A rule returns feedback on a specific level: Error, Warning or Informational.

Errors start with the letter `E`. Errors will (or can) result in a hard failure for the template being validated.

Warnings start with the letter `W`. Warnings alert you when the template doesn't follow best practices but should still function. Example: if you use a parameter for an RDS master password, you should have the parameter property `NoEcho` set to `true`.

Informational results start with the letter `I`. Informational results alert you when the template doesn't follow best practices, just like Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using `-c I` or `--include-checks I`.
Rule Numbers | Category |
---|---|
(E\|W\|I)0XXX | Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.) |
(E\|W\|I)1XXX | Functions (Ref, GetAtt, etc.) |
(E\|W\|I)2XXX | Parameters |
(E\|W\|I)3XXX | Resources |
(E\|W\|I)4XXX | Metadata |
(E\|W\|I)6XXX | Outputs |
(E\|W\|I)7XXX | Mappings |
(E\|W\|I)8XXX | Conditions |
(E\|W\|I)9XXX | Reserved for user rules |
Warning

Rule `E3012` is used to check the types of the values of resource properties: a number is a number, a string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process, so all instances of this issue are considered errors. You can disable this rule using `--ignore-checks` if it is not required for your internal best practices.
Sometimes there are (new) rules that might be complex, that don't have enough solid test templates and examples, and/or might have unexpected results. We support adding these rules so they can be tested, tweaked and improved before they become generally available.

A rule can be marked as experimental by setting the `experimental` flag in the rule's metadata:

```python
from cfnlint.rules import CloudFormationLintRule  # base class every cfn-lint rule extends


class MyExperimentalRule(CloudFormationLintRule):
    id = 'E1234'
    ...
    experimental = True  # only loaded when -e/--include-experimental is given
```

To include these rules, use the `-e`/`--include-experimental` argument when running cfn-lint.
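As an added example (not cfn-lint's own code and not part of this page), here is a complete user rule in the reserved E9xxx range that turns the `NoEcho` advice above into a hard error: secret-looking parameters must set `NoEcho`, and secret-looking resource properties must be an intrinsic function or a `{{resolve:...}}` dynamic reference rather than a literal. The `SECRET_NAME` heuristic, the rule id `E9001`, the sample template and the stand-in classes used when cfn-lint is not installed are all assumptions made here.

```python
"""Custom cfn-lint rule in the user-reserved E9xxx range (added example)."""
import re
from typing import Any, Dict, List, Tuple

try:
    from cfnlint.rules import CloudFormationLintRule, RuleMatch
except ImportError:
    # Stand-ins so the matching logic can run without cfn-lint installed (assumption).
    class CloudFormationLintRule:
        pass

    class RuleMatch:
        def __init__(self, path, message):
            self.path, self.message = path, message

# Names that look like they carry a secret (constructed heuristic, not cfn-lint's).
SECRET_NAME = re.compile(r"password|passwd|secret", re.IGNORECASE)
Finding = Tuple[List[Any], str]  # (path into the template, message)


def _is_true(value: Any) -> bool:
    # NoEcho may be a YAML boolean or the string "true" in JSON templates.
    return value is True or str(value).lower() == "true"


def check_parameters(template: Dict[str, Any]) -> List[Finding]:
    """Secret-looking parameters must set NoEcho: true (the RDS password case above)."""
    findings: List[Finding] = []
    for name, param in template.get("Parameters", {}).items():
        if SECRET_NAME.search(name) and not _is_true(param.get("NoEcho", False)):
            findings.append((["Parameters", name],
                             f"Parameter {name} looks like a secret but NoEcho is not true"))
    return findings


def check_resources(template: Dict[str, Any]) -> List[Finding]:
    """Secret-looking resource properties must not be plain string literals."""
    findings: List[Finding] = []
    for res_name, res in template.get("Resources", {}).items():
        for key, value in (res.get("Properties") or {}).items():
            if not SECRET_NAME.search(key):
                continue
            # A dict is an intrinsic function (Ref, Fn::Sub, ...); a string starting with
            # "{{resolve:" is a dynamic reference to Secrets Manager or SSM. Both are fine.
            if isinstance(value, str) and not value.startswith("{{resolve:"):
                findings.append((["Resources", res_name, "Properties", key],
                                 f"{res_name}.{key} is a hardcoded literal; use a NoEcho "
                                 "parameter or a dynamic reference"))
    return findings


class HardcodedSecretRule(CloudFormationLintRule):
    """Fails the template (E level) when secrets are echoed or hardcoded."""
    id = "E9001"  # E9xxx is reserved for user rules
    shortdesc = "Secrets must use NoEcho parameters or dynamic references"
    description = "Secret-looking parameters need NoEcho; secret properties must not be literals"
    tags = ["parameters", "resources", "security"]
    # Add experimental = True to load this rule only with -e/--include-experimental.

    def match(self, cfn) -> List[RuleMatch]:
        template = cfn.template  # cfn-lint's Template object exposes the parsed dict here
        return [RuleMatch(path, msg)
                for path, msg in check_parameters(template) + check_resources(template)]


# Constructed sample template exercising each case.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Parameters": {
        "DBPassword": {"Type": "String"},                     # secret without NoEcho -> E9001
        "AdminSecret": {"Type": "String", "NoEcho": "true"},  # string "true" accepted -> ok
        "DBName": {"Type": "String"},                         # not a secret -> ignored
    },
    "Resources": {
        "DbFromParam": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": {"Ref": "DBPassword"}}},     # intrinsic function -> ok
        "DbLiteral": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": "constructed-literal"}},     # literal -> E9001
        "DbDynamic": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": "{{resolve:secretsmanager:example/db:SecretString:password}}"}},
    },
}
```

Running `check_parameters(SAMPLE_TEMPLATE) + check_resources(SAMPLE_TEMPLATE)` reports exactly the `DBPassword` parameter and the `DbLiteral` property; the `Ref` and the dynamic reference pass.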
(This documentation is generated by running `cfn-lint --update-documentation`, do not alter this manually)
The following 145 rules are applied by this linter:
Rule ID | Title | Description | Config (Name:Type:Default) | Source | Tags |
---|---|---|---|---|---|
E0000 | Parsing error found when parsing the template | Checks for JSON/YAML formatting errors in your template | | Source | base |
E0001 | Error found when transforming the template | Errors found when performing transformation on the template | | Source | base, transform |
E0002 | Error processing rule on the template | Errors found when processing a rule on the template | | Source | base, rule |
E1001 | Basic CloudFormation Template Configuration | Making sure the basic CloudFormation template components are properly configured | sections:string: | Source | base |
E1002 | Template size limit | Check the size of the template is less than the upper limit | | Source | limits |
E1003 | Template description limit | Check if the size of the template description is less than the upper limit | | Source | description, limits |
E1004 | Template description can only be a string | Template description can only be a string | | Source | description |
E1010 | GetAtt validation of parameters | Validates that GetAtt parameters are to valid resources and properties of those resources | | Source | functions, getatt |
E1011 | FindInMap validation of configuration | Making sure the function is a list of appropriate config | | Source | functions, findinmap |
E1012 | Check if Refs exist | Making sure the refs exist | | Source | functions, ref |
E1015 | GetAz validation of parameters | Making sure the function is not a list | | Source | functions, getaz |
E1016 | ImportValue validation of parameters | Making sure the function is not a list | | Source | functions, importvalue |
E1017 | Select validation of parameters | Making sure the function is not a list | | Source | functions, select |
E1018 | Split validation of parameters | Making sure the split function is properly configured | | Source | functions, split |
E1019 | Sub validation of parameters | Making sure the sub function is properly configured | | Source | functions, sub |
E1020 | Ref validation of value | Making sure the Ref has a value of String (no other functions are supported) | | Source | functions, ref |
E1021 | Base64 validation of parameters | Making sure the function is not a list | | Source | functions, base64 |
E1022 | Join validation of parameters | Making sure the join function is properly configured | | Source | functions, join |
E1023 | Validation NOT function configuration | Making sure that NOT functions are lists | | Source | functions, not |
E1024 | Cidr validation of parameters | Making sure the function CIDR is a list with valid values | | Source | functions, cidr |
E1026 | Cannot reference resources in the Conditions block of the template | Check that any Refs in the Conditions block use no resources | | Source | conditions, functions, ref |
E1027 | Check dynamic references secure strings are in supported locations | Dynamic References Secure Strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. | | Source | functions, dynamic reference |
E1028 | Check Fn::If structure for validity | Check Fn::If to make sure it's valid. Condition has to be a string. | | Source | functions, if |
E1029 | Sub is required if a variable is used in a string | If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. | custom_excludes:string: | Source | functions, sub |
E2001 | Parameters have appropriate properties | Making sure the parameters are properly configured | | Source | parameters |
E2002 | Parameters have appropriate type | Making sure the parameters have a correct type | | Source | parameters |
E2003 | Parameters have appropriate names | Check if Parameters are properly named (A-Za-z0-9) | | Source | parameters |
E2010 | Parameter limit not exceeded | Check the number of Parameters in the template is less than the upper limit | | Source | parameters, limits |
E2011 | Parameter name limit not exceeded | Check the size of Parameter names in the template is less than the upper limit | | Source | parameters, limits |
E2012 | Parameter value limit not exceeded | Check if the size of Parameter values in the template is less than the upper limit | | Source | parameters, limits |
E2014 | Default value cannot use Refs | Check if Refs are not used in Parameter Defaults | | Source | parameters, ref |
E2015 | Default value is within parameter constraints | Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern | | Source | parameters |
E2503 | Resource ELB Properties | See if ELB Resource Properties are set correctly: HTTPS has a certificate, HTTP has no certificate | | Source | properties, elb |
E2504 | Check Ec2 Ebs Properties | See if Ec2 Ebs Properties are valid | | Source | properties, ec2, ebs |
E2506 | Resource EC2 Security Group Ingress Properties | See if EC2 Security Group Ingress Properties are set correctly. Check that "SourceSecurityGroupId" or "SourceSecurityGroupName" are exclusive and using the type of Ref or GetAtt | | Source | resources, ec2, securitygroup |
E2507 | Check if IAM Policies are properly configured | See if the elements inside an IAM policy are correct | | Source | properties, iam |
E2520 | Check Properties that are mutually exclusive | Making sure CloudFormation properties that are exclusive are not defined together | | Source | resources |
E2521 | Check Properties that are required together | Make sure CloudFormation resource properties are included together when required | | Source | resources |
E2522 | Check Properties that need at least one of a list of properties | Making sure CloudFormation properties that require at least one property from a list have one. More than one can be included. | | Source | resources |
E2523 | Check Properties that need only one of a list of properties | Making sure CloudFormation properties that require only one property from a list have one. One has to be specified. | | Source | resources |
E2529 | Check that SubscriptionFilters don't have more than 2 attachments to a CloudWatch Log Group | The current limit for a CloudWatch Log Group is 2 subscription filters. We will look for duplicate LogGroupNames inside Subscription Filters and make sure they are within 2. This doesn't account for any other subscription filters getting set. | | Source | resources, lambda |
E2531 | Check if EOL Lambda Function Runtimes are used | Check if an EOL Lambda Runtime is specified and give an error if used. | | Source | resources, lambda, runtime |
E2532 | Check State Machine Definition for proper syntax | Check the State Machine String Definition to make sure it's JSON. Validate basic syntax of the file to determine validity. | | Source | resources, stepfunctions |
E2540 | CodePipeline Stages | See if CodePipeline stages are set correctly | | Source | properties, codepipeline |
E2541 | CodePipeline Stage Actions | See if CodePipeline stage actions are set correctly | | Source | resources, codepipeline |
E3000 | Resource schema | CloudFormation Registry resource schema validation | | Source | resources |
E3001 | Basic CloudFormation Resource Check | Making sure the basic CloudFormation resources are properly configured | | Source | resources |
E3002 | Resource properties are valid | Making sure that resource properties are properly configured | | Source | resources |
E3003 | Required Resource properties are missing | Making sure that Resource properties that are required exist | | Source | resources |
E3004 | Resource dependencies are not circular | Check that Resources are not circularly dependent by DependsOn, Ref, Sub, or GetAtt | | Source | resources, circularly, dependson, ref, sub, getatt |
E3005 | Check DependsOn values for Resources | Check that the DependsOn values are valid | | Source | resources, dependson |
E3006 | Resources have appropriate names | Check if Resources are properly named (A-Za-z0-9) | | Source | resources |
E3007 | Unique resource and parameter names | All resources and parameters must have unique names | | Source | parameters, resources |
E3008 | Check values of properties for valid Refs and GetAtts | Checks resource properties for Ref and GetAtt values | | Source | resources, ref, getatt |
E3010 | Resource limit not exceeded | Check the number of Resources in the template is less than the upper limit | | Source | resources, limits |
E3011 | Resource name limit not exceeded | Check the size of Resource names in the template is less than the upper limit | | Source | resources, limits |
E3012 | Check resource properties values | Checks resource property values with Primitive Types for values that match those types. | strict:boolean:False | Source | resources |
E3013 | CloudFront Aliases | CloudFront aliases should contain valid domain names | | Source | properties, cloudfront |
E3016 | Check the configuration of a resource's UpdatePolicy | Make sure a resource's UpdatePolicy is properly configured | | Source | resources, updatepolicy |
E3017 | Property is required based on another property's value | When certain properties have a certain value it results in other properties being required. This rule will validate those required properties are specified when those values are supplied | | Source | resources |
E3018 | Property is unwanted based on another property's value | When certain properties have a certain value it results in other properties not being needed. This rule will validate those unwanted properties are not specified when those values are supplied | | Source | resources |
E3020 | Validate Route53 RecordSets | Check if all RecordSets are correctly configured | | Source | resources, route53, record_set |
E3021 | Check Events Rule Targets are less than or equal to 5 | CloudWatch Events Rule can only support up to 5 targets | | Source | resources, events |
E3022 | Resource SubnetRouteTableAssociation Properties | Validate there is only one SubnetRouteTableAssociation per subnet | | Source | resources, ec2, subnet, route table |
E3025 | RDS instance type is compatible with the RDS type | Check the RDS instance types are supported by the type of RDS engine. Only if the values are strings will this be checked. | | Source | resources, rds |
E3026 | Check ElastiCache Redis Cluster settings | Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled | | Source | resources, elasticcache |
E3027 | Validate AWS Event ScheduleExpression format | Validate the format of the AWS::Event ScheduleExpression | | Source | resources, events |
E3030 | Check if properties have a valid value | Check if properties have a valid value in case of an enumerator | | Source | resources, property, allowed value |
E3031 | Check if property values adhere to a specific pattern | Check if properties have a valid value in case of a pattern (Regular Expression) | | Source | resources, property, allowed pattern, regex |
E3032 | Check if a list has between min and max number of values specified | Check lists for the number of items in the list to validate they are between the minimum and maximum | | Source | resources, property, list, size |
E3033 | Check if a string has between min and max number of values specified | Check strings for their length being between the minimum and maximum | | Source | resources, property, string, size |
E3034 | Check if a number is between min and max | Check numbers (integers and floats) for their value being between the minimum and maximum | | Source | resources, property, number, size |
E3035 | Check DeletionPolicy values for Resources | Check that the DeletionPolicy values are valid | | Source | resources, deletionpolicy |
E3036 | Check UpdateReplacePolicy values for Resources | Check that the UpdateReplacePolicy values are valid | | Source | resources, updatereplacepolicy |
E3037 | Check if a list has duplicate values | Certain lists don't support duplicate items. Check when duplicates are provided but not supported. | | Source | resources, property, list |
E3038 | Check if Serverless Resources have Serverless Transform | Check that a template with Serverless Resources also includes the Serverless Transform | | Source | resources, transform |
E3039 | AttributeDefinitions / KeySchemas mismatch | Verify the set of Attributes in AttributeDefinitions and KeySchemas match | | Source | resources, dynamodb |
E3041 | RecordSet HostedZoneName is a superdomain of Name | In a RecordSet, the HostedZoneName must be a superdomain of the Name being validated | | Source | resource, properties, route53 |
E3042 | Check at least one essential container is specified | Check that every TaskDefinition specifies at least one essential container | | Source | properties, ecs, task, container, fargate |
E3043 | Validate parameters for a nested stack | Evaluate if parameters for a nested stack are specified and if parameters are specified for a nested stack that aren't required. | | Source | resources, cloudformation |
E3050 | Check if Ref'ing to an IAM resource with path set | Some resources don't support looking up the IAM resource by name. This check validates when a Ref is being used and the Path is not '/' | | Source | properties, iam |
E3502 | Check if a JSON Object is within size limits | Validate properties that are JSON values so that their length is within the limits | | Source | resources, limits, json |
E3503 | ValidationDomain is superdomain of DomainName | In ValidationDomainOptions, the ValidationDomain must be a superdomain of the DomainName being validated | | Source | certificate, certificatemanager, domainvalidationoptions, validationdomain |
E4001 | Metadata Interface have appropriate properties | Metadata Interface properties are properly configured | | Source | metadata |
E5001 | Check that Modules resources are valid | Check that Modules resources are valid | | Source | resources, modules |
E6001 | Outputs have appropriate properties | Making sure the outputs are properly configured | | Source | outputs |
E6002 | Outputs have required properties | Making sure the outputs have required properties | | Source | outputs |
E6003 | Outputs have values of strings | Making sure the outputs have strings as values | | Source | outputs |
E6004 | Outputs have appropriate names | Check if Outputs are properly named (A-Za-z0-9) | | Source | outputs |
E6005 | Outputs descriptions can only be strings | Outputs descriptions can only be strings | | Source | outputs |
E6010 | Output limit not exceeded | Check the number of Outputs in the template is less than the upper limit | | Source | outputs, limits |
E6011 | Output name limit not exceeded | Check the size of Output names in the template is less than the upper limit | | Source | outputs, limits |
E6012 | Output description limit not exceeded | Check the size of Output descriptions in the template is less than the upper limit | | Source | outputs, limits |
E7001 | Mappings are appropriately configured | Check if Mappings are properly configured | | Source | mappings |
E7002 | Mappings have appropriate names | Check if Mappings are properly named (A-Za-z0-9) | | Source | mappings |
E7003 | Mapping keys are strings and alphanumeric | Check if Mappings keys are properly typed as strings and alphanumeric | | Source | mappings |
E7010 | Mapping limit not exceeded | Check the number of Mappings in the template is less than the upper limit | | Source | mappings, limits |
E7011 | Mapping name limit not exceeded | Check the size of Mapping names in the template is less than the upper limit | | Source | mappings, limits |
E7012 | Mapping attribute limit not exceeded | Check if the amount of Mapping attributes in the template is less than the upper limit | | Source | mappings, limits |
E8001 | Conditions have appropriate properties | Check if Conditions are properly configured | | Source | conditions |
E8002 | Check if the referenced Conditions are defined | Making sure the used conditions are actually defined in the Conditions section | | Source | conditions |
E8003 | Check Fn::Equals structure for validity | Check Fn::Equals is a list of two elements | | Source | functions, equals |
E8004 | Check Fn::And structure for validity | Check Fn::And is a list of two elements | | Source | functions, and |
E8005 | Check Fn::Not structure for validity | Check Fn::Not is a list of one element | | Source | functions, not |
E8006 | Check Fn::Or structure for validity | Check Fn::Or is a list of two elements | | Source | functions, or |
I1002 | Template size limit | Check the size of the template is approaching the upper limit | | Source | limits |
I1003 | Template description limit | Check if the size of the template description is approaching the upper limit | | Source | description, limits |
I1022 | Use Sub instead of Join | Prefer a Sub instead of Join when using a join delimiter that is empty | | Source | functions, sub, join |
I2010 | Parameter limit | Check the number of Parameters in the template is approaching the upper limit | | Source | parameters, limits |
I2011 | Parameter name limit | Check the size of Parameter names in the template is approaching the upper limit | | Source | parameters, limits |
I2012 | Parameter value limit | Check if the size of Parameter values in the template is approaching the upper limit | | Source | parameters, limits |
I3010 | Resource limit | Check the number of Resources in the template is approaching the upper limit | | Source | resources, limits |
I3011 | Check stateful resources have a set UpdateReplacePolicy/DeletionPolicy | The default action when replacing/removing a resource is to delete it. This check requires you to explicitly set policies | | Source | resources, updatereplacepolicy, deletionpolicy |
I3012 | Resource name limit | Check the size of Resource names in the template is approaching the upper limit | | Source | resources, limits |
I3013 | Check resources with auto expiring content have explicit retention period | The behaviour for data retention is different across AWS Services. If no retention period is specified the default for some services is to delete the data after a period of time. This check requires you to explicitly set the retention period for those resources to avoid unexpected data losses | | Source | resources, retentionperiod |
I3037 | Check if a list that allows duplicates has any duplicates | Certain lists support duplicate items. Provide an alert when lists of strings or numbers have repeats. | | Source | resources, property, list |
I3042 | ARNs should use correctly placed Pseudo Parameters | Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number | partition:boolean:True region:boolean:False accountId:boolean:False | Source | resources |
I6010 | Output limit | Check the number of Outputs in the template is approaching the upper limit | | Source | outputs, limits |
I6011 | Output name limit | Check the size of Output names in the template is approaching the upper limit | | Source | outputs, limits |
I6012 | Output description limit | Check the size of Output descriptions in the template is approaching the upper limit | | Source | outputs, limits |
I7010 | Mapping limit | Check the number of Mappings in the template is approaching the upper limit | | Source | mappings, limits |
I7011 | Mapping name limit | Check the size of Mapping names in the template is approaching the upper limit | | Source | mappings, limits |
I7012 | Mapping attribute limit | Check if the amount of Mapping attributes in the template is approaching the upper limit | | Source | mappings, limits |
W1001 | Ref/GetAtt to resource that is available when conditions are applied | Check the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition. | | Source | conditions, resources, relationships, ref, getatt |
W1011 | FindInMap keys exist in the map | Checks the keys in a FindInMap to make sure they exist. Check only if the Map Name is a string and if the key is a string. | | Source | functions, findinmap |
W1019 | Sub validation of parameters | Validate that Fn::Sub Parameters are used | | Source | functions, sub |
W1020 | Sub isn't needed if it doesn't have a variable defined | Checks sub strings to see if a variable is defined. | | Source | functions, sub |
W2001 | Check if Parameters are Used | Making sure the parameters defined are used | | Source | parameters |
W2030 | Check if parameters have a valid value | Check if parameters have a valid value in case of an enumerator. The Parameter's allowed values are based on the usages in property (Ref) | | Source | parameters, resources, property, allowed value |
W2031 | Check if parameters have a valid value based on an allowed pattern | Check if parameters have a valid value in a pattern. The Parameter's allowed pattern is based on the usages in property (Ref) | | Source | parameters, resources, property, allowed pattern |
W2501 | Check if Password Properties are correctly configured | Password properties should not be strings, and if a parameter is used it should have NoEcho set | | Source | parameters, passwords, security, dynamic reference |
W2506 | Check if ImageId Parameters have the correct type | See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [`AWS::EC2::Image::Id`, `AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>`] | | Source | parameters, ec2, imageid |
W2510 | Parameter Memory Size attributes should have max and min | Check that a parameter used for Lambda memory size has a min and max size that match Lambda constraints | | Source | parameters, lambda |
W2511 | Check IAM Resource Policies syntax | See if the elements inside an IAM Resource policy are configured correctly. | | Source | properties, iam |
W2531 | Check if EOL Lambda Function Runtimes are used | Check if an EOL Lambda Runtime is specified and give a warning if used. | | Source | resources, lambda, runtime |
W3002 | Warn when properties are configured to only work with the package command | Some properties can be configured to only work with the CloudFormation package command. Warn when this is the case so the user is aware. | | Source | resources |
W3005 | Check obsolete DependsOn configuration for Resources | Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. | | Source | resources, dependson, ref, getatt |
W3010 | Availability Zone Parameters should not be hardcoded | Check if an Availability Zone property is hardcoded. | | Source | parameters, availabilityzone |
W3011 | Check resources with UpdateReplacePolicy/DeletionPolicy have both | Both UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletion | | Source | resources, updatereplacepolicy, deletionpolicy |
W3037* | Check IAM Permission configuration | Check for valid IAM Permissions | | Source | properties, iam, permissions |
W4001 | Metadata Interface parameters exist | Metadata Interface parameters actually exist | | Source | metadata |
W4002 | Check for NoEcho References | Check if there is a NoEcho enabled parameter referenced within a resource's Metadata section | | Source | resources, NoEcho |
W6001 | Check Outputs using ImportValue | Check if the Output value is set using ImportValue, so creating an Output of an Output | | Source | outputs, importvalue |
W7001 | Check if Mappings are Used | Making sure the mappings defined are used | | Source | mappings |
W8001 | Check if Conditions are Used | Making sure the conditions defined are used | | Source | conditions |
* experimental rules