A rule returns feedback on a specific level: Error, Warning or Informational.
Errors will start with the letter E
. Errors will (or can) result in a hard failure for the template being validated.
Warnings start with the letter W
. Warnings alert you when the template doesn't follow best practices but should still function. Example: If you use a parameter for a RDS master password you should have the parameter property NoEcho set to true.
Informational results start with the letter I
. Informational alert you when the template doesn't follow best practices, just like the Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using -c I
or --include-checks I
.
Rule Numbers | Category |
---|---|
(E|W|I)0XXX | Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.) |
(E|W|I)1XXX | Functions (Ref, GetAtt, etc.) |
(E|W|I)2XXX | Parameters |
(E|W|I)3XXX | Resources |
(E|W|I)4XXX | Metadata |
(E|W|I)6xxx | Outputs |
(E|W|I)7xxx | Mappings |
(E|W|I)8xxx | Conditions |
(E|W|I)9xxx | Reserved for users rules |
Warning
Rule E3012
is used to check the types for value of a resource property. A number is a number, string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process so all instances of this issue are considered errors. You can disable this rule using --ignore-checks
if it is not required for your internal best practices.
Sometimes there are (new) rules that might be complex, that doesn't have enough solid test templates and examples and/or might have unexpected results. We support adding in these rules so they can be tested, tweaked and improved before they become generally available.
A rule can be marked as experimental by setting the experimental
flag in the Rule's MetaData:
class MyExperimentalRule(CloudFormationLintRule):
id = 'E1234'
...
experimental = True
To include these rules, use the -e/include-experimental
argument when running cfn-lint.
The following 120 rules are applied by this linter: (This documentation is generated from the Rules, do not alter this manually)
Rule ID | Title | Description | Config (Name:Type:Default) |
Source | Tags |
---|---|---|---|---|---|
E0000 | Parsing error found when parsing the template | Checks for Null values and Duplicate values in resources | Source | base |
|
E0001 | Error found when transforming the template | Errors found when performing transformation on the template | Source | base ,transform |
|
E0002 | Error processing rule on the template | Errors found when processing a rule on the template | Source | base ,rule |
|
E1001 | Basic CloudFormation Template Configuration | Making sure the basic CloudFormation template components are properly configured | Source | base |
|
E1002 | Template size limit | Check the size of the template is less than the upper limit | Source | limits |
|
E1003 | Template description limit | Check if the size of the template description is less than the upper limit | Source | limits |
|
E1004 | Template description can only be a string | Template description can only be a string | Source | description |
|
E1010 | GetAtt validation of parameters | Validates that GetAtt parameters are to valid resources and properties of those resources | Source | functions ,getatt |
|
E1011 | FindInMap validation of configuration | Making sure the function is a list of appropriate config | Source | functions ,findinmap |
|
E1012 | Check if Refs exist | Making sure the refs exist | Source | functions ,ref |
|
E1015 | GetAz validation of parameters | Making sure the function not is of list | Source | functions ,getaz |
|
E1016 | ImportValue validation of parameters | Making sure the function not is of list | Source | functions ,importvalue |
|
E1017 | Select validation of parameters | Making sure the function not is of list | Source | functions ,select |
|
E1018 | Split validation of parameters | Making sure the split function is properly configured | Source | functions ,split |
|
E1019 | Sub validation of parameters | Making sure the sub function is properly configured | Source | functions ,sub |
|
E1020 | Ref validation of value | Making the Ref has a value of String (no other functions are supported) | Source | functions ,ref |
|
E1021 | Base64 validation of parameters | Making sure the function not is of list | Source | functions ,base64 |
|
E1022 | Join validation of parameters | Making sure the join function is properly configured | Source | functions ,join |
|
E1023 | Validation NOT function configuration | Making sure that NOT functions are list | Source | functions ,not |
|
E1024 | Cidr validation of parameters | Making sure the function CIDR is a list with valid values | Source | functions ,cidr |
|
E1026 | Cannot reference resources in the Conditions block of the template | Check that any Refs in the Conditions block uses no resources | Source | functions ,ref |
|
E1027 | Check dynamic references secure strings are in supported locations | Dynamic References Secure Strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. | Source | functions ,dynamic reference |
|
E1028 | Check Fn::If structure for validity | Check Fn::If to make sure its valid. Condition has to be a string. | Source | functions ,if |
|
E1029 | Sub is required if a variable is used in a string | If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. | Source | functions ,sub |
|
E2001 | Parameters have appropriate properties | Making sure the parameters are properly configured | Source | parameters |
|
E2002 | Parameters have appropriate type | Making sure the parameters have a correct type | Source | parameters |
|
E2003 | Parameters have appropriate names | Check if Parameters are properly named (A-Za-z0-9) | Source | parameters |
|
E2004 | CIDR Allowed Values should be a Cidr Range | Check if a parameter is being used as a CIDR. If it is make sure allowed values are proper CIDRs | Source | parameters ,cidr |
|
E2010 | Parameter limit not exceeded | Check the number of Parameters in the template is less than the upper limit | Source | parameters ,limits |
|
E2011 | Parameter name limit not exceeded | Check the size of Parameter names in the template is less than the upper limit | Source | parameters ,limits |
|
E2012 | Parameter value limit not exceeded | Check if the size of Parameter values in the template is less than the upper limit | Source | parameters ,limits |
|
E2014 | Default value cannot use Refs | Check if Refs are not used in Parameter Defaults | Source | parameters |
|
E2015 | Default value is within parameter constraints | Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern | Source | parameters |
|
E2503 | Resource ELB Properties | See if Elb Resource Properties are set correctly HTTPS has certificate HTTP has no certificate | Source | properties ,elb |
|
E2504 | Check Ec2 Ebs Properties | See if Ec2 Eb2 Properties are valid | Source | properties ,ec2 ,ebs |
|
E2505 | Resource EC2 VPC Properties | Check if the default tenancy is default or dedicated and that CidrBlock is a valid CIDR range. | Source | properties ,vpc |
|
E2506 | Resource EC2 Security Group Ingress Properties | See if EC2 Security Group Ingress Properties are set correctly. Check that "SourceSecurityGroupId" or "SourceSecurityGroupName" are are exclusive and using the type of Ref or GetAtt | Source | resources ,securitygroup |
|
E2507 | Check if IAM Policies are properly configured | See if there elements inside an IAM policy are correct | Source | properties ,iam |
|
E2510 | Resource EC2 PropertiesEc2Subnet Properties | See if EC2 Subnet Properties are set correctly | Source | properties ,subnet |
|
E2520 | Check Properties that are mutually exclusive | Making sure CloudFormation properties that are exclusive are not defined | Source | resources |
|
E2521 | Check Properties that are required together | Make sure CloudFormation resource properties are included together when required | Source | resources |
|
E2522 | Check Properties that need at least one of a list of properties | Making sure CloudFormation properties that require at least one property from a list. More than one can be included. | Source | resources |
|
E2523 | Check Properties that need only one of a list of properties | Making sure CloudFormation properties that require only one property from a list. One has to be specified. | Source | resources |
|
E2529 | Check for duplicate Lambda events | Check if there are any duplicate log groups in the Lambda event trigger element. | Source | resources ,lambda |
|
E2530 | Check Lambda Memory Size Properties | See if Lambda Memory Size is valid | Source | resources ,lambda |
|
E2531 | Check if EOL Lambda Function Runtimes are used | Check if an EOL Lambda Runtime is specified and give an error if used. | Source | resources ,lambda ,runtime |
|
E2532 | Check State Machine Definition for proper syntax | Check the State Machine String Definition to make sure its JSON. Validate basic syntax of the file to determine validity. | Source | resources ,stepfunctions |
|
E2540 | CodePipeline Stages | See if CodePipeline stages are set correctly | Source | properties ,codepipeline |
|
E2541 | CodePipeline Stage Actions | See if CodePipeline stage actions are set correctly | Source | resources ,codepipeline |
|
E3001 | Basic CloudFormation Resource Check | Making sure the basic CloudFormation resources are properly configured | Source | resources |
|
E3002 | Resource properties are valid | Making sure that resources properties are properly configured | Source | resources |
|
E3003 | Required Resource Parameters are missing | Making sure that Resources properties that are required exist | Source | resources |
|
E3004 | Resource dependencies are not circular | Check that Resources are not circularly dependent by Ref, Sub, or GetAtt | Source | resources ,circularly |
|
E3005 | Check DependsOn values for Resources | Check that the DependsOn values are valid | Source | resources ,dependson |
|
E3006 | Resources have appropriate names | Check if Resources are properly named (A-Za-z0-9) | Source | resources |
|
E3008 | Check values of properties for valid Refs and GetAtts | Checks resource properties for Ref and GetAtt values | Source | resources |
|
E3010 | Resource limit not exceeded | Check the number of Resources in the template is less than the upper limit | Source | resources ,limits |
|
E3011 | Resource name limit not exceeded | Check the size of Resource names in the template is less than the upper limit | Source | resources ,limits |
|
E3012 | Check resource properties values | Checks resource property values with Primitive Types for values that match those types. | strict:boolean:True | Source | resources |
E3013 | CloudFront Aliases | CloudFront aliases should contain valid domain names | Source | properties ,cloudfront |
|
E3016 | Check the configuration of a resources UpdatePolicy | Make sure a resources UpdatePolicy is properly configured | Source | resources ,updatepolicy |
|
E3020 | Validate Route53 RecordSets | Check if all RecordSets are correctly configured | Source | resources ,route53 ,record_set |
|
E3021 | Check Events Rule Targets are less than or equal to 5 | CloudWatch Events Rule can only support up to 5 targets | Source | resources ,events |
|
E3022 | Resource SubnetRouteTableAssociation Properties | Validate there is only one SubnetRouteTableAssociation per subnet | Source | resources ,subnet ,route table |
|
E3023 | Validate that AlarmIdentifier is specified when using CloudWatch Metrics | When using a CloudWatch Metric for Route53 Health Checks you must also specify the AlarmIdentifier | Source | resources ,route53 ,alarm_identifier |
|
E3024 | Validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST | When using ProvisionedThroughput with BillingMode PAY_PER_REQUEST will result in BillingMode being changed to PROVISIONED | Source | resources ,dynamodb ,provisioned_throughput ,billing_mode |
|
E3025 | RDS instance type is compatible with the RDS type | Check the RDS instance types are supported by the type of RDS engine. Only if the values are strings will this be checked. | Source | resources ,rds |
|
E3026 | Check Elastic Cache Redis Cluster settings | Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled | Source | resources ,elasticcache |
|
E3027 | Validate AWS Event ScheduleExpression format | Validate the formation of the AWS::Event ScheduleExpression | Source | resources ,events |
|
E3030 | Check if properties have a valid value | Check if properties have a valid value in case of an enumator | Source | resources ,property ,allowed value |
|
E3031 | Check if property values adhere to a specific pattern | Check if properties have a valid value in case of a pattern (Regular Expression) | Source | resources ,property ,allowed pattern ,regex |
|
E3032 | Check if a list has between min and max number of values specified | Check lists for the number of items in the list to validate they are between the minimum and maximum | Source | resources ,property ,list ,size |
|
E3033 | Check if a string has between min and max number of values specified | Check strings for its length between the minimum and maximum | Source | resources ,property ,string ,size |
|
E3034 | Check if a number is between min and max | Check numbers (integers and floats) for its value being between the minimum and maximum | Source | resources ,property ,number ,size |
|
E3035 | Check DeletionPolicy values for Resources | Check that the DeletionPolicy values are valid | Source | resources ,deletionpolicy |
|
E3036 | Check UpdateReplacePolicy values for Resources | Check that the UpdateReplacePolicy values are valid | Source | resources ,updatereplacepolicy |
|
E3037 | Check if a list has duplicate values | Certain lists don't support duplicate items. Check when duplicates are provided but not supported. | Source | resources ,property ,list |
|
E3038 | Check if Serverless Resources have Serverless Transform | Check that a template with Serverless Resources also includes the Serverless Transform | Source | resources ,transform |
|
E3050 | Check if REFing to a IAM resource with path set | Some resources don't support looking up the IAM resource by name. This check validates when a REF is being used and the Path is not '/' | Source | properties ,iam |
|
E3502 | Check if a JSON Object is within size limits | Validate properties that are JSON values so that their length is within the limits | Source | resources ,limits ,json |
|
E4001 | Metadata Interface have appropriate properties | Metadata Interface properties are properly configured | Source | metadata |
|
E6001 | Outputs have appropriate properties | Making sure the outputs are properly configured | Source | outputs |
|
E6002 | Outputs have required properties | Making sure the outputs have required properties | Source | outputs |
|
E6003 | Outputs have values of strings | Making sure the outputs have strings as values | Source | outputs |
|
E6004 | Outputs have appropriate names | Check if Outputs are properly named (A-Za-z0-9) | Source | outputs |
|
E6005 | Outputs descriptions can only be strings | Outputs descriptions can only be strings | Source | outputs |
|
E6010 | Output limit not exceeded | Check the number of Outputs in the template is less than the upper limit | Source | outputs ,limits |
|
E6011 | Output name limit not exceeded | Check the size of Output names in the template is less than the upper limit | Source | outputs ,limits |
|
E6012 | Output description limit not exceeded | Check the size of Output description in the template is less than the upper limit | Source | outputs ,limits |
|
E7001 | Mappings are appropriately configured | Check if Mappings are properly configured | Source | mappings |
|
E7002 | Mappings have appropriate names | Check if Mappings are properly named (A-Za-z0-9) | Source | mapping |
|
E7003 | Mapping keys are strings and alphanumeric | Check if Mappings keys are properly typed as strings and alphanumeric | Source | mapping |
|
E7010 | Mapping limit not exceeded | Check the number of Mappings in the template is less than the upper limit | Source | mappings ,limits |
|
E7011 | Mapping name limit not exceeded | Check the size of Mapping names in the template is less than the upper limit | Source | mappings ,limits |
|
E7012 | Mapping attribute limit not exceeded | Check if the amount of Mapping attributes in the template is less than the upper limit | Source | mappings ,limits |
|
E8001 | Conditions have appropriate properties | Check if Conditions are properly configured | Source | conditions |
|
E8002 | Check if the referenced Conditions are defined | Making sure the used conditions are actually defined in the Conditions section | Source | conditions |
|
E8003 | Check Fn::Equals structure for validity | Check Fn::Equals is a list of two elements | Source | functions ,equals |
|
E8004 | Check Fn::And structure for validity | Check Fn::And is a list of two elements | Source | functions ,and |
|
E8005 | Check Fn::Not structure for validity | Check Fn::Not is a list of two elements | Source | functions ,not |
|
E8006 | Check Fn::Or structure for validity | Check Fn::Or is a list of two elements | Source | functions ,or |
|
I3011 | Check DynamoDB tables have a set DeletionPolicy | The default action when removing a DynamoDB Table is to delete it. This check requires you to specifically set a DeletionPolicy and you know the risks | Source | resources ,dynamodb |
|
I3037 | Check if a list that allows duplicates has any duplicates | Certain lists support duplicate items.Provide an alert when list of strings or numbers have repeats. | Source | resources ,property ,list |
|
W1001 | Ref/GetAtt to resource that is available when conditions are applied | Check the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition. | Source | resources ,relationships |
|
W1011 | FindInMap keys exist in the map | Checks the keys in a FindInMap to make sure they exist. Check only if the Map Name is a string and if the key is a string. | Source | functions ,findinmap |
|
W1019 | Sub validation of parameters | Validate that Fn::Sub Parameters are used | Source | functions ,sub |
|
W1020 | Sub isn't needed if it doesn't have a variable defined | Checks sub strings to see if a variable is defined. | Source | functions ,sub |
|
W2001 | Check if Parameters are Used | Making sure the parameters defined are used | Source | parameters |
|
W2030 | Check if parameters have a valid value | Check if parameters have a valid value in case of an enumator. The Parameters allowed values is based on the usages in property (Ref) | Source | resources ,property ,allowed value |
|
W2501 | Check if Password Properties are correctly configured | Password properties should be strings and if parameter using NoEcho | Source | parameters ,passwords |
|
W2506 | Check if ImageId Parameters have the correct type | See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id] | Source | parameters ,imageid |
|
W2509 | CIDR Parameters have allowed values | Check if a parameter is being used as a CIDR. If it is make sure it has allowed values regex comparisons | Source | parameters ,availabilityzone |
|
W2510 | Parameter Memory Size attributes should have max and min | Check if a parameter that is used for Lambda memory size should have a min and max size that matches Lambda constraints | Source | parameters ,lambda |
|
W2511 | Check IAM Resource Policies syntax | See if the elements inside an IAM Resource policy are configured correctly. | Source | properties ,iam |
|
W2531 | Check if EOL Lambda Function Runtimes are used | Check if an EOL Lambda Runtime is specified and give a warning if used. | Source | resources ,lambda ,runtime |
|
W3002 | Warn when properties are configured to only work with the package command | Some properties can be configured to only work with the CloudFormationpackage command. Warn when this is the case so user is aware. | Source | resources |
|
W3005 | Check obsolete DependsOn configuration for Resources | Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. | Source | resources ,dependson |
|
W3010 | Availability Zone Parameters should not be hardcoded | Check if an Availability Zone property is hardcoded. | Source | parameters ,availabilityzone |
|
W4001 | Metadata Interface parameters exist | Metadata Interface parameters actually exist | Source | metadata |
|
W6001 | Check Outputs using ImportValue | Check if the Output value is set using ImportValue, so creating an Output of an Output | Source | outputs ,importvalue |
|
W7001 | Check if Mappings are Used | Making sure the mappings defined are used | Source | conditions |
|
W8001 | Check if Conditions are Used | Making sure the conditions defined are used | Source | conditions |
Rule ID | Title | Description | Source | Tags |
---|---|---|---|---|
W3037 | Check IAM Permission configuration | Check for valid IAM Permissions | Source |