Skip to content

Latest commit

 

History

History
287 lines (272 loc) · 80.1 KB

rules.md

File metadata and controls

287 lines (272 loc) · 80.1 KB

Rules

Rule levels

A rule returns feedback on a specific level: Error, Warning or Informational.

Errors

Errors will start with the letter E. Errors will (or can) result in a hard failure for the template being validated.

Warnings

Warnings start with the letter W. Warnings alert you when the template doesn't follow best practices but should still function. Example: If you use a parameter for a RDS master password you should have the parameter property NoEcho set to true.

Informational

Informational results start with the letter I. Informational alert you when the template doesn't follow best practices, just like the Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using -c I or --include-checks I.

Categories

Rule Numbers Category
(E|W|I)0XXX Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.)
(E|W|I)1XXX Functions (Ref, GetAtt, etc.)
(E|W|I)2XXX Parameters
(E|W|I)3XXX Resources
(E|W|I)4XXX Metadata
(E|W|I)6xxx Outputs
(E|W|I)7xxx Mappings
(E|W|I)8xxx Conditions
(E|W|I)9xxx Reserved for users rules

Warning Rule E3012 is used to check the types for value of a resource property. A number is a number, string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process so all instances of this issue are considered errors. You can disable this rule using --ignore-checks if it is not required for your internal best practices. Conversely, strict typing is NOT enforced by default for this rule, so if strict adherence to resource value types is necessary for your use case, you can use --configure-rule E3012:strict=true to enforce the rule.

Experimental rules

Sometimes there are (new) rules that might be complex, that doesn't have enough solid test templates and examples and/or might have unexpected results. We support adding in these rules so they can be tested, tweaked and improved before they become generally available.

A rule can be marked as experimental by setting the experimental flag in the Rule's MetaData:

class MyExperimentalRule(CloudFormationLintRule):
    id = 'E1234'
    ...
    experimental = True

To include these rules, use the -e/include-experimental argument when running cfn-lint.

Rules

(This documentation is generated by running cfn-lint --update-documentation, do not alter this manually)

The following 236 rules are applied by this linter:

Rule ID Title Description Config
(Name:Type:Default)
Source Tags
E0000 Parsing error found when parsing the template Checks for JSON/YAML formatting errors in your template Source base
E0001 Error found when transforming the template Errors found when performing transformation on the template Source base,transform
E0002 Error processing rule on the template Errors found when processing a rule on the template Source base,rule
E1001 Basic CloudFormation Template Configuration Making sure the basic CloudFormation template components are properly configured sections:string: Source base
E1002 Validate if a template size is too large Check the size of the template is less than the upper limit Source limits
E1003 Validate the max size of a description Check if the size of the template description is less than the upper limit Source description,limits
E1004 Template description can only be a string Template description can only be a string Source description
E1005 Validate Transform configuration Validate that the transforms section of a template is properly configured Source transform
E1010 GetAtt validation of parameters Validates that GetAtt parameters are to valid resources and properties of those resources Source functions,getatt
E1011 FindInMap validation of configuration Making sure the function is a list of appropriate config Source functions,findinmap
E1015 GetAz validation of parameters Making sure the GetAz function is properly configured Source functions,getaz
E1016 ImportValue validation of parameters Making sure the ImportValue function is properly configured Source functions,importvalue
E1017 Select validation of parameters Making sure the Select function is properly configured Source functions,select
E1018 Split validation of parameters Making sure the split function is properly configured Source functions,split
E1019 Sub validation of parameters Making sure the sub function is properly configured Source functions,sub
E1020 Ref validation of value Making sure the Ref has a String value (no other functions are supported) Source functions,ref
E1021 Base64 validation of parameters Making sure the Base64 function is properly configured Source functions,base64
E1022 Join validation of parameters Making sure the join function is properly configured Source functions,join
E1024 Cidr validation of parameters Making sure the function CIDR is a list with valid values Source functions,cidr
E1027 Check dynamic references secure strings are in supported locations Dynamic References Secure Strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. Source functions,dynamic reference
E1028 Check Fn::If structure for validity Check Fn::If to make sure its valid. Condition has to be a string. Source functions,if
E1029 Sub is required if a variable is used in a string If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. custom_excludes:string: Source functions,sub
E1030 Length validation of parameters Making sure Fn::Length is configured correctly Source functions,length
E1031 ToJsonString validation of parameters Making sure Fn::ToJsonString is configured correctly Source functions,toJsonString
E1032 Validates ForEach functions Validates that ForEach parameters have a valid configuration Source functions,foreach
E1040 Check if GetAtt matches destination format Validate that if source and destination format exists that they match Source parameters,ec2,imageid
E1050 Validate the structure of a dynamic reference Make sure dynamic reference strings have the correct syntax Source functions,dynamic reference
E1051 Validate dynamic references to secrets manager are only in resource properties Dynamic references from secrets manager can only be used in resource properties Source functions,dynamic reference
E1052 Validate dynamic references to SSM are in a valid location Dynamic references to SSM parameters are only supported in certain locations Source functions,dynamic reference
E1101 Validate an item against additional checks Use supplemental logic to validate properties against Source
E1103 Validate the format of a value Parent rule for validating the format keyword in schemas Source
E1150 Validate security group format Security groups have to ref/gettatt to a security group or has the valid pattern Source
E1151 Validate VPC id format Check that a VPC id matches a pattern Source
E1152 Validate AMI id format Check that a AMI id matches a pattern Source
E1153 Validate security group name Security group names have to valid pattern Source
E1700 Rules have the appropriate configuration Making sure the Rules section is properly configured Source rules
E1701 Validate the configuration of Assertions Make sure the Assert value in a Rule is properly configured Source rules
E1702 Validate the configuration of Rules RuleCondition Make sure the RuleCondition in a Rule is properly configured Source rules
E2001 Parameters have appropriate properties Making sure the parameters are properly configured Source parameters
E2002 Parameters have appropriate type Making sure the parameters have a correct type Source parameters
E2003 Parameters have appropriate names Check if Parameters are properly named (A-Za-z0-9) Source parameters,name
E2010 Parameter limit not exceeded Check the number of Parameters in the template is less than the upper limit Source parameters,limits
E2011 Validate the name for a parameter Validate the name of a parameter with special handling of the max length length Source parameters,limits
E2015 Default value is within parameter constraints Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern Source parameters
E2529 Check for SubscriptionFilters have beyond 2 attachments to a CloudWatch Log Group The current limit for a CloudWatch Log Group is they can have 2 subscription filters. We will look for duplicate LogGroupNames inside Subscription Filters and make sure they are within 2. This doesn't account for any other subscription filters getting set. Source resources,lambda
E2530 SnapStart supports the configured runtime To properly leverage SnapStart, you must have a runtime of Java11 or greater Source resources,lambda
E2531 Validate if lambda runtime is deprecated Check the lambda runtime has reached the end of life Source resources,lambda,runtime
E2533 Check if Lambda Function Runtimes are updatable Check if an EOL Lambda Runtime is specified and you cannot update the function Source resources,lambda,runtime
E2540 CodePipeline Stages See if CodePipeline stages are set correctly Source properties,codepipeline
E2541 CodePipeline Stage Actions See if CodePipeline stage actions are set correctly Source resources,codepipeline
E3001 Basic CloudFormation Resource Check Making sure the basic CloudFormation resources are properly configured Source resources
E3002 Resource properties are invalid Making sure that resources properties are properly configured Source resources
E3003 Required Resource properties are missing Make sure that Resources properties that are required exist Source resources,properties,required
E3004 Resource dependencies are not circular Check that Resources are not circularly dependent by DependsOn, Ref, Sub, or GetAtt Source resources,circularly,dependson,ref,sub,getatt
E3005 Check DependsOn values for Resources Check that the DependsOn values are valid Source resources,dependson
E3006 Validate the CloudFormation resource type Resource types are validated against the spec accounting for regions Source resources
E3007 Unique resource and parameter names All resources and parameters must have unique names Source parameters,resources
E3008 Validate an array in order Will validate arrays in order for schema validation Source resources,properties,array,prefixItems
E3009 Check CloudFormation init configuration Validate that the items in a CloudFormation init adhere to standards Source resources,cloudformation init
E3010 Resource limit not exceeded Check the number of Resources in the template is less than the upper limit Source resources,limits
E3011 Check property names in Resources Validate property names are property configured in Resources Source resources,limits
E3012 Check resource properties values Checks resource property values with Primitive Types for values that match those types. strict:boolean:False Source resources
E3013 CloudFront Aliases CloudFront aliases should contain valid domain names Source properties,cloudfront
E3014 Validate only one of a set of required properties are specified Make sure that Resources properties that are required exist. Along with other properties not being specified Source resources
E3015 Validate the resource condition is valid Check the condition of a resource to make sure it exists inside the template Source resources,conditions
E3016 Check the configuration of a resources UpdatePolicy Make sure a resources UpdatePolicy is properly configured Source resources,updatepolicy
E3017 Check Properties that need at least one of a list of properties Making sure CloudFormation properties that require at least one property from a list. More than one can be included. Source resources
E3018 Check Properties that need only one of a list of properties Making sure CloudFormation properties that require only one property from a list. One has to be specified. Source resources
E3019 Validate that all resources have unique primary identifiers Use the primary identifiers in a resource schema to validate that resources inside the template are unique Source parameters,resources
E3020 Validate that when a property is specified another property should be excluded When certain properties are specified other properties should not be included Source resources
E3021 Validate that when a property is specified that other properties should be included When certain properties are specified it results in other properties to be required Source resources
E3022 Resource SubnetRouteTableAssociation Properties Validate there is only one SubnetRouteTableAssociation per subnet Source resources,ec2,subnet,route table
E3023 Validate Route53 RecordSets Check if all RecordSets are correctly configured Source resources,route53,record_set
E3024 Validate tag configuration Validates tag values to make sure they have unique keys and they follow pattern requirements Source parameters,resources,tags
E3025 Validates RDS DB Instance Class Validates the RDS DB instance types based on region and data gathered from the pricing APIs Source resources
E3026 Check Elastic Cache Redis Cluster settings Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled Source resources,elasticcache
E3027 Validate AWS Event ScheduleExpression format Validate the formation of the AWS::Event ScheduleExpression Source resources,events
E3028 Validate the metadata section of a resource The metadata section can be unstructured but we do validate the items we can Source resources
E3029 Validate Route53 record set aliases When using alias records you can't specify TTL or certain types are allowed Source resources,route53,record_set
E3030 Check if properties have a valid value Check if properties have a valid value in case of an enumator Source resources,property,allowed value
E3031 Check if property values adhere to a specific pattern Check if properties have a valid value in case of a pattern (Regular Expression) exceptions:list:[] Source resources,property,allowed pattern,regex
E3032 Check if a array has between min and max number of values specified Check array for the number of items in the list to validate they are between the minimum and maximum Source resources,property,array,length
E3033 Check if a string has between min and max number of values specified Check strings for its length between the minimum and maximum Source resources,property,string,size
E3034 Check if a number is between min and max Check numbers (integers and floats) for its value being between the minimum and maximum Source resources,property,number,size
E3035 Check DeletionPolicy values for Resources Check that the DeletionPolicy values are valid Source resources,deletionpolicy
E3036 Check UpdateReplacePolicy values for Resources Check that the UpdateReplacePolicy values are valid Source resources,updatereplacepolicy
E3037 Check if a list has duplicate values Certain lists don't support duplicate items. Check when duplicates are provided but not supported. Source resources,property,list
E3038 Check if Serverless Resources have Serverless Transform Check that a template with Serverless Resources also includes the Serverless Transform Source resources,transform
E3039 AttributeDefinitions / KeySchemas mismatch Verify the set of Attributes in AttributeDefinitions and KeySchemas match Source resources,dynamodb
E3040 Validate we aren't configuring read only properties Read only properties can be configured in a CloudFormation template but they aren't sent to the resource provider code and can cause drift. Source resources,properties
E3041 RecordSet HostedZoneName is a superdomain of or equal to Name In a RecordSet, the HostedZoneName must be a superdomain of or equal to the Name being validated Source resource,properties,route53
E3042 Validate at least one essential container is specified Check that every TaskDefinition specifies at least one essential container Source properties,ecs,task,container,fargate
E3043 Validate parameters for in a nested stack Evalute if parameters for a nested stack are specified and if parameters are specified for a nested stack that aren't required. Source resources,cloudformation
E3044 ECS service using FARGATE or EXTERNAL can only use SchedulingStrategy of REPLICA When using a LaunchType of Fargate the SchedulingStrategy has to be Replica Source properties,ecs,service,container,fargate
E3045 Validate AccessControl are set with OwnershipControls When using AccessControl other than private you must also configure OwnershipControls. The default is bucket owner enforced which disables ACLs. Source resources,s3
E3046 Validate ECS task logging configuration for awslogs When 'awslogs' the options 'awslogs-group' and 'awslogs-region' are required Source resources
E3047 Validate ECS Fargate tasks have the right combination of CPU and memory When using a ECS Fargate task there is a specfic combination of memory and cpu that can be used Source properties,ecs,service,container,fargate
E3048 Validate ECS Fargate tasks have required properties and values When using a ECS Fargate task there is a specfic combination of required properties and values Source properties,ecs,service,container,fargate
E3049 Validate ECS tasks with dynamic host port have traffic-port ELB target groups When using an ECS task definition of host port 0 and associating that container to an ELB the target group has to have a 'HealthCheckPort' of 'traffic-port' Source resources
E3050 Check if REFing to a IAM resource with path set Some resources don't support looking up the IAM resource by name. This check validates when a REF is being used and the Path is not '/' Source properties,iam
E3051 Validate the structure of a SSM document SSM documents are nested JSON/YAML in CloudFormation this rule adds validation to those documents Source properties,ssm,document
E3052 Validate ECS service requires NetworkConfiguration When using an ECS task definition has NetworkMode set to 'awsvpc' then 'NetworkConfiguration' is required Source resources,ecs
E3053 Validate ECS task definition is has correct values for 'HostPort' The 'HostPort' must either be undefined or equal to the 'ContainerPort' value Source resources,ecs
E3054 Validate ECS service using Fargate uses TaskDefinition that allows Fargate When using an ECS service with 'LaunchType' of 'FARGATE' the associated task definition must have 'RequiresCompatibilities' specified with 'FARGATE' listed Source resources,ecs
E3055 Check CreationPolicy values for Resources Check that the CreationPolicy values are valid Source resources,creationPolicy
E3056 ECS service using HealthCheckGracePeriodSeconds must also have LoadBalancers specified When using a HealthCheckGracePeriodSeconds on an ECS service, the service must also have a LoadBalancers specified with at least one LoadBalancer in the array. Source properties,ecs,service,container
E3057 Validate that CloudFront TargetOriginId is a specified Origin CloudFront TargetOriginId has to map to an Origin Id that is in the same DistributionConfig Source properties,cloudfront
E3058 Validate at least one of the properties are required Make sure at least one of the resource properties are included Source resources
E3503 ValidationDomain is superdomain of DomainName In ValidationDomainOptions, the ValidationDomain must be a superdomain of the DomainName being validated Source certificate,certificatemanager,domainvalidationoptions,validationdomain
E3504 Check minimum 90 period is met between BackupPlan cold and delete Check that Backup plans with lifecycle rules have >= 90 days between cold and delete Source properties,backup,plan,lifecycle
E3510 Validate identity based IAM polices IAM identity polices are embedded JSON in CloudFormation. This rule validates those embedded policies. Source resources,iam
E3511 Validate IAM role arn pattern Validate an IAM role arn pattern matches Source parameters,iam
E3512 Validate resource based IAM polices IAM resources polices are embedded JSON in CloudFormation. This rule validates those embedded policies. Source resources,iam
E3513 Validate ECR repository policy Private ECR repositories have a policy. This rule validates those policies. Source resources,iam,ecr
E3601 Validate the structure of a StateMachine definition Validate the Definition or DefinitionString inside a AWS::StepFunctions::StateMachine resource Source resources,statemachine
E3615 Validate the period is a valid value Valid values are 10, 30, 60, and any multiple of 60. Source resources,cloudwatch
E3617 Validate ManagedBlockchain instance type Validates the ManagedBlockchain instance types based on region and data gathered from the pricing APIs Source resources
E3620 Validate a DocDB DB Instance class Validates the DocDB instance types based on region and data gathered from the pricing APIs Source resources
E3621 Validate the instance types for AppStream Fleet Validates the AppStream Fleet instance types based on region and data gathered from the pricing APIs Source resources
E3628 Validate EC2 instance types based on region Validates the EC2 instance types based on region and data gathered from the pricing APIs Source resources
E3633 Validate Lambda event source mapping StartingPosition is used correctly When 'EventSourceArn' is associate to Kinesis, Kafka, or DynamoDB you must specify 'StartingPosition Source resources
E3634 Validate Lambda event source mapping starting position is used with SQS When 'EventSourceArn' is associated to SQS don't specify 'StartingPosition' Source resources
E3635 Validate Neptune DB instance class Validates the instance types for Neptune DB based on region and data gathered from the pricing APIs Source resources
E3638 Validate DynamoDB BillingMode pay per request configuration When 'BillingMode' is 'PAY_PER_REQUEST' don't specify 'ProvisionedThroughput' Source resources
E3639 When BillingMode is Provisioned you must specify ProvisionedThroughput When 'BillingMode' is 'Provisioned' 'ProvisionedThroughput' is required Source resources
E3641 Validate GameLift Fleet EC2 instance type Validates the GameLift Fleet EC2 instance types based on region and data gathered from the pricing APIs Source resources
E3647 Validate ElastiCache cluster cache node type Validates the ElastiCache instance types based on region and data gathered from the pricing APIs Source resources
E3652 Validate Elasticsearch domain cluster instance Validates the Elasticsearch instance types based on region and data gathered from the pricing APIs Source resources
E3660 RestApi requires a name when not using an OpenAPI specification When using AWS::ApiGateway::RestApi you have to provide 'Name' if you don't provide 'Body' or 'BodyS3Location' Source resources,apigateway
E3661 Validate Route53 health check has AlarmIdentifier when using CloudWatch When 'Type' is 'CLOUDWATCH_METRIC' you must specify 'AlarmIdentifier' Source resources
E3663 Validate Lambda environment variable names aren't reserved Lambda reserves a set of environment variable names for its use. This rule validates that the provided environment variable names don't use the reserved variable names Source resources,lambda,runtime
E3667 Validate RedShift cluster node type Validates the RedShift instance types based on region and data gathered from the pricing APIs Source resources
E3670 Validate the instance types for an AmazonMQ Broker Validates the instance types for AmazonMQ broker based on region and data gathered from the pricing APIs Source resources
E3671 Validate block device mapping configuration Certain volume types require Iops to be specified Source resources,ec2
E3672 Validate the cluster node type for a DAX Cluster Validates the DAX cluster instance types based on region and data gathered from the pricing APIs Source resources
E3673 Validate if an ImageId is required Validate if an ImageID is required. It can be required if the associated LaunchTemplate doesn't specify an ImageID Source resources,ec2
E3674 Primary cannoy be True when PrivateIpAddress is specified Only specify the private IP address for an instance in one spot Source resources,ec2
E3675 Validate EMR cluster instance type Validates the EMR cluster instance types based on region and data gathered from the pricing APIs Source resources
E3676 Validate ELBv2 protocols that require certificates have a certificate specified When using HTTP or TLS you must specify a certificate Source resources
E3677 Validate Lambda using ZipFile requires an allowable runtime Using the ZipFile attribute requires a javascript or python runtime to be specified Source resources
E3678 Using the ZipFile attribute requires a runtime to be specified Using the ZipFile attribute requires a runtime to be specified Source resources
E3679 Validate ELB protocols that require certificates have a certificate specified When using HTTPS or SSL you must provide a certificate Source resources
E3680 Application load balancers require at least 2 subnets Source resources
E3682 Validate when using Aurora certain properies aren't required When creating an aurora DBInstance don't specify 'AllocatedStorage', 'BackupRetentionPeriod', 'CopyTagsToSnapshot', 'DeletionProtection', 'EnableIAMDatabaseAuthentication', 'MasterUserPassword', or 'StorageEncrypted' Source resources
E3686 Validate allowed properties when using a serverless RDS DB cluster Validate that when EngineMode is 'serverless' or 'provisioned' that the appropriate allowed properties are provided. If 'EngineMode' is not provided make sure serverless properties don't exist at all. Source resources
E3687 Validate to and from ports based on the protocol When using icmp, icmpv6, tcp, or udp you have to specify the to and from port ranges Source resources
E3688 Validate that to and from ports are both -1 When ToPort or FromPort are -1 the other one must also be -1 Source resources
E3689 Validate MonitoringInterval and MonitoringRoleArn are used together When MonitoringInterval is greater than 0 you need to specify MonitoringRoleArn. If MonitoringRoleArn is specified MonitoringInterval has to be greather than 0. Source resources
E3690 Validate DB Cluster Engine and Engine Version Validate the DB Cluster engine along with the engine version Source resources
E3691 Validate DB Instance Engine and Engine Version Validate the DB Instance engine along with the engine version Source resources
E3692 Validate Multi-AZ DB cluster configuration When creating a Multi-AZ DB Cluster there are required fields and the allowed values are different Source resources
E3693 Validate Aurora DB cluster configuration When creating an Aurora DB Cluster there are required fields and the allowed values are different Source resources
E3694 Validates RDS DB Cluster instance class Validates the RDS DB Cluster instance types based on region and data gathered from the pricing APIs Source resources
E4001 Metadata Interface have appropriate properties Metadata Interface properties are properly configured Source metadata
E4002 Validate the configuration of the Metadata section Validates that Metadata section is an object and has no null values Source metadata
E5001 Check that Modules resources are valid Check that Modules resources are valid Source resources,modules
E6001 Check the properties of Outputs Validate the property structure for outputs Source outputs
E6002 Outputs have required properties Making sure the outputs have required properties Source outputs
E6003 Check the type of Outputs Validate the type of properties in the Outputs section Source outputs
E6004 Outputs have appropriate names Check if Outputs are properly named (A-Za-z0-9) Source outputs
E6005 Validate the Output condition is valid Check the condition of an output to make sure it exists inside the template Source outputs,conditions
E6010 Output limit not exceeded Check the number of Outputs in the template is less than the upper limit Source outputs,limits
E6011 Check property names in Outputs Validate property names are property configured in Outputs Source outputs,limits
E6101 Validate that outputs values are a string Make sure that output values have a type of string Source outputs
E6102 Validate that output exports have values of strings Make sure output exports have a value of type string Source outputs
E7001 Mappings are appropriately configured Check if Mappings are properly configured Source mappings
E7002 Check property names in Mappings Validate property names are property configured in Mappings Source mappings,limits
E7010 Max number of properties for Mappings Check the number of Mappings in the template is less than the upper limit Source mappings,limits
E8001 Conditions have appropriate properties Check if Conditions are properly configured Source conditions
E8002 Check if the referenced Conditions are defined Making sure the used conditions are actually defined in the Conditions section Source conditions
E8003 Check Fn::Equals structure for validity Check Fn::Equals is a list of two elements Source functions,equals
E8004 Check Fn::And structure for validity Check Fn::And is a list of two elements Source functions,and
E8005 Check Fn::Not structure for validity Check Fn::Not is a list of one element Source functions,not
E8006 Check Fn::Or structure for validity Check Fn::Or is a list of two elements Source functions,or
E8007 Check Condition structure for validity Check Condition has a value of another condition Source functions,and
I1002 Validate approaching the template size limit Check the size of the template is approaching the upper limit Source limits
I1003 Validate if we are approaching the max size of a description Check if the size of the template description is approaching the upper limit Source description,limits
I1022 Use Sub instead of Join Prefer a sub instead of Join when using a join delimiter that is empty Source functions,sub,join
I2010 Parameter limit Check the number of Parameters in the template is approaching the upper limit Source parameters,limits
I2011 Parameter name limit Check the size of Parameter names in the template is approaching the upper limit Source parameters,limits
I2530 Validate that SnapStart is configured for >= Java11 runtimes SnapStart is a no-cost feature that can increase performance up to 10x. Enable SnapStart for Java 11 and greater runtimes Source resources,lambda
I3010 Resource limit Check the number of Resources in the template is approaching the upper limit Source resources,limits
I3011 Check stateful resources have a set UpdateReplacePolicy/DeletionPolicy The default action when replacing/removing a resource is to delete it. This check requires you to explicitly set policies Source resources,updatereplacepolicy,deletionpolicy
I3012 Resource name limit Check the size of Resource names in the template is approaching the upper limit Source resources,limits
I3013 Check resources with auto expiring content have explicit retention period The behaviour for data retention is different across AWS Services.If no retention period is specified the default for some services is to delete the data after a period of time.This check requires you to explicitly set the retention period for those resources to avoid unexpected data losses Source resources,retentionperiod
I3037 Check if a list that allows duplicates has any duplicates Certain lists support duplicate items.Provide an alert when list of strings or numbers have repeats. Source resources,property,list
I3042 ARNs should use correctly placed Pseudo Parameters Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number partition:boolean:True
region:boolean:False
accountId:boolean:False
Source resources
I3100 Checks for legacy instance type generations New instance type generations increase performance and decrease cost Source resources,ec2,rds,elasticcache,elasticsearch
I6010 Output limit Check the number of Outputs in the template is approaching the upper limit Source outputs,limits
I6011 Output name limit Check the size of Output names in the template is approaching the upper limit Source outputs,limits
I7002 Mapping name limit Check the size of Mapping names in the template is approaching the upper limit Source mappings,limits
I7010 Mapping limit Check the number of Mappings in the template is approaching the upper limit Source mappings,limits
W1001 Ref/GetAtt to resource that is available when conditions are applied Check the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition. Source conditions,resources,relationships,ref,getatt,sub
W1011 Instead of REFing a parameter for a secret use a dynamic reference Instead of REFing a parameter for a secret use a dynamic reference. Solutions like SSM parameter store and secrets manager provide better security of sercrets Source functions,dynamic reference,ref
W1019 Validate that parameters to a Fn::Sub are used Validate that Fn::Sub Parameters are used Source functions,sub
W1020 Sub isn't needed if it doesn't have a variable defined Checks sub strings to see if a variable is defined. Source functions,sub
W1028 Check Fn::If has a path that cannot be reached Check Fn::If path can be reached Source functions,if
W1030 Validate the values that come from a Ref function Resolve the Ref and then validate the values against the schema Source functions,ref
W1031 Validate the values that come from a Fn::Sub function Resolve the Fn::Sub and then validate the values against the schema Source functions,sub
W1032 Validate the values that come from a Fn::Join function Resolve the Fn::Join and then validate the values against the schema Source functions,join
W1033 Validate the values that come from a Fn::Split function Resolve the Fn::Split and then validate the values against the schema Source functions,split
W1034 Validate the values that come from a Fn::FindInMap function Resolve the Fn::FindInMap and then validate the values against the schema Source functions,findinmap
W1035 Validate the values that come from a Fn::Select function Resolve the Fn::Select and then validate the values against the schema Source functions,select
W1036 Validate the values that come from a Fn::GetAZs function Resolve the Fn::GetAZs and then validate the values against the schema Source functions,getazs
W1040 Validate the values that come from a Fn::ToJsonString function Resolve the Fn::ToJsonString and then validate the values against the schema Source functions,tojsonstring
W2001 Check if Parameters are Used Making sure the parameters defined are used Source parameters
W2010 NoEcho parameters are not masked when used in Metadata and Outputs Using the NoEcho attribute does not mask any information stored in the following: Metadata, Outputs, Resource Metadata Source functions,dynamic reference,ref
W2030 Check if parameters have a valid value Check if parameters have a valid value in case of an enumator. The Parameter's allowed values is based on the usages in property (Ref) Source parameters,resources,property,allowed value
W2031 Check if parameters have a valid value based on an allowed pattern Check if parameters have a valid value in a pattern. The Parameter's allowed pattern is based on the usages in property (Ref) Source parameters,resources,property,pattern
W2501 Check if Password Properties are correctly configured Password properties should not be strings and if parameter using NoEcho Source parameters,passwords,security,dynamic reference
W2506 Check if ImageId Parameters have the correct type See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id] Source parameters,ec2,imageid
W2511 Check IAM Resource Policies syntax See if the elements inside an IAM Resource policy are configured correctly. Source properties,iam
W2530 Validate that SnapStart is properly configured To properly leverage SnapStart, you must configure both the lambda function and attach a Lambda version resource Source resources,lambda
W2531 Check if EOL Lambda Function Runtimes are used Check if an EOL Lambda Runtime is specified and give a warning if used. Source resources,lambda,runtime
W2533 Check required properties for Lambda if the deployment package is a .zip file When the package type is Zip, you must also specify the handler and runtime properties. Source resources,lambda
W3002 Warn when properties are configured to only work with the package command Some properties can be configured to only work with the CloudFormationpackage command. Warn when this is the case so user is aware. Source resources
W3005 Check obsolete DependsOn configuration for Resources Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. Source resources,dependson,ref,getatt
W3010 Availability zone properties should not be hardcoded Check if an Availability Zone property is hardcoded. Source parameters,availabilityzone
W3011 Check resources with UpdateReplacePolicy/DeletionPolicy have both Both UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletion Source resources,updatereplacepolicy,deletionpolicy
W3034 Check if parameter values are between min and max Check if parameter values value being between the minimum and maximum Source resources,property,number,size
W3037* Check IAM Permission configuration Check for valid IAM Permissions Source properties,iam,permissions
W3045 Controlling access to an S3 bucket should be done with bucket policies Nearly all access control configurations can be more successfully achieved with bucket policies. Consider using bucket policies instead of access control. Source resources,s3
W3663 Validate SourceAccount is required property When configuration a Lambda permission with a SourceArn that doesn't have an AccountId you should also specify the SourceAccount Source resources,lambda,permission
W3687 Validate that ports aren't specified for certain protocols When using a protocol other than icmp, icmpv6, tcp, or udp the port ranges properties are ignored Source resources
W3688 When restoring DBCluster certain properties are ignored When creating a DBCluster extra properties are ignored and could result in drift Source resources,rds
W3689 When using a source DB certain properties are ignored When creating a DBCluster from a source certain properties are ignored and could result in drift Source resources,rds
W3693 Validate Aurora DB cluster configuration for ignored properties When creating an Aurora DB Cluster there are fields that will allow for successful deployment but are ignored Source resources
W4001 Metadata Interface parameters exist Metadata Interface parameters actually exist Source metadata
W4005 Validate cfnlint configuration in the Metadata Metadata cfn-lint configuration has many values and we want to validate that Source metadata
W6001 Check Outputs using ImportValue Check if the Output value is set using ImportValue, so creating an Output of an Output Source outputs,importvalue
W7001 Check if Mappings are Used Making sure the mappings defined are used Source mappings
W8001 Check if Conditions are Used Making sure the conditions defined are used Source conditions
W8003 Fn::Equals will always return true or false Validate Fn::Equals to see if its comparing two strings or two equal items. While this works it may not be intended. Source functions,equals

* experimental rules