOPIC ? cdk.RemovalPolicy.RETAIN : cdk.RemovalPolicy.DESTROY,
+      });
+
+      new cdk.CfnOutput(this, 'QueueName', {
+        value: queue.queueName,
+      });
+      new cdk.CfnOutput(this, 'QueueLogicalId', {
+        value: queue.node.defaultChild.logicalId,
+      });
+    }
+
+    new cdk.CfnWaitConditionHandle(this, 'Handle');
+  }
+}
+
 class StackUsingContext extends cdk.Stack {
   constructor(parent, id, props) {
     super(parent, id, props);
@@ -367,6 +390,8 @@ switch (stackSet) {
     new SomeStage(app, `${stackPrefix}-stage`);
 
     new BuiltinLambdaStack(app, `${stackPrefix}-builtin-lambda-function`);
+
+    new ImportableStack(app, `${stackPrefix}-importable-stack`);
     break;
 
   case 'stage-using-context':
diff --git a/packages/aws-cdk/test/integ/cli/cli.integtest.ts b/packages/aws-cdk/test/integ/cli/cli.integtest.ts
index 7f65950550cb4..07a282b8beed5 100644
--- a/packages/aws-cdk/test/integ/cli/cli.integtest.ts
+++ b/packages/aws-cdk/test/integ/cli/cli.integtest.ts
@@ -988,6 +988,42 @@ integTest('skips notice refresh', withDefaultFixture(async (fixture) => {
   await expect(output).not.toContain('Notices refresh failed');
 }));
 
+/**
+ * Create a queue with a fresh name, redeploy orphaning the queue, then import it again
+ */
+integTest('test resource import', withDefaultFixture(async (fixture) => {
+  const outputsFile = path.join(fixture.integTestDir, 'outputs', 'outputs.json');
+  await fs.mkdir(path.dirname(outputsFile), { recursive: true });
+
+  // Initial deploy
+  await fixture.cdkDeploy('importable-stack', {
+    modEnv: { ORPHAN_TOPIC: '1' },
+    options: ['--outputs-file', outputsFile],
+  });
+
+  const outputs = JSON.parse((await fs.readFile(outputsFile, { encoding: 'utf-8' })).toString());
+  const queueName = outputs.QueueName;
+  const queueLogicalId = outputs.QueueLogicalId;
+  fixture.log(`Setup complete, created queue ${queueName}`);
+  try {
+    // Deploy again, orphaning the queue
+    await fixture.cdkDeploy('importable-stack', {
+      modEnv: { OMIT_TOPIC: '1' },
+    });
+
+    // Write a resource mapping file based on the ID from step one, then run an import
+    const mappingFile = path.join(fixture.integTestDir, 'outputs', 'mapping.json');
+    await fs.writeFile(mappingFile, JSON.stringify({ [queueLogicalId]: { QueueName: queueName } }), { encoding: 'utf-8' });
+
+    await fixture.cdk(['import',
+      '--resource-mapping', mappingFile,
+      fixture.fullStackName('importable-stack')]);
+  } finally {
+    // Cleanup
+    await fixture.cdkDestroy('importable-stack');
+  }
+}));
+
 async function listChildren(parent: string, pred: (x: string) => Promise<boolean>) {
   const ret = new Array<string>();
   for (const child of await fs.readdir(parent, { encoding: 'utf-8' })) {
diff --git a/packages/aws-cdk/test/integ/helpers/cdk.ts b/packages/aws-cdk/test/integ/helpers/cdk.ts
index 72dd0299f66ab..7fdeb052d21c3 100644
--- a/packages/aws-cdk/test/integ/helpers/cdk.ts
+++ b/packages/aws-cdk/test/integ/helpers/cdk.ts
@@ -109,6 +109,7 @@ export function withCdkApp<A extends TestContext & AwsContext>(block: (context:
         await installNpmPackages(fixture, {
           '@aws-cdk/core': installationVersion,
           '@aws-cdk/aws-sns': installationVersion,
+          '@aws-cdk/aws-sqs': installationVersion,
           '@aws-cdk/aws-iam': installationVersion,
           '@aws-cdk/aws-lambda': installationVersion,
           '@aws-cdk/aws-ssm': installationVersion,
@@ -722,9 +723,7 @@ const installNpm7 = memoize0(async (): Promise<string> => {
   await shell(['rm', '-rf', installDir]);
   await shell(['mkdir', '-p', installDir]);
 
-  await shell(['npm', 'install',
-    '--prefix', installDir,
-    'npm@7']);
+  await shell(['npm', 'install', 'npm@7'], { cwd: installDir });
 
   return path.join(installDir, 'node_modules', '.bin', 'npm');
 });
diff --git a/packages/aws-cdk/test/integ/helpers/test-helpers.ts b/packages/aws-cdk/test/integ/helpers/test-helpers.ts
index e74d7d000a777..5dc65f6ed492e 100644
--- a/packages/aws-cdk/test/integ/helpers/test-helpers.ts
+++ b/packages/aws-cdk/test/integ/helpers/test-helpers.ts
@@ -25,8 +25,6 @@ export function integTest(
   const runner = shouldSkip(name) ? testKind.skip : testKind;
 
   runner(name, async () => {
-    // eslint-disable-next-line no-console
-    console.log(`running test ${name} using ${runner.name}`);
     const output = new MemoryStream();
 
     output.write('================================================================\n');
diff --git a/packages/aws-cdk/test/util/mock-sdk.ts b/packages/aws-cdk/test/util/mock-sdk.ts
index 7b721cdf57a12..ae3d590e70f7e 100644
--- a/packages/aws-cdk/test/util/mock-sdk.ts
+++ b/packages/aws-cdk/test/util/mock-sdk.ts
@@ -31,6 +31,7 @@ export interface MockSdkProviderOptions {
  */
 export class MockSdkProvider extends SdkProvider {
   public readonly sdk: ISDK;
+  private readonly _mockSdk?: MockSdk;
 
   constructor(options: MockSdkProviderOptions = {}) {
     super(FAKE_CREDENTIAL_CHAIN, 'bermuda-triangle-1337', { customUserAgent: 'aws-cdk/jest' });
@@ -40,10 +41,17 @@ export class MockSdkProvider extends SdkProvider {
     if (options.realSdk ?? true) {
       this.sdk = new SDK(FAKE_CREDENTIALS, this.defaultRegion, { customUserAgent: 'aws-cdk/jest' });
     } else {
-      this.sdk = new MockSdk();
+      this.sdk = this._mockSdk = new MockSdk();
     }
   }
 
+  public get mockSdk(): MockSdk {
+    if (!this._mockSdk) {
+      throw new Error('MockSdkProvider was not created with \'realSdk: false\'');
+    }
+    return this._mockSdk;
+  }
+
   async baseCredentialsPartition(_environment: cxapi.Environment, _mode: Mode): Promise<string | undefined> {
     return undefined;
   }
diff --git a/packages/aws-cdk/tsconfig.json b/packages/aws-cdk/tsconfig.json
index ae3c57a0f5064..b1de148db28b3 100644
--- a/packages/aws-cdk/tsconfig.json
+++ b/packages/aws-cdk/tsconfig.json
@@ -1,8 +1,8 @@
 {
     "compilerOptions": {
-        "target": "ES2018",
+        "target": "ES2019",
         "module": "commonjs",
-        "lib": ["es2018", "dom"],
+        "lib": ["es2019", "dom"],
         "strict": true,
         "alwaysStrict": true,
         "declaration": true,