Skip to content

Latest commit

 

History

History
177 lines (164 loc) · 36.4 KB

rules.md

File metadata and controls

177 lines (164 loc) · 36.4 KB

Rules

Rule levels

A rule returns feedback on a specific level: Error, Warning or Informational.

Errors

Errors will start with the letter E. Errors will (or can) result in a hard failure for the template being validated.

Warnings

Warnings start with the letter W. Warnings alert you when the template doesn't follow best practices but should still function. Example: If you use a parameter for a RDS master password you should have the parameter property NoEcho set to true.

Informational

Informational results start with the letter I. Informational alert you when the template doesn't follow best practices, just like the Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using -c I or --include-checks I.

Categories

Rule Numbers Category
(E|W|I)0XXX Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.)
(E|W|I)1XXX Functions (Ref, GetAtt, etc.)
(E|W|I)2XXX Parameters
(E|W|I)3XXX Resources
(E|W|I)4XXX Metadata
(E|W|I)6xxx Outputs
(E|W|I)7xxx Mappings
(E|W|I)8xxx Conditions
(E|W|I)9xxx Reserved for users rules

Warning Rule E3012 is used to check the types for value of a resource property. A number is a number, string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process so all instances of this issue are considered errors. You can disable this rule using --ignore-checks if it is not required for your internal best practices.

Experimental rules

Sometimes there are (new) rules that might be complex, that doesn't have enough solid test templates and examples and/or might have unexpected results. We support adding in these rules so they can be tested, tweaked and improved before they become generally available.

A rule can be marked as experimental by setting the experimental flag in the Rule's MetaData:

class MyExperimentalRule(CloudFormationLintRule):
    id = 'E1234'
    ...
    experimental = True

To include these rules, use the -e/include-experimental argument when running cfn-lint.

Rules

The following 120 rules are applied by this linter: (This documentation is generated from the Rules, do not alter this manually)

Rule ID Title Description Config
(Name:Type:Default)
Source Tags
E0000 Parsing error found when parsing the template Checks for Null values and Duplicate values in resources Source base
E0001 Error found when transforming the template Errors found when performing transformation on the template Source base,transform
E0002 Error processing rule on the template Errors found when processing a rule on the template Source base,rule
E1001 Basic CloudFormation Template Configuration Making sure the basic CloudFormation template components are properly configured Source base
E1002 Template size limit Check the size of the template is less than the upper limit Source limits
E1003 Template description limit Check if the size of the template description is less than the upper limit Source limits
E1004 Template description can only be a string Template description can only be a string Source description
E1010 GetAtt validation of parameters Validates that GetAtt parameters are to valid resources and properties of those resources Source functions,getatt
E1011 FindInMap validation of configuration Making sure the function is a list of appropriate config Source functions,findinmap
E1012 Check if Refs exist Making sure the refs exist Source functions,ref
E1015 GetAz validation of parameters Making sure the function not is of list Source functions,getaz
E1016 ImportValue validation of parameters Making sure the function not is of list Source functions,importvalue
E1017 Select validation of parameters Making sure the function not is of list Source functions,select
E1018 Split validation of parameters Making sure the split function is properly configured Source functions,split
E1019 Sub validation of parameters Making sure the sub function is properly configured Source functions,sub
E1020 Ref validation of value Making the Ref has a value of String (no other functions are supported) Source functions,ref
E1021 Base64 validation of parameters Making sure the function not is of list Source functions,base64
E1022 Join validation of parameters Making sure the join function is properly configured Source functions,join
E1023 Validation NOT function configuration Making sure that NOT functions are list Source functions,not
E1024 Cidr validation of parameters Making sure the function CIDR is a list with valid values Source functions,cidr
E1026 Cannot reference resources in the Conditions block of the template Check that any Refs in the Conditions block uses no resources Source functions,ref
E1027 Check dynamic references secure strings are in supported locations Dynamic References Secure Strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. Source functions,dynamic reference
E1028 Check Fn::If structure for validity Check Fn::If to make sure its valid. Condition has to be a string. Source functions,if
E1029 Sub is required if a variable is used in a string If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. Source functions,sub
E2001 Parameters have appropriate properties Making sure the parameters are properly configured Source parameters
E2002 Parameters have appropriate type Making sure the parameters have a correct type Source parameters
E2003 Parameters have appropriate names Check if Parameters are properly named (A-Za-z0-9) Source parameters
E2004 CIDR Allowed Values should be a Cidr Range Check if a parameter is being used as a CIDR. If it is make sure allowed values are proper CIDRs Source parameters,cidr
E2010 Parameter limit not exceeded Check the number of Parameters in the template is less than the upper limit Source parameters,limits
E2011 Parameter name limit not exceeded Check the size of Parameter names in the template is less than the upper limit Source parameters,limits
E2012 Parameter value limit not exceeded Check if the size of Parameter values in the template is less than the upper limit Source parameters,limits
E2014 Default value cannot use Refs Check if Refs are not used in Parameter Defaults Source parameters
E2015 Default value is within parameter constraints Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern Source parameters
E2503 Resource ELB Properties See if Elb Resource Properties are set correctly HTTPS has certificate HTTP has no certificate Source properties,elb
E2504 Check Ec2 Ebs Properties See if Ec2 Eb2 Properties are valid Source properties,ec2,ebs
E2505 Resource EC2 VPC Properties Check if the default tenancy is default or dedicated and that CidrBlock is a valid CIDR range. Source properties,vpc
E2506 Resource EC2 Security Group Ingress Properties See if EC2 Security Group Ingress Properties are set correctly. Check that "SourceSecurityGroupId" or "SourceSecurityGroupName" are are exclusive and using the type of Ref or GetAtt Source resources,securitygroup
E2507 Check if IAM Policies are properly configured See if there elements inside an IAM policy are correct Source properties,iam
E2510 Resource EC2 PropertiesEc2Subnet Properties See if EC2 Subnet Properties are set correctly Source properties,subnet
E2520 Check Properties that are mutually exclusive Making sure CloudFormation properties that are exclusive are not defined Source resources
E2521 Check Properties that are required together Make sure CloudFormation resource properties are included together when required Source resources
E2522 Check Properties that need at least one of a list of properties Making sure CloudFormation properties that require at least one property from a list. More than one can be included. Source resources
E2523 Check Properties that need only one of a list of properties Making sure CloudFormation properties that require only one property from a list. One has to be specified. Source resources
E2529 Check for duplicate Lambda events Check if there are any duplicate log groups in the Lambda event trigger element. Source resources,lambda
E2530 Check Lambda Memory Size Properties See if Lambda Memory Size is valid Source resources,lambda
E2531 Check if EOL Lambda Function Runtimes are used Check if an EOL Lambda Runtime is specified and give an error if used. Source resources,lambda,runtime
E2532 Check State Machine Definition for proper syntax Check the State Machine String Definition to make sure its JSON. Validate basic syntax of the file to determine validity. Source resources,stepfunctions
E2540 CodePipeline Stages See if CodePipeline stages are set correctly Source properties,codepipeline
E2541 CodePipeline Stage Actions See if CodePipeline stage actions are set correctly Source resources,codepipeline
E3001 Basic CloudFormation Resource Check Making sure the basic CloudFormation resources are properly configured Source resources
E3002 Resource properties are valid Making sure that resources properties are properly configured Source resources
E3003 Required Resource Parameters are missing Making sure that Resources properties that are required exist Source resources
E3004 Resource dependencies are not circular Check that Resources are not circularly dependent by Ref, Sub, or GetAtt Source resources,circularly
E3005 Check DependsOn values for Resources Check that the DependsOn values are valid Source resources,dependson
E3006 Resources have appropriate names Check if Resources are properly named (A-Za-z0-9) Source resources
E3008 Check values of properties for valid Refs and GetAtts Checks resource properties for Ref and GetAtt values Source resources
E3010 Resource limit not exceeded Check the number of Resources in the template is less than the upper limit Source resources,limits
E3011 Resource name limit not exceeded Check the size of Resource names in the template is less than the upper limit Source resources,limits
E3012 Check resource properties values Checks resource property values with Primitive Types for values that match those types. strict:boolean:True Source resources
E3013 CloudFront Aliases CloudFront aliases should contain valid domain names Source properties,cloudfront
E3016 Check the configuration of a resources UpdatePolicy Make sure a resources UpdatePolicy is properly configured Source resources,updatepolicy
E3020 Validate Route53 RecordSets Check if all RecordSets are correctly configured Source resources,route53,record_set
E3021 Check Events Rule Targets are less than or equal to 5 CloudWatch Events Rule can only support up to 5 targets Source resources,events
E3022 Resource SubnetRouteTableAssociation Properties Validate there is only one SubnetRouteTableAssociation per subnet Source resources,subnet,route table
E3023 Validate that AlarmIdentifier is specified when using CloudWatch Metrics When using a CloudWatch Metric for Route53 Health Checks you must also specify the AlarmIdentifier Source resources,route53,alarm_identifier
E3024 Validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST When using ProvisionedThroughput with BillingMode PAY_PER_REQUEST will result in BillingMode being changed to PROVISIONED Source resources,dynamodb,provisioned_throughput,billing_mode
E3025 RDS instance type is compatible with the RDS type Check the RDS instance types are supported by the type of RDS engine. Only if the values are strings will this be checked. Source resources,rds
E3026 Check Elastic Cache Redis Cluster settings Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled Source resources,elasticcache
E3027 Validate AWS Event ScheduleExpression format Validate the formation of the AWS::Event ScheduleExpression Source resources,events
E3030 Check if properties have a valid value Check if properties have a valid value in case of an enumator Source resources,property,allowed value
E3031 Check if property values adhere to a specific pattern Check if properties have a valid value in case of a pattern (Regular Expression) Source resources,property,allowed pattern,regex
E3032 Check if a list has between min and max number of values specified Check lists for the number of items in the list to validate they are between the minimum and maximum Source resources,property,list,size
E3033 Check if a string has between min and max number of values specified Check strings for its length between the minimum and maximum Source resources,property,string,size
E3034 Check if a number is between min and max Check numbers (integers and floats) for its value being between the minimum and maximum Source resources,property,number,size
E3035 Check DeletionPolicy values for Resources Check that the DeletionPolicy values are valid Source resources,deletionpolicy
E3036 Check UpdateReplacePolicy values for Resources Check that the UpdateReplacePolicy values are valid Source resources,updatereplacepolicy
E3037 Check if a list has duplicate values Certain lists don't support duplicate items. Check when duplicates are provided but not supported. Source resources,property,list
E3038 Check if Serverless Resources have Serverless Transform Check that a template with Serverless Resources also includes the Serverless Transform Source resources,transform
E3050 Check if REFing to a IAM resource with path set Some resources don't support looking up the IAM resource by name. This check validates when a REF is being used and the Path is not '/' Source properties,iam
E3502 Check if a JSON Object is within size limits Validate properties that are JSON values so that their length is within the limits Source resources,limits,json
E4001 Metadata Interface have appropriate properties Metadata Interface properties are properly configured Source metadata
E6001 Outputs have appropriate properties Making sure the outputs are properly configured Source outputs
E6002 Outputs have required properties Making sure the outputs have required properties Source outputs
E6003 Outputs have values of strings Making sure the outputs have strings as values Source outputs
E6004 Outputs have appropriate names Check if Outputs are properly named (A-Za-z0-9) Source outputs
E6005 Outputs descriptions can only be strings Outputs descriptions can only be strings Source outputs
E6010 Output limit not exceeded Check the number of Outputs in the template is less than the upper limit Source outputs,limits
E6011 Output name limit not exceeded Check the size of Output names in the template is less than the upper limit Source outputs,limits
E6012 Output description limit not exceeded Check the size of Output description in the template is less than the upper limit Source outputs,limits
E7001 Mappings are appropriately configured Check if Mappings are properly configured Source mappings
E7002 Mappings have appropriate names Check if Mappings are properly named (A-Za-z0-9) Source mapping
E7003 Mapping keys are strings and alphanumeric Check if Mappings keys are properly typed as strings and alphanumeric Source mapping
E7010 Mapping limit not exceeded Check the number of Mappings in the template is less than the upper limit Source mappings,limits
E7011 Mapping name limit not exceeded Check the size of Mapping names in the template is less than the upper limit Source mappings,limits
E7012 Mapping attribute limit not exceeded Check if the amount of Mapping attributes in the template is less than the upper limit Source mappings,limits
E8001 Conditions have appropriate properties Check if Conditions are properly configured Source conditions
E8002 Check if the referenced Conditions are defined Making sure the used conditions are actually defined in the Conditions section Source conditions
E8003 Check Fn::Equals structure for validity Check Fn::Equals is a list of two elements Source functions,equals
E8004 Check Fn::And structure for validity Check Fn::And is a list of two elements Source functions,and
E8005 Check Fn::Not structure for validity Check Fn::Not is a list of two elements Source functions,not
E8006 Check Fn::Or structure for validity Check Fn::Or is a list of two elements Source functions,or
I3011 Check DynamoDB tables have a set DeletionPolicy The default action when removing a DynamoDB Table is to delete it. This check requires you to specifically set a DeletionPolicy and you know the risks Source resources,dynamodb
I3037 Check if a list that allows duplicates has any duplicates Certain lists support duplicate items.Provide an alert when list of strings or numbers have repeats. Source resources,property,list
W1001 Ref/GetAtt to resource that is available when conditions are applied Check the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition. Source resources,relationships
W1011 FindInMap keys exist in the map Checks the keys in a FindInMap to make sure they exist. Check only if the Map Name is a string and if the key is a string. Source functions,findinmap
W1019 Sub validation of parameters Validate that Fn::Sub Parameters are used Source functions,sub
W1020 Sub isn't needed if it doesn't have a variable defined Checks sub strings to see if a variable is defined. Source functions,sub
W2001 Check if Parameters are Used Making sure the parameters defined are used Source parameters
W2030 Check if parameters have a valid value Check if parameters have a valid value in case of an enumator. The Parameters allowed values is based on the usages in property (Ref) Source resources,property,allowed value
W2501 Check if Password Properties are correctly configured Password properties should be strings and if parameter using NoEcho Source parameters,passwords
W2506 Check if ImageId Parameters have the correct type See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id] Source parameters,imageid
W2509 CIDR Parameters have allowed values Check if a parameter is being used as a CIDR. If it is make sure it has allowed values regex comparisons Source parameters,availabilityzone
W2510 Parameter Memory Size attributes should have max and min Check if a parameter that is used for Lambda memory size should have a min and max size that matches Lambda constraints Source parameters,lambda
W2511 Check IAM Resource Policies syntax See if the elements inside an IAM Resource policy are configured correctly. Source properties,iam
W2531 Check if EOL Lambda Function Runtimes are used Check if an EOL Lambda Runtime is specified and give a warning if used. Source resources,lambda,runtime
W3002 Warn when properties are configured to only work with the package command Some properties can be configured to only work with the CloudFormationpackage command. Warn when this is the case so user is aware. Source resources
W3005 Check obsolete DependsOn configuration for Resources Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. Source resources,dependson
W3010 Availability Zone Parameters should not be hardcoded Check if an Availability Zone property is hardcoded. Source parameters,availabilityzone
W4001 Metadata Interface parameters exist Metadata Interface parameters actually exist Source metadata
W6001 Check Outputs using ImportValue Check if the Output value is set using ImportValue, so creating an Output of an Output Source outputs,importvalue
W7001 Check if Mappings are Used Making sure the mappings defined are used Source conditions
W8001 Check if Conditions are Used Making sure the conditions defined are used Source conditions

Experimental rules

Rule ID Title Description Source Tags
W3037 Check IAM Permission configuration Check for valid IAM Permissions Source