Errors will start with the letter E. Errors will result in a hard failure for the template being validated.
Warnings start with the letter W. Warnings alert you when the template doesnt follow best practices but should still function. Example: If you use a parameter for a RDS master password you should have the parameter property NoEcho set to true.
| Rule Numbers | Category |
|---|---|
| (E|W)0XXX | Basic Template Errors. Examples: Not parseable, main sections (Outputs, Resources, etc.) |
| (E|W)1XXX | Functions (Ref, GetAtt, etc.) |
| (E|W)2XXX | Parameters |
| (E|W)3XXX | Resources |
| (E|W)4XXX | Metadata |
| (E|W)6xxx | Outputs |
| (E|W)7xxx | Mappings |
| (E|W)8xxx | Conditions |
| (E|W)9xxx | Reserved for users rules |
Warning
Rule E3012 is used to check the types for value of a resource property. A number is a number, string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process so all instances of this issue are considered errors. You can disable this rule using --ignore-checks if it is not required for your internal best practices.
The following 81 rules are applied by this linter:
| Rule ID | Title | Description | Source | Tags |
|---|---|---|---|---|
| E0000 | Parsing error found when parsing the template | Checks for Null values and Duplicate values in resources | Source | base |
| E0001 | Error found when transforming the template | Errors found when performing transformation on the template | Source | base,transform |
| E0002 | Error processing rule on the template | Errors found when processing a rule on the template | Source | base,rule |
| E1001 | Basic CloudFormation Template Configuration | Making sure the basic CloudFormation template components are properly configured | Source | base |
| E1002 | Template size limit | Check the size of the template is less than the upper limit | Source | limits |
| E1003 | Template description limit | Check if the size of the template description is less than the upper limit | Source | limits |
| E1010 | GetAtt validation of parameters | Validates that GetAtt parameters are to valid resources and properties of those resources | Source | functions,getatt |
| E1011 | FindInMap validation of configuration | Making sure the function is a list of appropriate config | Source | functions,findinmap |
| E1012 | Check if Refs exist | Making sure the refs exist | Source | functions,ref |
| E1015 | GetAz validation of parameters | Making sure the function not is of list | Source | functions,getaz |
| E1016 | ImportValue validation of parameters | Making sure the function not is of list | Source | functions,importvalue |
| E1017 | Select validation of parameters | Making sure the function not is of list | Source | functions,select |
| E1018 | Split validation of parameters | Making sure the split function is properly configured | Source | functions,split |
| E1019 | Sub validation of parameters | Making sure the split function is properly configured | Source | functions,sub |
| E1020 | Ref validation of value | Making the Ref has a value of String (no other functions are supported) | Source | functions,ref |
| E1021 | Base64 validation of parameters | Making sure the function not is of list | Source | functions,base64 |
| E1022 | Join validation of parameters | Making sure the join function is properly configured | Source | functions,join |
| E1023 | Validation NOT function configuration | Making sure that NOT functions are list | Source | functions,not |
| E1024 | Cidr validation of parameters | Making sure the function CIDR is a list with valid values | Source | functions,cidr |
| E1025 | Check if Conditions exist | Making sure the Conditions used in Fn:If functions exist | Source | functions,if |
| E1026 | Cannot reference resources in the Conditions block of the template | Check that any Refs in the Conditions block uses no resources | Source | functions,ref |
| E2001 | Parameters have appropriate properties | Making sure the parameters are properly configured | Source | parameters |
| E2002 | Parameters have appropriate type | Making sure the parameters have a correct type | Source | parameters |
| E2003 | Parameters have appropriate names | Check if Parameters are properly named (A-Za-z0-9) | Source | parameters |
| E2004 | CIDR Allowed Values should be a Cidr Range | Check if a parameter is being used as a CIDR. If it is make sure allowed values are proper CIDRs | Source | parameters,cidr |
| E2010 | Parameter limit not exceeded | Check the number of Parameters in the template is lessthan the upper limit | Source | parameters,limits |
| E2011 | Parameter name limit not exceeded | Check the size of Parameter names in the template is less than the upper limit | Source | parameters,limits |
| E2012 | Parameter value limit not exceeded | Check if the size of Parameter values in the template is less than the upper limit | Source | parameters,limits |
| E2015 | Default value is within parameter constraints | Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern | Source | parameters |
| E2502 | Check if IamInstanceProfile are using the name and not ARN | See if there are any properties IamInstanceProfileare using name and not ARN | Source | properties |
| E2503 | Resource ELB Properties | See if Elb Resource Properties are set correctly HTTPS has certificate HTTP has no certificate | Source | properties,elb |
| E2504 | Check Ec2 Ebs Properties | See if Ec2 Eb2 Properties are valid | Source | properties,ec2,ebs |
| E2505 | Resource EC2 VPC Properties | See if EC2 VPC Properties are set correctly | Source | properties,vpc |
| E2506 | Resource EC2 Security Group Ingress Properties | See if EC2 Security Group Ingress Properties are set correctly. Check that "SourceSecurityGroupId" or "SourceSecurityGroupName" are are exclusive and using the type of Ref or GetAtt | Source | resources,securitygroup |
| E2507 | Check if IAM Policies are properly configured | See if there elements inside an IAM policy are correct | Source | properties,iam |
| E2508 | Check IAM resource limits | See if IAM resources do not breach limits | Source | resources,iam |
| E2509 | Validate SecurityGroup description | Check if SecurityGroup descriptions are correctly configured | Source | resources,securitygroup |
| E2510 | Resource EC2 PropertiesEc2Subnet Properties | See if EC2 Subnet Properties are set correctly | Source | properties,subnet |
| E2520 | Check Properties that are mutually exclusive | Making sure CloudFormation properties that are exclusive are not defined | Source | resources |
| E2521 | Check Properties that are required together | Make sure CloudFormation resource properties are included together when required | Source | resources |
| E2522 | Check Properties that need at least one of a list of properties | Making sure CloudFormation properties that require at least one property from a list. More than one can be included. | Source | resources |
| E2523 | Check Properties that need only one of a list of properties | Making sure CloudFormation properties that require only one property from a list. One has to be specified. | Source | resources |
| E2530 | Check Lambda Memory Size Properties | See if Lambda Memory Size is valid | Source | resources,lambda |
| E2531 | Check Lambda Runtime Properties | See if Lambda Runtime is in valid | Source | resources,lambda |
| E2540 | CodePipeline Stages | See if CodePipeline stages are set correctly | Source | properties,codepipeline |
| E2541 | CodePipeline Stage Actions | See if CodePipeline stage actions are set correctly | Source | resources,codepipeline |
| E3001 | Basic CloudFormation Resource Check | Making sure the basic CloudFormation resources are properly configured | Source | resources |
| E3002 | Resource properties are valid | Making sure that resources properties are properly configured | Source | resources |
| E3003 | Required Resource Parameters are missing | Making sure that Resources properties that are required exist | Source | resources |
| E3004 | Resource dependencies are not circular | Check that Resources are not circularly dependent by Ref, Sub, or GetAtt | Source | resources,circularly |
| E3005 | Check DependsOn values for Resources | Check that the DependsOn values are valid | Source | resources,dependson |
| E3006 | Resources have appropriate names | Check if Resources are properly named (A-Za-z0-9) | Source | resources |
| E3010 | Resource limit not exceeded | Check the number of Resources in the template is lessthan the upper limit | Source | resources,limits |
| E3011 | Resource name limit not exceeded | Check the size of Resource names in the template is less than the upper limit | Source | resources,limits |
| E3012 | Check resource properties values | Checks resource property values with Primitive Types for values that match those types. | Source | resources |
| E3013 | CloudFront Aliases | CloudFront aliases should contain valid domain names | Source | properties,cloudfront |
| E3020 | Validate Route53 RecordSets | Check if all RecordSets are correctly configured | Source | resources,route53,record_set |
| E4001 | Metadata Interface have appropriate properties | Metadata Interface properties are properly configured | Source | metadata |
| E6001 | Outputs have appropriate properties | Making sure the outputs are properly configured | Source | outputs |
| E6002 | Outputs have required properties | Making sure the outputs have required properties | Source | outputs |
| E6003 | Outputs have values of strings | Making sure the outputs have strings as values | Source | outputs |
| E6004 | Outputs have appropriate names | Check if Outputs are properly named (A-Za-z0-9) | Source | outputs |
| E6010 | Output limit not exceeded | Check the number of Outputs in the template is lessthan the upper limit | Source | outputs,limits |
| E6011 | Output name limit not exceeded | Check the size of Output names in the template is less than the upper limit | Source | outputs,limits |
| E7001 | Mappings are appropriately configured | Check if Mappings are properly configured | Source | mappings |
| E7002 | Mappings have appropriate names | Check if Mappings are properly named (A-Za-z0-9) | Source | mapping |
| E7010 | Mapping limit not exceeded | Check the number of Mappings in the template is lessthan the upper limit | Source | mappings,limits |
| E7011 | Mapping name limit not exceeded | Check the size of Mapping names in the template is less than the upper limit | Source | mappings,limits |
| E7012 | Mapping attribute limit not exceeded | Check if the amount of Mapping attributes in the template is less than the upper limit | Source | mappings,limits |
| E8001 | Conditions have appropriate properties | Check if Conditions are properly configured | Source | conditions |
| W2001 | Check if Parameters are Used | Making sure the parameters defined are used | Source | parameters |
| W2501 | Check if Password Properties are correctly configured | Password properties should be strings and if parameter using NoEcho | Source | parameters,passwords |
| W2505 | Check if VpcID Parameters have the correct type | See if there are any refs for VpcId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::VPC::Id, AWS::SSM::Parameter::ValueAWS::EC2::VPC::Id] | Source | parameters,vpcid |
| W2506 | Check if ImageId Parameters have the correct type | See if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id] | Source | parameters,imageid |
| W2507 | Security Group Parameters are of correct type AWS::EC2::SecurityGroup::Id | Check if a parameter is being used in a resource for Security Group. If it is make sure it is of type AWS::EC2::SecurityGroup::Id | Source | parameters,securitygroup |
| W2508 | Availability Zone Parameters are of correct type AWS::EC2::AvailabilityZone::Name | Check if a parameter is being used in a resource for Security Group. If it is make sure it is of type AWS::EC2::AvailabilityZone::Name | Source | parameters,availabilityzone |
| W2509 | CIDR Parameters have allowed values | Check if a parameter is being used as a CIDR. If it is make sure it has allowed values regex comparisons | Source | parameters,availabilityzone |
| W2510 | Parameter Memory Size attributes should have max and min | Check if a parameter that is used for Lambda memory size should have a min and max size that matches Lambda constraints | Source | parameters,lambda |
| W2512 | Parameter Lambda Runtime has allowed values set | Check if a parameter that is used for Lambda runtime has allowed values constraint defined | Source | parameters,lambda |
| W3005 | Check obsolete DependsOn configuration for Resources | Check if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency. | Source | resources,dependson |
| W3010 | Availability Zone Parameters should not be hardcoded | Check if an Availability Zone property is hardcoded. | Source | parameters,availabilityzone |
| W4001 | Metadata Interface parameters exist | Metadata Interface parameters actually exist | Source | metadata |
| W7001 | Check if Mappings are Used | Making sure the mappings defined are used | Source | conditions |
| W8001 | Check if Conditions are Used | Making sure the conditions defined are used | Source | conditions |