A rule returns feedback on a specific level: Error, Warning or Informational.
Errors will start with the letter E. Errors will (or can) result in a hard failure for the template being validated.
Warnings start with the letter W. Warnings alert you when the template doesn't follow best practices but should still function. Example: If you use a parameter for a RDS master password you should have the parameter property NoEcho set to true.
Informational results start with the letter I. Informational alert you when the template doesn't follow best practices, just like the Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using -c I or --include-checks I.
| Rule Numbers | Category |
|---|---|
| (E|W|I)0XXX | Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.) |
| (E|W|I)1XXX | Functions (Ref, GetAtt, etc.) |
| (E|W|I)2XXX | Parameters |
| (E|W|I)3XXX | Resources |
| (E|W|I)4XXX | Metadata |
| (E|W|I)6xxx | Outputs |
| (E|W|I)7xxx | Mappings |
| (E|W|I)8xxx | Conditions |
| (E|W|I)9xxx | Reserved for users rules |
Warning
Rule E3012 is used to check the types for value of a resource property. A number is a number, string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process so all instances of this issue are considered errors. You can disable this rule using --ignore-checks if it is not required for your internal best practices. Conversely, strict typing is NOT enforced by default for this rule, so if strict adherence to resource value types is necessary for your use case, you can use --configure-rule E3012:strict=true to enforce the rule.
Sometimes there are (new) rules that might be complex, that doesn't have enough solid test templates and examples and/or might have unexpected results. We support adding in these rules so they can be tested, tweaked and improved before they become generally available.
A rule can be marked as experimental by setting the experimental flag in the Rule's MetaData:
class MyExperimentalRule(CloudFormationLintRule):
id = 'E1234'
...
experimental = TrueTo include these rules, use the -e/include-experimental argument when running cfn-lint.
(This documentation is generated by running cfn-lint --update-documentation, do not alter this manually)
The following 158 rules are applied by this linter:
| Rule ID | Title | Description | Config (Name:Type:Default) |
Source | Tags |
|---|---|---|---|---|---|
| E0000 | Parsing error found when parsing the template | Checks for JSON/YAML formatting errors in your template | Source | base |
|
| E0001 | Error found when transforming the template | Errors found when performing transformation on the template | Source | base,transform |
|
| E0002 | Error processing rule on the template | Errors found when processing a rule on the template | Source | base,rule |
|
| E1001 | Basic CloudFormation Template Configuration | Making sure the basic CloudFormation template components are properly configured | sections:string: | Source | base |
| E1002 | Template size limit | Check the size of the template is less than the upper limit | Source | limits |
|
| E1003 | Template description limit | Check if the size of the template description is less than the upper limit | Source | description,limits |
|
| E1004 | Template description can only be a string | Template description can only be a string | Source | description |
|
| E1010 | GetAtt validation of parameters | Validates that GetAtt parameters are to valid resources and properties of those resources | Source | functions,getatt |
|
| E1011 | FindInMap validation of configuration | Making sure the function is a list of appropriate config | Source | functions,findinmap |
|
| E1012 | Check if Refs exist | Making sure the refs exist | Source | functions,ref |
|
| E1015 | GetAz validation of parameters | Making sure the GetAz function is properly configured | Source | functions,getaz |
|
| E1016 | ImportValue validation of parameters | Making sure the ImportValue function is properly configured | Source | functions,importvalue |
|
| E1017 | Select validation of parameters | Making sure the Select function is properly configured | Source | functions,select |
|
| E1018 | Split validation of parameters | Making sure the split function is properly configured | Source | functions,split |
|
| E1019 | Sub validation of parameters | Making sure the sub function is properly configured | Source | functions,sub |
|
| E1020 | Ref validation of value | Making sure the Ref has a String value (no other functions are supported) | Source | functions,ref |
|
| E1021 | Base64 validation of parameters | Making sure the Base64 function is properly configured | Source | functions,base64 |
|
| E1022 | Join validation of parameters | Making sure the join function is properly configured | Source | functions,join |
|
| E1023 | Validation NOT function configuration | Making sure that NOT functions are list | Source | functions,not |
|
| E1024 | Cidr validation of parameters | Making sure the function CIDR is a list with valid values | Source | functions,cidr |
|
| E1026 | Cannot reference resources in the Conditions block of the template | Check that any Refs in the Conditions block uses no resources | Source | conditions,functions,ref |
|
| E1027 | Check dynamic references secure strings are in supported locations | Dynamic References Secure Strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. | Source | functions,dynamic reference |
|
| E1028 | Check Fn::If structure for validity | Check Fn::If to make sure its valid. Condition has to be a string. | Source | functions,if |
|
| E1029 | Sub is required if a variable is used in a string | If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. | custom_excludes:string: | Source | functions,sub |
| E1030 | Length validation of parameters | Making sure Fn::Length is configured correctly | Source | functions,length |
|
| E1031 | ToJsonString validation of parameters | Making sure Fn::ToJsonString is configured correctly | Source | functions,toJsonString |
|
| E1032 | Validates ForEach functions | Validates that ForEach parameters have a valid configuration | Source | functions,foreach |
|
| E2001 | Parameters have appropriate properties | Making sure the parameters are properly configured | Source | parameters |
|
| E2002 | Parameters have appropriate type | Making sure the parameters have a correct type | Source | parameters |
|
| E2003 | Parameters have appropriate names | Check if Parameters are properly named (A-Za-z0-9) | Source | parameters |
|
| E2010 | Parameter limit not exceeded | Check the number of Parameters in the template is less than the upper limit | Source | parameters,limits |
|
| E2011 | Parameter name limit not exceeded | Check the size of Parameter names in the template is less than the upper limit | Source | parameters,limits |
|
| E2012 | Parameter value limit not exceeded | Check if the size of Parameter values in the template is less than the upper limit | Source | parameters,limits |
|
| E2014 | Default value cannot use Refs | Check if Refs are not used in Parameter Defaults | Source | parameters,ref |
|
| E2015 | Default value is within parameter constraints | Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern | Source | parameters |
|
| E2503 | Resource ELB Properties | See if Elb Resource Properties are set correctly HTTPS has certificate HTTP has no certificate | Source | properties,elb |
|
| E2504 | Check Ec2 Ebs Properties | See if Ec2 Ebs Properties are valid | Source | properties,ec2,ebs |
|
| E2507 | Check if IAM Policies are properly configured | See if there elements inside an IAM policy are correct | Source | properties,iam |
|
| E2520 | Check Properties that are mutually exclusive | Making sure CloudFormation properties that are exclusive are not defined | Source | resources |
|
| E2521 | Check Properties that are required together | Make sure CloudFormation resource properties are included together when required | Source | resources |
|
| E2522 | Check Properties that need at least one of a list of properties | Making sure CloudFormation properties that require at least one property from a list. More than one can be included. | Source | resources |
|
| E2523 | Check Properties that need only one of a list of properties | Making sure CloudFormation properties that require only one property from a list. One has to be specified. | Source | resources |
|
| E2529 | Check for SubscriptionFilters have beyond 2 attachments to a CloudWatch Log Group | The current limit for a CloudWatch Log Group is they can have 2 subscription filters. We will look for duplicate LogGroupNames inside Subscription Filters and make sure they are within 2. This doesn't account for any other subscription filters getting set. | Source | resources,lambda |
|
| E2530 | SnapStart supports the configured runtime | To properly leverage SnapStart, you must have a runtime of Java11 or greater | Source | resources,lambda |
|
| E2531 | Check if EOL Lambda Function Runtimes are used | Check if an EOL Lambda Runtime is specified and give an error if used. | Source | resources,lambda,runtime |
|
| E2532 | Check State Machine Definition for proper syntax | Check the State Machine String Definition to make sure its JSON. Validate basic syntax of the file to determine validity. | Source | resources,stepfunctions |
|
| E2540 | CodePipeline Stages | See if CodePipeline stages are set correctly | Source | properties,codepipeline |
|
| E2541 | CodePipeline Stage Actions | See if CodePipeline stage actions are set correctly | Source | resources,codepipeline |
|
| E3000 | Resource schema | CloudFormation Registry resource schema validation | Source | resources |
|
| E3001 | Basic CloudFormation Resource Check | Making sure the basic CloudFormation resources are properly configured | Source | resources |
|
| E3002 | Resource properties are invalid | Making sure that resources properties are properly configured | Source | resources |
|
| E3003 | Required Resource properties are missing | Making sure that Resources properties that are required exist | Source | resources |
|
| E3004 | Resource dependencies are not circular | Check that Resources are not circularly dependent by DependsOn, Ref, Sub, or GetAtt | Source | resources,circularly,dependson,ref,sub,getatt |
|
| E3005 | Check DependsOn values for Resources | Check that the DependsOn values are valid | Source | resources,dependson |
|
| E3006 | Resources have appropriate names | Check if Resources are properly named (A-Za-z0-9) | Source | resources |
|
| E3007 | Unique resource and parameter names | All resources and parameters must have unique names | Source | parameters,resources |
|
| E3008 | Check values of properties for valid Refs and GetAtts | Checks resource properties for Ref and GetAtt values | Source | resources,ref,getatt |
|
| E3010 | Resource limit not exceeded | Check the number of Resources in the template is less than the upper limit | Source | resources,limits |
|
| E3011 | Resource name limit not exceeded | Check the size of Resource names in the template is less than the upper limit | Source | resources,limits |
|
| E3012 | Check resource properties values | Checks resource property values with Primitive Types for values that match those types. | strict:boolean:False | Source | resources |
| E3013 | CloudFront Aliases | CloudFront aliases should contain valid domain names | Source | properties,cloudfront |
|
| E3016 | Check the configuration of a resources UpdatePolicy | Make sure a resources UpdatePolicy is properly configured | Source | resources,updatepolicy |
|
| E3017 | Property is required based on another properties value | When certain properties have a certain value it results in other properties being required. This rule will validate those required properties are specified when those values are supplied | Source | resources |
|
| E3018 | Property is unwanted based on another properties value | When certain properties have a certain value it results in other properties not being needed. This rule will validate those unwanted properties are not specified when those values are supplied | Source | resources |
|
| E3020 | Validate Route53 RecordSets | Check if all RecordSets are correctly configured | Source | resources,route53,record_set |
|
| E3021 | Check Events Rule Targets are less than or equal to 5 | CloudWatch Events Rule can only support up to 5 targets | Source | resources,events |
|
| E3022 | Resource SubnetRouteTableAssociation Properties | Validate there is only one SubnetRouteTableAssociation per subnet | Source | resources,ec2,subnet,route table |
|
| E3025 | RDS instance type is compatible with the RDS type | Check the RDS instance types are supported by the type of RDS engine. Only if the values are strings will this be checked. | Source | resources,rds |
|
| E3026 | Check Elastic Cache Redis Cluster settings | Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled | Source | resources,elasticcache |
|
| E3027 | Validate AWS Event ScheduleExpression format | Validate the formation of the AWS::Event ScheduleExpression | Source | resources,events |
|
| E3030 | Check if properties have a valid value | Check if properties have a valid value in case of an enumator | Source | resources,property,allowed value |
|
| E3031 | Check if property values adhere to a specific pattern | Check if properties have a valid value in case of a pattern (Regular Expression) | exceptions:list:[] | Source | resources,property,allowed pattern,regex |
| E3032 | Check if a list has between min and max number of values specified | Check lists for the number of items in the list to validate they are between the minimum and maximum | Source | resources,property,list,size |
|
| E3033 | Check if a string has between min and max number of values specified | Check strings for its length between the minimum and maximum | Source | resources,property,string,size |
|
| E3034 | Check if a number is between min and max | Check numbers (integers and floats) for its value being between the minimum and maximum | Source | resources,property,number,size |
|
| E3035 | Check DeletionPolicy values for Resources | Check that the DeletionPolicy values are valid | Source | resources,deletionpolicy |
|
| E3036 | Check UpdateReplacePolicy values for Resources | Check that the UpdateReplacePolicy values are valid | Source | resources,updatereplacepolicy |
|
| E3037 | Check if a list has duplicate values | Certain lists don't support duplicate items. Check when duplicates are provided but not supported. | Source | resources,property,list |
|
| E3038 | Check if Serverless Resources have Serverless Transform | Check that a template with Serverless Resources also includes the Serverless Transform | Source | resources,transform |
|
| E3039 | AttributeDefinitions / KeySchemas mismatch | Verify the set of Attributes in AttributeDefinitions and KeySchemas match | Source | resources,dynamodb |
|
| E3041 | RecordSet HostedZoneName is a superdomain of Name | In a RecordSet, the HostedZoneName must be a superdomain of the Name being validated | Source | resource,properties,route53 |
|
| E3042 | Check at least one essential container is specified | Check that every TaskDefinition specifies at least one essential container | Source | properties,ecs,task,container,fargate |
|
| E3043 | Validate parameters for in a nested stack | Evalute if parameters for a nested stack are specified and if parameters are specified for a nested stack that aren't required. | Source | resources,cloudformation |
|
| E3044 | Check Fargate service scheduling strategy | Check that Fargate service scheduling strategy is REPLICA | Source | properties,ecs,service,container,fargate |
|
| E3045 | Validate AccessControl are set with OwnershipControls | When using AccessControl other than private you must also configure OwnershipControls. The default is bucket owner enforced which disables ACLs. | Source | resources,s3 |
|
| E3050 | Check if REFing to a IAM resource with path set | Some resources don't support looking up the IAM resource by name. This check validates when a REF is being used and the Path is not '/' | Source | properties,iam |
|
| E3502 | Check if a JSON Object is within size limits | Validate properties that are JSON values so that their length is within the limits | Source | resources,limits,json |
|
| E3503 | ValidationDomain is superdomain of DomainName | In ValidationDomainOptions, the ValidationDomain must be a superdomain of the DomainName being validated | Source | certificate,certificatemanager,domainvalidationoptions,validationdomain |
|
| E3504 | Check minimum 90 period is met between BackupPlan cold and delete | Check that Backup plans with lifecycle rules have >= 90 days between cold and delete | Source | properties,backup,plan,lifecycle |
|
| E4001 | Metadata Interface have appropriate properties | Metadata Interface properties are properly configured | Source | metadata |
|
| E4002 | Validate the configuration of the Metadata section | Validates that Metadata section is an object and has no null values | Source | metadata |
|
| E5001 | Check that Modules resources are valid | Check that Modules resources are valid | Source | resources,modules |
|
| E6001 | Outputs have appropriate properties | Making sure the outputs are properly configured | Source | outputs |
|
| E6002 | Outputs have required properties | Making sure the outputs have required properties | Source | outputs |
|
| E6003 | Outputs have values of strings | Making sure the outputs have strings as values | Source | outputs |
|
| E6004 | Outputs have appropriate names | Check if Outputs are properly named (A-Za-z0-9) | Source | outputs |
|
| E6005 | Outputs descriptions can only be strings | Outputs descriptions can only be strings | Source | outputs |
|
| E6010 | Output limit not exceeded | Check the number of Outputs in the template is less than the upper limit | Source | outputs,limits |
|
| E6011 | Output name limit not exceeded | Check the size of Output names in the template is less than the upper limit | Source | outputs,limits |
|
| E6012 | Output description limit not exceeded | Check the size of Output description in the template is less than the upper limit | Source | outputs,limits |
|
| E7001 | Mappings are appropriately configured | Check if Mappings are properly configured | Source | mappings |
|
| E7002 | Mappings have appropriate names | Check if Mappings are properly named (A-Za-z0-9) | Source | mappings |
|
| E7003 | Mapping keys are strings and alphanumeric | Check if Mappings keys are properly typed as strings and alphanumeric | Source | mappings |
|
| E7010 | Mapping limit not exceeded | Check the number of Mappings in the template is less than the upper limit | Source | mappings,limits |
|
| E7011 | Mapping name limit not exceeded | Check the size of Mapping names in the template is less than the upper limit | Source | mappings,limits |
|
| E7012 | Mapping attribute limit not exceeded | Check if the amount of Mapping attributes in the template is less than the upper limit | Source | mappings,limits |
|
| E8001 | Conditions have appropriate properties | Check if Conditions are properly configured | Source | conditions |
|
| E8002 | Check if the referenced Conditions are defined | Making sure the used conditions are actually defined in the Conditions section | Source | conditions |
|
| E8003 | Check Fn::Equals structure for validity | Check Fn::Equals is a list of two elements | Source | functions,equals |
|
| E8004 | Check Fn::And structure for validity | Check Fn::And is a list of two elements | Source | functions,and |
|
| E8005 | Check Fn::Not structure for validity | Check Fn::Not is a list of one element | Source | functions,not |
|
| E8006 | Check Fn::Or structure for validity | Check Fn::Or is a list of two elements | Source | functions,or |
|
| I1002 | Template size limit | Check the size of the template is approaching the upper limit | Source | limits |
|
| I1003 | Template description limit | Check if the size of the template description is approaching the upper limit | Source | description,limits |
|
| I1022 | Use Sub instead of Join | Prefer a sub instead of Join when using a join delimiter that is empty | Source | functions,sub,join |
|
| I2010 | Parameter limit | Check the number of Parameters in the template is approaching the upper limit | Source | parameters,limits |
|
| I2011 | Parameter name limit | Check the size of Parameter names in the template is approaching the upper limit | Source | parameters,limits |
|
| I2012 | Parameter value limit | Check if the size of Parameter values in the template is approaching the upper limit | Source | parameters,limits |
|
| I2530 | Validate that SnapStart is configured for >= Java11 runtimes | SnapStart is a no-cost feature that can increase performance up to 10x. Enable SnapStart for Java 11 and greater runtimes | Source | resources,lambda |
|
| I3010 | Resource limit | Check the number of Resources in the template is approaching the upper limit | Source | resources,limits |
|
| I3011 | Check stateful resources have a set UpdateReplacePolicy/DeletionPolicy | The default action when replacing/removing a resource is to delete it. This check requires you to explicitly set policies | Source | resources,updatereplacepolicy,deletionpolicy |
|
| I3012 | Resource name limit | Check the size of Resource names in the template is approaching the upper limit | Source | resources,limits |
|
| I3013 | Check resources with auto expiring content have explicit retention period | The behaviour for data retention is different across AWS Services.If no retention period is specified the default for some services is to delete the data after a period of time.This check requires you to explicitly set the retention period for those resources to avoid unexpected data losses | Source | resources,retentionperiod |
|
| I3037 | Check if a list that allows duplicates has any duplicates | Certain lists support duplicate items.Provide an alert when list of strings or numbers have repeats. | Source | resources,property,list |
|
| I3042 | ARNs should use correctly placed Pseudo Parameters | Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number | partition:boolean:True region:boolean:False accountId:boolean:False |
Source | resources |
| I3100 | Checks for legacy instance type generations | New instance type generations increase performance and decrease cost | Source | resources,ec2,rds,elasticcache,elasticsearch |
|
| I6010 | Output limit | Check the number of Outputs in the template is approaching the upper limit | Source | outputs,limits |
|
| I6011 | Output name limit | Check the size of Output names in the template is approaching the upper limit | Source | outputs,limits |
|
| I6012 | Output description limit | Check the size of Output description in the template is approaching the upper limit | Source | outputs,limits |
|
| I7010 | Mapping limit | Check the number of Mappings in the template is approaching the upper limit | Source | mappings,limits |
|
| I7011 | Mapping name limit | Check the size of Mapping names in the template is approaching the upper limit | Source | mappings,limits |
|
| I7012 | Mapping attribute limit | Check if the amount of Mapping attributes in the template is approaching the upper limit | Source | mappings,limits |
|
| W1001 | Ref/GetAtt to resource that is available when conditions are applied | Check the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition. | Source | conditions,resources,relationships,ref,getatt,sub |
|
| W1011 | FindInMap keys exist in the map | Checks the keys in a FindInMap to make sure they exist. Check only if the Map Name is a string and if the key is a string. | Source | functions,findinmap |
|
| W1019 | Sub validation of parameters | Validate that Fn::Sub Parameters are used | Source | functions,sub |
|
| W1020 | Sub isn't needed if it doesn't have a variable defined | Checks sub strings to see if a variable is defined. | Source | functions,sub |
|
| W2001 | Check if Parameters are Used | Making sure the parameters defined are used | Source | parameters |
|
| W2030 | Check if parameters have a valid value | Check if parameters have a valid value in case of an enumator. The Parameter's allowed values is based on the usages in property (Ref) | Source | parameters,resources,property,allowed value |
|
| W2031 | Check if parameters have a valid value based on an allowed pattern | Check if parameters have a valid value in a pattern. The Parameter's allowed pattern is based on the usages in property (Ref) | Source | parameters,resources,property,allowed pattern |
|
| W2501 | Check if Password Properties are correctly configured | Password properties should not be strings and if parameter using NoEcho | Source | parameters,passwords,security,dynamic reference |
|
| W2506 | Check if ImageId Parameters have the correct type | See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id] | Source | parameters,ec2,imageid |
|
| W2510 | Parameter Memory Size attributes should have max and min | Check if a parameter that is used for Lambda memory size should have a min and max size that matches Lambda constraints | Source | parameters,lambda |
|
| W2511 | Check IAM Resource Policies syntax | See if the elements inside an IAM Resource policy are configured correctly. | Source | properties,iam |
|
| W2530 | Validate that SnapStart is properly configured | To properly leverage SnapStart, you must configure both the lambda function and attach a Lambda version resource | Source | resources,lambda |
|
| W2531 | Check if EOL Lambda Function Runtimes are used | Check if an EOL Lambda Runtime is specified and give a warning if used. | Source | resources,lambda,runtime |
|
| W2533 | Check required properties for Lambda if the deployment package is a .zip file | When the package type is Zip, you must also specify the handler and runtime properties. |
Source | resources,lambda |
|
| W3002 | Warn when properties are configured to only work with the package command | Some properties can be configured to only work with the CloudFormationpackage command. Warn when this is the case so user is aware. | Source | resources |
|
| W3005 | Check obsolete DependsOn configuration for Resources | Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. | Source | resources,dependson,ref,getatt |
|
| W3010 | Availability Zone Parameters should not be hardcoded | Check if an Availability Zone property is hardcoded. | Source | parameters,availabilityzone |
|
| W3011 | Check resources with UpdateReplacePolicy/DeletionPolicy have both | Both UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletion | Source | resources,updatereplacepolicy,deletionpolicy |
|
| W3037* | Check IAM Permission configuration | Check for valid IAM Permissions | Source | properties,iam,permissions |
|
| W3045 | Controlling access to an S3 bucket should be done with bucket policies | Nearly all access control configurations can be more successfully achieved with bucket policies. Consider using bucket policies instead of access control. | Source | resources,s3 |
|
| W4001 | Metadata Interface parameters exist | Metadata Interface parameters actually exist | Source | metadata |
|
| W4002 | Check for NoEcho References | Check if there is a NoEcho enabled parameter referenced within a resources Metadata section | Source | resources,NoEcho |
|
| W6001 | Check Outputs using ImportValue | Check if the Output value is set using ImportValue, so creating an Output of an Output | Source | outputs,importvalue |
|
| W7001 | Check if Mappings are Used | Making sure the mappings defined are used | Source | mappings |
|
| W8001 | Check if Conditions are Used | Making sure the conditions defined are used | Source | conditions |
|
| W8003 | Fn::Equals will always return true or false | Validate Fn::Equals to see if its comparing two strings or two equal items. While this works it may not be intended. | Source | functions,equals |
* experimental rules