Rules

April 27, 2026

Rule levels

A rule returns feedback on a specific level: Error, Warning or Informational.

Errors

Errors start with the letter E. An error will (or can) result in a hard failure when the template is validated or deployed.

Warnings

Warnings start with the letter W. Warnings alert you when the template doesn't follow best practices but should still function. Example: if you use a parameter for an RDS master password you should have the parameter property NoEcho set to true, otherwise the value is echoed back by the stack API and console.

Informational

Informational results start with the letter I. Informational results alert you when the template doesn't follow best practices, just like Warnings, but in a non-blocking way. The Informational level is disabled by default and has to be enabled explicitly using -c I or --include-checks I.

Categories

| Rule numbers | Category |
|---|---|
| (E\|W\|I)0XXX | Basic template errors. Examples: not parseable, main sections (Outputs, Resources, etc.) |
| (E\|W\|I)1XXX | Functions (Ref, GetAtt, etc.) |
| (E\|W\|I)2XXX | Parameters |
| (E\|W\|I)3XXX | Resources |
| (E\|W\|I)4XXX | Metadata |
| (E\|W\|I)6XXX | Outputs |
| (E\|W\|I)7XXX | Mappings |
| (E\|W\|I)8XXX | Conditions |
| (E\|W\|I)9XXX | Reserved for user rules |

Warning: Rule E3012 checks the types of resource property values. A number is a number, a string is a string, etc. There are occasions where this could be just a warning and other times it could be an error. cfn-lint doesn't have an exception process, so all instances of this issue are reported as errors. You can disable this rule using --ignore-checks E3012 if it is not required for your internal best practices. Conversely, strict typing is NOT enforced by default for this rule (a numeric value supplied as a string passes), so if strict adherence to resource value types is necessary for your use case, you can use --configure-rule E3012:strict=true to enforce it.

Experimental rules

Sometimes there are (new) rules that might be complex, that don't have enough solid test templates and examples, and/or might have unexpected results. We support adding these rules so they can be tested, tweaked and improved before they become generally available.

A rule can be marked as experimental by setting the experimental flag in the rule's metadata:

from cfnlint.rules import CloudFormationLintRule


class MyExperimentalRule(CloudFormationLintRule):
    id = 'E1234'  # the leading letter sets the level (E, W or I)
    ...
    experimental = True  # skipped unless cfn-lint is run with -e

To include these rules, use the -e/--include-experimental argument when running cfn-lint.
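The rule-level, category and experimental-flag behaviour described above can be seen end to end in the following added example. It is not cfn-lint's own code: it is a self-contained stand-in that models how a rule's id prefix determines its level, how three hypothetical user rules in the reserved 9XXX range (W9001, E9002, I9003; the names, ids and the constructed sample template are assumptions for illustration) produce matches, and how the -c/--include-checks, -e/--include-experimental and --ignore-checks switches select which rules run. The W9001 rule implements the NoEcho check used as the warning example earlier on this page.

```python
"""Added example, not cfn-lint's code: a minimal model of rule levels,
experimental rules and the CLI switches that select which rules run."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

LEVELS = {"E": "Error", "W": "Warning", "I": "Informational"}


@dataclass(frozen=True)
class Match:
    rule_id: str
    path: Tuple[str, ...]
    message: str


class LintRule:
    """Stand-in for CloudFormationLintRule: the first letter of the id is the level."""
    id = ""
    experimental = False

    @property
    def level(self) -> str:
        return LEVELS[self.id[0]]

    def match(self, template: dict) -> List[Match]:
        raise NotImplementedError


class SecretParameterNoEcho(LintRule):
    """Hypothetical W9001: a parameter that looks like a secret should set NoEcho: true,
    otherwise its value is returned by the stack API and shown in the console."""
    id = "W9001"
    KEYWORDS = ("password", "secret", "token")

    def match(self, template: dict) -> List[Match]:
        found = []
        for name, param in template.get("Parameters", {}).items():
            looks_secret = any(k in name.lower() for k in self.KEYWORDS)
            if looks_secret and param.get("NoEcho") is not True:
                found.append(Match(self.id, ("Parameters", name),
                                   f"{name} looks like a secret but NoEcho is not true"))
        return found


class ResourceHasType(LintRule):
    """Hypothetical E9002: a resource without a Type can never deploy, so this is an error."""
    id = "E9002"

    def match(self, template: dict) -> List[Match]:
        return [Match(self.id, ("Resources", name), f"Resource {name} has no Type")
                for name, res in template.get("Resources", {}).items() if "Type" not in res]


class TemplateHasDescription(LintRule):
    """Hypothetical I9003, flagged experimental: advisory only, never blocks."""
    id = "I9003"
    experimental = True

    def match(self, template: dict) -> List[Match]:
        if "Description" in template:
            return []
        return [Match(self.id, ("Description",), "Template has no Description")]


def select_rules(rules: Sequence[LintRule], include_checks: Sequence[str] = (),
                 include_experimental: bool = False,
                 ignore_checks: Sequence[str] = ()) -> List[LintRule]:
    """Models the switches: I rules run only with -c I, experimental rules only with -e,
    and --ignore-checks drops rules whose id starts with any given prefix (assumed semantics)."""
    selected = []
    for rule in rules:
        if rule.id.startswith("I") and not any(rule.id.startswith(p) for p in include_checks):
            continue
        if rule.experimental and not include_experimental:
            continue
        if any(rule.id.startswith(p) for p in ignore_checks):
            continue
        selected.append(rule)
    return selected


def lint(template: dict, rules: Sequence[LintRule], **options) -> List[Match]:
    return [m for rule in select_rules(rules, **options) for m in rule.match(template)]


def has_errors(matches: Sequence[Match]) -> bool:
    """Only E-level findings should fail a pipeline; W and I are advisory."""
    return any(m.rule_id.startswith("E") for m in matches)


RULES = [SecretParameterNoEcho(), ResourceHasType(), TemplateHasDescription()]

# Constructed sample template (not from the page): one leaky parameter, one typeless resource.
TEMPLATE = {
    "Parameters": {
        "DBMasterPassword": {"Type": "String"},
        "ApiToken": {"Type": "String", "NoEcho": True},
    },
    "Resources": {
        "Db": {"Type": "AWS::RDS::DBInstance",
               "Properties": {"MasterUserPassword": {"Ref": "DBMasterPassword"}}},
        "Orphan": {"Properties": {}},
    },
}

if __name__ == "__main__":
    for m in lint(TEMPLATE, RULES, include_checks=("I",), include_experimental=True):
        print(m.rule_id, "/".join(m.path), m.message)
```

Running the block with the default options reports W9001 for DBMasterPassword and E9002 for Orphan; I9003 appears only when both include_checks contains "I" and include_experimental is set, mirroring the way an experimental Informational rule needs both -c I and -e in cfn-lint.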

Rules

(This documentation is generated by running cfn-lint --update-documentation, do not alter this manually)

The following 307 rules are applied by this linter:

| Rule ID | Title | Description | Config (Name:Type:Default) | Tags |
|---|---|---|---|---|
| E0000 | Parsing error found when parsing the template | Checks for JSON/YAML formatting errors in your template | | base |
| E0001 | Error found when transforming the template | Errors found when performing transformation on the template | | base,transform |
| E0002 | Error processing rule on the template | Errors found when processing a rule on the template | | base,rule |
| E0003 | Error with cfn-lint configuration | Error as a result of the cfn-lint configuration | | base,rule |
| E0100 | Validate deployment file configuration | Validate if a deployment file has the correct syntax for one of the supported formats | | base |
| E0200 | Validate parameter file configuration | Validate if a parameter file has the correct syntax for one of the supported formats | | base |
| E1001 | Basic CloudFormation Template Configuration | Making sure the basic CloudFormation template components are properly configured | sections:string: | base |
| E1002 | Validate if a template size is too large | Check the size of the template is less than the upper limit | | limits |
| E1003 | Validate the max size of a description | Check if the size of the template description is less than the upper limit | | description,limits |
| E1004 | Template description can only be a string | Template description can only be a string | | description |
| E1005 | Validate Transform configuration | Validate that the transforms section of a template is properly configured | | transform |
| E1010 | GetAtt validation of parameters | Validates that GetAtt parameters are to valid resources and properties of those resources | | functions,getatt |
| E1011 | FindInMap validation of configuration | Making sure the function is a list of appropriate config | | functions,findinmap |
| E1015 | GetAz validation of parameters | Making sure the GetAz function is properly configured | | functions,getaz |
| E1016 | ImportValue validation of parameters | Making sure the ImportValue function is properly configured | | functions,importvalue |
| E1017 | Select validation of parameters | Making sure the Select function is properly configured | | functions,select |
| E1018 | Split validation of parameters | Making sure the Split function is properly configured | | functions,split |
| E1019 | Sub validation of parameters | Making sure the Sub function is properly configured | | functions,sub |
| E1020 | Ref validation of value | Making sure the Ref has a String value (no other functions are supported) | | functions,ref |
| E1021 | Base64 validation of parameters | Making sure the Base64 function is properly configured | | functions,base64 |
| E1022 | Join validation of parameters | Making sure the Join function is properly configured | | functions,join |
| E1024 | Cidr validation of parameters | Making sure the function Cidr is a list with valid values | | functions,cidr |
| E1027 | Check dynamic references secure strings are in supported locations | Dynamic references to secure strings are only supported for a small set of resource properties. Validate that they are being used in the correct location when checking values and Fn::Sub in resource properties. Currently doesn't check outputs, maps, conditions, parameters, and descriptions. | | functions,dynamic reference |
| E1028 | Check Fn::If structure for validity | Check Fn::If to make sure it's valid. Condition has to be a string. | | functions,if |
| E1029 | Sub is required if a variable is used in a string | If a substitution variable exists in a string but isn't wrapped with the Fn::Sub function the deployment will fail. | custom_excludes:string: | functions,sub |
| E1030 | Length validation of parameters | Making sure Fn::Length is configured correctly | | functions,length |
| E1031 | ToJsonString validation of parameters | Making sure Fn::ToJsonString is configured correctly | | functions,toJsonString |
| E1032 | Validates ForEach functions | Validates that ForEach parameters have a valid configuration | | functions,foreach |
| E1040 | Check if GetAtt matches destination format | Validate that if source and destination formats exist they match | | functions,getatt |
| E1041 | Check if Ref matches destination format | When source and destination formats exist validate that they match in a Ref | | functions,ref |
| E1050 | Validate the structure of a dynamic reference | Make sure dynamic reference strings have the correct syntax | | functions,dynamic reference |
| E1051 | Validate dynamic references to Secrets Manager are only in resource properties | Dynamic references to Secrets Manager can only be used in resource properties | | functions,dynamic reference |
| E1052 | Validate dynamic references to SSM are in a valid location | Dynamic references to SSM parameters are only supported in certain locations | | functions,dynamic reference |
| E1101 | Validate an item against additional checks | Use supplemental logic to validate properties against | | |
| E1103 | Validate the format of a value | Parent rule for validating the format keyword in schemas | | |
| E1150 | Validate security group format | Security groups have to Ref/GetAtt a security group or match the valid pattern | | |
| E1151 | Validate VPC id format | Check that a VPC id matches a pattern | | |
| E1152 | Validate AMI id format | Check that an AMI id matches a pattern | | |
| E1153 | Validate security group name | Security group names have to match a valid pattern | | |
| E1154 | Validate VPC subnet id format | Check that a VPC subnet id matches a pattern | | |
| E1155 | Validate CloudWatch Logs group name | Check that a CloudWatch log group name matches a pattern | | |
| E1156 | Validate IAM role ARN format | Validate IAM role ARN format for Ref/GetAtt and string values | | |
| E1157 | Validate KMS key ARN format | Validate KMS key ARN format for Ref/GetAtt and string values | | |
| E1158 | Validate SNS topic ARN format | Validate SNS topic ARN format for Ref/GetAtt and string values | | |
| E1159 | Validate ACM certificate ARN format | Validate ACM certificate ARN format for Ref/GetAtt and string values | | |
| E1160 | Validate Lambda function ARN format | Validate Lambda function ARN format for Ref/GetAtt and string values | | |
| E1161 | Validate S3 bucket name format | Validate S3 bucket name format for Ref/GetAtt and string values | | |
| E1162 | Validate KMS key ID format | Validate KMS key ID format for key UUIDs and aliases | | |
| E1163 | Validate Lambda function name format | Validate Lambda function name format for Ref/GetAtt and string values | | |
| E1164 | Validate KMS alias name format | Validate KMS alias name format for Ref/GetAtt and string values | | |
| E1700 | Rules have the appropriate configuration | Making sure the Rules section is properly configured | | rules |
| E1701 | Validate the configuration of Assertions | Make sure the Assert value in a Rule is properly configured | | rules |
| E1702 | Validate the configuration of Rules RuleCondition | Make sure the RuleCondition in a Rule is properly configured | | rules |
| E2001 | Parameters have appropriate properties | Making sure the parameters are properly configured | | parameters |
| E2002 | Parameters have appropriate type | Making sure the parameters have a correct type | | parameters |
| E2003 | Parameters have appropriate names | Check if Parameters are properly named (A-Za-z0-9) | | parameters,name |
| E2010 | Parameter limit not exceeded | Check the number of Parameters in the template is less than the upper limit | | parameters,limits |
| E2011 | Validate the name for a parameter | Validate the name of a parameter with special handling of the max length | | parameters,limits |
| E2015 | Default value is within parameter constraints | Making sure the parameters have a default value inside AllowedValues, MinValue, MaxValue, AllowedPattern | | parameters |
| E2529 | Check that SubscriptionFilters don't have more than 2 attachments to a CloudWatch Log Group | The current limit for a CloudWatch Log Group is 2 subscription filters. We look for duplicate LogGroupNames inside Subscription Filters and make sure they are within 2. This doesn't account for any other subscription filters being set outside the template. | | resources,lambda |
| E2530 | SnapStart supports the configured runtime | To properly leverage SnapStart, you must have a runtime of Java11 or greater | | resources,lambda |
| E2531 | Validate if Lambda runtime is deprecated | Check the Lambda runtime has reached the end of life | | resources,lambda,runtime |
| E2533 | Check if Lambda Function Runtimes are updatable | Check if an EOL Lambda Runtime is specified and you cannot update the function | | resources,lambda,runtime |
| E2900 | Validate deployment file parameters are valid against template parameters | Validates that required properties are provided, allowed values are valid, types are correct, and the pattern matches in a deployment file for the parameters specified in a template | | parameters |
| E3001 | Basic CloudFormation Resource Check | Making sure the basic CloudFormation resources are properly configured | | resources |
| E3002 | Resource properties are invalid | Making sure that resource properties are properly configured | | resources |
| E3003 | Required Resource properties are missing | Make sure that Resource properties that are required exist | | resources,properties,required |
| E3004 | Resource dependencies are not circular | Check that Resources are not circularly dependent by DependsOn, Ref, Sub, or GetAtt | | resources,circularly,dependson,ref,sub,getatt |
| E3005 | Check DependsOn values for Resources | Check that the DependsOn values are valid | | resources,dependson |
| E3006 | Validate the CloudFormation resource type | Resource types are validated against the spec accounting for regions | | resources |
| E3007 | Unique resource and parameter names | All resources and parameters must have unique names | | parameters,resources |
| E3008 | Validate an array in order | Will validate arrays in order for schema validation | | resources,properties,array,prefixItems |
| E3009 | Check CloudFormation init configuration | Validate that the items in a CloudFormation init adhere to standards | | resources,cloudformation init |
| E3010 | Resource limit not exceeded | Check the number of Resources in the template is less than the upper limit | | resources,limits |
| E3011 | Check property names in Resources | Validate property names are properly configured in Resources | | resources,limits |
| E3012 | Check resource property values | Checks resource property values with Primitive Types for values that match those types. | strict:boolean:False | resources |
| E3013 | CloudFront Aliases | CloudFront aliases should contain valid domain names | | properties,cloudfront |
| E3014 | Validate only one of a set of required properties is specified | Make sure that Resource properties that are required exist, along with other properties not being specified | | resources |
| E3015 | Validate the resource condition is valid | Check the condition of a resource to make sure it exists inside the template | | resources,conditions |
| E3016 | Check the configuration of a resource's UpdatePolicy | Make sure a resource's UpdatePolicy is properly configured | | resources,updatepolicy |
| E3017 | Check Properties that need at least one of a list of properties | Making sure CloudFormation properties that require at least one property from a list have one. More than one can be included. | | resources |
| E3018 | Check Properties that need only one of a list of properties | Making sure CloudFormation properties that require only one property from a list have exactly one. One has to be specified. | | resources |
| E3019 | Validate that all resources have unique primary identifiers | Use the primary identifiers in a resource schema to validate that resources inside the template are unique | exceptions:object:{'AWS::CodeBuild::Project': {'primaryIdentifier': ['/properties/Name']}} | parameters,resources |
| E3020 | Validate that when a property is specified another property should be excluded | When certain properties are specified other properties should not be included | | resources |
| E3021 | Validate that when a property is specified other properties should be included | When certain properties are specified it results in other properties being required | | resources |
| E3022 | Resource SubnetRouteTableAssociation Properties | Validate there is only one SubnetRouteTableAssociation per subnet | | resources,ec2,subnet,route table |
| E3023 | Validate Route53 RecordSets | Check if all RecordSets are correctly configured | | resources,route53,record_set |
| E3024 | Validate tag configuration | Validates tag values to make sure they have unique keys and they follow pattern requirements | | parameters,resources,tags |
| E3025 | Validates RDS DB Instance Class | Validates the RDS DB instance types based on region and data gathered from the pricing APIs | | resources |
| E3026 | Check ElastiCache Redis Cluster settings | Evaluate Redis Cluster groups to make sure automatic failover is enabled when cluster mode is enabled | | resources,elasticcache |
| E3027 | Validate AWS Event ScheduleExpression format | Validate the formation of the AWS::Event ScheduleExpression | | resources,events |
| E3028 | Validate the metadata section of a resource | The metadata section can be unstructured but we do validate the items we can | | resources |
| E3029 | Validate Route53 record set aliases | When using alias records you can't specify TTL and only certain types are allowed | | resources,route53,record_set |
| E3030 | Check if properties have a valid value | Check if properties have a valid value in case of an enumeration (allowed values) | | resources,property,allowed value |
| E3031 | Check if property values adhere to a specific pattern | Check if properties have a valid value in case of a pattern (Regular Expression) | exceptions:list:[] | resources,property,allowed pattern,regex |
| E3032 | Check if an array has between min and max number of values specified | Check array for the number of items in the list to validate they are between the minimum and maximum | | resources,property,array,length |
| E3033 | Check if a string has between min and max number of characters specified | Check strings for their length being between the minimum and maximum | | resources,property,string,size |
| E3034 | Check if a number is between min and max | Check numbers (integers and floats) for their value being between the minimum and maximum | | resources,property,number,size |
| E3035 | Check DeletionPolicy values for Resources | Check that the DeletionPolicy values are valid | | resources,deletionpolicy |
| E3036 | Check UpdateReplacePolicy values for Resources | Check that the UpdateReplacePolicy values are valid | | resources,updatereplacepolicy |
| E3037 | Check if a list has duplicate values | Certain lists don't support duplicate items. Check when duplicates are provided but not supported. | | resources,property,list |
| E3038 | Check if Serverless Resources have Serverless Transform | Check that a template with Serverless Resources also includes the Serverless Transform | | resources,transform |
| E3039 | AttributeDefinitions / KeySchemas mismatch | Verify the set of Attributes in AttributeDefinitions and KeySchemas match | | resources,dynamodb |
| E3040 | Validate we aren't configuring read only properties | Read only properties can be configured in a CloudFormation template but they aren't sent to the resource provider code and can cause drift. | | resources,properties |
| E3041 | RecordSet HostedZoneName is a superdomain of or equal to Name | In a RecordSet, the HostedZoneName must be a superdomain of or equal to the Name being validated | | resource,properties,route53 |
| E3042 | Validate at least one essential container is specified | Check that every TaskDefinition specifies at least one essential container | | properties,ecs,task,container,fargate |
| E3043 | Validate parameters for a nested stack | Evaluate if parameters for a nested stack are specified and if parameters are specified for a nested stack that aren't required. | | resources,cloudformation |
| E3044 | ECS service using FARGATE or EXTERNAL can only use SchedulingStrategy of REPLICA | When using a LaunchType of FARGATE the SchedulingStrategy has to be REPLICA | | properties,ecs,service,container,fargate |
| E3045 | Validate AccessControl is set with OwnershipControls | When using AccessControl other than private you must also configure OwnershipControls. The default is bucket owner enforced, which disables ACLs. | | resources,s3 |
| E3046 | Validate ECS task logging configuration for awslogs | When using 'awslogs' the options 'awslogs-group' and 'awslogs-region' are required | | resources |
| E3047 | Validate ECS Fargate tasks have the right combination of CPU and memory | When using an ECS Fargate task there is a specific combination of memory and cpu that can be used | | properties,ecs,service,container,fargate |
| E3048 | Validate ECS Fargate tasks have required properties and values | When using an ECS Fargate task there is a specific combination of required properties and values | | properties,ecs,service,container,fargate |
| E3049 | Validate ECS tasks with dynamic host port have traffic-port ELB target groups | When using an ECS task definition with host port 0 and associating that container to an ELB the target group has to have a 'HealthCheckPort' of 'traffic-port' | | resources |
| E3050 | Check if Ref'ing an IAM resource with Path set | Some resources don't support looking up the IAM resource by name. This check validates when a Ref is being used and the Path is not '/' | | properties,iam |
| E3051 | Validate the structure of an SSM document | SSM documents are nested JSON/YAML in CloudFormation; this rule adds validation to those documents | | properties,ssm,document |
| E3052 | Validate ECS service requires NetworkConfiguration | When an ECS task definition has NetworkMode set to 'awsvpc' then 'NetworkConfiguration' is required | | resources,ecs |
| E3053 | Validate ECS task definition has correct values for 'HostPort' | The 'HostPort' must either be undefined or equal to the 'ContainerPort' value | | resources,ecs |
| E3054 | Validate ECS service using Fargate uses a TaskDefinition that allows Fargate | When using an ECS service with 'LaunchType' of 'FARGATE' the associated task definition must have 'RequiresCompatibilities' specified with 'FARGATE' listed | | resources,ecs |
| E3055 | Check CreationPolicy values for Resources | Check that the CreationPolicy values are valid | | resources,creationPolicy |
| E3057 | Validate that CloudFront TargetOriginId is a specified Origin | CloudFront TargetOriginId has to map to an Origin Id that is in the same DistributionConfig | | properties,cloudfront |
| E3058 | Validate at least one of the properties is present | Make sure at least one of the resource properties is included | | resources |
| E3059 | Validate subnet CIDRs are within the CIDRs of the VPC | When specifying subnet CIDRs for a VPC the subnet CIDRs must be within the VPC CIDRs | | resources,ec2,vpc,subnet |
| E3060 | Validate subnet CIDRs do not overlap with other subnets | When specifying subnet CIDRs for a VPC the subnet CIDRs must not overlap with each other | | resources,ec2,vpc,subnet |
| E3061 | Validate the days for tierings in IntelligentTieringConfigurations | When using AWS::S3::Bucket to configure IntelligentTieringConfigurations the Tierings have minimum and maximum values | | resources,s3 |
| E3062 | Validates RDS DB Instance Class based on Engine and EngineVersion | Validates the RDS DB instance types based on 'Engine' and 'EngineVersion'. 'EngineVersion' is based on the minor version. | | resources |
| E3063 | Validate GuardDuty Detector property exclusivity | The request fails if both DataSources and Features are provided. You can provide only one; it is recommended to use Features. | | resources,guardduty |
| E3501 | Validate SQS queue properties are valid | Depending on whether the queue is FIFO or not the properties and allowed values change. This rule validates properties and values based on the queue type. | | resources,sqs |
| E3502 | Validate SQS DLQ queues are the same type | SQS queues using a DLQ have to have the destination queue of the same type (FIFO or standard) | | resources,sqs |
| E3503 | ValidationDomain is superdomain of DomainName | In ValidationDomainOptions, the ValidationDomain must be a superdomain of the DomainName being validated | | certificate,certificatemanager,domainvalidationoptions,validationdomain |
| E3504 | Check minimum 90 day period is met between BackupPlan cold and delete | Check that Backup plans with lifecycle rules have >= 90 days between cold and delete | | properties,backup,plan,lifecycle |
| E3505 | Validate SQS 'VisibilityTimeout' is greater than a function's 'Timeout' | When attaching an SQS queue to a Lambda function the SQS 'VisibilityTimeout' has to be greater than or equal to the Lambda function's 'Timeout' | | resources,lambda,sqs |
| E3510 | Validate identity based IAM policies | IAM identity policies are embedded JSON in CloudFormation. This rule validates those embedded policies. | | resources,iam |
| E3511 | Validate IAM role arn pattern | Validate an IAM role arn pattern matches | | parameters,iam |
| E3512 | Validate resource based IAM policies | IAM resource policies are embedded JSON in CloudFormation. This rule validates those embedded policies. | | resources,iam |
| E3513 | Validate ECR repository policy | Private ECR repositories have a policy. This rule validates those policies. | | resources,iam,ecr |
| E3514 | Validate IAM resource policy resource ARNs | Validates an IAM resource policy has a compliant resource ARN | | parameters,iam |
| E3530 | Validate IAM trust policies | IAM trust policies are embedded JSON in CloudFormation. This rule validates those embedded policies. | | resources,iam |
| E3601 | Validate the structure of a StateMachine definition | Validate the Definition or DefinitionString inside an AWS::StepFunctions::StateMachine resource | | resources,statemachine |
| E3615 | Validate the period is a valid value | Valid values are 10, 30, 60, and any multiple of 60. | | resources,cloudwatch |
| E3617 | Validate ManagedBlockchain instance type | Validates the ManagedBlockchain instance types based on region and data gathered from the pricing APIs | | resources |
| E3620 | Validate a DocDB DB Instance class | Validates the DocDB instance types based on region and data gathered from the pricing APIs | | resources |
| E3621 | Validate the instance types for AppStream Fleet | Validates the AppStream Fleet instance types based on region and data gathered from the pricing APIs | | resources |
| E3628 | Validate EC2 instance types based on region | Validates the EC2 instance types based on region and data gathered from the pricing APIs | | resources |
| E3633 | Validate Lambda event source mapping StartingPosition is used correctly | When 'EventSourceArn' is associated with Kinesis, Kafka, or DynamoDB you must specify 'StartingPosition' | | resources |
| E3634 | Validate Lambda event source mapping starting position is not used with SQS | When 'EventSourceArn' is associated with SQS don't specify 'StartingPosition' | | resources |
| E3635 | Validate Neptune DB instance class | Validates the instance types for Neptune DB based on region and data gathered from the pricing APIs | | resources |
| E3636 | Validate CodeBuild projects using S3 also have Location | When using 'S3' for 'Type' then you must also specify 'Location' | | resources,codebuild |
| E3638 | Validate DynamoDB BillingMode pay per request configuration | When 'BillingMode' is 'PAY_PER_REQUEST' don't specify 'ProvisionedThroughput' | | resources |
| E3639 | When BillingMode is PROVISIONED you must specify ProvisionedThroughput | When 'BillingMode' is 'PROVISIONED' 'ProvisionedThroughput' is required | | resources |
| E3641 | Validate GameLift Fleet EC2 instance type | Validates the GameLift Fleet EC2 instance types based on region and data gathered from the pricing APIs | | resources |
| E3647 | Validate ElastiCache cluster cache node type | Validates the ElastiCache instance types based on region and data gathered from the pricing APIs | | resources |
| E3652 | Validate Elasticsearch domain cluster instance | Validates the Elasticsearch instance types based on region and data gathered from the pricing APIs | | resources |
| E3660 | RestApi requires a name when not using an OpenAPI specification | When using AWS::ApiGateway::RestApi you have to provide 'Name' if you don't provide 'Body' or 'BodyS3Location' | | resources,apigateway |
| E3661 | Validate Route53 health check has AlarmIdentifier when using CloudWatch | When 'Type' is 'CLOUDWATCH_METRIC' you must specify 'AlarmIdentifier' | | resources |
| E3663 | Validate Lambda environment variable names aren't reserved | Lambda reserves a set of environment variable names for its use. This rule validates that the provided environment variable names don't use the reserved variable names | | resources,lambda,runtime |
| E3667 | Validate Redshift cluster node type | Validates the Redshift instance types based on region and data gathered from the pricing APIs | | resources |
| E3670 | Validate the instance types for an AmazonMQ Broker | Validates the instance types for AmazonMQ broker based on region and data gathered from the pricing APIs | | resources |
| E3671 | Validate block device mapping configuration | Certain volume types require Iops to be specified | | resources,ec2 |
| E3672 | Validate the cluster node type for a DAX Cluster | Validates the DAX cluster instance types based on region and data gathered from the pricing APIs | | resources |
| E3673 | Validate if an ImageId is required | Validate if an ImageId is required. It can be required if the associated LaunchTemplate doesn't specify an ImageId | | resources,ec2 |
| E3674 | Primary cannot be True when PrivateIpAddress is specified | Only specify the private IP address for an instance in one place | | resources,ec2 |
| E3675 | Validate EMR cluster instance type | Validates the EMR cluster instance types based on region and data gathered from the pricing APIs | | resources |
| E3676 | Validate ELBv2 protocols that require certificates have a certificate specified | When using HTTPS or TLS you must specify a certificate | | resources |
| E3677 | Validate Lambda using ZipFile requires an allowable runtime | Using the ZipFile attribute requires a JavaScript or Python runtime to be specified | | resources |
| E3678 | Using the ZipFile attribute requires a runtime to be specified | Using the ZipFile attribute requires a runtime to be specified | | resources |
| E3679 | Validate ELB protocols that require certificates have a certificate specified | When using HTTPS or SSL you must provide a certificate | | resources |
| E3680 | Application load balancers require at least 2 subnets | | | resources |
| E3681 | Validate target group target type property restrictions | When a TargetGroup target type is lambda or not there are different restrictions on properties. | | resources |
| E3682 | Validate when using Aurora certain properties aren't required | When creating an Aurora DBInstance don't specify 'AllocatedStorage', 'BackupRetentionPeriod', 'CopyTagsToSnapshot', 'DeletionProtection', 'EnableIAMDatabaseAuthentication', 'MasterUserPassword', or 'StorageEncrypted' | | resources |
| E3683 | Validate target group protocol property restrictions | When a TargetGroup protocol is HTTP/HTTPS or GENEVE there are different restrictions on properties. | | resources |
| E3684 | Validate target group health check protocol property restrictions | When a TargetGroup health check protocol is specified there are restrictions on other properties. | | resources |
| E3685 | Container image functions cannot use Handler, Runtime, or Layers | Functions with PackageType 'Image' cannot specify Handler, Runtime, or Layers properties | | resources |
| E3686 | Validate allowed properties when using a serverless RDS DB cluster | Validate that when EngineMode is 'serverless' or 'provisioned' the appropriate allowed properties are provided. If 'EngineMode' is not provided make sure serverless properties don't exist at all. | | resources |
| E3687 | Validate to and from ports based on the protocol | When using icmp, icmpv6, tcp, or udp you have to specify the to and from port ranges | | resources |
| E3688 | Validate that to and from ports are both -1 | When ToPort or FromPort is -1 the other one must also be -1 | | resources |
| E3689 | Validate MonitoringInterval and MonitoringRoleArn are used together | When MonitoringInterval is greater than 0 you need to specify MonitoringRoleArn. If MonitoringRoleArn is specified MonitoringInterval has to be greater than 0. | | resources |
| E3690 | Validate DB Cluster Engine and Engine Version | Validate the DB Cluster engine along with the engine version | | resources |
| E3691 | Validate DB Instance Engine and Engine Version | Validate the DB Instance engine along with the engine version | | resources |
| E3692 | Validate Multi-AZ DB cluster configuration | When creating a Multi-AZ DB Cluster there are required fields and the allowed values are different | | resources |
| E3693 | Validate Aurora DB cluster configuration | When creating an Aurora DB Cluster there are required fields and the allowed values are different | | resources |
| E3694 | Validates RDS DB Cluster instance class | Validates the RDS DB Cluster instance types based on region and data gathered from the pricing APIs | | resources |
| E3695 | Validate ElastiCache Cluster Engine and Engine Version | Validate the ElastiCache cluster engine along with the engine version | | resources |
| E3696 | LogLevel is not supported when LogFormat is set to Text | LogLevel is not supported when LogFormat is set to 'Text'. Remove LogLevel from your request or change the LogFormat to 'JSON' | | resources |
| E3697 | Validate Lambda environment variables do not exceed 4 KB | AWS Lambda limits the total size of all environment variables to 4 KB. If this limit is exceeded, the deployment will fail. This rule sums the lengths of all keys and values and validates the total does not exceed 4096 bytes. | | resources,lambda |
| E3698 | API Gateway Stage and Deployment must use the same RestApi | When an API Gateway Stage references a Deployment, both must reference the same RestApi. A mismatch causes a deployment failure. | | resources,apigateway |
| E3699 | API Gateway Method and Authorizer must use the same RestApi | When an API Gateway Method references an Authorizer, both must reference the same RestApi. A mismatch causes a deployment failure. | | resources,apigateway |
| E3700 | Validate CodePipeline Source actions are only in the first stage | When using AWS::CodePipeline::Pipeline this rule will validate that Source actions are only used in the first stage | | resources,codepipeline |
| E3701 | Validate input and output artifact names are used properly | When using AWS::CodePipeline::Pipeline InputArtifacts names have to be previously used OutputArtifact names. Additionally, the OutputArtifacts names have to be unique | | resources,codepipeline |
| E3702 | Validate the number of input and output artifacts in a CodePipeline | When using AWS::CodePipeline::Pipeline action types have different constraints for InputArtifacts and OutputArtifacts | | resources,codepipeline |
| E3703 | Validate the configuration of a pipeline action | When defining a CodePipeline certain action types have configuration constraints, so this rule validates them | | resources,codepipeline |
| E3704 | Validate TransitEncryptionEnabled is set when using Valkey engine | When Engine is valkey, TransitEncryptionEnabled must be explicitly set | | resources,elasticache |
| E3705 | Validate SQS FIFO queue EventSourceMapping BatchSize is at most 10 | When an EventSourceMapping references a FIFO SQS queue, the BatchSize must be at most 10 | | resources,lambda,sqs |
| E3706 | MaxSize must be greater than or equal to MinSize | Validates that AutoScaling group MaxSize is greater than or equal to MinSize | | resources,autoscaling |
| E3707 | Validate RDS DBInstance Engine matches DBCluster Engine | When a DBInstance references a DBCluster via DBClusterIdentifier, the Engine property must match between the two resources | | resources,rds |
| E3708 | API Gateway Method AuthorizationType must match Authorizer Type | When using AuthorizationType 'CUSTOM', the referenced Authorizer must have Type 'TOKEN' or 'REQUEST'. When using AuthorizationType 'COGNITO_USER_POOLS', the Authorizer must have Type 'COGNITO_USER_POOLS'. | | resources,apigateway |
| E3709 | Validate RDS DBInstance StorageEncrypted matches DBCluster | When a DBInstance references a DBCluster via DBClusterIdentifier, the StorageEncrypted property must match between the two resources | | resources,rds |
| E3710 | Resource type is from a service that has been shut down | Checks if a resource type belongs to an AWS service that has reached full shutdown and is no longer available | | resources,lifecycle |
E3711Validate ListenerRule target group protocol is not GENEVEWhen a ListenerRule forwards to a TargetGroup, the TargetGroup protocol must not be GENEVE. GENEVE is only supported with Gateway Load Balancers, not Application or Network Load Balancers.Sourceresources,elasticloadbalancingv2
E3712TargetTrackingScaling policy requires ASG MaxSize greater than MinSizeWhen using a TargetTrackingScaling policy the referenced AutoScalingGroup must have MaxSize different from MinSize to allow scalingSourceresources,autoscaling
E3713Validate Fargate ECS services use supported log driversWhen using an ECS service with 'LaunchType' of 'FARGATE' the referenced task definition containers must use a supported log driver ('awslogs', 'splunk', or 'awsfirelens'). Other log drivers like 'json-file' or 'syslog' are not supported on Fargate.Sourceresources,ecs
E3714Validate LaunchTemplate SecurityGroup and Subnet are in the same VPCWhen a LaunchTemplate references SecurityGroups via 'SecurityGroupIds' and Subnets via 'NetworkInterfaces', the SecurityGroup's VpcId must match the Subnet's VpcIdSourceresources,ec2
E3715VirtualName must use ephemeral device format when Ebs is absentWhen specifying VirtualName without Ebs in a block device mapping, the value must match 'ephemeralN' (N=0-23) or the deployment will fail.Sourceresources,ec2
E3716Validate Lambda layer ARN length based on regionValidates the Lambda layer ARN length based on region. ARN length varies by partition due to partition and region name length.Sourceresources,lambda
E3718Validate API Gateway Authorizer TTL based on typeAuthorizerResultTtlInSeconds maximum of 3600 only applies to TOKEN and REQUEST authorizers.Sourceresources,apigateway
E3719Validate RDS BackupRetentionPeriod configurationBackupRetentionPeriod is not allowed when DBClusterIdentifier is specified. For standalone non-Aurora instances the maximum is 35.Sourceresources,rds
E3720Validate StorageEncrypted is set when KmsKeyId is specifiedWhen specifying a KmsKeyId for a non-custom engine RDS DBInstance, StorageEncrypted must be set to true. Custom engines (custom-*) handle encryption implicitly and do not require StorageEncrypted.Sourceresources,rds
E3721Validate ReplicaMode value for Oracle and Db2 enginesWhen specifying ReplicaMode for Oracle or Db2 engines, the value must be 'mounted' or 'open-read-only'.Sourceresources,rds
E4001Metadata Interface have appropriate propertiesMetadata Interface properties are properly configuredSourcemetadata
E4002Validate the configuration of the Metadata sectionValidates that Metadata section is an object and has no null valuesSourcemetadata
E5001Check that Modules resources are validCheck that Modules resources are validSourceresources,modules
E6001Check the properties of OutputsValidate the property structure for outputsSourceoutputs
E6002Outputs have required propertiesMaking sure the outputs have required propertiesSourceoutputs
E6003Check the type of OutputsValidate the type of properties in the Outputs sectionSourceoutputs
E6004Outputs have appropriate namesCheck if Outputs are properly named (A-Za-z0-9)Sourceoutputs
E6005Validate the Output condition is validCheck the condition of an output to make sure it exists inside the templateSourceoutputs,conditions
E6010Output limit not exceededCheck the number of Outputs in the template is less than the upper limitSourceoutputs,limits
E6011Check property names in OutputsValidate property names are property configured in OutputsSourceoutputs,limits
E6101Validate that outputs values are a stringMake sure that output values have a type of stringSourceoutputs
E6102Validate that output exports have values of stringsMake sure output exports have a value of type stringSourceoutputs
E7001Mappings are appropriately configuredCheck if Mappings are properly configuredSourcemappings
E7002Check property names in MappingsValidate property names are property configured in MappingsSourcemappings,limits
E7010Max number of properties for MappingsCheck the number of Mappings in the template is less than the upper limitSourcemappings,limits
E8001Conditions have appropriate propertiesCheck if Conditions are properly configuredSourceconditions
E8002Check if the referenced Conditions are definedMaking sure the used conditions are actually defined in the Conditions sectionSourceconditions
E8003Check Fn::Equals structure for validityCheck Fn::Equals is a list of two elementsSourcefunctions,equals
E8004Check Fn::And structure for validityCheck Fn::And is a list of two elementsSourcefunctions,and
E8005Check Fn::Not structure for validityCheck Fn::Not is a list of one elementSourcefunctions,not
E8006Check Fn::Or structure for validityCheck Fn::Or is a list of two elementsSourcefunctions,or
E8007Check Condition structure for validityCheck Condition has a value of another conditionSourcefunctions,condition
I1002Validate approaching the template size limitCheck the size of the template is approaching the upper limitSourcelimits
I1003Validate if we are approaching the max size of a descriptionCheck if the size of the template description is approaching the upper limitSourcedescription,limits
I1022Use Sub instead of JoinPrefer a sub instead of Join when using a join delimiter that is emptySourcefunctions,sub,join
I2003Validate AllowedPattern is a valid regexsValidate the pattern defined in a AllowedPattern. This is informational as the service side regex library is different than the Python oneSourceparameters,allowed pattern
I2010Parameter limitCheck the number of Parameters in the template is approaching the upper limitSourceparameters,limits
I2011Parameter name limitCheck the size of Parameter names in the template is approaching the upper limitSourceparameters,limits
I2530Validate that SnapStart is configured for >= Java11 runtimesSnapStart is a no-cost feature that can increase performance up to 10x. Enable SnapStart for Java 11 and greater runtimesSourceresources,lambda
I3010Resource limitCheck the number of Resources in the template is approaching the upper limitSourceresources,limits
I3011Check stateful resources have a set UpdateReplacePolicy/DeletionPolicyThe default action when replacing/removing a resource is to delete it. This check requires you to explicitly set policiesSourceresources,updatereplacepolicy,deletionpolicy
I3012Resource name limitCheck the size of Resource names in the template is approaching the upper limitSourceresources,limits
I3013Check resources with auto expiring content have explicit retention periodThe behaviour for data retention is different across AWS Services.If no retention period is specified the default for some services is to delete the data after a period of time.This check requires you to explicitly set the retention period for those resources to avoid unexpected data lossesSourceresources,retentionperiod
I3037Check if a list that allows duplicates has any duplicatesCertain lists support duplicate items.Provide an alert when list of strings or numbers have repeats.Sourceresources,property,list
I3042ARNs should use correctly placed Pseudo ParametersChecks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Numberpartition:boolean:True
region:boolean:False
accountId:boolean:False
Sourceresources
I3100Checks for legacy instance type generationsNew instance type generations increase performance and decrease costSourceresources,ec2,rds,elasticcache,elasticsearch
I3510Validate statement resources match the actionsIAM policy statements have different constraints between actions and resources. This rule validates that resource ARNs or asterisks match the actions.Sourceresources,iam
I6010Output limitCheck the number of Outputs in the template is approaching the upper limitSourceoutputs,limits
I6011Output name limitCheck the size of Output names in the template is approaching the upper limitSourceoutputs,limits
I7002Mapping name limitCheck the size of Mapping names in the template is approaching the upper limitSourcemappings,limits
I7010Mapping limitCheck the number of Mappings in the template is approaching the upper limitSourcemappings,limits
W1001Ref/GetAtt to resource that is available when conditions are appliedCheck the Conditions that affect a Ref/GetAtt to make sure the resource being related to is available when there is a resource condition.Sourceconditions,resources,relationships,ref,getatt,sub
W1011Instead of REFing a parameter for a secret use a dynamic referenceInstead of REFing a parameter for a secret use a dynamic reference. Solutions like SSM parameter store and secrets manager provide better security of sercretsSourcefunctions,dynamic reference,ref
W1019Validate that parameters to a Fn::Sub are usedValidate that Fn::Sub Parameters are usedSourcefunctions,sub
W1020Sub isn't needed if it doesn't have a variable definedChecks sub strings to see if a variable is defined.Sourcefunctions,sub
W1028Check Fn::If has a path that cannot be reachedCheck Fn::If path can be reachedSourcefunctions,if
W1030Validate the values that come from a Ref functionResolve the Ref and then validate the values against the schemaSourcefunctions,ref
W1031Validate the values that come from a Fn::Sub functionResolve the Fn::Sub and then validate the values against the schemaSourcefunctions,sub
W1032Validate the values that come from a Fn::Join functionResolve the Fn::Join and then validate the values against the schemaSourcefunctions,join
W1033Validate the values that come from a Fn::Split functionResolve the Fn::Split and then validate the values against the schemaSourcefunctions,split
W1034Validate the values that come from a Fn::FindInMap functionResolve the Fn::FindInMap and then validate the values against the schemaSourcefunctions,findinmap
W1035Validate the values that come from a Fn::Select functionResolve the Fn::Select and then validate the values against the schemaSourcefunctions,select
W1036Validate the values that come from a Fn::GetAZs functionResolve the Fn::GetAZs and then validate the values against the schemaSourcefunctions,getazs
W1040Validate the values that come from a Fn::ToJsonString functionResolve the Fn::ToJsonString and then validate the values against the schemaSourcefunctions,tojsonstring
W1051Validate dynamic references to secrets manager are not used when a secrets manager ARN was expectedCertain properties expect a secret manager ARN. This rule validates if you may be accidently using a secret in place of the ARNSourcefunctions,dynamic reference
W1053Dynamic references should not contain spacesDynamic references with spaces between '{{' and 'resolve' will not be resolved by CloudFormation and will be treated as a literal stringSourcefunctions,dynamic reference
W1100Validate if the template is using YAML mergeThe CloudFormation service does not support YAML anchors, aliases, or merging. This rule validates if the merge capability is being usedSourceyaml
W2001Check if Parameters are UsedMaking sure the parameters defined are usedSourceparameters
W2002Parameter type is not officially supported by CloudFormationCloudFormation accepts any AWS::SSM::Parameter::Value<> or List<> pattern, but only validates specific types. Using unsupported types may work but CloudFormation will not validate the parameter values.Sourceparameters
W2010NoEcho parameters are not masked when used in Metadata and OutputsUsing the NoEcho attribute does not mask any information stored in the following: Metadata, Outputs, Resource MetadataSourcefunctions,dynamic reference,ref
W2030Check if parameters have a valid valueCheck if parameters have a valid value in case of an enumator. The Parameter's allowed values is based on the usages in property (Ref)Sourceparameters,resources,property,allowed value
W2031Check if parameters have a valid value based on an allowed patternCheck if parameters have a valid value in a pattern. The Parameter's allowed pattern is based on the usages in property (Ref)Sourceparameters,resources,property,pattern
W2501Check if Password Properties are correctly configuredPassword properties should not be strings and if parameter using NoEchoSourceparameters,passwords,security,dynamic reference
W2506Check if ImageId Parameters have the correct typeSee if there are any refs for ImageId to a parameter of inappropriate type. Appropriate Types are [AWS::EC2::Image::Id, AWS::SSM::Parameter::ValueAWS::EC2::Image::Id]Sourceparameters,ec2,imageid
W2511Check IAM Resource Policies syntaxSee if the elements inside an IAM Resource policy are configured correctly.Sourceproperties,iam
W2530Validate that SnapStart is properly configuredTo properly leverage SnapStart, you must configure both the lambda function and attach a Lambda version resourceSourceresources,lambda
W2531Check if EOL Lambda Function Runtimes are usedCheck if an EOL Lambda Runtime is specified and give a warning if used.Sourceresources,lambda,runtime
W2533Check required properties for Lambda if the deployment package is a .zip fileWhen the package type is Zip, you must also specify the handler and runtime properties.Sourceresources,lambda
W3002Warn when properties are configured to only work with the package commandSome properties can be configured to only work with the CloudFormationpackage command. Warn when this is the case so user is aware.Sourceresources
W3005Check obsolete DependsOn configuration for ResourcesCheck if DependsOn is specified if not needed. A Ref or a Fn::GetAtt already is an implicit dependency.Sourceresources,dependson,ref,getatt
W3010Availability zone properties should not be hardcodedCheck if an Availability Zone property is hardcoded.Sourceparameters,availabilityzone
W3011Check resources with UpdateReplacePolicy/DeletionPolicy have bothBoth UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletionSourceresources,updatereplacepolicy,deletionpolicy
W3034Check if parameter values are between min and maxCheck if parameter values value being between the minimum and maximumSourceresources,property,number,size
W3037Check IAM Permission configurationCheck for valid IAM PermissionsSourceproperties,iam,permissions
W3045Controlling access to an S3 bucket should be done with bucket policiesNearly all access control configurations can be more successfully achieved with bucket policies. Consider using bucket policies instead of access control.Sourceresources,s3
W3660Validate if multiple resources are modifying a Rest API definitionWhen using AWS::ApiGateway::RestApi with 'Body' or 'BodyS3Location' the resource handler will use PutRestApi with mode overwrite. Depending on how resources are updated the IaC template will drift and create orphaned resources.Sourceresources,apigateway
W3663Validate SourceAccount is required propertyWhen configuration a Lambda permission with a SourceArn that doesn't have an AccountId you should also specify the SourceAccountSourceresources,lambda,permission
W3664Validate Lambda permission Principal matches SourceArn resource typeWhen configuring a Lambda permission with a SourceArn that references a resource, the Principal should match the service that owns that resource typeSourceresources,lambda,permission
W3671Iops is ignored for certain EBS volume typesWhen Iops is specified with volume types gp2, st1, sc1, or standard, the value is silently ignored. Remove Iops or use a volume type that supports provisioned IOPS (io1, io2, gp3).Sourceresources,ec2,ebs
W3687Validate that ports aren't specified for certain protocolsWhen using a protocol other than icmp, icmpv6, tcp, or udp the port ranges properties are ignoredSourceresources
W3688When restoring DBCluster certain properties are ignoredWhen creating a DBCluster extra properties are ignored and could result in driftSourceresources,rds
W3689When using a source DB certain properties are ignoredWhen creating a DBCluster from a source certain properties are ignored and could result in driftSourceresources,rds
W3690Validate DB Cluster Engine Version is not deprecatedValidate the DB Cluster engine version is not deprecated and can be used to create new instancesSourceresources
W3691Validate DB Instance Engine Version is not deprecatedValidate the DB Instance engine version is not deprecated and can be used to create new instancesSourceresources
W3693Validate Aurora DB cluster configuration for ignored propertiesWhen creating an Aurora DB Cluster there are fields that will allow for successful deployment but are ignoredSourceresources
W3694SNS Subscription Endpoint should match ProtocolWhen an SNS Subscription Protocol is 'sqs', the Endpoint should reference an SQS Queue. When Protocol is 'lambda', the Endpoint should reference a Lambda Function.Sourceresources,sns
W3696Resource type is from a service that is sunsettingChecks if a resource type belongs to an AWS service that is in the sunset phase and will be shut downSourceresources,lifecycle
W3697Resource type is from a service in maintenance modeChecks if a resource type belongs to an AWS service that is in maintenance mode with no new featuresSourceresources,lifecycle
W3698VirtualName is ignored when Ebs is specifiedWhen both VirtualName and Ebs are specified in a block device mapping, VirtualName is silently ignored by EC2. Remove VirtualName or Ebs.Sourceresources,ec2
W3699ReplicaMode is ignored for non-Oracle/Db2 enginesWhen ReplicaMode is specified with engines other than Oracle or Db2, the value is silently ignored. Remove ReplicaMode or use an engine that supports it.Sourceresources,rds
W3700Non-standard Domain values are converted to vpcWhen Domain is specified with a value other than 'standard' or 'vpc', the value is silently converted to 'vpc'. Use 'vpc' explicitly to avoid confusion.Sourceresources,ec2
W4001Metadata Interface parameters existMetadata Interface parameters actually existSourcemetadata
W4005Validate cfnlint configuration in the MetadataMetadata cfn-lint configuration has many values and we want to validate thatSourcemetadata
W6001Check Outputs using ImportValueCheck if the Output value is set using ImportValue, so creating an Output of an OutputSourceoutputs,importvalue
W7001Check if Mappings are UsedMaking sure the mappings defined are usedSourcemappings
W8001Check if Conditions are UsedMaking sure the conditions defined are usedSourceconditions
W8003Fn::Equals will always return true or falseValidate Fn::Equals to see if its comparing two strings or two equal items. While this works it may not be intended.Sourcefunctions,equals

* experimental rules