A rule returns feedback on a specific level: Error, Warning or Informational.
Errors will start with the letter E
. Errors will (or can) result in a hard failure for the template being validated.
Warnings start with the letter W
. Warnings alert you when the template doesn't follow best practices but should still function. Example: If you use a parameter for a RDS master password you should have the parameter property NoEcho set to true.
Informational results start with the letter I
. Informational alert you when the template doesn't follow best practices, just like the Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using -c I
or --include-checks I
.
Rule Numbers | Category |
---|---|
(E|W|I)0XXX | Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.) |
(E|W|I)1XXX | Functions (Ref, GetAtt, etc.) |
(E|W|I)2XXX | Parameters |
(E|W|I)3XXX | Resources |
(E|W|I)4XXX | Metadata |
(E|W|I)6xxx | Outputs |
(E|W|I)7xxx | Mappings |
(E|W|I)8xxx | Conditions |
(E|W|I)9xxx | Reserved for users rules |
Warning
Rule E3012
is used to check the types for value of a resource property. A number is a number, string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process so all instances of this issue are considered errors. You can disable this rule using --ignore-checks
if it is not required for your internal best practices. Conversely, strict typing is NOT enforced by default for this rule, so if strict adherence to resource value types is necessary for your use case, you can use --configure-rule E3012:strict=true
to enforce the rule.
Sometimes there are (new) rules that might be complex, that doesn't have enough solid test templates and examples and/or might have unexpected results. We support adding in these rules so they can be tested, tweaked and improved before they become generally available.
A rule can be marked as experimental by setting the experimental
flag in the Rule's MetaData:
class MyExperimentalRule(CloudFormationLintRule):
id = 'E1234'
...
experimental = True
To include these rules, use the -e/include-experimental
argument when running cfn-lint.
(This documentation is generated by running cfn-lint --update-documentation
, do not alter this manually)
The following 236 rules are applied by this linter:
Rule ID | Title | Description | Config (Name:Type:Default) |
Source | Tags |
---|---|---|---|---|---|
E0000 | Parsing error found when parsing the template | Checks for JSON/YAML formatting errors in your template | Source | base |
|
E0001 | Error found when transforming the template | Errors found when performing transformation on the template | Source | base ,transform |
|
E0002 | Error processing rule on the template | Errors found when processing a rule on the template | Source | base ,rule |
|
E1001 | Basic CloudFormation Template Configuration | Making sure the basic CloudFormation template components are properly configured | sections:string: | Source | base |
E1002 | Validate if a template size is too large | Check the size of the template is less than the upper limit | Source | limits |
|
E1003 | Validate the max size of a description | Check if the size of the template description is less than the upper limit | Source | description ,limits |
|
E1004 | Template description can only be a string | Template description can only be a string | Source | description |
|
E1005 | Validate Transform configuration | Validate that the transforms section of a template is properly configured | Source | transform |
|
E1010 | GetAtt validation of parameters | Validates that GetAtt parameters are to valid resources and properties of those resources | Source | functions ,getatt |
|
E1011 | FindInMap validation of configuration | Making sure the function is a list of appropriate config | Source | functions ,findinmap |
|
E1015 | GetAz validation of parameters | Making sure the GetAz function is properly configured | Source | functions ,getaz |
|
E1016 | ImportValue validation of parameters | Making sure the ImportValue function is properly configured | Source | functions ,importvalue |
|
E1017 | Select validation of parameters | Making sure the Select function is properly configured | Source | functions ,select |
|
E1018 | Split validation of parameters | Making sure the split function is properly configured | Source | functions ,split |
|
E1019 | Sub validation of parameters | Making sure the sub function is properly configured | Source | functions ,sub |
|
E1020 | Ref validation of value | Making sure the Ref has a String value (no other functions are supported) | Source | functions ,ref |
|
E1021 | Base64 validation of parameters | Making sure the Base64 function is properly configured | Source | functions ,base64 |
|
E1022 | Join validation of parameters | Making sure the join function is properly configured | Source | functions ,join |
|
E1024 | Cidr validation of parameters | Making sure the function CIDR is a list with valid values | Source | functions ,cidr |
|
E1027 | Check dynamic references secure strings are in supported locations | Dynamic References Secure Strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. | Source | functions ,dynamic reference |
|
E1028 | Check Fn::If structure for validity | Check Fn::If to make sure its valid. Condition has to be a string. | Source | functions ,if |
|
E1029 | Sub is required if a variable is used in a string | If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. | custom_excludes:string: | Source | functions ,sub |
E1030 | Length validation of parameters | Making sure Fn::Length is configured correctly | Source | functions ,length |
|
E1031 | ToJsonString validation of parameters | Making sure Fn::ToJsonString is configured correctly | Source | functions ,toJsonString |
|
E1032 | Validates ForEach functions | Validates that ForEach parameters have a valid configuration | Source | functions ,foreach |
|
E1040 | Check if GetAtt matches destination format | Validate that if source and destination format exists that they match | Source | parameters ,ec2 ,imageid |
|
E1050 | Validate the structure of a dynamic reference | Make sure dynamic reference strings have the correct syntax | Source | functions ,dynamic reference |
|
E1051 | Validate dynamic references to secrets manager are only in resource properties | Dynamic references from secrets manager can only be used in resource properties | Source | functions ,dynamic reference |
|
E1052 | Validate dynamic references to SSM are in a valid location | Dynamic references to SSM parameters are only supported in certain locations | Source | functions ,dynamic reference |
|
E1101 | Validate an item against additional checks | Use supplemental logic to validate properties against | Source | ||
E1103 | Validate the format of a value | Parent rule for validating the format keyword in schemas | Source | ||
E1150 | Validate security group format | Security groups have to ref/gettatt to a security group or has the valid pattern | Source | ||
E1151 | Validate VPC id format | Check that a VPC id matches a pattern | Source | ||
E1152 | Validate AMI id format | Check that a AMI id matches a pattern | Source | ||
E1153 | Validate security group name | Security group names have to valid pattern | Source | ||
E1700 | Rules have the appropriate configuration | Making sure the Rules section is properly configured | Source | rules |
|
E1701 | Validate the configuration of Assertions | Make sure the Assert value in a Rule is properly configured | Source | rules |
|
E1702 | Validate the configuration of Rules RuleCondition | Make sure the RuleCondition in a Rule is properly configured | Source | rules |
|
E2001 | Parameters have appropriate properties | Making sure the parameters are properly configured | Source | parameters |
|
E2002 | Parameters have appropriate type | Making sure the parameters have a correct type | Source | parameters |
|
E2003 | Parameters have appropriate names | Check if Parameters are properly named (A-Za-z0-9) | Source | parameters ,name |
|
E2010 | Parameter limit not exceeded | Check the number of Parameters in the template is less than the upper limit | Source | parameters ,limits |
|
E2011 | Validate the name for a parameter | Validate the name of a parameter with special handling of the max length length | Source | parameters ,limits |
|
E2015 | Default value is within parameter constraints | Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern | Source | parameters |
|
E2529 | Check for SubscriptionFilters have beyond 2 attachments to a CloudWatch Log Group | The current limit for a CloudWatch Log Group is they can have 2 subscription filters. We will look for duplicate LogGroupNames inside Subscription Filters and make sure they are within 2. This doesn't account for any other subscription filters getting set. | Source | resources ,lambda |
|
E2530 | SnapStart supports the configured runtime | To properly leverage SnapStart, you must have a runtime of Java11 or greater | Source | resources ,lambda |
|
E2531 | Validate if lambda runtime is deprecated | Check the lambda runtime has reached the end of life | Source | resources ,lambda ,runtime |
|
E2533 | Check if Lambda Function Runtimes are updatable | Check if an EOL Lambda Runtime is specified and you cannot update the function | Source | resources ,lambda ,runtime |
|
E2540 | CodePipeline Stages | See if CodePipeline stages are set correctly | Source | properties ,codepipeline |
|
E2541 | CodePipeline Stage Actions | See if CodePipeline stage actions are set correctly | Source | resources ,codepipeline |
|
E3001 | Basic CloudFormation Resource Check | Making sure the basic CloudFormation resources are properly configured | Source | resources |
|
E3002 | Resource properties are invalid | Making sure that resources properties are properly configured | Source | resources |
|
E3003 | Required Resource properties are missing | Make sure that Resources properties that are required exist | Source | resources ,properties ,required |
|
E3004 | Resource dependencies are not circular | Check that Resources are not circularly dependent by DependsOn, Ref, Sub, or GetAtt | Source | resources ,circularly ,dependson ,ref ,sub ,getatt |
|
E3005 | Check DependsOn values for Resources | Check that the DependsOn values are valid | Source | resources ,dependson |
|
E3006 | Validate the CloudFormation resource type | Resource types are validated against the spec accounting for regions | Source | resources |
|
E3007 | Unique resource and parameter names | All resources and parameters must have unique names | Source | parameters ,resources |
|
E3008 | Validate an array in order | Will validate arrays in order for schema validation | Source | resources ,properties ,array ,prefixItems |
|
E3009 | Check CloudFormation init configuration | Validate that the items in a CloudFormation init adhere to standards | Source | resources ,cloudformation init |
|
E3010 | Resource limit not exceeded | Check the number of Resources in the template is less than the upper limit | Source | resources ,limits |
|
E3011 | Check property names in Resources | Validate property names are property configured in Resources | Source | resources ,limits |
|
E3012 | Check resource properties values | Checks resource property values with Primitive Types for values that match those types. | strict:boolean:False | Source | resources |
E3013 | CloudFront Aliases | CloudFront aliases should contain valid domain names | Source | properties ,cloudfront |
|
E3014 | Validate only one of a set of required properties are specified | Make sure that Resources properties that are required exist. Along with other properties not being specified | Source | resources |
|
E3015 | Validate the resource condition is valid | Check the condition of a resource to make sure it exists inside the template | Source | resources ,conditions |
|
E3016 | Check the configuration of a resources UpdatePolicy | Make sure a resources UpdatePolicy is properly configured | Source | resources ,updatepolicy |
|
E3017 | Check Properties that need at least one of a list of properties | Making sure CloudFormation properties that require at least one property from a list. More than one can be included. | Source | resources |
|
E3018 | Check Properties that need only one of a list of properties | Making sure CloudFormation properties that require only one property from a list. One has to be specified. | Source | resources |
|
E3019 | Validate that all resources have unique primary identifiers | Use the primary identifiers in a resource schema to validate that resources inside the template are unique | Source | parameters ,resources |
|
E3020 | Validate that when a property is specified another property should be excluded | When certain properties are specified other properties should not be included | Source | resources |
|
E3021 | Validate that when a property is specified that other properties should be included | When certain properties are specified it results in other properties to be required | Source | resources |
|
E3022 | Resource SubnetRouteTableAssociation Properties | Validate there is only one SubnetRouteTableAssociation per subnet | Source | resources ,ec2 ,subnet ,route table |
|
E3023 | Validate Route53 RecordSets | Check if all RecordSets are correctly configured | Source | resources ,route53 ,record_set |
|
E3024 | Validate tag configuration | Validates tag values to make sure they have unique keys and they follow pattern requirements | Source | parameters ,resources ,tags |
|
E3025 | Validates RDS DB Instance Class | Validates the RDS DB instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3026 | Check Elastic Cache Redis Cluster settings | Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled | Source | resources ,elasticcache |
|
E3027 | Validate AWS Event ScheduleExpression format | Validate the formation of the AWS::Event ScheduleExpression | Source | resources ,events |
|
E3028 | Validate the metadata section of a resource | The metadata section can be unstructured but we do validate the items we can | Source | resources |
|
E3029 | Validate Route53 record set aliases | When using alias records you can't specify TTL or certain types are allowed | Source | resources ,route53 ,record_set |
|
E3030 | Check if properties have a valid value | Check if properties have a valid value in case of an enumator | Source | resources ,property ,allowed value |
|
E3031 | Check if property values adhere to a specific pattern | Check if properties have a valid value in case of a pattern (Regular Expression) | exceptions:list:[] | Source | resources ,property ,allowed pattern ,regex |
E3032 | Check if a array has between min and max number of values specified | Check array for the number of items in the list to validate they are between the minimum and maximum | Source | resources ,property ,array ,length |
|
E3033 | Check if a string has between min and max number of values specified | Check strings for its length between the minimum and maximum | Source | resources ,property ,string ,size |
|
E3034 | Check if a number is between min and max | Check numbers (integers and floats) for its value being between the minimum and maximum | Source | resources ,property ,number ,size |
|
E3035 | Check DeletionPolicy values for Resources | Check that the DeletionPolicy values are valid | Source | resources ,deletionpolicy |
|
E3036 | Check UpdateReplacePolicy values for Resources | Check that the UpdateReplacePolicy values are valid | Source | resources ,updatereplacepolicy |
|
E3037 | Check if a list has duplicate values | Certain lists don't support duplicate items. Check when duplicates are provided but not supported. | Source | resources ,property ,list |
|
E3038 | Check if Serverless Resources have Serverless Transform | Check that a template with Serverless Resources also includes the Serverless Transform | Source | resources ,transform |
|
E3039 | AttributeDefinitions / KeySchemas mismatch | Verify the set of Attributes in AttributeDefinitions and KeySchemas match | Source | resources ,dynamodb |
|
E3040 | Validate we aren't configuring read only properties | Read only properties can be configured in a CloudFormation template but they aren't sent to the resource provider code and can cause drift. | Source | resources ,properties |
|
E3041 | RecordSet HostedZoneName is a superdomain of or equal to Name | In a RecordSet, the HostedZoneName must be a superdomain of or equal to the Name being validated | Source | resource ,properties ,route53 |
|
E3042 | Validate at least one essential container is specified | Check that every TaskDefinition specifies at least one essential container | Source | properties ,ecs ,task ,container ,fargate |
|
E3043 | Validate parameters for in a nested stack | Evalute if parameters for a nested stack are specified and if parameters are specified for a nested stack that aren't required. | Source | resources ,cloudformation |
|
E3044 | ECS service using FARGATE or EXTERNAL can only use SchedulingStrategy of REPLICA | When using a LaunchType of Fargate the SchedulingStrategy has to be Replica | Source | properties ,ecs ,service ,container ,fargate |
|
E3045 | Validate AccessControl are set with OwnershipControls | When using AccessControl other than private you must also configure OwnershipControls. The default is bucket owner enforced which disables ACLs. | Source | resources ,s3 |
|
E3046 | Validate ECS task logging configuration for awslogs | When 'awslogs' the options 'awslogs-group' and 'awslogs-region' are required | Source | resources |
|
E3047 | Validate ECS Fargate tasks have the right combination of CPU and memory | When using a ECS Fargate task there is a specfic combination of memory and cpu that can be used | Source | properties ,ecs ,service ,container ,fargate |
|
E3048 | Validate ECS Fargate tasks have required properties and values | When using a ECS Fargate task there is a specfic combination of required properties and values | Source | properties ,ecs ,service ,container ,fargate |
|
E3049 | Validate ECS tasks with dynamic host port have traffic-port ELB target groups | When using an ECS task definition of host port 0 and associating that container to an ELB the target group has to have a 'HealthCheckPort' of 'traffic-port' | Source | resources |
|
E3050 | Check if REFing to a IAM resource with path set | Some resources don't support looking up the IAM resource by name. This check validates when a REF is being used and the Path is not '/' | Source | properties ,iam |
|
E3051 | Validate the structure of a SSM document | SSM documents are nested JSON/YAML in CloudFormation this rule adds validation to those documents | Source | properties ,ssm ,document |
|
E3052 | Validate ECS service requires NetworkConfiguration | When using an ECS task definition has NetworkMode set to 'awsvpc' then 'NetworkConfiguration' is required | Source | resources ,ecs |
|
E3053 | Validate ECS task definition is has correct values for 'HostPort' | The 'HostPort' must either be undefined or equal to the 'ContainerPort' value | Source | resources ,ecs |
|
E3054 | Validate ECS service using Fargate uses TaskDefinition that allows Fargate | When using an ECS service with 'LaunchType' of 'FARGATE' the associated task definition must have 'RequiresCompatibilities' specified with 'FARGATE' listed | Source | resources ,ecs |
|
E3055 | Check CreationPolicy values for Resources | Check that the CreationPolicy values are valid | Source | resources ,creationPolicy |
|
E3056 | ECS service using HealthCheckGracePeriodSeconds must also have LoadBalancers specified | When using a HealthCheckGracePeriodSeconds on an ECS service, the service must also have a LoadBalancers specified with at least one LoadBalancer in the array. | Source | properties ,ecs ,service ,container |
|
E3057 | Validate that CloudFront TargetOriginId is a specified Origin | CloudFront TargetOriginId has to map to an Origin Id that is in the same DistributionConfig | Source | properties ,cloudfront |
|
E3058 | Validate at least one of the properties are required | Make sure at least one of the resource properties are included | Source | resources |
|
E3503 | ValidationDomain is superdomain of DomainName | In ValidationDomainOptions, the ValidationDomain must be a superdomain of the DomainName being validated | Source | certificate ,certificatemanager ,domainvalidationoptions ,validationdomain |
|
E3504 | Check minimum 90 period is met between BackupPlan cold and delete | Check that Backup plans with lifecycle rules have >= 90 days between cold and delete | Source | properties ,backup ,plan ,lifecycle |
|
E3510 | Validate identity based IAM polices | IAM identity polices are embedded JSON in CloudFormation. This rule validates those embedded policies. | Source | resources ,iam |
|
E3511 | Validate IAM role arn pattern | Validate an IAM role arn pattern matches | Source | parameters ,iam |
|
E3512 | Validate resource based IAM polices | IAM resources polices are embedded JSON in CloudFormation. This rule validates those embedded policies. | Source | resources ,iam |
|
E3513 | Validate ECR repository policy | Private ECR repositories have a policy. This rule validates those policies. | Source | resources ,iam ,ecr |
|
E3601 | Validate the structure of a StateMachine definition | Validate the Definition or DefinitionString inside a AWS::StepFunctions::StateMachine resource | Source | resources ,statemachine |
|
E3615 | Validate the period is a valid value | Valid values are 10, 30, 60, and any multiple of 60. | Source | resources ,cloudwatch |
|
E3617 | Validate ManagedBlockchain instance type | Validates the ManagedBlockchain instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3620 | Validate a DocDB DB Instance class | Validates the DocDB instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3621 | Validate the instance types for AppStream Fleet | Validates the AppStream Fleet instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3628 | Validate EC2 instance types based on region | Validates the EC2 instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3633 | Validate Lambda event source mapping StartingPosition is used correctly | When 'EventSourceArn' is associate to Kinesis, Kafka, or DynamoDB you must specify 'StartingPosition | Source | resources |
|
E3634 | Validate Lambda event source mapping starting position is used with SQS | When 'EventSourceArn' is associated to SQS don't specify 'StartingPosition' | Source | resources |
|
E3635 | Validate Neptune DB instance class | Validates the instance types for Neptune DB based on region and data gathered from the pricing APIs | Source | resources |
|
E3638 | Validate DynamoDB BillingMode pay per request configuration | When 'BillingMode' is 'PAY_PER_REQUEST' don't specify 'ProvisionedThroughput' | Source | resources |
|
E3639 | When BillingMode is Provisioned you must specify ProvisionedThroughput | When 'BillingMode' is 'Provisioned' 'ProvisionedThroughput' is required | Source | resources |
|
E3641 | Validate GameLift Fleet EC2 instance type | Validates the GameLift Fleet EC2 instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3647 | Validate ElastiCache cluster cache node type | Validates the ElastiCache instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3652 | Validate Elasticsearch domain cluster instance | Validates the Elasticsearch instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3660 | RestApi requires a name when not using an OpenAPI specification | When using AWS::ApiGateway::RestApi you have to provide 'Name' if you don't provide 'Body' or 'BodyS3Location' | Source | resources ,apigateway |
|
E3661 | Validate Route53 health check has AlarmIdentifier when using CloudWatch | When 'Type' is 'CLOUDWATCH_METRIC' you must specify 'AlarmIdentifier' | Source | resources |
|
E3663 | Validate Lambda environment variable names aren't reserved | Lambda reserves a set of environment variable names for its use. This rule validates that the provided environment variable names don't use the reserved variable names | Source | resources ,lambda ,runtime |
|
E3667 | Validate RedShift cluster node type | Validates the RedShift instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3670 | Validate the instance types for an AmazonMQ Broker | Validates the instance types for AmazonMQ broker based on region and data gathered from the pricing APIs | Source | resources |
|
E3671 | Validate block device mapping configuration | Certain volume types require Iops to be specified | Source | resources ,ec2 |
|
E3672 | Validate the cluster node type for a DAX Cluster | Validates the DAX cluster instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3673 | Validate if an ImageId is required | Validate if an ImageID is required. It can be required if the associated LaunchTemplate doesn't specify an ImageID | Source | resources ,ec2 |
|
E3674 | Primary cannoy be True when PrivateIpAddress is specified | Only specify the private IP address for an instance in one spot | Source | resources ,ec2 |
|
E3675 | Validate EMR cluster instance type | Validates the EMR cluster instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E3676 | Validate ELBv2 protocols that require certificates have a certificate specified | When using HTTP or TLS you must specify a certificate | Source | resources |
|
E3677 | Validate Lambda using ZipFile requires an allowable runtime | Using the ZipFile attribute requires a javascript or python runtime to be specified | Source | resources |
|
E3678 | Using the ZipFile attribute requires a runtime to be specified | Using the ZipFile attribute requires a runtime to be specified | Source | resources |
|
E3679 | Validate ELB protocols that require certificates have a certificate specified | When using HTTPS or SSL you must provide a certificate | Source | resources |
|
E3680 | Application load balancers require at least 2 subnets | Source | resources |
||
E3682 | Validate when using Aurora certain properies aren't required | When creating an aurora DBInstance don't specify 'AllocatedStorage', 'BackupRetentionPeriod', 'CopyTagsToSnapshot', 'DeletionProtection', 'EnableIAMDatabaseAuthentication', 'MasterUserPassword', or 'StorageEncrypted' | Source | resources |
|
E3686 | Validate allowed properties when using a serverless RDS DB cluster | Validate that when EngineMode is 'serverless' or 'provisioned' that the appropriate allowed properties are provided. If 'EngineMode' is not provided make sure serverless properties don't exist at all. | Source | resources |
|
E3687 | Validate to and from ports based on the protocol | When using icmp, icmpv6, tcp, or udp you have to specify the to and from port ranges | Source | resources |
|
E3688 | Validate that to and from ports are both -1 | When ToPort or FromPort are -1 the other one must also be -1 | Source | resources |
|
E3689 | Validate MonitoringInterval and MonitoringRoleArn are used together | When MonitoringInterval is greater than 0 you need to specify MonitoringRoleArn. If MonitoringRoleArn is specified MonitoringInterval has to be greather than 0. | Source | resources |
|
E3690 | Validate DB Cluster Engine and Engine Version | Validate the DB Cluster engine along with the engine version | Source | resources |
|
E3691 | Validate DB Instance Engine and Engine Version | Validate the DB Instance engine along with the engine version | Source | resources |
|
E3692 | Validate Multi-AZ DB cluster configuration | When creating a Multi-AZ DB Cluster there are required fields and the allowed values are different | Source | resources |
|
E3693 | Validate Aurora DB cluster configuration | When creating an Aurora DB Cluster there are required fields and the allowed values are different | Source | resources |
|
E3694 | Validates RDS DB Cluster instance class | Validates the RDS DB Cluster instance types based on region and data gathered from the pricing APIs | Source | resources |
|
E4001 | Metadata Interface have appropriate properties | Metadata Interface properties are properly configured | Source | metadata |
|
E4002 | Validate the configuration of the Metadata section | Validates that Metadata section is an object and has no null values | Source | metadata |
|
E5001 | Check that Modules resources are valid | Check that Modules resources are valid | Source | resources ,modules |
|
E6001 | Check the properties of Outputs | Validate the property structure for outputs | Source | outputs |
|
E6002 | Outputs have required properties | Making sure the outputs have required properties | Source | outputs |
|
E6003 | Check the type of Outputs | Validate the type of properties in the Outputs section | Source | outputs |
|
E6004 | Outputs have appropriate names | Check if Outputs are properly named (A-Za-z0-9) | Source | outputs |
|
E6005 | Validate the Output condition is valid | Check the condition of an output to make sure it exists inside the template | Source | outputs ,conditions |
|
E6010 | Output limit not exceeded | Check the number of Outputs in the template is less than the upper limit | Source | outputs ,limits |
|
E6011 | Check property names in Outputs | Validate property names are property configured in Outputs | Source | outputs ,limits |
|
E6101 | Validate that outputs values are a string | Make sure that output values have a type of string | Source | outputs |
|
E6102 | Validate that output exports have values of strings | Make sure output exports have a value of type string | Source | outputs |
|
E7001 | Mappings are appropriately configured | Check if Mappings are properly configured | Source | mappings |
|
E7002 | Check property names in Mappings | Validate property names are property configured in Mappings | Source | mappings ,limits |
|
E7010 | Max number of properties for Mappings | Check the number of Mappings in the template is less than the upper limit | Source | mappings ,limits |
|
E8001 | Conditions have appropriate properties | Check if Conditions are properly configured | Source | conditions |
|
E8002 | Check if the referenced Conditions are defined | Making sure the used conditions are actually defined in the Conditions section | Source | conditions |
|
E8003 | Check Fn::Equals structure for validity | Check Fn::Equals is a list of two elements | Source | functions ,equals |
|
E8004 | Check Fn::And structure for validity | Check Fn::And is a list of two elements | Source | functions ,and |
|
E8005 | Check Fn::Not structure for validity | Check Fn::Not is a list of one element | Source | functions ,not |
|
E8006 | Check Fn::Or structure for validity | Check Fn::Or is a list of two elements | Source | functions ,or |
|
E8007 | Check Condition structure for validity | Check Condition has a value of another condition | Source | functions ,and |
|
I1002 | Validate approaching the template size limit | Check the size of the template is approaching the upper limit | Source | limits |
|
I1003 | Validate if we are approaching the max size of a description | Check if the size of the template description is approaching the upper limit | Source | description ,limits |
|
I1022 | Use Sub instead of Join | Prefer a sub instead of Join when using a join delimiter that is empty | Source | functions ,sub ,join |
|
I2010 | Parameter limit | Check the number of Parameters in the template is approaching the upper limit | Source | parameters ,limits |
|
I2011 | Parameter name limit | Check the size of Parameter names in the template is approaching the upper limit | Source | parameters ,limits |
|
I2530 | Validate that SnapStart is configured for >= Java11 runtimes | SnapStart is a no-cost feature that can increase performance up to 10x. Enable SnapStart for Java 11 and greater runtimes | Source | resources ,lambda |
|
I3010 | Resource limit | Check the number of Resources in the template is approaching the upper limit | Source | resources ,limits |
|
I3011 | Check stateful resources have a set UpdateReplacePolicy/DeletionPolicy | The default action when replacing/removing a resource is to delete it. This check requires you to explicitly set policies | Source | resources ,updatereplacepolicy ,deletionpolicy |
|
I3012 | Resource name limit | Check the size of Resource names in the template is approaching the upper limit | Source | resources ,limits |
|
I3013 | Check resources with auto expiring content have explicit retention period | The behaviour for data retention is different across AWS Services.If no retention period is specified the default for some services is to delete the data after a period of time.This check requires you to explicitly set the retention period for those resources to avoid unexpected data losses | Source | resources ,retentionperiod |
|
I3037 | Check if a list that allows duplicates has any duplicates | Certain lists support duplicate items.Provide an alert when list of strings or numbers have repeats. | Source | resources ,property ,list |
|
I3042 | ARNs should use correctly placed Pseudo Parameters | Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number | partition:boolean:True region:boolean:False accountId:boolean:False |
Source | resources |
I3100 | Checks for legacy instance type generations | New instance type generations increase performance and decrease cost | Source | resources ,ec2 ,rds ,elasticcache ,elasticsearch |
|
I6010 | Output limit | Check the number of Outputs in the template is approaching the upper limit | Source | outputs ,limits |
|
I6011 | Output name limit | Check the size of Output names in the template is approaching the upper limit | Source | outputs ,limits |
|
I7002 | Mapping name limit | Check the size of Mapping names in the template is approaching the upper limit | Source | mappings ,limits |
|
I7010 | Mapping limit | Check the number of Mappings in the template is approaching the upper limit | Source | mappings ,limits |
|
W1001 | Ref/GetAtt to resource that is available when conditions are applied | Check the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition. | Source | conditions ,resources ,relationships ,ref ,getatt ,sub |
|
W1011 | Instead of REFing a parameter for a secret use a dynamic reference | Instead of REFing a parameter for a secret use a dynamic reference. Solutions like SSM parameter store and secrets manager provide better security of sercrets | Source | functions ,dynamic reference ,ref |
|
W1019 | Validate that parameters to a Fn::Sub are used | Validate that Fn::Sub Parameters are used | Source | functions ,sub |
|
W1020 | Sub isn't needed if it doesn't have a variable defined | Checks sub strings to see if a variable is defined. | Source | functions ,sub |
|
W1028 | Check Fn::If has a path that cannot be reached | Check Fn::If path can be reached | Source | functions ,if |
|
W1030 | Validate the values that come from a Ref function | Resolve the Ref and then validate the values against the schema | Source | functions ,ref |
|
W1031 | Validate the values that come from a Fn::Sub function | Resolve the Fn::Sub and then validate the values against the schema | Source | functions ,sub |
|
W1032 | Validate the values that come from a Fn::Join function | Resolve the Fn::Join and then validate the values against the schema | Source | functions ,join |
|
W1033 | Validate the values that come from a Fn::Split function | Resolve the Fn::Split and then validate the values against the schema | Source | functions ,split |
|
W1034 | Validate the values that come from a Fn::FindInMap function | Resolve the Fn::FindInMap and then validate the values against the schema | Source | functions ,findinmap |
|
W1035 | Validate the values that come from a Fn::Select function | Resolve the Fn::Select and then validate the values against the schema | Source | functions ,select |
|
W1036 | Validate the values that come from a Fn::GetAZs function | Resolve the Fn::GetAZs and then validate the values against the schema | Source | functions ,getazs |
|
W1040 | Validate the values that come from a Fn::ToJsonString function | Resolve the Fn::ToJsonString and then validate the values against the schema | Source | functions ,tojsonstring |
|
W2001 | Check if Parameters are Used | Making sure the parameters defined are used | Source | parameters |
|
W2010 | NoEcho parameters are not masked when used in Metadata and Outputs | Using the NoEcho attribute does not mask any information stored in the following: Metadata, Outputs, Resource Metadata | Source | functions ,dynamic reference ,ref |
|
W2030 | Check if parameters have a valid value | Check if parameters have a valid value in case of an enumator. The Parameter's allowed values is based on the usages in property (Ref) | Source | parameters ,resources ,property ,allowed value |
|
W2031 | Check if parameters have a valid value based on an allowed pattern | Check if parameters have a valid value in a pattern. The Parameter's allowed pattern is based on the usages in property (Ref) | Source | parameters ,resources ,property ,pattern |
|
W2501 | Check if Password Properties are correctly configured | Password properties should not be strings and if parameter using NoEcho | Source | parameters ,passwords ,security ,dynamic reference |
|
W2506 | Check if ImageId Parameters have the correct type | See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id] | Source | parameters ,ec2 ,imageid |
|
W2511 | Check IAM Resource Policies syntax | See if the elements inside an IAM Resource policy are configured correctly. | Source | properties ,iam |
|
W2530 | Validate that SnapStart is properly configured | To properly leverage SnapStart, you must configure both the lambda function and attach a Lambda version resource | Source | resources ,lambda |
|
W2531 | Check if EOL Lambda Function Runtimes are used | Check if an EOL Lambda Runtime is specified and give a warning if used. | Source | resources ,lambda ,runtime |
|
W2533 | Check required properties for Lambda if the deployment package is a .zip file | When the package type is Zip, you must also specify the handler and runtime properties. |
Source | resources ,lambda |
|
W3002 | Warn when properties are configured to only work with the package command | Some properties can be configured to only work with the CloudFormationpackage command. Warn when this is the case so user is aware. | Source | resources |
|
W3005 | Check obsolete DependsOn configuration for Resources | Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. | Source | resources ,dependson ,ref ,getatt |
|
W3010 | Availability zone properties should not be hardcoded | Check if an Availability Zone property is hardcoded. | Source | parameters ,availabilityzone |
|
W3011 | Check resources with UpdateReplacePolicy/DeletionPolicy have both | Both UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletion | Source | resources ,updatereplacepolicy ,deletionpolicy |
|
W3034 | Check if parameter values are between min and max | Check if parameter values value being between the minimum and maximum | Source | resources ,property ,number ,size |
|
W3037* | Check IAM Permission configuration | Check for valid IAM Permissions | Source | properties ,iam ,permissions |
|
W3045 | Controlling access to an S3 bucket should be done with bucket policies | Nearly all access control configurations can be more successfully achieved with bucket policies. Consider using bucket policies instead of access control. | Source | resources ,s3 |
|
W3663 | Validate SourceAccount is required property | When configuration a Lambda permission with a SourceArn that doesn't have an AccountId you should also specify the SourceAccount | Source | resources ,lambda ,permission |
|
W3687 | Validate that ports aren't specified for certain protocols | When using a protocol other than icmp, icmpv6, tcp, or udp the port ranges properties are ignored | Source | resources |
|
W3688 | When restoring DBCluster certain properties are ignored | When creating a DBCluster extra properties are ignored and could result in drift | Source | resources ,rds |
|
W3689 | When using a source DB certain properties are ignored | When creating a DBCluster from a source certain properties are ignored and could result in drift | Source | resources ,rds |
|
W3693 | Validate Aurora DB cluster configuration for ignored properties | When creating an Aurora DB Cluster there are fields that will allow for successful deployment but are ignored | Source | resources |
|
W4001 | Metadata Interface parameters exist | Metadata Interface parameters actually exist | Source | metadata |
|
W4005 | Validate cfnlint configuration in the Metadata | Metadata cfn-lint configuration has many values and we want to validate that | Source | metadata |
|
W6001 | Check Outputs using ImportValue | Check if the Output value is set using ImportValue, so creating an Output of an Output | Source | outputs ,importvalue |
|
W7001 | Check if Mappings are Used | Making sure the mappings defined are used | Source | mappings |
|
W8001 | Check if Conditions are Used | Making sure the conditions defined are used | Source | conditions |
|
W8003 | Fn::Equals will always return true or false | Validate Fn::Equals to see if its comparing two strings or two equal items. While this works it may not be intended. | Source | functions ,equals |
* experimental rules