選取您的 Cookie 偏好設定

我們使用提供自身網站和服務所需的基本 Cookie 和類似工具。我們使用效能 Cookie 收集匿名統計資料,以便了解客戶如何使用我們的網站並進行改進。基本 Cookie 無法停用,但可以按一下「自訂」或「拒絕」以拒絕效能 Cookie。

如果您同意,AWS 與經核准的第三方也會使用 Cookie 提供實用的網站功能、記住您的偏好設定,並顯示相關內容,包括相關廣告。若要接受或拒絕所有非必要 Cookie,請按一下「接受」或「拒絕」。若要進行更詳細的選擇,請按一下「自訂」。

偏好設定
聯絡我們
意見回饋
AWS Documentation
建立 AWS 帳戶

CloudFormation ingest stack: CFN validator examples

PDF
焦點模式
CloudFormation ingest stack: CFN validator examples - AMS Advanced Application Developer's Guide
Format validationManual review required validationParameter validationResource attribute validationResource validationSecurity group ingress rule validation
此頁面尚未翻譯為您的語言。 請求翻譯

These examples can help you prepare your template for a successful ingest.

Format validation

Validate that the template contains a "Resources" section, and all resources defined under it have a "Type" value.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description" : "Create a SNS topic",
  "Resources": {
    "SnsTopic": {
      "Type": "AWS::SNS::Topic"
    }
  }
}

Validate that the root keys of the template are allowed. Allowed root keys are:

[
  "AWSTemplateFormatVersion",  
  "Description",  
  "Mappings",  
  "Parameters",  
  "Conditions",  
  "Resources",  
  "Rules",  
  "Outputs",  
  "Metadata"
]

Manual review required validation

If the template contains the following resources, automatic validation fails and you'll need a manual review.

The shown policies are high risk areas from a security standpoint. For example, an S3 bucket policy allowing anyone except for specific users or groups to create objects or write permissions, is extremely dangerous. So we validate the policies and approve or deny based on the contents, and those polices cannot be auto-created. We are investigating possible approaches to address this issue.

We currently don’t have automated validation around the following resources.

[
    "S3::BucketPolicy",
    "SNS::TopicPolicy",
    "SQS::QueuePolicy"
]

Parameter validation

Validate that if a template parameter doesn't have a value provided; it must have a default value.

Resource attribute validation

Required attribute check: Certain attributes must exist for certain resource types.

  • "VPCOptions" must exist in AWS::OpenSearch::Domain

  • "CludsterSubnetGroupName" must exist in AWS::Redshift::Cluster

{
    "AWS::OpenSearch::Domain": [
      "VPCOptions"
    ],
    "AWS::Redshift::Cluster": [
      "ClusterSubnetGroupName"
    ]
}

Disallowed attributes check: Certain attributes must *not* exist for certain resource types.

  • "SecretString" must not exist in "AWS::SecretsManager::Secret"

  • "MongoDbSettings" must not exist in "AWS::DMS::Endpoint"

{
  "AWS::SecretsManager::Secret": [
    "SecretString"  
  ],  
  "AWS::DMS::Endpoint": [
    "MongoDbSettings"  
  ]
}

SSM parameter check: For attributes in the following list, values must be specified via Secrets Manager or Systems Manager Parameter Store (Secure String Parameter):

{
  "RDS::DBInstance": [
    "MasterUserPassword",   
    "TdeCredentialPassword"  
  ],  
  "RDS::DBCluster": [
    "MasterUserPassword"  
  ],  
  "ElastiCache::ReplicationGroup": [
    "AuthToken"  
  ],  
  "DMS::Certificate": [
    "CertificatePem",    
    "CertificateWallet" 
  ],  
  "DMS::Endpoint": [
    "Password"  
  ],
  "CodePipeline::Webhook": {
    "AuthenticationConfiguration": [
        "SecretToken"  
    ]
  },
  "DocDB::DBCluster": [
    "MasterUserPassword"
  ]
},

Some attributes must comply with certain patterns; for example, IAM instance profile names must not start with AMS reserved prefixes, and the attribute value must match the specific regex as shown:

{
    "AWS::EC2::Instance": {
      "IamInstanceProfile": [
        "^(?!arn:aws:iam|ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+",
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    },
    "AWS::AutoScaling::LaunchConfiguration": {
      "IamInstanceProfile": [
        "^(?!arn:aws:iam|ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+",
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    },
    "AWS::EC2::LaunchTemplate": {
      "LaunchTemplateData.IamInstanceProfile.Name": [
        "^(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ],
      "LaunchTemplateData.IamInstanceProfile.Arn": [
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile\/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    }
}

Resource validation

Only allowlisted resources can be specified in the template; those resources are described in Supported Resources.

EC2 stacks and Auto Scaling groups (ASGs) are not allowed in the same stack due to patching limitations.

Security group ingress rule validation

  • For requests that come from the CFN Ingest Create or Stack Update CT change types:

    • If (IpProtocol is tcp or 6) AND (Port is 80 or 443) , there are no restrictions around the CidrIP value

    • Otherwise, the CidrIP cannot be 0.0.0.0/0

  • For requests that come from Service Catalog (Service Catalog products):

    • In addition to the CFN Ingest Create or Stack Update CT change type validation, the port in management_ports with the protocol in ip_protocols can only be accessed via allowed_cidrs:

      {
      "ip_protocols": ["tcp", "6", "udp", "17"],
      "management_ports": [22, 23, 389, 636, 1494, 1604, 2222, 3389, 5900, 5901, 5985, 5986],
      "allowed_cidrs": ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16"]
  }

在本頁面

下一個主題:

Limitations

上一個主題:

Template validation

需要協助?

隱私權網站條款Cookie 偏好設定
© 2025, Amazon Web Services, Inc.或其附屬公司。保留所有權利。