Skip to content

Latest commit

 

History

History
199 lines (184 loc) · 50.8 KB

rules.md

File metadata and controls

199 lines (184 loc) · 50.8 KB

Rules

Rule levels

A rule returns feedback on a specific level: Error, Warning or Informational.

Errors

Errors will start with the letter E. Errors will (or can) result in a hard failure for the template being validated.

Warnings

Warnings start with the letter W. Warnings alert you when the template doesn't follow best practices but should still function. Example: If you use a parameter for a RDS master password you should have the parameter property NoEcho set to true.

Informational

Informational results start with the letter I. Informational alert you when the template doesn't follow best practices, just like the Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using -c I or --include-checks I.

Categories

Rule Numbers Category
(E|W|I)0XXX Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.)
(E|W|I)1XXX Functions (Ref, GetAtt, etc.)
(E|W|I)2XXX Parameters
(E|W|I)3XXX Resources
(E|W|I)4XXX Metadata
(E|W|I)6xxx Outputs
(E|W|I)7xxx Mappings
(E|W|I)8xxx Conditions
(E|W|I)9xxx Reserved for users rules

Warning Rule E3012 is used to check the types for value of a resource property. A number is a number, string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process so all instances of this issue are considered errors. You can disable this rule using --ignore-checks if it is not required for your internal best practices.

Experimental rules

Sometimes there are (new) rules that might be complex, that doesn't have enough solid test templates and examples and/or might have unexpected results. We support adding in these rules so they can be tested, tweaked and improved before they become generally available.

A rule can be marked as experimental by setting the experimental flag in the Rule's MetaData:

class MyExperimentalRule(CloudFormationLintRule):
    id = 'E1234'
    ...
    experimental = True

To include these rules, use the -e/include-experimental argument when running cfn-lint.

Rules

(This documentation is generated by running cfn-lint --update-documentation, do not alter this manually)

The following 145 rules are applied by this linter:

Rule ID Title Description Config
(Name:Type:Default)
Source Tags
E0000 Parsing error found when parsing the template Checks for JSON/YAML formatting errors in your template Source base
E0001 Error found when transforming the template Errors found when performing transformation on the template Source base,transform
E0002 Error processing rule on the template Errors found when processing a rule on the template Source base,rule
E1001 Basic CloudFormation Template Configuration Making sure the basic CloudFormation template components are properly configured sections:string: Source base
E1002 Template size limit Check the size of the template is less than the upper limit Source limits
E1003 Template description limit Check if the size of the template description is less than the upper limit Source description,limits
E1004 Template description can only be a string Template description can only be a string Source description
E1010 GetAtt validation of parameters Validates that GetAtt parameters are to valid resources and properties of those resources Source functions,getatt
E1011 FindInMap validation of configuration Making sure the function is a list of appropriate config Source functions,findinmap
E1012 Check if Refs exist Making sure the refs exist Source functions,ref
E1015 GetAz validation of parameters Making sure the function not is of list Source functions,getaz
E1016 ImportValue validation of parameters Making sure the function not is of list Source functions,importvalue
E1017 Select validation of parameters Making sure the function not is of list Source functions,select
E1018 Split validation of parameters Making sure the split function is properly configured Source functions,split
E1019 Sub validation of parameters Making sure the sub function is properly configured Source functions,sub
E1020 Ref validation of value Making the Ref has a value of String (no other functions are supported) Source functions,ref
E1021 Base64 validation of parameters Making sure the function not is of list Source functions,base64
E1022 Join validation of parameters Making sure the join function is properly configured Source functions,join
E1023 Validation NOT function configuration Making sure that NOT functions are list Source functions,not
E1024 Cidr validation of parameters Making sure the function CIDR is a list with valid values Source functions,cidr
E1026 Cannot reference resources in the Conditions block of the template Check that any Refs in the Conditions block uses no resources Source conditions,functions,ref
E1027 Check dynamic references secure strings are in supported locations Dynamic References Secure Strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. Source functions,dynamic reference
E1028 Check Fn::If structure for validity Check Fn::If to make sure its valid. Condition has to be a string. Source functions,if
E1029 Sub is required if a variable is used in a string If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. custom_excludes:string: Source functions,sub
E2001 Parameters have appropriate properties Making sure the parameters are properly configured Source parameters
E2002 Parameters have appropriate type Making sure the parameters have a correct type Source parameters
E2003 Parameters have appropriate names Check if Parameters are properly named (A-Za-z0-9) Source parameters
E2010 Parameter limit not exceeded Check the number of Parameters in the template is less than the upper limit Source parameters,limits
E2011 Parameter name limit not exceeded Check the size of Parameter names in the template is less than the upper limit Source parameters,limits
E2012 Parameter value limit not exceeded Check if the size of Parameter values in the template is less than the upper limit Source parameters,limits
E2014 Default value cannot use Refs Check if Refs are not used in Parameter Defaults Source parameters,ref
E2015 Default value is within parameter constraints Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern Source parameters
E2503 Resource ELB Properties See if Elb Resource Properties are set correctly HTTPS has certificate HTTP has no certificate Source properties,elb
E2504 Check Ec2 Ebs Properties See if Ec2 Ebs Properties are valid Source properties,ec2,ebs
E2506 Resource EC2 Security Group Ingress Properties See if EC2 Security Group Ingress Properties are set correctly. Check that "SourceSecurityGroupId" or "SourceSecurityGroupName" are are exclusive and using the type of Ref or GetAtt Source resources,ec2,securitygroup
E2507 Check if IAM Policies are properly configured See if there elements inside an IAM policy are correct Source properties,iam
E2520 Check Properties that are mutually exclusive Making sure CloudFormation properties that are exclusive are not defined Source resources
E2521 Check Properties that are required together Make sure CloudFormation resource properties are included together when required Source resources
E2522 Check Properties that need at least one of a list of properties Making sure CloudFormation properties that require at least one property from a list. More than one can be included. Source resources
E2523 Check Properties that need only one of a list of properties Making sure CloudFormation properties that require only one property from a list. One has to be specified. Source resources
E2529 Check for SubscriptionFilters have beyond 2 attachments to a CloudWatch Log Group The current limit for a CloudWatch Log Group is they can have 2 subscription filters. We will look for duplicate LogGroupNames inside Subscription Filters and make sure they are within 2. This doesn't account for any other subscription filters getting set. Source resources,lambda
E2531 Check if EOL Lambda Function Runtimes are used Check if an EOL Lambda Runtime is specified and give an error if used. Source resources,lambda,runtime
E2532 Check State Machine Definition for proper syntax Check the State Machine String Definition to make sure its JSON. Validate basic syntax of the file to determine validity. Source resources,stepfunctions
E2540 CodePipeline Stages See if CodePipeline stages are set correctly Source properties,codepipeline
E2541 CodePipeline Stage Actions See if CodePipeline stage actions are set correctly Source resources,codepipeline
E3000 Resource schema CloudFormation Registry resource schema validation Source resources
E3001 Basic CloudFormation Resource Check Making sure the basic CloudFormation resources are properly configured Source resources
E3002 Resource properties are valid Making sure that resources properties are properly configured Source resources
E3003 Required Resource properties are missing Making sure that Resources properties that are required exist Source resources
E3004 Resource dependencies are not circular Check that Resources are not circularly dependent by DependsOn, Ref, Sub, or GetAtt Source resources,circularly,dependson,ref,sub,getatt
E3005 Check DependsOn values for Resources Check that the DependsOn values are valid Source resources,dependson
E3006 Resources have appropriate names Check if Resources are properly named (A-Za-z0-9) Source resources
E3007 Unique resource and parameter names All resources and parameters must have unique names Source parameters,resources
E3008 Check values of properties for valid Refs and GetAtts Checks resource properties for Ref and GetAtt values Source resources,ref,getatt
E3010 Resource limit not exceeded Check the number of Resources in the template is less than the upper limit Source resources,limits
E3011 Resource name limit not exceeded Check the size of Resource names in the template is less than the upper limit Source resources,limits
E3012 Check resource properties values Checks resource property values with Primitive Types for values that match those types. strict:boolean:False Source resources
E3013 CloudFront Aliases CloudFront aliases should contain valid domain names Source properties,cloudfront
E3016 Check the configuration of a resources UpdatePolicy Make sure a resources UpdatePolicy is properly configured Source resources,updatepolicy
E3017 Property is required based on another properties value When certain properties have a certain value it results in other properties being required. This rule will validate those required properties are specified when those values are supplied Source resources
E3018 Property is unwanted based on another properties value When certain properties have a certain value it results in other properties not being needed. This rule will validate those unwanted properties are not specified when those values are supplied Source resources
E3020 Validate Route53 RecordSets Check if all RecordSets are correctly configured Source resources,route53,record_set
E3021 Check Events Rule Targets are less than or equal to 5 CloudWatch Events Rule can only support up to 5 targets Source resources,events
E3022 Resource SubnetRouteTableAssociation Properties Validate there is only one SubnetRouteTableAssociation per subnet Source resources,ec2,subnet,route table
E3025 RDS instance type is compatible with the RDS type Check the RDS instance types are supported by the type of RDS engine. Only if the values are strings will this be checked. Source resources,rds
E3026 Check Elastic Cache Redis Cluster settings Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled Source resources,elasticcache
E3027 Validate AWS Event ScheduleExpression format Validate the formation of the AWS::Event ScheduleExpression Source resources,events
E3030 Check if properties have a valid value Check if properties have a valid value in case of an enumator Source resources,property,allowed value
E3031 Check if property values adhere to a specific pattern Check if properties have a valid value in case of a pattern (Regular Expression) Source resources,property,allowed pattern,regex
E3032 Check if a list has between min and max number of values specified Check lists for the number of items in the list to validate they are between the minimum and maximum Source resources,property,list,size
E3033 Check if a string has between min and max number of values specified Check strings for its length between the minimum and maximum Source resources,property,string,size
E3034 Check if a number is between min and max Check numbers (integers and floats) for its value being between the minimum and maximum Source resources,property,number,size
E3035 Check DeletionPolicy values for Resources Check that the DeletionPolicy values are valid Source resources,deletionpolicy
E3036 Check UpdateReplacePolicy values for Resources Check that the UpdateReplacePolicy values are valid Source resources,updatereplacepolicy
E3037 Check if a list has duplicate values Certain lists don't support duplicate items. Check when duplicates are provided but not supported. Source resources,property,list
E3038 Check if Serverless Resources have Serverless Transform Check that a template with Serverless Resources also includes the Serverless Transform Source resources,transform
E3039 AttributeDefinitions / KeySchemas mismatch Verify the set of Attributes in AttributeDefinitions and KeySchemas match Source resources,dynamodb
E3041 RecordSet HostedZoneName is a superdomain of Name In a RecordSet, the HostedZoneName must be a superdomain of the Name being validated Source resource,properties,route53
E3042 Check at least one essential container is specified Check that every TaskDefinition specifies at least one essential container Source properties,ecs,task,container,fargate
E3043 Validate parameters for in a nested stack Evalute if parameters for a nested stack are specified and if parameters are specified for a nested stack that aren't required. Source resources,cloudformation
E3050 Check if REFing to a IAM resource with path set Some resources don't support looking up the IAM resource by name. This check validates when a REF is being used and the Path is not '/' Source properties,iam
E3502 Check if a JSON Object is within size limits Validate properties that are JSON values so that their length is within the limits Source resources,limits,json
E3503 ValidationDomain is superdomain of DomainName In ValidationDomainOptions, the ValidationDomain must be a superdomain of the DomainName being validated Source certificate,certificatemanager,domainvalidationoptions,validationdomain
E4001 Metadata Interface have appropriate properties Metadata Interface properties are properly configured Source metadata
E5001 Check that Modules resources are valid Check that Modules resources are valid Source resources,modules
E6001 Outputs have appropriate properties Making sure the outputs are properly configured Source outputs
E6002 Outputs have required properties Making sure the outputs have required properties Source outputs
E6003 Outputs have values of strings Making sure the outputs have strings as values Source outputs
E6004 Outputs have appropriate names Check if Outputs are properly named (A-Za-z0-9) Source outputs
E6005 Outputs descriptions can only be strings Outputs descriptions can only be strings Source outputs
E6010 Output limit not exceeded Check the number of Outputs in the template is less than the upper limit Source outputs,limits
E6011 Output name limit not exceeded Check the size of Output names in the template is less than the upper limit Source outputs,limits
E6012 Output description limit not exceeded Check the size of Output description in the template is less than the upper limit Source outputs,limits
E7001 Mappings are appropriately configured Check if Mappings are properly configured Source mappings
E7002 Mappings have appropriate names Check if Mappings are properly named (A-Za-z0-9) Source mappings
E7003 Mapping keys are strings and alphanumeric Check if Mappings keys are properly typed as strings and alphanumeric Source mappings
E7010 Mapping limit not exceeded Check the number of Mappings in the template is less than the upper limit Source mappings,limits
E7011 Mapping name limit not exceeded Check the size of Mapping names in the template is less than the upper limit Source mappings,limits
E7012 Mapping attribute limit not exceeded Check if the amount of Mapping attributes in the template is less than the upper limit Source mappings,limits
E8001 Conditions have appropriate properties Check if Conditions are properly configured Source conditions
E8002 Check if the referenced Conditions are defined Making sure the used conditions are actually defined in the Conditions section Source conditions
E8003 Check Fn::Equals structure for validity Check Fn::Equals is a list of two elements Source functions,equals
E8004 Check Fn::And structure for validity Check Fn::And is a list of two elements Source functions,and
E8005 Check Fn::Not structure for validity Check Fn::Not is a list of one element Source functions,not
E8006 Check Fn::Or structure for validity Check Fn::Or is a list of two elements Source functions,or
I1002 Template size limit Check the size of the template is approaching the upper limit Source limits
I1003 Template description limit Check if the size of the template description is approaching the upper limit Source description,limits
I1022 Use Sub instead of Join Prefer a sub instead of Join when using a join delimiter that is empty Source functions,sub,join
I2010 Parameter limit Check the number of Parameters in the template is approaching the upper limit Source parameters,limits
I2011 Parameter name limit Check the size of Parameter names in the template is approaching the upper limit Source parameters,limits
I2012 Parameter value limit Check if the size of Parameter values in the template is approaching the upper limit Source parameters,limits
I3010 Resource limit Check the number of Resources in the template is approaching the upper limit Source resources,limits
I3011 Check stateful resources have a set UpdateReplacePolicy/DeletionPolicy The default action when replacing/removing a resource is to delete it. This check requires you to explicitly set policies Source resources,updatereplacepolicy,deletionpolicy
I3012 Resource name limit Check the size of Resource names in the template is approaching the upper limit Source resources,limits
I3013 Check resources with auto expiring content have explicit retention period The behaviour for data retention is different across AWS Services.If no retention period is specified the default for some services is to delete the data after a period of time.This check requires you to explicitly set the retention period for those resources to avoid unexpected data losses Source resources,retentionperiod
I3037 Check if a list that allows duplicates has any duplicates Certain lists support duplicate items.Provide an alert when list of strings or numbers have repeats. Source resources,property,list
I3042 ARNs should use correctly placed Pseudo Parameters Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number partition:boolean:True
region:boolean:False
accountId:boolean:False
Source resources
I6010 Output limit Check the number of Outputs in the template is approaching the upper limit Source outputs,limits
I6011 Output name limit Check the size of Output names in the template is approaching the upper limit Source outputs,limits
I6012 Output description limit Check the size of Output description in the template is approaching the upper limit Source outputs,limits
I7010 Mapping limit Check the number of Mappings in the template is approaching the upper limit Source mappings,limits
I7011 Mapping name limit Check the size of Mapping names in the template is approaching the upper limit Source mappings,limits
I7012 Mapping attribute limit Check if the amount of Mapping attributes in the template is approaching the upper limit Source mappings,limits
W1001 Ref/GetAtt to resource that is available when conditions are applied Check the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition. Source conditions,resources,relationships,ref,getatt
W1011 FindInMap keys exist in the map Checks the keys in a FindInMap to make sure they exist. Check only if the Map Name is a string and if the key is a string. Source functions,findinmap
W1019 Sub validation of parameters Validate that Fn::Sub Parameters are used Source functions,sub
W1020 Sub isn't needed if it doesn't have a variable defined Checks sub strings to see if a variable is defined. Source functions,sub
W2001 Check if Parameters are Used Making sure the parameters defined are used Source parameters
W2030 Check if parameters have a valid value Check if parameters have a valid value in case of an enumator. The Parameter's allowed values is based on the usages in property (Ref) Source parameters,resources,property,allowed value
W2031 Check if parameters have a valid value based on an allowed pattern Check if parameters have a valid value in a pattern. The Parameter's allowed pattern is based on the usages in property (Ref) Source parameters,resources,property,allowed pattern
W2501 Check if Password Properties are correctly configured Password properties should not be strings and if parameter using NoEcho Source parameters,passwords,security,dynamic reference
W2506 Check if ImageId Parameters have the correct type See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id] Source parameters,ec2,imageid
W2510 Parameter Memory Size attributes should have max and min Check if a parameter that is used for Lambda memory size should have a min and max size that matches Lambda constraints Source parameters,lambda
W2511 Check IAM Resource Policies syntax See if the elements inside an IAM Resource policy are configured correctly. Source properties,iam
W2531 Check if EOL Lambda Function Runtimes are used Check if an EOL Lambda Runtime is specified and give a warning if used. Source resources,lambda,runtime
W3002 Warn when properties are configured to only work with the package command Some properties can be configured to only work with the CloudFormationpackage command. Warn when this is the case so user is aware. Source resources
W3005 Check obsolete DependsOn configuration for Resources Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. Source resources,dependson,ref,getatt
W3010 Availability Zone Parameters should not be hardcoded Check if an Availability Zone property is hardcoded. Source parameters,availabilityzone
W3011 Check resources with UpdateReplacePolicy/DeletionPolicy have both Both UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletion Source resources,updatereplacepolicy,deletionpolicy
W3037* Check IAM Permission configuration Check for valid IAM Permissions Source properties,iam,permissions
W4001 Metadata Interface parameters exist Metadata Interface parameters actually exist Source metadata
W4002 Check for NoEcho References Check if there is a NoEcho enabled parameter referenced within a resources Metadata section Source resources,NoEcho
W6001 Check Outputs using ImportValue Check if the Output value is set using ImportValue, so creating an Output of an Output Source outputs,importvalue
W7001 Check if Mappings are Used Making sure the mappings defined are used Source mappings
W8001 Check if Conditions are Used Making sure the conditions defined are used Source conditions

* experimental rules